Verifiable credentials bridge the universe and metaverse (and Britney showed us how.)
While it is clearly the case that the world of decentralised finance is home to flagrant criminality, outrageous fraud, tax avoidance, money-laundering and no end of flim-flam, we should not lose sight of the fact that a new and valuable infrastructure is emerging and that it will open up new services and new business models that will transform the way that we interact. The new technology, technology that provides a means to execute completely secure transactions in completely insecure environments, is game changing. And in this, as in so many other ways, Britney Spears was a pioneer whose place in history is assured.
Younger readers of a cyber-disposition may not remember the time when Ms. Spears was the biggest pop star in the world and dedicated fans of the celebrated songstress could buy her fan club smart card kit. Twenty years ago, a British start-up called Internet PLC launched the Britney SmartFlash card kit. The $29.95 SmartFlash kit came with a card and a USB card reader. When the card was inserted into a reader, a web browser launched and the viewer was taken to a secure web site where they could see information about coming tours and other promotions. When the card was removed, the site closed. The fan club sold more than 25,000 of these kits before they were discontinued.
Yes, that’s right, Britney launched a smart card, and I have one of them. Fearing that I would end up on some police database, I bullied my sister-in-law into joining the Britney fan club on my behalf and ordering one of the kits for me.
(But as a marker for how dull my life is, I should reveal that I wasn’t interested in Ms. Spears’ music: I wanted the smart card reader!)
At the time Britney took her brave step, my colleagues and I were involved in a number of leading-edge smart card developments in the payments space, so we had plenty of cards and readers at our disposal. The reason that I indulge in this nostalgic discussion of her kits here is that they stood out to me for one very simple, but vitally important reason: they worked. I wrote about my experience with the kit a few years later, reflecting on what happened when some of the leading financial institutions of the time (eg, American Express
- We plugged in a well-known financial services company’s smart card reader. It didn’t work. We downloaded some drivers, reloaded the software, rebooted. The card reader was visible to the software, but nothing happened when we put the card in, so we gave up.
- We plugged in the Britney smart card reader (actually, as I recall, a rebadged GCR 400) and it worked first time. We inserted the Britney card and it launched Explorer and took us straight to the members-only section of the Britney web site.
- We then tested the financial services card that we were working on and it worked perfectly in the Britney reader. In other words, having installed the Britney reader we could now carry out secure financial transactions online.
Let me re-emphasise my point here: it worked. And it was designed for 9-year-old girls to use. And once the user had been motivated to install the Britney smart card reader, when they would never in a million years have bothered to install a Wells Fargo
I always wondered why business didn’t exploit Britney’s trailblazing smart card expertise. It would have been relatively trivial to use a $5 smart card reader, an EMV card and a few bytes of application code to create a Britney-like online experience. Plug in the reader, insert your debit card, your default web browser takes you to your bank home page. (The software to do that, client-side certificates, was present in almost all web servers and web browsers at the time.)
Since then the chip cards have gone contactless and vanished inside mobile phones with near-field communication (NFC) goodness, but the crucial reason for using them to store credentials remains the same: they cannot be cloned. There are billions of smart credit and debit cards out there, and billions of SIM cards. They are used for that straightforward reason: they are unique and it is computationally infeasible to make an identical copy of any of them.
You can probably see where my clumsy analogies are going. It is time to tell this story, not because I loved my Britney Spears card (indeed, I still do), but because it is a useful weathervane for the metaverse. To borrow the historian David Edgerton’s phrase, when I was talking to the brilliant Evin McMullen of Disco about business models enabled by the new security technologies of digital wallets, blockchains and verifiable credentials, I was struck by the shock of the old. In the days of the Britney card all the fans needed to know was that if you had the card you could see stuff, if you didn’t have the card then you couldn’t see stuff. The card was a secure proof that you were a member of the fan club and it worked online. It was, in essence, a verifiable credential and no-one who used it had to know how it worked.
(Incidentally, if you haven’t watched Evin’s outstanding talk about verifiable credentials at Denver ETH earlier this year, you will find its twelve minutes extremely well worth your time.)
VCs For VIPs
I said at that time that where Britney has blazed a trail, others would surely follow, but it has taken a generation to get us to the point where her vision can be realised at population scale. An NFT that is a JPG of a chimpanzee wearing sunglasses, whatever. An NFT that is a JPG from Britney, meh. A VC from Britney that means you can access part of her web site that is invisible to the hapless VC-less multitudes, now you’re talking. A VC that gets you into the VIP area at the next Britney show, now you are talking bank.
If that VC is the modern day equivalent of the Britney smart card, then the modern day equivalent of the Britney smart card reader is a digital wallet capable of storing VCs so that they can be presented under user control as the metaphorical card is pushed into the metaphorical reader. I’m not sure how to persuade customers to install a Barclays VC Wallet, but if those customers can be persuaded to install a Lady Gaga Wallet, then we might be able to put a Barclays VC inside and use it for safe and convenient access to online financial services while abandoning the 1990s security theatre of passwords, text messages and the maiden names of grandmothers.
The challenge for our industry is to make it so that it is as easy in terms of customer proposition, installation and use as that branded card and USB reader, both built on international standards, were in practice. Britney set us a high bar, but I think there are some people out there who can reach it.