‘Neither Mad Max nor Orwell’: ID startup walks a fine line

Just the name, globalID, might arouse suspicions among the tinfoil hat crowd.

To others, the startup’s stated mission may sound like an anarchic hippie’s dream: create a decentralized system of portable, digital identities controlled by the users, not any government or corporation.

In reality, globalID falls in between the two extremes. The company claims its approach can restore data privacy for individuals and expand access to financial services for the poor while helping regulators and law enforcement to locate bad actors.

“If we design our identity systems right, we shouldn’t have to have a world of Mad Max or George Orwell,” said Greg Kidd, a co-founder and the chief executive of globalID, “so that essentially privacy and security could be complementary.”

The San Francisco-based company said Thursday it had raised $2 million in a second seed round, bringing its total funding to $3 million.

Assuming it works as advertised, globalID’s proposed architecture for digital identity could alleviate a major cost for banks: storing and securing sensitive personally identifiable information. Wells Fargo’s recent blunder, in which a lawyer for the bank accidentally leaked confidential information about tens of thousands of clients, brings home the reality that customer data can be a liability.

On the other hand, portable identity would also reduce switching costs for retail banking customers, potentially reducing the inertia that financial institutions have long counted on to retain checking accounts.

“If you don’t have to reestablish the authenticity of a consumer’s identity every time they engage in a financial service, that will reduce the cost of giving access to an account or the cost of switching accounts,” said Michael Barr, a former assistant Treasury secretary for financial services who serves as an adviser to globalID.

Hence, the setup would “enhance competition in financial services,” said Barr, who was a key architect of the Dodd-Frank Act and teaches law and public policy at the University of Michigan.

While there are scores of startups and open-source projects with similar ideas, globalID stands out by attempting to wed the concept of self-sovereign identity to regulatory compliance. This mix of Silicon Valley idealism with Washington realism reflects Kidd’s pedigree: He was an early investor in Twitter and Square, but also worked as a senior analyst at the Federal Reserve Board and as a risk consultant at Promontory Financial Group.

GlobalID envisions a world where PII would no longer be promiscuously shared. (How many strangers have you given your Social Security number, street address or birth date over the phone?) Instead, this data could reside only in two places: an encrypted "data store” on users’ phones and an offline “identity vault” maintained by globalID or a provider it has certified.

Rather than forking over personal information to sign up for services, users could point to third parties’ assertions about that information (e.g., “OVER_18” rather than “born Feb. 13, 1961.”), tied to their names on a public ledger. Rather than typing in a username and password to access a service, users would connect using the phone as a token of their identity.

The identity vaults would serve two main purposes: one, to assist with recovery when a user’s phone is lost or stolen; and two, for compliance purposes. A bank could request information from the vault when necessary to file a suspicious activity report, without having to guard it the rest of the time, globalID says. Financial institutions would still store money, and they would still vet new customers and monitor transactions, but they would no longer have to be honeypots of sensitive personal data.

“Banks have to make this fundamental decision: What business are we in?” Kidd said. “They are in the identity business, in a way. They are a trusted source of attestations. But does that mean that they want to spend all of their time collecting all of this stuff and putting it over there in the vault and trying to defeat the kind of guys that just launched this virus?” — a reference to the WannaCry hack.

The Bank Secrecy Act requires banks to collect a customer’s information and retain it for five years. The law does not specify where or how the data needs to be stored, but it must be easily retrievable, banking lawyers said.

Investors in globalID include Arbor Ventures, CampOne Ventures, and Kidd’s own venture capital firm, HardYaka.

Alka Gupta, another co-founder and globalID’s chief operating officer, said the company expects to make its money in part by charging large institutions a fee for API calls, or data requests. While the ledger of attestations would be a public resource, the company’s application programming interface could deliver the information faster and in “a more digestible format” to subscribers, said Gupta, a former head of strategy at eBay. (A useful analogy might be professional title searchers who know their way around the county clerk’s office.)

Before starting globalID, Kidd was the chief risk officer at the payments technology provider Ripple from 2013 to 2015, and the companies' strategies are similar. Both seek to foster decentralized ecosystems while maintaining enough influence to keep the technology palatable to legacy institutions and their regulators. Ripple’s former CEO Chris Larsen (who broke ground in financial services at E-Loan in the 1990s and Prosper in the 2000s) is another adviser to globalID.

Early adopters of bitcoin, whose attitude toward regulation ranged from indifferent to hostile, viewed Ripple as the cryptocurrency equivalent of Ned Flanders, the goody-two-shoes neighbor on television’s “The Simpsons.” Even so, in 2015 the Treasury Department’s Financial Crimes Enforcement Network fined Ripple $700,000 for BSA violations. Much of the conduct in question predated Kidd’s hiring in September 2013, and early the following year he hired Karen Gifford, a former counsel at the Federal Reserve Bank of New York, as Ripple's first AML compliance officer. To put the fine in perspective, this week Fincen hit a foreign bitcoin exchange with a $110 million penalty for more serious infractions. Ripple lived down its enforcement action, and now has more than 60 bank partners.

While at Ripple, Kidd sought to build an identity system, but the company decided the project was too far outside its bailiwick. In globalID, he’s trying to build a long-term solution to a problem that got his last employer in trouble.

Privacy is likely to become a flashpoint in digital identity as it has been in digital currency. globalID says its data vaults would be a significant improvement from the current system, since the encryption keys would be kept in “cold storage,” disconnected from the internet.

“Nobody could come and do a mass search that could result in a mass data breach,” Kidd said. “But you might be able to ask a question about one identity to drill down to get the PII with due process, but no bulk access to PII.”

Yet users would still have to trust the company to stand up for their rights when the authorities come knocking.

“We need to have the courage like Twitter does when the government comes and says that ‘We want all this,’ and they say ‘Where’s the warrant?’ ” Kidd said. “So we would have that key, but we would have to see a warrant to do it.”

Unlike Facebook, “we’re not in the business of reselling” personal information, he said. “We’re only in the business of meeting your BSA/AML responsibilities, say for filing a SAR. You’ve got to prove that you’re there looking for SAR information.”

Gifford, Kidd's former colleague at Ripple and Promontory and an early adviser to globalID, argues that the data vaults are preferable to the secret “back doors” governments have been demanding from technology companies.

“Better to have a front door people can walk through with appropriate procedures than to have no door,” in which case authorities will still “find a way in,” said Gifford, who was also a co-author of the Windhover Principles, a 2014 manifesto for digital identity that influenced globalID’s strategy.

To hardcore advocates of self-sovereign identity, though, a door is a door, and a nonstarter.

“We’re dead set against that,” said Timothy Ruff, the CEO of Evernym, the company that developed the software for Sovrin, a decentralized identity system that’s being tested by credit unions. “There’s a philosophical difference. … If you build in any kind of back door, it becomes a vulnerability for the entire thing. It’s going to be compromised.”

Philosophical questions aside, startups need users. So far, globalID has a pilot test in the works with Viamericas, an international remittance company based in Bethesda, Md.

Paul Dwyer, the CEO of Viamericas, said a mobile app that takes into account multiple attestations, including the user’s contact list, can be a more reliable proof of identity than physical documents alone. “It’s harder to fake being somebody who has hundreds of contacts,” he said.

Viamericas, which facilitates money transfers to 34 countries, also sees this technology as something that could help the company diversify.

“The other products and services we can offer to our senders and receivers cannot easily benefit from the identity work we do around the money transfer service because the methods of collection and storage of that information are adequate for purpose, but not easily portable,” Dwyer said.

An identity designed to be reusable “will facilitate our entry into adjacent services,” such as stored-value cards, he said.

Barr, the former Treasury official, said such a system would also promote global financial inclusion.

“One of the pervasive problems in the developing world,” he said, “has been how to help people establish who they are for purposes of financial services.”