Verifiable Credentials, Britney Spears and the Future of Digital Identity
When it comes to security in the virtual world, she was a pioneer.
Dateline: Woking, 27th March 2022.
While it is clearly the case that the world of decentralised finance is home to flagrant criminality, outrageous fraud, tax avoidance, money-laundering and no end of flim-flam, we should not lose sight of the fact that a new and valuable infrastructure is emerging. Whatever you think about pictures of chimpanzees with sunglasses on or venture capitalists pumping coins for distributed autonomous organisations (DAOs) and such like, it is clear that this new infrastructure will open up new services and new business models that will transform the way that we interact. That new technology, technology that provides a means to execute completely secure transactions in completely insecure environments, is game changing. And in this, as in so many other ways, Britney Spears was a pioneer whose place in history is assured.
Younger readers of a cyber-disposition may not remember the time when Ms. Spears was the biggest pop star in the world and dedicated fans of the celebrated songstress could buy her fan club smart card kit. The Britney Spears smart card should be regarded as a landmark in the evolution of online services and I will explain why…
The Britney Card
Twenty years ago, a British start-up called Internet PLC launched the Britney SmartFlash card kit. The $29.95 SmartFlash kit came with a card and a USB card reader. When the card was inserted into a reader, a web browser launched and the viewer was taken to a secure web site where they could see information about upcoming tours and other promotions. When the card was removed, the site closed. The fan club sold more than 25,000 of these kits before they were discontinued.
Yes, that's right, Britney launched a branded smart card and a branded smart card reader, and I have them on my desk in front of me as I write.
(Fearing that I would end up on some police database, I bullied my sister-in-law into joining the Britney fan club on my behalf and ordering one of the kits for me. But as a marker for how dull my life is, I should reveal that I wasn't interested in Ms. Spears' music: I wanted the smart card reader!)
At the time Britney took her brave step, my colleagues and I were involved in a number of leading-edge smart card developments in the payments space, so we had plenty of cards and readers at our disposal. The reason that I indulge in this nostalgic discussion about her kits here is that they stood out to me for one very simple, but vitally important reason: they worked. I wrote about my experience with the kit a few years later, reflecting on what happened when some of the leading financial institutions of the time (eg, American Express) had been experimenting with authorising online access via connected smart cards and readers:
We plugged in a well-known financial services company's smart card reader. It didn't work. We downloaded some drivers, reloaded the software, rebooted. The card reader was visible to the software, but nothing happened when we put the card in, so we gave up.
We plugged in the Britney smart card reader and it worked first time. We inserted the Britney card and it launched Microsoft Internet Explorer and took us straight to the members-only section of the Britney web site.
Somewhat surprisingly, we discovered that the financial services card that we were testing worked perfectly in the Britney reader. In other words, having installed the Britney reader we could now gain the ability to perform secure financial transactions on line.
Let me re-emphasise my point here: it worked. And it was designed for 9-year-old girls to use. And once the user had been motivated to install the Britney smart card reader, when they would never in a million years have bothered to install a Wells Fargo card reader or a Citi card reader, that standard reader with a standard interface worked not only with the standard Britney card but with any other standard smart cards.
I always wondered why business didn't exploit Britney's trailblazing smart card expertise. It would have been relatively trivial to use a $5 smart card reader, an EMV card and a few bytes of application code to create a Britney-like online experience. Plug in the reader, insert your debit card, your default web browser takes you to your bank home page.
(The software to do that, standard SSL client-side certificates, was present in almost all web servers and web browsers at the time.)
Since then chip cards have gone contactless and vanished inside mobile phones with near-field communication (NFC) goodness, but the crucial reason for using them to store credentials remains the same: they cannot be cloned. There are billions of smart credit and debit cards out there, billions of SIM cards. They are used for that straightforward reason: they are unique and it is computationally infeasible to make an identical copy of any of them. Sound familiar?
You can probably see where my clumsy analogies are going. It is time to tell this story, not because I loved my Britney Spears card (indeed, I still do), but because it is a useful weathervane for the metaverse. To borrow the historian David Edgerton's phrase, when I was talking to the brilliant Evin McMullen of Disco about business models enabled by the new security technologies of digital wallets, blockchains and verifiable credentials, I was struck by the shock of the old.
(Incidentally, if you haven't watched Evin's outstanding talk about verifiable credentials at Denver ETH earlier this year, you will find it extremely well worth twelve minutes of your time.)
In the days of the Britney card all the fans needed to know was that if you had the card you could see stuff, if you didn't have the card then you couldn't see stuff. The card was a secure proof that you were a member of the fan club and it worked online. It was, in essence, a verifiable credential but no-one using it had to understand anything about public key cryptography, digital certificates or ISO 7816.
Verifiable credentials have a crucial role in resolving the "clash of the titans" between the growing metaverse and growing demands for data privacy. We have to bear in mind, as David Blonder (data protection officer at BlackBerry) says, one simple truism: people will trade security for convenience. For security to work in the metaverse, it will have to be implemented in a way that is robust without negatively impacting user convenience. In other words, if we are going to keep personal information out of transactions and interact through credentials, we need credentials that are as easy to use in the virtual world as Britney’s smart card.
I said at that time that where Britney has blazed a trail, others would surely follow, but it has taken a generation to get us to the point where her vision can be realised at population scale. An NFT that is a JPG from Britney, meh. A VC from Britney that means you can access part of her website that is invisible to the hapless VC-less multitudes, now you're talking. A VC that gets you into the VIP area at the next Britney show, now you are talking bank.
If that VC is the modern day equivalent of the Britney smart card, then the modern day equivalent of the Britney smart card reader is a digital wallet capable of storing VCs so that they can be presented under user control as the metaphorical card is pushed into the metaphorical reader.
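The mechanics that the card hid from the fans, and that a wallet presenting a VC repeats, shown as an added Go sketch (not code from this article or from any VC library): the issuer signs a claim bound to the holder's public key, and the holder proves possession of the matching private key by signing the verifier's fresh nonce. The `Credential` struct, the function names and the `fan-club-member` claim are constructed for illustration; real VCs follow the W3C data model rather than this simplified format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential (constructed, simplified): issuer signature over claim + holder key.
type Credential struct {
	Claim     string
	HolderKey ed25519.PublicKey
	IssuerSig []byte
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func payload(claim string, k ed25519.PublicKey) []byte { return append([]byte(claim+"|"), k...) }

// Issue is what the fan club does once: sign (claim, holder public key).
func Issue(issuer ed25519.PrivateKey, claim string, holder ed25519.PublicKey) Credential {
	return Credential{claim, holder, ed25519.Sign(issuer, payload(claim, holder))}
}

// Present runs inside the wallet; the holder's private key never leaves it.
func Present(holder ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(holder, nonce) }

// Verify is the site's check: trusted issuer first, then proof of key possession.
func Verify(trusted ed25519.PublicKey, c Credential, nonce, proof []byte) bool {
	return len(c.HolderKey) == ed25519.PublicKeySize &&
		ed25519.Verify(trusted, payload(c.Claim, c.HolderKey), c.IssuerSig) &&
		ed25519.Verify(c.HolderKey, nonce, proof)
}

func main() {
	issuerPub, issuerPriv := NewKey()
	fanPub, fanPriv := NewKey()
	_, copierPriv := NewKey() // holds a copy of the credential, but not the fan's key
	cred, nonce := Issue(issuerPriv, "fan-club-member", fanPub), make([]byte, 32)
	rand.Read(nonce) // fresh per presentation, so an old proof cannot be replayed
	fmt.Println("holder admitted:", Verify(issuerPub, cred, nonce, Present(fanPriv, nonce)))
	fmt.Println("copier admitted:", Verify(issuerPub, cred, nonce, Present(copierPriv, nonce)))
}
```

The credential itself can be copied freely; what cannot be copied is the private key, which is the software counterpart of a chip that cannot be cloned.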
In 2022 we are not going to use smart cards when we have Trusted Execution Environments (TEEs) in our phones and we are not going to use smart card readers when we have smart wallets and super apps. The challenge for our industry is to make VCs as easy in terms of customer proposition, installation and use as that celebrated card and USB reader, both built on international standards, were. Britney set us a high bar, but I think there are some people out there who can reach it.