Digital: Disrupted: Is Your Online Identity Protected?

Episode Transcript:

Paul Muller: If you haven’t ever received an email saying, “your account may have been compromised, time to change your password,” from one of the many service providers you use on the internet daily, well, I want to come and live on whatever planet you have migrated to. The reality is, as we have talked about on this podcast many times before, cybersecurity breaches are a near daily occurrence. And whether it's brute force or phishing, someone will eventually gain access to your password somewhere. And if you've reused your password like many of us do, that means you've got to go everywhere and reset them. It's incredibly painful. Predictably, the tech companies have created a raft of tech solutions to what, let's face it is a technical problem, and that's password managers, multifactor authentication. You've probably heard about things like passwordless and others. All of these revolve around this notion of digital identity. I guess the question is, is the cure worse than the disease?

Well, before we get into it, a quick shout out to Rocket Software for making today's episode possible. If you haven't already, checked them out at rocketsoftware.com to see why over 10 million IT professionals rely on them every day to run their most critical business applications, processes, and data.

Hey, welcome to Digital: Disrupted. I'm your host, Paul Muller, and today's guest is, well, a bit of a triple threat. He's the author of Loyal: A Leader's Guide to Winning Customer and Employee Loyalty, which is a hot topic right now, but we're actually not going to talk about that today because he's also the CEO of Nametag, which is a business that's trying to solve the identity authentication problem through a slightly different lens. So please welcome to the show, Aaron Painter. Hey, Aaron. 

Aaron Painter: Hey Paul. It's an honor to be here. I've listened to many of the podcasts. I'm a big fan of the show.

Paul Muller: Well, thank you for that. I appreciate it. We're going to jump into the topic of, well, many things. I want to have a little chat with you about Loyal, and obviously we'll talk a bit about digital identity and what that means to the future of all our listeners and the internet. But before we do that, we have a little thing we like to do called the Lightning Round. Don't worry, we don't actually hit you with lightning, although that would be a fun thing. I'm going to have to make a note to talk to our producers about that. Are you ready to play the game? 

Aaron Painter: All right, bring it on. 

Paul Muller: Let's do this thing. All right. First up, Aaron, what would people say is your superpower?

Aaron Painter: Probably listening, but it's ironic on a podcast when mostly I just get to speak.

Paul Muller: Well, and you know, you wrote a whole book about that. We will get into that topic. The most disruptive technology of all time?

Aaron Painter: I would say right now it's AI without a doubt. That's something we use heavily in our product and, as you know, it's just sort of overtaking society at the moment in excitement

Paul Muller: And for whatever reason my phone has decided that every sentence, every second sentence I say, it doesn't understand what I'm trying to say and Siri joins in. It's fun. The best quality a leader can have?

Aaron Painter: The ability to listen. I do argue that in my book, but it's fundamental in creating both employee loyalty and then eventually how those employees interact with customers.

Paul Muller: Amen. Your advice to people starting their careers?

Aaron Painter: I’d say focus on learning by doing and from others because it's an investment in yourself. And I think often in a world of choice, at least for those that are able to, sometimes it's better to choose a learning opportunity over one for slightly more income because I think it pays dividends over time.

Paul Muller: Yeah, it's one of those, I think it's probably one of the best bits of advice that's ever been uttered on this show. And I mean no disrespect to previous guests, but there is a certain inherent risk in that we tend to, I suppose it's wired into us, isn't it? We tend to sort of reach for the obvious in the near term. Would you agree?

Aaron Painter: Yeah, I think especially early in career though, there's this, there's still so much to learn. You're coming out of a school or university setting where you've been trained in kind of formal academic topics and this ability to absorb just businesses, how business is done, the colleagues, how they interact, how they treat customers, the type of solutions that come up and how things are solved. There's so much learning that can happen on the job and from those people around you. And so prioritizing, hey, am I going to work with other smart people, people that I'm ethically aligned with and I'm going to be able to learn from? I just think can pay so many dividends long term.

Paul Muller: Yeah, and do it all early in your career because you've really got nothing to lose in the first couple of years of your career, I think. Learn as much as you possibly can in a job. Take the opportunities, there's no waste of time. Even a waste of time's not a waste of time, because you've learned what a waste of time looks like.

Aaron Painter: Microsoft now, Satya talks about it as a learn-it-all culture as opposed to a know-it-all culture. And I think that summarizes it really well too, just thinking, how can I learn, every conversation, what can I take from this to make things better?

Paul Muller: Brilliant advice. Your first thought that comes to mind when you think of trust?

Aaron Painter: Identity. I think you need to know who you're trusting.

Paul Muller: Let's get into that topic in just a minute. And finally, if you could use technology to solve just one world problem, what would it be and why?

Aaron Painter: Impersonation fraud. I think in today's digital world, it's just everywhere. And it's affecting everyone. It's affecting companies and individuals alike, and we just have to find a way to build more trust to these digital channels.

Paul Muller: All right. Yeah, you've got me where I live. Let's jump into this thing. First question, where do we find you, Dave? You've mentioned Microsoft, I'm assuming you're in Seattle. I don’t know why.

Aaron Painter: Yeah, that’s a fair guess, I'm in Seattle. I spent nearly 14 years at Microsoft, mostly working with companies and partners on how to use technology in new ways. But I was all around the world. When I started at Microsoft actually, I was only there for a couple of years in Seattle and the rest of my time was in different parts of the world. France for four years, Brazil for a couple of years, China for five and a half years. And then very, very heavy in what we were then calling kind of emerging markets, became an executive sponsor for what we think of as geo expansion. So it was, when do you open Microsoft in a new country? Ultimately that became 31 new countries. When there's one person or three people and what do you sell and how do you transact the building new frontier businesses for Microsoft? I loved it, loved mission alignment. And then I left it to go run a large cloud computing consulting firm based in the UK called Cloud Reach and then left in 2019 December just before the pandemic and founded Nametag in early 2020.

Paul Muller: Fabulous. Alright, we're going to get into it in a second, but I feel we should just pay some homage to Loyal. In fact, we should probably get you back to do a whole podcast on it I'm sure, because right now we're sitting in what is, I mean we talk about the war for talent, which sounds incredibly kinetic, but there definitely is this issue of post great resignation, post COVID, post work at home. I think Prof Galloway is someone I personally spend a lot of time listening to. He talks about the fact that I think there's 1.7 job vacancies for every person in America of working age at the moment. So, we've got this shortage of skills available. It's just never been a more pressing time to think about both customer retention but also employee retention. What’s your take?

Aaron Painter: Yeah, my take is that they're closely related and that when an employee feels listened to and heard and like their opinion matters, they feel respected and ultimately that's an environment they want to be in. And when they feel like their opinion matters, they carry that to how they engage with customers. And the best I've seen it is there's a company called Warby Parker that's in the US and now spreading globally, bringing eyewear directly, buy it online, visit a store maybe, and it was phenomenal when getting close with them and watching the culture they had internally where managers celebrated employees from their first day, you’d stand up and you'd share something that was kind of a vulnerable moment as a way to build trust even within the internal employee base. But then when you would watch them engage with customers, they were just hungry for customer feedback, they were hungry for their customers to give them some tidbit or some kind of learning because they knew they could carry it back internally in their management chain and their colleagues would appreciate it. And that virtuous cycle where employees feel connected and like they're listened to, carries within an employee's willingness to listen to customers. And that creates loyalty all around.

Paul Muller: What is your take on, as a leader and a manager, because those words I can imagine potentially lead to actions that could result in something that starts to smell and feel like consensus culture where we all need to be listened to and it's one thing to be listened to, but then you want to see action taken on the things you've said. Oh, you get frustrated that you're always talking and nothing's ever getting done about it before too long, everyone's got a voice and the whole thing turns into Blancmange. Thoughts?

Aaron Painter: Yeah, I tend to think that diversity thrives when you have different voices and opinions, and you need to have an inclusive culture that allows for those different voices to be heard. But it's not necessarily that just because you're sharing an opinion, you're right, but you're entitled to a perspective. And when you listen with sort of a curiosity to understand, hey, I hear your point, help me understand where that's coming from, what's driving that? What did you hear? What was the customer conversation that informed that? Or the classic examples, you're late for a meeting. Okay, you're late. That might be a fact. But the impact is that it's hard for us to get started to have a productive session. Help me understand why you were late. Oh well you know what this time everyday conflicts with when I dropped my kids off at school or oh, this happened. You don't necessarily know what was driving someone's action or maybe even the perspective that they shared. But when you listen with this sense of, help me understand, it allows things to get better, it allows things to improve, it allows for constructive dialogue, and I think can push a culture forward.

Paul Muller: Yeah, well said. If you're interested, it'd be great to get you back to talk a bit more about it. It's a hot topic for me personally at the moment with one of the businesses I lead, so I'd love to get into the discussion.

Hey, let's jump onto identity though because it is an equally pressing topic for me personally. It's a bit of a hot button as you picked up. Before we jump into the discussion in detail though, I think maybe we need to spend a bit of time for our listeners just getting some terminology straight. You used the words identity fraud to describe the one world problem you'd solve. What do some of these terms mean? Identity, for example, versus authentication versus access. They're words that get thrown around really quickly and especially if you are not baked in some of these technical terminologies, it can all seem a little bit like gobbledy goo you switch off and start doing something else.

Aaron Painter: Identity as a word can mean many things. How we come across, how we want to be presented, what we want to be referred to as, our beliefs. There are a lot of things in that word identity. And the more time I spend in this space, the more I realize that the term is also very confused from a security perspective. Identity can be an email address. Well, you can go create a new Gmail address in seconds and be anyone you want to be. When I think of identity, I really think of knowing who a person is and verifying that person. And so, we spend a lot of time on ID verification as a way to say, who is the person authentically behind a screen or a device. And so that's the particular area that we zoom in on. And when I think of impersonation fraud in particular, that's the downside. It is simply too easy to impersonate being someone else today if you're online or calling into a call center for example. You don't really know who's on the other end of that phone or who's behind the keyboard. And that's a risk.

Paul Muller: Yeah. So, let's talk about this because this seems like a simple enough topic, and I mentioned whether the cure is worse than the disease because you get pretty heated pretty quickly when you talk to some of the internet Illuminati about how things should and shouldn't happen when it comes to digital identity. And there's a whole bunch of issues with regards to personal safety and other things associated with both pros and cons. So let's get into it, but maybe we start by just laying up why you think identity is such a hot topic for you in terms of it was the one thing you would try and solve if you could solve anything. Why is this such a big deal to you?

Aaron Painter: I think more and more important things have gone digital and more of our lives exist through digital channels. And for me, this became very real at the start the pandemic. I had several friends and family who had their identity stolen and in trying to be a good friend and son, I said, let's reach out, we can fix this together. Let's get on the phone, let's call these companies. And I realized that in today's day and age, you could do almost anything from your mobile phone except actually prove who you really are. And the outcome of every conversation was “Come to the branch, oh well the branch is closed, okay, well can you fax me a copy of this?” or “hey, what street did you live on in 1970, this or these bizarre security questions.” And unfortunately, the answers to the questions and data breaches. So, they're sort of publicly available at this point and there's just not a way to trust who's on the other end of that phone or screen. And that experience is the front lines of how we protect people's digital accounts today. And that to me is just a fundamental fear that I think we all have to live with. And unfortunately, it's been making society frankly unsafe through digital channels today.

Paul Muller: Yea, and I think, you go one step further with that, which is, I actually had a very close friend and business associate, he was at the office the other day and I said, what's up man? And he's like, oh, just had the worst experience. I'm like, what was it? He said, well, my wife was trying to sell something. I think it was on eBay or one of the various sites, so let’s not pick on eBay, just trying to sell something. It was a PlayStation, I think. And the buyer was overseas. This person who said his wife's not particularly digitally literate, it's not her thing. The buyer of the good said, oh, I need to send you some money, I'll need your bank details. And so, starts off pretty simple, shares the account details. Again, should have been a bit of a red flag, but you know, you need to know the bank account in order to send wire money to it. Then says, ah yeah, my bank's not letting me do it. I'll need, what's your username? Basically, what's your user id? And again, second try can't get in. The bank said they'll need your password so they can log in to send you the money and literally sends the money. And I'm not kidding, this is where it gets super bizarre. They then called back and went, yeah, you would've been texted a little password, could you send us that as well? Cause we can't do anything until you send us the multifactor authentication. Did that and then they cleaned out their bank accounts. And I bring this up because I guess the other thing we're dealing with here is, you and I have a technical background, we understand what it is we are talking about when we talk about identity and trust and the need to protect certain things, but if we talk about, let's just imagine it's 7 billion other people, not all of them have that level of understanding and sophistication. How do we make this simple, I guess is the question? We talked about things like passwordless, we’ve got vendors trying to simplify the problem, but we need to remember that the person on the street, the typical person on the street, doesn't necessarily understand some of the sophistication and complexity of what they're dealing with here.

Aaron Painter: In some ways the solution is somewhat simple to me. It's that in person, we've established a way to do this, right? When you go somewhere and they need to know who you are, they ask to see your government issued ID. Yeah, there are issues around some people that don't have IDs in certain parts of the world and economies — completely fair — but in many developed societies, the adult population has government issued IDs and when you go into a place, you go into the bank to do a transaction, you go into a restaurant or a bar establishment that needs to make sure you're over a certain age, there's a standard way to do it. Here's my ID, a person looks at the ID, they look at you. Maybe AI technology can do that a bit better, but at least it provides a grounding of, okay, I know who I'm engaging with, I know who I'm dealing with. Use it at the bank counter, use it at the hotel check in counter, use it at the airport.

And it's sort of this concept to me that safe communities know their members. If you want to protect an account, you need to know who it is. If you go to an event and you register to get your, ironically, a name tag or a name badge you might wear in the event, someone says, can I see your ID? Great, I know where you're coming from. I'm going to print you a name tag to wear that we have verified who you are so that others in this room can trust you. Yet when you go online and you go to digital communities, we don't have that same experience universally today. And it's the solutions that have been built to do it aren't built to prove someone's identity. They've been built largely for regulatory, kind of know your customer financial laws and that's simply not sufficient to stop fraud.

Paul Muller: And in fact, let's jump into, there's another element to it. I want to get onto the fraud thing in just a second but, if you were to read the media again, if you're a layperson, you'll look at things like, let's just talk about passwordless as a single instance or password managers or, well in fact even if we look at what Apple's doing with the obfuscation of who you are by creating temporary email addresses for you to use, you are getting the opposite situation. You're getting this almost rampant anonymity. Password managers and things like passwordless are not the solution to an identity problem. Would that be a fair statement?

Aaron Painter: Yes. I would say enormously so because the only way to do secure authentication — back to the definition of that word — or logging in securely let's say or signing in, is if you have a smart approach to recovery and that recovery, or in some case the provisioning or the setting up of that password, is where the risk occurs. And so, all these different solutions, passwordless, we've read about pass keys are in the headlines today, and Apple and Microsoft and Google have committed to try and create a passwordless future. They're all wonderful until you read the FAQ and they say “oh, don't worry, you still have your password,” because if you log in on a different kind of device, you're going to need your password to log in. So, we haven't actually eliminated passwords of those kind of technologies and in all of them we've created this risk of what about when someone's locked out?

And so, this is the issue you've seen that's taken a lot of the enterprise security world by storm in the last few months with Okta and this so-called Octopus breach and attack where people have been using 2FA. But unfortunately, if you're using this concept of an authenticator app or getting a pin that you type in, let alone if it happens to come over SMS, an even worse problem, but those methods themselves, they verify someone's holding a device, they don't actually verify who the person is. And so, when you call up and say, I got a new device, I didn't get the text message, my authenticator app doesn't work, they have no idea who you are over the phone and they're going to reset access to that person based on very primitive methods. It's all about the recovery.

Paul Muller: Yeah, I hadn't thought about it through that lens. Let's talk a bit about this issue of why this problem hasn't been solved. Because if we talk about my ability to drive on the road, I get a government issued driver's license. It's not like Ford says, oh, you know what? We need to identify who you are. Here's the Ford driver's license. And then General Motors comes up and goes, well actually you just bought a General Motors, you know what? You don't want that pesky Ford ID, chop that one up and how about you take a General Motors one and then Kia comes along and they're like, oh, both of those are outdated. We've put a chip in ours, get rid of theirs and use our ID. But if I think about the way identity works online today, people who are trying to solve the problem, and I'd argue utilizing my Google or my Facebook ID or my Apple ID across multiple services is a proxy. What I was just speaking about is it seems as though the vendor community is racing to provide a solution to a problem that is normally the domain of government. Now I recognize you're one of those vendors, so I'm probably grabbing for the third rail here, but do you want to reflect on that statement?

Aaron Painter: No, I agree with you. I think governments do have a role that they can play. They've solved it in the physical world. There's a lot of fun reading back to hundreds of years on the evolution of the passport and identity documents, a whole separate fun conversation. But for the most part, it hasn't gone into digital domain. Countries like India, Estonia, Portugal, Singapore to a degree, some are getting progressive and have done things that are good steps in the right direction. The problem is I don't think we can wait for governments universally to get this right. I think the problem is so significant now that at least in building our solution, we said, how can we take something more universal that people have today and bring that into the digital world while you're eventually waiting for governments and others to catch up?

Paul Muller: Yeah, I mean I've got one here. I was just thinking about it in Australia, of course we've got mygovID, which I'm sure you're aware of, and that gives me access to all my government services, but the minute I go to log into my bank, they're like, oh, forget that we want a different authenticator and we've got a different app we want you to use. The balkanization seems to be making the problem worse, not necessarily better. The other thing that I guess pops up as we talk about identities are some of the downsides of this. I mean I think about, well there's two examples that get used most frequently. We'll put the simple case first before we get to the more nuanced one. And the simple case is and I guess if I look at the reason why Apple have created the ability for me to use multiple email addresses across multiple services, basically creating a new email address, virtual email identity for each service I use is to reduce the amount of spam I'm getting to be able to manage how my identity might be misused. Wouldn't having a single digital identity, I'm taking the counter case here because I'm for it by the way, but wouldn't that introduce the problem that once my identity gets out there, I'm going to be spammed to death and my email box, my physical and digital life, are just going to be inundated with junk mail of various sorts.

Aaron Painter: Yeah, I think a little bit comes out of the problem you're trying to solve. And you're right, we can hypothesize what the thought was on masked email addresses or other things and maybe the goal of cutting down spam. I view the goal as protecting your account and we want to make sure the right person gets into accounts that they legitimately own to create safer experiences, whether those are online communities or just making sure your digital assets are safe. I think a little bit it comes down to how you do it and even like we talk about advances in government, I mean India is a fantastic example, I think created a digital identity platform. But you're right, if you were advocating for V2 of that, you would probably move forward to greater degrees of consent, greater degrees of limiting what's shared, greater degrees of re-verification. There are a lot of things that come into how you implement it, but our focus is today on solving a problem that I think is a real world one, which is people get locked out of these accounts or they're trying to access their accounts and you don't necessarily know if they're the legitimate owner. And that's something we think we can do with very high fidelity using advanced technology.

Paul Muller: All right, so let's talk a bit about that before I jump into my second question then, which relates to the national identities. So, give me an example of how having a next generation or a re-imagination of authentication would help me in a situation like customer support where we often get people trying to do things like reset passwords and so forth so that they can steal someone's account. Because that is the problem is once you've got this single digital identity, it becomes a really tempting honeypot for the bad guys to go after.

Aaron Painter: Yeah, I mean I would say you actually have a single identity today, which is probably that document, your driver's license or your passport, and so you kind of have one today, right? But one of the beauties is you hold it physically and so the risk starts to come in when someone might try and help you in a customer support scenario or that bad actor you were talking about on text message earlier might say, oh, send me a copy of it. Well, that's the best we can do today, right? Let me send you a PDF or a photo of my identity document. Okay, that's the starting point, unfortunately then that's getting out there and it doesn't necessarily verify that you are the owner of the document and you're the person in front of it. And that's where we believe, again, technology can play a role. It's not fundamentally new to be able to scan/take a picture of your ID, maybe take a picture of yourself and have technology try and match the two of those up.

The problem is that the technology that's been doing that for the last 10 plus years is based on primitive things. It's based on, for example, webcams. It's allowing you to hold up a photo of yourself or a picture of your ID to a webcam. And unfortunately, that allows for things like digital manipulation. That allows for people to hold up a photo of you instead of it actually being you. It allows someone to inject a manipulated document where you took someone else's ID and put your information on it. And so, we feel that's just fundamentally not a secure way of doing things. But it works for most of today's needs, which are KYC — know your customer regulation. Did you make an effort to check their ID? You did? Great. When you open that bank account, they asked you for an ID, that's the best way? Sure, flash in front of a webcam, but when you call that same bank now and you want to transact or you want to get back into your account, maybe because you've lost access to it somehow, they don't actually have a method to know who you are. They don't go back to the same KYC approach. Those that have tried have found it doesn't work and sort of stuck with security questions, knowledge questions, will send you a pin in the mail, come into the branch and those sorts of things. So, we wanted to create an experience that was similar to what someone might do for that KYC flow, but in a high-fidelity experience that's meant to prevent fraud.

Paul Muller: Now, you've got me absolutely curious now, so what's the difference? Give me an example of what a day in the life would feel like if we were to I guess, adopt your approach, the Nametag approach?

Aaron Painter: Yeah, fundamentally, it's not that magical, but it is novel at the least today. And then we put a lot of technology around it. It's mobile phones. Modern mobile phones have a lot of very advanced technology, among them. Incredibly advanced cameras that we take great selfies with, but they can do a lot of other things. And so instead of asking someone to flash something in front of us in secure webcam, we bounce everyone to their mobile phone, and we use the advanced sensors, we use the advanced technology, the secure enclave where you keep encrypted information. We use the advanced cameras and AI on the device to go through a process of verifying someone's identity. Turns out it feels slicker, it feels more modern, it's faster, it's a great experience, but it's also incredibly more secure because it shuts down those digital manipulation threat vectors. And then it allows us to focus on physical manipulation. Has this physical identity document been manipulated in any way? And so, we can use the advanced tools in mobile phones today that are frankly as advanced, if not more advanced, than what you see at large airport kiosks for immigration. So, your question of flow might be you call customer support, instead of them asking you security questions, they might say, hey, you seem to be at this phone number. I don't even care if it's your phone number. I'm going to send you a text message link. You get that link; you tap on the link and this experience pops up on your mobile phone that is using something incredibly novel called an app clip from Apple, Android has a similar called an instant app. And it's essentially a mobile phone app that you don't have to go to the app store to download. And so, it just pops up. It feels like it's part of the phone operating system, but it's giving us all the advanced security features and all the advanced toys that exist in that modern mobile phone. So, we can validate someone's government issued identity document, we can scan and match their face, make sure that they line up and look at a whole bunch of other things to create essentially an anti-fraud security approach that just feels quick and easy.

Paul Muller: Sounds amazing. And if I'm understanding you correctly, where your focus is is not on being that centralized provider of identity or have I got that wrong?

Aaron Painter: In the absence of good digital platforms, government issued initiatives, for example, that we can import, yes, we say let’s try and be universal. So, if you have a driver’s license, you have a passport, we help you take that form of trusted identity that you got from a government official who you went and met in person and you brought multiple papers and you took a photo in their office. We say, let’s use that as our root of trust. Let’s apply really good smart AI-based technologies to analyze those documents to analyze, make sure it’s you, and then give you a sort of reusable credential that you can take with you and be very thoughtful about what you’re sharing with whom. A classic example might be you’re going into that bar, they only need to know that, in the US at least, you're over 21, other countries are different. They don't need to know your home address, they don't even need to know your name. They just need to know that you're of age to come into that bar. And there are many other scenarios online. They actually don't need all the information in your ID. We call that privacy masking. You should be able to limit what you share and then only offer consent for sharing that with a specific company for specific purpose. And so, we want the credentials to be reusable, but we're using someone else's credential. We're using a government-based root of trust document and then you to make sure that we can create that successful kind of binding and allow you to verify yourself and those kinds of high-risk moments in particular.

Paul Muller: And just to make sure I'm clear on this, when I go to create a new account, for example on my pick an internet service that you love, a SaaS product you love, I'm going to log on, let's just pick on Slack for example. I'm going to jump onto Slack for the first time. And it says, type in your username and password, or if you don't have one, you can automatically create one using your Google ID, your Facebook ID and my Nametag ID? Will it look a bit like that in your ideal world?

Aaron Painter: We fundamentally have that option. We call it sign in with ID. And so, you might think of it as a high value secure offering that if you have something online that you want to protect, have someone sign in with ID instead of Google instead of a Facebook where you don't necessarily know who the person is. And if so, it would send a prompt to your mobile phone if you've used it before, we have an ability to make it more expressed. You don't have to scan your ID, in which case you just take another image of your face. We have a technology we patented called Selfie Chaining that allows those two to be compared, and then suddenly you're in. The other use cases, maybe continue to log in with Google. But let's say then suddenly you want to do something that's a higher risk activity, like change the address, request a payout, make a payment. We've logged in as normal, but that might be a moment where the bank, let's say, says, hey, we need to make sure it's you. And they would send that prompt to your phone and allow you to verify it’s you. Or maybe you continue to log in with Google all along and username and password, but you got locked out and you call customer support, you email for help. They might then send you that link and it would pop up and ask you to verify it’s you and then they would recover access to your account. All just different ways to implement, frankly, the same solution.

Paul Muller: So, on that note, given multiple ways to implement the same solution I think it was Andrew Tanenbaum once said, the nice thing about standards is there are so many to choose from. How do we avoid the further balkanization of identity? And I'm imagining other competitors will be listening to this podcast going, that's a great idea, I've got a better idea or a different idea. I'm going to create a competitor. And before too long, there is no single ID, there's no interoperability of identity because we were just doing the last podcast, we were talking about the metaverse and the idea that as I move around various elements of the metaverse, how I've got to create a different identity for different providers and there's no single view of who I am and therefore I can't take my digital goods from one place to another because they are blocked. They're simply not recognized due to the identity gap or the identity, as I said, balkanization. What are your thoughts on that?

Aaron Painter: I think in some ways we live in an idyllic world. I love interoperability, I love transferability. But that's not necessarily the problem that we're facing today. I would argue in the metaverse for example, the problem is not the ability to carry my identity between metaverses. The fact is that every metaverse is using some sense of identity where they don't really know who I am. And you have something actually universal that carries between them, it's email today. But I would argue email doesn't actually know who the person is. And I think metaverse platforms in particular, let alone all social communities, have a responsibility to know who their members really are. If you want to operate by a pseudonym or an alias, great. But that platform should know who you are. Otherwise, it's hard to police and prevent things like harassment and account theft and other things. And in fact, sadly that's what we're starting to see in metaverse environments because you are essentially anonymous. And so, I'm not worried yet about transferability between metaverses. I'm worried about bringing trust and safety to the metaverse. That's where we're focused.

Paul Muller: Yeah, look, I couldn't agree with you more. And I mean, just take a very simple topic, it's horrific, but especially for the young people involved, things like cyberbullying and this whole issue of the fact that anonymity there actually positively encourages it. I would argue in no other sphere of life are we able to carry on behaviors like that in an anonymous way. And I think that's the social contract we have with each other is, I can bully you, but you'll know exactly who I am and where I live. And you can take action. But in the cyber world, it's the wild, wild west.

Aaron Painter: I often equate it to the old town square. If someone goes down in the town square and they start yelling things that you don't agree with or that are inappropriate, you might not know their name, but you might recognize their face. They say, ah, that person's back again, I know who it is. There's a sense of accountability to that person. And maybe a police officer comes or intervenes. You know who that person is, they're not totally anonymous, but in online spaces we allow the opposite, oh, you didn't like what I had to say? Great, I'll be back in five minutes. Lemme just go create a new account. That doesn't create a safe space. And so that's what we're focused on, aside from just high value scenarios, I need to make sure, oh, I'm the only one accessing my bank account, let's say. Or that my colleagues are the only ones accessing our corporate network. If they get locked out and they call our help desk for support, I want to make sure I'm letting the right person back in because that's an incredibly secure environment I value. And today all the technology platforms out there are failing at keeping those accounts safe because they haven't solved this issue of recovery. 

Paul Muller: And I think the recovery one is a really important one. Want to talk about the second scenario and it's the one that I think gets trotted out most frequently when we talk about digital identity. Sure, you can anticipate where I'm going, which is what do we do? We need anonymity digitally as a firewall against oppressive, repressive, authoritarian governments harassing minorities or harassing their people. George Orwell I’m sure would have something interesting to say about all of this. What are your thoughts when it comes to this issue of the risk of authoritarian governments in a single digital identity? 

Aaron Painter: Yeah, I'm in favor of market economics being able to decide and differentiate, right? I'll call out a platform, for example, Reddit. If Reddit wants to be a platform based on total anonymity and regulators are okay with that, and you can say anything you want in just an open town forum with no accountability? Great. That is Reddit's market differentiation. If you wanted to go start a different platform where you knew authentically who the people were and their identities were verified so that their words could be trusted, ala the transformation undergoing Twitter, we could discuss whether it's been done the right way. But it was a little bit how Twitter was. You could be anyone. You could have a Twitter handle, you create a new Twitter handle. And Elon has wisely identified, I don't know if he will equally wisely implement, but wisely identified that there's a concept of being verified.

And I don't agree with their approaches that they're so far taking on verification because I don't think they are sufficient. But the concept of knowing at least who is behind that handle creates a safer community. And so, I think there are various ways, I think if you want to differentiate and have something that's totally anonymous, great, and I think the market can choose to allow that to flourish. But what I don't like today is that there isn't an option. It's that every platform is based on anonymity or pseudonyms. And almost none of the platforms know who they are. Look at dating. Dating is another one of these fascinating ones. You're building a relationship with someone virtually that if it goes well, you're going to go meet them in person, but you actually don't know who's behind the profile. That's a classic scenario where if you want to be an anonymous dating platform, more power to you. But gosh, all the dating platforms today are essentially anonymous. If you want to have a safe and trusted dating experience, there isn't a good platform you can choose today who's doing the right thing to actually verify the identity of its users. And that to me is an enormous trust and safety risk.

Paul Muller: On the internet you could be a dog, as the old saying goes, right?

Aaron Painter: Or a bot.

Paul Muller: Or more likely a bot. And I guess one of the topics that we've had that we've talked about a lot on this show, we've prosecuted it multiple times, is this issue of ties, I guess, to what appeals to me to be the rapidly declining level of discourse in general, but talking about bots also specifically this issue of misinformation, disinformation, that's been appearing because of things like nation states, bots, attackers, and the inability as you point out I guess on numerous occasions to identify that these people are who they say they are. Maybe it's possibly even bordering on rhetorical now, because I imagine that that's one of the other benefits that we gain from a more authentic, higher fidelity identity experiences that we can reduce the amount of misinformation, disinformation that's able to proliferate. Would you agree?

Aaron Painter: Yeah, I would. And again, if there's a place for anonymity, and let's take Twitter again as a, I wouldn't call it a microcosm cause I'm not sure they're ideal, but it's certainly a little bubble where if you want to have a Twitter and that person is “I am an anonymous news informant and you might want to listen to what I say or not,” great, you know what's there. But there's equally someone saying, hey, I am this person. I am a journalist, I am a citizen reporter. I am just a person with an opinion and you know who I am. And therefore you can trust the words that I say. That's the concept of a digital town square, or that's the concept of a safe online community that mimics what safe, physical, real-world communities do. I believe there's room for both, but we need that option. We need the ability to create safer communities.

Paul Muller: All right. I love it. Are you ready to talk a bit about business?

Aaron Painter: Sure.

Paul Muller: Great. So, what you're trying to do is incredible. I mean, you’ve got me jazzed, I'm really excited for it. And I specifically like where your moral compass is intersecting with your convenience compass, I think it's fabulous stuff. You are but a small company trying to, what I would argue is change the world. How the heck do we make this real? Because I don't know how many users you've got at the moment, but as I mentioned earlier, there's 7 billion people on the planet. That's a really big bogie to go for. How do you make your vision a reality?

Aaron Painter: Today we focus on where the pain is strongest. And so, companies that have high value things to protect, whether that's access to their employee accounts, whether that's high value customer accounts, they're the ones where we're getting the most immediate traction. And whether that's today, we have large cryptocurrency providers that are saying, gosh, I loved having my anonymous wallet till I got locked out. And then the platform says, well, how do I make sure I'm letting the right person back in? Great example for it. We have banks, we have insurance companies, we have one of the most interesting ones now is a large-scale internet domain provider that does, you know, register domains and turns out every day, hundreds of people call and often try and take over, particularly high value domains where they say I'm actually the owner of it. Can you redirect that domain to this address?

And that company, like many, didn’t previously have a way to verify who that person was to say, can I trust that they're the rightful domain owner? So, these high value scenarios and we just see them in more and more places, and that's where we're seeing a lot of momentum. The other thing that I think has been really interesting on the social platform side, which we didn't expect, I think we went into this with this value proposition to many companies saying, create a safer platform, create a safer, more trusted community. And everyone says, wow, this is fascinating. Are we going to be first? Who else is doing this? And while the discussions have been going on with that, the age verification laws have emerged in the UK in particular and now in California. And so, it's creating a little bit of a GDPR effect where California and the UK, at least in many societies, are pushing this need to keep minors off of platforms and it's causing a lot of pressure to say, are you taking the right steps to make sure you're keeping your minor safe? And so, age verification turns out to be a really interesting proxy to move to true verified profiles. And so that's where we're in a ton of fun conversations right now with various social platforms around complying with the regulatory changes that have happened for age verification, which I think if they go the right way and we can implement smoothly the right way, I think will lead to a safer internet for many of those platforms.

Paul Muller: And fair enough, I suppose where my question was getting at, and that's a great example, is the future where Nametag is right up there in your mind with those things like me in my Google account, my Apple account, that Nametag is basically becomes a universal verb. I've got to Nametag this and if so, is there only room for one form of authentication in the marketplace or do you see this being an area where there'll be a number of different ways of solving the same problem? Hence why I'm sort of pushing on this 7 billion thing is do we all need to have the same underlying technology for this thing to ultimately work the way we need it to work?

Aaron Painter: I know that the problem isn't solved with today's existing solutions, and so we're focused on how do we build a great one? How do we let it help companies and kind of solve the pains that they're facing? And we go one by one by there. We don't need a large base of users in order to provide value. I think we went into this, that was an early thought of, gosh, how do we go get a hundred million users at a time? And instead, we have companies that are like, I don't need that right now. They're like, I need to make sure that my users are the ones that I think they are. Can you help me implement that? I don't care if anyone else uses Nametag, I need Nametag because of problem X, Y, Z. And so that's where we're really laser focused in, is in solving those pain that companies are feeling today. And as that grows, certainly it makes it easier, and then the next time maybe a user goes to that company, it's a faster experience. Maybe they can use it at another company, a great even more express experience, but we're really working on solving each company's pain point to create safer relationships with their customers.

Paul Muller: And if I understand you correctly based on, and I'm really glad you went into that level of detail, is what I think I'm hearing is it doesn't require that every provider be using Nametag in order to get interoperability for a single identity. It's a way of, as you say, reauthenticating, reproving myself to that particular provider. Multiple providers can be using different ways of solving that problem, some optimal, some suboptimal, but so long as the more important ones, as you say, domain providers, et cetera, are doing a thorough job of vetting my ID, that ID which is then able to be transferred or sorry, how do I put this succinctly? Reused between multiple services. Have I got that roughly right?

Aaron Painter: Yeah, that's right. That's right.

Paul Muller: Amazing. Incredible. Well, look, it's been a huge pleasure having you on, really stimulated a lot of thoughts on my mind. I'm sure I'll be thinking about this episode for a few days to come. Where can people go to learn more if they're interested in learning more about the history of identity and the future of authentication?

Aaron Painter: LinkedIn's kind of our hub, so we're creating a bunch of content. We love engaging with people who are passionate about this stuff like yourself and certainly others. So please engage there, check out the content, follow Nametag. Reach out directly to communicate with me, same thing. We are super passionate about this space and frankly just creating a trusted and safer internet. And so, people that share that passion, that's where to find us.

Paul Muller: You're on a mission and I love it. Hey, speaking of love, the shows sponsor Rocket Software. Big shout out to those guys. They've got a set of values they talk about that matter to them. They're the company values, empathy, humanity, trust and love. I'm just curious, it doesn't need to be one of those four. What matters to you right now, Aaron?

Aaron Painter: Yeah, it is very much aligned to our mission where I would think of, we are trying to build a safer and more human internet. And so, actually, I think it aligns really well to some of the Rocket software values.

Paul Muller: Well, thank you so much for taking the time to join us today. It's been a huge pleasure having you here. Thanks again to Rocket for bringing us another episode of the Double D — Digital Disrupted — and thanks for listening in. If you like what you've heard, give us a thumbs up. It just makes a massive difference on whatever pod catcher you happen to be listening on. You can hit me up at Twitter. We've mentioned Twitter. It hasn't imploded yet. I used the word yet. That gives me a 50/50 bet there. You can hit me up with Twitter @xthestreams or the show sponsor, Rocket @Rocket. If you've got any questions for our guests or ideas for topics you'd like to hear covered on future episodes. With that, we'll see you all next week. Stay disruptive, everyone.