The advent of digitization affects not only human digital identities but also corporate digital identities. As our digital identities become "smart", they're increasingly able to act on our behalf. When we die, our smart digital identities, like the Energizer Bunny, keeps right on going, hypothetically able to continue making decisions, acting et al.
Then there's AI systems and bots identities. These too are increasingly becoming "smarter", able to make decisions, interact with humans and other AI systems/bots.
All of this means new forms of risk. Insurers beware. That's what this article dives into.
Note 1: Thanks to Gerry Kennedy for getting me focused on insurers and digital identities.
Note 2: This is a long article because there's a lot of ground to cover. So, if you're looking for a short read, this isn't the article for you!
Human Digital Identities First Require A Good Underlying Human Physical Identity Which Doesn't Exist Today
Most people leap to talking about human digital identity without first considering the underlying human legal physical identity, which digital identities will need to be tied to. Bluntly speaking, they're crappy. Skim:
Why is this? The underlying authoritative source for a human is our CRVS systems (civil registration vital statistics) e,g, birth certificates, et al:
- They don’t have any data standards
- Exist as silos within each jurisdiction (often at province/state within a country)
- Use paper which is easily frauded
- Don’t have any common protocol to query other CRVS systems to confirm an identity
- Don’t use biometrics to tie the person holding the CRVS paper to the actual CRVS entry
- Not prepared for the arrival of smart digital versions of us requiring legal identities which are tied to the physical legal identity
- Totally not prepared for the arrival of AI systems and bots, requiring legal identities
- Many places around the planet have poor CRVS practices resulting in weak identification of many people, e.g. there’s 1 billion people who don’t have a legal identity
- Ironically, CRVS documents are one of the “foundational documents” most identity assurance systems around the planet rely upon – upon which are based digital identities
Here's my point - When an insurer signs a contract with a human, depending on risk, they will want to know that Jane Doe is really Jane Doe. In today's world, this isn't easily done with a high degree of assurance it's Jane.
I was the identity architect for the Government of Alberta. I was told by their security auditors that criminals were traveling across Canada, using face masks plus fake CRVS documents, successfully creating fake identities. They'd obtain driver's licenses, health care cards, passports et al and then begin to bilk government and companies. IT'S A BIG BUSINESS.
The absence of having good legal identity, has spawned an industry, "KYC", i.e. Know Your Customer. These solutions use a variety of meta-data to determine if it's really Jane. These work well depending on how smart the criminals are. If the underlying fake legal identity is well thought through, then a fake legal identity will likely successfully pass through a KYC system.
So, before focusing on smart digital identities of us, which are emerging, e.g. AI personal assistants, digital twins, etc., the planet needs a new legal human identity solution. Here's the major political challenge in creating it. It must still allow local state/provincial political control over human legal identity, both physically and digitally, but work, from cradle to grave anywhere on the planet. How can this occur?
Rethinking Human Legal Identity
Skim this paper, "Rethinking Human Legal Identity". It lays out the architecture addressing this. At a high-level here's the summary:
- When you're born, your legal identity information plus your forensic biometrics are written to not only a new age CRVS (Civil Registration Vital Statistics) system, BUT ALSO TO YOUR SOLICT (Source of Legal Identity & Credential Truth)
- SOLICT is a database you control. It contains your legal identity information, credentials (e.g., Covid vaccination, education credentials etc.), as well as all consents given from you for use of your legal identity and credentials from cradle to grave
- LSSI (Legal Self-Sovereign Identity) devices which are ways in which you prove your legal identity. These include physical legal ID card, digital legal application, biometrically tied wristband containing your legal identity information, and a chip implanted into you containing your legal identity
- Smart digital identities of you. Depending on risk, you'll be required to legally register smart digital identities like digital twins, virtual selves, et al with the CRVS. These will be registered against your legal physical identity
- PIAM (Personal Identity Access Management) which is an AI leverage identity assistant. You can preconfigure it to release, with your consent, identity information to others. For each one, the PIAM writes the consent agreement to your SOLICT
- Rethought notaries - they're able to prove to a high degree of assurance it's really you
- New, independent, global non-profit - it's job is to set legal identity standards, as well as do 24x7x365 threat analysis against the legal identity framework e.g., governance, business processes, tech and end users
- Physical or digital legal identity, which the government issues, but you control i.e. a legal self sovereign identity (LSSI), which
- Also contains your forensic biometrics (e.g. fingerprints and iris), which you control, able to prove to the highest level of identity assurance who you are, which
- Enables you to determine the degree of information you want to release about yourself
- I’m a human acting anonymously, above or below age of consent, gender, name, country, state/province, city/town, address, etc., which
- Contains information about children you have or are guardian for or,
- People you’re legally acting on behalf of, e.g. children, power of attorney, etc. or
- Covid vaccinations, school degrees, transcripts, etc., that
- Also contains information you’re authoritative for like your will, etc.
- All of which you control in deciding who to release the information to
- Each time when you do decide to release the information, the consent for the identity and data you’ve agreed to release, is written to your SOLICT
- Now, you have a legal record, from your birth on, to all the consents granted to release your legal identity and data to which can be used by you, at a later date, to request removal from the datastores using acts like EU GDPR Article 17 (‘right to be forgotten’)
- If your LSSI device is compromised, you’d simply request cancellation of it, and a new one issued
- Your master legal identity data is written from birth, to to your own personal database which you control i.e., your SOLICT
- Which is able to prove you are you by securely obtaining your biometrics, with your consent, and can legally verify you are you, at any place on the planet, to the highest level of identity assurance
- When a civil registration event occurs to you, like a name/gender change, marriage, divorce, birth of children, etc., the local CRVS authority verifies, with your consent, your identity, via your biometrics, and updates the master SOLICT, which in turn updates your LSSI devices
- With the ability to only write to your SOLICT but never be able to delete it
- You can use your LSSI devices to anonymously prove Covid vaccinations, digitally sign documents using your legal identity, etc.
- All with a global independent body administering the standards, API interfaces, as well as doing continuous testing of the governance, business processes and technological interfaces, to ensure your legal identity remains secure
- It enables business and governments to streamline their legal identity processes, significantly reducing identity fraud
- All without the government telling you when to use your legal identity, or how to use it
The above leverages a protocol called TODA. To learn more skim "Legal Identity & TODA".
Biometrics Are Not Secrets and Can Be Easily Stolen
Biometrics are not secrets. Just ask the German defense minister in 2014, who had her fingerprints obtained at a distance using a high resolution camera. Today, if your biometrics are obtained by criminals, you're effectively screwed because you can't revoke and re-issue them.
That's why, on page 76 of this cost centre paper, it calls out for urgent research to confirm the 2015 paper of Rud Bolle. His paper suggested anonymizing biometrics such that they become revocable and re-issuable. If this is possible, the architecture heavily leverages this, significantly reducing risk of criminals stealing your biometrics. Look at the example of page 22 of the paper.
Proving Legal Identity Relationships
TODA offers the ability to cryptographically cross-link different people's files. This can be used to easily prove legal identity relationships. Thus, when Jane Doe gives birth to John Doe, both of their SOLICT entries would be cryptographically cross-linked, showing a parent/child relationship.
Delegating Human Legal Identity
Additionally TIDA files can be created, called "capability files" which are like authorization rights. Hypothetically, these can be time based. An easy example is Jane Doe drops off her son John, at her parent's to look after him for three weeks. She could create a time limited authorization file granting her parents control over John's legal identity, behavioral and biometric information. So, the grandparents can approve John's use of their AI/AR/VR tech to use it only anonymously or, take him to the hospital granting the hospital rights to access his medical information. From an insurer's perspective, this is important for both human, and smart digital entities of us.
Smart Digital Entities of Us
MOST PEOPLE AROUND THE PLANET ARE NOT THINKING OF SMART DIGITAL VERSIONS OF US AND HOW WE'D LEGALLY IDENTIFY THEM BASED ON RISK. Skim the following two articles to see what's coming our way:
Then consider this curve. In practical insurance terms, it means the risk changes faster and faster for a policy relating to humans and smart digital identities of them. So, let's use Jane Doe as an example to illustrate this. She uses a smart digital identity to do:
- Financial transactions
- Work on her behalf
- Recommend to her what to do
The smart digital entities live on long after she dies, with an increasing ability to independently function. My dumb questions to insurers are:
- How will you assess risk to then base policy costs on?
- How will you mitigate your risks when the smart digital entity does things causing claims against the policy?
- How will you ensure post death of your client, you've terminated the policy regarding smart digital entities? Or,
- If the smart digital entity is generating revenue, post death, how will your policy function?
All of this is uncharted waters.
Evil Inc.s & National Security
Skim “National Security – Reduce Risk By Instantly Determining Entity Friend From Foe”. My point to insurers is you folks are directly in the line of fire from this as your clients make claims resulting from fraud.
Which means, depending on risk, you folks need to be able to legally tie smart digital entities to the underlying legal physical identity. The rethought human identity framework of SOLICT, LSSI devices, and PIAM allows for this.
As well, hypothetically, a smart digital entity can have TODA capability files limiting what it can and can't do. I can see insurers specifying what these capability files say, as well as demanding, as terms of a policy, they be quickly changed when the risk landscape changes due to the tech curve.
AI Systems and Bots
As if the above isn't enough to deal with, the planet is rapidly entering the age of AI. As background to understanding risk associated with these new types of entities, skim the following:
Yes, it's complicated. Yes, it's rapidly changing. Yes, insuring for this won't be easy.
Architectures & Costs Addressing This
All I can see in my head is a large wave of risk coming at us. Thus, insurers should be embracing a new legal identity framework for AI systems and bots outlined above.
Smart people will see this coming and ride on top of the wave, managing risk. The not so smart, will pay the price as the wave overtakes them, with large risk and costs associated with it.
My Message To Government & Industry Leaders
Summary - IT'S ALL ABOUT RISK
Insurers understand risk. However, you folks are entering uncharted waters relating to emerging smart digital identities of humans, AI systems/bots and corporate digital identities. My point - even if you folks create a risk analysis to cost out policies, the rate of change, depicted by this curve, will change the risk analysis faster and faster. In practical terms, it means creating policies with the ability to rapidly change terms and conditions on the fly. All of this requires a whole new toolkit, which mostly doesn't exist at the moment.
If you'd like to chat with me about this, then please contact me. - Thanks!
About Guy Huntington
I'm an identity trailblazing problem solver. My past clients include Boeing, Capital One and the Government of Alberta's Digital Citizen Identity & Authentication project. Many of my past projects were leading edge at the time in the identity/security space. I've spent the last eight years working my way through creating a new legal identity architecture and leveraging this to then rethink learning.
I've also done a lot in education as a volunteer over my lifetime. This included chairing my school district's technology committee in the 90's - which resulted in wiring most of the schools with optic fiber, behind building a technology leveraged school, and past president of Skills Canada BC and Skills Canada.
I do short term consulting for Boards, C-suites and Governments, assisting them in readying themselves for the arrival of AI systems, bots and AI leveraged, smart digital identities of humans.
I've written LOTS about the change coming. Skim the over 100 LinkedIn articles I've written, or my webpage with lots of papers.
Quotes I REALLY LIKE!!!!!!:
- We cannot solve our problems with the same thinking we used when we created them” – Albert Einstein
- “Change is hard at first, messy in the middle and gorgeous at the end.” – Robin Sharma
- “Change is the law of life. And those who look only to the past or present are certain to miss the future” – John F. Kennedy
Reference Links:
An Identity Day in The Life:
My Message To Government & Industry Leaders:
National Security:
Rethinking Legal Identity, Credentials & Learning:
Learning Vision:
Creativity:
AI Agents:
- “Personal AI FinTech Agents - Risks, Security And Identity”
- “AI/Bots Health Agents, Medical IoT Devices, Risks, Privacy, Security And Legal Identity”
- “Marketing In The Age of AI Agents, Bots, Behavioural Tech and Crime”
- “Legal Departments - AI/Bots, Gen AI, AI Agents, Hives, Behavioural Tech And AI's Ability To Own LLC's”
- “AI Agents & Kids"
- “AI Agent Authorization - Identity, Graphs & Architecture”
Architecture:
AI/Human Legal Identity/Learning Cost References
AI Leveraged, Smart Digital Identities of Humans:
CISO's:
Companies, C-Suites and Boards:
Legal Identity & TODA:
Enterprise Articles:
- “Legal Departments - AI/Bots, Gen AI, AI Agents, Hives, Behavioural Tech And AI's Ability To Own LLC's”
- “Marketing In The Age of AI Agents, Bots, Behavioural Tech and Crime”
- "Major Change – Future of HR"
- “AI/Bots Health Agents, Medical IoT Devices, Risks, Privacy, Security And Legal Identity”
- “TODA, EMS & Graphs – New Enterprise Architectural Tools For A New Age”
- "Entity Management System"
- "Personal AI FinTech Agents - Risks, Security And Identity"
Rethinking Enterprise Architecture In The Age of AI:
LLC's & AI:
Challenges With AI:
New Security Model:
DAO:
Kids:
Sex:
Schools:
- “The Coming Classroom Revolution – Privacy & Internet of Things In A Classroom”
- “Kids, Digital Learning Twins, Neural Biometrics, Their Data, Privacy & Liabilities”
- “Bots, Classrooms, Privacy, Legal Identity & Contracts”
- “We Have An Identity Problem – AI/Bots in School, Home & Work”
- “Kids, Schools, AI/AR/VR, Legal Identities, Contracts and Privacy”
- “EdTech Law – Legal Identity Contracts”
- “AI, Cheating & Future of Schools/Work”
- “Using AI/Digital Learning Twins in Assessment & Education”
Biometrics:
Legal Identity:
Identity, Death, Laws & Processes:
Open Source:
Notaries:
Climate Change, Migration & Legal Identity:
Fraud/Crime:
Behavioral Marketing:
AI Systems and Bots:
- “AI, Bots & Us - Examples of Rapid Change”
- “Decentralized AI – Risks, Legal Identity, Consent & Privacy”
- "ChatGPT, AI, Identity & Privacy"
- “Why We Need To Legally Register AI Systems and Bots”
- “Why AI Regulation Requires Legal Identities of AI Systems and Bots”
- “Artificial Intelligence & Legal Identification – A Thought Paper”
- “Mission Control – We Have a Problem”
- “Lease or Rent a Bot! Rapidly Emerging Contract Law & Legal Identity Challenges”
- “The Infrastructure Behind Coordinating up to 3,000 bots in One Factory”
- “Nanobots & Legal Identity”
- “Micro Flying Bots & Legal Identity”
- “Microbots Able to Swim Through Your Body & Legal Identity”
- “Bots, Swarms, Risk & Legal Identity”
- “Nanobots, Microbots, Manufacturing, Risk, Legal Identity & Contracts”
Contract Law:
Insurance:
Health:
AI/AR/VR Metaverse Type Environments:
SOLICT:
EMP/HEMP Data Centre Protection:
Climate:
A 100,000-Foot Level Summary Of Legal Human Identity
- Each person when they’re born has their legal identity data plus their forensic biometrics (fingerprints, and later when they can keep their eyes open – their iris) entered into a new age CRVS system (Civil Registration Vital Statistics - birth, name/gender change, marriage/divorce and death registry) with data standards
- The CRVS writes to an external database, per single person, the identity data plus their forensic biometrics called a SOLICT “Source of Legal Identity & Credential Truth). The person now controls this
- As well, the CRVS also writes to the SOLICT legal identity relationships e.g. child/parent, cryptographically linking the SOLICTs. So Jane Doe and her son John will have cryptographic digitally signed links showing their parent/child. The same methodology can be used for power of attorney/person, executor of estate/deceased, etc.
- The SOLICT in turn then pushes out the information to four different types of LSSI Devices “Legal Self-Sovereign Identity”; physical ID card, digital legal identity app, biometrically tied physical wristband containing identity information or a chip inserted into each person
- The person is now able, with their consent, to release legal identity information about themselves. This ranges from being able to legally, anonymously prove they’re a human (and not a bot), above or below age of consent, Covid vaccinated, etc. It also means they can, at their discretion, release portions of their identity like gender, first name, legal name, address, etc.
- NOTE: All consents granted by the person are stored in their SOLICT
- Consent management for each person will be managed by their PIAM “Personal Identity Access Management) system. This is AI leveraged, allowing the person, at their discretion, to automatically create consent legal agreements on the fly
- It works both locally and globally, physically and digitally anywhere on the planet
- AI systems/bots are also registered, where risk requires it, in the new age CRVS system
- Governance and continual threat assessment, is done by a new, global, independent, non-profit funded by a very small charge per CRVS event to a jurisdiction to a maximum yearly amount.
A 100,000-Foot Level Summary Of The Learning Vision:
- When the learner is a toddler, with their parents’ consent, they’ll be assessed by a physical bot for their learning abilities. This will include sight, sound, hearing and smell, as well as hand-eye coordination, how they work or don’t work with others, learning abilities, all leveraging biometric and behavioral data
- All consents given on behalf of the learner or, later in the learner’s life by the learner themselves, are stored in the learner’s SOLICT “Source of Legal Identity & Credential Truth”
- This is fed into a DLT “Digital Learning Twin”, which is created and legally bound to the learner
- The DLT the produces its first IEP “Individualized Education Plan”, for the learner
- The parents take home with them a learning assistant bot to assist the learner, each day, in learning. The bot updates the DLT, which in turn continually refines the learner’s IEP
- All learning data from the learner is stored in their LDV “Learner Data Vault”
- When the learner’s first day of school comes, the parents prove the learner and their identities and legal relationship with the learner, via their LSSI devices (Legal Self-Sovereign Identity)
- With their consent, they approve how the learner’s identity information will be used not only within the school, but also in AI/AR/VR learning environments
- As well, the parents give their consent for the learner’s DLT, IEP and learning assistant bot to be used, via their PIAM (Personal Identity Access Management) and the learner’s PIAM
- The schools LMS “Learning Management System” instantly takes the legal consent agreements, plus the learner’s identity and learning information, and integrates this with the school’s learning systems
- From the first day, each learner is delivered a customized learning program, continually updated by both human and AI system/bot learning specialists, as well as sensors, learning assessments, etc.
- All learner data collected in the school, is stored in the learner’s LDV
- If the learner enters any AI/AR/VR type learning environment, consent agreements are created instantly on the fly with the learner, school, school districts, learning specialists, etc.
- These specify how the learner will be identified, learning data use, storage, deletion, etc.
- When the learner acquires learning credentials, these are digitally signed by the authoritative learning authority, and written to the learner’s SOLICT.
- The SOLICT in turn pushes these out to the learner’s LSSI devices
- The learner is now in control of their learning credentials
- When the learner graduates, they’ll be able, with their consent, to offer use of their DLT, IEP and LDV to employers, post-secondary, etc. This significantly reduces time and costs to train or help the learner learn
- The learner continually leverages their DLT/IEP/LDV until their die i.e., it’s a lifelong learning system
- IT’S TRANSFORMATIONAL OVER TIME, NOT OVERNIGHT
