WEBVTT

00:00:00.000 --> 00:00:03.379
All right. Let's unpack this today. You know

00:00:03.379 --> 00:00:05.839
that that weird feeling when you get a text from

00:00:05.839 --> 00:00:07.900
a number you don't recognize? Oh, yeah, the generic

00:00:07.900 --> 00:00:09.980
ones. Right. Exactly. It says something super

00:00:09.980 --> 00:00:12.699
generic like, hey, it's me. I lost my phone.

00:00:13.000 --> 00:00:16.879
And for a split second, your brain does this

00:00:16.879 --> 00:00:19.199
this little calculation like, is this my mom?

00:00:19.339 --> 00:00:22.199
Is this, you know, a buddy from college or is

00:00:22.199 --> 00:00:24.039
this a scammer sitting in a basement halfway

00:00:24.039 --> 00:00:27.059
across the world? It's that "is this real" calculation.

00:00:27.059 --> 00:00:32.130
And I mean, we are doing it dozens, maybe hundreds

00:00:32.130 --> 00:00:34.689
of times a day now. Exactly. And that split second

00:00:34.689 --> 00:00:37.570
of hesitation, that is the sound of trust breaking.

00:00:37.710 --> 00:00:40.030
Because we are living in a moment where the line

00:00:40.030 --> 00:00:42.570
between human and machine isn't just blurring,

00:00:42.810 --> 00:00:46.189
it's actively dissolving. We're seeing CEOs in

00:00:46.189 --> 00:00:49.210
videos saying things they never said. We're hearing

00:00:49.210 --> 00:00:51.350
voices of family members that are actually AI

00:00:51.350 --> 00:00:53.710
clones. It really just feels overwhelming. It

00:00:53.710 --> 00:00:56.090
feels overwhelming because the tools we use to

00:00:56.090 --> 00:00:59.130
navigate the world, our eyes, our ears, our gut

00:00:59.130 --> 00:01:02.259
instincts, they are suddenly totally unreliable.

00:01:02.479 --> 00:01:04.640
We are operating in this digital environment

00:01:04.640 --> 00:01:08.019
that has zero native way to verify who or what

00:01:08.019 --> 00:01:09.540
is on the other end of the connection. We're

00:01:09.540 --> 00:01:12.560
just flying blind. So today's deep dive is really

00:01:12.560 --> 00:01:15.189
about fixing that. We're unpacking a presentation

00:01:15.189 --> 00:01:17.510
by Daniela Barbosa from the Linux Foundation.

00:01:18.109 --> 00:01:20.390
And usually, when we talk about AI and security,

00:01:20.549 --> 00:01:22.670
it's all doom and gloom. Yeah, the robots are

00:01:22.670 --> 00:01:24.790
coming. Run for the hills. Run for the hills,

00:01:24.890 --> 00:01:27.730
exactly. But this source is different. This is

00:01:27.730 --> 00:01:30.629
about the architectures of trust, like the actual

00:01:30.629 --> 00:01:32.930
blueprints being drawn up right now to rebuild

00:01:32.930 --> 00:01:35.129
the internet's foundation. And it's a massive

00:01:35.129 --> 00:01:38.609
topic. But I love how Barbosa grounds it immediately

00:01:38.609 --> 00:01:41.150
with an analogy that I think we need to start

00:01:41.150 --> 00:01:43.030
with this because it reframes the whole problem.

00:01:43.049 --> 00:01:45.150
She talks about driving on a highway. Oh, the

00:01:45.150 --> 00:01:47.709
car analogy. Let's visualize this for everyone

00:01:47.709 --> 00:01:50.370
listening. Say I'm doing 70 miles an hour on

00:01:50.370 --> 00:01:54.390
the freeway. There is a two-ton metal box three

00:01:54.390 --> 00:01:57.510
feet to my left. I don't know the driver at all.

00:01:57.670 --> 00:01:59.230
No idea who they are. I don't know if they're

00:01:59.230 --> 00:02:02.670
angry or tired, drunk, texting. But I don't swerve

00:02:02.670 --> 00:02:04.750
off the road in a panic every time a car passes

00:02:04.750 --> 00:02:07.719
me. Why is that? Because of infrastructure. You

00:02:07.719 --> 00:02:10.939
aren't trusting the person inside that car. You're

00:02:10.939 --> 00:02:13.240
trusting the system that put them there. You

00:02:13.240 --> 00:02:15.479
trust that they had to pass a test to get a license.

00:02:15.819 --> 00:02:17.939
You trust the car had to be registered, had to

00:02:17.939 --> 00:02:20.500
pass safety inspections. You trust the painted

00:02:20.500 --> 00:02:24.300
lines on the road and the threat of traffic enforcement

00:02:24.300 --> 00:02:27.879
if they cross those lines. There is this layered

00:02:27.879 --> 00:02:31.560
architecture of rules and credentials that makes

00:02:31.560 --> 00:02:34.819
the chaos manageable. And her entire point is

00:02:34.819 --> 00:02:36.919
that the internet just doesn't have that. Not

00:02:36.919 --> 00:02:39.379
at all. I mean, the internet was built on the

00:02:39.379 --> 00:02:42.300
principle of move fast and break things. It was

00:02:42.300 --> 00:02:44.919
designed for connectivity, not security. It's

00:02:44.919 --> 00:02:47.919
like a highway with no lanes, no licenses, no

00:02:47.919 --> 00:02:49.960
speed limits, and everyone was wearing a mask

00:02:49.960 --> 00:02:52.439
so you can't even see who they are. And for a

00:02:52.439 --> 00:02:54.300
long time, we just patched over that with passwords

00:02:54.300 --> 00:02:57.139
and databases. Which brings us to the first really

00:02:57.139 --> 00:02:59.629
major insight from the source material. We got

00:02:59.629 --> 00:03:01.569
to talk about why the old way, the password way,

00:03:01.870 --> 00:03:05.969
the database way, why it's failing so spectacularly.

00:03:06.210 --> 00:03:08.669
Barbosa dropped a stat that honestly made my

00:03:08.669 --> 00:03:10.629
jaw hit the floor. Oh, you're talking about the

00:03:10.629 --> 00:03:14.460
2024 health data breach statistic. Yeah. 275

00:03:14.460 --> 00:03:17.259
million people. It is staggering. In just one

00:03:17.259 --> 00:03:22.080
single year approximately 275 million individuals

00:03:22.080 --> 00:03:24.740
had their protected health information compromised.

00:03:24.900 --> 00:03:28.819
Wow. That averages out to about 750,000 records

00:03:28.819 --> 00:03:31.650
stolen every single day. That's effectively the

00:03:31.650 --> 00:03:33.789
entire adult population of the United States,

00:03:33.870 --> 00:03:35.810
give or take. But let's go a bit deeper than

00:03:35.810 --> 00:03:38.310
the number. Why is this happening now? Is it

00:03:38.310 --> 00:03:40.490
just that hackers are getting smarter? Hackers

00:03:40.490 --> 00:03:42.909
are getting smarter, yes. But the architecture

00:03:42.909 --> 00:03:45.530
itself is practically hitting them. We currently

00:03:45.530 --> 00:03:48.849
store data in centralized databases, these massive

00:03:48.849 --> 00:03:52.349
servers held by hospitals, banks, social media

00:03:52.349 --> 00:03:55.370
companies. In security terms, we call these honeypots.

00:03:55.550 --> 00:03:57.569
Honeypots. I actually really like that image.

00:03:57.689 --> 00:04:00.560
It's perfect because it explains the whole If

00:04:00.560 --> 00:04:03.259
you're a hacker, why would you try to rob 1,000

00:04:03.259 --> 00:04:05.259
individual houses to get a little bit of cash

00:04:05.259 --> 00:04:07.680
when you can just rob one bank vault and get

00:04:07.680 --> 00:04:09.560
everyone's gold at once? Right. It's a single

00:04:09.560 --> 00:04:12.080
point of failure. Exactly. Centralized databases

00:04:12.080 --> 00:04:14.939
are sitting ducks. And we, meaning the users,

00:04:15.139 --> 00:04:17.839
we aren't exactly helping, are we? I felt personally

00:04:17.839 --> 00:04:20.399
attacked by that password stat she cited. The

00:04:20.399 --> 00:04:23.819
Forbes report. Yes. She said 78% of people use

00:04:23.819 --> 00:04:26.980
the same password across multiple accounts. And

00:04:26.980 --> 00:04:29.180
look, I am completely guilty. I have like 100

00:04:29.180 --> 00:04:31.779
accounts. I can't remember 100 complex codes.

00:04:32.100 --> 00:04:34.360
So I use variations of the same thing. And that

00:04:34.360 --> 00:04:37.160
is the human error friction point. But here is

00:04:37.160 --> 00:04:39.860
the new variable that changes everything, AI.

00:04:40.459 --> 00:04:42.860
Barbosa describes AI as a threat multiplier.

00:04:43.420 --> 00:04:46.139
In the past, hacking a password took time. You

00:04:46.139 --> 00:04:48.319
had to type it in, guess it, brute force it.

00:04:48.720 --> 00:04:51.779
Now, AI can guess passwords at lightning speed.

00:04:52.240 --> 00:04:55.019
But even worse, it can bypass the human verification

00:04:55.019 --> 00:04:57.180
layer entirely. This is the deepfake issue.

00:04:57.319 --> 00:05:00.100
Correct. If I call your bank and I sound exactly

00:05:00.100 --> 00:05:01.899
like you because I've cloned your voice from

00:05:01.899 --> 00:05:04.279
the three-second video you posted online, the

00:05:04.279 --> 00:05:06.500
bank teller's trust radar is totally useless.

00:05:06.639 --> 00:05:08.920
Because they think it's me. Right. The old system

00:05:08.920 --> 00:05:11.240
relied on something you know, like a password,

00:05:11.800 --> 00:05:15.040
or something you are, like your voice. AI can

00:05:15.040 --> 00:05:18.319
now fake both of those things effortlessly. If

00:05:18.319 --> 00:05:21.000
we can't trust our eyes and we can't trust the

00:05:21.000 --> 00:05:23.899
centralized databases, we clearly need a completely

00:05:23.899 --> 00:05:26.639
new model. And this is where the deep dive gets

00:05:26.639 --> 00:05:29.399
really sci-fi, but in a highly practical way.

00:05:29.879 --> 00:05:32.399
Barbosa uses the example of autonomous cars,

00:05:32.639 --> 00:05:35.040
specifically those Waymo taxis in San Francisco,

00:05:35.120 --> 00:05:37.839
to explain how trust actually should work. This

00:05:37.839 --> 00:05:40.139
is such a brilliant visualization of machine

00:05:40.139 --> 00:05:42.740
to machine trust. Picture an intersection in

00:05:42.740 --> 00:05:45.699
San Francisco. It's foggy. There are no stop

00:05:45.699 --> 00:05:48.889
signs, no traffic lights. Just two robot cars

00:05:48.889 --> 00:05:50.829
approaching each other at speed. It's a digital

00:05:50.829 --> 00:05:53.829
game of chicken. In a way, yeah. But think about

00:05:53.829 --> 00:05:56.410
the constraints here. They can't hesitate. They

00:05:56.410 --> 00:05:58.389
can't roll down the window and wave the other

00:05:58.389 --> 00:06:00.490
guy through. They can't make eye contact. Right.

00:06:00.490 --> 00:06:03.470
No human cues at all. None. In milliseconds,

00:06:03.730 --> 00:06:06.550
car A has to tell car B, I am a certified Waymo

00:06:06.550 --> 00:06:09.269
vehicle. My software is up to date. I am traveling

00:06:09.269 --> 00:06:11.230
at 30 miles per hour. I intend to turn left.

00:06:11.410 --> 00:06:13.930
And car B has to believe it instantly. Instantly.

00:06:14.209 --> 00:06:17.720
Because if car A is lying, If it's actually a

00:06:17.720 --> 00:06:20.060
hacked car trying to cause a crash or it's a

00:06:20.060 --> 00:06:23.560
malfunctioned peaceful, people die. So they don't

00:06:23.560 --> 00:06:25.759
rely on looking at each other. They exchange

00:06:25.759 --> 00:06:28.579
cryptographic proofs. They verify credentials

00:06:28.579 --> 00:06:31.120
mathematically. And this all happens faster than

00:06:31.120 --> 00:06:34.170
a human could ever blink. Much faster. And this

00:06:34.170 --> 00:06:36.250
right here is the North Star for the new internet.

00:06:36.629 --> 00:06:39.089
We need to treat every interaction, logging into

00:06:39.089 --> 00:06:41.850
email, buying shoes, reading the news, with that

00:06:41.850 --> 00:06:43.810
exact same level of cryptographic certainty.

00:06:43.930 --> 00:06:45.649
So moving away from just taking someone's word

00:06:45.649 --> 00:06:48.050
for it. Exactly. We need to move from, trust

00:06:48.050 --> 00:06:51.129
me, I'm a doctor, to... Here is a mathematically

00:06:51.129 --> 00:06:54.149
unforgeable token proving I am a doctor. OK,

00:06:54.189 --> 00:06:56.329
so let's get into the toolkit here. How do we

00:06:56.329 --> 00:06:58.470
actually build this? The presentation threw around

00:06:58.470 --> 00:07:00.850
some acronyms that we really need to decode for

00:07:00.850 --> 00:07:03.670
everyone listening. DIDs and VCs. Let's start

00:07:03.670 --> 00:07:06.629
with a DID. OK, so DID stands for decentralized

00:07:06.629 --> 00:07:09.170
identifier. Think of it as a permanent digital

00:07:09.170 --> 00:07:11.269
name tag that you completely control. How is

00:07:11.269 --> 00:07:13.629
that different from my email address, like hostname

00:07:13.629 --> 00:07:16.550
at gmail.com? Your email address is rented.

00:07:17.069 --> 00:07:19.759
It belongs to Google. If Google decides they

00:07:19.759 --> 00:07:21.980
don't like you tomorrow, or if they shut down

00:07:21.980 --> 00:07:25.220
the service, your identity just vanishes. You

00:07:25.220 --> 00:07:27.920
are essentially a digital serf living on their

00:07:27.920 --> 00:07:32.060
land. The DID is entirely different. It's anchored

00:07:32.060 --> 00:07:34.379
on a decentralized network, like a blockchain

00:07:34.379 --> 00:07:36.980
or a distributed ledger. No company controls

00:07:36.980 --> 00:07:39.060
it. It's yours. So it's like owning your own

00:07:39.060 --> 00:07:41.629
house instead of renting an apartment. The landlord

00:07:41.629 --> 00:07:43.810
can't just kick you out. Yeah, exactly. You hold

00:07:43.810 --> 00:07:46.870
the keys. Okay, so I have the name tag, I have

00:07:46.870 --> 00:07:49.670
the house, but a name tag doesn't really prove

00:07:49.670 --> 00:07:52.649
anything. I can write astronaut on a name tag,

00:07:52.750 --> 00:07:54.310
but that doesn't let me fly the space shuttle.

00:07:54.449 --> 00:07:56.850
I need actual proof. Right. And that is where

00:07:56.850 --> 00:07:59.990
the VCs come in. Verifiable Credentials. These

00:07:59.990 --> 00:08:02.410
are the digital equivalents of the plastic cards

00:08:02.410 --> 00:08:04.829
in your physical wallet. Your driver's license,

00:08:04.990 --> 00:08:07.470
your university diploma, your Costco membership,

00:08:07.689 --> 00:08:10.970
your gym pass. But digitized. Digitized. But

00:08:10.970 --> 00:08:13.310
strictly better than digitized. See, right now,

00:08:13.329 --> 00:08:14.850
if you take a photo of your driver's license

00:08:14.850 --> 00:08:16.709
and email it to someone to prove who you are,

00:08:16.970 --> 00:08:19.050
that's just a dumb image. Right. It can be faked.

00:08:19.199 --> 00:08:22.040
It can be photoshopped. It can be intercepted.

00:08:22.319 --> 00:08:25.800
A verifiable credential is a piece of code signed

00:08:25.800 --> 00:08:30.620
by the issuer. So the DMV cryptographically signs

00:08:30.620 --> 00:08:33.539
your digital license and you store that in a

00:08:33.539 --> 00:08:35.480
digital wallet on your phone. And this leads

00:08:35.480 --> 00:08:37.419
to my absolute favorite part of the presentation

00:08:37.419 --> 00:08:39.299
because it solves a problem I think we've all

00:08:39.299 --> 00:08:42.139
had, the student discount problem. This really

00:08:42.139 --> 00:08:44.019
clicked for me when she explained it. It's the

00:08:44.019 --> 00:08:46.519
perfect example of what the industry calls selective

00:08:46.519 --> 00:08:49.559
disclosure. Walk us through it. Okay, so in the

00:08:49.559 --> 00:08:51.799
old world, the way we do it right now, say you

00:08:51.799 --> 00:08:54.559
want a discount on some software. The site asks

00:08:54.559 --> 00:08:56.600
for proof you're a student. You upload a picture

00:08:56.600 --> 00:08:58.820
of your student ID card. What did you just give

00:08:58.820 --> 00:09:00.740
them? Well, I gave them everything on the card,

00:09:00.940 --> 00:09:03.600
my full name, my student ID number, my campus

00:09:03.600 --> 00:09:06.100
address, the expiration date, and probably my

00:09:06.100 --> 00:09:08.600
date of birth. Now ask yourself, does the software

00:09:08.600 --> 00:09:11.120
company actually need to know your birthday to

00:09:11.120 --> 00:09:14.120
give you 10% off? Do they need your campus address?

00:09:14.379 --> 00:09:16.860
No. They just need to know, is this person a

00:09:16.860 --> 00:09:20.399
student? Precisely. In the new world, using verifiable

00:09:20.399 --> 00:09:23.379
credentials, your digital wallet talks to their

00:09:23.379 --> 00:09:26.279
site. The site asks, are you a student? Your

00:09:26.279 --> 00:09:29.059
wallet checks your credential, sees the university's

00:09:29.059 --> 00:09:31.600
signature, and sends back what we call a

00:09:31.600 --> 00:09:34.279
zero-knowledge proof. It essentially says yes. Just

00:09:34.279 --> 00:09:37.799
yes, nothing else. Just yes. It proves the statement

00:09:37.799 --> 00:09:40.440
is true without revealing the underlying data.

00:09:40.659 --> 00:09:43.059
The vendor knows you're a student, but they don't

00:09:43.059 --> 00:09:46.059
know your name, your age, or your address. You

00:09:46.059 --> 00:09:48.559
get the discount. They get the assurance, and

00:09:48.559 --> 00:09:50.919
nobody gets to hoard your private data. That

00:09:50.919 --> 00:09:53.440
is a massive shift. We go from data hoarding,

00:09:53.620 --> 00:09:55.580
where companies collect everything just in case,

00:09:55.919 --> 00:09:58.500
to actual data minimization. And think about

00:09:58.500 --> 00:10:00.960
the security implication here. If that software

00:10:00.960 --> 00:10:03.679
company gets hacked next week, what do the hackers

00:10:03.679 --> 00:10:06.320
steal about you? Nothing. Just a log saying this

00:10:06.320 --> 00:10:08.720
user was verified. Exactly. The honeypot is empty.

00:10:09.120 --> 00:10:11.500
There was nothing to steal. Now, I can hear the

00:10:11.500 --> 00:10:13.779
skeptics listening right now thinking, you know,

00:10:13.779 --> 00:10:16.539
this sounds great in theory. But is anyone actually

00:10:16.539 --> 00:10:18.759
doing this? It sounds like some futuristic concept.

00:10:19.139 --> 00:10:21.360
And that is where the Bhutan case study comes

00:10:21.360 --> 00:10:23.860
in. This isn't just a pilot program in a lab

00:10:23.860 --> 00:10:26.120
somewhere, is it? No, this is actual national

00:10:26.120 --> 00:10:30.070
policy. In October 2023, the Kingdom of Bhutan

00:10:30.070 --> 00:10:32.929
launched the National Digital Identity Wallet,

00:10:33.230 --> 00:10:36.029
or NDI. Why Bhutan? Smaller nations can often

00:10:36.029 --> 00:10:38.710
pivot a lot faster on infrastructure. They looked

00:10:38.710 --> 00:10:41.330
at the landscape and decided to basically skip

00:10:41.330 --> 00:10:44.029
the centralized database phase entirely and go

00:10:44.029 --> 00:10:46.070
straight to self-sovereign identity. So how

00:10:46.070 --> 00:10:48.210
does it actually work for the average citizen

00:10:48.210 --> 00:10:50.370
in Bhutan right now? They download the wallet

00:10:50.370 --> 00:10:52.990
app, they secure it with biometric, so a face

00:10:52.990 --> 00:10:56.059
scan or a fingerprint, and once they're in, the

00:10:56.059 --> 00:10:57.940
government issues their credentials directly

00:10:57.940 --> 00:11:01.500
to that phone, their tax ID, their national status,

00:11:02.039 --> 00:11:04.519
banking details. So the data physically lives

00:11:04.519 --> 00:11:06.700
on the phone? That's the key. It's at the edge

00:11:06.700 --> 00:11:09.440
of the network, not in the center. If a citizen

00:11:09.440 --> 00:11:12.019
needs to prove to a bank that they are tax compliant,

00:11:12.460 --> 00:11:14.860
they beam that specific credential from their

00:11:14.860 --> 00:11:17.659
phone to the bank. The bank verifies the government's

00:11:17.659 --> 00:11:20.120
digital signature and the transaction is done.

00:11:21.039 --> 00:11:23.740
No central database was pinged and no physical

00:11:23.740 --> 00:11:26.259
papers were handed over. It's flipping the whole

00:11:26.259 --> 00:11:28.259
model upside down. Instead of the government

00:11:28.259 --> 00:11:31.159
holding my data and me asking permission to see

00:11:31.159 --> 00:11:34.100
it, I hold my data and I grant permission for

00:11:34.100 --> 00:11:36.480
them to see it. It is a fundamental shift in

00:11:36.480 --> 00:11:39.740
power dynamics. And frankly, it's the only way

00:11:39.740 --> 00:11:43.019
to secure data in an AI world. You can't breach

00:11:43.930 --> 00:11:47.450
275 million records if they are stored on 275

00:11:47.450 --> 00:11:50.110
million separate devices protected by biometrics.

00:11:50.110 --> 00:11:52.269
Because you'd have to, you'd have to hack 275

00:11:52.269 --> 00:11:54.350
million individual phones. Right. Economically

00:11:54.350 --> 00:11:56.830
impossible for hackers. Okay, so we've solved, or

00:11:56.830 --> 00:11:59.070
at least we have a really good blueprint for

00:11:59.070 --> 00:12:02.029
identity, proving who I am. But we still have the

00:12:02.029 --> 00:12:05.529
other side of the AI coin: deepfakes. Content.

00:12:05.990 --> 00:12:08.450
Because if I see a photo of a war zone or a video

00:12:08.450 --> 00:12:10.950
of a politician accepting a bribe, how do I know

00:12:10.950 --> 00:12:12.970
that is real? A digital wallet doesn't really

00:12:12.970 --> 00:12:14.490
help me there. Right. And this is the second

00:12:14.490 --> 00:12:16.370
pillar of the architecture, content provenance.

00:12:16.789 --> 00:12:19.350
We are moving from identifying people to identifying

00:12:19.350 --> 00:12:22.269
the history of media itself. Barbosa highlighted

00:12:22.269 --> 00:12:25.610
the C2PA standard. The Coalition for Content

00:12:25.610 --> 00:12:29.039
Provenance and Authenticity. Which is a bit of

00:12:29.039 --> 00:12:31.659
a mouthful. It is, but the tech is completely

00:12:31.659 --> 00:12:34.399
revolutionary. The best example she gave was

00:12:34.399 --> 00:12:37.720
the Leica camera, specifically the Leica SL3S.

00:12:37.820 --> 00:12:40.200
She said it has authenticity built in. What does

00:12:40.200 --> 00:12:42.200
that actually mean? Is it just like a digital

00:12:42.200 --> 00:12:44.639
watermark? No, watermarks are easily cropped

00:12:44.639 --> 00:12:47.259
out or faked. This happens at the hardware level.

00:12:47.919 --> 00:12:50.600
Inside the camera, there's a secure cryptographic

00:12:50.600 --> 00:12:53.120
chip. As soon as light hits the sensor and the

00:12:53.120 --> 00:12:55.919
image is captured, the camera cryptographically

00:12:55.919 --> 00:12:58.860
signs the file. Almost like a digital wax seal.

00:12:59.200 --> 00:13:01.519
Exactly like that. It stamps the file with metadata.

00:13:01.960 --> 00:13:04.899
Who took it, when, where, using GPS, and with

00:13:04.899 --> 00:13:07.159
what specific camera model. And if you take that

00:13:07.159 --> 00:13:09.759
file and open it in Photoshop to, say, add a

00:13:09.759 --> 00:13:11.940
tank or remove a person, the seal breaks. Well,

00:13:11.960 --> 00:13:13.720
it doesn't just break though, right? It updates.

00:13:13.860 --> 00:13:15.120
Right. That's a really important distinction.

00:13:15.240 --> 00:13:17.299
It creates a manifest. If you edit the photo,

00:13:17.559 --> 00:13:19.960
the file history will say, original taken by

00:13:19.960 --> 00:13:23.080
Leica at 2 p.m., edited in Adobe Photoshop at

00:13:23.080 --> 00:13:25.779
4 p.m. So as a viewer, I could theoretically

00:13:25.779 --> 00:13:28.399
click a little info icon on the image and see

00:13:28.399 --> 00:13:31.679
that entire journey. That's the vision. Imagine

00:13:31.679 --> 00:13:34.740
scrolling through your news feed. You see a shocking

00:13:34.740 --> 00:13:37.500
photo from a conflict zone. You hover over it.

00:13:37.700 --> 00:13:40.240
If it has the C2PA credentials, you can see the

00:13:40.240 --> 00:13:42.539
chain of custody from the photojournalist's camera

00:13:42.539 --> 00:13:45.519
to your screen. And if it doesn't have it, you

00:13:45.519 --> 00:13:47.879
should be extremely skeptical. It's like an ingredients

00:13:47.879 --> 00:13:50.200
label for digital content. We know what's in

00:13:50.200 --> 00:13:52.419
our food. We absolutely should know what's in

00:13:52.419 --> 00:13:55.559
our news. And it extends to AI too. She briefly

00:13:55.559 --> 00:13:58.799
mentioned the Hedera AI Studio. If an AI generates

00:13:58.799 --> 00:14:01.700
an image or even makes a decision on a loan application,

00:14:02.299 --> 00:14:05.100
we need an audit trail. We need a public ledger

00:14:05.100 --> 00:14:07.720
that permanently timestamps it so we know, this

00:14:07.720 --> 00:14:10.490
was made by a machine. Transparency really seems

00:14:10.490 --> 00:14:12.470
to be the recurring theme here, but there is

00:14:12.470 --> 00:14:14.929
a snag. And Barbosa was very honest about this

00:14:14.929 --> 00:14:17.710
in her presentation. The world is a massive place.

00:14:17.889 --> 00:14:19.950
There are hundreds of countries, thousands of

00:14:19.950 --> 00:14:22.409
companies. If Bhutan has one wallet system and

00:14:22.409 --> 00:14:24.730
the EU has another, and Google builds a third,

00:14:24.909 --> 00:14:27.269
do they actually talk to each other? The interoperability

00:14:27.269 --> 00:14:30.669
challenge, yes. This is by far the biggest hurdle.

00:14:30.870 --> 00:14:33.190
If my digital driver's license only works in

00:14:33.190 --> 00:14:36.509
my home state, it's useless for travel. We cannot

00:14:36.509 --> 00:14:39.190
afford to have these walled gardens of trust

00:14:39.190 --> 00:14:42.070
where your identity gets stuck inside one corporate

00:14:42.070 --> 00:14:44.429
or government ecosystem. So what's the fix? She

00:14:44.429 --> 00:14:46.490
used an analogy I use every day but never really

00:14:46.490 --> 00:14:49.529
think about? Email? The SMTP analogy. Think about

00:14:49.529 --> 00:14:51.450
it. You can be on Gmail. I can be on Outlook.

00:14:51.769 --> 00:14:53.769
Someone else can be on a corporate Yahoo server.

00:14:53.830 --> 00:14:55.909
We can all email each other perfectly seamlessly.

00:14:56.190 --> 00:14:58.250
We don't need to be on the same platform to communicate.

00:14:58.409 --> 00:15:00.590
Because there is a shared underlying language.

00:15:00.769 --> 00:15:04.730
A protocol. SMTP. Or Simple Mail Transfer Protocol.

00:15:04.919 --> 00:15:07.919
Barbosa argues we desperately need an SMTP for

00:15:07.919 --> 00:15:10.240
trust. She calls it the Trust Spanning Protocol,

00:15:10.419 --> 00:15:13.440
or TSP. She gave a really heavy emotional example

00:15:13.440 --> 00:15:15.659
of why this matters, the refugee scenario. I

00:15:15.659 --> 00:15:17.740
think this is so important because it takes this

00:15:17.740 --> 00:15:20.440
out of the realm of just cool tech and puts it

00:15:20.440 --> 00:15:22.419
firmly into human rights. This really brings

00:15:22.419 --> 00:15:26.059
it home. Imagine a refugee fleeing a conflict

00:15:26.059 --> 00:15:28.080
zone. They have to leave their home quickly,

00:15:28.440 --> 00:15:31.379
their physical papers are burned or lost. But

00:15:31.379 --> 00:15:34.559
they have a digital wallet issued by a UN agency

00:15:34.559 --> 00:15:38.120
right on their phone. So they have a VC, a verifiable

00:15:38.120 --> 00:15:40.740
credential that says, I'm a refugee. I have these

00:15:40.740 --> 00:15:43.620
skills. This is my medical history. Right. Now

00:15:43.620 --> 00:15:45.740
they cross a border into a European country.

00:15:46.340 --> 00:15:48.460
The border control agent is using a completely

00:15:48.460 --> 00:15:50.879
different software system. Maybe it's a proprietary

00:15:50.879 --> 00:15:53.500
government system. If those two systems can't

00:15:53.500 --> 00:15:55.580
talk to each other, that refugee is basically

00:15:55.580 --> 00:15:58.620
back to square one. They are undocumented. They

00:15:58.620 --> 00:16:00.940
can't prove who they are. But with a trust spanning

00:16:00.940 --> 00:16:04.240
protocol? With TSP, the EU system can ping the

00:16:04.240 --> 00:16:07.240
UN credential, verify the cryptographic signature

00:16:07.240 --> 00:16:09.820
across different platforms, and instantly accept

00:16:09.820 --> 00:16:12.759
it. It acts as a universal translator for trust.

00:16:12.980 --> 00:16:15.039
That's not just convenience. That's dignity.

00:16:15.460 --> 00:16:17.440
That is the literal difference between being

00:16:17.440 --> 00:16:19.860
a ghost in the system and being a recognized

00:16:19.860 --> 00:16:22.360
human being who can access services. It allows

00:16:22.360 --> 00:16:25.279
trust to travel. And in a global economy, trust

00:16:25.279 --> 00:16:27.659
has to travel. If your credentials die at the

00:16:27.659 --> 00:16:30.399
border, you aren't truly free. So let's recap

00:16:30.399 --> 00:16:32.220
the stack here for everyone listening. We have

00:16:32.220 --> 00:16:34.820
the wallets, the DIDs, to hold our data. We have

00:16:34.820 --> 00:16:36.980
the credentials, the VCs, to actually prove who

00:16:36.980 --> 00:16:40.379
we are. We have the provenance, the C2PA standards

00:16:40.379 --> 00:16:43.019
to prove what content is real. And we have the

00:16:43.019 --> 00:16:45.279
protocol, the TSP, to make sure everyone speaks

00:16:45.279 --> 00:16:47.679
the same language. The blueprints are absolutely

00:16:47.679 --> 00:16:50.320
there. The foundation is being poured right now.

00:16:50.899 --> 00:16:53.860
But Barbosa's final point is that this isn't

00:16:53.860 --> 00:16:56.559
a spectator sport. Yeah, she listed a lot of

00:16:56.559 --> 00:16:59.139
organizations. Hyperledger, the Open Wallet Foundation.

00:16:59.600 --> 00:17:01.240
She's basically looking at all the developers

00:17:01.240 --> 00:17:02.940
and business leaders in the room and telling

00:17:02.940 --> 00:17:05.640
them, you have to build this. Because if we don't

00:17:05.640 --> 00:17:08.680
build it, or if we let one single big corporation

00:17:08.680 --> 00:17:11.920
build it just for themselves, we end up right

00:17:11.920 --> 00:17:15.319
back where we started. Centralized, vulnerable,

00:17:15.599 --> 00:17:18.619
and controlled by a very few people. This infrastructure

00:17:18.619 --> 00:17:21.519
needs to be open source. It needs to be a public

00:17:21.519 --> 00:17:24.240
utility. It needs to be exactly like the physical

00:17:24.240 --> 00:17:26.880
roads we drive on, available to everyone, owned

00:17:26.880 --> 00:17:29.299
by no one. There was one last concept she left

00:17:29.299 --> 00:17:31.279
us with, and I think it's the perfect place to

00:17:31.279 --> 00:17:33.619
land this deep dive. It's an idea that sounds

00:17:33.619 --> 00:17:36.000
so simple, but is actually totally mind-bending.

00:17:36.359 --> 00:17:39.839
First-person credentials. Oh, this is the ultimate

00:17:39.839 --> 00:17:42.259
paradox of the AI age. Explain what it is for

00:17:42.259 --> 00:17:45.240
the listener. It is simply the ability to cryptographically

00:17:45.240 --> 00:17:47.759
prove that you are a human being. Not who you

00:17:47.759 --> 00:17:51.079
are. Not, I am John Smith. Just what you are.

00:17:51.240 --> 00:17:54.900
Exactly. Just, I am not a bot. Think about it.

00:17:54.920 --> 00:17:58.440
In a future where 90, maybe 95 percent of all

00:17:58.440 --> 00:18:01.680
internet traffic is AI agents talking to other

00:18:01.680 --> 00:18:04.779
AI agents, spamming each other, generating endless

00:18:04.779 --> 00:18:08.099
content, human attention is going to be the absolute

00:18:08.099 --> 00:18:10.140
scarcest resource on the planet. So being able

00:18:10.140 --> 00:18:12.619
to raise your digital hand and say, hey, I actually

00:18:12.619 --> 00:18:14.980
have a pulse is going to be incredibly valuable.

00:18:15.000 --> 00:18:16.740
It's going to be the ultimate premium status.

00:18:17.079 --> 00:18:19.579
Being able to verify I am a biological human

00:18:19.579 --> 00:18:22.359
allows you to access spaces, communities or services

00:18:22.359 --> 00:18:24.819
that are designated humans only. It prevents

00:18:24.819 --> 00:18:27.119
swarms of bots from influencing elections or

00:18:27.119 --> 00:18:29.900
crashing stock markets or just overwhelming social

00:18:29.900 --> 00:18:32.460
networks with noise. It's wild to think that

00:18:32.460 --> 00:18:34.400
proving your humanity is going to be a technical

00:18:34.400 --> 00:18:36.920
feature. We used to worry so much about the Turing

00:18:36.920 --> 00:18:39.160
test. You know, can a machine pass as a human?

00:18:39.240 --> 00:18:41.799
Now we have the reverse Turing test. Can a human

00:18:41.799 --> 00:18:44.700
prove they aren't a machine? We need more technology

00:18:44.700 --> 00:18:47.339
to preserve our humanity. That is the great irony

00:18:47.339 --> 00:18:51.130
of all this. But it's also the hope. These tools,

00:18:51.369 --> 00:18:53.730
these architectures of trust, they aren't about

00:18:53.730 --> 00:18:56.430
controlling people. They are about empowering

00:18:56.430 --> 00:18:59.190
people to own their digital lives in a world

00:18:59.190 --> 00:19:01.789
that is becoming increasingly artificial. So

00:19:01.789 --> 00:19:04.009
for you listening right now, next time you unlock

00:19:04.009 --> 00:19:06.890
your phone with your face or you use a digital

00:19:06.890 --> 00:19:09.009
boarding pass at the airport or even just drive

00:19:09.009 --> 00:19:11.230
down the highway, I want you to think about the

00:19:11.230 --> 00:19:13.529
infrastructure behind it. Think about the invisible

00:19:13.529 --> 00:19:15.990
lines of trust that keep everything moving safely,

00:19:16.430 --> 00:19:19.289
and realize that the Wild West era of the internet

00:19:19.289 --> 00:19:22.049
is finally ending. The roads are being paved.

00:19:22.650 --> 00:19:25.509
The real question now is, who is deciding where

00:19:25.509 --> 00:19:28.349
those roads go? And if you are in a position

00:19:28.349 --> 00:19:31.430
to influence that, if you write code, if you

00:19:31.430 --> 00:19:34.450
lead a team, if you make policy, you should really

00:19:34.450 --> 00:19:37.230
look into the Open Wallet Foundation and Hyperledger.

00:19:37.730 --> 00:19:40.890
Look into C2PA. Because as Daniela Barbosa made

00:19:40.890 --> 00:19:43.789
so clear, trust is the only currency that actually

00:19:43.789 --> 00:19:45.750
matters in the age of AI. It's the one thing

00:19:45.750 --> 00:19:48.150
we just can't automate. It really is. That's

00:19:48.150 --> 00:19:50.589
a great point to end on. That's it for this deep

00:19:50.589 --> 00:19:53.170
dive. Stay curious, stay skeptical, and most

00:19:53.170 --> 00:19:55.349
importantly, stay human. We'll see you in the

00:19:55.349 --> 00:19:56.450
next one. Thanks for listening.
