Full transcript of the session:

Scott: Alright. We’re rolling? Okay. We talked about identity. How big a problem is identity when it comes to legal agreements?

Chris: To some extent in the out there in the everyday world of litigation, if an individual walks in to court, and says, “I am Chris Wray,” and swears that I who I say I am, that may suffice. Of course, when the value is more serious, when you’re dealing with corporate entities, their people have usually formal registers. That’s solving the problem for them. Those are usually nation, state maintained register of the corporate entities. That’s your point. That allows you to pin down with sufficient clarity for litigation purposes that a trading entity is what it says it is.

I think we move into more edgy cases as we look at commerce on the block chain.

Scott: Yeah, on the blockchain it becomes more difficult because there’s really no human contact. Everything is basically nothing more than a hash. Identity can start to become a bit more obfuscated, and it’s easier for somebody to pretend to be somebody that they’re not.

Don’t we have these problems today?

Chris: Absolutely.

Vinay: Identity fraud, huge issue. Credit card fraud is what, one percent of all transactions or something?

Scott: Even more than that in the United States.

Vinay: That’s identity fraud.

Vinay: It’s a very hard to untangle too. Once identity fraud has been committed, if two people have been using the same set of credentials, trying to disentangle who took, which actions, very, very difficult.

Scott: Isn’t, let’s say credit cards because they’re great example, they basically self insure. They self insure by basically charging an interest rate and the settlement infrastructure charges fees for the merchant on the transaction, and they use that to basically offset the risk. They’re kid of okay with the fact that they get defrauded on a one percent basis, because the cost of actually making that any better would actually be higher than the cost that they’re actually paying and so they say, as long as it’s under control, that’s okay. They’re constantly trying to figure out ways to make it better, but only to the degree it’s economic.

Isn’t there a solution like this for the blockchain?

Vinay: On the blockchain, the problem is that everyone thinks they already have a solution to identity, which is keypairs. You generate a public key at home. You’re the only person who has the secret, that allows you to sign your documents and so on. The public key can verify those documents. That’s our identity solution.

That’s how we do identity. End of story model. That has run very successfully for all the block chain stuff up until basically now, when we begin to see more desire to tie real world identities to block chain identities. What we’ve got is different desperate communities, that almost understand what identity means already, so when they come together to have the conversation about identity, everybody assumes the problem is solved because everybody agrees that they have an identity solution. The fact that these things are immiscible like oil and water, we still don’t have actually the tie together.

Scott: Isn’t the problem that is not that we can’t have some kind of hash system that basically gives you some concept of identity, but that the identity could be that you’re representing to be could be actually fraudulent.

Vinay: Yeah of course. Identity fraud is a huge industry.

Scott: Huge industry. Actually, then creates a situation where what you have is an ability for people to defraud some system or defraud some contract or get pain in ways, where they shouldn’t be. Isn’t this even at the heart of some of the thefts of funds that have occurred on the block chain from-

Vinay: Absolutely. Over and over again. I mean, the flip side of this is access to markets. Imagine that you have this fortune to be a Nigerian professor of law attempting to refinance a house you owned in Florida. Imagine the amount of identity information you’d have to provide even to get a mortgage lender to talk to you. All of your initial first contacts sound like spam.

Scott: Yeah.

Vinay: That problem that you happen to fall into a demographic, which is associated with identity fraud, and then you can’t even get people to respond to your inquiries, as a legitimate inquiry. All of that stuff is basically false negative and false positive filters. Because we don’t have a definitive solution on identity, what we have a bunch of kind of rules of thumb, and a lot of them produce pathologies.

The credit cards just pay off enormous amounts of criminal activity, rather than closing those systems at a technical level, because it’s a better business decision for them to do that. It still supports an enormous identity fraud market with enormous amounts of personal cost associated with it. That’s all an external cost to the industry.

Scott: Isn’t the problem with that is that the alignment of the interests in actually dealing with the fraud are really not well suited, right?

Vinay: This is the key.

Scott: You have the merchants and what not who are actually the ones being defrauded, and you have the individuals who are the people that have credit cards being defrauded, but the actual credit card companies aren’t. They basically tax the system in a way that they basically.

Vinay: Transparent.

Scott: They’re really not out anything, right? For them, it’s just a question of well is it worth spending a little bit more to reduce the number of instances on this? Am I basically keeping that in some kind of balance that makes sense on a PNL?

Vinay: Yes, exactly.

Scott: That’s how they basically look at it. In the block chain, can’t we look at this in a different way that aligns these interests in some new fashion, such as injecting in an additional party who would have actually a concern and would have the same concern of the other parties being defrauded, like an insurance company?

Vinay: There’s two levels of the identity problem in the block chain space. There’s a bunch of statutory requirements for identity, where if you and I are doing a transaction and I’m a bank, I need to know who you are and I can’t get rid of the liability associated with that. I can hire somebody to do the job, but if they make a mistake, I’m directly criminally liable.

That’s kind of zone number one and that’s a really hard one to cooperate in. On the other hand, there’s commercial insurance, where if I rent you the apartment, and the apartment comes back damaged, I need to be able to make a claim, and if I don’t know exactly who you are, I still need to know who your insurer is and I need to be able to claim against them.

In a lot of instances, what we’re doing is commercial risk. It’s possible for me to proxy out knowing who you are for knowing who your insurer is, ad then your insurer knows who you are, or if there’s some kind of confusion, they pick up the tab. I think that for a lot of what we want in the block chain space, this identity insurance model, where we just relate to the insurer rather to the individual, just smooths out what’s in the commercial risks. It still leaves the financial services’ law requirements for hard identity. I think that as we go forward, there’s going to become an increasingly complex dialogue with regulators about to what degree is the blockchain an environment which provides them with the technical tools they need, to allow hard identity to flow across the network in the same way that for example credit risk can.

Scott: Rob, you’re involved with the thinking here that Vinay and you have been doing together on this problem. What are your thoughts?

Rob: Well, I think the question about identity is really very complex precisely because nobody really means the same thing twice when they talk about identity. They can often mean legal identity, but they might mean identity in relation to a role that a person is playing or in relation to an asset that a person controls.

Scott: The father of a child or the spouse of another party, that’s what you mean by role, right?

Rob: Yeah. The question that I want to answer is not what’s your name, when were you born, what are your biometrics — but are you authorized to perform this action on behalf of the company that you’re representing? Do you in fact actually represent that company? Do you have the legal rights to make the offers that you’re making? That I think, zeroing in on that question, zeroing in on the rights that people have, I think is the way that we can solve this problem in a way that’s commercially sensible, that actually gives people the results that they want without requiring mass disclosure of information.

People are becoming very sensitive. Obviously, recent hacks involving widespread identity theft, where the idea of spreading our information around to multiple parties just to be able to do business with them, is quickly becoming to be seen as unacceptable.

Scott: There’s a lot of blockchain solutions trying to solve identity and trying to do things to basically handle that, to basically give people back self-sovereign identity and what not. They don’t actually address the pieces like the role piece, do they?

Rob: No.

Scott: This is where we get, in commercial environments, where I have to know that you actually have the authority to actually bind the corporation into a contract.

Vinay: Absolutely. It’s not just who you are, it’s what authority are you carrying at the time.

Scott: Exactly. Have you gotten the proper endorsements from the board of directors or from the proper shareholders or what ever the issue might be in order to basically do this.

Vinay: Are you carrying the staff of authority or not?

Scott: That’s correct. In order to merge block chain law and in smart contracts and legal law, we actually have to have a system that addresses these things, don’t we. These are the things that actually happen in the real world today.

Vinay: Yeah. How we approach this, the branches of computer security thinking pre-blockchain, that are really good fits for that kind of problem. There’s a branch called capability-based operating system design, which is beautiful, beautiful, beautiful, technical representations of those kind of authorities and credentials. Even that work hasn’t been brought into the blockchain mainstream yet. We’re in a position where some of these problems are tractable in insurance. Some of them are tractable in capabilities. Some of them are tractable in things like statutory registers, being integrated into blockchains. With all of this stuff, we keep coming back to this question of what we mean when we mean identity?

When we pull that apart, and we say it’s authorization, or it’s authentication, or it’s statutory to compliance or it’s a legal, it’s a passport number or whatever it happens to be. As we get people to be more precise about what it is they want and what they mean, we can kind of check box through these problems one at a time as we build technology and connect pieces together. Right now, I think it is a very, very swampy area with a lot of bad thinking. Some of it driven by confusion in terminology, and some of it is just that the keypair solution is so fantastic for the problems that it solves, that it’s quite hard for people to accept that there are problems that it looks like it solves but just doesn’t.

Scott: Doesn’t.

Vinay: It’s a real sharp drop off when you get to the edge of what you can do with cryptography and identity. You just come off the cliff and you’re left with nothing.

Chris: I mean, contract, often the identity we care most about is as the holder of the relevant rights for the performance of that contract. In a way, we don’t really care about misidentity of the person or entity holding the rights, if we’ve got the right rights holder. That means we can if necessary litigate against or arbitrate against that rights holder, and ultimately stand a chance of getting our hands on the asset. It’s who controls the right rights, relevant to the performance of the contract, that really matters in a commercial contract.

Vinay: The last time we solved this problem was about 20 years ago, where we stood up these things called certificate authorities and they were identity bureaus. You as a company, went to the certificate authority and says, “I’d like you to give me digital certificate so I can accept credit cards on the internet.” They then would check your identity and your brand, Dun & Bradstreet number. They’d make sure that you were a corporate officer and they’d look at your passport. You’d pay $1,500 and they’d give you the digital certificate.

That approach, enabled basically a trillion dollars of value to be created. The entire e-commerce world came from solving that identity problem. The idea that in the block chain space, there’s going to be a similarly enormous reward for solving the identity problem and it’s going to be another layer of global infrastructure just like the HTTPS certificate authorities. That seems very rational and credible to me.

I think it’s going to be a bit more fiddly and a bit more schleppy than the HTTPS thing was, because it turns out, that when you look at this globally, you’ve got to handle the different jurisdictions, and the subtitles that all the different identities look like, but as we make progress down that, I think every step will liberate enormous chunks of value that can make new block chain processes possible.

Scott: Yeah. At Sweetbridge, we’ve looked at this problem and realized that we can both follow the people in the industry that seem to be over emphasizing this, to the point that it is trying to be done beyond the way it’s being done in the real world today, or trying to ignore it to say it’s not real and doesn’t exist. They don’t really need to worry about it, because everything ought to basically be autonomous.

When you deal with business transactions, you can’t ignore it.

Vinay: Absolutely.

Scott: That’s why we’re going to have to be entirely KYC and we’re going to have to take identity very seriously in Sweetbridge and look at it, because Nike isn’t going to want to find out that some supplier of theirs is involved with doing something with slaves that are children. If that ever hit the wire, it’d be a disaster for their brand. The idea of anonymity in supply chains and commerce, actually most businesses do not want this.

Vinay: No.

Scott: They absolutely don’t want this.

Vinay: Under no circumstance.

Scott: In fact, I don’t believe that’s actually what most people want, because most of actual activity and business happens through trust networks. It is then trust networks that you actually have affinities of trust, that are created because of relationships that we’ve had with people and the longer those relationships have existed, and the more substantive those relationships have become, over time the greater amount of trust that we put in them, and the more informal we tend to be able to be about how we came to do things. I think that’s kind of the key to the problem.

Vinay: I would agree. I would agree.

Scott: Alright. Good?

Vinay: Done.