Being digital
When people talk about digital IDs, they tend to limit it to identifying themselves in very official situations. Do you ever see digital IDs being used more casually, the same way caller ID is used now?
I think that's a good point. This technology that we have, something called digital IDs and digital signatures, really has broad-based usage. Much the same way you have a library card, a credit card, or a driver's license, they're all used for various degrees of identifying who you are, some more casually and some more officially. You'll have a set of digital IDs that are appropriate for a given set of transactions you're going to do. We actually think that for secure mail--that is, sending people encrypted mail that nobody else but the receiver can read--you'll use a very casual digital ID that's just associated with your name. Whereas, to do a credit card transaction, you'll really need a digital ID that's issued by Visa, MasterCard, or American Express. So just the same way in the physical world where there is not a one-size identity vehicle that fits all, you won't see one size in the digital domain, either.
The way we describe it is two to three years out, you'll probably have something known as a digital wallet that's managing a variety of these different digital IDs: some for credit cards, some for banking, and some for just sending mail to your friends.
People might worry about how those digital IDs will mix and match information.
Right, and in fact, they really can't. These things are prepared with some of the strongest encryption technology that currently exists. Once they are created, they can't be forged, they can't be tampered with, and in essence, they can't be shared across multiple sites of applications. They cannot mix and match each other.
Aren't we sort of assuming a bit of American-centric ideal here, that IDs will come out of VeriSign, that they're approved by VeriSign, but not necessarily the French government? What are some of the issues there?
I think there are a lot of issues. Again, just as today the government doesn't issue your credit card, Visa doesn't issue your driver's license...There are many, many entities today that issue you some form of identity or authorization card based on what relationship you have with them. We think it's going to be the same on the Internet. Your credit card companies will have their brand on the digital credit card, VeriSign will have its brand on the digital ID a variety of classes, and a government may also issue digital IDs for its citizens to interact with government--Social Security, taxes, medical benefits, etc.
So there's going to be a variety of these things and they will be issued by a variety of different entities. We have already started a subsidiary in Japan specifically because we want to localize what we do to the practices inherent in the Japanese culture. The Japanese government, in fact, is spending $100 million over the next two or three years to do electronic commerce pilots and really test out the cultural acceptance of things like digital IDs and digital cash. So we're already in Japan. You'll see us in Europe next year, again, localizing all the things that we do to make them culturally right, yet at the technology level, interoperable across the globe.
There are more than cultural issues in Europe, though. There are some very strict data privacy directives from the European Union.
One of the first people we hired here actually wasn't a technologist. He was a lawyer who had been working for eight or nine years in electronic commerce law. We're very closely following all the various legislative and legal aspects that are developing in all these countries, and we'll have to change what we do based on what the local laws and customs are.
Data privacy is a particularly interesting one for us. It's likely that in France, as an example, you'll have to issue the digital IDs from France under French law. But in Germany, it's probably okay to issue them from Belgium or somewhere in the Nordic countries. So all of this stuff is kind of maturing, developing, and evolving over the course of the next 12 to 18 months. Meanwhile, what we're seeing is that we have issued digital IDs to consumers in over 50 countries already.
How many of those have you done?
We sold well over a 250,000 [individual certificates] in just our first 90 days. Today, we've sold over 400,000 individual certificates and 10,000 business certificates.
What does that mean in terms of actual trade? What are people doing with them?
Today, the most likely usage is to replace a password and log-in as you go to a Web site. Instead of being asked for one of ten passwords you might have to memorize and use, your digital ID can act as your gatekeeper, your access control into these Web sites without you as the user having to type your password in again. That's the predominant use today. We also see secure mail as another big driver for the IDs.
Soon with Visa, we'll roll out a pilot for digital credit cards with some of their banks and their cardholders. I think that's where you'll start to see the payoff in trade: electronic payments with credit cards. There are other things with brokerages and banks where they want to give you access to the accounts you have and let you either see what your account balance is and also potentially move money from account to account, or buy stock in one account, or in one company, or sell it in another.
So you're going to see a variety of uses. Predominantly the 250,000 we've issued today will be used mostly for access control on Web sites, but in the next 6 months you're going to see at least another half-dozen applications roll out.
So is it the end of anonymity on the Internet?
No, I think that anonymity has its place. We also think there's room for identifying who you are at various levels of assurance on the Net. Today, we don't care in the physical world if we're anonymous when we hand somebody our credit card, right? If we're going to do that on the Internet or in the digital world, we need to identify ourselves and make sure that somebody understands that we have the authority to purchase something on the Net.
I think it's very simple: Everything we do in the physical world that's appropriate, we're going to move into a digital world in terms of providing services or buying goods--buying software, buying flowers, buying wine--all of those things that are obviously early successes on the Web. Those things where we identify ourselves to a physical merchant today, we will want to do with a digital merchant in the future.
Can you describe what businesses buy from you and what individuals buy?
An individual gets something that's more like his or her driver's license; it identifies who he or she is as an individual.
What do I get? A card or a little bit of paper? How do I know I actually have one?
Well, it will be sitting in your browser and you can pull down a menu item and look at your certificates where you'll see your digital ID in there from VeriSign. In the business sense, it's more like getting a business license. People know that you are an incorporated business and you have legal provisions that are allowing you to use this trade name and the rest. So when we get a request from a business, we don't check out the Webmaster, we check and make sure that the business has an article of incorporation, that we can confirm the businesses identity. We check the InterNIC to make sure the domain names or the URL they want to use for the certificate really belongs to them.
How do you register an individual?
We check them against a computer database such as Equifax to make certain that the date of birth and the address of the individual and the social security number and so on match what's in those consumer databases.
And if it doesn't match?
We don't register the consumer.
What about all the mistakes in those databases?
We have pretty sophisticated algorithms that look for transpositions of numbers and to see if abbreviations are misspelled, etc. In general our goal is not to issue 100 percent. Our goal is to maintain very strict guidelines. We never bend the rules, and what we try to do is make sure the algorithms are as good as possible to try to sort out mistakes.
Can you describe where you keep all this information?
We have three locked doors between the outside world and these keys that we use to sign certificates. The first door you have to come through with a physical key, the second door requires an electronic key, and the third door requires an electronic key and your fingerprint. In the war room, the digital keys themselves are stored in military-grade boxes that, if they are tampered with, electrically erase their contents.
Self-destruct?
That's right, but without the smoke.
NEXT: The business of digital identity