How is KILT giving data back to the owner?

Take KYC, for example: KYC, or “know your customer”, is just checking the credentials of people. It is checking where you are from, if you really live where you say you live, if you really have control over the bank account you have sent the details of,etc. KILT could be used for social KYC – actually, that’s the first use case everybody thinks of. 

And KYC is done millions of times a day probably, because you always need KYC – you need it when you open a new account pretty much anywhere. And this KYC information is normally not reusable. Or at least, if you want to make it reusable you have to give control over your information to someone else. And this is something that is broken right now with digital identity, because the identity, the credentials and the identifier together, they are normally not with the user.  

And there is a huge difference between the real world and the internet world. In the real world you have all those credentials with you, you own them, and you decide who you show what credentials to and for what purpose. So if you want to get into a bar and have to prove that you are old enough, you can choose from your wallet what you want to show. It could be your driving license, or your passport, or your student card. You can pick anything with your date of birth on it. Then you choose this credential. You can also choose not to present it and just not bother going into the bar. 

And then when you’ve chosen your ID, you can still decide what kind of information on it you want to actually disclose. You’ll probably need to disclose the photo because the person on the door will want to compare the photo to your face, and you will have to disclose the date of birth printed on there. But there’s no use disclosing your name. So you can put your thumb over your name and say look at the photo, the date of birth, and then you get into the bar. 

Another good thing about this besides being able to make selective disclosure, as this is called, is that the person who gave you the id card will never find out if you went to this bar. Because the person on the door is not checking with the government to see if they issued you your driving license – the only thing they check is if the face matches the photo and if the credential actually looks like it was issued by an entity that they trust. 

You could make yourself a credential and stick your photo and a date of birth on it and say, “here’s my credential and it says I’m old enough to come into this bar” but why would the person on the door trust you? But if it’s a driving license that looks like a driving license then the person on the door would say “it’s from a department I normally trust so you can come into the bar.” 

So there’s a trust relationship – a non-electronic relationship. And that provides great scalability because billions of people can go into bars with their driving license, but the server of the department that issues the driving license never crashes because the department is never asked about you. That’s a cool thing! This is how it works in the real world and this is a mechanism that we’ve had for thousands of years. 

And then the internet came and there you go to a service like Facebook and you say, “Hey, I’d like to use a username and a password.” Then the username is looked up to see if it exists and the password to see if it’s long enough and if both are OK then this is a new identifier. So your Facebook account is actually an identifier. But this identifier lies with Facebook and not in your pocket. So then you start to do things on Facebook, to make friends and connections and post pictures and all of that stuff. Which are actually credentials, because they form your identity on Facebook. But all this information is not in your wallet – it is on a central server on Facebook. 

And this creates some problems. The first is that it is a honeypot for hackers because it is not just your identity that is there, there are lots of them, billions of them there. So if a hacker wants to break into the system they just hack in and get billions of identities, which is not good because when they break into your wallet in the real world they just have something from you and they can’t even use it because they have a different face. So if your passport gets stolen that’s annoying but it’s actually not really a huge problem. But if they break into Facebook, it is a huge problem, because then billions of identities are stolen. 

And the second problem that this causes is that it introduces a lot of power on the side of the platforms because of OAuth2, which is a standard used for digital identities right now. And that says that you need a digital platform and other people can trust this digital platform. So what happens when you want to log in with WhatsApp? Well, what it does is give you a little button that says “Log in with Facebook” and then you can say yeah, I want to log in with Facebook and it looks up all the information Facebook has on you. 

Then Facebook shares the info with WhatsApp, and that means that they keep all your credentials and other people can look at your credentials. And this is not right because this produces a lot of power on the site because more and more information is gathering with Facebook, and not with the people who own it. 

And there are more problems with that – from a security point of view the first thing is that there is a shared secret here, because you know your password and Facebook also knows your password. And that’s not good because it can be stolen. So a system is needed that produces identity in the digital world for people, and also for things, which is as decentralized as the normal wallet is. 

That would need to be a system where you can go to a trusted entity, like the department that gives out driving licenses, and say “Please, I think I can drive, can I do a test and if I pass the test can you please issue a credential to me?” And then they issue a credential to you and it goes into your possession, it doesn’t stay at the driving license department. 

And when you meet a policeman who wants to know if you have a driving license he just looks at it. And when you want to get into the bar you can prove you are old enough to have a driving license by showing it to the barman. 

And this is where we meet a different system - the kind of system that KILT does. It provides the possibility for you to have a claim about yourself and go to a central entity and say “Please issue me a credential that I can drive.” And then the attester will probably check that you really can drive and issue a credential to you and this credential then goes into your possession. And you choose what you want to do with it, if you want to show it to the car hire company, if you want to show it to someone else, whatever. 

This is the basic idea of KILT. The power of handling the data is taken from the central platforms and from the attesters into the hands of the claimers, the people, sometimes also called the holders, the people who actually own the information.