[00:00:00] Jonathan DeYoung: Crypto is for everyone, not just rocket scientists, venture capitalists, and high IQ developers. Welcome to The Agenda, a Cointelegraph podcast that explores the promises of crypto, blockchain and Web3 and how regular-ass people level up with technology.
[00:00:24] Ray Salmond: The idea of scanning one’s eyeball or fingerprint into a metal orb to be stored in a database that verifies one identity, and receiving digital money in return, seemed like the plot of a science fiction film not too long ago. Yet, with the official launch of Worldcoin last year and the launch of several competing solutions, this sci-fi future is actually the very real present.
[00:00:48] Jonathan DeYoung: Solutions like Worldcoin have come under intense scrutiny, with consumers and regulators alike concerned about the potential for data abuse and misuse, hacking attempts, general privacy concerns and ethical concerns as well. But despite this, the burgeoning field of blockchain-based biometric and ID verification continues to press forward.
[00:01:09] Ray Salmond: There is a very real need for people to prove their identity and humanity when interacting with the world, from exchanges ensuring sanctions compliance to adults proving that they are of legal drinking age at a bar. But is there a way to comply with these global regulations while still preserving users’ privacy?
[00:01:28] Jonathan DeYoung: Our guest today believes there is a way and that his team has built it. To learn more, we are speaking with Sebastian Rodriguez, the chief product officer of Privado ID, which develops open-source, privacy-focused tools to, quote-unquote, put users in control of their identity across every digital surface. So, welcome to the show, Sebastian. We’re very glad to have you here.
[00:01:51] Sebastian Rodriguez: Thank you. Thank you for having me. I’m glad to be here as well.
[00:01:54] Jonathan DeYoung: So, I mean, I guess why don’t we kick things off with the very obvious first question. Can you give us a high-level overview of what Privado ID is? A little bit about its history? I believe it was a Polygon-branded project at first and then rebranded. So yeah, just give us kind of the intro to what we’re talking about today.
[00:02:14] Sebastian Rodriguez: Okay. Everything started, I would say, 2017. In Spain, there were some political circumstances that where an election wanted to be called in Catalonia and was being prevented by the central government. And then some guys came together and thought that if people want to vote, they should be able to, and they wanted to create tools for digital democracy or promote voting, etc. The first challenge for that was identity. So they started with identity, and they followed the principle of decentralized identity, and blockchain was just one of the components. It wasn’t at the center of it. The same thing found that if they wanted to use blockchain, then they have that scalability issue. So, they decided to start the ZK EVM, Circom ZK EVM. One of the engineers there, the top engineer was Jordi Baylina, which is well known in the Ethereum community.
So, Jordi just took a detour in their identity project, created Circom in that detour, started the ZK EVM, and then got it acquired. Then, that thing was acquired by Polygon, and the initial project that was identity was rebranded as Polygon ID. Polygon ID wasn’t fully developed at the time when it was acquired by Polygon, so over the last two years, and inside Polygon, the team continued developing it, moving from a protocol that was item three to a product that can be really used by developers and users in the form of Polygon ID. But I think, once the product was ready, we realized that Polygon’s vision and mission wasn’t really aligned with identity. This is a scalability that they’re an infra provider and also being so linked, so close to one chain prevented to be in discussions that would make us more chain agnostic or more neutral, which is an essential requirement of an identity solution that wants to take on Web3.
So, I think a couple of months ago, we announced that... It was announced actually in February, but I think we executed a couple of months ago, we spun off from Polygon and rebranded again to Privado ID, but it’s the same theme. It’s the same protocol, the same products and the same mission. What is Privado doing right now is marketplace of interoperable, verifiable data. That’s a big techie definition, but I think it’s the most accurate one. In the end, trust is generated at some point by an organization, government institution or friends. And that trust in form of trusted data needs to travel safely, privately, securely until the application that has to verify it. And we provide all the tooling for the users, for the verifiers, for the issuers of these credentials to maintain that chain of trust in a way that preserves the user rights.
[00:04:55] Jonathan DeYoung: So walk me through, if you can, an example of how practically some service might use or some user might use Privado. So like, let’s say that I’m, to go back to the bar example, I’m a bar, and I want to verify that users are over the age of 21, and there’s some other service that verifies that users are over the age of 20 — I’m using the US legal drinking age — are over 21. So, where does Privado fit into that situation? How does the bar use this, and how does the identity verifier use this?
[00:05:29] Sebastian Rodriguez: Okay, we have different flows, a physical interaction in the real world or whether there is a remote interaction in internet services, right, or crypto asset providers, etc. So, for the case you’re describing, which is a physical interaction case, the typical flow would be you download your identity wallet, in this case, Privado ID identity wallet, from the app store. You achieve your credential through some organization. It could be your government age verification provider. That credential gets into your wallet, and then when you go to the bar, you just present the credential by you scanning a QR code that contains the question, prove me that you are over 18. The difference here is that the communication happens in a triangle. So the issuer of the credential, let’s say, is your government. Your government gave you your national ID. The national ID can prove that you are over 18. You don’t want the bar or the restaurant to call back a link to their government, because then the government knows where you are using the credential. And a bar or a restaurant is not very important, but if you’re going to casino, some other places that will require verification, you don’t want your government or any institution that have issued that credential to know where you’re using or how you’re using it.
So you need to do these separation of duties. The duty of the issuer is just to make an attestation. That’s it. That’s the end of the communication. And then the duty of the verifier is to ask the question without revealing anything to the issuer or to do any other verifier. The second part is depending on how smart your wallet is presenting that answer. It can minimize the amount of data that shared. You can share just the birth date. You can share the full credential, like your national ID. That is what you would do in the real life. We just present the ID with all the information on it. We can just present our birth date, and that will be less. Or we can present a zero-knowledge proof that I actually meet your requirements, but I don’t need to disclose my age or anything else besides the cryptographic proof. So I would say both by preventing these unwanted connections and traceability, and also minimizing the amount of data that the user is sharing, this is how it would improve this particular experience that you have described.
[00:07:27] Jonathan DeYoung: It’s actually a really interesting point that you just raised, because thinking about this concept and prepping for this episode, I was thinking, okay, what if I’m a woman who’s concerned for my safety, and I don’t want the bouncer at the bar to know my home address? So this could be useful in that situation. But you raise a good point, which is that what if I don’t want the government or the other side to also know how that credential is being used, which I think is super important as well. And you get into things like health concerns where you may need to verify your identification at the clinic, and you don’t necessarily want that to be so easily traced back to you in some sort of centralized government database. So, I guess one more sort of foundational question, and then I’ll pass it off to Ray for his own follow-up questions. Where does the blockchain element come into this, and why exactly do you need blockchain? Because theoretically, couldn’t you do this just using some other sort of server or whatever, where you just still use zero-knowledge proofs, but you don’t actually put anything on a blockchain?
[00:08:30] Sebastian Rodriguez: Yeah, so that’s an excellent question. I love that we ask more often in the crypto space, do we really need the blockchain for this? First of all, I’d like to say that our solution is super light in terms of how much we use the blockchain. We are not creating identities on blockchain. We are not storing any private information on the blockchain. We don’t require users to interact with the blockchain to set up their identities or to interact with them. Basically, you could be a user of Privado ID and never post a transaction onchain, ever. And the same goes for verifiers. The only ones that need sometimes to interact with the chain, I would say maybe once in a while, are issuers. And there are two main reasons why we use the blockchain. These are two features that are very hard to accomplish without the blockchain. The first one is revocations. We have private revocations. You need a public registry to tell the world when the credential is no longer valid. A credential may expire. You don’t need a registry for that. It goes with the credential. But what happens when the issuer wants to tell the world, no, that credential is no longer valid? So, there needs to be a public registry, and the properties of blockchain are very good for that.
We also do that with cryptographic accumulators. So it’s completely private, and nobody can detect anything, if you have or not have a credential in your wallet and looking at the register, at the [inaudible] register. The other reason why we use blockchain, and this is something that most DID methods haven’t solved in an elegant way, I would say, is a key rotation. There is a lot of identities in the Web3 space that are based on your Ethereum address. Your Ethereum address becomes your identifier. Challenge is you cannot rotate your keys. And if your keys are compromised, then everything you have done with that identity is compromised. So, decentralized identifiers can solve that, but then you need to find the mechanisms to rotate keys in the AAs. And for that, we also use zero knowledge and blockchain to provide key rotation, in the case that your identity is compromised. There is another large use case that I see, this is more like a cool feature more than an absolute need, which is we also allow DID, which is your decentralized identifier, which represents your identity, to be controlled by multiple Ethereum wallets if you want. That is very cool, but that also requires that you add these keys and transact onchain.
[00:10:46] Ray Salmond: So Sebastian, in the United States, in Europe, and I’m sure in Asia also there are a handful of genetics and biometric testing, mapping, various service providers. They’re very popular now, but I’m not sure if there’s a robust global regulatory framework for monitoring these service providers and placing boundaries around what they can and can’t do. What are some of the risks that are associated with biometric databases?
[00:11:16] Sebastian Rodriguez: The risks are huge, I would say. Let me put it in a different way. I don’t think we have understood the risks yet because biometrics markers or biometric base identifiers, they have a number of properties different from any other type of identification that we have used in the past. First of all, let me say that I’m not against biometrics technology, right? I think that at some point, as you say in the opening, we will need to prove that we are not only humans but unique humans, right, to a number of services. The proliferation of synthetic identities, automatization, and also the weaponization of these fake news bot farms, etc., the pressure to have trusted identities, the pressure for having that is going to become higher in the next years. So, at some point, we will need to find a way to determine how to have long-lasting reputation. Long-lasting reputation only happens when you cannot create a new account and start from scratch. If you do something wrong, that travels with you. But also, long-lasting reputation that is attached to your biometrics, it shows you that in the wrong hands, it could be a ban forever. It could be a mark forever in your life. You cannot detach yourself from that identifier. So, as I say, I think we haven’t understood completely the implications of this.
To the second question, if I think the regulations are good enough, we have managed to control these companies. The answer is no. Not now, not ever. The regulation may be one strategy, but we have seen what happens. Economic incentives are always winning regulations. If the economic incentives are big enough or even the political winds blow in a different direction... Also, regulation is also flexible. And the challenge is, when you enter in one of these biometric-based identity systems, it’s not only that you’re trusting your government or the laws today, you need to trust the laws in the coming 100 years because your biometric marker is going to be the same, and every trace that you leave now is going to be there for the rest of your life. So maybe you trust your current government. You maybe you trust your current regulations and you think everything is fine, but do you think it’s really fine in 30 years from now?
So I think the only viable strategy is to design things in a way that basically doesn’t allow us to do wrong. It’s technically impossible to do it wrong, even if we change our minds in 10 years from now. There is a well-known practice in business in general, it’s data hoarding. It’s collect as much data as you can because you never know. You never know how you’re going to be able to monetize that. You can, in the future, use pattern recognition to find more business data around it, etc., right? This data hoarding creates dystopic scenarios. So, in my opinion, the principle of trustless design is even more important in identity than the decentralized mantra. Things can be centralized but still can be trustless. We need to review all the trust assumptions that we have in every piece of the design, regardless of whether they are in a blockchain, they are centralized or decentralized. I mean, is it better to be decentralized? Honestly, it helps to make it more trustless. But every trust assumption that we make now will come back from us 10, 20 years later.
[00:14:32] Ray Salmond: Well said. That’s a good perspective, kind of answering the does blockchain, does Privado need to be built on blockchain. Does anything actually need to be built on blockchain? Humans should kind of reexamine what they trust and why they trust it, regardless of whether it’s centralized or not. I like that perspective that you’ve shared. Regarding Privado, how are the credentials issued? Like, how do I get the Privado ID? Is it an NFT? I don’t understand.
[00:15:02] Sebastian Rodriguez: We are providing the infrastructure and the technology to secure that chain of trust, but we are not the issuers. We are not issuing any credential. We are not the source of trust. So you can think about us like you eat a piece of meat at home. There is a guy who raised a cow, but there is like a hundred guys that have to make sure that from the time the cow was dead until it got to your table, it was the chain of cold and preservation. That chain is super important, and it requires a ton of procedures and standards and connections so you can actually trust what you’re eating. Same happens with information. We are not the ones originating that trust.
Our idea is to integrate a marketplace of issuers, and we believe in an open marketplace. We believe that any organization should be able to issue credentials to you. The degree of trust that you put on that issuer depends on the real-world reputation and other aspects that are not technological. It can be a government, can be a business provider. It can be your university, right? But now, once they issue that credential, right, there is a chain of trust that cannot be broken. They need to produce that, sign it, leave it in your wallet. Then you need to create a verifiable presentation to share it with the verifier and all that, taking into account that you need to prove that you’re in control of your authenticators, that you can rotate your keys, the keys can be revoked. All this chain is what we provide. We are not the ultimate issuers of these credentials.
[00:16:28] Ray Salmond: Mhm. What are W3C standards?
[00:16:32] Sebastian Rodriguez: You mean which ones we are using in identity?
[00:16:35] Ray Salmond: Yeah, so I was looking at the website, and it said that the Privado ID is issued following W3C standards.
[00:16:42] Sebastian Rodriguez: Yes. Any identity system, decentralized or centralized, consists of two things: it’s an identifier and attributes. That is how we have digitalized our identities. There is one standard that defines how decentralized identifiers are created. It’s called DIDs. This is for decentralized identifiers. There is a specification of W3C, and that’s the international standard. Decentralized identifiers are decentralized because you don’t need permission from any authority to create them. You can create them locally in your wallet. Same as an Ethereum address. An Ethereum address is basically a decentralized identifier. But Ethereum addresses don’t follow the DID standards, so we adhere to the DID standards. EU ID Wallet, from the European Union, is now debating if they need to include DIDs in the specification or not.
The other part of the identity, which is the attributes, what is said about you, this is the credentials that you get from these issuers. This is basically attestations that are files signed by the issuer, but they also need to follow a standard. So there is interoperability, and all the verifiers can read it and understanding what is the semantics. That standard is verifiable credentials. We also provide tools to create the format. So, for an issuer, we are basically giving them tools to issue credentials to DIDs in the verified credential format. There are other standards that we are following as well, but these are the two most important.
[00:18:00] Ray Salmond: Right, right. It’s kind of a universally understood framework.
[00:18:05] Sebastian Rodriguez: Yes.
[00:18:05] Jonathan DeYoung: So, is that framework scalable internationally, like for Privado or any similar solution to be usable worldwide? I mean, you were saying earlier that the regulation and stuff isn’t completely clear or fleshed out yet, so what would need to happen if it’s not possible now, maybe it is, for something like Privado to be functional in every jurisdiction in the world? Or is that just a pipe dream that might not even be achievable?
[00:18:35] Sebastian Rodriguez: Well, there is a technical aspect, and then there is a legal aspect. For the technical aspect, the challenge with these standards is that they define... They standardize at, I would say, at a very low level, but they leave space for a lot of variability. And that is what has happened. Over all these years, multiple companies have tried to use verified credentials and DIDs, but there are like 150 different DID methods. And then verified credentials, they standardize like the file format, but they don’t standardize, for example, the fields. So, each issuer may use different fields. That is the standardization of the schemas that needs to happen.
So there are several layers that still need to be standardized to have worldwide interoperability. That’s the technical side of it. Good news of that is the European EU ID Wallet is going to be a massive force in standardization because they have decided, in many ways, which of these 200 options is going to be interoperable across all European countries. That’s the biggest organization in the world that is pushing such an effort in the standardization. So I think it’s going to be pretty much like GDPR, right? It’s going to be the gold standard, and it’s going to simplify interoperability a lot. So I think we will see that consolidation of the standards in the next year.
The legal side is different. The legal side, you say, can we be accepted worldwide, compliant? Well, that depends on which use case we’re talking about. I’ll give you two examples. So, first use case is age verification. Age verification also has its compliance rules. For example, in US, they are not accepting AI estimations based on facial recognition as a way of attestation. But in UK, they are accepting it. But that doesn’t depend on Privado, that depend on which issuer you decide to work with. Our mission is to provide a single point of connection. If you’re an application to verify the age of your users, Privado ID is a single point of integration. You only need to integrate Privado and then choose which issuer or issuer you want to work with, and then you can decide to work with two issuers in UK and three issuers in America. It’s like a single interface to connect a full ecosystem of issuers.
[00:20:44] Jonathan DeYoung: Man, there’s so many ways this conversation could go that are all interesting. So, I guess to pivot back to something you said earlier, you were sort of hinting or implying that Privado, or maybe just decentralized ID verification services in general, could be able to help fight against misinformation online. So, is that just because it would help prevent bots from like being utilized to spread misinformation? Or is there something deeper in a way that it would be able to help fight against this?
[00:21:15] Sebastian Rodriguez: Yes, that’s a topic that I love because there is a way of working in this project. I think this is one of the biggest threats to our democracies and all the accomplishments that we have achieved over the last century as a society. I think there are three levels. The first level we win, I would say, is prevent bots. Easy as that. You remember the blue mark from Twitter? That was supposed to do that, but it was implemented in a very naive way or interesting way, I don’t know. It didn’t work, but the intention was good, was right. The percentage of bots operating in these social networks is probably higher than 50% at this point, in some of them. So, just preventing bots, proving that you are human, you are not controlling 300 accounts, that is a big, quick win. That will reduce the noise a lot.
The second layer of that is the content. So first this is we will be able to verify identities and have trusted identities. Second, we will need to have trusted content. There is an initiative, the Content Authenticity Alliance. It’s led by Adobe, I think, but there is all the big software vendors, plus camera vendors, plus new agencies. Everyone is there. And they’re creating content credentials. So these are credentials... It’s not a user presenting the credentials, it’s the content presenting its credentials, right? They started… It’s very interesting because I thought, this is not going to work if they don’t cite this or they don’t link these to identities, to people’s identities. And they didn’t want to do that. They started to say, no, these credentials are going to tell you how the image or the content was produced. Which camera was used, which editing software was used, what were the modifications or changes that they made, etc., etc., right? Nothing about the authors. And then, I think, three, four months ago, I believe, they announced that they are now including authorship in their content credentials.
It makes total sense because you will never be able to trust again the content, you need to trust the source of the content. And this is something that our grandfathers used to do. If you read a newspaper, you would first take into account the newspaper you’re reading, and then you’re trusting whatever you read or not. So, you are questioning the source and then the content. But in the area of videos and images and the speed that we trust, the video is a trustable piece of content for us because it happened, right? It’s recorded. Somebody recorded it with their phone. We don’t know who recorded it. We don’t ask who recorded it. It’s just there, right? It looks like it is recorded by a phone. So we need to go back and say no, no, we need to trust sources, not content. And for that, every piece of content needs to be somehow linked to a reputation.
And this is the third layer of how this can be solved, which is, I think, the most challenging part of it, is how do we build long-lasting reputations, avoiding or preventing that these reputations can work against us when we need to have basic services? So, I want to be a trusted journalist. I want every piece of credibility to be added to my profile, but I don’t want to work against me, for Google to decide to ban from all my services. But the need for this reputation is a fundamental piece of being accountable for the content that we produce.
[00:24:18] Jonathan DeYoung: Listening to all that, it all makes sense. But I guess sort of the thing that pops into my mind is what are the potential surveillance, privacy concerns, etc. that come up if everything I do on social media moving forward has to be tied to an identity. It’s going to tell you which device I uploaded it on, which device I took the picture on. Are we going to be entering into an era where sort of remaining anonymous is just going to be impossible, because everything has to be verified? Like someone out there is going to know that it’s me posting, even if the end-user doesn’t see it? Because I agree, obviously, that bias or misinformation is a huge concern. I mean, I go on social media, I see it, I see it all the time, and AI photos being passed off as real photos, and it’s sparking outrage. And we’ve got foreign nations attacking each other with misinformation. So I guess how do you move forward in this reality, while also... You seem like somebody who values privacy. How do you balance those two things?
[00:25:22] Sebastian Rodriguez: I’ll probably be so hated for this. You will use this. But I think anonymity is overrated. Let me give you some context for that. So, I understand that anonymity is absolutely necessary in contexts where your life may be a danger, your rights are not guaranteed, so anonymity is absolutely needed. How important is for everyone to be anonymous or to have easy anonymity? I think in the future, you will be able to be anonymous, but then nothing that you will say will matter because anonymity will equal to fake. Anonymity will equal to bots and spam and noise. It’s already happening. If you want anything that you say or do to be meaningful or impactful, you will have, at some point, to prove something about yourself. And here’s the question: how do you prove it? How do you prove that you are a human, that you are unique, that you’re over 18? All this is how you prove that in a way that leave a trail over time. That after two years of interacting with different services, we can build a profile of you and tag you wherever you go.
And there are ways. The thing is, the technology is there. I gave you the example of, okay, don’t present data, present proofs. That is basic. I know that zero knowledge is still a new technology or new concept for many people, but it’s been out there for years, and at this point, it doesn’t surprise anyone to say, yeah, you can actually share a proof, you don’t need to ask for so much data. But the other thing is we have other features called pairwise DIDs. I have a DID, this is my identifier. If I present a proof to you, and then I present another proof to this guy, and then this other guy, this other guy, if I’m exposing my identifier every time I present the proof, somebody can trace me. They can build also a profile of what I’m doing, where I’m going. They can find me, right? Okay. We have a feature that just creates a different DID for each interaction. So, it’s impossible to track me across my interactions.
We have another feature which is called context-based proof of uniqueness. So, imagine that I need to prove to you that I am unique. I can give you my passport number because there is only one. You can put it in your database, and the next time I come to you, I try to get a new service, you will go there and say, oh no, you already came here, guy. Sorry, this is one cake per user. You already used yours. But then you have my passport number. Another unique identifier, maybe biometric hash, but that’s even worse. So how do I give you a unique identifier that is not exposing me forever? Well, again, using cryptography, zero-knowledge proofs and different techniques, we can create a context-based unique identifier just for our interaction. It is unique in the context of our session. I will not be able to produce for our interactions. So for you, it is still valid. You can still make sure that you’re not going to give more than one cake to each person. But I’m not exposing either my biometric hash or my passport, or any other things that can be used to ban me from other services.
So, our mission in Privado ID is to make sure that the technology exists so if we do the wrong thing, it’s because there were political reasons to do the wrong thing, not because the technology didn’t exist.
[00:28:15] Jonathan DeYoung: Yeah, yeah, it kind of reminds me what you’re saying of, like, the idea, the general idea of a crypto wallet and address a public key, which you were kind of saying earlier is a form of a DID. Like if you see my Ethereum wallet address or whatever, you can track me, every single thing I do, every protocol I interact with, how much money I have, etc. But if you can’t actually link that to me as a person in the real world, it’s effectively useless, if you want to actually have some sort of impact on me walking around out in the real world. So, I might disagree with you a bit that anonymity is overrated, but I totally understand the point that you’re making.
[00:28:55] Sebastian Rodriguez: Yeah, I knew that was going to sound very controversial. Kind of I was joking, but I think you get the point. It’s not that it’s overrated, but that is not the thing that we should be fighting for. We shouldn’t fight to be anonymous. We should fight for consent. Privacy is not about anonymity. Privacy is about consent. I understand what I am sharing to who. I have the means to minimize that as much as I want. Because if the only alternative to consent is anonymity, then we have fake identities that don’t matter.
[00:29:25] Ray Salmond: So, Sebastian, I’m interested in your thoughts on Worldcoin. What type of challenges have they encountered, in your opinion, and how do you think they’ve navigated these choppy waters?
[00:29:38] Sebastian Rodriguez: Everybody is asking me for Worldcoin because it’s a very controversial project. I guess most people, in other interviews, they expect me to jump on them and start criticizing and hating them because they represent the opposite of what we’re doing. Actually, I have to say, the technology is good. They are using many of the techniques that we use. They are using pairwise DIDs. They are using context-based unique identifiers. Now they are using MPCs as well to delete biometric passes that they have. So, if I would evaluate it from a technological perspective, I would say, look, we are not that different.
Now, if I look to the business perspective, we are completely different. And that’s, I would say, my main criticism to Worldcoin. The Worldcoin model assumes that they will be a monopoly. There is no other way for that to work. Biometric proofs of uniqueness are very special because you can only have one issuer of that, because biometric hashes, they are not compatible. There are some something called biometric templates that they are used in passports, and things like that. But the technology they are using for them to work, they need to be the unique provider. The unique source of uniqueness. That is the scary part, is the business model behind it. It’s not the technology. If they succeed in doing what they are doing, and they become the de facto way to prove your uniqueness in internet, that means that no other source of uniqueness is relevant. And if I ban you, I will ban you forever. That is too much power to have by a private company.
And that’s why we are investing in creating an open ecosystem. Then, you can work with multiple issuers, and you can have different sources of uniqueness. So, if one of these sources fails or acts incorrectly or that’s wrong, the entire ecosystem can switch to another method. And also, we’re trying to avoid the concentration of power and also try to give each country the ability to decide which method of attestations are compliant in their jurisdiction. So, this is my main criticism to them is it’s a winner-takes-all, and that is not good for the type of business that you are doing.
And you asked me about which challenges they were facing. I think for me, the biggest one is a very poor incentive design. If they would tell people that the goal was to prevent bots, to prove their uniqueness, to make a better internet, people will do that because that’s a public good for all of us. But if you are paying people to scan their eyes, any psychologist, any book of incentives will tell you that that is plainly wrong, because basically you are putting a price on their identities. And that price may be super high in countries that need the money, or people, $25 is something important to them. But you are sending really, really the wrong message to the rest of the world. Like we are going to buy your identities. It’s not what they are doing, I know it, but from a psychological, aesthetic point of view is I think it was very poorly designed from the very beginning. And the fact that they started in these developing countries also didn’t help for the acceptance in the Web3 space.
[00:32:38] Ray Salmond: Right. I kind of want to challenge an element of that because, you know, there’s play-to-earn, sleep-to-earn, walk-to-learn. I think we’ve come across some projects that are like biometric-data-to-earn. Being semi-facetious there. But, you know, one of the big things about blockchain, crypto and even outside of the space is privacy and choosing when you give people access to your data, and when you elect to give them access to your data, and that data is used for research, or it’s cross-sold, or the data sets are used to form algorithms, look for patterns, so on and so forth, that you should be compensated for it. And, this is my assumption also, people seem okay with it. Or maybe the marketing that I’ve come across from these companies has led me to believe that people are okay with it. Like we expect to be compensated for our data. It happens all the time.
And then there’s these criticisms of Facebook and other places that sell your data, Robinhood, so on and so forth. They sell your data, and they give you nothing for it. So, you know, you’re saying that there’s some criticism around people exchanging their biometric data or their eyeballs for cryptocurrency. But then on the other side of the coin, we have all these do-this-to-earn projects which are really popular in the Third World also. So, beyond Worldcoin as the primary example, do you think there are other ethical implications of exchanging biometric data for cryptocurrency?
[00:34:05] Sebastian Rodriguez: Yes, and the reason is what you have just said. All these projects, the activity projects that you mentioned, are earn money to do things. They are compensating for things that you do. This is compensating for who you are. These are completely different dimensions. So, when I am playing or I am doing exercise or I’m seeing ads, this is things that I do. But when I am giving biometric data about myself that would allow you or other verifiers to identify me at perpetuity, what I am selling is what I am. And the ethical implication here is I think that there is an asymmetry of information. It’s a massive asymmetry of information.
When I play a game to earn money, I know the scope of my activity. I know what I am selling. I’m selling my time. And I think that is quite obvious, and most people will understand that they are selling their time. When I sell my biometric identity, I don’t think most poor people will understand the long-term implications of this. So, I think there is an ethical difference between this, and there is a line there.
And going beyond Worldcoin case, I think the Worldcoin case is super obvious because you have the Orb, and they decided to go with the iris, and it’s very visual. But you see the Orb, you go there, and the iris, the eye, it’s very science fiction. There is a psychology behind this. But what happened is you mentioned Facebook. What happened with Facebook, I think, is way worse because people don’t realize that every time they put a picture, a video online, there is facial recognition techniques. That is also your biometric, but there is no way out of that. I mean, we will have to live in a world without online pictures if we were to remove that. So, that boat sailed a long time ago, and everybody has hundreds of pictures from different ages online, and it couldn’t be super difficult to reconstruct the life and the evolution of someone. So, I think in that regard, the fine that Facebook got for scanning all these faces and have all these very particular information is a good step forward. But I think most people don’t understand what happens with the amount of data that they are constantly providing online.
[00:36:10] Ray Salmond: Okay. Yeah, thanks for explaining that. I’m curious on whether or not it costs money to generate a Privado ID. How is the company profitable? And I’m asking about profitability because sometimes good platforms get sunset due to a lack of revenue. And crypto, there’s like a number of platforms that we’ve used before that were fantastic, and then boom, they end up winding down because they didn’t make any profit. And considering that I might have given my biometric data, wallet address or other things to these companies while using them, then there’s the concern, well, what happens to all the data? So, it also makes me wonder whether or not Privado users know whether their data is being cross-sold.
[00:36:52] Sebastian Rodriguez: When I joined the identity space, one of my first realizations was that this industry is full of dead bodies and corpses, or rather, the road. And that is because identity is super hard to monetize. And the reason why identity is super hard to monetize is because a lot of big companies are willing to give you an identity for free, for obvious reasons. But people are not used to pay for their identities, and that makes it harder. Even if you’re trying to do the good thing with technology and keeping privacy, users are not going to pay for that. So, let me be straight about that. There is no payment for the users. Doesn’t mean that we are selling that information either. Actually, we have designed the system in a way that we don’t have access to the information, even if we wanted to. Everything is encrypted with the user keys linked to the user authenticators that are in custody of the users. So even if we would turn into an evil company, we wanted to sell all the data that we have, we can’t. We don’t have anything. We don’t see anything.
Now, we do have a monetization strategy. I would say that goes into several rounds. I cannot disclose all of them, but I can tell you the quickest one to go live. It’s going to be a fee over the payment of these credentials. So, these credentials are exchanged between issuers and verifiers. Very often, verifiers pay for that. If you want to verify the age of someone or you want somebody to pass KYC or proof of uniqueness, as an application, you will be paying to the issuer. So, we provide the chain of trust. We provide the verifiability of that process. We provide the payment rates for all that process. So, verifiers can pay issuers in an open ecosystem with privacy, warranties and other type of things that will make it very convenient and safe for both sides. And we will take a fee out of this business.
This is a working business. We are not creating a new category. We are not trying someone to pay for something they are not already paying for. In this scenario, we will act as a private version of Mastercard or Visa. We are a payment rails for the companies to pay each other. We want to conquer the Web3 space because, well, we were born in the Web3 space, and I think we have our early adopters here. We have the people that are willing to take the first step and give us the credibility and the scale that we need. But also, our business model is not only focused on Web3, and we want to also go to non-Web3 companies where the number of users are in the millions. So, we have quite some numbers to make this profitable and sustainable. And I understand people is concerned when you don’t have a clear way of being sustainable.
[00:39:16] Jonathan DeYoung: I’ll just pass it back to you one last time, if there’s anything that you want to say to wrap things up that we didn’t talk about, if you want to direct people to Privado’s social media, how to get involved, any fun product launches that are coming up, anything you want to say to close out the conversation?
[00:39:31] Sebastian Rodriguez: Well, I’d like to say that users shouldn’t be thinking about us too much because a mistake that many of these identity solutions have made, in our opinion, is to think that people will go to their app store or they will go to some website and have an identity wallet just for having an identity wallet, and they will start collecting credentials just for the sake of having credentials, and then look at them like they are really anything. And that’s not how it works. You don’t need to have credentials until you need them, and you need them when you are in the process of doing something. When you want to buy alcohol online, or you want to get an airdrop, in these scenarios, then you need to prove something to an application. So, the decision maker in this case is the application, is the verifier that says, okay, you know what, I need to improve my trust on these identities. So, too many bots are costing me too much money, or I am in risk of being compliant. Or, actually, just the quality of my content will be better if I can trust these identities more than I do today.
So, for those niche applications that face these challenges, the next thing is, okay, I need to find a company, I need to integrate the verification, etc., etc. Well, if you are an application, if you are a verifier, and you find yourself in this kind of situations, there is a better way to just connect to a single provider. There is a better way that will keep the privacy for the users, will give you the flexibility to switch providers, and it’s a single point of integration to a full ecosystem of credentials. So, my last message would be to these applications, if they are not thinking about the level of trust that they put in their users, they should start thinking about it.
[00:41:04] Jonathan DeYoung: Well, thank you so much for joining us, taking the time to talk with us, educating us about everything Privado, decentralized ID, biometric verification, and letting us know that maybe we shouldn’t be as terrified of Worldcoin as everybody seems to be. And I look forward to using Privado to vote in the 2028 elections here in the US.
[00:41:27] Sebastian Rodriguez: Thank you. Thank you very much for having me.
[00:41:29] Ray Salmond: Thanks for coming on, Sebastian. It was an enlightening conversation.
[00:41:32] Sebastian Rodriguez: Thank you.
[00:41:39] Ray Salmond: The Agenda is hosted and produced by me, Ray Salmond.
[00:41:43] Jonathan DeYoung: And by me, Jonathan DeYoung. You can listen and subscribe to The Agenda at cointelegraph.com/podcasts or on Spotify, Apple Podcasts and wherever else podcasts are found.
[00:41:55] Ray Salmond: If you enjoyed what you heard, rate us and leave a review. You can find me on Twitter at @horushughes. H-O-R-U-S-H-U-G-H-E-S
[00:42:04] Jonathan DeYoung: And I’m on Twitter, Instagram, and just about everywhere else at @maddopemadic. That’s M-A-D-D-O-P-E-M-A-D-I-C.
[00:42:15] Ray Salmond: Be sure to follow Cointelegraph on Twitter and Instagram at @cointelegraph.
.png)
