Avast’s Charlie Walton wants you to Bring Your Own Identity
When I heard that Evernym, one of the first companies to bet big on self-sovereign identity, was acquired by European security company Avast, I had a lot of questions. What was a European security company doing buying a U.S.-based decentralized digital identity technology company? Could Avast bring the dream of decentralized identity to the masses? I sat down with Avast’s Senior Vice President and General Manager of Identity Charlie Walton to find out.
Security is Identity
“We live in a hybrid world and need to meet the markets where they are today,” Walton says.
In 2022, to be secure you need to know who someone is. That someone can be an individual, a company or even an IoT device. Digital businesses need to know you are who you say you are, so they aren’t ripped off. Customers need to know that the businesses they are transacting with online are who they say they are, so they aren’t ripped off either.
Walton, previously at Mastercard, most recently came at this problem from the payments perspective.
“I was working with Coles in Australia on digital identity for wine sales. When solving for digital identity verification, I thought, what about having the customer bring their own account? Then as a vendor, I can have access to the verification data for the transaction, but I don’t need to save it. This reduces the cybersecurity file of the customer (and I can comply with CDR, Australia’s Consumer Data Right Law, similar to GDPR), reduces the big data honey pot for Mastercard and treats users better.”
Walton clearly articulates the big benefits of decentralized identity. Instead of collecting and storing PII, something companies have been doing for decades, decentralized identity flips the paradigm and trusts the verified data a customer brings to the transaction.
The dream of collecting your verified credentials from various places all over the web isn’t new. I worked for a year or two with SWIFT on the concept of the Digital Asset Grid, a digital safety deposit box where you could collect verified data about yourself, your businesses, even your baby, and securely share it with others. It failed. That was a decade ago. Walton has been at it for much longer.
Walton’s first exposure to the world of online identity was in 1995, when he was working on classified security systems for the DoD and was introduced to PKI. Since then, he has gone on to launch multiple digital identity-based products and hold leadership positions, most recently at SecureKey, also recently acquired by Avast, and Mastercard.
“Just last week, I checked into a hotel, I provided my ID, a credit card and covid credential. I took these out of my wallet, and put them back after sharing the data. So, you see, at the end of the day, decentralized identity isn’t new.”
What’s curious, though, is that PKI has been around all this time. It’s not a new technology. And yet, the primary business model for the internet today is based on collecting and selling user data, which has led to a number of unintended social consequences and many security issues.
Who is left to deal with the aftermath of the security breach? Often, it’s the affected customer, if not the incident response team. And the solutions? They come from a security company. Enter Avast, with its 435 million user base and track record of protecting digital freedom.
Bring your own Identity
“Software that works for you, a digital smart agent. It helps you fill out some forms, keeps track of your digital footprint, data exhaust and has an SSI wallet,” describes Walton. “The notion of decentralized identity is that you carry some stuff that is validated, other things, like my credit score, can be validated in real time.”
What Walton describes sounds a lot like a password manager without the passwords. And then there’s the curious fact that Avast is a European company, which must comply with GDPR. The U.S. is nowhere near passing federal data regulation, yet, Walton points out, “multinational companies are going to embrace GDPR. It’s the right thing to do. It’s better to do business in a way that respects people.”
Businesses respecting their customers is an old-fashioned concept in our age of data collection, monetization and weaponization. And where some may describe the ways that regulation stifles innovation, in this case, European and GDPR-compliant companies must innovate. Up to now, digital customers haven’t had much of a choice to opt out of a surveillance capitalism paradigm. As that changes, however, European digital services could find themselves with an edge over U.S.-centric services.
Still, the road is long. Gartner’s latest Emerging Technologies hype cycle shows decentralized identity at the peak of inflated expectations.
“This is the way the world is headed, but we will have to be hybrid in the next wave of business. We have good token-based authentication, FIDO makes sense, mDL has ISO, we still use SAML, OpenID and there’s DIDComm,” says Walton of the many standards available. “The digital smart agent must be multilingual and speak the language of the world today.”
It’s this hybrid attitude that makes me think, maybe this time we can succeed. Maybe after decades of failures, we can bring our own identity layer to the internet and solve some of today’s rampant security problems in the process.
About the author
Heather Vescent is a digital identity industry thought leader and futurist with more than a decade of experience delivering strategic intelligence consulting to governments, corporations and entrepreneurs. Vescent’s research has been covered in the New York Times, CNN, American Banker, CNBC, Fox and the Atlantic. She is co-author of The Secrets of Spies, The Cyber Attack Survival Manual and The Comprehensive Guide to Self Sovereign Identity.