Fobi Insider - Episode 12: Next-Generation Privacy Is Here
This week we talk about how Fobi is dedicated to staying ahead of shifting privacy standards and practices with Fobi CTO Tamer Shafik.
Blockchain and data privacy.
Both are huge topics at the moment, but how exactly are they related?
As a provider of actionable, market-leading customer data, Fobi is dedicated to staying ahead of shifting privacy standards and practices.
That's why we've joined the ranks of T-Mobile, Cisco, and NEC - by becoming a steward of the blockchain-based Sovrin Ledger, a key pillar behind Self-Sovereign Identity (SSI), which is widely recognized as the future standard of privacy and identity verification on the internet.
Find out how this further enhances data privacy and security for users of Fobi's technology, and why SSI gives Fobi a key advantage in the heated space of data privacy.
On this week's episode of the Fobi Insider (Previously Loop Experience), we talk to Fobi's CTO Tamer Shafik.
The following is a transcript of the conversation between Fobi Marketing Director Devon Seidel and CTO Tamer Shafik.
Fobi CTO Tamer Shafik: I think the old ways of doing access management and venue management are very much on their way out. I think digital credentials are going to be the de facto way of doing that going forward. And one of the core concepts of self sovereign identity is that you own your own identity and you own your own credentials. I firmly believe that the future lies with us having control over our identities and not giving that control over to a single entity or indeed multiple entities. So, we've worked closely with both Apple and Google on this. Created a team and have been working closely with them for several years now. These native wallets are the future of us carrying around our identities and both Google and Apple know this. They are very much connected with these efforts to provide interoperable self-sovereign identities that are in the hands of the user, that the user has control of.
What is really good for us here is that we are preempting this and we are positioning ourselves when that happens to be already using the ledger. We're not waiting for it to happen. We're leading the charge. We're saying, "This is where we think things are going to go." And we're going to back that by starting to use this network now to issue credentials against.
Fobi Marketing Director Devon Seidel: Hey, you're listening to the Loop Experience podcast. Join us for exclusive interviews, behind the scenes updates and all things Loop. Coming at you from the Loop head office in Vancouver, I'm your host, Dev.
Welcome back to the Loop Experience podcast. Our guest today is Tamer Shafik, Loop Insights' Chief Technology Officer. Welcome to the show, Tamer.
Tamer: Thank you, Devon.
Devon: So, Tamer, actually, I can't believe that this is your first time on the podcast. We do have back and forth conversations every day. I feel like I'm always slacking you new questions. So, it's great to actually have you on the show so that everyone else can hear all your great knowledge that I'm constantly asking from you. I want to start off by talking about you first, actually. So, you moved here from the UK about eight years ago, right?
Tamer: That is correct. My wife and I moved to Canada in 2013.
Devon: And when you were over in the UK, were you still working in tech at the time?
Tamer: I was. My whole career has been in tech. I'll give you a brief rundown of that. I started my career back in 2000, working for a small startup in Southampton. And after doing that for a little while, I went into setting up my own startup and did that another and had another go at that. So, I have two startups in the UK, which I founded and exited. And after that second exit, we decided to move to Canada because we were looking for a change and we'd been to Canada a few times and really enjoyed our time here and decided it would be good to live in Canada, at least for a while and see how that went.
So, I joined CGI and came to Moncton, New Brunswick for a job where I was working for one of their clients there, who was Atlantic Lottery.
Devon: That's great. And while you were over there, were there different kinds of aspects... You said that you were talking, working in startups. What kind of technology were you working in?
Tamer: So, most of my career has been spent building web applications and integrating web applications with existing platforms. E-commerce was a very big part of that. The UK experienced a very big e-commerce boom between 2002 and 2008. And we were positioned to take advantage of that and there are a lot of products in the e-commerce space. So, I would say e-commerce is my first love and I still have a passion for it. I love seeing e-commerce done really well and I dislike e-commerce done badly. And I really like the intersection of our technology, Loop's technology, with e-commerce. I think that's an interesting space to be in today.
Devon: That's great. And then you were able to actually transition into a position at NTT Data, which is the last position that you came to us from. What kind of projects were you working on there?
Tamer: When I started work at what became NTT Data, it was a company called Sierra Systems, which was a Canadian consulting company. I was based in the Victoria office and almost all of my work was with the province of BC. So, I looked after clients such as BC Justice. That's a attorney general. BC Citizen Services and my teams worked on a lot of the core systems that are used by these ministries to run BC, essentially, to run all the systems that we as BC residents rely on.
Devon: And all of those really tie into, like you said, what we're doing at Loop here. So, my next question is, why did you make this switch to Loop? And it kind of looks like a simple adjustment. Just you love working at startups, you were already working in the technology. Was that really the reason why you moved over to Loop?
Tamer: Yeah. Sometimes the right opportunity comes along at the right time. And Loop came along at the right time. It was a really good intersection between my interest in digital identity and how we prove a person is who they are and who they say they are and give them access to something. And I like what Loop was doing in that space. It was going at a much faster pace as is always the case with private sector. Going at a much faster pace than public sector were able to go out. The opportunity presented itself and I think I was also ready to go back to a startup. Having spent eight and a half years in the corporate world, it was maybe time to revisit my startup roots. I like both. I think there are definitely things to be said for working in a corporate environment. You get structure and you get resources that you don't have in a startup. But if you are like me, enjoy the fast pace of doing things and being able to get products to market quickly, startups are definitely appealing as well.
Devon: And you touched on digital identity there. Can you give our listeners a little bit more insight into what digital identity is and how that's applicable to what Loop is doing?
Tamer: Now you're coming on to one of my favorite topics, I would love to. One of the most important things to us as humans in our civilization is being able to prove that I am who I say I am and that I'm entitled to do the thing that I say I'm entitled to. Historically, we've done this with a piece of paper. So, if you look back over the last couple of thousand years, you've been issued with a piece of paper of some sort that says, "This person is Devon and Devon is entitled to access this building," or, "Access to this country," the passport. "Entitled to drive in this jurisdiction." That worked great for many, many years because it was fairly hard to forge these credentials. So, up until about the seventies, if you had a piece of paper that proved that you are this person and that you had the right to do something, forging it was fairly complex and making a good forgery, a forgery that couldn't be detected was hard.
That all went away in the seventies with advanced print technology, digital print technology. And by that point, anyone could fake anything with a very high degree of accuracy without too much trouble or too much cost. And so, we started looking at add-ons and at alternatives that we could build on top of those systems to provide the same level of assuredness that we had before, before it became easy to forge them. That was going fairly well until the internet came about. And then everything broke again, because on the internet, as they say, no one knows you're a dog or not a dog. As the saying goes. The internet doesn't have a system for providing that level of trust that we expect in the physical world. It's one of the biggest problems of our time. How do you solve identity on the internet? Right now we use passwords and passwords are a terrible way of doing this.
We all know the struggles that come with passwords. Either you use the same password on multiple sites and you can remember it or you use multiple passwords and you can never remember them. You have to use a password manager, which then becomes itself your single point of failure. If you lose access to it, you lose all your passwords or someone gains access to it, even worse. Your entire presence is compromised. Solving that question, how do we give ourselves back a high degree of assuredness in our digital identity online, is one of the greatest challenges and I think it's a great field to be working in today.
Devon: I have a quick question around that. Why do you think it's taken so long for us to either establish a way to do identity easily online? Is it because there's so many different players in the field and so many people want to have their own version of how that identity happens?
Tamer: I think that's part of it. I think there's two answers. Firstly, it's a really complex problem. So, there isn't one simple solution to it. Whatever solution we end up with is going to be a fairly complex solution to solve a complex problem. But also, it is what you just said, which is that there are a whole bunch of players in this space. And I think that's the right thing. It's correct that there should be a whole bunch of players. I don't think any of us would want a single authority owning our digital identity. The question then becomes, how do you provide interoperability between all these players? How can you allow for a system where digital identity is provided by a whole bunch of different issuers and verified by a whole bunch of different verifiers but you have a good level of interoperability between them? So, they're able to trust each other's issued credentials.
Devon: And that leads us perfectly right into our newest partnership with the Sovrin Foundation. First of all, what they're doing is super cool. And I'll let you talk a little bit on that too, but can you give us some background on who the Sovrin Foundation is?
Tamer: Absolutely. I'm very excited about this. So, for those who haven't been following Loop Insights, it has just become a steward of The Sovrin Network. And that's a really exciting move for us. So, I'm glad I get to talk about it today.
Sovrin is a nonprofit whose role it is to maintain The Sovrin Network. And the Sovrin Network is a public ledger, which supports a set of open standards for self sovereign identity, digital identity. I'll dig into a bit more detail of that to explain what it is. So, it's a network which is a blockchain based, Hyperledger based network. That's the technology that sits behind it. It leverages open standards which have been published and adopted by the W3C and is built on Hyperledger, which is maintained by the Linux Foundation. So, all of this is built on open standards and open source software.
That's a really important point because if you want to build a system that is interoperable, that is open for everyone to use, that is not proprietary. It has to be built on open standards and on open source software that's available to everyone. So, this network is a network of nodes, all running Hyperledger on which any organization can publish what's called a DID, decentralized identifier. And this DID is a way for that organization to say, "We're going to issue credentials, which are going to be signed by us and verifiable against our DID that we've published on the Sovrin Network." That means any organization can issue a credential that can be held by anyone and any other third party organization can validate that credential. Can check that that credential was really issued by that organization that issued it.
We, as a company, we've been issuing credentials for a long time now. You know that. We issue wallet passes that give people access to events or to venues or to special offers. So far, when someone has needed to validate one of these credentials, they've had to access our system. So, they take the credential and then they have to contact our service and say, "Is this thing real? Is it valid?"
This latest move enables us to sign these, to back these credentials with a record on the public blockchain, which means anyone can go and validate that credential against that public blockchain. This is a really important point because one, it provides interoperability. It means anyone can go and validate the credentials that we issue without coming back to us. They don't have to go back to the Loop system to check the credential that Loop issued is valid. But secondly, and this is a really important privacy point, because they don't have to come back to us, we don't have a record of every time your credential gets validated. So, you're not leaving a trail behind you everywhere you go and of every time you use your credential. It levels up your privacy in a way that any centralized system can never do. It gives you a level of privacy because only the verifier that you've authorized to go and check your credential will go and check your credential. No one else will know about that. It's a transaction that's between you and that verifier.
Devon: What you're saying is very high level and technical. How would we put this in a way for our listeners to maybe understand it in a way of how you would use it as a wallet pass? For example, I have a promotion for brand A, on my wallet pass. I go to the store. I redeem that through either the smart tap NFC check-in or a barcode scan. What is it that Sovrin is supplying to us that really increases the privacy of that transaction?
Tamer: That's good. It's great to dive into an example. So, thank you for giving that. The store where you're redeeming your voucher. In order for them to validate your voucher, they don't have to go and connect to our system. They go and connect to the public blockchain and check it against that. They can immediately see whether it's valid. So, it was issued really to you and they can see if it's been revoked. So, we can revoke a credential and that's available on blockchain as well. That means two things. It means massive interoperability. Those organizations verifying the credential don't have to come back and connect to our system, which means we can expand the use overnight to many, many more organizations. The public blockchain can support a vast number of queries. We don't have to scale our systems because they can just go and query the public blockchain.
On top of it, let's say this voucher that you're using gives you access to discounts and multiple stores. You walk into store A and you get your discount. And then you walk into store B and get another discount, which the voucher also entitles you to. Each of those stores is going to validate your voucher against the blockchain. There isn't a single third party who knows that you've been to store A and store B. That's something that's left up to you. If you want to reveal that, you can. It might be in your interest to reveal it because that might open up other discounts to you. But the power is put back in the hands of the user. It's up to you who gets to find out where you've used your discount voucher and not leaving behind this breadcrumb trail of everywhere you go when you use your voucher that anyone can go and mine and backtrack what you've been up to.
Devon: And how is that different than how we're currently using... Let's stay with the coupon or voucher example. How is that different than the current processes?
Tamer: So, the current process that we use is very similar to everyone else's process, which is, I issue the credential. When someone needs to verify that, they go and communicate with my server and say, "Is this credential valid?" And we answer them. That works great but it lacks those two key things. It lacks the interoperability that you get with having it on a public blockchain. And it means that anyone verifying it has to go back to Loop. So, Loop has a full story of what you did with your voucher. That may be desirable in some cases but from a privacy point of view, it's far from desirable because you're leaving behind a full trail, which is available to someone to access. One of the key pieces of privacy by design is not leaving a trail everywhere you go. It gives you, as a consumer, a very high degree of protection because it's not just that you're trusting people not to do anything with that data, it's that, that data doesn't exist in the first place. There isn't a trail to be followed.
Devon: And now, I want to touch back onto specifically the wallet pass. So, you're talking around the privacy and connected to how we use it specifically in the wallet pass. What is the piece that is actually being protected in the wallet pass? Because this isn't just another level of security that we're supplying to Loop's wallet pass system. That's already embedded there but this is a deeper level of security. And the way that you're talking about how it ties back to the blockchain, what is the specific piece on the wallet pass that's tying back to the blockchain?
Tamer: Great question. So, right now we have a very secure platform, which we have had in place for years. And it has proven industry security. We issue a credential, which is validated against our network. That credential, you can think of it as a number. You can think of it as Devon's ID number that we've issued you. And it's a specific ID number that's to do with this one thing that we're issuing you this pass for. So, accessing this one event, for instance. Right now, when you go to this event and you want to prove that you have the right to go in, you present this number. It's easy to think of it as a number. So, let's do that. You present this number, the system checks against the central database to find out whether this number is valid or not. Is this a real number or did this guy just make it up on the spot? And if it's valid, then you gain entry. And if it's not valid, then you don't gain entry.
The difference here is that this number can now be checked. You can go and check that it's a valid credential against the public blockchain and anyone can do that. Not just Loop. So, any third party organization that you present your credential to can go and check whether this is a real credential that's been issued to you or not. They can also check whether it's been revoked or not. Right now, if we revoke a credential, it's just not our system anymore and it will come back as having been revoked but only we can check that. Having it checkable against the public blockchain means any organization can go and check that. Any organization that you as a user authorized to go and check it can go and check it.
And the third thing, which is also important, because it's a blockchain based credential, it's immutable. You have a very high degree of assurance that this has not been faked because it's on a blockchain. It's very difficult to go back in time and make changes to an entry that's on the public ledger, in this case.
Devon: I can see how important this will be used. For example, health information or vaccination information. We've used the example of a coupon. Where else might we see Loop using this technology?
Tamer: I think we're going to see a lot of access to venues and access to events. Even as vaccination efforts continue and even as people start to get back to some level of normality, there's still going to be a need for some contact tracing or some level of knowing who was where and when. Even once everything is back to normal and COVID is out of the way, now that we know what we can do as far as access control, as far as venue management using these digital credentials, I would say we're three or four years ahead of where we were this time, last year. On a normal timeline, it would have taken us three or four years to get to where we are today. This has all been accelerated by the work we've had to do over the last year for COVID. So, I think the old ways of doing access management and venue management are very much on their way out. I think digital credentials are going to be the de facto way of doing that going forward.
Devon: And something interesting you said there. We started off talking about how there are so many different companies that may want to own a certain credential or a way that you authenticate or validate an identity. We've chosen to partner with the Sovrin Network. Why is it so important that we've chosen that blockchain?
Tamer: The fact that it is... Sovrin is one of the main driving forces behind self-sovereign identity, and one of the core concepts of self-sovereign identity is that you own your own identity and you own your own credentials. Just like in the old days, in the paper credential days, when you'd be issued with a credential and you held it in your wallet and you got to choose when you used it. You weren't forced to use it at various points. You weren't forced to present it. It was always up to you to decide when to use that credential to prove something. That's what self-sovereign identity is about, which is having control over your credentials that you're holding, knowing when you're using them and knowing who you're using them with. Who is accessing them for you to be able to prove something. I firmly believe that the future lies with us having control over our identities and not giving that control over to a single entity or indeed to multiple entities.
And our joining of the Sovrin Network is our way of firstly, contributing to that community who are doing some great works and very important work. It's a community which is made up of not just Sovrin, but all of the pieces that Sovrin relies on. So, all of the open standards and open software pieces that Sovrin relies on, that's the broader community. So, W3C who set the standards for all things web, have spent a huge amount of time thinking about these complex problems and defining architectures for solving them. So, you can go on the W3C site today and read about self-sovereign identity and about DIDs, decentralized identifiers, and about the open standards that are around those. You can also go and look at Hyperledger and look at the source code of Hyperledger and how it works. I think it's these open standards that will protect us as consumers and give the power back to consumers.
Devon: And Sovrin's actually really excited about our partnership because we're using the application in a different way that they haven't seen one of their partners use it yet. Can you talk a little bit more about that?
Tamer: Yeah. So, we're in a unique position in that we're not starting from a point of having no credentials. We've issued many credentials. We have issued millions of these credentials to users already. And we're now going to be able to make them back compatible with this. We're going to be able to sign all of these credentials retroactively and make them verifiable against the public ledger, retroactively.
That's pretty powerful. It adds an extra layer of assuredness to credentials that have already been issued. It adds a layer of interoperability to those credentials, which doesn't currently exist. And it adds a whole bunch of users to this network who, in many cases, won't have heard of it. There are a few problems to solve around this. It's quite a complex technical problem to solve. We're pretty much there. We've got a very smart engineering team, as you know, who have been working very hard on how to solve this. And we've got some very innovative approaches to solving it. But to me, what's exciting is we're not building a credential base from scratch. We've already issued all these credentials and they're in the field now. And we've come up with a way of backing those on the blockchain retroactively.
Devon: And I think maybe another reason why it's taken so much development effort is because we're actually one of the first companies that is doing it in this certain way. So, there's no other real company to look at for guidance. Can you talk a little bit more about that side of developing something that we don't have a playbook for but we are working with that network to develop this application.
Tamer: Yeah, absolutely. It's a hard problem to solve, which is why it hasn't been solved. A lot of the self-sovereign identity work has been around building up digital wallets that have all of the necessary functionality within them to enable the sophisticated communications between the credential holder. That's me with my credential on my phone and the credential issuer, the person who issues me, the company issues me the credential and the verifier.
Well, that's great but it requires you to have one of these fairly sophisticated wallets. And there's not many of those in the marketplace yet, in any case. And it really takes a very tech savvy user to understand them and to go and download one and start using it for this. What we're doing here is bridging the gap between the current native phone wallets. So, the Google Pay wallet and the Apple wallet and this new future where these wallets will become repositories of self-sovereign identity. I firmly believe in a few years' time, both of these wallets, both of these native wallets will become fully supporting of self-sovereign identity of credentials and DIDs. But right now, they're not. And the layer that we're building bridges that gap. It allows us to issue the kind of credentials that you can hold in your native wallet today but validate them against a public ledger like Sovrin's public ledger.
Devon: And you've touched on something really important there that yeah, we look at Apple and Google's wallet. And really, the amount of users that they have that are using their applications. Obviously, when Apple and Google look at the future, they want those to be as secure as possible. Can you talk a little bit about the conversations maybe that we've had with those companies and the applications that we're applying to this and this level of blockchain authentication?
Tamer: Absolutely. So, we've worked closely with both Apple and Google on this. Our past creative team has been working closely with them since, for several years now, on evolving those wallets. I'd have direct insights into how they're planning to evolve them. But I think it's fair to say that these native wallets are the future of us carrying around our identities and both Google and Apple know this. And they are very much connected with these efforts to provide interoperable self-sovereign identities that are in the hands of the user, that the user has control of. I'd be very surprised if we don't see evolution of these wallets on both platforms in that direction over the next couple of years. What is really good for us here is that we are preempting this and we are positioning ourselves when that happens, to be already using the ledger. We're not waiting for it to happen. We're leading the charge. We're saying, "This is where we think things are going to go." And we're going to back that by starting to use this network now to issue credentials against.
Devon: I think that's a really key important piece there that you said that we're looking and saying, "Hey, this is what we see the future as. That's what we're moving towards." Can you talk about a few other companies that are partnered right now with the Sovrin Network and who else is believing in this future as well?
Tamer: Wow. There are a lot of big names who are on that Sovrin list. I think on the wallet side, there are a couple of really interesting companies who I personally know and have had conversations with. Evernym has their own wallet, which is a very sophisticated wallet, which supports a self-sovereign identity in a detailed way. Trinsic also has a wallet, which is a very sophisticated wallet and implements the full sets of self-sovereign identity functionality and full DID compatibility. I think a lot of the big tech players are in the space or if they're not already in it, if they're not already a Sovrin steward, they are looking at how they can leverage similar technologies. I saw in the news today, in fact, that Azure has just launched a self-sovereign identity backed Active Directory solution. Now that isn't using the Sovrin ledger. They've spun up their own ledger that they are using as a backend to that. We'll see whether that's the right decision.
But I think over the next year or two, self-sovereign identity is going to be at the forefront. We all recognize how important it is to have control of our data. I think that's something which everyone's now hyper-aware of much more so than they were a few years ago. It's something which we can solve using technology. We know how to solve it using technology. And this is the time to make those decisions. This is the time to make these changes now, so that we build a future where the consumer has control.
Devon: My last question for today, something that we've been asking all of our guests on the show. What's something that you've learned during the pandemic? I know you've probably had a lot more time at home. Maybe it's a hobby you picked up, but what was one piece that you really, a positive that you were able to take away from this time?
Tamer: The biggest thing that I learned that really surprised me is how adaptable we are and how quickly we can adapt to new ways of doing things. Like many people, we pivoted back, a bit over a year ago now, to working entirely remotely, overnight. And we did that without missing a beat. And we just carried on. So, I'd say that the adaptability of humans has been delightful learning for me.
On a more practical level, I've been doing a lot of carpentry and my carpentry is a lot better than it was before COVID. So, that's one good thing for me.
Devon: Why so much carpentry?
Tamer: Renovations. Got to do the renos.
Devon: That's great. Thank you, Tamer, for taking the time to talk with me today. I think that really gave a good in-depth look at what this partnership means with the Sovrin Network and a real technical look at what the application is and how this is supplying such a heightened level of an already secure solution that Loop is supplying.
Tamer: Thank you, Devon, it was a pleasure.
Devon: Awesome. Thank you.