Click to Listen to this Episode on Spotify
Mathieu: Jimmy, thank you for doing this with me.
Jimmy: Thank you for having me on; I’m looking forward to it.
Mathieu: We’re doing some cool stuff in the self-sovereign identity space, and we’ll get to that in a few minutes. I was curious — I know you come from the crypto space. It seems that a lot of people in the self-sovereign identity community come from crypto backgrounds. Conversely, there are a lot of people in the self-sovereign identity community who try to distance themselves from crypto, but there is some tie there. Did you come from the crypto space?
Jimmy: I’d say, technically, yes. Although, at this moment, all of that is very nuanced. It’s logical that a lot of people come from a crypto background, because the whole idea of decentralization and everything associated with it, is the same mentality that’s carried over. I think it’s good that crypto and SSI have been parting ways a bit.
I entered the crypto space in 2015-2016 through Bitcoin and then Ethereum; mostly being super-interested in the technology, and just geeking out, diving into it. At some point, I met my co-founders from Tykn, and they came from the same space. We saw this big identity problem, and I thought, “Okay, can we marry this idea of decentralization with the problem of identity and privacy and everything?” That was at a very naive stage in early 2017, when everything to do with self-sovereign identity and decentralized identity began to emerge. All those ideas are still very rudimentary; you just hash a certain identifier, and you put that on the chain. No one had said, “Maybe that’s a privacy concern and a correlation concern.”
Everyone was very excited about the potential of these ideas. We built some early proofs-of-concept on Ethereum; at a time when you didn’t have ERC 725, it was just ESC 20s. We saw that this is a lot more complicated than it should be when you’re talking about people needing to have tokens in their wallets to interact with this. The UX was truly a nightmare, even conceptually.
At the time, people also had this idea of verifying credentials when paying for things like gas, which didn’t seem like a very good idea. At a certain point, we saw a group of like-minded people within Sovrin, which had only a couple of other stewards at the time (I think we were the ninth when we onboarded in June or July 2017). They’d been working on this concept of self-sovereign identity for a while. We hooked in on that; we saw, “Okay, these guys have done a lot of work that we thought we still had to do.” So, we dove into that and started flying the sovereign/SSI flag. Shortly after that, we started working with The Netherlands’ Red Cross through the 510 data team. For us, that was a very valuable experience in needing to make these things work for people on the ground floor and for high-stakes situations. That was very valuable from the perspective of privacy and the implications. We didn’t want to have any perverse incentives, which you also see in certain models. For example, this is one that’s still around: it’s the idea of data marketplaces. In the humanitarian sector, at least, people were pitching this idea of data marketplaces, where refugees and people who’d been struck by disaster could sell their data. They would get money for it, and then they could use that to sustain themselves. That sounds good, in the sense that, “Oh, you’re empowering people with the power of data; we are giving all this data away anyway, and now — power to the people who can use this to get financial freedom.” But, when you’re talking about people who have been put into such a situation, they will, of course, always sell their data. That’s a perverse incentive, because, at that point, they don’t really have a choice — which doesn’t scale very well. Coming face to face with those realizations was very good for us early on.
Mathieu: We came from the crypto space as well; it was similar to Tykn, in that we had done some early POCs on Ethereum and on some other chains. It was the same problem back in the early days: “Yeah, let’s just throw everything on here, let’s disregard anything else. Yay for immutability, yay for not being able to rewrite data and history, let’s go!”
Then, you realize quite quickly that this doesn’t work. It doesn’t even work for a use case of buying gas, or going to buy a bottle of alcohol. It is interesting; people who come from that space, they get decentralized identity, or they get self-sovereign identity. It’s more the concept, and not necessarily the implementation, the technology, or the governance, or everything that you could go into. Conceptually, it makes sense. I believe that many people who are advocates for crypto get that right. You gave a presentation earlier this year at the North American Bitcoin Conference. I attended that conference in December 2017, which was when the Initial Coin Offerings (ICO) were peaking, and it was crazy.
Jimmy: We were there at the same time, then. It was probably January 2018, the one in Miami.
Mathieu: It was crazy! There were close to 100 presenters at that conference, and half of them were ICO pitches. It was unbelievable.
Jimmy: That was nuts. We were actually one of the companies presenting, but we weren’t presenting an ICO, and so we stood out in that way. We actually had a booth there as well, and that was the conference where we unveiled our collaboration with the 510 global initiative of the Red Cross, which was done the month before. There were so many ICOs. I was there with Khalid, and I remember the guys next to us. They didn’t really feel right to me; there was something about how they interacted with people that was very defensive. Two months later, they were indicted for securities fraud for 40 million or something.
Mathieu: You can still see some of those classic memes today in crypto: there’s a guy at a party with a Bitcoin Christmas sweater and a guy with an Ethereum sweater, that comes from around that timeframe. It was just pure craziness.
Jimmy: That was peak madness, because that’s when the market had topped the week before. It was just all-round “Lambo Moon” hype madness.
At the same time, barring those projects, a lot of good things have come out of this as well. What was exciting about that time to me, is that I looked around and saw, “Okay, most of these projects; it’s ridiculous, and they shouldn’t exist.” At the same time, I saw that the underlying technology was still so early, and in a way, it was really shitty; there wasn’t much you could do with it. But to me, this was something that’s super early that’s still going to evolve a lot. You could start to ideate what things might look like in five to ten years. So, in that sense, I’ve tried to remain optimistic but also neutral. I can tell you that a lot of the information is pure hype, and in the short term, that’s going to go very wrong. But then, in the long term, there’s an element of this that’s going to survive, and that element is going to be super interesting.
It’s the same with Non-Fungible Tokens (NFTs) — a huge hype. A lot of it doesn’t make sense, in that it’s non-persistent. Much of this art is hosted on centralized domains, and the tokens themselves just contain pointers to the centralized domain. If that domain goes down, or if some of these marketplace startups shut down in five to ten years, then your art is gone, and your token’s worthless. That doesn’t make any sense to me. There’s an underlying idea that some of this art that’s created is generative and some not, but it’s actually stored on chain, which is a lot more persistent. I find it interesting that some art will be fully persistent. If we think about how much we are interacting on Zoom and other platforms nowadays, it’s not weird to think that in five years, we’ll get into this “metaverse” idea.
Jamie Burke from Outlier Ventures wrote about the “Open Metaverse” and being involved in these virtual worlds. Of course, having scarcity there is a good idea, just like in the real world. Then that idea becomes appealing, but at the same time, a lot of it is now is hype and it shouldn’t really exist. To clarify, I don’t mean it shouldn’t exist at all; of course, it should, but it doesn’t have persistent, lasting value, and will go through the same cycle.
Mathieu: If you’re thinking about the NFTs today, it’s the same thing as the ICOs were, three years ago. The properties behind it are amazing; the ability to be able to tokenize and create liquidity around pretty much any type of unique asset is quite interesting. Forget “just art”: imagine being able to borrow against it, and to lend against it. There are so many cool things you could do with that. When you went back to the virtual conference this year, you pitched self-sovereign identity to the crypto crowd: How did you approach that?
Jimmy: I try to approach it from a neutral point of view. Oftentimes at these conferences, people pitch their own project or at least shill it, and there’s some financial motivation behind it. The organizers have said, “Don’t do that; try to keep it informational and educational.” That’s what I tried to do. In a couple of slides, I talked about some of the stuff Tykn’s been doing, just from a use case perspective. Really trying to keep it straightforward, as an explanation of how this really works from a high level: how credentials flow, and data flows, and what hits the underlying ledger, and what doesn’t. But then, you already saw in the comments, people asking, “Oh, what’s this project? What’s the token?” No token, no ICO. Just a tech company, building tech stuff.
Mathieu: But, by the way, it could bridge a significant gap between the institutions and crypto, so you want to pay attention.
Jimmy: I wonder when that’s really going to happen. I thought maybe that in this cycle, there would be more of this linkage between the crypto space and SSI space because they’ve separated. I thought maybe some of these SSI use cases would start to drip into the crypto space, even just for KYC (Know Your Customer). But now, because of more decentralization in the crypto space, with decentralized exchanges and such, you see that, in fact, demand for KYC is becoming less and less — they’re actually moving away from it. For instance, ShapeShift moved to working with decentralized exchanges. Is there really a demand for that now in the crypto space?
I don’t know. Maybe by the time where you have to essentially dox all your wallets, then it might become more interesting. Maybe once it’s necessary to prove that you own certain wallets that becomes interesting, but so far I haven’t really seen that — which is slightly surprising to me. On the other hand, throughout the bear market, blockchain crypto had a bad rep; so, perhaps it’s good that SSI moved itself away from that. In my opinion, that was rational and a good move, because blockchain and that idea of SSI were so strongly connected. There were many misconceptions. There were journalists writing about us, who vaguely understood blockchain and they vaguely understood the premise of SSI. They made assumptions that you could take someone’s identity and put it on a blockchain, and then it can’t be lost anymore, and it’s there forever.
Of course, that isn’t how it works, and that’s not a good message to perpetuate. We got flack from people, saying, “Ah, Tykn’s putting personal information on channels.” No. This is the opposite of what we do. I would be calling these journalists asking, “Oh, could you please amend this in the article? Thank you for writing about us, but could you please correct this?”
Mathieu: But, people get stuck here. I see this often: as soon as the word blockchain enters someone’s mind, they really get stuck on blockchain. It’s not unimportant, but it’s not what you should be focusing on when we’re talking about decentralized identity or self-sovereign identity.
Digital Identity for At-Risk Populations
Mathieu: Let’s go back in time to the founding of Tykn: You, Khalid, and there was a third person, I believe. A lot of companies come out of a real -problem. It seemed like this one was a perfect example of a real-world problem; an early contributor to the project, who lost his identity. Would you mind talking through that, and how Tykn came about?
Jimmy: Yes, that was one of the motivations. He struggled through this problem himself; being a refugee and coming to The Netherlands, without having a birth certificate or anything to prove his history. As a refugee in The Netherlands, there are certain processes with many steps that are required. You go through ten, eleven different kinds of interviews, with different institutions. You have this whole sheet of interviews that you go through to establish things such as your age and everything else. He did have a passport, so he could still have something to show, but for most of the requirements, he didn’t. That lack of track record did impede his ability to integrate better, and to get access to certain opportunities along the way. Of course, while he was within these refugee camps, he saw that there were many people who were worse off, who just had nothing to prove about themselves. Perhaps from a place of good-natured naiveté on our side, we thought — okay, we can solve this.
I feel that a lot of companies are born out of the idea of underestimating how big the problem is: “Oh, we can do this!” Of course, the problem is way bigger than one company could strive to solve, but it did put us on that right track. What’s important for me, and what’s always been important, is to at least make some sort of impact on the status quo to make it better than it is. Maybe we can’t retroactively give billions of people an identifying document — you can’t retroactively give someone a birth certificate. But, you can try to help those people to have a higher degree of access to the current systems without needing that document. To me, that has become an important part of the motivation within Tykn. Of course, there are big regulatory, legal, policy implications. When you’re talking about legal documentation, it’s very hard to change. It will happen eventually; at least, I think that it will happen over time, but that’s not something you can change within the timeframe of five years. Over the past four years, we’ve spoken frequently with policy-makers within different governments. We have worked with different governments through giving awareness sessions, and with large institutions within the ICRC (International Committee of the Red Cross) and IFRC (International Federation of Red Cross), with the United Nations, the Dutch government, the Turkish government. We’ve tried to at least create that awareness and create a discussion. On that front already, it’s done quite a bit of good.
What we were talking about, at the time, was really the far end of the scale for them: the idea of self-sovereignty and coming from a very puristic point of privacy and data control. Some of the things that stuck practically, were the ideas of things such as data minimization. There is a looming idea of what they call ‘surveillance humanitarianism.’ It’s growing to be a more important term and idea, as the opposite of ‘surveillance capitalism.’ It’s the idea that by digitizing a lot of these humanitarian aid processes, you are also gathering a lot of data about different people who are at risk of being exposed. You can get a lot of insights into these populations, which can be dangerous. You’ve seen it with the Rohingya people; through the best humanitarian efforts, they became a lot easier to identify. I don’t think that was even a tech problem, but just because of the humanitarian intervention, suddenly, these people became very centralized in certain areas, and they had identification cards. Suddenly, they were an easy target for genocide. That’s of course on the worst end of the spectrum, but it’s also not strange to think that a lot of this tech is being tested in the field. I feel that we’re putting privacy concerns on the back burner, coming from an idea of, “Oh, these people don’t have much anyway”; they are almost entirely digitally excluded. So it doesn’t really matter that much if we don’t safeguard their privacy optimally, or if we store all their information in a central database, or collect their biometric information. That scales very poorly, especially when you’re talking about Sub-Saharan Africa which is digitizing at lightning speed. Over the course of twenty years, it becomes quite dangerous. For us, that’s why that sense of control, data minimization, privacy has to be there as a first building block. Seeing that the conversation has started flowing over the past couple of years, that makes me feel good at least, because it’s a conversation that we didn’t see four years ago. We are definitely not the only ones that have been pushing this.
There are a lot of activists in that space that have been contributing to making this impact. I have personally seen that ‘click’ once we’ve explained it, but at least those core principles got stuck somewhere and are identified as something we have to take seriously. So at least the idea of self-sovereign identity can already produce quite a bit of good.
Mathieu: I guess that naive optimism when jumping into anything is probably not a bad thing, because if you knew the complexity underneath, you might have stayed away from it, right?
Jimmy: Yes, I think about that a lot. If I had known what was coming and what was ahead in 2017, I’d probably have said, “I’m going to do something else, and just sit on my crypto.” Honestly, I would have been better off if I did that. But I have no regrets at all. We actually talked about that this morning during our stand-up. Of course, in the beginning we had to bootstrap a lot before we started raising funds, and even then, we barely paid ourselves out in terms of salary or anything. I was compensating for that within crypto, and even through the bear market, I sold a lot. I’m thinking now that I could have probably just retired at 25, which I don’t think is a good thing, necessarily.
Mathieu: I think you guys are clearly trying to make a social impact here, and it’s quite important. Anything that falls outside of that, it’s nice to think about; maybe, it hurts sometimes to think about the missed opportunities.
Jimmy: Yes. I don’t think about it too much. What we’ve been doing with Tykn is much more fulfilling to me, and I wouldn’t trade it for a second. So, no regrets.
Mathieu: When I think about privacy, I like to break it down into just two pieces: one being control, or having the ability to control what happens. The second piece is all about transparency or traceability. That could happen with centralized systems but it could also happen with decentralized systems, as well.
Going back to the early days of Tykn; you’re looking to empower people to have control, and transparency and to own their identity. Is that the project that you guys did with the Turkish government? Was that along the same lines?
Jimmy: Exactly. We put that press release out a couple of weeks ago. This is a project that we started in 2019, at least in the research and conceptual phase. We took part in this UN/Turkish government-led accelerator for identity companies to tackle some of the aspects of the refugee crisis in Turkey. Turkey has taken in a lot of Syrian refugees, and they want them to integrate into society. Of course, there are several different facets to different problems within that whole sphere. We went to Turkey multiple times; we went from Istanbul to Gaziantep, which is very close to the border. In Gaziantep, out of the 2.5 million people that live there, 500,000 are refugees. Surprisingly few are still in refugee camps; they’ve put in a lot of effort to be able to integrate them into society.
We went there with a bunch of assumptions, and again, with a certain degree of naiveté. They have this temporary protection card. We know it’s hard for them to move across different geographical areas and to do certain things because they need to get this card updated, and sometimes, they don’t have the mobility. We knew that smartphone penetration was very high amongst the refugee population; a lot higher than people assume. It’s about 94-95 percent, and a lot of families have multiple devices: iPhone, iPad, they love Apple products. We thought, “Okay, we’ll just digitize this temporary protection card and that’s a job done. They can receive the money on their phone, and they can update it remotely, etc. etc.”
However, we got to talk to the refugees on the ground floor, and the people around that; with people from government to local NGOs to United Nations (we try to talk with everyone). Then, we saw that this didn’t even come close to being the actual most pressing issue. They thought the card was annoying, because it’s a piece of plastic that’s just a bit too big to put in your pocket. Further, they said, “that’s annoying, but I don’t really care about that; I have bigger things to worry about. I can’t get a job on paper; my eight-year-old daughter is working full-time in a textile factory for 30 euros a month,” and so on. Those were very heavy and shocking conversations, as they always are. I had a conversation with a colleague about this: the difference between knowing, and understanding. You can know a lot of these facts, and read them from reports and articles, and see them on the news. Understanding: we probably never will, because we’ve never had to go through those experiences. At the least, we can approximate understanding once you have those conversations face-to-face, and when you sit at the table with people and they tell you their eight-year-old daughter is working almost full-time in a textile factory.
We started to look at, and think about this. We saw that one of the pain points was that there’s a work permit application process that employers need to go through in order to employ a refugee. This process is a bit cumbersome; quite long, usually. What often happens, is that the employer passes this process onto an accountant. You have to pay an initial fee for this work permit, and then you have to pay a recurring fee, and then the accountant also charges markup. The way that the accountant does this application process, is that the employer basically gives their information from their portal. Essentially, they give government identity portal login information to the accountant, who also has a lot of other data. The accountant charges a surplus on top of it.
This is not very legal, but what we saw happening often, is that the costs of this work permit were being passed on to the refugee. We started working it out, and we’ve found that for a refugee, oftentimes they end up with less money if they actually work on paper. Of course, that’s a huge disincentive to work, when you can still get your emergency social credit every month, and work under the table and get paid more, because you need to sustain your family. So, we thought maybe we shouldn’t work with the refugees directly, but maybe we should focus on this part with the employers. If we make this work permit application process easier for them to do, then it would give more incentive to hire refugees, and they would be the primary social benefactor. The UN really liked that idea, and the Turkish government really liked that idea.
We started working that out with our product Ana, and we ran a pilot on that in Istanbul, with the Istanbul chamber of commerce, INGEV (a local NGO), and the Ministry of Labour. Essentially, we made it super easy for an employer to receive a certificate of business ownership, and then use that with a statement from an accountant, to be able to apply for a work permit within the application. The pilot was received very well, and it’s now escalated to the top of the presidency office, where we’re now talking about how we can move this forward within their digital transformation framework.
Turkey is very advanced in terms of its digital infrastructure. For some reason, that is not on a lot of people’s radar. For example, Tubitak, which is the research arm of the Turkish government: they’ve been working on indie wallets and sovereign desk networks since 2018.
Many other governments are not thinking about it even now, and they were already looking at that three years ago. So, in that sense, they are very advanced. That’s why it’s been such a pleasure to work with them, because they already know everything. I remember meeting their chief researcher at a UN function somewhere in Ankara, and I was talking to someone else. I was talking about self-sovereign identity, and trying to obscure the terminology a bit to make it easier to understand, like “explain it like I’m five.” This guy came over and said, “Hey, are you talking about self-sovereign identity? Are you talking about Sovrin? Because then we need to talk.” I said, “Yes, absolutely,” which was a really nice moment.
Mathieu: It’s nice when you can skip that education part; when people are already sold on the concepts. Now, we could focus on what the economics are, and what the business case is.
It seems that going on the ground there really helped you guys understand the dynamics within that ecosystem; to figure out how the economics work. That’s the crucial piece to figure out, if you’re going to make anything work. There’s another key piece too. I know you guys put a lot of focus on UX and design as a company. There are many conversations happening around design in the SSI space. Even just around wallets: more specifically, how do you internationalize wallets? It’s more than just having a switch that you flip the language; people use things differently in different countries. I’m sure that was noticeable as well in Turkey, or with Syrian refugees, around how they use technology. Even looking at intricacies within the apps; how can you make it a better experience, get more engagement, and get more usage?
Would you mind speaking about the importance that you guys place on that, and then how it’s resulted in Ana? I know we’ve talked before, about cloud products and browser products. How does that all tie together for you guys?
Jimmy: It’s a shame Khalid isn’t here, because he’s the chief UX-er. There are some huge things that we’ve seen there, which were very valuable in terms of learning. Like a lot of other SSI companies, we went being a bunch of geeks working on the whiteboard, to actually having to speak with people and understand, “If we built this, could you use it?” Oftentimes, in the beginning, the answer was “no.” Then, you find out that across population groups, there are a lot of user experience assumptions that we make nowadays. Many things are very intuitive and natural for us now, because the digital products that we’ve been using for the past ten years have certain interactions that are just completely logical to us: filling out a form, scrolling, having it go back using a button. All those things seem very natural to us, but it isn’t inherently natural for a lot of other population groups. When you actually go to test those designs, you see people get stuck. One thing we saw within the Syrian refugee population was that they are a lot more tech-savvy. As I said, a lot of them have iPads; they have iPhones. Syria was generally a technologically advanced society, so they understand those interactions a lot more and there isn’t as much of a gap.
However, with some of the design work with the Red Cross, we did see people for whom it wasn’t ‘intuitive’ when having to scroll and fill out certain forms. You have to think hard about, “Okay, how can I make this as intuitive as possible,” and that also inspired some of the designs for Ana. This probably won’t come as a big surprise, but a service or product that is used almost ubiquitously across population groups is WhatsApp and Facebook. Even people who didn’t understand any other apps; they understood WhatsApp, they understood texting people, and they understood Facebook and Facebook groups. Many other areas are sometimes quite abstract, and didn’t quite ring globally. Some of the interface within Ana, we try to make it seem like it’s a WhatsApp flow: when you go through certain parts of the onboarding, for instance. It was the same with one-to-one, which the Red Cross project ultimately ended up being called: one-to-one, or cash-based aid.
From an SSI perspective, we took a lot of learnings from that, because we came face-to-face with some of the realities of having to go into the field and making it useful for people. We saw pretty early that the puristic view of SSI, in terms of having everything stored on edge wallets — when you go to somewhere in Sub-Saharan Africa, that’s going to be pretty difficult, when there’s maybe one phone in a village and it’s not even necessarily a smartphone. It’s very easy to say, “Oh yeah, but within SSI, everything has to be stored on the edge wallet.” What we saw was that if you make that this hard requirement, and keep working from that, then all these population groups are just going to be left behind more and more.
SSI for Privacy and Security Concerns
For those cases, perhaps it makes more sense to take some of those qualities of SSI in terms of having a higher degree of control and being able to guard that, and have these guardianship models where the information isn’t per se stored locally. For instance, that would allow them to use a feature phone, which is what we’ve been working on: being able to accept credentials and verify credentials using a feature phone, which inherently needs some sort of SSI cloud infrastructure. Obviously, the credential isn’t stored on the feature phone, on the edge in that case. That does open up a lot of these interactions and use cases to these population groups. It’s also better than the status quo, which is something we feel strongly about. Perhaps it’s not in the puristic sense of ‘pure SSI,’ but it is much better than the status quo.
As long as you take certain aspects into account, such as: not having that degree of correlation, still having that degree of privacy, operating from a starting point of user control, and data minimization — they still have the portability. From that point of view, it is a lot better than the status quo, and it’s important to be able to see that nuance across different sectors and within SSI. We’ve also seen it from the other side, within enterprises where they didn’t especially want to have something pure SSI, because they wanted to get certain insights. That’s not a popular idea within SSI for good reason, I think, because that’s something we ultimately want to move away from.
Mathieu: That doesn’t apply for business reasons or for regulatory reasons; there’s no reason why data could not be received and stored and used. Going back to what you’re saying, about removing certain correlations, minimizing the data, and ensuring the user control and transparency, and the different privacy properties, and all the other principles we live by. As long as that’s built into the architecture of what you’re doing; if you want to do business with a bank or with an employer and they need certain information — it’s up to you, to opt into it.
Jimmy: Yes. Opt-in, and be able to opt-out, as well. That’s important to me, within SSI as well as complying with GDPR. It’s good that we can request our data back, and request it to be forgotten. I don’t know about you, but I don’t have a list anywhere of companies who have my data, or that I’ve interacted with. So, even being able to have that, and having a ‘nuke’ button that says, “Okay, opt out of all of these,” that would already be pretty great.
At a minimum, becau se of the principles of SSI, I think that things like that will become a lot easier within the next five years or so. Ultimately, perhaps it’ll even become a requirement.
Mathieu: On the consumer side, I like what you said about taking messaging into consideration, inside of the user experience. Messaging is the killer application of mobile technology; there’s nothing more used than that. So, I love that this makes sense to literally everyone in the world. If you could try to incorporate a bit of these digital credentials within a messaging experience, it’s very intuitive. It makes sense, and doesn’t force someone to learn something new or get used to using something new, it’s just easy.
Jimmy: That’s something we need to build on. We’ve all become very excited about SSI because of its potentially disruptive properties. You start ideating about what society would look like, in a perfect utopia where this is the norm. You have the people who go a step further, and they’re suggesting, “Oh, maybe we don’t even need governments anymore, because we could just attest to our own existence.” But, at the end of the day, if you build something that’s so completely different, the regular person will just not understand how to even use it, or why I would want that.
A lot of people say, “Oh, but I trust my government,” or “Oh, but I trust my bank, why would I want to step away?” We still see it in crypto: it’s “Oh, I don’t feel comfortable with that. I like having everything in my bank,” and that’s super logical. However, I think that working within SSI, it becomes very easy to have your nose to the whiteboard, and forget that there are other people out there who aren’t as intimately familiar with the technology, its propositions, and the ideology around it. Most people simply want things to work more smoothly, and perhaps as a secondary goal, they want to be less at risk.
This is something that we’ve also seen. In a lot of SSI companies, including us in the beginning, much of what we were saying was based around privacy and security. To many people, that isn’t an appealing value proposition. That assumption is baked-in to a lot of products when you use your bank. They assume with all these regulations it’s all good; it’s a bank, it’s secure and private until proven otherwise. For a lot of people, it’s never proven otherwise. Many people don’t get their identity stolen, so they’re sure it will all be fine. That’s the paradox in The Netherlands; they did some research on it, and found that there’s this privacy paradox of people. Everyone’s concerned about their privacy, but no one necessarily takes the proper actions to ensure that degree of privacy and online security, and even things like password management. I still meet people who have no idea that they shouldn’t reuse passwords. These are people my age, and they just have no idea why that would be risky.
That’s something we have to consider as well. When you put this out there, a lot of people simply want things to go more smoothly, and they don’t necessarily have a strong opinion on how that happens. Many people don’t understand why biometrics may be bad, especially if we consider what’s happening in China. It has taken quite a lot of education of the tail risks of implementing something like that; of having all your biometrics in a central database that can be accessed by governments and who knows else. They only see, “Oh, but wouldn’t it be great to walk through the airport, and they scan your face, and you get on the plane.” From a user experience point of view that could be pretty great, but then from a point of view of privacy and security, maybe not.
Mathieu: At our company, we laugh every time we ask a company we’re talking to about their security. “I don’t know, we hash our data, and we do this and it’s quite funny, To your point here, it comes down to the lowest friction and the most utility. I saw numbers the other day: today there are 2.8 billion people who use Facebook products, and they’re awesome to a lot of people. Why would they not want to use them, when there’s so much utility to it?
Jimmy: That’s also a point. It’s really hard to get away from that grip now. Even if I think about it myself; I still have a Facebook profile, just because my grandparents have a Facebook profile. Especially now, because my grandfather’s pretty sick and it’s magic; it’s the only way for him to see me, and my sister in the UK, and my parents in Spain. We can all see him at the same time while he’s in bed. To him, it’s magical. For me, that’s huge, so it does bring a lot of good things to people’s lives. But then, most people don’t understand the potential risks of having that power within Facebook. We spoke briefly about things like the Open Metaverse in the future. Facebook is already making a big bet on that with Oculus and all these other devices that you’ll need a Facebook account to use. They’re already extending that control which in the long term is very scary. A lot of people don’t inherently care about that, because they just want to receive that utility, which is logical.
Mathieu: For sure. We’re having these utopian conversations about self-sovereign identity and how everything’s going to be on the edge; everyone’s going to own their keys, everyone’s going to own their credentials. There are similar conversations if we jump back on the crypto side; we want to have the right principles baked in.
Over the past decade, the rise of cloud, mobility, and connectivity have created so much usability and so much utility. It’s lowered friction for so many things that you have to use these products. Again, to your point earlier about still interacting with banks: banks are custodians of your money, your fiat money. There are several issues with banks, but they do provide very valuable services. The same thing should be true when we talk about identity and credentials. It’s crazy to think that people are going to store their credentials on an edge wallet, similar to the way the maximalists store their crypto on an edge wallet. That’s such a small percentage of the population, and it doesn’t work well. So, how do you bake the correct principles that we’re advocating, into existing models and augment them? We’re not jumping from 20 percent to 100 percent, but we’re jumping from 20 to 25; we have some goals to get to 30, and to keep improving that. I love what you guys are doing and how you guys are thinking about that, with your product suite and your vision for the future.
Jimmy: We’re totally aligned on that. I think ultimately, as you said, it’s a very puristic view that’s come from the crypto space, where it’s natural. You have to manage your own keys, unless you want to keep it on a centralized exchange— which historically hasn’t gone very well. Then, you have these hardware wallets and where you store it, which is essentially on the edge, or at least your keys. If that’s for a regular user, that’s not going to fly, it’s not going to happen.
I have many friends and family who are now diving head-first in crypto — of course, because things are at all-time high. I even have to persuade them to spend 80 euros on a hardware wallet, so that it’s not on an exchange and they’re not at risk of huge loss. When you have something like that, but storing it in something like MetaMask, they already find that more comfortable. Ideally, you would use MetaMask with a hardware wallet. That way, you could have it in your browser, but you can still sign it with your hardware wallet, that is, your physical wallet.
I think for identity, something will need to happen where I can at least sign it with my phone, perhaps. Most of the applications are just browser-based, even for different use cases. We talked about this last time, in terms of different stakes and levels of assurance needed. For certain use cases you wouldn’t even need to sign it off. I would love it if a “one-password solution” were able to integrate verifiable credentials. I would simply use my one password, and be able to access all these services. In a way, you could say that approach defeats the point of decentralization, but for a lot of use cases that makes a lot more sense. There’s so much nuance in this, because it’s such a new space.
I think we’ve only seen the tip of the iceberg of the change that this technology will provoke. Take the example of your diploma: we use our diploma to get access to certain job opportunities. You use the presentation of your diploma to provide that you’ve put in the work. But, what we mostly use it for, is signalling; we put that information on our LinkedIn profile. It’s the same with our job history. I might use an employment statement to get a mortgage or something, but mostly, it’s on my LinkedIn profile for signalling. That is data that I want to be public information, and what most of us want to be public information. So, we should have an option to make certain credentials public. I should have the power for myself, to turn that off and make it private again. I should have the option to not disclose that to anyone at all, but then I also should have the option to make that public. A lot of those things, it’s still relatively new and we’re only just thinking about this.
It’s the same with peer-to-peer credentials. I started thinking about that, when my girlfriend was from Canada. She said that in Canada (and you probably know more about this than I do) if you want to get a new passport, you need to get a bunch of people from your circles to attest that you exist. You need to get five people to say, “Oh yes, I know Mathieu. He’s my brother, or he’s my colleague, or he’s my friend, or he’s my neighbour.” Of course, for some applications, p2p credentials would be quite interesting. There are so many other uses that we haven’t even thought of yet. So, yes, I think within that nuance, we’re going to see a lot of billion-dollar companies spinning up within these little corners. This is what excites me about SSI, because it’s still so new. It’s so young and so early, relative to what it will look like ten years from now.
Mathieu: Yes, I totally agree with you. I would love to have a further conversation with you; there’s a bunch of other stuff we could talk about. I think the whole concept of using verifiable credentials for signalling is quite a funny one, if you look ahead. I love that idea. Thinking about the peer-to-peer credential: you start talking about the value of relationships, and how that could start building up. I think we could go on for a long time on these subjects, but Jimmy, I want to thank you so much for doing this with me today.
Jimmy: It was a pleasure, it was really nice. Maybe we do need to have a part two, someday. Let’s plan for that.