GiD Report#184 — Every company is an identity company

Published in

GlobaliD

10 min readNov 2, 2021

Welcome to The GiD Report, a weekly newsletter that covers GlobaliD team and partner news, market perspectives, and industry analysis. Check out last week’s report here.

This week:

The age of digital identity
Gensler: “DeFi will end poorly” without regulations
Meme of the week — Meta edition
Tweet of the week — Crypto edition
Headline of the week — Dinosaur edition
Stuff happens

1. The age of digital identity

There was a time when every company became a tech company. Soon after, every company was a fintech company.

We’ve now reached the stage where every company is going to be an identity company. Mark Zuckerberg’s Facebook — wait, I mean Meta — wants us to ditch our monitors and smartphones for VR goggles so we can engage with each other in an all encompassing digital reality called the metaverse.

But we’re not going to get there without figuring out digital identity first.

For years, identity has been an afterthought for most companies. Need to check for age? Just tell me your birthday. We won’t actually confirm that it’s your real birthday, but at least we asked, right? Or you might outsource identity to Facebook or Google. But those platforms don’t care about identity — they care about ad dollars and engagement. You only need an email, any email, to create an account — real or fake. If you decide to manage identity yourself, your company’s servers are now the target of hackers and if headlines from the past few years are any indication, the hackers are pretty good at stealing our data.

As the stakes of our social and business interactions online have increased — with the pandemic pouring gasoline on the trend — the status quo isn’t good enough anymore.

For responsible parents, age restrictions matter. Kids are too smart for the honor system. But having to send a photo of your driver’s license to a questionably secure server every time you want to watch an R-rated movie or access a restricted service hardly makes for a convenient and safe experience.

David McCabe from the NYTimes has a new report on the end of anonymity as companies start to take identity more seriously (via /rcb):

People in Japan must provide a document proving their age to use the dating app Tinder. The popular game Roblox requires players to upload a form of government identification — and a selfie to prove the ID belongs to them — if they want access to a voice chat feature. Laws in Germany and France require pornography websites to check visitors’ ages.
The changes, which have picked up speed over the last two years, could upend one of the internet’s central traits: the ability to remain anonymous. Since the days of dial-up modems and AOL chat rooms, people could traverse huge swaths of the web without divulging any personal details. Many people created an online persona entirely separate from their offline one.
But the experience of consuming content and communicating online is increasingly less like an anonymous public square and more like going to the bank, with measures to prove that you are who you say you are. This month, lawmakers in Washington, which has lagged other world capitals in regulating tech companies, called for new rules to protect young people after a former Facebook employee said the company knew its products harmed some teenagers. They repeated those calls on Tuesday in a hearing with executives from YouTube, TikTok and the parent company of Snapchat.

Taking identity seriously is necessary and responsible. But relying on outmoded frameworks to do so is problematic.

The first problem is friction:

Richard Errington clicked to stream a science-fiction film from his home in Britain last month when YouTube carded him.
The site said Mr. Errington, who is over 50, needed to prove he was old enough to watch “Space Is the Place,” a 1974 movie starring the jazz musician Sun Ra. He had three options: Enter his credit card information, upload a photo identification like a passport or skip the video.
“I decided that it wasn’t worth the stress,” he said.

The second problem is security:

Critics of the checks worry that the requirement will force users to give sensitive information to websites with limited resources to prevent hacks. Outside companies that offer age checks would be vulnerable, too.
“Either way, that’s still a treasure trove of data that’s exploitable,” said Daly Barnett, a staff technologist at the Electronic Frontier Foundation, an online privacy and free speech advocacy group.

Self-sovereign identity (SSI) addresses both those problems with one stone. Verify your age once and now you can use that credential over and over without re-submitting any personal data. Friction problem solved.

Moreover, a company only needs to know that you’re, for example, over 18. They don’t need to know your birthday. They don’t need to know your ID number or your driver’s license’s expiration date. None of that personal information needs to be shared.

And because it isn’t being shared, there’s no “treasure trove of data that’s exploitable.” Instead, your data is safe with you. You control it, you own it.

Some companies like Twitter, as the NYTimes reports, are sticking to their guns in order to protect the original charm of the internet:

Some services are resisting the checks. Twitter allows users to disclose their birth date but does not require it. If users want to view adult content — nudity is prevalent on the service — they must click through a warning but don’t have to prove they are 18 or older.
“At the heart of Twitter is the belief that there’s a huge value to the public conversation of people being able to speak pseudonymously to the world,” said Nick Pickles, a senior director of global public policy strategy at Twitter, “and also not requiring a significant amount of personal information to be provided before you can use online services.”

But in light of smarter identity frameworks such as SSI, that becomes a false argument. Why not have it both ways? Ensure that only adults are accessing adult content while also ensuring that those who want to remain pseudoanonymous can stay just that — and not have to share a “significant amount of personal information” as a ticket to entry.

One thing’s for certain — the digital age we live in will only get more digital. But in order to get to a more constructive future, we need to get digital identity right.

Every company will now have to be an identity company.

This is a seminal moment in the history of the internet. The paths we choose will have a tremendous impact on our daily digital experience.

Relevant:

2. Gensler: “DeFi will end poorly” without regulations

First, here’s the FT:

Global authorities have taken the first step to bring decentralised finance under regulatory oversight after rapid growth in the blockchain-based alternative to the traditional financial system.
Standards setters for anti-money laundering said on Thursday that creators, owners and operators of decentralised finance services should comply with rules designed to combat money laundering and terrorism financing. The Financial Action Task Force, or FATF, urged national regulators to apply standards to individuals who “maintain control or sufficient influence” over DeFi apps, it said in a report.
The guidance from FATF, an intergovernmental body based in Paris, is the first effort by global authorities to address the rapidly expanding world of decentralised finance, which has grown fivefold this year to $100bn locked up in projects, according to data group DeFi Pulse.

Now, here’s SEC Chief Gary Gensler via Yahoo:

My broad thoughts are it’s one of the innovative areas in this crypto movement. I mean, we start with Satoshi Nakamoto who was pressing up against the definition of money and ledgers, sort of an old, thousands of years old technology, money and ledgers.
But decentralized finance has started to press up some other innovations. While that’s all interesting, it reminds me a lot about when peer-to-peer lending came along about 15 years ago. People said, well, I’ll lend money to you and it would just be peer-to-peer. And we had to take 3, 4, 5 years to bring it within an investor protection, and in some cases, banking regulation.
And I would say that’s what we’re going through right now. The same process, hopefully, we get to the other side where whatever innovation it’s there survives. But again, the public is protected. We protect against financial stability concerns as well. There’s a lot of lending going on. There’s a lot of trading going on. And without protections, I fear that it’s going to end poorly.

Finally, the bad news for DeFi:

The first ugly truth about DeFi regulation is that it will inevitably come too late. Systems like UniSwap and Celsius were built in ways that challenge the fundamental premises of conventional financial regulation, but regulators will not be quick to shift their models to conform with the reality on the ground. Meanwhile, DeFi systems continue to grow, guaranteeing they’ll face increasing scrutiny.
Jai Massari, a partner focused on trading and markets at the law firm Davis, Polk and Wardwell, predicts a three-step process of reconciling those conflicting truths. Call it the Stages of Regulatory Grieving.
“I think it starts off with enforcement,” she says, “because enforcement is easier than regulation.” Those enforcements could be similar to recent actions that have led to large fines for crypto exchanges like Kraken or services like Tether. But they could also go further to include criminal charges against individuals, on which more below.

In the short term, some DeFi services might be incentivized to continue operating in a Mad Max world in order to gain market share versus platforms that adopt a more compliant approach. In the long run, it will make sense for DeFi to get ahead of regulations and be compliant yesterday — what we call Green DeFi.

Again, that begins with digital identity — and for decentralized finance, it would make a lot of sense to adopt a decentralized form of identity.

Every company is an identity company — including DeFi.

Oh yeah, that includes Tether, too:

Stablecoin issuer Tether announced on Tuesday that it has begun a trial partnership with Notabene to help it combat money laundering in cross-border transactions.
The partnership with the startup, which provides software to crypto exchanges to help them identify their users and track transactions, will help Tether to comply with the Financial Action Task Force’s (FATF) “travel rule,” which requires financial institutions to exchange customer information for both senders and recipients of relevant transactions.
The FATF is a Paris-based global, money-laundering watchdog. Its guidelines for crypto compliance have expanded to include exchanges and stablecoin issuers, which are known as virtual asset service providers, or “VASPs”.

Relevant: