The global banking system may have already solved the problem of spoofed phone calls and online identities; the solution just needs to be explained to telco regulators and internet engineers. The story begins in the aftermath of the banking crisis of 2007-08, when the leaders of the G20 countries sought to prevent the same thing ever happening again by instituting a Financial Stability Board to monitor global banking. One challenge they faced is the impossibility of knowing how much financial risk is being taken unless you first know about all the banks that exist worldwide, and which banks own which other banks. This was addressed with the creation of the Global Legal Entity Identifier Foundation (GLEIF) in 2014. Some of the problems faced by the global comms industry have similar issues at root. For example, US agencies like the Federal Communications Commission would like to reduce illegal robocalls but they never had a registry of all the comms businesses that make and convey calls within the USA, and their attempts to build a registry for foreign telcos are unlikely to ever succeed. But what if the recipient of a phone call could tell who was phoning them because they were shown a secure digital signature that corresponds to the Legal Entity Identifier (LEI) of the originating business? Such a method could obviously be applied to stopping scammers from impersonating banks, but could also be adopted by many other businesses too, and could eventually be generalized so that everybody has their own identifier, using the same technology and series of codes.

The potential to extend the telecoms use of the methods underpinned by GLEIF is discussed with three expert guests:

  • Stephan Wolf, CEO of GLEIF
  • Timothy Ruff, blockchain pioneer and General Partner at Digital Trust Ventures
  • Randy Warshaw, veteran telecoms executive and CEO of Provenant

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hi there, this is The Communications Risk Show and I'm your host, Eric Priezkalns.
Every Wednesday, we discuss the risks faced by comms providers and their customers with
experts from around the world.
Our shows are streamed live so you can join the conversation too.
To send a message, just type into the window immediately beneath the live stream at tv.commsrisk.com.
Messages are anonymous, so include your name if you want it read out.
The show is also streamed live to LinkedIn and a few other platforms too, we'll try
to keep an eye on any comments over there.
I'll read out as many of your questions and observations as I can.
Today we'll be talking about some important developments in the interface between the
finance sector and telecoms, whose eventual significance may extend much further.
We'll be joined later in the show by Stephan Wolf, CEO of the Global Legal Entity Identifier
Foundation GLEIF, a supranational not-for-profit organization set up by Financial Stability
Board as part of the response to the 2008 banking crisis.
Timothy Ruff, a pioneer of self-sovereign identity technologies and general partner
at Digital Trust Ventures.
And Randy Warshaw, a veteran executive in the telecoms industry and the CEO of Provenant,
a business that is leading the charge for verifiable legal entity identifiers that would
tell phone and internet users exactly who they're dealing with.
Complicated stuff, but well worth watching.
But before we bring them on, here are my regular co-presenters, Ed Finegold and Lee Scargall,
to discuss some recent news from around the comms industry.
Ed joins us from Chicago, he's an industry analyst, widely published author, and a strategic
advisor to tech and telecoms businesses.
And Lee joins us from Bahrain.
He's an executive consultant who has managed risk on behalf of comms providers in the Middle
East, Europe, Caribbean, and Asia.
Welcome Lee.
Hi Ed.
Great to have you back on the show again.
I want to get straight into this big topic that's been generating a lot of internet traffic
for Commsrisk, people reading it from all around the world.
Another IMSI catcher fraud case found, this time in Oslo, Norway.
Sounds a lot like, a lot of similarities between this case and the case that was discovered
in Paris at the very end of 2022, with fraudsters driving around a device that connects to mobile
phones in the vicinity.
This time the arrested suspect, a 25 year old Malaysian citizen, had only been in Norway
for a short period, was only caught because he was driving around the government quarter
of Oslo, leading to his detection by specialist equipment used to prevent espionage.
His name not disclosed, but is understood to be a student in Australia.
He was originally charged and investigated for espionage, but it appears law enforcement
jumped to conclusions because of how they caught him.
It's since turned out that his interrogation leads the law enforcement authorities to believe
his crimes are actually economic and fraudulent in nature, with the IMSI catcher also driven
around Norway's second city, Bergen, in addition to the capital.
So we don't have a lot of information about this particular crime, but there's a lot of
similarities here between what we've been talking about before, in terms of IMSI catchers
being used for blasting out SMS messages in Southeast Asia, and also the behaviour of
the Parisian gang, who were discovered at the end of 2022, when they were driving around
effectively false base stations, using them to send SMS messages, in that case, as
part of a phishing scam involving a fake insurance website.
Lee, question for you.
It's become pretty standard for the authorities in most countries to try to minimise the burden
on themselves by warning the public to protect themselves from fraud, warning the public
about messages, warning the public about calls, shifting responsibility to the potential victim
by making them more aware of fraud.
But Norway's authorities here, very tight-lipped about what this particular fraudster was trying
to do, what particular scam he was pushing whilst driving this car around Norway.
Can you speculate, Lee, as to the reasons why authorities would not warn the public
about a fraudster driving around a radio device like this, and what he's up to?
Well, this isn't the first time that IMSI catchers have been caught, actually, or detected
in Oslo.
So back in November 21, I believe it was, one of the biggest newspapers there, the Aftenposten,
they actually detected two IMSI catchers, and they were located right in the centre
of Oslo, right near government buildings.
Now, they contacted the secret services and the police who were actually able to use this
type of equipment, but they both denied it at the time.
So there was some kind of speculation that it could have been some foreign agents spying
on the government.
So I think this has actually led to the original charge where this Malaysian, he was actually
charged with espionage, but then they downgraded that to economic and fraudulent in nature.
Now, I don't really know why the authorities are not warning the public.
I can only speculate that they don't have the resources to deal with it themselves.
So they might not want to talk about it.
Isn't that, wouldn't that be a shocking indictment though?
I mean, one can see that the situation in France blew up enormously in the media after
that story broke.
It took a little while for people to understand the significance of what was happening.
But when it became apparent that hundreds of thousands of people's phones had been connected
to by the IMSI catchers that were driven around Paris, it became so huge that we started to
have rap singers singing songs with IMSI catcher in the title of it because the phrase becomes
so common, so widely used, so associated with, shall we say, a cool type of organized crime.
Whereas in Norway, it's as if they don't want to, the big story was the espionage, but now
that it seems to be that hundreds of thousands of people, again, when you look at the population
of Oslo, when you look at the population of Bergen, hundreds of thousands of people may
have been potentially hit, no one wants to seem to talk about what they were hit with.
What was the message?
What was the threat?
I find that perplexing that there's just no warning to people to say, if you're asked to
type your name into a website or whatever, don't type it in.
It might be fake.
I'm completely perplexed.
Are you as perplexed as me?
It could be a cultural thing.
I think, you know, from the Norwegians that I know, they seem to be a lot more reserved
than the British, right?
So maybe they just don't want to talk about it.
I don't know.
But it's a different case when you compare what happened in Norway to the way it's been
reported in Paris.
It's completely different.
Now, Ed, let's bring you in here.
Several individuals have observed on social media that the story has not been broken outside
of Norway, that news media has basically ignored this story outside of Norway.
Pretty similar to the situation with the Paris gang, where there was very light news coverage
of what happened in Paris outside of France, although the story is so dramatic.
You could base a Hollywood movie on it with gangs of fraudsters, you know, driving around
old ambulances, 400,000 Parisians, you know, attacked, big, big splash in the French news,
hardly mentioned anywhere else, or so much so that, you know, part of Commsrisk has been
getting a lot of traffic from people like Google, because they're citing Commsrisk stories
to explain what's happening, because they can't find more mainstream stories on this
particular topic in the English language.
What is it about cyber risk, network interference, or the particulars of this story?
And I'm asking you here as a man who's well, you know, written a lot, well respected author,
who's, you know, a man whose words are read by many people.
What is it about this story or the nature of this beast that means the public in other
countries may only be interested or only be told about it when it's affecting somebody
in their country, as opposed to very clear global threat, very clear global expansion
of this crime from one country to country already happening?
I mean, certainly it's complicated, right?
Part of it is it, I think, requires expertise in multiple different areas to understand
it. And I think that's part of what makes it not as accessible in some cases.
But your example of what happened in France would be a really strong counterpoint to that.
Why did that one go viral and not others?
So right away, my first assumption that I would have would get shot down.
My next assumption is like, is it a bury the head in the sand kind of thing where there's
already so much gloom and doom, you know, from so many angles through media being
communicated to you that this is just another gloom and doom story that's not making it
to the top. I mean, it could be something that's that simple.
But if those are my guesses to answer your question, I want to answer kind of a parallel
question with research, with some research that I've actually done.
OK, fair enough.
All right. So I've been I've started talking to folks who are members of the show
community. People have been on the show about, you know, some of these issues in more
depth. I mean, we should take advantage of the expertise.
So, for example, I spoke with Tom Walker this week, and one of the things I took away from
that very useful conversation.
And thank you, Tom. Tom is doing I want to get this right.
Fraud victim, fraud victim rights dot org is what Tom is doing now.
And then we're, you know, giving him some support, at least some moral support in what
he's trying to do. But talking with Tom, he was talking about the fact that his experience
working with prosecutors is that they aren't really interested in these cases.
And so the law ends up not being enforced.
They're not sexy. They're complicated.
They can be hard to prove.
It's just not top of their list.
And the law ends up not being enforced.
So that was kind of an eye opener is one reason.
Here's another reason I was researching.
And I had a chance to chat a little bit with Karsten, Karsten Nohl, about this.
So I was looking at some analyst coverage of the security technology landscape, and I'm
familiar with writing reports like that, just more so in the telecom OSS and BSS space.
And what I found from the descriptions I read and was kind of validated from talking to
Karsten is that the security tech landscape is pretty chaotic.
It's kind of immature and disconnected, given where the threats are.
And it would probably benefit from a structure, for example, like what TM Forum is doing
with open digital architecture, just to bring some kind of common structure so that we
don't just keep adding pieces that are disconnected silos where the seams are attacked.
Right. And that was one of the takeaways, again, of like, there's a lot of complexity
there that breeds the problem.
It's hard to describe. I think that's part of the reason why.
Here's a third one, though, that popped up, Eric, which is that and this is, I think, part
of the reason that this continues to perpetuate.
And it's not necessarily I'm seeing my Internet connection is unstable.
If you're losing me, forgive me.
The third one, though, is that I'm seeing examples where white hat hackers
are turning to ransomware because the companies that they've infiltrated and gone ethically and
said, hey, we did this, let us help you solve these problems, have been unwilling to pay for
the service and have shrugged their shoulders. And they've then turned to ransomware and said,
we told you, and now you're going to have to pay us, which isn't great, but it's an interesting
shift in the market where it's just become very profitable to go that route, both because the
law is not enforced and because the victims aren't willing to pay for it upfront. So all those things
just in doing initial research this past couple of weeks has opened my eyes to how much, to your
point, there's a lot of shrugging, there's a lot of not understanding, and it all kind of piles up to
it being ignored, this festering problem that's ignored. Hold the thought, let's have a quick
ad break and then we'll come back to this topic. It's time for an interesting fact from our
sponsors Symmetry Solutions and their PRISM fraud intelligence team. Most mobile operators are
conscious of the revenues made from roaming, but do they always monitor all of the associated frauds?
The experience of the PRISM team shows that the abuse of mobile station roaming numbers, MSRNs,
is something that telcos may overlook. MSRNs are allocated to each subscriber when they're roaming,
and this allows calls to be connected from the home network. These special numbers are susceptible to
hijacking, though they are not meant to be used like conventional phone numbers. If an MSRN is
hijacked, then the genuine customer can be denied service, leading to a loss of revenue and complaints.
The fraud detection team at Symmetry Solutions continuously collects compromised MSRNs that are
waiting to be hijacked. Their current database includes 55,000 unique numbers of this type,
spanning 191 countries that are available for misuse now. It's crucial that you protect your
MSRNs to continuously provide a high level of service that your customers expect and deserve.
To learn more about how to protect yourself and your customers from crime, speak to the PRISM
fraud intelligence team at Symmetry. The URL is SymmetrySolutions.co.uk. Now let's get back to
this topic of IMSI catchers. I'm not sure I entirely agree with both of you guys, I have to say.
I think what this is about is that the authorities like to publicize themselves when they can do
something that gives credit to themselves, and they are dazzled by the headlights of this crime.
They don't know what to do about it. They can't find somebody else to shift blame to. They can't
blame the telco, because this has nothing to do with the telco's network and the telco is not
aware of it. They can't blame the handset manufacturer. Somebody else is using a radio
device to impersonate a base station, and therefore it appears as though the device will
connect to the apparent network. It's the same kind of technique that the law enforcement agencies
use, spy agencies use anyway, to gather information. So there's an extent to which
the crooks have just found a cheaper version of what has already been taking place in society in
terms of surveillance of phone users, particularly degrading their connection down to 2G to evade the
higher levels of security that's involved in more advanced networks. So I think there's a degree to
which nobody wants to talk about it because they can't see a winner from this topic. The telcos
can't be blamed, the law enforcement, the effort involved in actually policing this is enormous,
and you can't just say, be warned, consumer, because you're going to have panic. Panic,
because on the one hand, when it becomes appreciated that these things can be blasting
out messages left, right and center, it's going to crash the market for sending out more general
messages from business. Panic, because the same kind of device, a more sophisticated version of
the same device, is not a one-way sender, it's also a grabber of your information. Lee, do you
think part of the problem here is that this is linked to the fact that when you're aware that
a radio device could be driven around your city, it could also be used to snoop on your calls,
your messages, start interfering with your privacy too? Yeah, I mean, what worries me about this,
Eric, is the price points to do this, right? So if you look at some of these SMS blasters,
right, you can pick them up for less than $2,000, right? So the barriers of entry are getting lower,
right? Even some researchers in Italy, they've actually developed a 5G IMSI catcher, but
technically it's a SUPI and a SUCI catcher because IMSIs don't exist, right? Using a Raspberry Pi 4
and some SDR software, right? So now this is getting really cheaper by the day, right? So
imagine the day when you can buy a Raspberry Pi 4 off the internet, download some software off
GitHub, and you can build your own IMSI catcher. In fact, before the show, I was on the Hackers
Arise website and there's already a tutorial on there telling you how to do this using OpenBTS.
And we're making a society that's more and more connected all the time. So the notion of some
kind of alien device interceding in the network, the potential risks become hard to imagine.
What happens if your connected car is not connected to the right network? What happens
when your home IoT devices, say smart meters and things like this, which quite often use
mobile network technology rather than Wi-Fi in your own home, what happens when they start
connecting to the wrong network? We have opened Pandora's box by encouraging for what seemed like
good reasons, good business reasons, good reasons in terms of making society better,
saving energy in a case. We've encouraged increasing reliance upon networks, and now
we've got people driving cars around cities interceding, placing themselves in the middle
of networks. We're too scared to talk about this topic because we don't have an answer other than
rolling back to where we were. What do you think, Ed? Do you think I'm exaggerating here or I think
this is going to grow and grow? And I think this is something where we just don't know
how to get a handle on it. So we prefer to talk about other things instead.
Ed, what do you think? I agree with you. I think it is like this big,
scary bogeyman, right? Or bogeyman, depending on how you pronounce it. It's this big, scary thing
that's on the other side of your phone for most people, and they don't necessarily understand how
the phone works or how the stuff works, but it's not hard to imagine that there's this evil monster
that can ruin your life in multiple ways, and you're on your own. And so I think that that
aspect of it is probably overblown if you can accept the fact that you are kind of in your
digital life, always walking in a dangerous neighborhood, and you have to take steps. And
you may live in a place that's very, very safe, right? And you don't think about your physical
safety or even your property safety. You don't lock your doors and everything else. In the digital
world, you need to have that mentality very, very strongly. I mean, look, we had the pandemic. We
had the conspiracy theories during the pandemic. 5G being dangerous. Bill Gates wants to put chips
inside of you to monitor your behavior. So clearly, there's a fraction of society that's susceptible
to those kinds of messages here. This isn't such a stretch for the conspiracy theorist. This is
actually a lot more believable. Somebody's got a device in the back of a van, in the back of a car,
on the back of a moped, I understand, in Southeast Asia. They're driving around. They're connecting
to your device. They're gathering information about you. They know where you are. They know
your phone number. They're able to send messages. They're getting between you and the network.
This isn't such a stretch in terms of generating a lot of fear. And let me point out,
I've seen adverts aimed at lawyers. Adverts aimed at lawyers saying that they need the same kind of
technology we talked about being used in Norway that catch this particular criminal. Same technology
because it's somebody placing an IMSI catcher outside of the lawyer's office in order to intercept
the communications of the lawyer and the lawyer's clients, implying, hinting, that maybe law
enforcement may break the law or overstep the boundaries of what they're allowed to do. So again,
this doesn't require a great deal of paranoia if you're now selling to lawyers the technology to
stop IMSI catchers. And frankly, sadly, there has been privacy abuses by law enforcement, by
surveillance organizations. We had a report not that long ago from the Department of Homeland
Security in the USA saying the Secret Service and Immigration and Customs Enforcement Homeland
Security investigations did not always obtain court orders required by federal statute when
using cell site simulators during investigations. In other words, put simply, law enforcement
professionals trusted with some of the most privacy-invasive technology that exists in the
modern world broke the law when they were using it. So you don't need to be a completely off the
rails conspiracy theorist to say, well, if the law enforcement people can abuse your privacy,
if criminals can afford devices like this for a few thousand dollars, we don't have a simple
solution. Because what's the solution apart from getting a radio blocker out? Or as I say, I'm
going to be living in a Faraday cage in the middle of the woods in future, because this is the only
way we'll be able to preserve ourselves. Is it not, Lee? Yeah, I think if you are a journalist
or a lawyer or somebody handling sensitive information, then they should be using something
like end-to-end encryption. But this still doesn't stop. We were talking about what
these IMSI catchers can do. You can still send somebody a smishing message
using an SMS blaster. So you can target the phone with particular spyware, such as
Pegasus or Predator, and then you can take over that phone in different ways. And you can do
that by location. And that's what we've seen in particular in Norway, what's happened
in particular around the government buildings there. Now, if you're looking to protect
yourself, here's another plug for Karsten Nohl. You could download SnoopSnitch by SRLabs.
That's very good. That notifies you about the network security. It also tells you if there's
IMSI catchers located nearby, or you could buy an Armadillo phone or use GrapheneOS.
Well, I've got, I mean, you've been all over the world, Lee, and you know about different
legal regimes in different countries. Is there anywhere in the world where they just ban IMSI
catchers? Because I think part of what I find shocking about this is that these devices can
be openly purchased. They're openly purchased over the internet. Is anybody actually cracking
down on the supply of these devices? On the supply? No. I mean, you can readily go
on the internet and you can download, so you can buy them from, as it happens, from Malaysia.
be a real big problem over in Malaysia, right? Now, you know, personally, I'd like to see
stiffer sentences handed out to people who were caught using them, right? But get this,
we were talking about they've been driven around in taxis. A couple of weeks ago,
we were talking about driverless taxis, right? So, you know, can you see a day when these IMSI
catchers, they're going to be put inside and just driven around, and then the driver's not
even going to get caught in the act, right? Or even worse, they're going to be put on a drone
and flown around. Fly a drone around, yeah. It's a frightening prospect. I'd love to have your
comments to the audience on this one, but we're going to take another quick ad break before we
bring on our guests for the interview for today's show. And as always, our sponsored features from
good people at OneRoute, experts in call authentication, fraud prevention, and geolocation.
Each week, OneRoute takes us on a trip around the world via the phones in our pockets. So,
here's Geoffrey Ross of OneRoute to take us on a journey to the extraordinary land of Kazakhstan.
Producer James, roll VT. Hey, everyone. From OneRoute, I'm Geoffrey Ross, and this is the
world in your phone. Let's talk about Kazakhstan. Officially known as the Republic of Kazakhstan,
this country has an array of large canyons, beautiful mountaintops, pristine mountain lakes,
seamless deserts, and ancient structures. The region can be a rather mysterious territory for
most people, but it is one of the most beautiful countries to visit. Did you know that in April
2023, Kazakhstan's Ministry of Digital Development, Innovation, and Aerospace has a new accessible
internet national program, which is designed to remove digital inequalities between rural and
urban areas. The accessible internet project aims to bring the percentage of villages with
access to internet services up to 97% by the end of 2027, which will also result in providing more
than 5 million villagers with modern telecommunication services. Some other interesting
facts that I've found. The border between Kazakhstan and Russia is the longest continuous
land border in the world at just over 7,500 kilometers. Kazakhstan has the first and largest
space launch facility. The first satellite sent into space, Sputnik 1, was made in and launched
from what is now Kazakhstan. Apples possibly originated in Kazakhstan, and there are still
wild apple forests in the country. The country is home to 120 different ethnic groups and
nationalities, and is home to the 15th largest lake in the world. It was the first country to
domesticate horses, and nearly all of the elements from the periodic table can be found in Kazakhstan.
Be sure to subscribe to OneRoute on YouTube, where you can catch up on the world in your phone,
and watch the OneRoute Roundup, the show that spotlights individuals and companies making a
positive difference in the telecom industry. One more fun fact I found out about Kazakhstan.
The national drink, kumis, is made from fermented horse milk. And on that note, Eric,
back to you and the Communications Risk Show. Cheers.
Thanks, Geoffrey. It's amazing what I've learned from Geoffrey's videos about different countries,
and I hope you all feel the same way. I love the idea of wandering around an ancient forest
where apples first grew wild, long before this fruit started to be cultivated worldwide.
But times do change. What is universal today was previously unknown to most of humanity,
and something that's currently unknown to most of humanity may become universal in our lifetimes.
That's my segue to the next topic of conversation, which is about some developments
you've probably not heard about, but which could lead to profound changes
in how we interact over networks while solving some of the most serious issues we face when
using networks. It's not going to be easy to explain, so we've got three experts that I'm
going to introduce now to do just that. They are, from left to right, Timothy Ruff, General Partner
at Digital Trust Ventures, Stephan Wolf, CEO of the Global Legal Entity Identifier Foundation
and Randy Warshaw, CEO of Provenant. Now, let's get straight into this topic, Stephan.
You're the CEO of GLEIF. So GLEIF, it's a long acronym. It's got something to do with legal
entity identifiers. What's the role of GLEIF? What's a legal entity identifier,
and why, very briefly, do we need them? Thank you, Eric, for having me here today.
I'm happy to answer your questions, and I'll try to be brief. In the aftermath of the financial
crisis, remember back then, 2008, it became very clear that the banks had no idea who their
customers were. Data was scattered around the banks in I don't know how many master files.
So the regulators came to the conclusion that actually the G20 nation leaders endorsed the
regulators in this thought process to create some kind of a global business register.
Now, a global business register cannot be a government organization because there is no
global government and no global taxpayer, and that's why the closest analogy to this was chosen
with a committee of over 70 financial regulators from all around the world, central banks and
others. They are responsible for policies and everything else. Then there is the
issuance of identity, like in a business register, which today are almost 40 different
organizations around the world. Then you need someone in the middle who orchestrates this and
manages the whole network, and that is what GLEIF is doing. The LEI, the Legal Entity
Identifier, is an ISO standard, which has become the norm in finance already for identifying who
you're doing business with. Okay, great, succinct answer. Thank you so much. Randy, let's bring you
in here now. What is the difference between a legal entity identifier and a verifiable legal
entity identifier? What relevance does the latter have for telecoms?
Thank you for asking, happy to be on the show here. Maybe a quick opening is that the thing
about the verifiable legal entity identifier is that it creates a binding between an identifier
and an entity, which could be an organization, a person, a thing. The easiest thing to equate it to
in my mind is a social security number. They're issued in an analog fashion, we all get them,
and they're all over the internet. Now, ideally, I shouldn't care that somebody else has my social
security number. The VLEI addresses that problem of somebody getting access to your number,
because if somebody has my social security number, they should need to have to prove that that number
was issued to them. If they had to do that, I wouldn't worry that anybody had my social security
number, because I'm the only one who could prove that it was issued to me. The VLEI as a verifiable
version of the LEI accomplishes that same thing. Help me out as I jump in here, my very simple way
of understanding these things. This is really about, say, having a label, a name tag that we
attach to things, to banks in the first instance, but not just banks. And the verifiable bit is that
you can't incorrectly attach that label, because you can verify this label really does belong to
that thing. That's my simple way. Have I got it right, Randy? Yes. And I'll just add one more
little piece, is that the mechanism where it becomes bound is digital signatures. I sign it
when I present it to you, you verify my signature, and the only one who could have signed it was me.
So we can get into that more, but that's where digital signatures come into play as the
cryptographic proof or guarantee of authenticity, that you're talking to the right party that you
think you are. Okay. So we're really getting into the complicated stuff already. This is,
I'm going to bring in Timothy here before we dive too much into the complicated stuff.
And we talked a little bit before the show began, Timothy, about things like
organizational identity. I'm going to give you the hospital pass, I'm afraid,
to use an English phrase. How do we make this work? How do we make this labeling work? How do
we make this attachment work? Where does it begin? How does it roll out in practice, Timothy?
Well, like any other technology, it stays hypothetical and academic and fun to talk
about, but not really useful until it's actually really useful somewhere, right? So it has to
actually solve a problem. And in this case, what the VLEI does is it enables a representative of
any organization. I mean, imagine you're just an employee, or you might be the CFO or the CEO,
or whatever your authority is. It enables any representative of an organization to prove their
authority to represent that organization. I mean, it's really a binding of three things. It's the
entity through the LEI, the representative, their identity, it might be their name, it might be their
title or something like that, and the authority that they carry. And so once you have that,
and it's usable in the digital realm, you can use it for just about anything. The use cases
explode, because this is one of the problems that we have with digital trust is that when,
I mean, just let's talk about telecom. When a phone call or a message originates from an
entity, and I'm talking really about A2P traffic, so not so much about person-to-person traffic.
I think most of the fraud is A2P, it's application-to-person, or where organizations are
sending a lot of communication to people. And I know that's a term from the text message space,
but I think it applies to voice just as well. But most of the fraud is being committed by
organizations, not person-to-person. It's some organization, and they're really trying to pretend
that they're someone that they aren't. It's an impersonation of some kind. And so by being able
to prove that a communication actually came from an entity that was authorized to send it and
represent that entity, it just solves one problem after another from a fraud standpoint in telecom.
And that's just telecom, and that's just A2P. It goes on and on and on. There's many other places
that can solve problems and be adopted.

Okay. I've already got a question in here from the
audience, and I think maybe Stephan, you can help with this one most of all. Your organization's
set up by bankers, central bankers, but what you do, is it available to other organizations as well?
Can other kinds of businesses, entities also obtain an LEI from GLEIF?

So thank you for this question, because there's a lot of myth around that.
The LEI system originates from the financial crisis, and that's why financial regulators
have the highest appetite to solve a problem of identification. But the LEI system is use case
agnostic. So the vast majority of companies that have an LEI are not financial institutions.
They are their customers. So for instance, a Nestle in Switzerland deals with a chocolate
producer in Brazil. And for that business relationship, they need financial instruments.
They also need physical products and services, and they can use the LEI across the board. So the
LEI is not...
So it's not tied to finance as an application, and it's also not tied to central bankers
as the originators.
It's actually G20 mandate for the G20 nation leaders to overcome some of the very pressing
needs in our world.
And now we've created the framework, but it's not limited to the financial services sector
at all.
Anybody in theory could obtain an LEI and start using it to validate the communicate
who they are and communications come from them.
Absolutely.
Let me give you a practical example where this is at the moment in the rollout phase.
That's international supply chain.
You know, we have bill of ladings, letter of credit, certificate of origin, and in all
these documents, you need identification.
Today we do this blue ink on white paper.
In most cases.
In the future, we want to do this digitally, and then you need digital signatures as Randy
rightfully pointed out.
And that's where the VLEI and the LEI together can create huge benefits for B2B, but also
B2Consumer kind of scenarios.
Okay.
Randy.
Can I?
Yeah.
This was actually the motivation for my first conversation with GLEIF is that I saw what
the legal entity identifier was doing across the G20 financial sector.
And I thought, this is what telecom is missing in an international context.
When we have traffic flowing cross borders and cross jurisdictions, what is the mechanism
that will be recognized anywhere?
And here in the LEI was a mechanism recognized by the highest value institutions across,
you know, the G20 nations.
So that was the fit actually that drew our initial conversations for the applicability
of the LEI to telecom.
Ed, do you want to jump in?
Yeah.
And I don't want to derail Randy's thought here, because I think that the train is very
important.
But one of the questions I want to ask is, who owns your VLEI or organization's VLEI,
if anyone?
And just asking the reason I asked that in context of what you were talking about is
because on the purpose of the show, we're looking forward towards the replacement of
a phone number, right, and in this purpose, which you do not own, right?
It's used as a digital identifier that you do not own.
And that's why I'm asking, does someone, can someone own the VLEI?
How does that work?
May I ask the first, may I answer the first part of the LEI?
And Timothy, you might want to chip in for the VLEI.
Okay, great.
Thank you.
The LEI is owned by the registrar.
It's completely open, it's an ISO standard.
So if you, for instance, obtain an LEI on behalf of your company, this LEI belongs to
you.
It's a lifelong experience.
It will never be reused, it will never walk away.
Even when your business is long retired, we will still keep a record for historical reasons
in our file.
So the number belongs to you and cannot be used by anybody else.
And in order to protect this from fraudsters, that's where the VLEI comes in.
Yeah, the VLEI, it's interesting.
The answer is similar to, does your passport belong to you or does your driver's license
belong to you?
People don't understand that in the world of digital identity, or just even just regular
identity in the physical world, when you say that your name is something or your authority
is something, it's not believable until that is attested by some third party, right?
If I just say my name is Timothy Ruff and here is my title or here's my authority, it's
not believable.
I have to give you something that actually came from someone else.
So to say that I own my passport, yes, I control my passport, but if there's something wrong
with my passport or I commit a felony or the government wants to take that away, they can
take away my passport.
And when someone goes to verify it, it won't work.
And so there's kind of this joint ownership.
Yes, I control my passport, but it can be revoked by the issuer who is using their reputation.
In the case of a passport, it's government's reputation as an attestation that I really
am the person that I claim.
So with the VLEI, it's the same thing.
The representatives of the organization get to carry around verifiable credentials that
were issued by a trusted organization.
In the case of the GLEIF ecosystem, that would be a qualified VLEI issuer like Provenant,
and they do it under the accreditation of GLEIF.
So it really goes back to GLEIF.
The reputation of GLEIF is saying that I, Timothy Ruff, really am who I claim in the
context of my authority to represent an organization.
Now could that be revoked if I turn out to be a fraudster or something?
Yes, it can, just like a passport can.
But I remain in physical control of the digital artifact, if that makes sense.
It does.
What's the question?
Throw out there real quick.
If I may, real quick, what Stephan was saying that struck me that's very different from
the phone number, for example, is it can't be reused or ported or issued to someone else
is one of the key differences.
So I'll shut up now, Eric, please.
No, it's great.
I'm loving all the energy here.
We've got lots of questions firing in from the audience, too.
So I want to keep up as much as I can with those.
One of the questions here, which I think is an important one, let's do it now before we
go too far into the technicality of the debate, Nora asks, how does this make a difference
for the phone user?
Randy, do you want to take that one?
Sure.
The difference it's going to make for the phone user is that when you receive a call
or a text message, you're going to be able to truly know who's calling and if they are
authentically that entity or an imposter.
And so that is a benefit to the brands who don't want to have their reputations damaged
by imposters.
So the brands are all for that.
They don't want to suffer the reputational damage.
And for consumers, we want to know that it really is our doctor calling or whomever is
calling.
We want to know that there's an authenticity behind the representation.
So the efforts to represent on a phone through a phone call with STIR/SHAKEN or with text
messages through some kind of branding, all of that is heading in the right direction.
But you need that cryptographic verifiability.
And the way that you get that is by having that information included in the communication
so it gets presented to the end user.
And let me compare this with the Internet.
We all know about fake news and fraudsters and phishing attacks and all of that.
So we believe this is the Internet thing, right?
But we believe also that this is very likely to happen in the voice space.
And then the telecom operators and the telecom companies become right in the middle of this.
And my view on this, this is my personal view, is like Google and the others always say we're
just a platform.
We have nothing to do with the content.
This is not going to work for eternity, right?
So people will become responsible for what's going over their wires.
And then you're absolutely right.
Then you want to know it's authentic.
Well, I think perhaps, you know, one thing, again, I'll try and put myself in the position
of an audience member who's coming to this completely fresh, is that we've had a situation
where American consumers are being told about improvements being made upon preventing scams,
preventing people being imposters, countering impersonation fraud.
And yet there's been some criticism recently that your phone, your handset will tell you
that somebody's a suspected scammer and people may complain they've been incorrectly
labeling those calls.
And of course, some people are being incorrectly labeled as spammers when they're not spammers.
Some people, of course, are not being labeled when they deserve to be labeled.
What is it that the user sees that gives them that confidence, that sureness that this
communication can be trusted unlike the others?
Well, it's a very good question, and to get to the best answer, I believe that we need
to get the handset manufacturers on board with it.
And until that happens, where we can actually do handset verification of it, we're dependent
on the last leg of it, which is the terminating operator.
Okay?
So right now, that is what we're focusing on, is making sure that terminating operators
can cryptographically verify the origin of the call or message and even all of the steps
that it passed through in its routing so that they can assess the legitimacy of that call.
And then the way that it works right now is that they can pass an indicator to the handset
that could present a checkmark, for example.
There is a movement in voice to actually do an out-of-band way of presenting a logo and
the brand name and the reason for the call.
All of those, we're very close to doing it on the handset, but that would be the holy
grail is to get to the handset.
So we're not quite there yet, and that requires cooperation with the handset manufacturers
of software providers on it.
But I think that if we can demonstrate end-to-end from the enterprise to the terminating service
provider that this does in fact work, that that will be the push and the motivation to
get it extended to the handset.
And really the principle that we're after in all of this, even outside of Telco, is
end-verifiability.
You want any person, ideally the endpoint, but anybody along the way to be able to independently
for themselves, do the verification without requiring dips into third-party databases,
which let's face it, some people provide less costly services and the quality of their data
might reflect that.
There can be perfectly well-intentioned repositories that are out of sync and you're going to get
a different kind of response from it.
The optimal solution is for the enterprise to be the holders of the telephone number
authorization, I have the right to use this number, the text message campaign authorization,
this is a sanctioned campaign, and as long as that is valid, let the originator present
that material in a way that can be verified anywhere along the chain.
Although it sounds complicated, this is happening today.
Within telephone calls and text messages, additional metadata is being passed, so it's
not a heavy lift in order to do that.
One thing I like about this, apologies Timothy, I'll let you jump in in a second.
One thing I like about what you're doing, and I believe that this will be a success,
is that we're not talking about a solution that's specific to voice or a solution that's
specific to SMS, we're talking about all forms of electronic communication.
It can be applied across the board.
So, stepping away from some telecoms modes of communication, how would this work in a
domain of the web at the present?
Is it already something that you can see
the results of on the web in terms of,
if somebody has a VLEI,
I as a user can go on the web browser and go,
I really know that this is from that particular person.
Timothy, do you want to jump in?
Let me just throw one thing out super quick
because I think it ties into the first part
of today's webinar, which was on IMSI catchers.
And so my question is that IMSI catcher
is basically being an imposter.
It's impersonating a mobile cell station, right?
So if you had a verification
that that is an authorized cell station,
then your phone would connect to it, right?
And if it can't prove that it's authorized,
then you don't utilize that.
So it could apply to that problem.
And that's why it's so profound.
It's absolutely so profound.
So Timothy, again, help me out here in terms of something.
Is it something that tangibly people could see the results
today with the web browser,
irrespective of what software is running
on a mobile phone handset?
Would web browsers be able to use the technology
that's already been developed here
to give me some confirmation
that when I'm contacted electronically over the internet,
I'm getting that from my bank
as opposed to somebody who's impersonating my bank?
Yes, they can and they will.
I don't know if they'll be the first adopters
of the technology, but they will.
And let me tell you where things are headed generally.
So I'm a partner in a venture studio
and we launch different ventures from the startup phase
as co-founders from the very beginning stages
in different industries.
Telecom is just one industry
where we're bringing the technology.
So when you say, hey, you know,
how useful is this in other places?
Let me give you an example.
Just over the last week,
there've been a number of A-list celebrities,
including Tom Hanks is the one
that came in just like two days ago,
who was putting something out in the universe,
say, hey, this advertisement,
I can't remember what it was advertising,
is not me, it's fake.
It's a deep fake.
It's not me.
And he has to like go out there and say,
no, that's not me.
It looks so much like me, sounds like me.
It's not me.
And one of the startups that we have
is in the entertainment industry
to allow celebrities to digitally sign
their digital content.
And what this enables anybody to do
once they choose to do it
is verify signature on something.
And so what does that signature tell them?
They can actually see this content
really did come from Tom Hanks.
And what happens is, here's if you game this out,
anything not signed becomes suspicious.
And this is where the world needs to go in telecom.
Signed traffic, we know where it came from.
Anything unsigned becomes suspicious.
If it's suspicious, it now should be more expensive.
It should be delivered more slowly.
It might be blocked.
And so going back to the question
that was submitted to you,
the person was asking,
what is the user experience of a person
who is maybe receiving a call
that might be an impersonator, an imposter?
And the answer is,
we don't know what that user experience
should look like yet,
but here's what we do know,
that the terminating handset
now has the ability to distinguish
between signed traffic and unsigned.
They can choose to block it.
They can choose to deliver it with a warning.
They can choose to just show the user,
this is a check mark and this one is not.
I mean, these are all user experience decisions
that the handset people can decide what they want to do.
But the beautiful thing is,
is now the terminating side
will be able to determine between signed and unsigned.
And it's the same thing with Tom Hanks.
If he starts to digitally sign,
and he's not the only one,
there's a bunch of them.
I mean, we have a startup dedicated
to this problem for celebrities.
And, but he will begin to digitally sign his content.
And now anything not signed by Tom Hanks
is immediately suspicious.
It's the same problem,
industry after industry, after industry.
I want some of that for myself as well,
because my stuff gets ripped off too.
So that's great.
Apologies, Stephan.
I'll start with you, Dropsy speaking.
I'm so fascinated about this
because we're talking about identity at the moment.
Of course, the LEI is identity for businesses,
but it goes further than that.
Let me give you just an outlook
of what's going to happen in the next few years
with 5G and 6G in particular.
This is all about devices talking with each other
on behalf of somebody else.
My car talks on behalf of me with the garage, right?
Where I want to have a repair or something like that.
So we need in the future at a much higher degree,
much higher degree, delegate authority to things.
And this technology is not just about people.
It's about things as well.
It's one integrated kind of approach,
a protocol based approach, by the way.
It's not a central platform or anything like that.
It's a protocol that can be used for exactly that.
Delegation of authority doesn't stop
with the CEO of a company.
It goes by far deeper into organizations
and their services.
I would tell-
I need to-
Okay, go ahead.
I'll let you.
I'll indulge you.
I'm desperate to get my questions out of it.
Go ahead, Randy.
Just a quick one on delegation going back to Telco
is that the model is still the same
because in Telco, you've got external marketing agencies
that launch campaigns on behalf of an enterprise.
So who's sending the message?
Okay.
Same thing with call centers, contact centers.
You've got Nike call centers in India, I'm sure.
And they're making inbound calls into the US.
It's Nike, but it's not Nike, right?
So Nike is delegating authority.
How do you express that?
And how do you present to the user that it's Nike?
Anyway, I just wanted to tie in delegation.
No, thank you.
I appreciate that.
I think I want to make one step back
because this relates to a lot of things
we've talked about previously on this show.
And I want to ask Stephan specifically about this.
We talk about technology sometimes
as if technology is the solution,
but crooks, criminals, bad actors,
they typically work around technology.
They don't break the technology.
They find some weakness elsewhere.
And so on this show, we've talked many times
about it's not good enough to have a signature
attached to something if the signature was used too loosely
that anybody could use the signature.
You don't solve the problem of impersonation fraud
if somebody who is impersonating somebody else
attaches a signature as if they're the originator,
the genuine article.
So Stephan, I want to come back to you.
I think this is a big, important point here
in terms of the relevance of this being a global solution
to impersonation fraud.
Stephan, my question for you is,
we know the confidence in know your customers controls
has been undermined by the rolling out of technology.
And then the know your customer controls
weren't strong enough.
So technology got used.
The indicators there, you can trust this,
but it shouldn't have been applied.
It's all about the work that's done to check
who the customer is, who the user is, who the origin is.
What is it about what you're doing
that gives that additional confidence
that the LEI will only be issued to the identity
that actually deserves the LEI?
And let me give you an example, Bitcoin.
Bitcoin is out there.
The genie is not going to go back into the bottle, right?
Everybody can use it, can buy it, can trade it.
In an anonymous fashion,
it's a nightmare for some central bankers, of course.
There was never, ever a reported case
where Bitcoin itself was compromised
due to the nature of the cryptographic algorithms
that are underneath Bitcoin.
What has been compromised were central platforms,
trading exchanges, these kinds of wallet providers,
these kinds of things.
So whenever you go into a centralized platform
with services to somebody else, it becomes dangerous.
And that's why we need to go to the protocol layer.
And this protocol must be,
someone talked about encryption and signing.
These kinds of mechanisms will protect all of us.
And if the technology is advanced enough,
and I hope that I can speak for what we're doing
with the protocol that we're using, KERI,
then it's even quantum proof.
And you can do rotations of keys
and all these kinds of things that are unthinkable today.
Timothy, you wanted to jump in.
Yes, very much so.
This cannot be solved with technology alone.
Digital signatures and verifiable credentials
are a garbage in, garbage out system.
If you don't know who signed something,
it doesn't do you any good, right?
You have to know who signed something.
And so how do you control?
If you're verifying something,
the digital signatures is not a complex technology.
It's been around for decades.
I mean, yes, it's advanced mathematically,
but the idea is very simple.
Someone signs this with a digital key,
called a private key.
Someone else verifies it with a public key.
The basic concept is,
if you know who signed it with the private key,
how do you know who really did that?
Because the mathematical operation
to verify with the public key is very straightforward.
It's been around for a long, long time.
So the breakthrough here is not frankly
a new breakthrough in cryptography.
This is old cryptography, old math.
The breakthrough here is really in policy.
And so Stephan, you buried the lead.
You buried the amazing thing in your answer
about GLEIF and the VLEI.
And that is the, it is the standard
through which the entity is vetted
and the controls that are there.
And this is a policy standpoint.
This is an administrative standpoint.
This is not the math or the technology yet.
This is, what are the administrative rules
that make sure that an LEI actually gets
to an entity that really is that entity?
That's the first part.
Then the second part,
if you're going to give a human being
a verifiable credential,
and you're gonna say, you really are the CEO.
You really do have this authority.
What process is anyone going through
to make sure it's really the CEO
before you give them that credential?
And this is really where GLEIF excels
because they have on the VLEI side,
which is the verifiable credential side,
they have what's called
an ecosystem governance framework
with very stringent rules
about what's an acceptable process
and what is not an acceptable process
to verify that a CEO really is a CEO
before you give them the credential.
And then the process of issuance of the credential
and how those signatures happen and are exchanged,
that is very carefully controlled.
It has to happen according
to a very carefully controlled ceremony.
Because remember, garbage in, garbage out.
If you don't control the issuance
to the CEO of the credential,
then the delegation from there is just as messy, right?
You have to control the issuance
to the very top level credentials of the organization.
And this, frankly, it's this combination
of policy and technology together.
You cannot have just a policy
that says something has to be done,
and you can't just have a technology sitting there.
It's the combination of policy and technology
that really is the beauty, I think,
of the whole VLEI system.
And then there's the law.
So the governance framework has very clear language on liabilities and the liabilities
can be enforced with the law. So you see, these are the three layers. You have the law,
you have the governance framework, and you have the technical implementation.
And that gives us a good feeling that we have addressed the question that you just raised.
And that's him and I've tried to answer. Let me actually write this back.
Let me follow up real quick, if I might, Randy. Sorry, if I may. Sorry. Thank you. No,
so quick follow-up for Stephan and Tim, just we were talking about. So
I wanted to ask the question, this one, I think is probably the wrong way to ask it,
but I'm just going to go. Can a person, or I'm thinking like a household or a customer,
you know, like if you're coming at it from where I usually come from, like a billing system or
CRM point of view, can that person be an organization with something like a VLEI
wherein, and so Stephan, you were talking about how you will delegate authority to devices and
applications that do things for you. So that what I'm trying to think forward here is that it's not
just the individual identity. We talk a lot about replacing the phone numbers and individual
identity. What you're talking about is this bigger structure. Like think about where we're going.
The digital identity we need to establish for you that we can communicate is actually more similar
to the organizations we're talking about, because it's not just you, it's you, your devices, apps
that do things for you, maybe your kids and other things that where you might control the permissions
of what authorities they have. Is that the way to think about this when we start
shifting this concept into more of like a personal type of use?

The short answer is yes to all, and
we're not doing anything else but mimicking what's around there for hundreds of years.
You know, look at what's on paper and the law and the governance around that. Now we want to do
things digitally, and then you need a digital equivalent of that, and that's what we're trying
to do with the VLEI. It's that simple.

Lee, if I can bring you in here, you've done some reviews
for countries where you've looked at this issue of risk in the digital domain, the online domain,
what's come up in terms of new technologies. Is this a potential game change compared to
some of the risks that you've been helping governments look at and solutions to them?

Yeah, I mean, it sounds very interesting. I mean, it has so many kind of use cases where you could
actually apply this technology, and I'm just thinking now it's like, you know, every kind of
banking transaction I do online, something like this could be applied to, right? So, you know,
and I think that that is a really good solution you have here, and it's a big issue. It's like,
as you're saying, Eric, is like, you know, we look at, you know, digital identities or identity of
people. It's one of the biggest risks, right, that we have online. So, yeah, I mean, it sounds
something really interesting you have here. I'll connect it to a very practical example,
if I could real quickly, which is the approval of text messaging campaigns right now
involves basically entering corporate or enterprise information in order to know that
that's a legitimate entity. But the problem is that that information is generally publicly available.
So, theoretically, anybody who gets that information can fill out an application form
with the correct information for a subway franchise, and what gets vetted? The subway
franchise, not that person. So then, if that is approved, this person, whoever filled out the
information, is given basically an entrance ticket to go start sending text messages. So,
there's no binding between the individual and the organization. You want to know that this person
coming to apply for a campaign for that organization has a binding, a delegation
of authority from that organization. They're authorized to get approval for that campaign.
And it goes back to what Timothy was saying about garbage in, garbage out,
because if you leave this door open at the very beginning, you're going to get garbage all the
way through. You could give a ticket to a complete imposter, and until they get caught,
they can do a lot of damage in a short amount of time. So, this delegation and this binding
and the end-to-end nature of it is the only way that we're going to secure networks and secure
people and their interests and allow people to make informed decisions about what's
coming to them digitally. It's very powerful.

May I add one thought to this? We're talking
about fraud and all of that, but that's just one side of the medal. The other side is,
think of the business opportunities of straight-through processing.
I mean, you can really revamp your entire relationship with others in a straight-through
world when you have verifiability. And that is the carrot in front of all of us, right?
To find the right use cases, to create the business cases, and to make simply money with it.

I want to add something to that. Eric, if you don't mind.
There's something technically beautiful here that I think is going to be a little bit
hard to believe by your audience, but it is absolutely characteristic of this technology.
And that is, with digital signatures, verifiable credentials, and the way the VLEI is implemented,
it is... Randy used the term earlier, but I want to make sure your audience knows this because
it's going to be a little bit hard to believe. It is end-verifiable, meaning that the signed
thing, a piece of data, could be a phone call, could be a message, could be a document, video,
whatever it is. The signed thing can traverse untrusted networks and mechanisms. It doesn't
matter how it gets from A to B, because when it finally gets to B, it is just as verifiable as
when it was originally signed at A. And it can hop, hop, hop, hop, hop. It doesn't matter.
It can go through completely untrusted means. It can go over the public internet. It does not matter
how it gets to B. The signature will still verify. And so, the implications here for
international traffic are really, really profound, whereas you have something like
STIR/SHAKEN for voice, which is very much a national solution. And it suffers, unfortunately,
from the garbage in, garbage out problem, because there is not a strong identity vetting. And so,
yes, there are things that are signed, but it is things that were not strongly vetted. So,
you have the garbage in, garbage out problem. So, when you have something that is international,
that can go hop, hop, hop, that is completely end-verifiable, with a strong vetting at the
beginning, so you know that quality got in there from the original signature, it has just profound
implications for telecom and, frankly, every other industry. That is why we are so excited
at our Venture Studio about this technology. Let me give you some feedback. Sorry, go ahead, Eric.
I got to jump in here, because I'm not getting the chance to read out any of these questions
from the audience. We are getting some great information, but I want to share some of the
comments that are coming through. Anonymous person wants to thank you in particular, Randy,
for your insights into NMS, SMS. They say that you forgot more about SMS than 99% of SMS experts
know, so take the compliment there. Dan says, and I think this is probably a question for you,
Stephan, but I'll read out another question as well afterwards. Dan asks the question,
do all banks currently have LEIs worldwide, or is it in process, the rolling out of LEIs to all
banks? And riffing on what you've just said there, Timothy, an anonymous question, does this replace
technologies like STIR/SHAKEN, which are currently being rolled out on the national level? So maybe,
Stephan, you take your question first. The LEI system globally covers roughly 90%
market capitalization, so all the big shops and their subsidiaries have LEIs around the world.
It's also used in sanctioned regimes, these kinds of things, so it's rather broad. The
opportunity to grow is in the SME space. Okay, thank you for that. And Timothy,
do you want to take this as you were talking about this? Is this anonymous commenter basically
right in saying, this is the death knell for some of the other things the telecoms industry
is currently doing? This will replace, make it relevant. I've got a question for Randy.
Go, Randy. Okay, Randy, sorry. It's not rip and replace, actually. The big problem with
STIR/SHAKEN in particular that you mentioned is you're not getting a high-quality attestation.
There's no strong guarantee or strong assurance that you're going to get a high-quality
attestation, and that's because you have a gap. You have a gap between the enterprises who are
actually originating the traffic or through their delegated contact centers, and it's finally
reaching the service provider who's going to put it on the network, and now they're trying to make
a decision, hmm, how should I label this call? And they're not basing it on anything verifiable
that came from the originator. So it fills the gap, and it will strengthen the STIR/SHAKEN
attestations, which mean that STIR/SHAKEN will work better. Is that right? I'm going to challenge
you on this point, because STIR/SHAKEN is not just technology, it's the governance, and surely you
render the governance of STIR/SHAKEN irrelevant. I'm not sure I did. I mean, the problem with
STIR/SHAKEN is that it's not really cross-jurisdictional, right? And so what might work in the framework of
the U.S. doesn't necessarily apply to other countries or international calls. It also
doesn't have a high enough standard for the originally signed attestation, right? There's
no consistent standard for how you give an A or a B or whatever, and it suffers from the garbage
in, garbage out problem. And then the additional point, which again is what drew me to GLEIF and
the LEI from the beginning, is that right now, let's just say that the cryptographic verification
comes from certificate authorities, which vary in quality, vary in level of security, and vary in
their ability to be recognized across borders and jurisdictions. And by moving up to GLEIF as a root
of trust formed by the G20 and governed by the Financial Stability Board, we're actually dealing
with an internationally recognized source of truth for it. But is that not therefore
replacing the governance? Because you now have a completely new foundation for governance compared
to, as you've said, as we've described, these national piecemeal solutions that are focused on
particular forms of communication, like say voice. You've got now a truly global structure
that doesn't rely upon any national authority, any governance authority of a particular country.
It can work from one source to one recipient, irrespective of where they are in
the world, so long as the LEI has been issued and so long as the technology is in place for the
recipient to verify the LEI. Exactly. I mean the implementation could vary from country to country
but as long as you are starting with that source of truth and the cryptographic strength and the
end verifiability it will work anywhere. And there's something critical to add about the
standard here in the open source nature. This kind of thing could be possible
in a proprietary way and let me just explain how that might look. Some proprietary company may say
if everybody in the world uses my service I will vouch for who's calling and I will help you verify
you can ping my services and it's totally proprietary and I'll do it but the one
condition is everybody in the world has to use me. That's what a proprietary or platform-based
solution would be. But what we're talking about here is actually uses open source and open source
technology and open standards that anybody can use so it's not dependent on any one person's
platform. So you could have the originator that's signing a communication in one country using one
provider or maybe even building it themselves that they want to use in the open source technology
and someone somewhere else who receives it or even different players along the path that each
hop could verify their piece. They can endorse, they can sign further, they can notarize, they can
add more signatures and any actors anywhere downstream can verify that communication
without using the same provider as the signer because it's a protocol not a platform.
And we should not forget that telephone calls today are not done anymore on landlines and
big telephones. We use smartphones and the integration on the smartphone
you know and the ecosystems that they come with is another challenge that we have to address.
I think you're going to succeed guys. Let's put it that way. We've run out of time for the
interview but it's just a shame because I'm sure we could go on and on and on and I don't have time
for all the comments from the audience. So apologies to the viewers who didn't get their
question read out but I'm sold. I just want one of these LEIs myself. I just need to get one of
these myself and I'm totally convinced that you will succeed. The question is just at what rate
it gets adopted or what speed at which it gets adopted but the sheer global nature of what
you're offering, the very fact it can be applied universally and universally in the sense of
across modes of communication as well as universally as across the planet. I think I
can't see a reason why we wouldn't want to support and adopt the approach that you are advocating
and I look forward to having you guys hopefully back on a future episode to give the viewers an
update with progress because I think that's the only real question mark is how quickly will it
be adopted? What do I need to do to adopt it? People likely asking themselves does my telco
need to do something now in terms of that so that's really the only question I think.
The critical question about that is telecom is notoriously slow unless they've got regulators
forcing them to move more quickly and so I think the key point is can telco move quickly enough to
stay ahead of the regulators otherwise it won't be it'll be the regulator's choice. The beauty of
what we're doing I think is that it comes from a regulatory environment. It fits the regulator's
interest so I think we have a good match but let's move fast and let's not let the regulators
make their decisions about what telco knows best. We can't afford to waste time looking at the scale
of the problems that we face. The very fact you mentioned say it's irrelevant to something I
didn't even see the connection myself before we did the show in terms of this technology being
connected to something like an IMSI catcher. It can be applied as Stephan's pointed out across so
many different use cases, so many different requirements can be fulfilled. It addresses
so many problems. I can only say I wish we had more time to talk about it guys.
Thank you so much all three of you for joining me on the show. Stephan Wolf, Randy Warshaw,
Timothy Ruff, it's been a pleasure to have you on today's show and we look forward to having you
back in future. Thank you so much for having us for joining us today. Phew that is all we have time
for today. Thank you audience for watching. I know it's fantastic and thank you all those questions
that were submitted. Again apologies didn't have time to read them all out. Tune in next Wednesday
October 11th and we will be bringing back two of our favorite guests from previous shows.
Kenyan telecoms consultant Joseph Nderitu and Nixon Wampamba currently at MTN Nigeria.
They'll be chatting about the recent denial of service attacks launched by the hacker group
Anonymous Sudan against networks in Kenya, Nigeria and various other countries and about the broader
risks as ordinary people place more reliance on networks to do simple everyday tasks like paying
their bus fare, doing their grocery shopping, obtaining credit and interacting with the
government and vital services. You'll be able to put your questions to Nixon and Joseph if you
join us for the October 11th live stream beginning at 11 a.m. US East, 4 p.m. UK and Nigeria, 6 p.m. in Kenya,
8:30 p.m. in India. If you visit tv.commsrisk.com and click on the relevant link you can save the
next show to your diary or subscribe to have all shows saved to your diary in the right time zone
for you. Thanks again to today's guests Stephan Wolf, CEO of the Global Legal Entity Identifier
Foundation, Timothy Ruff, General Partner at Digital Trust Ventures, and Randy Warshaw, CEO of
Provenant. Thanks as always to my co-presenters Ed Finegold and Lee Scargall, and to the hard-working
producer of today's show James Greenley. It wouldn't be possible to do the show without him.
I'm Eric Priezkalns and this has been episode seven of the second season of the Communications
Risk Show. Recordings of all our previous episodes can be found at tv.commsrisk.com. Visit our main site
at commsrisk.com for news and opinion about communications risks worldwide and if you've
not downloaded them already go to the Risk and Assurance Group website at riskandassurancegroup.org
for the most extensive catalogs of frauds and leakages in the industry.
Thanks for watching we'll see you next Wednesday.