The blockchain’s salad days

I’m not sure if you’re supposed to have a favourite supply chain fraud or not but I do, and it is the famous case of the vegetable oil that almost bankrupted American Express (and went some way toward making Warren Buffett a multi-billionaire). The essence of the story is that a conman, Anthony “Tino” De Angelis, discovered that people would lend him money on the basis of commodities in the supply chain. His chosen commodity was vegetable oil (see How The Salad Oil Swindle Of 1963 Nearly Crippled The NYSE). Amex had a division that made loans to businesses using inventories as collateral. They gave De Angelis financing for vegetable oil and he took the Amex receipts to a broker who discounted them for cash. So he had tanks of vegetable oil and Amex had loaned him money against the value of the oil in those tanks, the idea being that they would get the money back with a bit extra when the oil was sold on. Now as it happened, the tanks didn’t much contain oil at all. They were mostly water with a layer of oil on top so that when the inspectors opened the tanks and looked inside they saw oil and signed off whatever documentation was required. Eventually the whole scam blew up and nearly took Amex down, enabling the sage of Omaha to buy up their stock and make a fortune.

Fortunately for us and unfortunately for conmen like Tino, the supply chain is one of the many industries that the blockchain is going to disrupt. As my good friend Michael Casey and his co-author Pindar Wong explain in their recent Harvard Business Review piece on the topic (Global Supply Chains are about to get Better, Thanks to Blockchain in HBR, 13th March 2017), blockchain technology allows computers from different organisations to collaborate and validate entries in a blockchain. This removes the need for error-prone reconciliation between the different organisations’ internal records and therefore allows stakeholders better and timelier visibility of overall activity. The idea discussed in this HBR piece (and elsewhere) is that some combination of “smart contracts” and tagging and tracing will mean that supply chains become somehow more efficient and more cost-effective.

An aside. I put “smart contracts” in quotes because, of course, they are not actually contracts. Or smart. Bill Maurer and DuPont nailed this in their superb King’s Review article on Ledgers and Law in the Blockchain (22nd June 2015), where they note that smart contracts are not contracts at all but computer programs and so strictly speaking just an “automaticity” on the ledger. (Indeed, they go on to quote Ethereum architect Vitalik Buterin saying that “I now regret calling the objects in Ethereum ‘contracts’ as you’re meant to think of them as arbitrary programs and not smart contracts specifically”.) 

Using the blockchain and “smart contracts” sounds like an excellent idea and there’s no doubt that supply chain participants are taking this line of thinking pretty seriously. Foxconn (best known as the makers of the iPhone) are a recent case study. In March 2017 they demonstrated a blockchain prototype that they used to loan more than six million dollars to suppliers. I should note in passing that the article didn’t make it clear why they were using a blockchain (as opposed to any other form of shared ledger) or why they were using a shared ledger rather than a database but, like Merck and Walmart and many others, Foxconn is a serious business that sees promise in the technology so we should take the case study seriously.

While I was reading about Foxconn, and a couple of other related articles in connection with a project for a client, I started to wonder just how exactly would the supply chain industry be disrupted? How would the blockchain have fixed the salad oil problem? It’s very easy to think of a fancy fintech setup whereby smart contracts took care of passing money from the lender to the conman when the tanks were certified by the inspectors but as sceptical commentators (e.g., the redoubtable Steve Wilson of Lockstep) frequently point out, transactions using blockchain technology are only “trustless” insofar as they relate to assets on the blockchain itself. As soon as the blockchain has to be connected to some real-world asset, like vegetable oil, then it is inevitable that someone has to trust a third party to make that connection.

Trusting these third parties can be a risk. Another of my favourite scandals (I have quite a few, I should have mentioned that) is the horsemeat scandal that swept Europe on the 50th anniversary of the salad oil scandal. Basically horsemeat was being mixed with beef in the supply chain and then sold on to the suppliers of major supermarkets in, for example, the UK. One of the traders involved was sentenced to jail for forging labels on 330 tonnes of meat as being 100% beef when they were not. Once again, I am curious to know how a blockchain would have helped the situation since the enterprising Eastern European equine entrepreneur would simply have digitally-signed that the consignment of donkey dongs were Polish dogs and no-one would have been any the wiser. It is not clear how a fintech solution based on blockchains and smart contracts would have helped, other than to make the frauds propagate more quickly.

The reason that I am interested in scandals like this one is that the tracking of food features as one of the main supply chain problems that advocates hope the blockchain will solve for us. Work is already under way in a number of areas. I understand that Walmart have carried out some sort of pilot with IBM to try to track pork from China to the US and another pilot was used to track tuna from Indonesia all the way to the US. But if someone has signed a certificate to say that the ethically-reared pork is actually tuna, or whatever, how is the shared ledger going to know any different? A smart contract that pays the Chinese supplier when the refrigerated pork arrives in a US warehouse, as detected by RFID tags and such like, has no idea whether the slabs in the freezer are pork or platypus.

If you do discover platypus in your chow mein, then I suppose you could argue that the blockchain provides an immutable record that will enable you to track back along the supply chain to find out where it came from. But how will you know when or where the switcheroo took place? Some of the representations of the blockchain’s powers are frankly incredible, but it isn’t magic. It’s a data structure that recapitulates the consensus of its construction, not a Chain of True Seeing with +2 save against poison. So is there any point in considering a form of shared ledger technology (whether a blockchain or anything else) for this kind of supply chain application? Well, yes. We think there is.

Let’s go back to the first example, the great vegetable oil swindle.  Had American Express and other stakeholders had access to a shared ledger that recorded the volumes of vegetable oil being used as collateral, the fraud would have been easily discovered. 

“If American Express had done their homework, they would have realized that De Angelis’s reported vegetable oil ‘holdings’ were greater than the inventories of the entire United States as reported by the Department of Agriculture.”

via How The Salad Oil Swindle Of 1963 Nearly Crippled The NYSE

Interesting. So if the amounts of vegetable oil had been gathered together in one place, the fraud would have been noticed. What could that one place be? A federation of credit providers’ databases? A shared service operated by the regulator? Some utility funded by industry stakeholders? How would they work? What if the stakeholders instead of paying some third party to run such a utility used a shared ledger for their own use? It would be as if each market participant and regulator had a gateway computer to a central utility except that there would be no central utility. The gateways would talk to each other and if one of them failed for any reason it would have no impact on the others. That sounds like an idea to explore further.

How might such a ledger operate? Would American Express want a rival to know how much vegetable oil it had on its books? Would it want anyone to know? The Bank of Canada, in their discussion of lessons learned from their first blockchain project, said that “in an actual production system, trade-offs will need to be resolved between how widely data and transactions are verified by members of the system, and how widely information is shared”. In other words, we have to think very carefully about what information we put in a shared ledger and who is allowed to say whether that information is valid or not. Luckily, there are cryptographic techniques known as “Zero Knowledge Proofs” (ZKPs) that can deliver the apparently paradoxical functionality of allowing observers to check that ledger entries are correct without revealing their contents and these, together with other well-known cryptographic techniques, are what allow us to create a whole new and surprising solution to the problem of the integrity of private information in a public space.

It is clear from this description that a workable solution rests on what Casey and Wong call “partial transparency”. At Consult Hyperion we agree, and we borrowed the term translucency from Peter Wagner for the concept. For the past couple of years we have used a narrative built around this to help senior management to understand the potential of shared ledger technology and form strategies to exploit it. Indeed, in some contexts we focus on translucent transactions as the most important property of shared ledgers and as a platform for new kinds of marketplaces that will be cheaper and safer, a position that you can find explored in more detail in the paper that I co-authored with my colleague Salome Parulava and Richard Brown, CTO of R3CEV. See Towards ambient accountability in financial services: shared ledgers, translucent transactions and the legacy of the great financial crisis. Journal of Payment Strategy and Systems 10(2): 118-131 (2016).

As you might deduce from the title, in this paper we co-opt the architectural term “ambient accountability” to describe the combination of practical Byzantine fault tolerance consensus protocols and replicated incorruptible data structures (together forming “shared ledger” technology) to deliver a transactional environment with translucency. As Anthony Lewis from R3CEV describes in an insightful piece on this new environment, it is much simpler to operate and regulate markets that are built from such structures.

The reconciliation comes as part of the fact recording; not after. Organisations can “confirm as they go“, rather than recording something, then checking externally afterwards.

From Distributed ledgers: “Confirm-as-you-go” | Bits on blocks

In this way the traditional disciplines of accounting and auditing are dissolved, re-combined and embedded in the environment. Smart contracts wouldn’t have disrupted Tino’s business, but ambient accountability would have uncovered his plot at a much earlier stage, when the near real-time computation of vegetable oil inventories would have delivered data on his dastardly plot. You’d hardly need Watson to spot that inventories greater than the United States’ entire annual production ought to be looked into in more detail.
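The industry-wide inventory check described above can be run without any lender showing its book to a rival. The following is an added example, not code from this post or from any project it mentions: each lender posts a Pedersen commitment to the volume pledged to it, additive secret sharing reveals only the total, and an auditor verifies that total against the ledger and compares it with a published inventory figure. It is a simpler relative of the ZKPs mentioned earlier rather than a ZKP itself, and the toy-sized group, the seed string, the function names and the figures are all constructed for illustration.

```python
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin; these bases are sufficient for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group(bits=48):
    """Safe prime P = 2Q + 1 of toy size (NOT secure), plus generators G and H."""
    q = 2 ** (bits - 1) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    seed = int.from_bytes(hashlib.sha256(b"salad-oil-demo-h").digest(), "big")
    h = pow(seed % p, 2, p)  # hash-derived square: nobody knows log_G(H)
    assert h not in (0, 1, 4)
    return p, q, 4, h        # 4 is a square, so it generates the order-Q subgroup


P, Q, G, H = toy_group()


def commit(m, r):
    """Pedersen commitment: hides m, binds the committer to it."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def share(value, n):
    """Split value into n additive shares mod Q; any n-1 of them look random."""
    parts = [secrets.randbelow(Q) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % Q)
    return parts


def run_round(pledges):
    """Lenders post commitments, then jointly reveal only the aggregate opening."""
    n = len(pledges)
    blinds = [secrets.randbelow(Q) for _ in pledges]
    ledger = [commit(m, r) for m, r in zip(pledges, blinds)]  # public entries
    # Lender i sends its j-th share of (m_i, r_i) privately to lender j.
    m_shares = [share(m, n) for m in pledges]
    r_shares = [share(r, n) for r in blinds]
    # Lender j publishes only the sum of the shares it received.
    partial_m = [sum(m_shares[i][j] for i in range(n)) % Q for j in range(n)]
    partial_r = [sum(r_shares[i][j] for i in range(n)) % Q for j in range(n)]
    return ledger, sum(partial_m) % Q, sum(partial_r) % Q


def audit(ledger, total, total_blind, reported_inventory):
    """Check the aggregate opening against the ledger, then against the benchmark."""
    product = 1
    for c in ledger:
        product = product * c % P
    opening_ok = product == commit(total, total_blind)
    return opening_ok, opening_ok and total > reported_inventory


# Constructed figures (millions of pounds of oil), not taken from the article.
PLEDGES = [400, 350, 500]      # one borrower's collateral as seen by three lenders
REPORTED_INVENTORY = 900       # hypothetical published national inventory

if __name__ == "__main__":
    ledger, total, blind = run_round(PLEDGES)
    print(audit(ledger, total, blind, REPORTED_INVENTORY))        # honest aggregate
    print(audit(ledger, total - 500, blind, REPORTED_INVENTORY))  # understated total
```

The commitments bind each lender to the figure it reported, not to what is actually in the tanks; the check only catches a total that is implausible against an outside benchmark.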

Perhaps we need to shift perspective. It is the industry-wide perspective of the shared ledger, the shared ledger as a regtech, that makes the disruptive difference to supply chains, just as it is the shared ledger as a regtech that will reshape financial markets by creating environments for faster, cheaper and less opaque transactions between intermediaries that have to add value to earn their fees rather than rely on information asymmetries to extract their rent. As the World Economic Forum’s report on the Future of Financial Services says, “New financial services infrastructure built on [shared ledgers] will redraw processes and call into question orthodoxies that are foundational to today’s business models”. We agree, and if you want to make this a reality for your organisation, give me or my colleagues at Consult Hyperion a call. We will provide help, not hype.

Incidentally, the brilliant Maya Zahavi from QED-it will be explaining how ZKPs can transform supply chains at the 20th annual Consult Hyperion Tomorrow’s Transactions Forum on April 26th and 27th in London. Run, don’t walk, over to that link and sign up now for one of the few remaining delegate places and to be kept up-to-date in the future, sign up for our mailing list as well.

[Sincere thanks to my colleague Tim Richards and to my former colleague Salome Parulava for their helpful comments on an earlier draft of this post.]

Enough with the “Britcoin” already!

Yesterday we were chatting about the Governor of the Bank of England’s comments about central bank digital currency. I said I thought this was a good thing. Other people think the same.

The new Positive Money report on Digital Cash recommends that central banks should issue digital cash for six main reasons: it widens the range of options for monetary policy, it can make the financial system safer, it can encourage innovation in the payment system, it can recapture a portion of seigniorage, it can help to develop alternative finance businesses and it can improve financial inclusion.

From Are central banks a relic of the Industrial Revolution? | Consult Hyperion

As it happens, Dr. Ben Broadbent, who is deputy governor of monetary policy at the BofE, appeared before the Lords economic affairs committee today. He was scheduled to

“explore the prospect of a central bank digital currency and the effect it could have on commercial banks”.

From House of Lords asks BofE deputy governor: Time for ‘Britcoin’?

This was part of a session that also included evidence from my good friend Simon Taylor, formerly of Barclays Bank, and the noted financier Blythe Masters who is in charge of Digital Asset Holdings (DAH) and you can see it all online here.








OK, so far so good. I’ve written about this topic in exhausting detail before, and the truth is I’m rather a fan of a strategic and planned shift towards digital currency. But the article goes on to say…

Earlier this year Broadbent floated the idea of using distributed ledger technology to enable individuals to hold digital currency accounts with the central bank.

From House of Lords asks BofE deputy governor: Time for ‘Britcoin’?

Surely use or otherwise of distributed ledgers is tangential and irrelevant to the issue of digital currency. The payment mechanism has nothing to do with the currency. So, if Dr. Broadbent means that the Bank is thinking of using a shared ledger to manage personal accounts for individuals, where account transfers are settled instantly in central bank balances, then all well and good.

I simply do not see the efficiency of “a digital form of legal tender” as being evidence that the government might issue a UK cryptocurrency as some in the Bitcoin world have said.

From Britcoin or Brit-PESA? | Consult Hyperion

On the other hand, if Dr. Broadbent means that the Bank is going to set up a shared ledger that will be implemented using a blockchain that incentivises consensus-forming work with an on-chain asset (i.e., a Bitcoin-like Britcoin) then I think he must have been inadequately briefed. Why on Earth would a central bank abandon its money supply management duties to a cryptographic algorithm? That makes no sense at all.

Since the latter explanation is implausible — and if you listen to his evidence to the Lords you will notice that deputy governors of the Bank of England are very well-briefed indeed — the only explanation for the “Britcoin” tag is journalists confusing digital currency and cryptography and jumbling up the use of double-permissionless shared ledgers with double-permissioned shared ledgers. I suppose it’s an easy mistake to make, so let’s put it to bed once and for all. Here is  a handy cut-out-n-keep guide:

[Image: Birch-Brown-Parulava Colour]


Would the Bank of England get behind a Sterling-backed Bitcoin? I think not. In fact, I think I’m coming round to Robert Sams’ thinking about the role of Bitcoin in the greater scheme of things with respect to the co-evolution of money and technology. Robert wrote a very good note about this called “Some crypto quibbles with Threadneedle Street” in response to one of the early Bank of England research notes about Bitcoin back in 2014, suggesting that, as he put it, “digital currency with a deterministic money supply function” is not a feature but a limitation of early cryptocurrency designs (and that a capped supply function such as Bitcoin’s is a “bug” on economic grounds).

As to the key question of whether a central bank or someone else should provide money, Robert alludes to the problem with the marginal cost of the production of competing private monies, what I often refer to in blog posts and talks as the big problem of small change. The problem is this. If privately produced money is successful as a means of exchange and earns a profit for its producer in the form of seigniorage (it is hard to see how cash replacement can earn transaction fees so in the long term I imagine these to be asymptotic to zero) then it will invite competitors and those competitors, provided the monies they produce are reasonable substitutes for each other, will drive down the cost of the private money to its marginal cost of production. In our digital world, however, the marginal cost of production is to all intents and purposes zero and so private companies will bail and only the state can deliver a sustainable money as a means of exchange (remember, this has nothing to do with it being a currency or not).

Hence it is very difficult to imagine how competing private currencies that are nothing more than direct substitutes for national fiat currencies can obtain any traction at all. This nudges me further towards thinking that if the imperfections of fiat currency are to be addressed in the free market it will be by currencies that are more closely linked to the communities that use them and that embody some values of those communities. I often use the example of a gold-backed interest-free electronic currency for the Islamic diaspora as a simple thought experiment, a sort of hard ECU for the new millennium, a currency that will be widely used but never exist in physical form.  But that’s for another time.

Suppose, however, that we stay with fiat currency and central banks. Now, if Bitcoin is to be used in that role (i.e. as a medium of exchange) its volatility is undesirable but that does not mean that it needs to display the long-term stability that is required of a store of value. That’s a different function of money and can be implemented in a different way. It does however mean that Gresham’s Law will come in to play and drive Bitcoins out of the marketplace (to speculators, at least in the short term) and that no-one will hold them for transaction purposes. As far as I can tell, this is where we are now anyway.

So what does all of this mean? Well I’m not sure I have any more insight into this than any other commentators but my take on it is that while the marginal cost of production of Bitcoin is undeniably higher than the marginal cost of production of other kinds of private money, that doesn’t really mean anything because Bitcoin will never be used as money in the same way. On the other hand it does mean that it is hard to imagine why anyone who wants to produce private money, and in particular a digital version of a fiat currency, will use it even if they want to use a shared ledger for other reasons (something I personally favour). On the contrary, since we have no reason to suspect that the proof-of-work and blockchain structure is the best consensus mechanism, it seems more likely that if (say) the Bank of England were to decide to implement a digital sterling, then it is highly likely that they would use some other mechanism that relies on validators (e.g., commercial banks) rather than miners. Let’s come back to this in a minute.

I don’t think there’s ever going to be a Britcoin. Central-bank digital currency is about balances and an appropriately private protocol for moving value between accounts. My prediction is that this would look more like the bastard child of Ripple and M-PESA than a blockchain cryptocurrency with a 1-1 reserve in Sterling. And guess what…

As I was sitting down to finish off this post, what should flow in through the internet tubes but Bank of England Staff Working Paper No. 605 by John Barrdear and Michael Kumhof, “The macroeconomics of central bank issued digital currencies”. This is referred to in Dr. Broadbent’s evidence to the House of Lords. It says (amongst other things) that

We study the macroeconomic consequences of issuing central bank digital currency (CBDC) — a universally accessible and interest-bearing central bank liability, implemented via distributed ledgers, that competes with bank deposits as medium of exchange. In a DSGE model calibrated to match the pre-crisis United States, we find that CBDC issuance of 30% of GDP, against government bonds, could permanently raise GDP by as much as 3%, due to reductions in real interest rates, distortionary taxes, and monetary transaction costs. Countercyclical CBDC price or quantity rules, as a second monetary policy instrument, could substantially improve the central bank’s ability to stabilise the business cycle.

Did you see that? Permanently raise GDP by as much as 3%. Scatchamagowza. Permanently raise GDP by as much as 3%. Why aren’t we doing it right now! Let’s draw a line under the money of the past and focus on the money of the future.

[Image: Money Typology v2]


I’ve read the working paper and while I don’t understand the economic model at the heart of it (I have no idea what “credit cycle shocks policy rate corridors” are) I do understand the implications and the observations of the authors. I have come to similar conclusions but from the technological direction. Since the observations of the Bank from an economic perspective correlate so closely with my observations from the technological perspective (I think I may have mentioned that I’m writing a book about this at the moment) I think I’ll finish here just by highlighting a few key points that I have mentioned on the blog before.

  1. A monetary regime with central bank-issued national digital currency (i.e., digital fiat) has never existed anywhere, a major reason being that the technology to make it feasible and resilient has until now not been available. 

  2. The monetary aspects of private digital currencies (a competing currency with an exogenous predetermined money supply) are undesirable from the perspective of policymakers. Also the phrase “digital currency” is perhaps a regrettable one as it may invite a number of misunderstandings among casual readers.

  3. Digital fiat means a central bank granting universal, electronic, 24 x 7, national currency denominated and interest-bearing access to its balance sheet. The Bank says that they envisage the majority of transaction balances will continue to be held as deposits with commercial banks and observes as I did above that digital currency has nothing to do with shared ledgers, distributed ledgers or blockchains.

  4. The cheapest alternative for running such a system would clearly be a fully centralised architecture (M-PESA in Kenya is the obvious example) but as the Bank notes this will come with increased resiliency risks that are likely to be deemed unacceptable. However, options that are distributed but permissioned would provide an improvement in the efficiency of settlement and serve to improve resiliency relative to the status quo, both of which would represent a reduction in cost to the real economy.

  5. The key feature of such a permissionless shared ledger system is that the entire history of transactions is available to all verifiers and potentially to the public at large in real time. It would therefore provide vastly more data to policymakers including the ability to observe the response of the economy to shocks or policy changes almost immediately.

There is no sane argument against digital fiat. Let’s get on with it. And let’s have no limit on the number of different currencies that the ledger might hold.

Sharing ledgers

Like many of you I am sure I never miss The Economist “Money Talks” podcast, which is how come I happened to hear about the bankruptcy of an Indian airline. At first glance a normal, run of the mill corporate failure…

Inaugurated in 2005, Kingfisher Airlines… never made money, not in one year. On 20 October 2010, the Directorate General of Civil Aviation (DGCA) suspended its licence to fly. Some 3,700 employees were left contemplating their future. More importantly, a clutch of largely public-sector banks is looking at writing off loans worth roughly Rs 6,000 crore as bad debt.

From The art of flying on froth | Tehelka – Investigations, Latest News, Politics, Analysis, Blogs, Culture, Photos, Videos, Podcasts

Well, these things happen. The more cynical among you might just note this as another example of the subverted corporatist version of capitalism that we are familiar with today, where profits are privatised and losses are socialised, and put it to one side. But the story has a particularly fascinating trajectory and one that is relevant to the kinds of discussions going on at executive level amongst some of Consult Hyperion’s customers. Here’s why. It’s the story of an unshared ledger. Kingfisher Airlines’ corporate records have vanished.

The airline’s missing accounts—apparently stored on servers seized by a vendor who had gone unpaid—is an unwelcome complication for those who had hoped the Kingfisher saga might be inching towards some sort of resolution.

From Flying blind | The Economist

Now, I hate to say it, but this is one of the few news stories that I have seen recently that actually points out a genuine use case for shared ledger technology and as far as I can see (from my single source of truth, my Twitter feed) no-one picked this up. Set against the common vague management consultant stuff about how “the blockchain” is going to transform the health care industry, the refugee crisis and insurance, this is a real example of a use case that is not based on fantasies about reduced costs or improved performance or the eradication of intermediaries or “code is law” but the solid reality of  a consensus computer in operation.

So, imagine that Kingfisher had adopted something along the lines of Ian Grigg’s “triple entry” system. There’s a permissioned shared ledger that is maintained by, amongst others, the airline itself, the 17 creditor banks and the airline industry regulator. The airline and the banks update their own double-entry accounting systems using the data from the shared ledger.

If the airline goes bust or vanishes into a black hole or is infiltrated by ne’erdowells, it doesn’t matter, because everyone has a copy of the shared ledger. The banks can see that there are transactions with other banks, but may or may not see what those transactions are without permission. I assume that when a bank lends a few million quid to a company one of the first things it does is send in expensive finance-type persons to find out what other loans are outstanding and under what terms, so I don’t see why the transactions would be encrypted but I know nothing about corporate finance. But even if they were, then under warrant the regulator and law enforcement agencies would be able to obtain the escrowed transaction keys needed to decrypt transactions of interest. You can sort of see how it would work. Back here to my fantasies about encrypted open books, translucent databases and shared ledger applications. Everyone would be able to see that assets exceed liabilities even though no-one (other than the relevant parties) could see what those assets or liabilities were.

If I were casting around for a practical proof-of-concept in the world of the shared ledger, I would certainly consider such an example. In this case we have a system where there are trusted participants who may become untrusted, records that must be immutable beyond the lifetime of their creator and real money to be shared amongst the stakeholders. Think of all the money that could have been saved on auditing, forensic accounting and compliance! Money that could have instead been spent on customers, employees and suppliers of discretionary services.

So that’s why I used this particular story to help develop narrative in a couple of client meetings this week. As it happens, though, the story has even more to it as an exemplar. But first, a word about identity… Remember, names are attributes not identifiers. I’m a Dave Birch, but that doesn’t necessarily make me the Dave Birch in any specific instance. Now back to the story. The creditors want their money back so they are going after the guarantors of the loans made to Kingfisher where they have some evidence of the loan and the guarantor. Fair enough.

Last month it emerged that one of the aggrieved banks froze the accounts of three customers it alleged had guaranteed loans to the carrier in their role as board directors of Kingfisher. In fact, it blocked a destitute farmer, a vegetable stallholder and a security guard with similar names.

From Flying blind | The Economist

Ruh roh. So much for Know-Your-Customer (KYC). I’m sure this kind of problem will not recur, because India now has the Aadhar universal identity service. I’m sure that future loan guarantors will have to present their Aadhar card and be biometrically-identified as part of the loan process. This was, after all, part of the original vision for the Indian UID service, made clear back in 2010.  

“Lack of identity is hurting people and blocking progress. Aadhar (the brand name for UID) can serve as the know your customer guidelines that banks have. It can reduce friction for the poor person who is trying to access public services like banking,” Nilekani said…

[From UID can be an enabler of financial inclusion: Nilekani-Finance-Economy-News-The Economic Times]

But in other jurisdictions where universal identity is not yet the rule, some alternative might be needed. Perhaps here the shared ledger, which may in the long term be seen as a #regtech revolution and not a #fintech revolution at all, might also provide the necessary infrastructure (as I suggested in my presentation on “CRUDchains” at the Dutch national blockchain conference earlier this year). So now we have an interesting — but practical — model to work with. A shared ledger for the accounts that is linked to a shared ledger for the KYC. Anti-money laundering implemented as a process that constantly traverses both chains, not a set of expensive procedures.

I think I might use this example to test some of the ideas we are developing around shared ledger structures and blockchain (and other implementations) with some of our clients and partners, but as always I’m genuinely curious to hear what you have to say about the potential here.

Blockchain as a public technology service

When people say “blockchain” they mean different things. And some of the things they mean are just absolutely, categorically different. Implications of public open blockchain designs and private blockchain designs vary drastically. I emphasise this distinction because it is key – the different designs assume and imply totally different things.

Both types are important but for different reasons, for different markets and for different use cases. I think we have passed the time when “Bitcoin bad – Blockchain good” seemed an eye opener. What this kind of argument did is it drew the attention of financial incumbents from the Bitcoin-like permissionless space to the private, permissioned space. Which makes sense for their business models. But I think they are not paying enough attention to the permissionless space. I think you are not either!

A brave slide from the Consensus conference in New York this year (unfortunately, I can’t remember the name of the speaker! – let me know and I’ll update), where I chaired the panel on post-trade and my colleague Dave Birch chaired panels on Identity. This illustrates that “Bitcoin bad, Blockchain good” is not set in stone.

I bet you hadn’t anticipated such a steep rise of Ethereum (the price of native Ethereum currency soared 10 times from the beginning of 2015 and Ethereum’s market cap reached 1.5 billion dollars). You may have even missed the creation of the first human-free organisation. Even if you try to keep an eye on the public blockchain world, you only get reminded of its existence when Bitcoin price surges to its 2-year high (it now trades at over 700$) and all the mainstream media cover this.

Both public and private shared ledgers (Blockchains) are essentially shared book-keeping (and computing) systems, one class – open for everyone to use (public), another – restricted to a certain group of members (private). And this is it. Open for everyone to use means lower entry barriers, it means identity-free and regulation-free shared book-keeping (and computing). What could be restricted by identity policies and financial regulations goes around this. You can, say, restrict a person from buying bitcoins by setting high KYC requirements to online exchanges (for users not to be able to change dollars for bitcoins if they are not KYC’d). You can even cut his or her internet connection. You can issue a court order to close a business that accepts bitcoins as money. And so on and so forth.

A lot of this effort looks similar to trying to stop the Internet, but I suppose the regulators can dream!

Public technology service and native digital rights

“Proof-of-work is inefficient”. So what? Let it go! Think of what’s the idea behind it and what it tries to achieve, regardless of this inefficiency. Regardless – because even if proof-of-work is not ideal, there are other permissionless technologies already developed and many more that are work in progress. Some of the best minds in the world are looking to provide the benefits of a permissionless shared ledger environment without the drawbacks of original Bitcoin’s proof-of-work. Just assume that they will solve that problem and move your thinking on.

What the blockchain delivers is permissionless book-keeping (and computing) public technology service (with the unchangeable and transparent transaction history as an incredibly valuable side effect). When I say “public service”, I do not mean that a company or public organisation provides it, I mean technology itself and collaborative user effort provide it. In a sense – everyone and no one. The protocol acts as the service provider.

And this is crucial. In the traditional financial world, the basic value transfer layer that cryptocurrencies (i.e. everyone and no one) provide as a public technology service is provided by companies – service providers, and is not accessible to everyone. For example, PayPal provides a digital value transfer service.

Here I want to make the point that permissionless cryptocurrency systems hold the promise of a digital environment in which value transfer is intrinsic, embedded on the protocol level – and so, for users the ability to make a transfer could become what I call a native digital right. Just to give you an analogy (it’s not a very accurate analogy but you’ll like it!) – take a guess what you see in the picture below. Well, it’s a standard residential elevator in my mother country Georgia, where you need to pay every time you use it! Up and down. Every time up, every time down!

Georgian elevator. Each time you go up and down, you need to pay!

So maybe we all (all internet users) live in our kind of Georgia, where every time we want to make a deal (economic agreement) in the online world we have to go through a cumbersome process and pay an unreasonable fee (each time!) for it. We need to get our bag out and fill in our card details, the merchant’s acquirer (if it’s a merchant – even more obstacles with peer transfers) needs to send a request, the card issuer needs to approve the transaction etc. Our economic life online today is based on this very complex e-commerce domain. And to me, it looks a lot like a Georgian elevator. Think about it: on top of the obvious, that elevator only accepts certain denominations of Georgian coins – very specific, and is broken every once in a while – so even if you want to use a paid elevator sometimes you just can’t. So familiar.

How great would it be if we had a native digital right to make a value transfer online that no one could take from us (or grant us!), on a protocol level. How many applications could be built on top (at Consult Hyperion we call them SLAPPs: shared ledger applications)!

Persistence of permissionless

At the heart of the public shared ledgers is value transfer. This is because in order to assure the liveliness and self-sufficiency of the system, while providing non-restricted access to it, there needs to be an intrinsic economic incentive for those who maintain it. In other words, there should be a positive value to maintaining consensus. Most public shared ledgers for this reason can be described as currencies (decentralised cryptocurrencies) because they provide this incentive as a reward on the ledger in the ledger’s own “money”.

The canonical example of such a decentralised cryptocurrency is, of course, Bitcoin (remember, there are hundreds of them though!).  As Bitcoin was intended to exist and evolve out of the reach of regulatory, corporate or any other centralised command, the technology includes mechanisms that ensure it persistently “survives” and proves its robustness and self-sufficiency. (Disclaimer: I’m not a Bitcoin maximalist)

This persistence is a differentiating characteristic of a public shared ledger system. The technology does not need people at tables making decisions in order to survive, it is “permissionless” (nevertheless, the way it evolves to an extent is influenced by “people at the tables” – just different people).

Virtual economy

Potentially the principal implication of this persistence is the permissionless ascent of an alternative virtual economy on top of decentralised protocols. Cryptocurrencies are not just a new form of payment but rather a potential foundation for a new virtual economy, with new forms of economic interactions coming into place. When I say “new”, I don’t mean substitutive – I mean additional.

Virtual economic activity could become something fundamental to the Internet. Similar to the way the ability to communicate transformed into the ability to communicate over the Internet – it could grow into the ability to make friction-less economic arrangements (“economically” communicate) in the virtual world.

Thanks to the shared ledger technology and “smart contracts” innovation, not only is the emergence of an alternative economy permissionless (and so non-stoppable), but if it happens at a certain scale, the very nature of economic relationships in this economy could be drastically different from what we are used to. A good depiction of such a transformation is content monetisation on the web through the use of “invisible” micropayments. Another good example is seamless online payments in video games:

Breakout Coin provides for seamless in-game payments anywhere in the world, while the blockchain technology behind it, Breakout Chain, uses smart contracts and sidechains to enforce these financial agreements between parties.


Shared ledger technology could even turn our things (as in “Internet of Things”) into active economic agents through smart contracts.

Public shared ledger technology may help to turn a big part of our (as it seems) non-economic life into economic activity.

Although there are many “ifs” in that, we should not dismiss this possibility quite yet and keep an eye on the permissionless space. You can observe or get involved, but it would be a mistake to put your head in the sand and deny that something incredible is happening.

Putting “identity” on the “blockchain”. Part 3: Define the transactions

Now onto part three of our week of thinking out loud about putting identity on the blockchain. In part one we found a problem that could be solved using some kind of identity infrastructure. In part two we came up with a model of digital identity that we could use to explore a potential solution to this problem. Now, we are going to think about how that model could connect with some kind of shared ledger in general and with a blockchain or, indeed, the blockchain.

Our starting point is to observe, as my colleague Steve Pannifer said in his presentation at the Cloud Identity Summit in New Orleans this week, that a ledger is a record of transactions. Therefore, we must think about the identity transactions implied by the model that we looked at in part two before we start to think about how to store them in a shared ledger. We start by observing that identity transactions are the “CRUD” (that is the Creation, Reading, Updating and Deleting) of identities. Since our model includes three kinds of identities it admits the possibility of three distinct sets of CRUD transactions that might be stored in the shared ledger as shown in the picture below.

 3D Domain ID Blockchain

The first category relates to the mundane identity CRUD of people, things and organisations. We could take some physical characteristic of these such as a fingerprint, a photograph or a serial number and store these in a shared ledger. This may be a good thing to do, but my first thought about this is that actually we probably want to avoid storing such things in the ledger, or at the very minimum avoid storing them in unencrypted form. I have to spend some time thinking this through, but it’s not immediately obvious to me that storing the binding between the digital identity and the mundane identity on the ledger moves us forwards.

The second category relates to the digital identity CRUD. Remember from part two that I am imagining the digital identity as being, essentially, a key pair. We need to store the private key somewhere safe and provide an authentication mechanism so that control over the digital identity can be asserted. Then we need to provide the public key for a variety of uses. Now, a key pair sounds very much like a wallet on a block chain and it is certainly a plausible hypothesis that this could be an implementation of digital identity. However it suffers from the same general category of problem as does cryptocurrency, which is the problem of the storage and protection of the private key. Either you have to look after the private key yourself, which is a degree of responsibility that I for one am most unwilling to accept, or you have to trust somebody else to look after the private key for you (e.g. your bank).

In practice, this would mean that the key pair is held by some third party, and while the idea of having sovereign control of your digital identity in some sort of blockchain is an appealing prospect if you are a 20-year-old computer science major at MIT, I remain unconvinced that it is a mass-market solution, especially in developing countries. Here, I feel that the example of M-PESA (as we were discussing on Twitter yesterday) is illustrative. M-PESA, which was launched, remember, by a telco not by a bank, stores cryptographic keys in the tamper-resistant SIM in a mobile phone and this strikes me as being the plausible mass-market solution. In an M-PESA-like system, the SIM generates the key pair and gives up the public key but the private key is never disclosed. Unfortunately this means that if you lose your SIM you may have messages that you can no longer read so we need a more sophisticated mechanism for a workable mass-market infrastructure!

The third category relates to the virtual identity CRUD. Remember in the model that I sketched out in part two, I made the assumption that all transactions are between virtual identities. Now the transactions associated with a virtual identity, if they were to be stored in a shared ledger, would then provide a record of that virtual identity’s activities. Those virtual identities need not identify the binding between the digital identity and the mundane identity. So, I could have a digital identity that I use for work and one for home and one for play. I use my play identity to obtain an adult identity from some grown-up website and that identity might well contain attributes that it has obtained from other credentials (that I am over 18, for example) but not my name.

Then the history of that virtual identity is in effect a kind of reputation. If you ask me for my reputation on some sharing economy platform, I can point you to an entry in the shared ledger. This gives you a public key. You can do two things with this key right away. First of all, you can use it to encrypt a challenge for me (because in order to answer the challenge I must have control over the corresponding private key). Secondly, you can look through the ledger to find transactions associated with that public key (to find out, for example, when the virtual identity was created and whether it has been deleted).

You can also check the digital signature on the virtual identity to confirm who created it (i.e., was it really Barclays Bank or AirBnB or whoever).

The ability to check the reputation of a counterparty in this way seems to me to be one of the fundamental benefits of such an identity infrastructure and central to a functioning online economy.

If I find a seller labelled as John Doe, I really have no interest in discovering their underlying identity: that takes time and effort. If there are positive comments about them from people whose opinion I value then I will do business with John Doe. If there are negative comments, then I won’t. And it won’t matter to me whether John Doe has a badge from the local council, the government or some other body’s approval. My decision will be based not on what anyone thinks, but on what everyone thinks.

This comes from an article I wrote for “The Guardian” a fair few years ago (“Reputation not Regulation”, 2nd Nov. 2000, sadly no longer online but you can download a PDF here). On this, I don’t think my opinion has changed much. The ideas that I was putting forward back then were constructed to support economic activity with both security and privacy as priorities. If anything, my views about building security and privacy into the identity infrastructure have become more entrenched since then.

Now, in the “old” PKI model, if I presented you with a virtual identity you would have to go to the issuer and check the certificate revocation list (CRL) or access an Online Certificate Status Protocol (OCSP) responder to see if it is still valid. In order to minimise the traffic, the issuers would basically need to issue virtual identities with short expiration dates which would mean people, organisations and devices constantly having to obtain new certificates. Now, this in itself is I think workable. But in the shared ledger version of this story, there is no need to query the issuer because the history of the virtual identity is in the ledger.
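The relying-party check described above, as an added example (not the author's or any project's code): the issuer's signature on the virtual identity is verified, control of the private key is proven, and the identity's status is read from its CRUD history on a hash-chained ledger instead of from a CRL or OCSP query. It assumes Ed25519 keys and a signed nonce in place of the encrypted challenge, and every name in it (`Ledger`, `checkPresented`, “Example Bank”, “Mallory”) is hypothetical.

```javascript
// Added example: relying-party check of a virtual identity against a shared ledger.
// Ledger, checkPresented, "Example Bank" and "Mallory" are hypothetical names.
const { createHash, generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const GENESIS = '0'.repeat(64);
const sha256 = (s) => createHash('sha256').update(s).digest('hex');
// Canonical JSON (sorted keys, plain objects only) so signer and verifier hash the same bytes.
const canon = (v) => (v && typeof v === 'object')
  ? '{' + Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canon(v[k])).join(',') + '}'
  : JSON.stringify(v);
const signB64 = (obj, key) => sign(null, Buffer.from(canon(obj)), key).toString('base64');
const verifyB64 = (obj, key, sig) =>
  verify(null, Buffer.from(canon(obj)), key, Buffer.from(sig, 'base64'));

// A virtual identity: the holder's public key plus attributes, signed by the issuer.
function issueVirtualIdentity(issuer, issuerPrivateKey, subjectKeyPem, attrs) {
  const body = { issuer, subjectKey: subjectKeyPem, attrs };
  return { body, sig: signB64(body, issuerPrivateKey) };
}
const idOf = (vi) => sha256(canon(vi.body));

// Append-only, hash-chained list of signed CRUD entries (stand-in for the shared ledger).
class Ledger {
  constructor() { this.entries = []; }
  append(op, viId, issuer, signerPrivateKey) {
    const prev = this.entries.length ? this.entries[this.entries.length - 1].hash : GENESIS;
    const body = { seq: this.entries.length, op, viId, issuer, prev };
    const sig = signB64(body, signerPrivateKey);
    this.entries.push({ ...body, sig, hash: sha256(canon({ ...body, sig })) });
  }
}

// Validate the whole chain, then replay only this identity's entries from its own issuer.
function replay(entries, viId, issuer, issuerPem) {
  let prev = GENESIS, state = 'UNKNOWN';
  const history = [];
  for (const [i, entry] of entries.entries()) {
    const { sig, hash, ...body } = entry;
    if (body.seq !== i || body.prev !== prev || hash !== sha256(canon({ ...body, sig })))
      return { state: 'LEDGER_INVALID', history };
    prev = hash;
    if (body.viId !== viId || body.issuer !== issuer) continue; // written by someone else
    // Fail closed: an entry naming the issuer must carry the issuer's signature.
    if (!verifyB64(body, issuerPem, sig)) return { state: 'LEDGER_INVALID', history };
    if (body.op === 'CREATE' && state === 'UNKNOWN') state = 'ACTIVE';
    else if (body.op === 'DELETE' && state === 'ACTIVE') state = 'DELETED';
    else if (!(body.op === 'UPDATE' && state === 'ACTIVE')) continue; // e.g. CREATE after DELETE
    history.push(`${body.seq}:${body.op}`);
  }
  return { state, history };
}

// The relying party needs the issuer's public key, a fresh challenge and the ledger.
// It never contacts the issuer.
function checkPresented(vi, ledger, trustedIssuers, prove) {
  const issuerPem = trustedIssuers.get(vi.body.issuer);
  if (!issuerPem) return { ok: false, reason: 'untrusted issuer' };
  if (!verifyB64(vi.body, issuerPem, vi.sig)) return { ok: false, reason: 'bad issuer signature' };
  const nonce = randomBytes(32); // fresh per check, so an old proof cannot be replayed
  if (!verify(null, nonce, vi.body.subjectKey, prove(nonce)))
    return { ok: false, reason: 'presenter does not control the private key' };
  const { state, history } = replay(ledger.entries, idOf(vi), vi.body.issuer, issuerPem);
  return { ok: state === 'ACTIVE', reason: `ledger state ${state}`, history };
}

// Constructed scenario: all keys are generated here, nothing is real data.
function demo() {
  const pem = (k) => k.export({ type: 'spki', format: 'pem' });
  const bank = generateKeyPairSync('ed25519');
  const holder = generateKeyPairSync('ed25519');
  const mallory = generateKeyPairSync('ed25519');
  const trusted = new Map([['Example Bank', pem(bank.publicKey)]]);
  const vi = issueVirtualIdentity('Example Bank', bank.privateKey, pem(holder.publicKey),
    { is_over_18: true });
  const ledger = new Ledger();
  const holderProves = (nonce) => sign(null, nonce, holder.privateKey);
  const check = (prove = holderProves) => checkPresented(vi, ledger, trusted, prove);

  const out = {};
  out.beforeCreate = check().reason;                 // never recorded on the ledger
  ledger.append('CREATE', idOf(vi), 'Example Bank', bank.privateKey);
  out.active = check().ok;
  out.thief = check((nonce) => sign(null, nonce, mallory.privateKey)).reason;
  ledger.append('DELETE', idOf(vi), 'Mallory', mallory.privateKey); // not the issuer: ignored
  out.afterForeignDelete = check().ok;
  ledger.append('DELETE', idOf(vi), 'Example Bank', bank.privateKey);
  out.afterDelete = check();
  ledger.entries[2].op = 'UPDATE';                   // rewrite history to hide the deletion
  out.afterTamper = check().reason;
  return out;
}

console.log(demo());
```

The hash chain here only stands in for whatever consensus mechanism stops history being rewritten; a real ledger would also reject badly signed entries at admission rather than leave that to each reader.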

In the model we’ve been building up this week, then, reputation can be interpreted as the history of a virtual identity, the complete list of “CRUD” transactions stored in the shared ledger. Does this seem like a reasonable model to proceed with? If so, tomorrow I’ll think out loud about how to implement the shared ledger for identity.

Putting “identity” on the “blockchain”. Part 2: Create an identity model

I’m continuing my week of thinking out loud about identity on the blockchain. In Part 1, we came up with a real problem that needs fixing and explored the idea of a financial services passport. In Part 2, we’re going to put forward an identity model that could form part of a solution to that real problem. The starting point for the thinking here is that as part of some recent work for a client, we at Consult Hyperion needed to create a simple digital identity model to facilitate discussion around the provision of digital identity services to support financial services. In order to do this we revisited three basic concepts of identity infrastructure. These are the mundane identity (the “real world” physical entity that the digital identity is connected to), the digital identity itself and the virtual identities that are used to interact online (all transactions, in this model, are between virtual identities).

The reason for this three part model for identity is that it is a fundamental rule of systems analysis, going back to the earliest days of data modelling, that you cannot have many-to-many entity relationships. Since there may be multiple physical entities relating to multiple virtual identities (an obvious example is a company, where a number of people have executive control over a number of virtual identities that are used to transact with other companies, government, regulators and so forth), we introduce digital identity as the linking entity to enable a workable identity management infrastructure.

This part of the model should be familiar. You probably read about it a few years ago in “A Model for Digital Identity” by Neil McEvoy and me in that indispensable tome “Digital Identity Management: Technological, Business and Social Implications”, edited by yours truly. (It’s on pages 95-104, for ready reference.) In that chapter, Neil and I put forward this idea of digital identity as the bridge between mundane and virtual identities for a variety of reasons anchored in the entity-linking structure, one of them being that the use of multiple pseudonymous virtual identities is a great way to move forward past some of the apparent paradoxes of identity and a great way to think about identity in an online world.

Anyway, I wanted to use this model to explore the issue of biometric authentication. This was because Isabelle Moeller from the Biometrics Institute (below centre) had kindly invited me to give a talk on the topic of biometrics and digital identity at their 2016 Asia-Pacific Conference in Sydney and then take part in a panel discussion with Victoria Richardson from APCA (who was unfortunately caught up in other things on the day but the excellent Nick Cliff stood in for her) and Mandy Smith from ANZ (below left). Since the audience would be mainly people with experience and interest in biometrics, I thought (correctly, as it turned out) that a simple model of digital identity would be needed to anchor my talk and give context to the central part of the presentation, which was about biometrics as a convenience technology when combined with mobile as an authentication platform.

 Asia Pac Biometrics Institute

To make that simple model, I chose to map the three identity entities to three different domains where a binding is required (hence three domain digital identity, or “3D-ID”). You can see the three domains and the three bindings in the picture below. In the identification domain we do the complex and expensive binding of the person or organisation or thing to the digital identity. In the authentication domain we bind the digital identity to a person or organisation or thing that is entitled to use it. In the authorisation domain we bind the digital identity to the virtual identities that interact online to execute transactions. For the purposes of simplicity, think about the digital identity as a private-public key pair and think about the virtual identities as public key certificates that take the public key from the digital identity and link it to attributes to form credentials.

3D Digital ID Model

So who might be a provider of digital identity, given that the binding of digital identities to mundane identities is complex and expensive? Well, here’s what Neil and I wrote in the book nearly a decade ago: 

One could certainly imagine niche identity issuers springing up across both horizontal and vertical sectors (the government, from this perspective, becomes a special case of a niche identity issuer) where economics or other pressures dictate.

An obvious case would be that of banks.  Since they are already covered by “know your customer” (KYC) and other legislation, they are perfectly capable of issuing digital IDs that might be widely accepted.  These and other digital IDs would then be used to create one or more virtual identities (eg, an employer creating an employee identity), most likely through brand-based businesses using white-label services.

To illustrate what we meant by this, think of the example of a dating site. The dating site needs to know that I am a real person, but it doesn’t need to know who I am. If it knows who I am, then it has a responsibility to look after my identity, which I’m sure it doesn’t want. I don’t want it either, because when the dating site is inevitably hacked I don’t want my identity smeared all over the web. So when I go to create my account at the dating site (in other words, when I go to create my dating virtual identity) I can present my bank virtual identity. The dating site forces an authentication (using, for example, FIDO) and once it gets the positive response it can then take the public key from the bank virtual identity, add attributes that it can attest to (e.g., date joined, name chosen, etc) and sign that with its own private key. This creates a new dating virtual identity at minimal cost. (We’ll return to the point about correlating public keys across virtual identities when we come back to think more about implementations.) Take it from me, it all works, provided you have somewhere to store the private key. Sound familiar? Well, we’ll talk about digital identity and the blockchain in another post soon.
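The dating-site flow above as an added example (not code from the original post): the site verifies the bank's signature, forces an authentication, then signs a new virtual identity that carries only the attributes it needs. A signed Ed25519 nonce stands in for FIDO, all names and attribute values are constructed, and the optional per-site key is one possible answer to the key-correlation point, assumed here rather than taken from the post.

```javascript
// Added example: a site derives a new virtual identity from a bank-issued one.
// Issuer names, attribute names and function names are hypothetical.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Canonical JSON (sorted keys, plain objects only) so signer and verifier hash the same bytes.
const canon = (v) => (v && typeof v === 'object')
  ? '{' + Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canon(v[k])).join(',') + '}'
  : JSON.stringify(v);
const pem = (k) => k.export({ type: 'spki', format: 'pem' });

// A virtual identity: a subject public key plus attributes, signed by whoever attests to them.
function issue(issuer, issuerPrivateKey, subjectKey, attrs) {
  const body = { issuer, subjectKey, attrs };
  return { body, sig: sign(null, Buffer.from(canon(body)), issuerPrivateKey).toString('base64') };
}

function isSignedByTrustedIssuer(vi, trustedIssuers) {
  const issuerPem = trustedIssuers.get(vi.body.issuer);
  return issuerPem !== undefined &&
    verify(null, Buffer.from(canon(vi.body)), issuerPem, Buffer.from(vi.sig, 'base64'));
}

// Stand-in for the forced authentication: the presenter signs a fresh random nonce.
function controlsKey(subjectKey, prove) {
  const nonce = randomBytes(32);
  return verify(null, nonce, subjectKey, prove(nonce));
}

// carry: attribute names copied from the parent; everything else in the parent is dropped.
// freshKey: optional per-site public key (assumption), which must also be proven.
function deriveIdentity(site, parent, trustedIssuers, holder, carry, ownAttrs, freshKey = null) {
  if (!isSignedByTrustedIssuer(parent, trustedIssuers)) throw new Error('untrusted parent identity');
  if (!controlsKey(parent.body.subjectKey, holder.proveParent)) throw new Error('authentication failed');
  if (freshKey && !controlsKey(freshKey, holder.proveFresh)) throw new Error('fresh key not proven');
  const attrs = { ...ownAttrs };
  for (const name of carry) {
    if (!Object.prototype.hasOwnProperty.call(parent.body.attrs, name))
      throw new Error(`parent does not attest ${name}`);
    attrs[name] = parent.body.attrs[name]; // the parent's value wins over the site's own
  }
  return issue(site.name, site.privateKey, freshKey ?? parent.body.subjectKey, attrs);
}

// Two credentials carrying the same public key can be joined by anyone who sees both.
const linkable = (a, b) => a.body.subjectKey === b.body.subjectKey;

// Constructed scenario: all keys, names and dates are made up for the example.
function demo() {
  const bank = { name: 'Example Bank', ...generateKeyPairSync('ed25519') };
  const site = { name: 'Example Dating', ...generateKeyPairSync('ed25519') };
  const me = generateKeyPairSync('ed25519');       // the digital identity key pair
  const perSite = generateKeyPairSync('ed25519');  // a key used only at this site
  const impostor = generateKeyPairSync('ed25519');
  const trusted = new Map([[bank.name, pem(bank.publicKey)]]);
  const bankVI = issue(bank.name, bank.privateKey, pem(me.publicKey),
    { name: 'Constructed Person', is_over_18: true });
  const holder = {
    proveParent: (nonce) => sign(null, nonce, me.privateKey),
    proveFresh: (nonce) => sign(null, nonce, perSite.privateKey),
  };
  const own = { name_chosen: 'salad_fan', date_joined: '2017-03-13' };

  const reused = deriveIdentity(site, bankVI, trusted, holder, ['is_over_18'], own);
  const fresh = deriveIdentity(site, bankVI, trusted, holder, ['is_over_18'], own,
    pem(perSite.publicKey));
  let impostorResult = 'accepted';
  try {
    const fake = { proveParent: (nonce) => sign(null, nonce, impostor.privateKey) };
    deriveIdentity(site, bankVI, trusted, fake, [], own);
  } catch (e) { impostorResult = e.message; }

  const siteTrust = new Map([[site.name, pem(site.publicKey)]]);
  return {
    datingIdentityVerifies: isSignedByTrustedIssuer(reused, siteTrust),
    attrs: Object.keys(reused.body.attrs).sort(), // the bank-attested name is not carried over
    linkableWhenKeyReused: linkable(bankVI, reused),
    linkableWithFreshKey: linkable(bankVI, fresh),
    impostorResult,
  };
}

console.log(demo());
```

With the per-site key an outside observer can no longer join the two credentials on the public key, although the site itself still saw both during issuance.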

The focus of my talk was that the arrival of biometrics as a convenience technology in the authentication domain transforms the usefulness of this model in the mass market. There’s a world of difference between creating a new account at the dating site and then being asked to look at your phone (face biometrics are especially popular amongst older people, for example) and being asked to get out a dongle, insert your EMV card, enter your PIN, read a code and then type it into a web page. And, as an aside, one of the most interesting presentations I saw at the event was about the use of the phone and the touch screen to perform continuous background authentication so that when a service provider forces an authentication on the device, the customer may well have to do absolutely nothing at all!

One more thing about the model. On re-reading that chapter (which was first drafted a decade ago), I couldn’t help but notice that Neil and I had already had an inkling that the paths of the Internet of Things and digital identity would cross. We wrote:

People will account for only a fraction of the digital IDs associated with stuff, and a lot of stuff will be interacting with virtual identities: after all, a vending machine dispensing chocolate may not need to know anything about a person, but one dispensing cigarettes certainly does.  Since it would be ludicrous (and an open invitation to identity theft) to insist that people present their real identity to a vending machine, it is the attribute (eg, “is_over_18” or something similar) bound into the virtual identity that is the critical element in enabling the transaction.

Rather forward thinking, if you ask me, especially since on my last trip to Frankfurt I discovered that there are cigarette vending machines in the street that require customers to present their actual identity cards (well, someone’s identity card, anyway) in order to purchase!

Cigarette Machine in Frankfurt

What the machine should do, of course, is require you to present your “adult identity” (that contains no identifying information and merely testifies that you are over 18) and then force an authentication against that (via Bluetooth or whatever). As we all know, in a commercial transaction of this nature, your “real” identity is your least important attribute.

Putting “identity” on the “blockchain”. Part 1: Find a problem

I have to give a presentation about putting identity on the blockchain, even though no-one seems entirely clear what “identity” means or, for that matter, what “blockchain” means. So I thought I’d try an experiment in thinking out loud this week, using your feedback to try and finish the week with some consistent model of a solution that will solve a known and understood problem. A tall order. But there’s lots of work being done in this area and I’ve been reading some very interesting papers and posts. I think it’s a worthwhile experiment in the week of the Cloud Identity Summit and I’m hoping that colleagues and friends in New Orleans will be coming up with some new ideas in this area too.


There has been a lot of discussion recently about the idea of using the blockchain to “do something” about identity, so I thought I’d put together a few blog posts with some of our thoughts on the topic, gathered from a few of the different projects that we are involved with. Lots of people seem to think that putting identity on the blockchain is a good thing to do. But, as many other people have pointed out, in order to come up with some kind of idea as to what exactly the blockchain is going to do, it is first necessary to come up with some idea about what the identity problem is and then come up with some more specific ideas about how exactly a blockchain (or, more generally, any other form of shared ledger) might solve it.

The idea for this blog post began when my colleagues were putting together some ideas to present at the Open Identity eXchange (OIX) meeting in London a few weeks ago. I thought it might be useful to contribute some of our thoughts around that presentation, in their incomplete form, to structure further discussion around this topic. First, the identity problem. Actually there are lots of different identity problems so I thought I’d choose a specific one I’ve been working with recently. As the chair of the techUK payments group (techUK is the trade association for the British technology industry), I’ve been taking part in the Financial Services Passport Working Group that started discussing the issue a couple of years ago. This is a good example of a very specific identity problem and a community that is looking for a solution.

Let me illustrate what the problem is with a personal example. I’ve been a customer of Barclays since 1977 and they know absolutely everything about me and my financial history. My salary has always been paid into the same Barclays current account. My mortgage is currently with Barclays and were I to have any savings they would probably be with Barclays too, since I’m extremely lazy. Now suppose I go to open an account with the NatWest. The fact that I’ve had an account with Barclays for 40-odd years will count for absolutely nothing and they will treat me as if I’d just arrived as a refugee. I have to produce some form of identity documentation (which they might well be incapable of verifying: I have literally no idea how the counter staff at NatWest go about checking whether a Romanian passport is real or not) as well as some proof of address, which normally comes down to that well-known high security fundamentally British identification document, a gas bill.

Now suppose I go to get some pensions advice from a financial adviser or look into changing my mortgage to get a better deal or decide to open one of those ridiculous Individual Savings Accounts (ISAs) that the Chancellor of the Exchequer has created so that rich people can salt away tax-free money for their children and thus drive up house prices even further to no general economic benefit to the nation. In any of these cases I would be faced with the necessity to provide my financial identity all over again. So what can be done about this? It’s hardly a new problem.

“An adviser to a new charitable incorporated organisation that spent more than a year trying to open a bank account has blasted Barclays for its onerous demands and disproportionate due diligence.”

Barclays slated after CIO takes a year to open a bank account

Well, suppose that when you open your first bank account the bank goes through all of its complex know your customer (KYC), anti-money-laundering (AML), counter-terrorist financing (CTF), politically exposed person (PEP) checking and credit referencing and then decides to give you an account. Suppose at that point the bank gave you some kind of financial passport (put to one side what this actually is or what data it contains or where that data might be stored) that you could use to open accounts at the NatWest, change mortgages, open a savings account or obtain financial advice simply by proving that it is your financial passport. Then it becomes a simple problem of authentication and we have a variety of strong authentication mechanisms available to us (even without some proper National Entitlement Infrastructure as I have long called for). The cost savings to the industry from not having to continually repeat identification procedures would be substantial and the convenience afforded to the consumer notable.

So why doesn’t this happen? Well, that’s a good question. We started to look at it a generation ago and the assumption was, at that time, that we would use public key infrastructure (PKI) to solve the problem. I know, I know, people have been going on about this sort of thing for years (here, for example). So, I open a bank account and the bank generates a key pair. The private key is kept in tamper-resistant hardware (at the bank, so that I can’t lose it) and the public key is used to form a variety of public key certificates (PKCs) or what I prefer to call “virtual identities”. Each of these identities contains a number of different attributes that are attested to by whoever signed the certificate.

Now I wander into the NatWest and present my Barclays virtual identity, perhaps by using my mobile phone or smart card, and all NatWest have to do is to validate that I am the rightful owner of the private key associated with the public key in the certificate. They can do this in a variety of ways, but let’s say for the sake of argument they send a message to my phone that is encrypted using the public key in my Barclays virtual identity and my Barclays app on the phone demands strong authentication and gets it and reports back. NatWest would also have to check that the public key certificate I’m presenting to them hasn’t been revoked, so this means they have to query the Barclays Certificate Revocation List (CRL) in some way, either as part of the challenge to the app or in a separate step.

Problem solved.

Or a least it might have been, had anybody ever implemented any of this stuff. Identrust gave it a go in the corporate space, defining a complete set of standards and more importantly the business rules that go around them, but nothing ever happened in the customer space. I did think for a while that, because the cryptography used to support chip and PIN is the same as the cryptography needed to support this kind of PKI, it would be efficient to add something along the lines of the financial passport to the debit cards in widespread use. I have a vague memory of being involved in some discussions around this with one of the UK banks a decade or so ago and as I recall (and my memory may well be imperfect) the reason for not doing it was that debit card production was outsourced to one particular supplier and they had no interest in raising the cost of the cards issued by a couple of pence in order to save the bank a ton of money in the branches or to combat fraud. I shouldn’t think things have changed much by now. And persons of a suspicious nature may well want to believe that banks don’t want to make identification easy and portable because they see it as a way of locking in customers, but I am sure that they would not engage in this kind of behaviour.

So if we’re not going to implement the financial services passport that way then how can we implement it? In the techUK working group that’s been looking at this we were really focusing on a couple of obvious architectures that all simplify down to the centralised architecture and the federated architecture. In the centralised architecture, the banks will all chip in to build a central database somewhere, perhaps run by BACS or some other industry body, and that would hold the details of the identity, the identity verification processes that had been completed and the relevant keys and certificates. So I go into NatWest to open accounts and I authenticate myself to the financial services passport database and Bob’s your uncle. This would of course require some coordination between banks and everybody else, and it would have to be pretty reliable otherwise it would turn into a honeypot for criminals and fraudsters, but it’s a plausible hypothesis.

Another way of doing it would be a federated solution where each bank holds its own database of the financial passports that it has issued and other banks can query that database using the normal protocols of federation in order to gain access to the data under controlled circumstances. I used to think that this would be the best way of moving forward, decoupling the banks in this way, despite what it meant in terms of having to sort out liability agreements. I remember a survey for VocaLink a couple of years ago in which some two-thirds of respondents said that they saw value in the establishment of that centralised KYC utility, and I was sure they were wrong. There’s no need for a central KYC utility, I thought, when we could have a federated identity linked to verified attributes infrastructure (i.e., a reputation infrastructure).

There would be no need for NatWest to actually store my Barclays financial services passport, they would just need to store a pointer to it with the records showing that they had checked. Then if I subsequently get arrested for fraud or Barclays closes my account because I turn out to be associated with money-laundering, we need some mechanism for informing all the other people who are depending on that passport that it is no longer valid, but I’m sure it’s not beyond the wit of humanity to come up with some sort of semantic federation that could take care of this.

In recent times, however, a new possibility has wandered into the discussion. Yes, the blockchain. Well, a blockchain. Or to be more precise, some form of Shared Ledger Technology (SLT).

Consensus 2016 Identity Panel

What if we could use shared ledger technology to build this record of financial services passports but in such a way that no institution owned it, that it had no central system to go down, that it could resist intrusion or attempts at fraud from compromised members of the network, and that it could provide a platform for new products and services that we can’t really imagine at the moment? Personally, I think the shared ledger may well be a plausible solution to this problem and having chaired a discussion on identity and personal security as well as a superb panel on identity at Consensus 2016 in New York I’ve been thinking harder about what shared ledger technology could do for organisations in this field. If we take our layer-based model (the “consensus computer” and the applications that we are going to run on it) and begin to think what kinds of identity-related content might be useful, I think we can get somewhere.

Let’s start building the models that we need to think this stuff through clearly. I think we should start with our model of the Shared Ledger that we are going to use to store “identity”. I think Consult Hyperion’s “4×4” model works very well, so we’ll use that.

Revised Four Layer Model (High Level)

So in this emerging paradigm, our thought processes then drift on toward the content of this ledger. I saw some interesting demos at Consensus. Deloitte and others had started to build blockchains with defined content assets and these were interesting. But let’s say for the sake of argument that a ledger is a record of transactions. The ledger isn’t simply a write-only file containing copies of driving licences and passports and whatever else, it’s a record of transactions that link entities identified at the communications layer with a variety of identity attributes through transactions, developing a reputation associated with that identity. This, I think, is the kind of architecture that Cambridge Blockchain explained to me when I bumped into them last year and it seems a reasonable starting point, congruent with our ideas about the kinds of transactions that might be entered into a shared ledger.

Thus, a blockchain can act as a provenance protocol for data across disparate semi-trusting organizations.

From Will Provenance Be the Blockchain’s Break Out Use Case in 2016? – CoinDesk

We have to be careful with what we are putting in the Content layer, naturally. We don’t want to turn the shared ledger into a resource for despots and confidence tricksters. Hence it is reasonable to ask whether anyone should be able to look at my financial services passport or whether it should be encrypted in some way so that only “authorised” entities can decrypt it. My first thought is that we may want to go for something like this, which is why I prefer to call the Content Layer of our model translucent rather than transparent.

A distributed and irreversible system for trust management, which stores personal data, could offer a hotbed for doxing and identity theft – and even undermine an individual’s right to be forgotten.

From What Airbnb’s blockchain proposal means for privacy

Indeed it could, which is why it should not store personal data in the clear. So, to end this problem statement of our thought experiment, let’s recap: what we will be storing in the shared ledger is not identity itself but some kind of identity transaction and when you come and present your financial services passport to a bank, you will do it by proving that you have control of the private key that corresponds with the public key that is linked to the relevant identity transactions (e.g., Barclays KYCd Dave Birch). 

Reasonable starting point? Your thoughts?
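
The presentation flow recapped above, together with the challenge and revocation check from the earlier NatWest walk-through, sketched as an added example that is not from the original post or any bank's system: the ledger holds issuer-signed transactions about a key fingerprint, and the relying party checks attestation, revocation and then proof of possession. It uses an Ed25519 signature over a fresh nonce rather than the encrypted message described earlier, an in-memory array stands in for the shared ledger, and every function and transaction name is hypothetical.

```javascript
// Added illustration: every name and the transaction layout are hypothetical.
const nodeCrypto = require("node:crypto");

const ledger = []; // constructed in-memory stand-in for the shared ledger

// The ledger refers to a key fingerprint, never to personal data.
const keyId = (publicKey) => nodeCrypto.createHash("sha256")
  .update(publicKey.export({ type: "spki", format: "der" })).digest("hex");
const txBytes = (tx) => Buffer.from(JSON.stringify([tx.type, tx.issuer, tx.subject]));
// Domain-separate the challenge so the holder's key never signs arbitrary bytes.
const challengeBytes = (nonce) => Buffer.concat([Buffer.from("passport-challenge:"), nonce]);

// An issuer signs and appends an identity transaction about a subject key.
function record(type, issuer, issuerPrivateKey, subjectPublicKey) {
  const tx = { type, issuer, subject: keyId(subjectPublicKey) };
  tx.sig = nodeCrypto.sign(null, txBytes(tx), issuerPrivateKey).toString("base64");
  ledger.push(tx);
  return tx;
}

// Relying party: check attestation, then revocation, then proof of possession.
function verifyPresentation(subjectPublicKey, trustedIssuers, respond) {
  const id = keyId(subjectPublicKey);
  const valid = ledger.filter((tx) => tx.subject === id && trustedIssuers.has(tx.issuer) &&
    nodeCrypto.verify(null, txBytes(tx), trustedIssuers.get(tx.issuer),
      Buffer.from(tx.sig, "base64")));
  const revokedBy = new Set(valid.filter((tx) => tx.type === "KYC_REVOKED").map((tx) => tx.issuer));
  const attested = valid.filter((tx) => tx.type === "KYC_ATTESTED");
  if (attested.length === 0) return "no-attestation";
  if (attested.every((tx) => revokedBy.has(tx.issuer))) return "revoked";
  const nonce = nodeCrypto.randomBytes(32); // fresh per presentation, so replays fail
  const proof = respond(nonce);
  return nodeCrypto.verify(null, challengeBytes(nonce), subjectPublicKey, proof)
    ? "accepted" : "bad-proof";
}

function demo() {
  const newKey = () => nodeCrypto.generateKeyPairSync("ed25519");
  const [barclays, dave, other] = [newKey(), newKey(), newKey()];
  const trusted = new Map([["Barclays", barclays.publicKey]]);
  const holder = (key) => (nonce) => nodeCrypto.sign(null, challengeBytes(nonce), key.privateKey);
  const out = {};
  record("KYC_ATTESTED", "Barclays", barclays.privateKey, dave.publicKey);
  out.genuine = verifyPresentation(dave.publicKey, trusted, holder(dave));
  // Presenting Dave's public key without his private key fails the challenge.
  out.wrongKey = verifyPresentation(dave.publicKey, trusted, holder(other));
  // A transaction that names Barclays but is not signed by Barclays is ignored.
  record("KYC_ATTESTED", "Barclays", other.privateKey, other.publicKey);
  out.unsignedByIssuer = verifyPresentation(other.publicKey, trusted, holder(other));
  record("KYC_REVOKED", "Barclays", barclays.privateKey, dave.publicKey);
  out.afterRevocation = verifyPresentation(dave.publicKey, trusted, holder(dave));
  return out;
}
```

Because revocation is just another signed transaction about the same key fingerprint, a relying party that stored only a pointer sees the change the next time it reads the ledger.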

Shared ledger applications and the Bouvier-Sams boundary

Way, way back in October 2015 (and that’s a million in blockchain years) I read a piece by Pascal Bouvier. It contained an interesting term.

Robert Sams inspired this post. As we were discussing stacks (software, IT) and the drawbacks of the bitcoin blockchain architecture recently in London, we slowly gravitated towards a new term… Consensus Computer (CC).

From A New Framework For Distributed Ledgers Or Dare I Say Consensus Computers (CC) | FiniCulture

Having finished working on our four layer shared ledger model with my colleagues Steve Pannifer and Salome Parulava at CHYP and having used that model with clients in a few different countries to help management begin to formulate strategies around shared ledgers, and the blockchain, I thought it might be interesting to add this (i.e., Robert/Pascal’s formation) to our model to see if it helped us to think more clearly and have more effective communications.

It did.

So here’s the new version of the Birch-Brown-Parulava four layer shared ledger model with the Bouvier-Sams boundary (as I now call it) in place.

BPP New Four Layer CHYP

I’ve now used this with a few groups to help them to think about the potential for “smart contracts” in a variety of real-world applications and it’s proved rather useful so I think we’re going to stick with it for a while. By encouraging people to see smart contracts as applications, I think it sets up a different context for conversation. Smart contracts are not really contracts (or smart). Indeed, as my good friend Gideon Greenspan pointed out yesterday, you wouldn’t necessarily store contracts on a blockchain anyway.

As mentioned earlier, R3CEV’s Corda product has adopted this third approach, storing hashes on a blockchain to notarize contracts between counterparties, without revealing their contents. This method can be used both for computer-readable contract descriptions, as well as PDF files containing paper documentation.

From Four genuine blockchain use cases | MultiChain
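
An added sketch of the hash-notarization idea in the quotation above, not Corda's or MultiChain's code: only a salted digest of the contract goes into a hash-chained list, and a counterparty holding the document and salt can later show that it is the one that was notarized. The salting scheme (HMAC-SHA-256 keyed with a random value), the entry layout and all function names are assumptions made for this example.

```javascript
// Added illustration: function names and the entry layout are hypothetical.
const nodeCrypto = require("node:crypto");

const GENESIS = "0".repeat(64);
// prev and digest are fixed-length hex, so plain concatenation is unambiguous.
const entryHash = (prev, digest, timestamp) => nodeCrypto.createHash("sha256")
  .update(prev + digest + String(timestamp)).digest("hex");
const salted = (salt, document) =>
  nodeCrypto.createHmac("sha256", salt).update(document).digest();

// Commit to a document. The random salt stops anyone who reads the ledger from
// confirming a guess at a short or predictable document by hashing candidates.
function commit(document) {
  const salt = nodeCrypto.randomBytes(32); // kept off-ledger by the counterparties
  return { salt, digest: salted(salt, document).toString("hex") };
}

// Append only the digest to a hash-chained ledger; returns the entry index.
function notarize(chain, digest, timestamp) {
  const prev = chain.length ? chain[chain.length - 1].hash : GENESIS;
  chain.push({ prev, digest, timestamp, hash: entryHash(prev, digest, timestamp) });
  return chain.length - 1;
}

// Recompute every link; editing an entry without rewriting all later ones is detected.
function chainIntact(chain) {
  let prev = GENESIS;
  for (const e of chain) {
    if (e.prev !== prev || e.hash !== entryHash(e.prev, e.digest, e.timestamp)) return false;
    prev = e.hash;
  }
  return true;
}

// A counterparty holding the document and salt proves it is the notarized one.
function verifyDocument(chain, index, document, salt) {
  if (!chainIntact(chain) || !chain[index]) return false;
  const expected = Buffer.from(chain[index].digest, "hex");
  const actual = salted(salt, document);
  return expected.length === actual.length && nodeCrypto.timingSafeEqual(expected, actual);
}

function demo() {
  const chain = [];
  const contract = Buffer.from("Constructed sample: A lends B 100 shares until 2016-06-30");
  const { salt, digest } = commit(contract);
  notarize(chain, commit(Buffer.from("constructed earlier entry")).digest, 1);
  const index = notarize(chain, digest, 2);
  const out = { original: verifyDocument(chain, index, contract, salt) };
  out.altered = verifyDocument(chain, index, Buffer.from("A lends B 900 shares"), salt);
  out.leaksContent = JSON.stringify(chain).includes("100 shares");
  chain[0].digest = "f".repeat(64); // simulate tampering with stored history
  out.afterTamper = verifyDocument(chain, index, contract, salt);
  return out;
}
```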

When you think about smart contracts as a new class of application, however, you begin to see what the new architecture can bring to the party. The ability to execute general purpose code on the consensus computer means that, just as the ability to execute general purpose code on conventional computers did, people will create some amazing things that we can’t imagine right now. I’m looking forward to that, and I’ll be talking about this sort of thing on the Distributed Ledger Technology panel this afternoon at Cards & Payments Australia, hope you can join us.

You can’t handle the (single) truth

Another week, and another tidal wave of blockchain articles that I’ve been trying hard to keep up with. After chairing the session on the R3 Initiative at Money2020 Europe in Copenhagen, I’ve been surveying the ledger landscape to help our clients to develop their roadmaps. 


I wonder if the blockchain is going to be important or not? Better get reading. Over the last few days I’ve had some time on planes, trains and buses to look through a whole bunch of articles on the subject.

Blockchain: a short-lived illusion or a real game changer? Experts discuss if, and how, blockchain can revolutionise payments

From EPC | Newsletter – Article

I read this article, and just like most of the other articles I read, it really doesn’t explain either how or why the blockchain might revolutionise anything. (It uses the blockchain, a blockchain and ledgers as interchangeable terms, which bothers me.) I don’t really want to be known as the Victor Meldrew of the Blockchain (Michael Salmony of Equens is already there!), and I don’t mean to offend, but I do want to make a serious point: what is the point of the thousands of articles like this? Not to mention the articles about how the blockchain will / will not (*delete where applicable) mean the end of the stock exchange, child poverty or delays in firefighters using lifesaving equipment. OK, it was rhetoric, but when I told the students at the London Business School that most of what I’d read about the blockchain that day was (and I quote) “drivel”, I wasn’t exaggerating much.

These “blockchain will change banking / insurance / land registries” articles suffer from two fundamental flaws in my opinion:

They lack a basic model to facilitate communication between business and technologists so that the business idea that they are putting forward can actually be understood by anyone who might have an idea about how to deliver it, and

They lack an understandable narrative about the use of the new technology that might stimulate the development of those new business ideas.

This is why I think that some of the work that I’ve been involved in recently is so important, because it addresses both of these points in a manner that experience seems to indicate is of great benefit. I’ve been out and about using Consult Hyperion’s “4×4” model of the shared ledger technology (SLT) to help our clients to understand and explore the new business models that might be available to them. As you’ll recall, this “4×4” model works by thinking of the shared ledger as comprising four layers and the architectural choices that can be made in these layers give us four different kinds of ledgers to think about in business terms.

Revised Four Layer Model (High Level)


I think that the most important narrative is one of transparency. I’ve written before about “The Glass Bank” as a way to think about new kinds of financial markets built on radical transparency. Richard Brown of R3, my colleague Salome Parulava and I have a paper in the forthcoming Journal of Payments Strategy and Systems that sets out the basic model and the concept of “ambient accountability”, which, I certainly think, will help to set the agenda around SLT in the coming months.

Transparency isn’t the only emergent property of SLT, of course. It also connects with the “single source of truth” without the need for a single point of failure. Goldman Sachs, for example, have spoken about this.

Overall, Duet’s comments were broad and positive, with remarks aimed at illuminating for his audience what Goldman Sachs saw as its biggest opportunities. To this, Duet answered that it was the blockchain’s ability to provide a “single truth” to the many institutions that need to share information on asset transfers.

From Goldman Sachs Director: Blockchain Provides ‘Single Truth’ For Banks at CoinDesk.

Who might benefit from shifting to this sort of technology? Well, Goldman Sachs might. They’ve just been fined for some problems to do with the transparency of securities holdings.

Goldman told those customers that it had arranged to borrow, or believed it could borrow, the security to settle the short sale, a process known as “granting locates.” Goldman, however, had not performed an adequate review of the securities customers had asked it to locate, the SEC said.

From Goldman Sachs to pay $15 million to settle SEC stock lending case at Reuters.

This is a good example of a specific problem that might be avoided to everyone’s benefit using the single source of truth that the Goldman chap referred to above. If an investment bank says it has a contract to borrow some stock, then customers could easily see for themselves that the contract is in a shared ledger and they could easily check that the counterparty either has the stock or has a contract to acquire the stock in time. And the regulators could have a simple application that checks whether an investment bank claiming to have such a contract has a “Turing complete” set of contracts in place, and the regulator would have the necessary decryption keys in place to look into contracts that they might see as suspicious.

In fact, thinking about it, in an environment of real ambient accountability, the system itself would not allow an investment bank to enter into an agreement that could not be fulfilled. A bank could not do a deal with customers on the basis that it had arranged to borrow stock unless it actually had. The contract with the customer just wouldn’t work if the “chain” is broken. I hope this won’t take all of the fun out of investment banking but hopefully it will make it safer for the rest of us. Bearing in mind that I don’t really understand shared ledger applications, investment banking or the SEC rules about anything, it all sounds easy to me.

This is the sort of thing that R3, Intel (we have been working on a very interesting project for Intel in the blockchain space), Ripple and Michael Salmony will be discussing in the shared ledgers session at our 19th annual Tomorrow’s Transactions Forum in London this week. So if you want to tap in to the leading edge of serious business discussion on the topic, come along. As always, the Forum (this year sponsored by our friends from WorldPay, VocaLink and Olswang) will be limited to 100 people, so head on over to register for a place right now. I think there are a couple of places left and thanks to the amazing generosity of the sponsors, it’s only £295 for both days – you’d be mad to miss Barclays, Mondo, Fidor, Equens, Clearmatics, the FCA, Shell, Samsung Pay, World Remit, Visa Europe, Curve and many others in an environment of genuine discussion, debate and learning. See you there!
