The Sovereignty Stack: Re-thinking Digital Identity for Web3.0

For this episode of METACO Talks we discussed digital identity with Greg Kidd, co-founder and CEO of Global ID. Greg is a serial entrepreneur who is probably best known for founding and taking public Dispatch Management Services Corp, the world’s largest on demand dispatch network for urgent deliveries. In a highly interesting career so far, Greg was also Chief Risk Officer at Ripple Labs and a senior analyst for the Board of Governors of the Federal Reserve in Washington. In his latest venture Global ID, Greg is acting on his long-held belief that people’s identity should be truly portable and owned by individuals themselves rather than corporations or governments.

In this episode, we discussed, among others:

[00:01:29] The “Sovereignty Stack”

[00:04:02] Digital identity and how Digital IDs should work

[00:14:47] How Digital Identity impacts Decentralized Finance

[00:24:06] Second order benefits of a truly portable and self-sovereign digital identity

 

Disclaimer: This is not investment advice.

Full transcript

[00:00:00] Adrien: Welcome to the 23rd episode of METACO Talks; our series of live conversations with the people at the forefront of innovation around decentralized finance. Today, we move one step beyond our usual focus on banking and crypto, and that is because today we have a special guest, Greg Kidd.

Greg’s background is incredibly rich in achievements, that whatever I say is probably going to be an understatement but allow me to try and give a fair description of everything he achieved. First of all, Greg is a serial entrepreneur, having founded multiple startups with one of them exceeding into the public markets. He then went to become an early-stage investor. A very inspired one, I might add – in companies like Twitter, Square, Coinbase, and Filecoin. I think I should give you a call Greg, next time when I decided about my investments. He was also the XCRO at Ripple, and a senior analyst for the board of governors at the Federal Reserve in Washington.

His latest venture as founder and CEO is GlobaliD, the neutral and portable digital identity framework that allows individuals and entities to securely and privately manage all their permissions and money, transcending borders and institutions.

Greg, welcome again to METACO Talks. Hello!

 

[00:01:27] Greg: Thank you for having me.

 

[00:01:29] Adrien: Greg, I want to start with something which may be a stupid question, but for me every identity is already digital. Even my passport has some form of a chip and it holds digital information. When you speak about digital identity, what do you mean by this?

 

[00:01:48] Greg: We’re talking about a special kind of digital identity, which we call self-sovereign digital identity, which means you own your identity and how to cache it locally, could be on a phone, could be on a card – as opposed to a form of identity that the government owns, or Facebook, or some other top-down player owns.

The question is how do you get credentials in your hands that can’t really be taken away? Where you go out, you go on an Easter egg of credentials. You might collect them about your phone number, your government ID, your bank account, your social media; might even be vouchers for your friends. But once you have them, could be your graduation diploma, you don’t have to keep going back to your university to get them to prove that you graduated to another institution. You ought to be able to prove your identity for purposes of whether it’s sending messages or moving money or any permission. It could be medical records, could be voting, but it ought to be in your hands as opposed to you being dependent on some higher power.

 

[00:02:52] Adrien: In a way you’re saying that my identity is the sum of all my attributes, all my achievements. Is that what you mean?

 

[00:03:01] Greg: There’s an expression in philosophy called a bundle of sticks. Our identity is really that bundle of sticks. It could even include things like, I own a particular bicycle that I really identify with. It’s all those attributes that persist over time, and if you can’t prove them and if you can’t control, you’re not in control of your identity. If you have to ask someone else’s permission to prove or establish your own identity, once again, you’re not really in control of your identity.

When we talk about digital identity and self-sovereignty, we’re talking about a form that you can control, and that also should be a form that’s interoperable. It shouldn’t live within one app. You want to be able to take those credentials in any other platform. We’re not anti-company or anti-government, but any company or government that’s willing to recognize those credentials should be able to identify you, authenticate you, and then authorize you to do the things you want to do.

 

[00:04:02] Adrien: Can I compare this to: Bitcoin is to money what your initiative and company is to identity? It’s a way to decentralize, make peer-to-peer, put you in control of your assets and potentially who you are?

 

[00:04:17] Greg: Bitcoin is a great analogy. Bitcoin is decentralized. Anybody who has that private key can basically verify that they control that Bitcoin address, that Bitcoin account. Now, that is a bit of a mad max version of self-sovereignty, because you’re not identifying who you are, you’re just identifying you have a key. In the mad max world, when somebody asks to get gasoline or food, and you’re saying, “Well, why should I give it to you?” They say, “Because I have a gun and mine’s bigger than yours.”

Having that private key when nobody else has that private key gives you a certain form of power. But it’s not based on identity, it’s based on the kind of power you have. If you find a $20 bill in the street, you can go out and do as much as you can do with $20. It’s a bearer bond instrument. But it does establish the concept that there’s nobody in charge up top, that you’re in charge of your destiny. We’re just taking it to a form that isn’t just a bearer bond, just a promise and a proof that you have a private key. It is that you can say you are who you are, you have the credentials that you are who you are. Yet you don’t even have to say who that person is. You can prove that whether you’re a member of a particular club, you might be over a certain age, you might have a credential to fly a helicopter. You can prove all those things without having to sacrifice your privacy and say who you are.

You can say who you are if you want to, but you ought to be able to prove your identity to a level to get the permissions you want without having to give up your most private information and details. That’s an extension of self-sovereignty that empowers you to be over control of your identity and not just give it up; to basically only relay on a need-to-know basis what information is necessary for you to authenticate yourself and authorize the permissions that you’re seeking.

 

[00:06:12] Adrien: That makes perfect sense. Why would I tell Netflix that I am from Switzerland if I can just prove that I’m 18 years old to watch the latest action movies?

I think it opens dozens of questions to ask, but let’s just start with a very short introduction. You have this background, which is extremely versatile. You’ve been involved in multiple crypto companies. How did you go from working at Ripple, investing in many of the successful crypto ventures, and now being again an entrepreneur and moving into identity? What’s the logical path here?

 

[00:06:45] Greg: Well, I wish I could say it’s a perfectly logical path, but it’s more of, if you’ve ever seen the movie Forest Gump, where he just stumbles into one thing after another. I have to admit, when I heard about Bitcoin, it was very interesting. But there was no Bitcoin company. You couldn’t join a Bitcoin company. When Ripple came along, it was the first company where there was something to join. I heard about it in a poker game. One of the players at the poker game knew Chris Larson and the crew that was starting Ripple. I went to them.

I think I was the 10th person at Ripple that said, “Hey, I think you need a chief risk officer, and it can help you with compliance.” People back then were like, “Well, why would we have to worry about compliance and risk?” I’m like, “I’ve got to tell you, the regulators, when they hear about this and figure this out, they’re going to be coming to you. You might want to get ahead of that.”

It was just a chance to be involved in crypto with an actual company, where you could go to work, have a desk, sit down and learn more. I was very fortunate to learn about crypto from some of the early Bitcoin innovators. They were just trying to create a form of crypto that had two additional fields in the spreadsheet. Bitcoin is just what account, and how much? Ripple added also what’s the currency and who’s the issuer? It was just the next step, and that was my intro to crypto.

I was fortunate to be around Y Combinator when the founder of Filecoin came along, and he had this little white paper about proof of stake. Now everybody takes proof of stake for granted now, but there was an original white paper. This was the only guy in Y Combinator that didn’t have a team. But he had a white paper. I could only understand the first paper, but I had that attitude maybe I ought to put a little money into that. That’s how I got to be that first investor in that first round of Protocol Labs.

The same thing happened for Coinbase. Again, Brian was in Y Combinator. He and his founders split. One made custodial wallet, that’s Brian; the other went the other way to start www.blockchain.com, the largest non-customer. Both good ideas. Just happened to be at the launches where those things were happening. Pretty much the same thing, like a big one now is Solana, which is the fastest blockchain. It’s the cheapest blockchain. When I met Anatoli, he had an accent and I had to ask him, “Where are you from?” He said, “I am from the Soviet Union.” I thought that was an interesting answer. Again, he had proof of history, which is a way of basically using an atomic to put a bunch of events together very quickly so that you can have a blockchain that is blisteringly fast.

Fortunate to be around at the start of proof of work, Consensus, which came from Ripple; proof of stake, which came with Filecoin and Protocol Labs; and then proof of history. I don’t know anyone else who just happened to be at those barbecues, but I was just lucky enough to be there just like Forest Gump.

 

[00:09:33] Adrien: Well, I really hope you invite me to your next with them. It feels like it’s a good environment to be in!

You spoke about Bitcoin as a bit the mad max, in the sense that you have your private key and this is the only way to authenticate against network. But then you speak about self-sovereign identity. I asked myself, “How do I protect this?” Is it also with cryptography and therefore with a private key? If it is with a private key, then why is it less of a mad max approach to authenticate?

 

[00:10:00] Greg: The funny thing is there’s authentication, which means you have the technical private key to match with the public key. That’s what’s always happening under the hood. But just because you have the private key doesn’t mean you didn’t get it by like knocking somebody over the head with a brick, taking the private key and using it. We do still live in a world, in some parts of the world, of law with rules. The concept of authentication and authorization is based on being the actual, legitimate, legal owner of that key. We don’t live in a world where we go around, we can only remember so many numbers. We live in a world of words. Words means like the name; your public key could be your name, and the private key should just be buried away, not like a password that’s easily hackable.

If you want to bring things up and have them be trusted and not mad max, yet still secure, we need to go to things like language, which is matching a username, just like we have in Twitter or Skype, to something that we have but isn’t hackable. A phone number and email address, those are not great secure systems. But if we embed something into a mobile phone or onto a card, and we also have controls that know when those things are being used in a pattern that looks unusual, you can give backups and multikey environment to other friends of yours. You don’t have to give it to a central authority. We can begin to build something that’s much more human than just the public private key pairing of Bitcoin.

That’s the technology of the cryptography that’s under the hood, whether it’s Bitcoin or any of these other chains that have come. But some of these other chains have added functionality. Or in our case, what we’re asking is, what do blockchains look like where identity is built in at the chain level rather than thought about later on at the wallet level? We’re asking for the first time: why don’t you start building some chains where you can’t do a transaction or hold value, unless there’s some level of verification? That doesn’t mean we know who you are. We just know that you’ve gone through a proof, and we can show the level of proof you have without having the keys to get in there.

Anybody can come to GlobaliD with a warrant. A government can come, somebody can put a gun to my head and they say, “We want all your data!” I’m like, “Here it is.” They say, “Where are the keys?” I’m like, “I don’t have them. We just wrote the protocol. We didn’t give a key to ourselves.”

Or the Chinese government can say, “We’re really mad you have all this encrypted data in China. We need access to that.” Well, here’s the key, if that’s what it takes to compete in China. We’re not going to unencrypt the data if they just say that by law in China they have to have a copy of the key. That’s China, that’s not necessarily the world I want to live in. That’s like the Orwellian world. There’s the mad max world. I don’t want to live in the Facebook world either, which is the creepy Facebook world.

I also have to admit, I’m not that excited about the GDPR world of Europe, where every time you go to a website, you’re just clicking on another button as if that’s doing something. This concept of the right to be forgotten, I don’t know whether people in Europe just watch the movie Back to The Future too often, that after you’ve shared some data and you tell someone to forget about it, that cleans up the problem. I come from the Nancy Reagan world. Nancy Reagan was just like, “Just say no.” Don’t share the data in the first place. Share zero knowledge proof. They don’t need the data, unless they actually have a request by a regulator to file a suspicious activity report and go through an audit. Give people access to the data, don’t create a bunch of honeypots of data. That’s really the situation that Europe’s in.

None of these situations: the GDPR approach of Europe, the creepy Facebook approach, the telegram mad max approach, or the Orwellian Chinese approach, is anywhere near the world I want to live. I want to live in the Star Trek world, where when you come to the door they know to open it. But if you’re Klingon or a Romulan, the door doesn’t open – except in later episodes when those guys are allies.

You’ve got to build in that solution those missing episodes that explain how the Star Trek world operates. That’s what we in these portfolio companies that we’re investing in, are working on today. That’s why it is a super exciting time to be involved in DeFi now, NFTs, identity. This is it. This is the chance to build that future world, and have it be an alternative to the legacy rails, which are 50 years old, that we’ve been just been milking for the last five decades.

 

[00:14:47] Adrien: You’re preaching to the converted. How do you see your platform connecting to an existing service? First of all, is it a form of blockchain? Is it a database? Is it a decentralized database? What infrastructure do you need, and is it something that blockchains need to explicitly embed in their protocols, or is it something which is an open protocol that anybody can plug to GFI, to smart contracts, or any other use case in this decentralized finance world?

 

[00:15:13] Greg: Just taking a step back, GlobaliD, there’s a lot of identity companies out there. We’re customers of those other identity companies. A company like a Verif or an Onfido, or even Trulioo that can roundtrip a phone number, or a Plaid that can connect you to a bank account – many of those services are out there. All we do is direct people to those services. We build in the links to those, so they can go and collect that Easter egg.

Then we run a namespace. The namespace is really simple: it just makes sure no two people have the same name. You can have multiple names, you have multiple identities, but no two people or groups can have the same name. The role we’re playing is much like what Network Solutions did back in the 1990s, when they created a namespace for the worldwide web to hide away all the complexity of IP addresses. The only alternative to that back then was to go to the walled garden of Copy Serve or American Online – those all sucked. But at the time they were at least something that an average person could use because the internet was too confusing for the average person or average business until the worldwide web came along. It created DNS, the domain name system. What the domain name system was for the internet, which meant it was one domain name system. Didn’t matter if you were a Chinese business, or a Brazilian business, you still had done duh and duh dot com.

We’re just doing for identity. It doesn’t matter what company or where you live, just pick a name and make sure nobody else has it. Go collect a bunch of Easter eggs, and that’s your identity credentials.

But what we’re also adding to that, which is a pain in the ass, takes a lot of time, and we’re not that good at and trying to get better at, is what good is identity if you can’t do something with it? One of the things we do with identity, we communicate with other people, and prove. Like, when I come to this Zoom call, am I who I say I am, or was I just someone who had the password? How do I prove that it’s me, and that my identity is my ticket in? I can message, I can do audiovisual calls, we can document so we don’t have MeToo moments and we don’t have Black Lives Matter moments, because we can create a trusted record of our interactions.

Then a very special case of messaging is moving money. How do I prove I control these funds, I can send these funds, I can spend these funds I can move these funds? We think that when you get an identity, you ought to get control over all your messages and media, as well as all your money and value. You should never be in a situation where somebody just takes away your identity and you lose your history of all your messages or all your media. We need to be censorship resistant. Same thing with. Shouldn’t everyone who has an identity automatically have a noncustodial wallet? It doesn’t mean you can’t have a custodial wallet too, but shouldn’t you have something so that anybody who wants to send you value, they don’t have to ask you an account number? They just send it to your name because they know you at least have a noncustodial wallet. Maybe you have a custodial wallet too, and you can set your router as to where it ends up, but nobody should need to know anything about your accounts. They just need to know you’ve got a bucket, an in-basket, whether it’s for a message coming to you, a file, money.

To us, identity is more than that name and the credentials. It’s the ability to do things with it. The basic building blocks for that is messages and money. We try to build out that infrastructure. It’s still not all there. It’s not to the level that you would expect if you were using already WhatsApp or a wallet, pick your favorite wallet whether it’s Square or whatever. That’s the goal. We’re not looking to be the best in those areas, just like we’re not looking to be the best in audiovisual calls or Slack-like groups, but we expect those things to be part of your bundle of goods, your basket of sticks, that are what you can do with your identity. Everybody ought to have that seat at the table. That’s baseline.

That’s the scope of what we’re doing. It’s an ambitious scope. It means that there could be a world that’s different from Facebook. A world where when you join groups, you know the other people in the group aren’t a troll or a dog or whatever, and yet you’re not having to like give up all of this identity information either to other people in the group or to Facebook and face align a life of spam and ads.

I feel partly responsible because I was around at the beginning of Twitter. Twitter’s become part of the polarization forces in the world today. A lot of adverse behavior happens, and part of that is because while we democratized so that anybody could publish, we didn’t really have very good identity controls. Now we’ve had a bunch of nefarious effects on things like election outcomes and whatnot. I feel guilty about some of the things that I’ve been associated with, that we dropped on the world that had unintended consequences. I have a lot of crosses to bear.

 

[00:20:19] Adrien: What does it mean practically for the techies that are listening to us? How do I integrate your service? How do I use it in a completely different environment? Let’s say, I’m now an Ethereum smart contract user, and I want to authenticate myself to that liquidity pool or to this decentralized exchange. How will I connect my identity to this other service?

 

[00:20:40] Greg: Let me put this statement out there to anybody who’s working on smart contracts, whether the building on top of Ethereum, or building on top of Solana: who’s going to sign your smart contracts and what are they going to sign it with? You can have a title registry for all the diamonds in the world or all the cars or all the art, and if that registry is just signed with a bunch of private keys how do you think that’s going to work for compliance? Things like money laundering? You’re going to have to sign it with something that goes back to a real person. It’s called the UBO; the ultimate beneficial owner. You’re going to have to green DeFi. You’re going to have to make DeFi be green.

Right now the regulators are over their heads. They don’t really know how and what to do about DeFi, but they can really mess you up, and they will really mess up DeFi if they think it’s just an end run to avoid all the compliance and controls that are meant for the custodial world.

What GlobaliD is, it’s just a way, instead of giving out a private key, you give out a private key that is part and matched with an identity. The identity can be very lightweight. It might just be round tripping a mobile phone number, but it is saying that in the smart contract, to complete the smart contract, it’s not just enough that you get a private key and you’re off, and anybody with that private key in the future, if it’s something that gives a commission when you resell, that as long as you have the private key you get the money. Well, you can do that. But I can sure as hell tell you, that’s not going to be compliant. While that’s technically authentication and money will be paid out, you can be sure that guys with guns and badges are going to come knocking on the door. They won’t come knocking on the door for five bucks or ten bucks, but this gets to scale, when Colonial gets shut down those anonymous Bitcoin addresses are not so much anonymous. When people really want to track you down and you’ve been involved in silk road or ransomware; the Americans, the Russians, the Chinese, all these other countries, they’re not stupid. They can look through a tumbler, they can use Chainalysis, they can use AntChain. If somebody steals a big enough amount of money for me, I’m going to be involved in tracking it down, and you can be sure the authorities will be too.

We’re trying to get ahead of that. Developers who want to be on the green side of compliance, I strongly suggest rather than trying to solve this problem from scratch, look at a neutral solution like GlobaliD. We’re not committed to any set of identity providers. Just pick whatever identity providers you want, tell people to come with that credential, and that’s your defense. That’s your explanation. That’s your playbook to show to officials that say, why did you build the system with no controls?

We DeFi. We love that’s it’s bottom up; we love that everybody gets a seat at the table. But we’re not doing this as an end run around compliance. Right now, all these DeFi wallets on Ethereum generally don’t have identity built in. Everything that’s happening on DeFi is basically without identity. Then everything with custodial wallets is generally with identity. That doesn’t make sense. Why shouldn’t the credentials for non-custodial wallets and smart contracts be as good or better than what we have in the custodial legacy world today? We can build a better diamond registry; let’s do it.

 

[00:24:06] Adrien: I agree. I’m going to ask you a tricky question. Well, maybe for you it’s not tricky. Identity solutions, I think I’ve seen hundreds of companies that have tried to emerge in these markets, and way before DeFi became a thing. Many of them seem to have remained at the stage of great technology, but have failed at getting mass adoption that makes it a standard. How do you see that today the stars are aligned, that you have potentially better adoption of decentralized protocols that would benefit from identity? What are the arguments that you feel are making it now the right timing for such technologies to emerge?

 

[00:24:46] Greg: Well, most of the identity companies today, and some of which have been very successful, like SAS companies – they sell identity solutions to exist in corporations or digital wallets – they’re basically building siloed solutions. It’s like we got in the time machine and went back to the day of America Online. Each of them had an identity solution that worked within their silo.

But what that means is, if you’ve ever seen the movie Highlander, where there’s this guy, he’s got the sword, he’s got to defeat all the other people that have a sword, and at the end one sword to rule them all, you have to believe that your identity solution is going to kill everybody else’s, and then they’ll have interoperability because everybody else is dead. I don’t think that’s generally the way it turns out in history for a whole bunch of reasons.

All those solutions, no matter how technologically good or robust they are, they’re in a silo. You can have an NBA Hotshots, but you’ve got to do everything in NBA Hotshots. It’s like in Europe now. I’ve been traveling, you’re going to have a European COVID credential, America’s got COVID credential. You have all these COVID credentials that live in COVID apps, but it doesn’t work when you go between countries. You need a COVID credential that any app can read. Don’t build the credential that only works within the app. The types of identity solutions that you need to build have got to work with your competitors. They have to inter operate.

That concept of interoperation, it is anathema to most identity companies, just like the concept that Facebook and Twitter would work together so that when you make a video and vine on Twitter it works on Facebook. But if Facebook is going to go and blow up things that work perfectly well just because they can, phone companies aren’t going to cooperate so that an M-Pesa like solution in Kenya can work across Africa. Guess what? You’re not going to make any progress. Doesn’t matter if you have the best technology in the world. If you have a foundation of proprietary anti-competitive behavior that’s going to work against interoperability, you’re not going to get innovation that’s inclusive. Those are all the I-words: interoperability, innovation, inclusiveness.

The current generation of leaders, whether in identity companies or social networks, or that run the mobile operating systems, they don’t play nice in the sandbox. Just like banks don’t play nice with phone companies, don’t play nice with merchants, right now, and just like the internet was before the worldwide web came along, everything is in silos. The people that are invested in those companies, it’s very unlikely that they’re going to disrupt themselves by making their current stacks open. They can talk about it, but look at what they do. Look at what all those industries do. Look at what Visa and MasterCard do, no matter how many platitudes they say.

My next conversation at Money 2020, the topic is a little touchy, because they gave me a little runway. It’s called When Do You Need To Litigate To Innovate? Some of these innovations, it’s not about the technology. Technology has got to be there, but you’ve got to be willing to take on these firms the way that Epic Games took on Apple You’re going to have to knock on the door and not say, “Please sire, could I do this little?” You’re going to have to say, “No, we’re going to sue you, because we need access, and we need open solutions rather than closed solutions.” We’re very early on in that period of time. But I am seeing a few identity companies, most are still the traditional ones just looking to sell their next SAS client, but I do believe, and DeFi will demand solutions that are interoperable. DeFi is interoperable itself.

We have this tipping point that started to happen at the end of 2020, and it’s gaining momentum in 2021. It is a blast seeing all sorts of new forms of value come to the market. I have never seen such a bevy of opportunity as I have in the first half of 2021. I’m really excited about the rest of this year.

 

[00:29:06] Adrien: Well, Greg, this has been a fantastic discussion. I want to finish on a simple question, which is: how fast do you think now these new identity solutions and GlobaliD are going to be adopted massively to a point where you can really use it for DeFi, you can use it for Netflix, you can use it to cross the borders? When is this happening?

 

[00:29:26] Greg: Well, we need another crisis, like COVID. COVID sped all this up. A lot of bad things about COVID, but one thing that COVID did change is now everybody’s working from home and they don’t have to go to the office anymore. How privacy and security, how payments work, everybody’s starting to move away from – that accelerated everything way beyond my imagination.

COVID is like tapering out now. We’re not getting any more after fumes. It just depends on when the next crisis comes that causes us to figure out how to take things to another level. It might be climate change, whatever. But I am really excited about the next five years ahead. I expect in this period of time, that people will start to have things like a noncustodial wallet, that isn’t just a geeky technical thing. It’s a seat at the table.

I’m predicting that within five years, a lot of people will hold a certain amount of value and will do a certain amount of their transactions with funds that are electronic, controlled by them, that don’t rely on any other custodian. They’ll just rely on themselves. It’s not because they’re geeks, it’s because the non-custodial world will have access and acceptability. It’ll start to compete with what’s out there in the custodial. You know what? It’ll pay a lot better interest rates, because staking and whatnot, is much better economic returns when you have your money invested in something that doesn’t have all the intermediaries skimming everything off. I’m excited about the next five years.

 

[00:30:59] Adrien: That’s a great conclusion, Greg. Thank you very much for your time. It’s been a fantastic discussion.

For everybody that’s listening today, the next METACO Talks is going to be in two weeks, like usual. You’ll find the recording of this session on our social networks and on our website. Please feel free to connect to the notes and to register for the next episode. Thank you all.

 

[00:31:19] Greg: Thank you. Take care.