A
You've had a dynamic where money's become freer than free. If you talk about a Fed just gone nuts. All. All the central banks going nuts. So it's all acting like safe haven. I believe that in a world where central bankers are tripping over themselves to devalue their currency, Bitcoin wins. In the world of fiat currencies, Bitcoin is the victor. I mean, that's part of the bull case for Bitcoin. If you're not paying attention, you probably should be. Probably should be. Probably should be.
B
Gerald Glickman, welcome to the show, sir.
A
Thank you. Great to be here.
B
Freaks. For context of how Gerald and I met, we met outside of the TFTC and pubkey bus in Miami. What was that, four years ago? Five years ago now, at this point.
A
Yeah.
B
At the time you were working in the banking sector helping, correct me if I'm wrong, if you're comfortable me saying this, if not, we can cut it out. But helping cannabis businesses get bank accounts and navigating the regulatory landscape that comes with running a business that is perceived to be uncouth by the government. And so you were on the ground there, correct?
A
Yeah, and went there because they had a crypto banking portfolio that I wanted to support. The bank was called MVP Bank. They're still called MVP Bank, but yeah, I was there in a fraud and identity risk management kind of oversight role. So, you know, you're. There was a lot of. We also did gambling, you know, FanDuel and DraftKings. So all the. All the things that maybe big banks didn't want to touch. MVP was all about it.
B
Yeah. And so that's your background. But why we're here to talk today is digital identity. This is something that you've been passionate about, we've talked about for many years behind the scenes, and I think we should just jump right into it. I think when most people hear digital identity, their eyes glaze over. But you argue that we're at an inflection point. In your mind, what broke that made this whole conversation about digital identity urgent and what misconceptions do bitcoiners have around it?
A
What broke? Well, start there. Yeah, I mean, I think the model for digital identity broadly in the United States has been breaking for a few decades. Certainly the step change in AI and LLMs generative content has accelerated that to the point where, you know, fraud and identity risk managers, you know, the half life of new controls that they're putting into production is just in a nosedive. But. But fundamentally, the paradigm is broken in and of itself. Like the security model of how we do identity, which is, you know, we're effectively using our identifiers, right, like our name, address, Social Security number, these types of things as our authenticators. Basically using that information and possession of that presentation of that information to prove that we are ourselves or in a lot of cases, somebody else. And this is a fundamentally flawed model. It's based on the assumption that information is a secret. Maybe at one point it was a secret, hasn't been secret for years, decades. Everybody knows their private information is massively compromised. You would think that that would mean that we have to change the way that we do identity verification. I think you'd be right. But we haven't done it. So over the years, I've seen more and more fraud risk managers in the business. These are not bad people. They're trying to protect the corporations that they work for and their clients from fraudsters. But the way that they've been trying to keep that edge and maintain their performance, you know, in these probabilistic systems, is to consume more and more aggregated information, including biometrics. And I've been particularly alarmed at that. That's the type of thing that you don't get back. You know, you can't. You can't rotate your face, you can't rotate your fingerprint. We should presume that information is going to be compromised like all other secret information that we trust centralized third parties to protect. 
And once that information is compromised and already has been, you're not getting out of that hole and you have no other trigger to pull. So, yeah, I think the model has been breaking. Bitcoiners and many other people all around the world have significant concerns about the proliferation of digital identity. No one can argue that it's a significant vector for authoritarian control. This isn't a hypothesis. We can just look around the world and see this. And, you know, for me, I've historically been, you know, working in financial services and been on the inside. I've also worked at, I, you know, led the fraud team at one of the largest identity verification companies during the height of COVID as well. So I have the public sector kind of experience as well. And, and, you know, we want to make sure that as practitioners in the space, we have a sense of the work that we're doing and how it's connected to the root problem and the systems that we're operating in. And I fear that most people don't. And yes, as these things accelerate globally, I mean, even the United States, many states are rolling out digital driver's licenses. I feel as though it's really, really important for everybody to understand how these things work, how they don't work, and what other tools, technologies, approaches and policies are out there that we should consider, refine and advocate for.
B
Yeah, I guess going from there, it seems that the power structure, whether for nefarious reasons or legitimate reasons, has identified that the system is broken. It cannot persist in its current form. And we need to transition to a new way of verifying individuals, particularly in the digital world, verifying that individuals are who they claim to be in the digital world. And there's a plethora of solutions that have been brought to market. E-Verify, obviously, Worldcoin and the Orb and the preconditions of a digitalized ID system that leverages some form of blockchain technology or some government database that consolidates it. And so I think with that context, what in your mind are the proposed solutions today? What do they maybe get right? And what do they get terribly wrong?
A
Yeah. So let's start with kind of both ends of the spectrum. One is pure knowledge-based identification and verification. Fundamentally broken. Right. Like, we cannot use these systems anymore. Everyone's information is massively compromised. I've written and said before that that security model is, is effectively using your address to your home as the key to your front door. Right. Like, no one would do that. But that's effectively what we're doing. We're using now public information that was once secret as a means of authenticating ourselves. We cannot do it. It doesn't work. And in many, you know, not even high assurance, but even like medium assurance use cases, like practitioners kind of have moved away from that. But you still see that for low assurance verification use cases in the public sector, it's bad. The other end of the spectrum, I would say is full on biometrics. Like the Worldcoin piece that you mentioned of like using your identifiers, your biometrics as authenticators as well. And again, you can't give that back. Right. Like you're handing that over to a private corporation. They might make claims about, oh, we delete it. I don't know. I don't know why anybody should believe that, but it's just not a great idea. The things that I advocate for are largely around open standards. These are not my ideas, by the way. These are other people's ideas. They've done the work. I've just discovered them as a practitioner looking for better answers. The approach there is to really use cryptography to secure the attestations that we make, the same way that we secure the rest of digital life with private keys and public keys. This fully satisfies what I call authorship fraud. Basically. How do I know that the attestation that Marty made actually made it? Well, I can grab his public key, I can verify the digital signature. And now I'm not relying on probabilistic inference of taking a picture of a driver's license.
I'm using cryptography and math to provably know that you authored this attestation. So that doesn't mean I should trust it. Right, of course. It's just something that you said and I can prove that you said it or wrote the message and signed it. That doesn't mean that I should rely on the message. So that's a whole other thing in terms of trust frameworks and credentials and things like that. But probably my advocacy is around open standards and frameworks that are. And policies that are going to empower people to be able to control their identities. The biggest thing for me, Marty, being a practitioner in the space is, and again, knowing how it works in the private sector and the public sector is just seeing the results. Right. Like in the next hour of this conversation, at least 3,000 Americans will be victims of identity theft. This is unacceptable. Like, we're just doing it, right? It's like through no fault of their own, there's this. Something is happening to them because of our approach that is going to have a massive negative impact on their life. It's just unacceptable. As somebody in the space. So, yeah, I'm all about open standards, cryptography, empowering individuals and actually doing a better job at preventing fraud.
B
Yeah, I mean, and just to add to those numbers, I think you've written about it. Three trillion in fraud across federal programs in two decades. 4,000. More than 4,000 breaches per year. Deepfakes fooling automated systems, and it's only accelerating with AI.
A
Yep, yep.
B
Yeah, so that's what I mean. So I agree. I think this problem needs to be solved. And Matt and I talk about it, particularly on RHR, because we do the live stream via Nostr. And then Matt will go to the official RHR account and post a note of the video. And that post, that note comes signed with our, with our private key associated with the Rabbit Hole Recap account. So you know that like, hey, we have access to the private key, nobody else does. We're signing and attesting that this is the real Rabbit Hole Recap of this week. But getting into it, like, obviously Nostr. You can use your real name, but most people use it pseudo-anonymously. And so that's what I'm trying to get a better understanding of when, once we transition to a world that is, whether you like it or not, likely going to necessitate the use of digital IDs. What is the spectrum of acceptable types of IDs? I imagine I will keep my Nostr account. I have a web of trust associated with my public address on Nostr. I think I've been using it for five years now. So I think people trust that it is me and know that it is me and I've built up a reputation there. And that reputation associated with my Nostr key should be able to enable me to interact with people that need a degree of trust on the web. However, is that going to be okay with governments, with tech companies, with other actors that may demand a form of digital ID in the future?
A
Yeah, yeah. So there's, there's a lot of, there's so much to talk about here. The first thing I would say is, and to give some credit, my views here are significantly influenced by Christopher Allen, who, who's been in this space for a long time. If you don't know them, you should for sure. But trust, when we talk about trust and digital trust, trust is a contextual thing. It's not a one or a zero concept. And I think the easiest way to think about trust in a digital context is to kind of step back into the meat space and think about how we develop and manage trust in the physical world. And trust is contextual. And usually if you want to engage in some kind of relationship, private, commercial, whatever, it's usually progressive. You're usually sharing more and more information and establishing a higher level of assurance and trust, maybe even getting third parties involved to validate the claims that other people are making if it really matters to you. So I think the context is always the first thing to start with. If it's making a post on social media and knowing that Marty authored it, cool. That's a pretty low risk thing. It's probably more medium or maybe even higher risk for you, but that's you. It's different for me, it's going to be different for everybody else. I think that's kind of always the first thing to start with is there's, I think we're so trained as modern humans to look for a singular answer in all contexts and we just have to stop that right there. This is not how this works. So context is king when it comes to the different methods and what's acceptable in different contexts, both for individuals, for businesses, for states. It's actually interesting. So today there's some legislation going into effect in Utah called SEDI, State-Endorsed Digital Identity, which is really interesting. It's also, we could talk about this later about like, no single person or entity is like a universal actor.
Like also today, Utah's VPN ban, it's not quite a ban, but it's effectively a ban, is also going into effect. So on one hand we have this super great digital identity infrastructure and bill that protects individual liberties. We'll talk about that more. And on the same day we have this VPN issue going into effect. So it's very confusing if you're just looking at it from a high level, but SEDI in Utah would actually allow you to bring your own identifier, like an npub. And as long as you demonstrate control over that public identifier, sign a message with your nsec private key, the state will actually issue a credential to your public identifier. It sounds like, okay, well, still what, who cares? But it's actually a really kind of profound architectural thing in the sense that it's giving control back to individuals. Because let's say, for example, the state issues your driver's license. The subject in it is your centralized identifier. Let's say you get into a bunch of accidents, you get your license revoked, they have to pull it. For a lot of people, you know, the license in the United States is like your primary identity document. And having that revoked has a significant impact on your life. With this model, you would retain control over your identifier. Now it's just your credential is no longer valid. You can't really present it anymore. But you haven't been like rug pulled in terms of your entire identity.
B
So yeah, your, your credential to drive has been taken from you.
A
Correct. Correct. But not your, the foundation of your, of your digital and physical life when it comes to identifying yourself. So, you know, Nostr is certainly interesting. There are a lot of different decentralized identity like methods, and basically it all comes down to like, where do you anchor the actual public identifier such that people can get the information that they need about the cryptographic schemes and other things to be able to verify your digital signature. You can anchor an identifier in a lot of different places in a lot of different ways. And these different ways, again, going back to context, are more appropriate given different contexts. But for example, most people are familiar with domain names. You could anchor a DID on a domain name. Pretty easy for institutions. The dependency there is DNS. Most people don't know how DNS is actually managed, but it is centrally managed and controlled. Most people find it acceptable. But there are trade-offs with all these things. You can anchor it in a social media public key like Nostr, which is portable to a large degree. You're relying on the network of relays. The trade-offs there are around correlation and key rotation with that. Specifically you can anchor an identifier on a blockchain which can give you some sense of neutrality and durability. But again you have the public metadata risks there. There are some emerging methods that are more self-contained, I would say with no external dependencies. I would point to like KERI and XID from Chris Rowan and Blockchain Commons folks, where the continuity there really comes from like signed control over like a key registry that you maintain that you can give to somebody, you can anchor it somewhere else, but it's basically like a log that you can present and it has the cryptographic assurance throughout that whole thing. So it really depends on the context and like where the continuity comes from and the assurances come from.
But ultimately like the design choices, like do matter in terms of like who can censor and route and like recover and correlate or like take away your ability to represent yourself in these contexts.
B
Well, I mean it's a perfect point to bring up. What are the, what are the black mirror scenarios that can unfold if we get this wrong?
A
Man, it's really interesting. I think about this a lot is kind of the Jevons paradox of it all. By being an advocate for these tools and advancing the standards and ability for people to be able to do this in an easier way. Yes, the goals are ease of use, but largely the goals are around privacy and individual empowerment. But nonetheless it has to be easier else people won't use it. Given that one of the goals is to make it easier. Going back to Jevons paradox, we don't want to enable a world where we're now being asked to present our papers to go into the public square digitally or physically. So I think one of the guiding principles that I like to kind of true back to is like whatever the rights and norms are in the physical space around identification, we should look to preserve and fight for those in a digital context. So the black mirror manifestation, again we don't have to look far like these things are happening today. You've talked about China, social credit scores, ability to access basic public services and have it impact like, you know, your eligibility for transactions in the private sector as well. Like, we do not want that. We do not want over identification just because identification is now easier. What we're trying to do is make it easier for people to retain their privacy and even claw some of that privacy back and do so in a way that they control and is also can be done, you know, easily. Yeah.
B
And sure you saw me fidgeting over here because as you were saying that this is something that we covered yesterday in the Bitcoin Brief. I'm not sure if you saw it, but the GUARD Act, protect the children.
A
Yeah.
B
Trojan horse for digital identity, basically. It passed the Senate Judiciary Committee 22 to 0, requiring age verification for all chatbot AI users, bipartisan unanimity to basically try to throw age verification. And I think that's another important topic to bring up is the nefarious ways and framings that governments will use to Trojan horse centralized panopticon digital IDs on the masses. And I think age verification is the number one way that they'll do that.
A
People are not wrong. The fear is grounded. This is, this is often the vector and framing that is presented to the public around safety. Taking the children, what we, what we have to true back to is again the principles of what are the expectations in the physical world and do I have to identify. I don't have to identify myself when I go into Walmart as an example. But if I go to Walmart.com like I am like behind the scenes being identified. Right. And there's all. And I've agreed to it, whether or not I understand what I clicked when I said I allow cookies or what. It's such a mess. But yeah, we need to find a way to build and amplify the standards, policies and tools to get us closer back to those real world expectations of privacy. It also is very troubling, not just the age verification stuff, but like I mentioned Utah's effective like VPN ban as well, which, you know, the net effect of that and it's not again, it's not really a ban. It's more nuanced than that. But like the likely result is that like VPNs will be less used and you know, sites will either block users that are using VPNs or you know, in an effort to like mitigate this liability that is now on them, they will attempt to like age verify everyone. Right. And we'll be in this world where it's like a norm to hand over all of your basic personal identification information just to read the news or check the weather. That's we have to make sure we avoid that outcome.
C
So freaks, this rip of TFTC was brought to you by our good friends at BitKey. BitKey makes Bitcoin easy to use and hard to lose. It is a hardware wallet that natively
B
embeds into a two or three multisig.
C
You have one key on the hardware wallet, one key on your mobile device
B
and block stores a key in the cloud for you.
C
This is an incredible hardware device for your friends and family or maybe yourself who have Bitcoin on exchanges and have for a long time but haven't taken a step to self custody.
B
Cause they're worried about the complications of
C
setting up a private public key pair, securing that seed phrase, setting up a pin, setting up a passphrase. Again, Bitkey makes it easy to use, hard to lose. It's the easiest zero to one step, your first step to self custody. If you have friends and family on
B
the exchanges who haven't moved it off,
C
tell them to pick up a BitKey. Go to BitKey World, use the key TFT20 at checkout for 20 off your order. That's BitKey World code TFTC20. Sup, freaks? When you take Bitcoin seriously, you start with custody. You want to control your keys, avoid single points of failure and make sure your savings cannot disappear because you or someone else screwed up. That is what Unchained has been focused on since 2016. Unchained is the leader in collaborative multisig custody and Bitcoin financial services that keep you in control. They secure over $12 billion in Bitcoin for more than 12,000 clients. That means about one out of every 200 Bitcoin sits inside an Unchained vault. Their model is simple. You hold two keys, they hold one key. It always takes two keys to move Bitcoin, meaning their single key can't access your Bitcoin on its own. Just resilient shared custody that gives you institutional grade security while keeping you sovereign. Unchained also lets you trade straight from your vault. Access Bitcoin backed commercial loans, open a Bitcoin IRA where you hold your own keys and set up personal business, trust or retirement vaults. They even offer inheritance solutions built for long term hodlers. Or opt for the highest level private client service with Unchained Signature and get a dedicated account manager, discounted trading fees, exclusive access to events and features, and much much more. If you want a partner that helps you secure and grow your Bitcoin without giving up control, go to unchained.com and use the code TFTC10 at checkout to get 10% off your new Bitcoin multisig vault. That's TFTC tenchain.com.
A
yeah.
B
And I mean, this is. This is something that's been discussed in the world of DIDs, particularly in the sort of Bitcoin slash Nostr ethos is particularly via zero-knowledge proofs. And please step in if I'm speaking out of line, but there are ways to selectively verify that you are 21 without revealing your exact birthday, right?
A
Absolutely.
B
I think that is where not enough focus is on. And it's a shame that, like, Web5, Block's initiative, sort of fell under, because I've talked to Daniel quite a bit, and actually talking to him makes me maybe pretty bullish on what they built and how you could do things. I think there's definitely some design choices that they made that others should be paying attention to, maybe go back and see what they were doing. But I think around this selective. The ability to verify that you do meet certain credentials that are necessary to interact in the digital world without actually giving up all the information itself.
A
Yes, 100%. Coin Center is also a big advocate for these types of approaches as well. So grateful for Daniel Buchner, Peter, Coin Center, everybody there who's keyed in on these things and has been doing the work for years and years. But, yeah, outside of a DID. Right. So if we think about a DID, what is it? It's a decentralized identifier. It's a private, public key pair. Cool. What does that give us? That gives us the ability to verify if somebody authored something. Great. The other piece of this is around credentials. We talked about the state issuing you a driver's license with the subject of that credential being your DID and not your PII. That's fantastic. It's also not enough. We don't want to be in a world where it's like, cool, I have this verifiable credential that I can present and authenticate with my DID by, you know, using my private key to sign the presentation of the. Of the credential. We don't want to end up in a world where, like, we're basically just now, like, taking a copy of the digital credential and now storing that for seven years instead of a picture of your license, which, you know, it's basically financial services. So the ideal flow, you know, and the tools and technologies are here. Like, they. They exist. They're still emergent around some of the edges. But like we do have the ability to issue credentials such that they have these, these specific proof points in them such that like when I go to the bar, I don't have to reveal my birthday, I just have to selectively disclose the attestation that's a part of my signed credential from the state that says I'm over 21. Maybe that credential also has a picture of my face or maybe that credential requires me to locally like biometrically authenticate myself to the device that the credential is bound to.
But there's a lot of different ways that we can, we can, we can build assurance between the credential and the presenter of the credential to ensure that like, you know, the credential isn't like lost, stolen and misused. And there's a lot of things that the issuers of these credentials can do to ensure that like the holders of these credentials can present attestations or verified like attributes of the credential without completely revealing like their whole dossier. Right. So yeah, I think that is, that is the way forward. There's, I can like describe like that ideal flow if you're interested, but that, that's like really what we're aiming for is composability. Right. And the ability to just like share proofs, not documents.
B
Yeah, please explain the flow because I think it's important.
A
Yeah, yeah, yeah, sure. So I think like when I think about the, the ideal flow here, like I think an issuer and you think about an issuer who's an issuer. I could be an issuer. I could say I'm going to issue you a credential, Marty, that says you have a red hat. I have reason to believe you have a red hat. Can be anything. Anyone can be an issuer of a credential or an attestation. What I'm going to do then is I'm going to craft that credential in a standard that allows for privacy preserving presentation of that credential, which is going to allow for selective disclosure and zero knowledge proofs. And it's going to be, I'm going to sign it and it's going to be bound to your public key. You can only present it if you authenticate yourself with your private key. That completely removes what happens if somebody gets a hold of your digital credential. It's useless unless that threat actor also then has the private key, which if that's the case, you have bigger problems. But I'm going to craft the credential in such a way that I'm going to say Marty has a hat. Marty also has a hat that's red and he also has a hat that has a reference to the Bitcoin Park Classic golf tournament from 2023. Different levels of specificity. Then you could selectively reveal them as you choose. Let's say you're going to a bar and they're going to say, hey, only people that possess red hats from 2023 can get in here. That's a very specific request. Right. And honestly, like when you think about going to a bar, like they're looking for a very specific request as well. Like they want to know that you're over 21. They don't care where you live, they don't care what your name is, if you're an organ donor, all that stuff. You have to reveal all that to satisfy the requirements. But like, let's say you're at this place, the bar is, you must have verified proof that you could, you know, own a red hat. 
I'm going to make that request to you in a format that your wallet and your credential can directly respond to. I'm going to say, please provide proof of red hat ownership. You'll go into your wallet and you'll be like, cool, here's my verified claim from Gerald. I'm going to present this attribute. There we go. Now, should the bar trust that Gerald is a trustworthy source of authoring this information? That's up to them.
B
You're a red hat oracle, man. You're the trusted red hat oracle.
A
Yeah, but again, this goes back to context. Most people at a bar, that attestation needs to come from a state, but in this context, whatever, it's private attestation. You happen to have a credential, you can selectively reveal the component of that. You're going to generate the presentation of that claim with a zero-knowledge proof. You present that. You don't have to hand over your phone or anything. You can do it via QR or maybe even NFC. And it's like a one to one nonce-based request. That's not a replayable thing. They can't take your authenticated presentation of this credential and use it anywhere else. It's a pairwise presentation. The verifier then validates it. Right. So they, they take a look at, okay, like who signed this? Gerald. Okay, Gerald's like the man when it comes to, you know, inspecting red hats. We trust him. They might have like a, a challenge of some kind. They might, if the credential doesn't include it. Like they want to make sure that the presentation of this credential is in fact like signed by the, by the person or the controller of the DID. So you could just authenticate yourself to your phone to sign it if you didn't already do that. And what we've done is we've enabled this club to protect your privacy, satisfy the information that they want and they don't have to call me as a part of digesting that credential. They're not phoning home to some state agency or Gerald's red hat Oracle business to be like, hey, Marty's here at this time at this location. Does he have a red hat? No. Like the credential stands alone by itself. It's anchored to your DID and it's built in such a way such that you can select and present authenticated pieces of it. So that's it. And after that, once they do all that stuff, they don't need to record your name, they don't need to record when you were there. They just need to know like, hey, like this requirement was satisfied and like this guy's in.
Maybe there's a timestamp, maybe they provide some sort of like proof verification result if necessary. But like no PII is exchanged, just the proof and like the requirement is satisfied and people move on. So this can be done in a privacy preserving way using, using proofs instead of just like handing over a digital credential itself. And that is the way that, that we should do this for sure.
B
You mentioned that if somebody loses or somebody loses access, not maybe not loses access but somebody else gains access to their private key credentials, that you have big problems. But I don't want to gloss over that because I think that that that is a massive point of friction that is unclear how you solve to me like obviously we see this a lot in Bitcoin.
D
Private key.
B
Losing private keys or somebody stealing private keys is not uncommon. I want to call it rare when I call it, I want to call it most people aren't susceptible to it or haven't befallen that I would imagine. However it does happen and I think this is something that we're still trying to gain a level of comfortability over developing these new skills of handling private-public key pairs and securing them, most importantly. So what's your, what are your thoughts on that and how that evolves?
A
Yeah, I mean as we incorporate these kind of approaches into more and more of our daily life. Like we need to get better here, right? Like not just around individual responsibility, obviously that's a key part of it. But we need to build systems and capabilities and make conscious choices around, hey, if you lose your mpub, that's it. That's all the protocol supports at the moment. There are other DID methods and approaches here which do solve for this or attempt to solve for this thing specifically. They have other trade-offs, but I'll point to KERI as an example. They do what they call pre-rotation. So basically you have a private key. You can pre-rotate your keys and hold multiple private keys such that if you ever lose an earlier private key, you can broadcast a message that says, please disregard, you know, any messages from that in the future, or if it was compromised, etc. So I think that that is like something that we need to get better here across all of these methods, whether it's like, you know, collaborative custody kind of setups that you and your audience are probably familiar with around like multisig and just the whole, the whole spectrum there. Or building it into the protocol itself like KERI, where you're, you can, you can pre-rotate. Now obviously like if you lose all your pre-rotated private keys as well, like what, what do you do here? This is, this is the problem with decentralized systems. There's no hotline to call. But that doesn't mean that we can't build in you know, capabilities and recovery mechanisms in the protocols directly that enable people to like take these precautions. So you'll probably hear that in a lot of my answers. It's never like a one or a zero on these things. Like we should understand the middle ground and like make a deliberate choice that suits our context.
B
Yeah, no, it makes sense. And I'm thinking of something like the big key here, like their social recovery. Maybe there is something you can do with family. Maybe it'd be mandated by state, has to be family members or somebody that's a vetted close friend and you get two of them and if they're willing to sign on your behalf, then you worry about like all right, what if they loot against you? Now I'm rambling, but no, it's a
A
lot of the same like, like systems thinking and like threat vectors in this context as it is with like bitcoin security as well and private key and self custody. So I think bitcoiners are uniquely suited to be able to advance this conversation because like we've already spent years thinking through like all the, how all these threats manifest and like at what level? Certain. You want certain assurances about recovery. Again, for certain contexts, like, maybe it doesn't matter at all. For others, it's like you would never, ever consider doing this yourself if you didn't have these collaborative recovery mechanisms. So yeah, again, context dependent. But there are tools and methods today that, that care for these things. It's just a lot of them are nascent and fundamentally like, constrained. Given the nature of like, hey man, it's entropy. If you lose it and you did it yourself, that's it.
B
So next up, you've written that the choices made in the next year or two will lock in the architecture for a generation. Why do you believe this? Why do you think this window is so narrow right now?
A
I mean, I'm just looking around, man. Like I see the age verification stuff. I see more and more surveillance in public spaces and in private contexts as well. And I think, you know, you mentioned the angle of safety. I think AI, like fraud risk managers and identity practitioners have known this for a while that like, you know, this is a never ending battle, you know, with these digital tools. But I think it's become more obvious to folks like the level of impersonation risk. And I think that amplifies the likelihood that as a society we will make hasty decisions and buy into simple framings and solutions. Right. Of like, hey, this is a big problem. It's wasting a lot of taxpayer money by the way. It's already wasting a lot of taxpayer money. But like it's probably going to get worse. So therefore this is what we need to do. And you know, I've already seen that for years. Right, like that. Just the pressure that fraud and identity risk managers have to maintain their level of performance to determine if somebody is who they say they are. And there's a lot of pressure to just like do something. Right? And the, the something that we've been doing is on a path where we're collecting more and more biometric information, aggregating more and more signals. We have more and more listening devices around us all the time that are capturing and synthesizing and selling our personal information. We should just be very thoughtful about where that's going to lead us. And I think the advances in technology over the last few years have dramatically accelerated those timelines. So yeah, at a time where we're, you know, half of the states in the United States have some kind of like age verification. States are rolling out digital credentials. Some of them are done well, some of them phone home. Nobody wants that. Right. But, like, this is happening. Right.
So there are states in the United States where every time you present your digital driver's license, it's a ping back, you know, to the issuing authority. You know, nobody wants that. Like, but this is. This is what we're going to have. If we don't lean in and put our hands up and say, excuse me. That is. That is not my right and expectation as an American in the central context, and I reject it. Yeah.
B
Imagine the amount of blackmail that they could do. Like, oh, hey, Marty, I know you've been telling your wife that you were going to the library to do some research, but we see that you were actually just going to the bar down the corner. It'd be a real shame if she found out. We're going to need you to do something about that.
A
Right.
B
Of this thing that we want you to do.
A
Yeah. So we don't. We don't want that, and we don't expect that. Right. Like, we. There's been massive, you know, creep, I would say, in terms of surveillance over the last, like, five years, for sure, but really the last, like, 20 years, you know, predominantly through, like, the way that we monetize the Internet. Honestly, like, I started my career in, like, digital marketing and advertising and have, like, early, you know, experience with, like, these private identity graphs and, like, custom advertising and stuff like that. People have had many moments. Like, we as a society have had many moments of, like, new levels of ick. Right? Of, like, oh, I was talking about something with a friend, and then I saw this ad. What the hell is that? And, like, it deeply disturbs people for, like, half a minute. And then they're like, oh, but, like, that is kind of convenient. You know what I mean? So, you know, this is the challenge. Challenge here is basically trying to get people to deeply understand that these are real fears. This is happening today in other countries throughout the world. People have much less freedom because of these systems. And I want to make sure that if we as Americans end up in that spot, it's because we understood the risks and we made the choices. Now, like, fewer and fewer people are actually, like, aware and engaged. But, like, that is never going to stop me. And I hope it doesn't stop people that are listening to this to, like, try to make the world a better place and, like, uphold American values. So, yeah, man, I feel like the window is as open as it's ever been for, like, real change. But it's closing fast.
B
Well, I mean, to your point there, I completely agree. The masses are never going to take the time to dive into the architecture, distributed digital ID systems, decentralized digital ID systems, nor care to weigh the trade-off. So that begs the question, who are the necessary stakeholders to get this message and these designs in front of. And obviously I think politicians is the obvious one, maybe Big Tech is another one. But I think maybe Raoul, and correct me if I'm wrong, is the industry which you come from, which is fraud prevention and compliance. And that begs the question, what is the state of their understanding around this topic from your perspective?
A
The incentives are not good, man, when you think about, okay, we want to do a few things. We want to actually do a better job with determining if people are who they say they are. Cryptography helps with that massively. Fantastic. We want to enable people to be able to present or like hold and present their own identity related claims. Fantastic. The rub there is the entire identity verification model, like the industry is built on a model where that fully conflicts and subverts their business model. These people are getting paid for every verification that happens. So if you're working inside of one of these companies, and again I work inside these companies, and you come forward and say, you know what I think we should do? We should find a way for people to be able to present these claims themselves such that they don't have to take a picture of their face and upload a picture of their license. You know, for every website that they go to, you know, you're, you're going to hit a wall pretty quickly just given the economics of the business model. So yeah, the, the incentives are, are not good there. Same with Big Tech. Like they're going to move if they need to, but broadly, like this is a source of revenue and like, you know, network effects and control for them, so they're not going to just like hand it over. So that's why I was excited about SEDI because I think states will likely need to lead the way here at a federal level. We have seen recent requests for comment from Treasury on how can financial institutions rely on attestations from other financial institutions in the verifiable credential format. If you've already gone through identity proofing somewhere else, you know, they hand you that credential, you can then use that credential to skip some account opening and like KYC processes at another bank, that would be a good thing. It all comes back to at this point the trust model.
Like how do I know as bank B, what bank A did, what their processes were, all that stuff. And this again goes back to the incentives of like, of the context. Right. So identity verification today is a probabilistic process. The things that influence the optimization targets of that probabilistic process in a private sector context are profit and loss. If you're trying to open up a savings account that has a seven day funds availability policy and I have very little risk, I'm going to have different thresholds on the identity verification than if you're trying to open up a mortgage and you want me to write you a check for half a million dollars. Right. So just, just that realization makes you realize that like the, the assurance provided by any financial institution is a function of their own context, which makes it hard for other financial institutions to rely on those attestations because who knows what the context was. So I think there's some standardization work that needs to happen there as well. And you know, we can, NIST and other, other agencies can kind of help with that. But ultimately like, you know, private industry needs to lead here. There's been some good progress and states need to lead because the federal government, you know, is like, they're aware of the problem. They haven't really been doing a whole lot frankly for the last five, ten years.
B
Yeah, well, you mentioned there's some good actors in the private sector making some progress in this direction. You mentioned KERI earlier. I'm not sure if you believe they're one of them, but anybody else in your mind, is Worldcoin actually good? Have I been wrong about Worldcoin or.
A
No, no, you've not been wrong. I mean, it's just, you know, there's a reason why it gives people the ick. Right. Like you again, like this is a very real problem, like proving that humans are human and proving that you are who you say you are. Like, this is a very real problem. And I don't know who started that project. Sam Altman? Like, I don't know the people. I do know some people from like the standard space that like worked there for a little bit and then like left shortly thereafter. But no, we should not be using our biometrics as identifiers. It's a great way to authenticate yourself locally on your device. Fantastic. Doesn't leave your device. Excellent. But we do not want to live in a world where you're just walking around and private industry and government can just identify you from just your face.
B
Well, I think it's important that you're referencing Face ID on the iPhone there and I think there's a lot of misconceptions about what's happening there. Mainly people think that Apple is storing your Face ID on some server that they host. But however what's happening there is like it's a secure enclave thing. So it's biometric verification via the secure enclave that lives locally on your device, which is the right model. Similar to what happens with Bitcoin wallets. Like I have the fingerprint biometric here, but it's stored in the secure enclave.
A
Yeah, yeah. And, and you mentioned KERI as well. Like I'm not a technical expert. There's some things that I don't fully understand around like KERI witnesses and basically how you build that trust graph there because there is no like external dependency or like anchor. So it's like self-contained but they have this witness network. So yeah, I don't fully understand it but I am a fan of like people giving it the college try and trying to figure this stuff out. But yeah, broadly we want to be using identifiers that are not our biometrics and are not our personal information and we want to authenticate our ability to use those things locally or with places that we trust a lot. Like maybe that's the DMV. I'll go to the DMV to authenticate myself. I'll let them take my picture, whatever, because I know that they're going to give me a credential that is like of high value for me that I can use in other contexts that other people are going to trust and use and rely on. So yeah, I think that's like my general frame is that like using your biometrics as an identifier is not good. Again see China, like Americans probably, I think do not want to live in that world. It results in a world in society where people are just fundamentally less great. I don't want to live there. I don't want that to happen.
B
Yeah, I mean with the, with the iris scans. I mean Minority Report might be my favorite sci-fi movie of all time and it's just, I just go immediately there. Like the combination of iris scans and self-driving cars, it's just like Tom Hanks or not Tom Hanks, Tom Cruise had to go get a new eyeball transplant to avoid the, the ire of the authorities. They basically had autonomous drones that were able to go around and scan people's eyeballs to confirm who they were. And we're not too far off from that reality right now.
A
Yeah, yeah. And now's the time, right? Like now now that would be like my call to action. Like now, now is the time for people to move past the like, yeah, this is really scary and sucks and like we should avoid this to like, no, these policies and technologies are being developed out in the open now, right now. So now is the time to move past the black pill into the white pill of let's find a way to instill American values around privacy and self sovereignty into these tools and policies such that we don't end up there. Because I think it's fair, you know, to just observe that like directionally, like we are going that way and I, I want people to like be aware of that and you know.
B
Yeah, is minority report predictive programming where they just saying, hey, get ready for this future, there's nothing you can do about it?
A
Yeah, I hope not.
B
I believe not. Because the potential like you're describing why we're having this conversation right now is because the potential to avoid that is very real. The technology is at our fingertips and if we apply it the right way, we can get to the future that's privacy preserving and sovereignty preserving that we would all like to live in. And on that note, yes, let's move towards this. But for anybody listening, myself included, what are the low-hanging fruit first steps towards that direction? Is it interacting with policymakers, is it interacting with private industry, is it just making noise on X or is there some technical implementation that people should begin interacting with to signal like hey, this is the direction I would like to go.
A
Yeah, so there's, thank you for asking. There's quite a few states that are issuing mobile driver's licenses now for those that are like tech savvy and have the ability like find out how that works, like you know, is your state providing you a credential that phones home? Are you locked into a specific vendor, are you able to selectively disclose attributes of your digital ID or is this worse than a physical ID? The other things that come to mind are supporting open standards work. So I'm a big fan of the W3C. Manu Sporny has been doing an incredible job there for years and years in the decentralized identity space. Same with Christopher Allen as well. Co-author of the original DID spec. Trust over IP, OpenID Foundation, Decentralized Identity Foundation. All these are open to the public. They have open source development model. Anybody can get up to speed, observe, contribute. I would also direct people to the SEDI model legislation out of Utah. Take a look at it. There's some great stuff in there that does put some very real constraints not just on the state, but on the private sector as well. And puts a digital identity bill of rights, if you will, in place to constrain private sector from just willy-nilly selling your information. And yeah, just broadly talk about these things and not in a. Again, understanding the fears and the problems is very important. Like we need the motivation there to like understand like why we care about these things but then try to quickly move into like what we can do. And that's kind of where my journey started as well with BPI of just like, hey, like we, these conversations are happening. I remember, I think you read the BPI event last year around summertime and I think on stage Warren Davidson mentioned digital identity akin to the eye of star. Yeah, yeah. And I was like, well you know, I get it, but this is an
B
important point because I think there's a lot of people and I would have included myself in that camp probably like a year or two ago. Just like digital identity, avoid it at all costs. Becoming abundantly clear with the emergence of AI that we're going to get DDoSed by computers and robots and there is going to, whether you like it or not, recognize it or not. We are entering a reality. We are living in a reality where we are coexisting in the digital world with robots. And humans need to be able to identify each other in that system.
A
Yeah. And the ways that we should do that are the same ways that we create high assurance around any other exchange of information, which is we use cryptography. Right. There's no reason why we shouldn't be doing that or the layer zero of humanity, like authenticating people. So yeah, it's not really like a technology pitch, it's more like a values pitch. Like understand what's happening, understand the tools. The white pill is definitely not like everything will be fine. It's like the tools exist, the window is open and the outcome depends on whether or not the people who care show up and support places. Like, you know, Jay Stanley at the ACLU is a, is a great advocate and like fair advocate for these things. Peter at Coin center, obviously your, you know, your local legislators are like always great people to talk to. But like this stuff is happening regardless of whether or not we want it to. Like the worst case scenario is we don't engage and we continue on this trajectory. So that's why it's such an urgent moment for us to be able to put our hands up and say, wait, let me learn about this. We figure out what we're trying to do here and ultimately Apply the physical world test. Right. We want to replicate the rights and norms that we have in the physical space to the digital space. We don't want a digital identity, we want to digitize identity. And that starts with individual control, not like corporate control and walled gardens.
B
Yeah, and that's what I worry. I mean, we're seeing it with AI already, with the hyperscalers trying to position themselves and the technology that they're forging forward as a matter of national security. That needs to be controlled in a way that you create the regulatory moat and the license regime. And you can see in parallel, and you can actually see the same actors, obviously with OpenAI and Worldcoin being loosely connected via the Sam Altman connection, the digital id, saying this is critical to national security and digital security and we need the solution now, by the way, we have one. You should use this. And they have a lot of lobbying power, they have a lot of social cachet because people are very impressed with what they've built. But as we've come to know, particularly bitcoiners, big tech does not always have your best interest in mind. So it is imperative that we fight for these free, open, distributed solutions, for the closed garden solutions that will inevitably be put forth by these actors.
A
Yeah, that's the defense here. Open systems, open standards and software, open tools that everybody can use that level the playing field here and improve the floor for our sovereignty as individuals. Certainly private business is not going to go away here. The public sector also has some challenges because they have an access mandate. Right. We talked about the relativity of assurance in a private sector context being a function of profit. In the public sector, it's like, you know, they, they have a, an access mandate. Right. So they have to like over anchor on like, yeah, it's probably them. So you get error on both sides. And you know, this is where like this, the states and private sector can, can play a role to put these different models forward. And ultimately, you know, hopefully Americans who care about liberty and privacy will step up and make their voice heard here.
B
Yeah, well, that's like the last, last topic because again, going back to Warren Davidson's comments and again, hand up when like Agenda 2030 digital ID, you'll own nothing and be happy. I was a big, like, avoid digital ID at all costs. And I think it's going to force an uphill narrative battle because I think many people have viewed a digital ID as the mark of the beast, the form of the mark of the beast, if you will. And so again, reiterating what I said earlier. But maybe reframing, how do we convince people like, hey, not all digital IDs are bad. They're probably necessary in this world that we're emerging into. Unless you want to go live in the woods, which if you want to, more than happy for you to go do that for yourself. But we do have a society and a reality that is going to exist outside of your cabin in the woods and can go down one path or the other. There's, there's going to be a big narrative and anti propaganda campaign that needs to be waged as well.
A
I've heard you say it many times recently, like, you may not care about the state, but the state cares about you. Like, same context. Rather, the alternative to engagement is not like freedom from digital identity. The alternative is digital identity designed without our input. Right. So we are kind of seeing where that's going. The fight is really over whether digital identity preserves physical world privacy norms or continues to erode or fully destroy them. And our goal is to embed privacy, autonomy, portability, like legal due process and individual control, like, into the technology and policy stack such that the ability for this, like this reality to manifest is severely constrained at a fundamental level. It's going to take a lot of work on a lot of different angles, but it's critically important and I'm hopeful that many people continue to join the fight because it really matters.
B
All right, freaks, join the fight. Gerald, thank you for fighting on our behalf as many of us operate blissfully unaware of the progress that's being made. I mean, I'm more aware than most, but I think most people are blissfully unaware of what's happening. And again, it is uncomfortable because it is a fact that many people, including representatives like Warren Davidson saying avoid the digital ID, obviously have Catherine Austin Fitts and many others in that part of the world saying avoid at all costs. And again, I'm sure there will be people that listen to this podcast and say, Marty got turned. He's a spook now. The CIA got to him, he's pushing digital ID. That's like the weird thing is again, the ability to use cryptography to selectively reveal attestations of things being legitimate without actually revealing the information itself exists. And in the world of digital ID, that is much preferable to the Worldcoin or the phone home to the government to verify and them knowing everywhere you're going.
A
Yeah, we can not just slow the rate of change here. We can actually revert it with these tools in the technology. So that is what's on the table. How much of that we take advantage of will be determined in the next few years. And I think a lot of people, it's very scary. And it's so scary that they disengage. Like I said, that doesn't mean that these efforts are going to stop. So we need the engagement. If it scares you, lean in, learn more, become an advocate and join the fight.
B
Gerald, it's been an honor and a pleasure. Where can more people figure or find out, excuse me, where you're talking about this? Where can they follow you? Where can they keep up with the progression of the conversation as it lays, as it gets, as it progresses?
A
Yeah, so I'm on x. I'm@geraldblickman.com, but you can find me. Always open to talk to people to help them kind of learn more about this, direct them to things that are of interest to them. But yeah, those are. Those are the two spots.
B
All right, well, I'm sure we'll have more conversations about this over the next couple years as things progress. So until next time, thank you for coming, sir.
A
Appreciate you, Marty. Thank you.
B
Peace and love, freaks.
Episode #744: Your Face Is Not A Password with Gerald Glickman
Host: Marty Bent
Guest: Gerald Glickman
Date: May 11, 2026
This episode dives deep into the urgent, complex topic of digital identity in an increasingly digital and AI-driven world. Gerald Glickman, an experienced fraud and identity risk manager with a background in both banking and digital ID verification, joins Marty Bent to unpack why current digital identity systems are broken, what’s at stake as new systems are deployed, and how Bitcoiners and the broader public should engage with the evolution of digital credentials. The conversation weaves practical, philosophical, and technical dimensions, emphasizing privacy, sovereignty, and the window of opportunity to shape the future before dystopian surveillance models become permanent.
For anyone invested in the future of digital trust, privacy, and sovereignty—especially in a world dominated by AI and centralized gatekeepers—this episode delivers a roadmap for engagement and a warning against complacency.