Debbie Reynolds “The Data Diva” talks to Vikas Malhotra, Founder and CEO of WOPLLI Technologies, Co-Chair - Trust over IP Foundation’s AI & Metaverse taskforce, and Chair of IEEE’s Cyber Security for Next Generation Connectivity Systems for an IEEE project called "Cybersecurity for Next Generation Connectivity Systems". We discuss his early career in electronics and system integration, trust and the Internet, human centricity, and our work together with IEEE Cyber Security for Next Generation Connectivity Systems. identity, self-sovereign identity, privacy as an agency, the benefits of privacy to organizations, the cloud has encouraged retention of data, and his hope for Data Privacy in the future.
Debbie Reynolds “The Data Diva” talks to Vikas Malhotra, Founder and CEO of WOPLLI Technologies, Co-Chair - Trust over IP Foundation’s AI & Metaverse taskforce, and Chair of IEEE’s Cyber Security for Next Generation Connectivity Systems for an IEEE project called "Cybersecurity for Next Generation Connectivity Systems". We discuss his early career in electronics and system integration, trust and the Internet, human centricity, and our work together with IEEE Cyber Security for Next Generation Connectivity Systems. identity, self-sovereign identity, privacy as an agency, the benefits of privacy to organizations, the cloud has encouraged retention of data, and his hope for Data Privacy in the future.
44:46
SUMMARY KEYWORDS
data, organizations, identity, privacy, trust, debbie, world, decentralized, situation, identifiers, wallet, systems, sovereign, collect, person, people, timeframe, control, cloud, lead
SPEAKERS
Vikas Malhotra, Debbie Reynolds
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. They call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show all the way from New Jersey, Vikas Malhotra. He is the founder and CEO of WOPLLI Technologies. Welcome.
Vikas Malhotra 00:41
Thank you so much, Debbie. Thank you for having me on the show. Yeah. Nice to meet you and your audience. Yeah, I thought it would be great if I invited you to be a guest on the show. I love the things that you post and the way that you talk about data and digital life. You talk about it like a trust fabric for life. And I’d love to get your thoughts on all that. But before we get started, why don't you tell us a bit about your technology journey, why you decided to start WOPLLI and also how you got interested in privacy. Awesome. Thank you so much, Debbie, for that question. I started my journey in the mid-90s. And I'm a technologist and an engineer by training. I did a lot of work in electronics and telecommunication during my education timeframe. And I got into this whole area of digital technologies and system integration, working with the many things on up and down the OSI, ISO, and OSI layers. And during that time, I ended up in some places where I got the opportunity to be a pioneer and affect some of the new paradigms in the technology areas. So early on, I worked in the networking side of things, emails, systems, and application systems. And then, in the early 2000s, I was actually bringing up something called an application service provider, which was a precursor to the cloud services. And from around the 2008 timeframe, I got an opportunity to bring the cloud technologies at Microsoft from zero to one situation. And in doing so, I got exposed to many areas which were related to think of, like how the Internet works, how cybersecurity works, and privacy works. I was leading a program around trust with transparency at Microsoft Office 365. And this was going back to 1990s, late 1990s, I, in fact, was in a situation where there was first very first attack, I believe, an anti-virus attack that happened, which was a Melissa virus, 1999 timeframe, I was there on the ground, working to mitigate that kind of a situation. So, a lot of these things have happened over the years. And I lately, at Microsoft, I spent all my good technology working through a lot of areas. But then, in early 2021, I realized that the cybersecurity and the privacy problems of the world are not going to just go away the way things are situated today. And it required some new form of thinking, a new form of building things. And that is where what led to the formation of WOPLLI Technologies. I came out of the corporate world, so to say, and formed technology whose rich vision is to make our experiences as we work, play, learn, live, be safe, fair, and trusted. Work, play, learn live at our experiences, as I highlighted, and that is how the word WOPLLI has been found, so it's a combination of those four words.
Debbie Reynolds 04:49
Wow, that’s really cool. Really cool. I would love to talk a bit about trust and the Internet. So I think it's cool that you were so early in your career, going from computing where people were, let's say, computing in ways where they were doing it, like on premise within organizations move, developing technologies where people are in the cloud. And I feel like a lot of people who are in the cloud are allowed, especially around security, sometimes they still have that idea, they're trying to use methods that they use when data was on-premise, right, and not as ubiquitous in the cloud, it just doesn't work. It just is not a fit there. So tell me about things that you were seeing as companies were moving data from on prem into the cloud, and what the challenges that are created as a result of that, and how kind of WOPLLI deals with that.
Vikas Malhotra 06:05
That's a good question. So there'll be one thing that has happened with the cloud world coming together is that previously, when, as you noted that when the organizations were putting the data, right, or creating the data, it was all under their control, and now, there is always obviously a debate about whose data it is whether it is a person's data or whether it is organization's data, but organizations were controlling it, at least in their on-premises environment, with the cloud world that changed. So now there was this notion of putting data in somebody else's data center, which was for these cloud service providers, and that led to, in fact, a new paradigm of thinking of a shared services model on how companies should view their responsibilities versus the cloud service providers responsibilities. And where that line could be drawn between how the risk management is done, how the compliance is done, and who holds what, from the responsibility standpoint. And as part of my experience, at Microsoft, in fact, I had an opportunity to draw some of those paradigms in the 2010 and 2011 timeframe when we were thinking through this. There are some shared services models that were drawn out, and I have been on the frontline in creating those and presenting them to the world, and now it is out there. So it has led to a change in how companies would view their responsibilities and the risk models and where how they would view who to trust versus not to trust. And at the end, a big thing that has happened in the last decade or so is that people have been trying to figure out how they can trust their particular cloud services provider, and now, the cloud comes in different ways, the SAAS providers, there are commercial services, then there are, you can think of SAAS and whatnot, and placing that trust on and how the data is being processed in those different places. That is a big, big challenge. And people go to different degrees, and companies go to different degrees based upon the regulatory stance or what they want out of in what kind of compliance they want to implement, to go and review these places, but then not every cloud service or every service is actually transparent enough to provide that information, either. So from a WOPLLI perspective, we think that the current system requires some change from the perspective of giving control to the data provider, who is supposed to hold the data and do it in a way with the information could be stored and leverage this, like masking cloud establishments, but still, the data is in the control of who that data should be with. Right. And that is where one of the principles that we put out there is the distribution of data processing across different vendors. And that and across various layers, including from the compute to going up to storage to the application side.
Debbie Reynolds 10:36
So what problem does your organization WOPLLI help organizations solve?
Vikas Malhotra 10:44
That's a great question. So we are at an early stage startup right now, and we are currently working in three-wide areas. Given our vision, and those three areas that we are, first is we are building a new platform. And this platform is going to be a trusted platform of verified things that people can interact with. And we are basing this platform on the five architecture principles that we have laid out, which I will go in a little later. The second area that we are working in is we are affecting and contributing to and also creating new standards and frameworks in visible work at organizations like cluster IP Foundation, decentralized identity Foundation, IEEE, NIST, etc. And the third area, which we have to really do some more work on, in fact, at this point of time, is we want to create a global alliance between academia, public and private, on a center of excellence for digital trust. So I will make a call out for anybody who would want to join us in this center of excellence stress journey; you have to contact me. Now coming back to the first one, which is where I spoke about the principles. And we have found five architectural principles. The first one is human centricity, which essentially is to provide better control or control to a human being on their data and their experiences. Number two is decentralization in identifiers. Number three is distribution of in data processing across various layers and architectures. Number four is heterogeneity in the control providers and control assessors. And number five is the verification of things and creating the self-healing mechanisms within the architectures. So those are the five principles that we have adopted. And we are looking to create a platform around these things. I will not go into the detail of what that platform will actually do. We have a grand vision, and we are executing on it. And yeah, and the two things, which are the standards and frameworks in the center of excellence.
Debbie Reynolds 14:06
Excellent, excellent. I would love to talk with you about human centricity. I love that you put it that way. So much of the business world has been focused on the human has really been focused on the customer and what we can sell someone, so it hasn't been thought about in terms of the benefit and also the harm to humans. And so I think what you're proposing is the way of the future is the way that companies have to be in it, but it's the opposite of the way the companies are today, which is very shareholder centric, centered on the business and what they can do with data and information. Not really centered on the human, and I feel like this is definitely the wave of the future but tell me why human centricity is very important to your principles in the way that you are working.
Vikas Malhotra 15:06
Great question, Debbie. And thank you so much for holding on to that point. So, as you said, the world has been very focused on the word customer-centricity or user-centricity, or consumer-centered centricity. And all of those things actually assume that somebody is going to become your customer, and somehow you're going to manage them differently at that point in time. On the other hand, what we are proposing is that we got to look at humans and the human experience. And even if they're not paying customer at a given point of time, you got to provide them with the right services, and we're talking in the digital context, obviously, which which you would provide in the, as in when they become the customer paying customers as well, we should not be discriminating between the two, the experience should be a continuous stream over there. Now, what, where does this thing has an effect is that if you consider that people have many organizations, many companies, many services have considered a user a paying customer kind of a paradigm, and there has been a notion that a few people are getting free services, then their data is essentially up for grabs. And we can offer whatever, and people will just take it because it's for free. And that's not the way to look at it. The data of a person is not for grabs. If they're not paying customers, I believe that that is the actually the root of why we are in such privacy kind of problems today. Because we have been thinking that we have rights to a person's data, and we can take that data and do anything with it, as long as a person is getting some free services and stuff. And we're trying to, as you said, it's a very opposite point of view. But I believe the solution for these privacy problems and the data processing problems that we are dealing with in the world today in the digital world today. I think the solutions lie in the understanding that we have to look at it from a human-centric standpoint.
Debbie Reynolds 18:06
Excellent, excellent. I also want to talk with you about identity. So identity is something that I like to talk about because it is so centered on human rights. So, unfortunately, the way the businesses have gone about identity is, like you said, as a user and customer type of issue, but I did see it’s a lot deeper than that. So tell me about what's happening in the identity space that you think needs to change going forward to make this kind of human-centric thing work?
Vikas Malhotra 18:41
Yeah. So there have been three shifts, actually, in the digital identity world. And there is a lot of thinking going on right now. Around the world, including at the United Nations, they're discussing legal identity and all those aspects. But at a broad level, there are three changes that have happened. First, there was something called a centralized identity systems. Think of it like this. We used to have mainframes in the 80s and 90s timeframe. And a person would walk up to a certain console and they walked up to their identity information to log into that console. So it was a very centralized organism. And that kind of mechanism kept on going; obviously, we're just logging back and forth into that particular place. Then came something called federated identity systems, which is where now they were new identities. Solutions are different setups were done by different companies like Microsoft, Facebook, Google etc., etc. And but they created these centralized islands of identity systems where they could talk to each other, but then everybody is essentially trying to become the key trust provider in the sense among everybody else, right. So that is the federated identity system, and that has been in existence for about 10, 15 years now, and now, what we are talking about is something called decentralized identifiers or decentralized identity systems where along with taking that taking it along with something called a self-sovereign identity, what we are saying is that the person is actually in control of their identifiers, and there are some organizations think of like your licensing organization or the passport information organization, and they issue these something called as verifiable credentials are identifiers to you, but only you have access to that information nobody else has. And, and the architecture is such that the wallet, or in that scenario, only you are the holder of it. And then you can produce those verifiable credentials in front of the verifiers out there. So, they can verify you with a minimum amount of information that you can produce using zero knowledge proofs. And this kind of a scheme can help a person not only have control of their own personal data as it is getting stored inside their wallet. But it can also help them control the data flow as the data is going to the verifiers and whoever it is. So now, in this whole situation, so what is the difference from the existing identity system so the difference is that, in the current identity systems, the issuer of an identity, or the creator of an identity, or identifier, and the verifier of identity, are many times one of the same, same organization, think of a Google right, so you create a Google account. So you are, they are issuing you some sort of a username password, and but then you are also being verified against their own systems, et cetera, et cetera. So they are holding your information also. So that's the second thing, they are also taking the information, and there is a whole debate about how that information is used and etc., etc. Now, in the self-sovereign, identify world and verifiable credentials, you are holding the information inside your wallet, nobody else's. And as far as the issuer of the credentials is concerned, and the verifiable credentials are concerned, they are, in most cases, separate ones. They are separate, separate organizations. And that leads to a question of how you would form trust between those two parties without them being in the direct connection. And that is what the trust over IP foundation and those architectures are trying to create. So this is the new form of identifier systems which are being brought to the world now.
Debbie Reynolds 24:00
I want to back up a bit. I obviously know what self-sovereign identity is, but I would love for you to explain to the audience what it is. So for me, and you correct me if I'm wrong, I'm sure you have a more eloquent way to put it. I think of self-sovereign identity as almost like an individual is kind of a bank of their own data. And then they choose how they share it. But I understand your point, which is there has to be kind of some verification or authentication that happens. And so, how do you have people control or have agency over their own data as if they're a bank? And how do those these other organizations verify or trust kind of that that that identification? What are your thoughts?
Vikas Malhotra 24:51
Yeah. So self-sovereign identity, as the word suggests, first of all, is think of like SSL sovereign, right? It's self-sovereign, it is like you are holding your wallet and the information that is inside that wallet is only accessible by you. So that is the first thing. So that's what is meant by self-sovereign. Now, let us say Debbie has a wallet, as an SSI wallet, and she has something to hold now, right so, so she's a holder of this wallet, and what is she going to hold inside that wallet? That becomes the question, right? It is again part of the Verification Scheme, authentication authorization, Single Sign-On, etc., etc. Now, how would you go about doing that is that think of like, there are organizations that would issue some form of identifiers today, in our physical world today, these things happen in paper form, for example, licenses get issued to us, passports get issued to us, we have paper copies of those things, birth certificates, etc., etc. And think of these getting converted into digital form, which are called verifiable credentials, and only getting issued inside your wallet to which only Debbie has access. Yeah, and on the other hand, there is a verifier organization. Now let us say you are going to go to the airport and you are taking an international flight, and you want to produce your passport. And when you show up at that kiosk, they would want to see your passport, and you bring out your self-sovereign identity wallet. And there is a whole mechanism with only the public keys going into an external database. So there is like a public key kind of verifiable database like blockchain, which is used to figure out the PKI public key of the issuer. And the verifier uses that to read the document that is personal and private to Debbie inside her into inside her SSI wallet. Now, also, one other thing over here is that Debbie doesn't need to produce more information than actually what is desired. So if all that is needed to be confirmed is that you are a United States National, and the birthdate, etc. And whether the passport is valid or not, you don't have to produce your name and this and that or everything else. So, different situations can require different kinds of verification. But Debbie can control what kind of information gets produced and gets verified by the verifier, as well. So in all of these situations, the information, the actual information, is personal, inside the SSI wallet of Debbie. And there is an external database like blockchain that is being used to exchange the public keys between the issuer and the verifier.
Debbie Reynolds 28:37
That's an excellent description of it. Let's talk about privacy here. So I think the example you gave was a really good one, especially when I think about privacy. So when I think about privacy, I think about it as agency to decide what you do or don't want to share. So your example about someone having a passport or going to a border. And so the person, they just need to know that you are eligible, right to be able to cross that border, they don't need to know your address or these other bits of information. So for me, privacy is about sharing, deciding what you want to share, or what you don't want to share, or your question, which is even a bigger one is like what is necessary to be able to do this transaction where what we're seeing now is that companies, they've just collect so much data, and so a lot of it is very unnecessary. You don't need to know all that to be able to do these functions. So tell me about how privacy goes in there and then how trust is interwoven in all those processes.
Vikas Malhotra 29:52
Yeah. So as I said, privacy becomes the key output. of this whole situation because one is that the privacy of the data is private to me in this in this particular situation is personal inside your SSI wallet. And then, on top of it, you can control what data gets shared, right? And if there are proper controls, establish like, okay, what is the minimum amount of information that a verifier needs to get Debbie? To the next thing, then you can establish the minimal data exchange. So data minimization is achieved through this right, you can put more controls around this whole situation as well, around the data processing and whatnot there could be situations that were put there, we can probably define whether whichever variable the data is getting shared with the verifier. You know, what kind of processing can happen on that data. But that's the second part of the problem. But at the minimal level, it changes the equation back, like, let's say, you're going to a website, which is like taking all your information as you go in there. And the,n you are establishing an account for every website to interact with them. It solves both of those issues. One is, with your self-sovereign identity wallet, you do not have to create another account. You could use that wallet to actually authenticate and authorize, get authorized to do functions inside a website or some service. And then you can also have control over what data you share to get to that authentication, right. And there's going to be a negotiation over here, depending upon the different parties in the mix. But those kinds of negotiating, that negotiation model can be established using this SSI wallet and verifiable credential scheme.
Debbie Reynolds 32:07
Let's talk about the benefit to organizations. So what we see now, organizations that collect data indiscriminately they're not happy about moving in this direction because they get to collect less data, right. But then, on the other hand, if you really want to build that trust, I think you need to and what we're seeing are both Data Privacy regulations around the world, you have to have a purpose, you have a reason for wanting that data to begin with. And so, to me, that helps to engender that trust. But let's talk about the benefits in terms of, for example, let's say, this is a good example that my friends in identity like to use. So if I have to go to a store in the US to buy alcohol, you have to be 18 years old in the US. The person that I am interacting with to make this purchase they don't need to know my name, they don't need to know my address, they don't even need to know my date of birth, they just need to know am I over 18 or not? Right? So to me, this is the type of data exchanged that can be achieved in identity systems and the way that you're talking about self-sovereign identity. But then, on the flip side, it can help organizations because it should speed transactions. First of all, it can limit their data risk because they're not collecting more data than they need, and then it can help engender trust. So, talk to me a little bit about what you think are the benefits for organizations to be able to move in this direction.
Vikas Malhotra 33:45
You are absolutely right. In fact, that example that you just talked to, it has been used so many times to explain this kind of situation. So, you can prove that you're above 18 without actually telling your date of birth or your name or your address, which is what you actually do when you flash your license in front of someone. So minimum amount of data exchange, the benefits, I think are things like one thing you just mentioned over here is that there is better clarity on what data is actually getting collected. And how it is being processed. Today, organizations are confused, and they collect more data than they need to collect. It is not useful for their business anyways that additional data and that, and the other side of the problem is that data ends up in from hands and stuff and leads to other problems. So so, they will have better clarity on what data is being shared and being collected and how it is being processed so that they can produce in front of the regulators or whoever the case is to show their compliance to whatever regulations are going on. So it helps with the GDPR side of things. Now, the other thing is other benefit is that if they're minimizing the data collection, obviously they could be collecting for whatever is required by the business, right—and making it clear to the person that this is being done. And as long as that full transparency is there in the system that is needed, but it is leading to data minimization. Now, your processing costs for that data go down as well because you're collecting less to the point. And you have better control over how you're going to process it, how you're going to store it, and how you're going to secure it, more importantly. Because one side effect of all this data collection is that the data is collected, and now it is forming these data pockets, essentially, which is a honeypot for the hackers to come in and scoop that data away. So the third benefit, I would say is that it will lead to better security, cyber security situations where like as a result of this, I mean, they, we have to put other controls from the cybersecurity standpoint, this is not the only control that will lead to that situation. But less data getting out is better than all data getting out if we feel we do end up in that situation.
Debbie Reynolds 36:50
Absolutely. And then to that point, let's say if the only data that you're collecting is that someone came to your establishment that was over 18 about alcohol. So I'm breached that. What did they get? They didn't get anything; there's no value to that data outside of your transaction with the individual, which is what you want at the end of the day. So you want, that's all you need. That's all you really need to be able to do your job and your business and then not increasing the risk. So one thing about the cloud, I’d love your thoughts. I think one thing that the cloud has done is turn people more so into digital packrats. So because we have as much space as we want to buy, people don't purge things. And from a privacy perspective, I always tell organizations people get in trouble based on what they collect and how long they keep it, right? So if you're in this example, if you can do a transaction where you don't need to retain the data collected in the first place, you're going to be in a better situation. But if you have to collect it, pare it down, think about what are the essential things I really need to click, and then on the retention part, make sure it's not an open-ended retention period. So I tell organizations, data that has a low business value often has a very high business risk, especially as it relates to privacy. So what are your thoughts about that?
Vikas Malhotra 38:23
I totally agree with you that data retention has to be thought out by the organization. What we are talking of over here is that don't do the data minimization so that you don't have to be thinking about that data retention, to that extent, as you're doing today. So take care of this data flow problem right at the root first. And then obviously, you have to put the data retention kind of policies as well to take care of privacy. And I will just add to this thing, from a human perspective, think of the person you're trying to serve as a human. And if you were in that situation, have empathy towards that situation, and also like, it's their data, and you could be on the other end as well.
Debbie Reynolds 39:21
That's a great answer. I love it. So if it were the world according to Vikas and we did everything that you said, what would be your wish for privacy or data handling or in identity, what would be your wish?
Vikas Malhotra 39:37
My wish would be that a person is actually in control of their data and that's worthwhile it is being stored. So that is where the self-sovereign identifiers scheme comes in. And also when it is in flow, and it is being exchanged with the other parties. And I think that has so many this whole situation has so many benefits not only to the privacy of a person are, establishing better privacy parameters for a person, but also will lead to better security models. And taken along with some other controls that we are bringing out, it will essentially lead to better data management capabilities in our digital worlds. And I think that's one of the bases of the trust problem. This whole situation is one of the bases of why we are seeing so many trust issues, people not trusting this and that and whatnot. I also believe that we should not have so many different identities and different systems and the average person. I think there's been some study on this average person holds more than 85 accounts. And then there are 85 passwords that are associated with that as well. And nobody remembers that. And I know there are organizations who are doing this single sign-on and stuff like that. But what if that single sign-on was established with a self-sovereign identifier, rather than something which is like there are 100 accounts. And now, I'm going to create another repository of those accounts and passwords. So that is what my world looks like. It has to be more decentralized. And it has to be more human-centric, taking the human centricity in the designs. And then there are other architectural principles which will help enable this model as well.
Debbie Reynolds 42:12
Right? I always think of when you say decentralized; basically, you're thinking about decentralized from the organization, but you're really centralizing it to the human.
Vikas Malhotra 42:24
Decentralized and that we have to look at that picture; in fact, there was a recent discussion by a person, and he painted the picture of the Internet or decentralized Internet as an individual dots that are being represented on a picture rather than the dots that are interconnected with each other. And if you look from our real physical being kind of a perspective, that is how we work, that is how we behave. As human beings, we are dots, and we connect with each other when needed. We exchange information, etc., etc. But we are not always connected with each other. Right? So we have to think of this as a decentralized. At least from an identity standpoint, it has to be a decentralized identifier that you are in control of. And, yes, you connect with other parties as and when needed for either the issuance of your credentials or for the verification side of things. But you're not always connected.
Debbie Reynolds 43:46
Yeah, I agree. Perfect. Well, thank you so much for being on the show. This is great. I love this conversation. And I like what you're doing. So definitely keep me updated on what you're doing. I love to be able to share that as well.
Vikas Malhotra 44:01
Thank you so much, Debbie, and thank you for the invitation to your podcast. Thank you.
Debbie Reynolds 44:19
You’re welcome.