letstalkbitcoin #21

0:14
This is Episode 21 of Let's Talk Bitcoin, and like last time, this episode is a
little bit different. Most of the time, I speak to guests and hosts over the
internet, eyes fixed on screens, talking to people from around the world.
0:27
John Light is a recent transplant to Northern California, and after meeting at
Bitcoin 2013, I asked him up to the LTB homestead, tucked into a canyon outside
the Napa valley, surrounded by steep redwood forests.
0:42
Microphone in tow, we sat on the bank of a creek and talked about the future of
identity in a networked world.
0:47
Today's show is important.
0:50
Granularity is a concept worth understanding. Imagine the seaside, waves
crashing the shore. As a whole, it's a singular object, a beach, it has its
place, and it doesn't move, it's enormous and persistent. At a granular level,
it's billions of tiny pieces of sand; tidal impacts can move individual grains
enormous distances, relatively speaking.
1:19
We talked about identity in this context. It's not about the beach. It's about
the individual pieces of sand. Each one is a detail, attribute, event. They're
you. Right now, you pick either the beach, or no beach at all. But that's about
to change.
1:45
Privacy. You know, there was a time before Facebook, and a time before social
networks in general, and a time before frankly websites where everything you put
on them was owned by the website.
1:57
I think that we might be moving back towards a time when suddenly this type of
granular control over your own identity is possible, and it's because of
concepts like personal clouds.
2:09
I'm sitting here today with John Light, one of the good guys so to speak, working
on this identity problem and this personal control problem.
2:19
John, how did you get into personal clouds?
2:21
John: When I started my blog, p2pconnects.us, which is a blog about peer-to-peer
technology and how I think it can help solve a lot of problems that are going on
in the world today, the very first blog that I wrote, it was called "universal
reputation rating systems: the future of trust in a networked society".
2:42
I wrote that based on technology that I saw coming out which was essentially
bringing all of people's social profiles together into one place to create what
I'm calling right now a universal reputation rating.
2:59
Basically it pulls your ebay, your air b and b, your Facebook, your Twitter, it
puts it all together and it creates a score for how likely you are to be trusted
based on all the connections that you have, all of your past history in the
marketplace.
3:16
I saw that as a trend; the first company I came across was called TrustCloud
that did this, there's more: there a website called connect.me which offers a
reputation rating system.
3:29
It doesn't necessarily pull together all of you different social profiles like
TrustCloud does, but it gives people a way to endorse you for different
activities to show that to other people, "yes, I'm vouched for in this way" and
now LinkedIn has even incorporated something like that, where people you can
endorse you for different skills, and so that's kind of how I got interested in
reputation, and through researching for those blog posts that I wrote about
that, the second one was called "universal reputation rating systems: problems
and solutions," where i go into some of the pitfalls that could be encountered
with a reputation system like this and then maybe some solutions for how that
can be worked, and as I began researching for writing these articles, I came
across this concept called personal clouds, where the personal cloud is like
your singular place on the internet to put all of your identity information,
all of your social information and financial information -- everything that you
would possibly need on the internet into a one secure encrypted environment,
and then that identityi, that place marker on the web has its own reputation and
and what the connect.me service is trying to do is trying to serve as one of the
primary reputation providers for the personal cloud ecosystem. No matter where
you are on the internet, you're going to be able to carry around this reputation
that you've spent a lot of time and a lot of effort building up.
5:08
Rather than having to create a whole new reputation every time you join a new
community, like a new forum or a new marketplace or whatever. So right now we're
starting to see the beginning of this, with social sign on where you can
actually use Facebook and other social networks to log in to places, but that's
still not good enough. Facebook itself is a walled garden that you can't really
export your data from and take to other providers, whereas with personal clouds
you're going to be able to do that. If you don't like your current personal
cloud provider you can just take all of that data that you spent so much time
accumulating and organizing, and just export it and drop it right into another
cloud service provider, or you can post it yourself. When I came across this
concept I realized that is going to do for the internet why Bitcoin is doing for
money, or what torrents are doing for file sharing. It is going to create a
purely p2p, peer-to-peer environment where people are in full control of
everything that's coming in and out, and that's to me I think really important,
especially you know right now, after the news has come out about Edward Snowden
leaks, where we find out that these companies which people have been entrusting
with their data aren't just sharing it with advertisers, it's going to
governments.
6:36
For people everywhere else that's not in the USA, a government that's not even
their own government. It's really important that people be given the tools to
take control of their data, and control of their privacy, and personal clouds,
I see, are a way to start doing that.
6:53
Adam: Talking about social networks, and services that keep data for you, you're
talking about how they expose your data to other people in various places, why
is that? Why is that the situation that we find ourselves in, what happened in
the development of infrastructure up to this point?
7:11
Personal clouds are something that will be out in the next months or years, but
this is a problem clearly that we've had for a while so why did it take until
now to start addressing it?
7:22
John: The development of Diaspora, which was intended to be a decentralized and
federated social network tried to start tackling this problem years ago. It's an
open source project so there's no real money or monetary incentive for people
to fully develop it, so while the developers have done a really good job of
building a really great product it's not perfect and it's not anywhere near as
advanced in terms of security and granularity as personal clouds as a platform
will be. Diaspora could be looked at almost like a proto personalal cloud.
8:02
Along with services like personal.com where you can upload a bunch of your
financial and medical and personal data and it's all encrypted, but you can't
really share it on such a granular level like personal clouds are going to be
able to, so there's a lot of services that have tried to address this problem
from different angles, but no one has yet really been able to bring it together
to a holistic system, a holistic platform like personal clouds have.
8:30
Now how do we get here? Well in terms of Facebook, they don't have any other
revenue model other than to sell your data to advertisers; that's kind of
Google's play as well, you know their revenue model is taking your data and then
using it to serve you advertisements; it's a part of the revenue model you know.
They don't think that they can charge people to use their services so instead
they give it to you for free and then their customers are actually the ad
companies.
8:58
You're not the customer you're the product when you use social networks. Part of
the challenge for personal clouds is going to be to find out whether people are
willing to pay for privacy. I'm willing to pay for privacy but is, you know, the
average social network user? That remains to be seen.
9:15
It's really just a matter of changing the incentives away from being
incentivized to sell data or even just give it wholesale over to malicious
governments, and instead have an incentive to keep it private because the data
owner is the customer not the product.
9:36
Adam: Does privacy matter in the modern age?  I mean I think if there's
something that the recent revelations about state spying is concerned, basically
all the stuff that's been coming out about how data is so insecure, it's really
made me wonder, you know I do a lot of business on skype for example, I do a lot
of communication on skype, and that's totally a compromised platform and so I
just kind of assume at this point that whatever I do I better be comfortable
with somebody out there, anybody out there being able to look at it because
there just isn't much they can be done about it.
10:05
I mean do you think that this is something that even can be tackled reasonably,
or have we passed the point of no return?
10:11
John: I think that's a really good question, especially as people, despite
knowing what's going on with these social networks continuing to use them.
10:20
It's an implicit acceptance of the status quo. I think it's dangerous,
personally. Is privacy important? I think it's very important.  I think people
should be able to have an on and off switch for privacy, instead of it just
being you know off all the time and then than having to jump over insane hurdles
to get it to that on position.
10:42
One of the most dangerous things about a lack of privacy on social networks is
it's not just the individual pieces of information that go on to the social
networks, it's the aggregation of this information. If you just put a few status
on Facebook and maybe some location things on Foursquare, and you text a few
people on your cell phone, individually those things might not seem so harmful
but you put it together and all the sudden I know who you're hanging out with,
where you are, where you're not, meaning that if you're not at home your home is
open to burglary or wiretapping or any other kind of malicious activity where
people could then, you know exploit these openings in the various communications
platforms that we have, in order to commit serious crime against you. If you're
a young attractive individual and you suddenly develop a stalker who has a
little bit of technological savvy they might be able to find you when you're
alone, and that's a serious concern.
11:42
It hasn't developed to be something where that's a common occurrence yet, I
haven't personally heard of anyone using such an aggregation of information to
do this stuff yet, but
11:53
Adam: it's all out there
John: the threat is there, you know, and it's really not even just what this
government is doing with our data, who's the next guy that's going to be
elected, or gal? If Edward Snowden could have access to this information, who
the hell is Edward Snowden? I have no idea, I didn't elect him, and yet he had
any access to all of this information, he said he could get dossiers on the
president if he wanted to, and read the president's text messages if he wanted
to.
12:18
That's really scary because all it would take is some criminal organization to
infiltrate the NSA, literally just have one of their young members just go to
college for info sec, go into the military just through the whole step process
and say you're going to be our inside guy, they get behind the controls of this
huge surveillance apparatus and rub their hands together, and just start
clicking away and instead of leaking information to The Guardian, they leak
information to their bosses.
Adam: But they've solved this. You might not have seen this but they've got a
solution to this leaking problem, you see it's called the buddy solution.
So anytime anybody needs to access confidential data in the same way that Mr.
Snowden did the process will be that there will be someone else who will have to
sign off on it, and that will make it 100% secure, it can never be compromised
at all, and if that doesn't work, they're going to the three-man system so it's
yeah, I mean you're totally right.
13:18
There are something like five hundred thousand people who have Top Secret
security clearance, and that's ridiculous you know, how can something be a
secret when that many people know?
13:25
John: It's really not just those individual situations, the systems themselves
could become compromised to outside attacks, where you don't even need an
inside man. I mean the government is pretty good at the building an intranet,
where you need inside access in order to see some of this information, but
it's only a matter of time before something like Stuxnet or Flame or any of
these really malicious viruses is able to find their way into these systems and
just expose everything. Maybe it's not even just a concerted effort to
take information and give it to a particular organization, but just to dump all
of it.
14:04
I mean what happens when that happens? I mean it's just, again it's not the
individual pieces of information that matter, it's the aggregation, it's being
able to build a behavioral profile where I don't just know what you're doing
right now, I can predict what you're doing for the next month because I know
exactly what you do every morning, I know when you go to bed, I know who you
hang out with, for some people they have crazy lives and those things are hard
to predict but a lot of people are creatures of habit, and these kinds of
attacks become very easy, you know. It's just, that's what really concerns me,
is that people are going to be exposing themselves in ways that they can't even
imagine because they're only looking at it one instance at a time, they're only
experiencing it one instance at a time, they don't have this bird's eye view of
what the whole picture looks like and frankly I think that if governments can
have this bird's eye view, the people who they're collecting data on should be
able to as well, so that we can get this kind of full picture of "oh my god."
15:09
I can tell what this is leading to, now that i can see this whole profile on me.
Facebook has already introduced social graphs, so you can kind of start to get a
picture. I know this person, they know this person and this is what our whole
thing looks like, but you add it in with cellphone data, you added in with your
Gmail accounts, you add it in with everything else that's being collected, it's
a really scary picture.
15:37
Adam: You use the word aggregation of data a couple of times, the term
aggregation of data a couple of times but I think that the way that I would say
that is it's about the centralization of data because like you said, it turns it
into a target. I mean it's just like Facebook is a huge target for being
attacked because they house so much personal data, if that's true one has to
imagine that systems that are designed to collect and combine data from all of
these different enormous sites on the internet, communities on the internet,
would of course be an even larger target, just because there's so much data,
in the same way that web wallet services are bigger targets than Bitcoin wallets
on computers.
16:13
John: That's a great point. It is this centralization really that is the key
issue. You know with personal clouds you're still taking all of that data and
aggregating it into one place, but it's your personal cloud which itself
you're going to be to self-host, you're going to be able to host it with
third-party providers...
16:32
Adam: Okay so we've talked about, we've kind of talked around personal clouds
now, but I think it's relevant to go back and talk about them in a more basic
way. I'm a user, I buy into what you're saying, that privacy is an issue that
I should be concerned about, and so what does this system look like that's
different, how is it different, how am I interacting with this personal cloud
in a way that lets me do the things that you're saying I can use it to replace?
John: That's a really good questions, so I consider myself an enthusiastic end
user, I'm not a programmer, so I'm not working on this from a technological
level, but this is what it's going to look like and this is why i'm so excited
about it: so you're going to have a platform, let's just for an example say that
you're hosting a with a third party, which most people will do just like they
host email with third party,
17:21
so this third-party provider, when you first sign up with an account you're
going to get a user agreement which should and will have a framework, it's
called a trust framework, which outlines exactly what and what not that company
can do with your data. Not will do, can do.
17:45
Adam: Is that different than current, when Facebook you know puts their terms
of use out, are they saying "this is what we will or won't do" but not talking
about what they can't, or are you just saying that that's important particularly
in this case?
17:57
John: I think it's important particularly in this case. All of the data will be
encrypted by default; there's only so much that the company will be able to do
with it anyway. I can use an example of one of the existing trust frameworks.
How i found out about this concept was through a company called The Respect
Network, which is building a network of cloud service providers who all agree to
what they call the Respect Trust Framework, which has five principles including:
how the data is stored, you know how the data is protected at the security
level, interoperability at the protocol level
Adam: Now when you say interoperability you mean the ability to...
18:38
John: For all of these personal clouds to talk to each other, regardless of who
the service provider is. Redundancy: if their server goes down, your data is
still safe somewhere else, and that is about how the data is actually handled.
Several other points as well, I don't have them memorized. It's very basic, five
principles and then they elaborate from there to describe exactly how they're
going to fulfill each of these principles, and that's going to be the the basic
contract that you're going to be getting into with these cloud service
providers.
19:09
The important part is that your data is encrypted by default. The kinds of uses
that cause service providers envision this platform being used for require it.
They would be breaking multiple laws if they didn't. Things like HIPAA, the
Health Insurance something Privacy Act, laws that governs the privacy of data
online around financial institutions.
19:37
Health, financial, those are the two probably most sensitive and high-risk kinds
of applications with which these cloud service providers are expecting their
users to trust them with that kind of data.
19:49
Adam: So on the health side, what does that look like, what's a scenario where a
personal cloud is useful to me in a health capacity or a medical capacity?
19:56
John: Sure, let me just tell the story of how the personal cloud is going to
work: so when you sign up for a personal cloud provider, they give you that
agreement, you kind of look at this and you say "do I agree to this? Yes i agree
to this" and then you start to fill out your basic information and upload some
basic data about yourself, a name, a bio, your contact information, maybe attach
some credit cards and debit cards and bank accounts, and from there build
relationships with other personal clouds.
20:32
As you start to build relationships, each new relationship that you have you'll
be able to give them full granular access to the data you have stored in your
personal cloud.
20:44
So what your family sees will be different from what your best friend sees, will
be different from what your co-workers see, will be different from what your
doctor sees, and so on and so forth in the case of creating a relationship with
your doctor, instead of your medical records going into a filing cabinet which is
stored behind his desk, they're just going to be dumped right into your personal
cloud, and then as the doctor needs that data to do his job you have a specific,
what would be caught a link contract which governs when and for how long that
data will be available to the doctor.
21:24
So maybe his office is only open from nine to five so the link contract says
that he can only access your medical records from nine to five Monday through
Friday and then the rest of the time that connection is completely sealed off
by the encryption.
21:39
How this constant decryption and reencryption of data occurs is currently being
built into the the personal cloud platform, that's one of the the big challenges
of building this kind of system is at the protocol level, building privacy in so
that these features actually work.
21:58
There's already a protocol called XDI, I believe XDI, which will govern how the
data is exchanged. In the instance of connecting with a friend, basically when
you add them to your personal cloud network, you are going to give them specific
permissions to access specific data.
22:21
You know you guys listen to the same music, so you let him access your music
files that you've uploaded. You don't care if he knows your bio, so you give
him permission to access your bio. He knows your real name so you give him
access to your real name.
22:34
Now let's flip this around, and say it's not your best friend that you're adding
to your personal cloud network, it's this new person. You just met them, maybe
instead of seeing your full name they just see your first name, instead of
seeing your real picture maybe they see some stock picture of a blank face, or
something like that and they don't see your full bio, they just see your
professional bio, something you don't mind being public. Things like that.
23:03
As you gain trust with somebody you can open them up to have access to more
information, and then from there it could be called personal cloud because
it's not just accessible from one centralized location, it's something that is
going to be usable across devices, so that my smartphone could access my
personal cloud, my tablets, my computer, any0 kind of technology platform that I
have which has access to the internet will be able to access my personal
cloud. I'll be able to authenticate to the personal cloud so that it lets me in,
and then I can control everything from there.
23:59
Advertisement: If I showed you a website where you could easily purchase
electronics from the world's largest distributor with Bitcoins at zero percent
markup, would you think it was too good to be true? Good news: it's real, and
it's at BitcoinStore.com. Choose from half a million items, save money over
Amazon and Newegg, and convert your Bitcoins to real-world items. You can even
buy with privacy; all they need is a shipping address. But don't take my word
for it, see for yourself at BitcoinStore.com.
24:32
Let's Talk Bitcoin is an experiment focused on getting new ideas into the
conversation. If you like what we're doing, visit letstalkbitcoin.com for
episode-specific tip jars. If you'd like to sponsor the show, please contact
[email protected] to start the conversation.
24:51
I hope you're enjoying this diversion from our usual segmented format. As
always, it's an experiment and your feedback is appreciated. Let's get back to
the conversation.
25:04
Adam: I've been trying to think of what a good analogy is, and I started with: I
have a file cabinet, right, tons of personal information, tax returns in it and
receipts, all sorts stuff that I don't really need most of the time but that
occasionally I need to dig out because I need to send it somewhere or you know
like mortgage stuff or verification or taxes or things like that, to a certain
extent what you're talking about here is like a smart filing cabinet that lives
in the cloud, where you can make keys for it, you know make keys for this filing
cabinet that you can give the different people that, they're like smart keys,
it's automated.
25:43
John: It's more like each individual piece of data, each individual file, if
you want to call it that, is a locked with a different key, and you give
specific keyrings to specific people to unlock specific things.
26:03
So you might have three different bios, you might have the one that is for your
LinkedIn or you know your professional network, you might have one for your
family and best friends, and you might have one for the public at large, or just
new people in general. So each of those are locked with different private keys
and so you're going to be able to share those with different people.
26:26
Again, I'm not a coder so I don't know how this is actually being done, but
these things aren't being encrypted with symmetric cryptography, because then
the people that you get it to could just share the keys with anybody and then
anybody else could come in, and unlock the file.
26:41
So instead what I think a personal cloud is going to do is going to make a copy
of the data, encrypt it with the other person's public key, and then send it to
them. So that they can then decrypt it with their private key when they log in
to their personal cloud.
26:55
Adam: Okay, I see, so there never is any unecrypted data on the net, you're not
releasing anything, it just gets encrypted under a different specific person or
organization's key.
John: Exactly. Unless of course, you set it to public, and then it's like
Twitter, it's just all out in the open. For certain things, like I use Twitter, I
don't mind having a public-facing website, my blog is public, my consulting
website's public, so there are things that I don't care about sharing with the
whole world, but there are also things that I'd prefer to only keep between
myself and selected individuals.
27:34
Those are the kinds of things that personal clouds are going to be especially
useful for, because right now when you send a direct message to somebody on
Facebook or when you text message somebody, if you're not using encrypted text
messaging, then that's just clear text sitting in multiple other servers,
the NSA server, your service provider's servers, and every sever in between your
ISP, your cell phone company, all these different servers.
28:01
With a personal cloud, instead it's just going to be all a bunch of cipher text
sitting on all of these servers, and you know good luck trying decrypt all of
it.
28:09
Adam: Well you could try, but...
John: when everything encrypted, how do you know what to target? Are you going
to spend 10 years trying to brute-force something, only to find out it says "I
like pudding," or "meet me at Starbucks at 3"? It's going to make these efforts
for collecting data just look absolutely silly.
28:34
All of a sudden they don't even know who to target anymore. You know I read
recently that right now, encrypting your data by default makes you a target.
They're much more likely to hang onto it and build a nice little profile on you,
and spend some effort trying to decrypt your stuff, especially when most of your
communications aren't encrypted, but then selected conversations are.
28:57
But when everything is encrypted by default, all of a sudden it becomes kind of
like "boss, what do you want me to do here?"
29:04
John: So we have to move the baseline basically, right now it's abnormal if you
encrypt, few people do it because it's a hassle and when you do do it, then it's
because it's something that you actually need to encrypt, you feel like.
29:18
John: For the most part, I mean for most people.
Adam: That's the perception, I'd say.
John: That's the perception, for sure.
29:25
John: I have used text-secure and RedPhone and GPG with all my friends who were
willing to download it, and thankfully a lot of my friends have been willing to,
since I've learned about this stuff and it is kind of just like encrypt by
default. Why? Because we can. And because the picture of somebody trying to
brute-force something and then seeing "I like pudding" at the end of it is just
so hilarious in our minds.
29:48
We're already beginning to see steps people are taking towards actually going
through the learning curve of figuring out how to use these encryption tools and
using them. Specifically since these Snowden leaks came out. When it actually
becomes something that people don't have to work to do, when it's just that's
the default mode of behavior, when it's going on behind the scenes and you don't
have to think about it, then that many more people will be doing it. I mean I see
personal clouds being like the next not Facebook, but the next Personal
Computer.
30:20
It's not just an evolution from social networks, it's an evolution of the
platform from which you do all of your work. Because think about it: Google
itself, okay, Google's kind of a company I love to hate because I'm a Gmail
user, I use Google Docs for various things (nothing sensitive obviously), but
when it's handy I use it, it's kind of the default search engine, I've been using
Startpage and Duck Duck Go more, in Mozilla it's the default search engine and
they get kind of the best results because they are the biggest monstrosity of a
search engine.
30:55
There's a lot of things I love about Google but there's also a lot of things
that I hate about Google, particularly their revenue raising model where they
take all this stuff that I do with them and then sell it to someone else so that
they can serve me ads, I mean that's just...
Adam: Would you pay for search?
31:09
John: I would pay for a Google account if it gave me access to all of the
things that they do. I mean I pay for internet, I pay for cell phone service why
wouldn't I pay for a personal cloud provider which is going to protect my data,
and that's the value that these personal cloud providers are going to be selling
to their customers.
31:31
You're going to get all the features of all these other services that you use,
minus the part where they take all of your data and give it to the highest bidder
or give it to whoever's pointing guns at them or whatever the case may be.
31:43
Adam: so, you said that this is not an evolution of technology broadly but an
evolution of the personal computer, and I'm very curious for the thought behind
that because I don't really see the connection there. Isn't a computer more
about what enables you to do in terms of hardware capabilities? What do you mean
by that?
John: Cloud computing and cloud processes, cloud services in general are
advancing at such a quick pace where you'll be able to be delivered
software-as-a-service, or anything as a service really, from a cloud provider.
You'll be able to manipulate software that's stored on their machines.
32:23
It doesn't matter what kind of machine you have really. You could have
something with like a Pentium 4 or something.
Adam: So this is the Xbox One concept that they've been very interested in, where
yes the hardware itself is not that impressive, I'm not sure if you're familiar
with this, the next release of the Xbox console that's coming out,
32:39
John: Yes, please explain
Adam: Is not that powerful overall, but what it does is it hooks up to the cloud
where in the cloud supposedly there are between two and three additional Xbox
Ones worth of processing power available, so that the thought is that even
though your hardware isn't that impressive this cloud is impressive, and so
people can build up games with the idea that it's not your hardware but the
hardware that you have plus some hardware in the cloud, and that overtime rather
than upgrading the hardware they'll just upgrade the cloud so you won't need to
buy another box.
33:13
John: Exactly, so your personal cloud platform is a shell, it's a shell within
which you store minimal amounts of data, and I say minimal meaning it's like
your whole life on a kilobytes processing level it's really easily digestible
by pretty much any machine that exists right now, my smartphone could handle
this storage of this data, you know what I'm saying?
33:34
And then it's these other servers of the service providers that you need for
doing your financial transactions are doing your gaming or doing your
marketplace activities or whatever, they're going to be kind of like the
communities that you still kind of carry around your identity to all of these
different places, but they're just getting the relevant info that they need out
of your personal cloud, so they're not actually storing any of the data it's all
in your personal clout and they just kind of take what they need to do the
minimum function that you're asking for.
34:07
So in the case of a marketplace, it pulls your reputation information, it might
pull your address if you need to have stuff sent to you, they might pull your
email so that, if there's even email, I mean in reality these things will be
able to send messages to each other, so email itself might not even be
necessary as a service one day.
Adam: So when you're talking about email, and how these can send messages but
it's not email, how is it different from email, is it more like a personal
message, I mean diseases is this a semantic differention?
John: It's still an address, it needs to know how to get this message from
a point A to point B, but the address isn't @gmail.com, it's your home address,
kind of.
34:51
This is your place on the network, and this is how it finds you, and that's what
XDI, it's short for eXtensible Data Interchange protocol is going to do.
35:01
The whole personal cloud platform is built off of a semantic data graph
35:07
Adam: Okay, what does that mean?
John: Basically what it means is that all of your things are individual points
on the graph, all individually addressable, and so that's how they find, other
personal clouds find your stuff. So that no matter who your cloud service
provider is, the actual addresses, it still can be found on the network.
35:27
Adam: So is this like everybody has a unique name, and so through that unique
name as long as you know the name you can find the person and connect with them,
make one of these contracts with them?
35:38
John: Yes, okay yes essentially. Like I say, it's your singular identity that
you're able to take anywhere so that no matter who your cloud service provider
is all of the links that you've given out to other people to find your stuff are
all still valid.
35:53
That's the most important part is that, you know if I delete my Facebook all the
sudden you can't see anything that I ever had on Facebook ever again, whereas
with personal clouds, as long as I have a personal cloud that's active online,
on the internet somewhere you can access it. The addresses don't change. The
links don't change.
36:17
Adam: So let's talk about finance for second, that was one of the other
categories that you brought up. In the last couple years I've had my identity
stolen twice without ever having lost my credit card, so that implies to me that
there's a minor security problem with transactions that happen on the internet.
Would personal clouds have saved me from all of that headache, or are they just
a replacement but they can't really fix some of these problems?
36:40
John: I would say it depends on what actually occurred. There's a possibility
that you are man-in-the-middled, that's kind of very sophisticated attack that
is usually very targeted because they're trying your browser...
36:51
Adam: I'm pretty boring, and I was even more boring when I was I doing this,
I've got to think it was something--
John: It had to have been something more like on the other, server side.
Adam: How would it work?
37:00
John: Okay so it depends on what you're actually doing and what the whole
financial ecosystem looks like, because you know if we're talking about Bitcoin
exchanges there's like no personal identity information to steal, if you're
talking about lines of credit, banking, and things like that...
Adam: So then let me ask a better question, what I'm saying is I want to go to
amazon.com and I want to place an order for something and buy it and I don't
want to store my credit card with them because I'd rather not have my credit
card on file with them, or pick someone less reputable than Amazon.
37:31
John: sure sure, let's even go with the amazon example because Amazon is a
company that stores people's credit cards and debit card information so that
they can do like one-click shopping stuff like that. Instead of Amazon storing
your credit card details, your credit card would be in your personal cloud and
you have a link contract with Amazon, which says that when I'm signed in you
have access to this information, and only when I'm signed in.
37:59
They don't take that information and store it while you're signed in, they just
have access to it so when you click that one-click shopping thing, order here,
just real quick your credit card is processed, your address information is sent
to the merchant, as soon as you log out that link is closed.
38:19
They don't any longer have the credit card number or anything, infact they don't
even need the number because they're not a credit card processing company. They
have probably a third party.
38:28
Adam: And then it's over, that's what they needed it for.
John: And then it's over, that's all you need it for, exactly. Now credit cards
themselves, you know like the whole credit card network is clear text, I don't
know if anyone knows that but when you run your credit card all of the
information that's going back to the credit card company, it's not encrypted,
it's clear text, that's what cryptocurrencies are competing with right now. So
if you want to use that by all means, just know what you're allowing yourself to
get into.
38:57
You know when you bring something like cryptocurrencies into the picture then
the risk of fraud becomes even less, because the private keys could
theoretically be stored in your personal cloud and only when you are logged
into your personal cloud could those private keys even be accessed, from there
you can you know send money to people and stuff like that but then you're not
even giving up any information whatsoever, it's peer-to-peer, so there's no
third party that you even need to think about trusting with your personal data.
39:29
So that is exciting to me. The social networking stuff is really cool, being
able to have my health care information downloading straight from my personal
cloud, that's all really cool, but what I think is really powerful and really
exciting is that this is going to enable a true peer-to-peer marketplace to
emerge, where I don't even need amazon.
39:47
Amazon's just another walled garden. Instead the merchants are going to post
things to their personal clouds, make them public, and then I search for those
things in my personal cloud, and the personal cloud service does a dictionary
discovery lookup through the whole semantic data graph I was talking about
earlier, and finds all of the things that match my search query and serves them
to me and then i can narrow it down even further to say, you know I don't just
want dresser, I want a black dresser. I want a black dresser with six drawers.
And then the search continues and continues till it gets down to exactly what I
want.
40:24
I buy it right there from the merchant, me peer-to-peer.
40:29
Adam: Let's say that we get to this post-Amazon world where Amazon is no longer
required because you have these personal clouds both you personally and let's
say me as a vendor, what does that world look like, how do we find each other,
are we negotiating...
40:52
Are we literally negotiating you know, do we have a contract where you in
advance so that you're able to look at my store, or am I just putting it out
there, how how does that work?
41:02
John: you know, most merchants on the internet, they have a public facing
website.  I mean there are some private organizations where you need to have to
have a membership to have access to their storefront, but for the most part on
the internet and in the physical world, merchants doors are opened to any
customer who's willing to come in and take a look around. Similarly, on the
personal cloud network merchants will just have all of their product postings be
public, and you know I, as a customer, can do searches as I described earlier to
find exactly what I'm looking for, and then those merchants are competing with
every other merchant who's offering what I'm looking for.
Adam: So geography comes into play here for physical objects, so it'll be
easy or automatic to filter if you're looking for something physical that you
know you're only looking within a certain number of mile radius, or shipping
cost radius, like how would you define terms like that?
42:00
John: Yeah I think the search that you are conducting to find these things can
be that granular, just like Amazon, their sidebar shows you know categories and
then price ranges and you know, things like that, you'll be able to categorize
these things by the best price, closest location, and the personal cloud is
going to be able to serve that information to you because it knows where you're
at if you tell it where you're at, it knows where the merchant's at because the
merchant has uploaded their location information and you know their shipping
costs and the product costs are going to be transparent, so you'll be able to
organize your search results based on whatever criteria looking. For maybe you
don't care about price, maybe you care about high quality so you look for the
best-rated item, or something like that.
42:54
Adam: Whenever I'm my tablet, I'll have something come up and it'll say
such-and-such application would like to know your location. Is that the sort of
thing also they could be stored in the personal cloud, because I'm really
tentative to give a lot of publishers that sort of information about me, I
don't really want them to know where I am and that's not something that's
important to me.
43:12
But there are some things like map applications for example where it would be
useful if in fact I did give it access, so sometimes you just say okay well
screw the privacy issues I guess I might as well do this, can personal clouds
help in that situation too?
43:26
John: Yes. If you do you choose to give a third party a location, your link
contract will be governing exactly what we can do with that information and if
they break that contract then it's just like breaking a legal contract where you
know there are there are reprecussions, now it's not a legal contract in the
sense that you're not going to take them to court, these things will all be
handled within the trust framework that the company has agreed with essentially
and these things will be handled by social pressures within the trust framework.
43:56
If they abuse their privileges of getting certain access to data they might get
locked out of the trust framework, and then no longer will people who agree to
that trust framework ever do business with that entity ever again.
Adam: So they have to maintain a good reputation otherwise it can potentially
endanger their relationship with the entire network.
44:16
John: Exactly. Exactly, because this is a peer-to-peer environment, if I trust
organization A, who also trusts organization B, who I have no relationship with
right now, then by extension I can trust organization B because we're all kind
of agreeing to the same trust framework. If that trust framework is broken by
organization B, then organization A has the power to cut off that relationship
entirely and then everyone else who would have have contact, some sort of
connection with organization B, no longer does. They're now like a quote-unquote
stranger, they're not a friend of a friend, they're a stranger, and so they have
to kind of start from the ground up to build up a good reputation, or find
another trust framework provider who is willing to extend them the benefits of
access to their trust network. And these trust networks themselves will be
federated, so that the trust framework providers work with each other to kind of
prevent bad actors from just being able to jump from one to another to another
to another. Very quickly it becomes a very accountable scenario where everybody
in the network is accountable to basically everyone else.
45:45
Announcement: Why do you listen to Lets Talk Bitcoin? We'd really like to know.
Are you a new user trying to learn the basics? Are you from the world of finance
seeking clarity on investment opportunities?  Are you an entrepeneur looking for
opportunity in a world of confusion? Write and tell us your story.
[email protected]
46:21
Announcement: Like the fortune teller says, may you live in strange times. And
we certainly do. Do you have a project or passion that falls into what I loosely
as define as "technology or philosophy that can change everything"? We want to
hear from you. [email protected]
46:43
Adam: In theory it seems like the primary weakness of this is that if someone
ever gets your key, gets your ability to access your personal cloudiness, then
it's just as bad as if someone gets your Bitcoin keys, gets your Bitcoin private
keys and basically they can do anything that you can do, which in this case just
as you have full control, so does anyone compromises your personal cloud. Is
that a concern?
47:07
John: That is a concern for sure, that's a concern in any sort of environment
where you need to authenticate yourself, and authentication is provided
remotely, where you know it's not like YOU, the physical individual, walking up
to a window and saying "hi, I want access to this stuff" but instead it's like
this abstract version of you going over internet lines to then authenticate with
some cryptic string of letters numbers and symbols.
47:40
At the start I'm sure that the authentication will just be like, two-factor by
default, almost assuredly. From there, authentication technology itself is
getting really interesting with biometrics. I've seen brain wave authentication,
I mean we could end up with something where we're looking through a heads-up
display, not like Google Glass, Google Glass is very primitive, but something
even more advanced where we have a full field of vision where we're just seeing
the graphical user interface in our field of vision, and as a little node that's
pressing against our temple, and then authenticate by thinking of a certain
thing while blinking three times or something like that, you know I mean the way
the technology is going I think that the market will definitely find a way to
make authenticating into your personal cloud very difficult for somebody to
break, but very easy for you yourself to get in to.
48:40
Much like right now, let's take this whole thing offline, pre-internet days.
All this same information exists, your financial data, your health data, your
relationships and all that still exist but in analog form. A lot of this stuff
is stored in vaults. Can vaults be broken? Yeah. They can be broken. Someone
can install a hidden camera and watch you put in the combination, or somebody
could just rubber hose cryptography-style you know just beat it out of you, any
number of different kind of attacks could be launched to compromise your
personal data even when it's stored an analog fashion.
49:16
Adam: It's just a difference of accessibility really, because the difference
here almost entirely is just that in the case of analog data someone actually
has to be there at the vault to do it, and from the from the cloud side of data
they just have to be on the internet, they just have to be connected, and so
that's I guess the thing, is that there's a much larger pool of people who
potentially can go after information, but I think that you're right, that's not
something that's really restricted to personal clouds, that's just, and again
it's about centralization to a certain extent, it's because you've got all this
information there that makes it more valuable than it is spread out all over
everywhere.
John: That is correct, and that's why the barrier to getting information should
be that much greater to scale for somebody who doesn't know the the private keys
you know like that personal cloud providers would perhaps require that your
password have one capslock, one special character and one number or something
like that--
Adam: Yeah, and be like eleven characters long
John: and be like eleven characters long.
50:17
And you know say, this isn't just Facebook this is like your life, this is the
only password your ever going to need to remember ever again, but it better be
damn good. Instead of just being twelve characters it should be a line from your
favorite movie that you'll never forget, or something like that...
Adam: But not that because that's human readable and so if it's human readable
then it's brute-forcible but, but I understand what you're saying.
50:40
John: And then when you add in something like what I was talking about earlier
like brain wave authentication then you don't even need to remember passwords,
it's literally just you and nobody could possibly replicate that unless again
they found you and held a gun to your head and said "authenticate and send me
all your everything," you know and people can do that now with analog data so
it's like...
Adam: Make them an offer they can't refuses so to speak
John: Exactly and so I don't see, some kind of new threat models emerge, but when
it comes down to it I don't think it's a show stopper, I don't think it's going
to get in a way of this technology becoming that next evolution from the
personal computer to the personal cloud that I forsee it being.
51:23
Adam: So we started this conversation talking about trust, talking about how in
a system where you're meeting new people and you want to do business it's really
difficult to do anything when there's no trust in the system, and so we have
systems like Bitcoin that come around, look at this problem they say okay the
solution is to simply remove all the trust from the system, to not trust anybody
and to make it entirely about what is real and what is now, so with Bitcoin the
analogue here is ownership, is if you have a Bitcoin it's not like I owe you a
Bitcoin and so then you have to rely on me to give that to you, if you have it
then you have it, if you don't then you don't, it's very straightforward either
on or off, no middle ground.
John: And I would actually even amend that to say it's not ownership, it's
control. You don't own your Bitcoins, don't pretend you do, you only control the
private keys, and that control could be easily be lost if your system--
Adam: But isn't that control ownership? I mean, what defines ownership?
52:17
John: I mean, it's semantics, really. It's semantics more than anything. Control
is ability to manipulate whatever it is that we're talking about
Adam: Okay, sure, I'll buy that
John: and i would even go so far as to say exclusive ability at that moment in
time. Multiple parties can be wrestling for control of certain things, and with
Bitcoin coin flip as you said it's very binary, you either do or you don't.  you
know when your private keys are compromised, the Bitcoins are leaving your
account immediately and you'll never see them again, unless you can find the
wallet they moved to get those private keys, and you know.
Adam: A little bit of Spy Vs. Spy.
52:56
John: I mean it was just a semantic thing I wanted to throw out there, just for
the listener to maybe ponder a little bit.
Adam: Well I think that's a well-made point, you know but trust is hard. Trust,
you know another analogue to it beyond control is faith. Because it means that I
have faith in you, if we're trusting one another, that you will follow through
on what you're saying. When you have nothing that actually mandates that you do
it. The solution that that you advocate is reputation, and reputation that isn't
necessarily tried your social security number, or tied to exactly who you are
you know in real life but just that's tied to past actions. And I think it's a
really interesting idea to differentiate between trusts that is built on
identity, versus trust that is built on action and I wanted to know what you
thought about.
53:48
John: Well we have to connect those two things, because how do you know that
the past actions over here were undertaken by the same person that's over here
that you're trying to trust, and so there are identities involved, it's just not
necessarily identities as we think of them today.
Adam: well you said identities, I think that's kinda what I'm getting at here is
that again we get back to this idea that it's about action rather than identity.
Action can lead to identify, if you somebody who does something and and that's
the thing that you do, you build an identity around those actions, it's not that
the identity necessarily has to come first, it's just you're right they do get
tied together.
John: This is this is true and that's a good point that you make right there, is
that in reality identity isn't just a piece of paper that says a name and a
social security number and an address, it is who you are and what you do no
matter how many different pseudonyms we have on the internet, we are seeing
ego-consciousness undertaking actions in many different venues, in real life and
on the internet.
54:51
Personal clouds, the way that they're going to enable this full granular control
of identity, it's going to allow for people to build a reputation around a
singular, what I'll call a cryptographic identity. Because ultimately that's what
this whole this whole thing is built off of, is cryptographic authentication.
So you'll be able to have a reuptation rating that's built around this his
cryptographic identity and then the face of that identity can vary depending on
what context you are entering into.
55:22
So again what your co-workers see might be different from what your family sees
from what your best friend sees, your reputation score which is associated with
your personal cloud, is the same no matter which which of these things you're
facing. You might not show your reputation score to everybody, but you're not
going to really be able to change it. Depending on the reputation provider, of
course. If you control it then you can manipulate the numbers say whatever you
wanted directly, the reputation ratings,
55:51
Adam: So we get back to that verifiable thing.
John: So we get back to that verifiable thing, where the whole personal cloud
network is built off of this trust framework, basically you--
Adam: When you say trust framework I think that another way to put that would be
it's built on a set of rules right, rules by which people are judged, by which
actions are judged you know, because if you're generating score you have to be judging
things, you have to be saying this is something that gives you more points,
verses this is something that does not give you more points.
56:19
John: With the basic trust framework in place where you contract with a personal
cloud service provider, they describe to me exactly what they're going to do
with your data, and if they ever break that contract then everybody else whose
party to that contract, being you know all of their other members, all of their
business partners, all these people are going to see that reneging of the
contract, and respond to it. Whether it's with ostracism, or demanding that you
be compensated, any number of different steps that can be taken to pressure this
organization into to make the situation right.
57:02
If they refuse then comes the ostracism, where they're just booted out of the
network and they have to create this reputation from scratch or try to find
somebody else who will trust them into a new network, right but if they know that
they they have a reputation for deleting all of your data, or you know not
backing it up,
57:22
Adam: being a bad actor
John: being a bad actor, if they have a reputation for being a bad actor then
they're either going to get trusted into a network and put on a very tight
leash, or they're just not going to accepted at all. And so very quickly bad
actors are kind of weeded out of the system.
57:41
Adam: And it's important here to note that this is possible because there's a
lot of competition in the space, that's the idea, is that all this is
essentially an open interoperable platform and so it's not like Facebook where
Facebook does something wrong and you're like "oh, well, I'd like to quit
Facebook but where would I go?" You know, all of my data is there.
57:54
John: Exactly. So the competition part is very important because without
monopolies and cartels can easily form. Because this is an open peer-to-peer
platform, why would I do business with a bad actor when I have all of these
really good candidates over here that I can deal with?
58:16
People are going to have to watch their behavior. They really are going to have
to work hard to build trust and then keep it.
58:26
Adam: Yeah, the keep it part is really an interesting point, because like you
said, again going back to Facebook, I don't mean to harp on them so much,
Facebook didn't start off with this model, where they were sell your customers'
data, monetize everything possible because you can't figure out how to make
money from any other way but is that once you've got the network effect there,
then there's all this built-in incentive to stay, including your data, so
everybody else is there.
58:49
Because all these cloud providers are interoperable and it won't matter you
know, I can talk to you on G+ while I'm on Facebook in this sort of situation,
then again the network effect is no longer applied on a company by company basis
or a provider by provider basis, instead is almost just the entire cloud, the
idea of personal clouds or enterprise clouds is the thing that has the potential
to get viral rather than any particular provider in the space.
John: Exactly, and that's what's important to note about personal clouds, is
that kind of like Skype or like Bitcoin, it's a viral technology where you need
other people to be participants in the network for it to be tangibly valuable to
you.
Adam: Like a language
John: Like a language, the concept might be like a million dollar idea in your
head but if no one else is using it then it's not a million dollar idea, just
like Bitcoin,
59:46
early adopters of Bitcoin saw something that was really awesome, that has a lot
of potential, nobody's using it, so I'm going to send ten thousand Bitcoins to
get a couple pizzas.
59:58
Nowadays we look at that like crazy, you're insane. That's because the network
is that much more valuable and therefore Bitcoins itself is that much more
valuable. And so similarly, early adopters of personal clouds, it will be a
tight-knit community, we're all just kind of like talking to each other, and
talking about how great personal clouds are going to be one day, trying to on
board is many of our friends and family as possible, it's not going to be
anywhere near as much friction as trying to get people to start using Bitcoin
because as soon as your friends are using it, its valueable. You know, I don't
do business with my friends, using Bitcoin with my friends doesn't really, it's
like a novelty, it's like "hey I can pay you back for lunch you got me the other
day", you know stuff like that but like for the most part I'm doing business
with for the most part strangers, just people I trust because they have a good
reputation on the internet.
60:47
Which goes back to the reputation part. But you know with personal clouds,
they're immediately valuable once you start having like that tight-knit, if just
my friends and family are using it it's valuable to me
Adam: It's still valuable even at that low-level, local level
John: In fact, that is one of those reasons why it's most valuable. That's who
I'm having sensitive conversations with that I don't want Facebook's or Google's
employees reading in on.
61:11
Adam: let's play a dangerous game here, tell me the future on this, how far out
are we from a normal person being able to go and sign up with a personal cloud
provider and get into this system?
61:20
John: I did an interview with Drummond Reed, who was the cofounder of the Respect
Network that I referenced earlier, Respect Network is a network of cloud service
providers who are all agreeing to that Respect Trust Framework which governs how
data will be used.
61:40
Drummond said that beta testing will begin in the fall of this year. And that
beta testing, I am a member of developer alpha testing of a personal cloud
platform which was designed, I believe by Newstar in collaboration with Project
Danube, they were signing people up at the Internet Identity Workshop which I
attended earlier this year.  You know, I signed up right there on the spot and I
played around with it a little bit, it's pretty cool.
Adam: So not too far out
John: But yeah, really not too far out. This isn't like the singularity, where
we have to wait for twenty years to see if it happens, this is something that's
going to be available to people on a commercial level by next year at the
absolute latest.
Adam: So John Light, for people who want to get in touch with you or get
involved any of your projects, how can they find you?
62:35
They can reach me on twitter, @lightcoin, or through my blog, www.p2pconnects.us
62:47
Adam: Thanks for joining us on LetsTalkBitcoin today.
John: Thanks for having me on, Adam.
63:03
You've been listening to Episode 21 of LetsTalkBitcoin, if you liked, loved or
hated the show we want to know what you think. Please email all feedback to
[email protected]
63:12
Thanks to John Light for being the exclusive content provider for this episode.
Music for this episode was provided by Jared Rubens, and Lucas AMKC.
63:23
Stay tuned for Episode 22 of LetsTalkBitcoin, releasing Tuesday July 9th.
Thanks for listening.