Self Sovereign Identity with Evernym’s Drummond Reed
Jon Prial: I've got some credentials and it identifies who I am in real life. I've got my passport. I now have a new cool driver's license called a REAL ID and it meets some newer federal guidelines that minimizes some fraud stuff. But in the digital realm, I got lots of user IDs. I've got passwords. They all enabled me to access systems. And although this will never happen, I suppose I could share this password with a kid, but you see the problem is digital identity isn't that easy. So today we'll be talking with Drummond Reed who spent the past 20 years. He's been focused on internet identity, security, privacy trust frameworks. Currently he's the Chief Trust Officer of Evernym. A company at the forefront of a rapidly growing global movement to decentralize digital density. Evernym acquired respect network, where Drummond was the CEO co- founder and co- author of the respect trust framework. He's been active in industry foundations including the open identity exchange and has been recognized for his distinguished work. And it's our pleasure to have Drummond with us today. I'm Jon Prial. All welcome to the Georgian Impact podcast. So Drummond, I'd like to just get right to it. What do you see as broken today and what leads you to what you're talking about with this thing called SSI, self- sovereign identity?
Drummond Reed: Oh, well, if you asked me what's broken on the internet, I need to go no further than about 20 feet to my wife's desk where since I'm sheltering in place I've been for four and a half months. Now I am the household IT guy. Yeah. I'd say that's an average, even though she uses all Apple devices and Apple password manager, which I think is about as good as it gets up there. I'd say it's an average of once a day, I'm helping her with some account logging in to some websites, some place. It's still that hard, and she still has dozens and dozens of usernames and passwords and the sites get confusing and she gets confused and it's all very weak and broken. And that's just passwords. Let's not get into any of the rest of how you really can't prove anything else about yourself online except that you were the person that was there last time if you're going to remember the username and password.
Jon Prial: I love that. I hadn't really thought about it. I'm not going to get in trouble with my wife at all either. But I think the sense of passwords still sitting on little yellow sticky notes and passwords of I'm sure it wouldn't be your wife or anybody in your family using one, two, three, four, five, six as a password. But yeah, we definitely have that problem, but I liked your point about all it knows is you were the last person to log on with that user ID and password. That's really interesting. Now there's obviously much more to identify yourself, right?
Drummond Reed: Exactly. Well, in the emergence of this category, we now call SSI, self- sovereign identity over the last three and a half, four years. I used to start out with more tactical descriptions, but now it's become so easy to explain it every single time. And I know we're just on a podcast, but if you saw me in person, I would pull out my wallet, I would hold it up, and I would say," Ladies and gentlemen, we all know how to do self- sovereign identity. We've been using it for as long as we've been in a holding wallet in our hands." It is how we prove ourselves, our identity in the real world, every day, every time we get on an airplane, we rent a car, we rent a hotel room, we do it with a set of credentials we carry in a wallet with us. And they're issued to us by the trusted authorities that know enough about us to issue us that credential. And we carry them to wherever we need to prove something about our identity. And we call that the verifier and the verifier asks for just the credentials that they'll accept, and then they look at them like, TSA, when you get on a plane, they'll pass the driver's license under blue light. They'll check the hologram on the passport, whatever. And if they say, yeah, I think this is a valid credential and make sure it's current, it's not expired, it looks like me and I get through. But what's just patently clear, as soon as you explain that is we have nothing like that online. There are no credentials that we have that we can go any place and use. And if we had that, life online would just be dramatically easier, more productive for all of us.
Jon Prial: Now, what about my face? I'm thinking Apple here, Face ID. Is that better? Is that a step in the right direction?
Drummond Reed: It's absolutely a step in the right direction because when you're using Face ID or before that I've had both generation of the Apple devices, even the fingerprint, the Touch ID. What you're doing is you're verifying your biometric to your device. And the reason that's both powerful and safe, it's powerful because it's hard to replicate, although fingerprint was easier than face, so that's why they migrated. And secondly, it's safe because you're just doing that between yourself and the device. And that's the only place where that biometric is stored, so it can do the comparison and verify you. What's hard is if you want to do that with websites over the internet or with applications that are not tied to your device, how are they supposed to know what your biometric is?
Jon Prial: Ah, I see. Yes.
Drummond Reed: If you stored your biometric out there on the network someplace, that gets really dangerous because if someone gets a hold of that by a metric, suddenly they have literally a copy of you and they can go and impersonate you anywhere in a very strong way. So that's why biometrics are very useful as one piece of this chain of trust about authentication you need to build. And with self- sovereign identity where we do it is you have a digital wallet with those credentials and you use the biometric to unlock your digital wallet. So it's for protection.
Jon Prial: Correct. And that digital wallet is not centralized. Like you say, having the Face ID in a central place is a high risk.
Drummond Reed: Yes.
Jon Prial: The last thing you want is with that one place where everything gets inaudible.
Drummond Reed: Exactly. The whole idea of self- sovereign and moving physical credentials online into digital credentials is, you have the wallet, just like you carry a wallet close to yourself in your pocket or your purse. You want to have your digital wallet close to yourself. So typically it will be on a smartphone or a tablet, or a laptop on your own devices, and that's where you do the biometric authentication to unlock the wallet, and then you want to register log in on a website. Today, you have to create a new username and password, and maybe you'll use a password manager or Apple's keychain to help automate that process for you but still you have to do that at every site and username and password. And any combination is not very strong. That's why we have to add these multi- factor authentication processes. Is like when they send you a text message and say, well, is it your phone as well? Right?
Jon Prial: Sure.
Drummond Reed: And those help, it definitely makes things stronger, but it also adds more friction to the whole process. When, if you had a digital wallet with digital credentials in it, and this software we call the agent that essentially is the software that runs that wallet. Then you could show up at a website and they could say," Hey, you want to register? You could scan a QR code with your phone and say, yes, and you're done." And what's happened there is that the agent on your phone and the agent on that website, these two little pieces of software, they quickly negotiate this cryptographic connection between the two. There's no username, there's no password, and the strength of that connection because of the underlying cryptography is like 100 times more powerful than any username or password you can come up with. It's just super strong.
Jon Prial: This layer that you're talking about is separate from, I'll drop the F bomb here, separate than say Facebook.
Drummond Reed: Yes.
Jon Prial: I'm not logging on with Facebook credentials, I'm logging on with these independent credentials that would then go to Facebook, or Amazon or anybody else. Correct?
Drummond Reed: Yes. The all thing you're referring to there is, the whole generation we developed of what we call federated identity, where you as an individual, you didn't have these tools but it was so painful to have to manage your own usernames and passwords that you've said," Oh, what if there's a site that I can log into and then that site can log me in every place else that I need." And the best known of those of course are login with Facebook, login with Google, or LinkedIn, or Twitter, the social login services. And honestly, they've been very helpful. They've been fairly widely accepted. The problem we've run into, well, a couple of problems. One is that they're not universal. There are many places you can't use those services. And one of the reasons is it's either privacy that you don't actually want someone else knowing every place you're logging in and all the times you're doing it. But in some cases, one of the reasons that banks or financial institutions don't take them is they're not strong enough. They're not secure enough. Right?
Jon Prial: Right.
Drummond Reed: By definition, you've got another party in the middle of your transactions. And then the larger thing that they've run into is the recognition of those different sites and relationships you have out there that they're putting someone else in the middle, who's growing more and more powerful because it's leveraging relationships that belong directly to you and other party.
Jon Prial: Yeah. It's interesting. The banks obviously have a lot of work to do in it. There's no doubt the banks want to provide the most secure connection. I believe that the people don't recognize that when my friends and family log on via Facebook eyes, or you do know that you're giving them that much more information about you, that they now know that inaudible if I'm using any... Yeah. I'm not going to log on to Netflix through Amazon prime, for example. I want everything to be as siloed as best we can, but it's a challenge because you mentioned friction. It's harder. There's more friction when you have to do it all yourself.
Drummond Reed: Exactly. And so Jon, the way we're getting rid of that friction with SSI is we're giving you a digital wallet and a digital agent that goes with it to automate all that for you. So it literally becomes as simple as wherever you go and you want to form a new relationship with a new website, or a new person, or an organization, any place it's a... And the various ceremonies, you can click a link or you can scan a QR code, but you literally just basically do that one action to wake up your agent and say," Ah, I need a connection here, or I need to share some credentials they're asking for." And you're always going to have the same experience of saying yes or no to the information that they're asking to share. And once you've done it and the connection is established, you never need to do it again. I can't emphasize this enough that there's never been anything like this on the internet before when you and I, let's say we formed a connection. A good example is we meet at a conference. Today, you'll have some badge that might have a QR code on it or something that the conference has given you, and I might do that and we can scan those things or we can get out our phones and we can connect through LinkedIn. But with SSI, either one of us could just pop up a wallet and a QR code and the other one could scan it or we could do it via Bluetooth or NFC. When we form a connection, there is no one else in the middle. It is directly between the two of us. It's literally based on cryptographic keys, long numbers in our digital walls that are shared with each other, and that connection will exist for as long as we both want it no matter how many times we move or change service providers or changing email addresses or anything else, because those two wallets can always connect and verify that, that's, yes. It's you Jon. It's me Drummond, and we can use that connection anything we want.
Jon Prial: Now, staying on the wallet metaphor, I've checked into a hotel, they want to see my passport, I write signature required on my credit card. And they asked to see my driver's license. Are these unique things in my wallet, or is it a one wallet with one thing in it called me, or however you want to categorize that?
Drummond Reed: It's very much like the wall you have today. It's your wallet but it has as many credentials as you've been issued that you find useful. And in fact, what will happen with digital wallets is very much like our computers contain many more documents than our typical personal filing cabinets, because it's so easy for a computer to manage them all. Same thing will be true. You'll end up with, as the technology matures, you'll end up with the same type of credentials you have in your wallet today plus a whole bunch of other ones that are more sometimes called micro- credentials. Like you go and you take a course online, you listened to a webinar for an hour, you can get a credential just like that at the end.
Jon Prial: Sure.
Drummond Reed: Yes. I was there the whole time. And now you can prove, yes. I took that webinar or I took the quiz at the end.
Jon Prial: But when I go to you, my friend at a conference, and I share my wallet with you, I just want you to know my name and address or something. And I don't want you to know of courses I take.
Drummond Reed: Exactly.
Jon Prial: If I go to the hotel, I want them just to see the passport, nothing else. So, that's manageable?
Drummond Reed: This is one of the most powerful things about SSI. The way it works is that party that needs to know something called the verifier, they create this thing called a proof request, which is basically," Hey, here's what we need to know." It's the digital agent equivalent of a webform. If you went to their website today, or you went to check in a hotel that put an iPad in front of you, and it's got a bunch of questions for you. Well, approved request is just those questions put into a form that your agent can understand. So all you have to do is scan a QR code, your agent will pop up and go. Here's what they want to know. Do you want to tell them or not? And you just go, yes or no. If they ever asked for something it's not in your wallet, it's smart enough. The whole thing we're designing is for you to go," Oh, they're asking for a credential I don't have but here's where I can go get it." And so there's just this process you go through steadily, just like with our real world wallets. You steadily accumulate the credentials you need but the most important thing about it, that's very different than conventional credentials. And like, if I go to a bar and they want to know I'm old enough to drink, I have to show the bartender a driver's license or a passport.
Jon Prial: Yes. And now they have your address and those other that you didn't want them to know, they just wanted your birthday.
Drummond Reed: Exactly. Built into SSI done right, I want to point out. It's not always done right but we're trying to establish the best practices is a capability called selective disclosure. And it basically says," It doesn't matter what's all on your credentials, the verifier just ask what the verifier needs to know and that's all they get."
Jon Prial: Right. Beautiful.
Drummond Reed: The classic example is if the bartender needs to know, or the bouncer you're over the legal drinking age in that town or country or wherever, right?
Jon Prial: Oh.
Drummond Reed: Whatever that drinking age is, all they need to know is Greenlight, yes. Red light, no. And that's all they'll need to find out and it can happen under a second. Now to finding the marketplace, it's not just B2C or B2B2C or C2C. This is C in the middle of everything, which I've never been inaudible picture before.
Jon Prial: It's absolutely is.
Drummond Reed: It is. Well, we talk about the trust of IP foundation when we began it May we made it very clear. What we're building here is the trust layer for the internet. So just like the internet goes every place and it connect any two devices anywhere for any reason, those devices and the people or organizations or connected things that are on those devices that are communicating, if they need to establish trust, it needs to work the same way everywhere. So absolutely, C2C, B2C, all of IoT, it turns out that SSI as much as we think it's about for people, the world of IoT of connected devices needs it even more badly.
Jon Prial: Of course, because Amazon shipping a Nest Thermostat with admin and password is they'll use their ID and password was not a good thing.
Drummond Reed: Not a good thing.
Jon Prial: So my worry then, not my worry but something I want to ask you about is how to get to agree to set of standards. So I've spent time on standards boards. It's not fun because companies are trying to put their best interest in front and maybe beat another company that's sitting next to them at the table. How do you work through all the challenges of getting a consistent set of standards in place?
Drummond Reed: Boy, is that a loaded question.
Jon Prial: But not inaccurate, sadly.
Drummond Reed: Unfortunately it is all too accurate. One of my favorite people in the industry O'Neil John at the department of Homeland security here in the U. S. who has been driving digital identity standards for a long time, wrote a great blog post on cyber forge about that, I think it was two weeks ago when he talked about," You have to have standards organizations" but boy, they're filled with politics and you just can't get away from it. So my recommendation... I actually had a call with O'Neil about what he posted there. The best you can do is you can establish a really strong vision and attraction for what problem the standard is solving and get everyone to align around that. And when anyone tries to veer from," Well, okay, but we want to do it our company's way," you have to come back and get the community pressure to go," Yeah, but that's not getting us all to where we've agreed. We want to go." And I'm very happy to say that with the standards, there are two key standards around SSI and the first one was called verifiable credentials or VCs for short. And I mean, there's a whole movie I've told the leader of that. That's going to be a Netflix series someday. The battle he had to fight to get that accepted even as a working group of the W3C, the world wide web consortium. And he almost didn't make it, I mean, but it finally got approved. And then he had to fight all the way through together others of us that joined it to finally get it to be a full W3C standard, which happened last September. That's why this area is now exploding because there is a W3C standard format of these digital credentials. The second one is called DIDs, decentralized identifiers. And that's one I started working on four years ago and it's now we're halfway through the full W3C working group. So about a year from now or towards the end of next year, it'll be a full standard but we'll pretty much be done this Summer and then it's just all approval processes. And on that one, there's been a lot less contention job because everyone understands that we need this new type of identifier. So you are in control of your wallet and your credentials and not your ISP or your Telco, or Google, or Facebook, or some internet giant. You have the power and then that's why they call it self- sovereign identity.
Jon Prial: Perfect. So the key for this one for me is network effect. So obviously, is there a big win out there that you think can happen with a, I don't know, an Apple or someone else that would help or a large enterprise company or a bank that would begin to help you really get some momentum going, or do you have that already?
Drummond Reed: So the short answer is, yes. I think that is what is coming and the answer do we have it already? I have to reply. No comment. As in, there are certain relationships that Evernyms in that definitely would represent very large populations of potential adopters. I'm certain the same is true for other companies focusing on the SSI space because you hit Jon, exactly the right word, network effect. The analogy I've been using for a while now is the growth of the adoption of verifiable credentials. And SSI will be very much like the growth of the web. Somebody had to grade the first website and the second and the third, and then start creating links between them. And that's exactly where we are now. I'll give you an example. We have worked for three years with Sue Ledger is a consortium of the credit unions that came together to say," How the credit unions are going to use blockchain technology to solve industry- wide problems?" And they decided to focus on the first one was self- sovereign identity. That just help squeeze out fraud and make it a lot simpler and safer for our union members to use, not just their own credit union but in the other credit union and the worldwide network of credit unions. And they just reached the point about two months ago of starting to issue those grinches after all the work on the infrastructure we had to put in place. And now they've got a line of credit unions that want to start saying," Oh, yeah, okay. Now we see how it's working. We understand. The members love it, let's start scaling it." So I think we're going to see it industry by industry. We actually have a specific term we'll use it's the adoption of verifiable credentials. It's driven by ecosystems. Credit unions are one ecosystem in the financial services space. It won't be one bank, it will be a group of banks in their ecosystem and say," Hey, this is the best solution. Another place where there's, I think huge traction is coming is healthcare.
Jon Prial: Great.
Drummond Reed: It's just very, very costly to prove out information and if there're mistakes made, whether it's obviously your medical data or your payment data, then it just costs a lot of money and that waste can be squeezed out with the introduction of digital credentials.
Jon Prial: Great. Sounds like you're breaking through companies that might consider typical dinosaurs, but it looks like you're getting a moving in by getting them together. I'm not sure what a cohort of dinosaurs are called if they're a gaggle or a pods, inaudible.
Drummond Reed: They're called inaudible.
Jon Prial: So I think I'd like to just go back a little bit higher level and have you parse for me Evernym, the company you work for and sovereign foundation. I think people find very interesting, the differences and how you spend your time.
Drummond Reed: Sure. Exactly. That has been an area of confusion because my company respect network was working on a piece of this. I started it in 2011 and it was these agents and the protocol they would use to talk between your digital wallets now, but it wasn't blockchain based what I was working on. And then I and others in the digital identity space started to discover the power of blockchain to enable these decentralized digital credentials. And so did others in the industry and Evernym came out of stealth in, I think it was 20, yeah, 2015 towards the end and was working on something very similar. They were the blockchain components. So once I discovered them within, I think it was two months, we decided to merge the companies and build it together. And they had this vision of," Hey, for this to adopt, we need a blockchain that's really designed expressly to support self- sovereign identity. But of course it needs to be a blockchain needs to be distributed around the world and that can't be owned or operated by any one company. So I had quite a bit of experience. One of the reasons they bought respect network is I and the teams I've worked with have been working on internet standards for identity, like an organization consortium, like Open Identity Exchange and OpenID Foundation, Information Card Foundation. So I said," Hey, what we need to do is set up international non- profit organization, not to run this network. It's actually run all the nodes of the blockchain are operated but what we call stewards around the world, but to broad governance for it to be basically the community governance." So we recognized that we needed to start this international non- profit foundation to govern this new network blockchain ledger. And we got it kicked off in September, 2016. And it has a set of individual trustees of the foundation from around the world. And that was the start of the sovereign foundation. And a little less than a year later in July of 2017, we had the first 10 stewards had agreed to come together. We had the Hyperledger Indy codebase. The code that Evernym had originally written for this blockchain was contributed to sovereign foundation who in turn contributed to Hyperledger because it was a larger community for open source. So the Hyperledger Indy codebase and 10 stewards around the world, and we had a big ceremony of starting up the sovereign blockchain. And it has run continuously since last day of July in 2017. So the sovereign foundation is a completely separate, independent non- profit that now has gone through a whole second generation. I'm no longer on the board. I was one of the original trustees, but now there's a new board and it's in its second generation of growth as a governing organization for a blockchain network. And the only thing Jon, that blockchain network does is it just holds the, what we call the cryptographic roots of trust. The DIDs of all the different organizations issuing verifiable credentials. You don't put any credentials or private personal data on that blockchain at all.
Jon Prial: Right. One question for you. And I'm not sure if this shows that I don't quite get it yet. I get that I can identify myself, identify myself to my bank. My bank can't share it with another bank. It's point to point, and it doesn't get distributed. I always have to authorize where it goes somewhere. But it makes me think about identity and what identity means. And I'm thinking about the challenges sometimes when things are anonymized. And I think about trolling and fake news, and putting a digital signature on a post of some sort. Is this at all relevant to that space, or am I asking a question that's kind of irrelevant?
Drummond Reed: No. It's highly relevant. It's very highly relevant. The reason for a number of those problems we've talked about is the fact that we don't have any strong ways of proving digital identity, it's the problem with account- based identity. If the only way you can prove something about yourself today is to prove you have an account someplace, then all of the public discourse and things that happen where it's not tied specifically one account, that's where we have so much fakery and trickery. And it's just very difficult to have real confidence in that. When you have SSI infrastructure, when you have digital credentials and you have the selective disclosure capability, what you can then do is you can, regardless of where it's happening, you can require the participants to prove something about themselves. So you can still be not technically anonymous but pseudoanonymous because... And what it is, I call it, it's pseudoanonymous accountability. If there's a news story out there and you're like, well, did it really come from a verifiable source even though it might be a whistleblower, you need to know it's a real person who has certain real associations. You just don't know who they are.
Jon Prial: Fascinating.
Drummond Reed: Well, they can prove that with verifiable credentials. And now there's a way that news stories and news filters can require that. There is a whole... That was actually brought to the verifiable credentials task force at W3C. How do you use for fake news? And they produce a short report to deal with fake news.
Jon Prial: That's great. Is it similar somebody I've been following over the years to the MIT solid project with Tim Berners- Lee. Is this different or similar?
Drummond Reed: That's a great question. And there are a lot of similarities. It's a decentralized identity and personal data sharing solution. That's based on the W3C semantic web technology that Tim has led for a long time. It has this idea of a pod, which is a little like a wallet. A pod is more for all your personal data and personal information you might want to share. And your personal digital archive, like your portfolio, documents you've written emails, all of that.
Jon Prial: Super set for sure. A big super set it would be.
Drummond Reed: A big super set, but like Apple's iCloud only it's your cloud.
Jon Prial: Got it.
Drummond Reed: Some people have called it the personal cloud. And part of that could be digital wallet and credentials that you can share. The SSI movement is more based on," Hey, let's just start with strong proof of your ability to prove about your identity and your relationships and control." It's more the digital wallet information than all the rest of it. But there's a lot of intersection and synergy with those. And so we have talked at conferences with Tim and his team about using, and he's a big fan of the open standards that we're developing at W3C.
Jon Prial: Awesome. So for someone that's interested, why would they pick up the phone and call Evernym? What would they be getting today?
Drummond Reed: So Evernym is, again because we started there, we are fully focused on SSI. It's our entire focus, it's our obsession. So what we are doing, even though we've contributed massively to the open source, primarily in the Hyperledger Indy, Ursa and Aries projects, what we have built is a stack of software for issuing and verifying digital credentials and then software for the wallet to hold them. And that is an app called connect. me. It's a general purpose wallet you can get on the Apple app store or Google play. What we're doing is working with customers in many cases, ecosystems, as I said, that's where adoption is starting. And initially a lot of what they want to do is just learn about the technology experiment, try POCs and we did a lot of that we had a whole program for working with companies. We probably have more than 100 different companies go through that. But then as they've matured, what we build out is really a production platform for industrial grade issuance and acceptance of the verifiable credentials. And we now have a mobile SDK because what we found is many companies and developers, they want to have their own app. They want to integrate credentials into their app or their own user experience. Makes total sense, and so you're going to have a general purpose wallet or a specialized embedded wallet. So now we've produced a mobile SDK that's, there's huge amount of interest in, so our job is really to provide the underlying plumbing for, it might be a retail supply chain situation or in healthcare that they would want to use credentials for. One of the popular recent topics, of course has been COVID related credentials, whether it's test Prudentials, or preparing for vaccination, all the things you'll need around going back to work. We provide the plumbing. We work with both the end customers. And now we're working with a number of large integrators because integrating all this into your back end systems and your processes, it's very much like the transformation you went through when you adapted your company to the web. You said," Okay, we want to have this new interface now." It's like," Okay, we've got a new solution for digital trust."
Jon Prial: That's great. So Drummond Reed, thanks for taking the time. This was a fascinating discussion. This is a new space. I'm sure we're going to hear a lot more about this over time. So I really appreciate your time and thank you so much.
Drummond Reed: Oh, it's my pleasure. It's an area I'm very passionate about. I spent 20 years on it and you get to a solution that really has world changing potential. You want it out there, so very happy to talk to you about it.
DESCRIPTION
In real life we identify ourselves with a passport, driver’s license, or other government ID - and we use the same ID in multiple places. But digital identity isn’t so easy, and doing digital credentials badly can leave users and systems vulnerable.
Drummond Reed is our guest on this episode of the Georgian Impact Podcast. He is the Chief Trust Officer at Evernym - a company at the forefront of a rapidly growing movement to decentralize digital identity. Their approach is called Self Sovereign Identity or SSI, and it makes the process of proving your identity in a digital space much more straightforward.
You’ll Hear About:
- Self Sovereign Identity or SSI, and how a Digital Wallet and Digital Agent will streamline the process of sharing the necessary credentials within the digital realm.
- The role biometrics play as one piece of the “chain of trust” of authentication.
- How SSI differentiates itself from federated identity when it comes to privacy and security.
- The possibility to store not only your credentials in your digital wallet but also micro-credentials.
- The growth and adoption of verifiable credentials and SSI.
- The different roles of Evernym and Sovrin Foundation.
Who is Drummond Reed?
Drummond has spent over two decades working on Internet identity, security, privacy, and trust frameworks. He joined Evernym as Chief Trust Officer after Evernym’s acquisition of Respect Network, where he was CEO, co-founder, and co-author of the Respect Trust Framework. Drummond has served as co-chair of the OASIS XDI Technical Committee since 2004, the new semantic data interchange protocol that implements Privacy by Design. Prior to starting Respect Network, Drummond was Executive Director of two industry foundations: the Information Card Foundation and the Open Identity Exchange, the international not-for-profit clearinghouse for Internet trust frameworks. He has also served as a founding board member of the OpenID Foundation, ISTPA, XDI.org, and Identity Commons.