Guest blog: Steve McCown

· 7 min read
Guest blog: Steve McCown

Anonyome Labs was founded in 2014 to give people control and freedom over their personal and private information. Based in California, Utah and Australia, the company has deep expertise in security, identity management, authentication and authorization, cloud, privacy, and cryptography, and equips businesses with cutting-edge privacy and cybersecurity solutions that seamlessly integrate with existing offerings and systems. 

Anonyome Labs Chief Architect and DIF Steering Committee member, Steve McCown, talked to us about how the company is using Decentralized Identity to drive interoperability and usability of their products, his involvement in DIF, and decentralized identity standards work. 

What does Anonyome offer, and who are your customers? 

We started 10 years ago, when we noticed that people’s personal and private information was being collected and used without their permission. There were certain contact points that industry was using to triangulate people’s behavior, such as phone numbers and email addresses. So we developed an app called MySudo that gives users the ability to create contact sets and associated pseudonymous profiles called ‘Sudos’, consisting of an email address, phone number and a one-time or reusable credit card number. 

People already had separate home and work contact details, so we took it further. With MySudo, you can create Sudos for your online purchases, for hobbies, for travel, and so on. Our mission was to create separate IDs, so when a hacker steals data from websites, or data brokers buy and sell your online activity data, they can’t correlate your home activities with your work activities, or your social activities with products you purchase. This increases your privacy by disrupting how your data can be correlated. 

Individuals use MySudo to privately communicate back and forth, share files, and so on — for all their usual digital activities. We also have an Enterprise-grade platform with all the same capabilities, which we license to organizations who incorporate these privacy-enhancing services into their own offerings. There are some very notable companies you would have heard of that are providing a white label version of our privacy-enhancing technologies to their customers. We’ve also been working with national governments to help preserve their citizens’ and commercial entities’ private data. 

What got Anonyome interested in Decentralized Identity? 

Anonyome is focused on creating strong privacy-enhancing and secure identity tools for everyday users.  The MySudo product is a great example of how internet users can control their privacy during everyday activities, such as email, texting, calling, and purchasing.  The critical privacy and security requirements for these elements are greatly enhanced with decentralized identity elements and protocols.  

In a previous job, I worked for the US Department of Energy as a cybersecurity exploit researcher, so that’s part of my mindset. How would someone take advantage of existing identity paradigms? It’s not just about all the good that everyone is trying to accomplish, it’s also about how an adversary might leverage identity technologies for illicit purposes. That concern is what led me to engage with Decentralized Identity and keeping the crypto keys, passwords, tokens, etc. within your own digital wallet. Because if you control the keys, you can better control access to your data assets. 

The other thing that got Anonyome on this track is that strong crypto environments like Signal were emerging as closed ecosystems. If someone wants to use Signal, they also need to convince others to adopt it, too.  For a lot of users, that can be really hard. Decentralized Identity provides a way to create an open encryption environment and keep the strong cryptography while also bridging across ecosystems.

While we may have competitors in parallel spaces, it benefits everyone if we can increase secure communication between applications that users enjoy using — this secure cross talk between applications becomes a rising tide that floats all boats … customers, companies, everyone

Interoperable security is the next evolution that extends beyond closed secure ecosystems, and we’re working to be interoperable with lots of other decentralized identity providers and users. This is why Anonyome has tasked me to work in the standards orgs. If we can collectively solve security and privacy issues at the identity standards level, then we will have a way to realize our goals for secure and private interoperability between applications … and people. 

What is driving Decentralized Identity uptake, in your view? 

There’s tremendous interest in Decentralized Identity. I credit a lot of this to GDPR. The EU has assigned significant liability and penalties for data breaches. Faced with these very large fines, companies are trying to figure out what they need to do to protect users' privacy, since this now affects their bottom lines. While some are doing the bare minimum, others are doing a lot more. There’s also a lot happening in Europe with the Digital Identity Wallet. We want to be interoperable with these standards and the services that implement them.  So we've been reviewing the EU’s Architecture and Reference Framework (ARF) to find out what identity, credentials, proof types and so on we need to work with. 

Privacy at the legislative level is no longer just an EU thing. For example, there are new laws in Utah (US) that mandate that state government organizations can only collect the data they actually need, keep it only as long as authorized and then destroy it unless retention regulations require that they need to retain it. I serve on the Utah Privacy Commission and we’re very strong proponents of this. We will receive presentations from state agencies and give our feedback on what enhances privacy and what needs additional work. There is a real appetite among government officials for better privacy. 

There’s also growing awareness of the potential problems associated with working in the cloud. For example, if you store your data in the cloud, it may be encrypted, but where do the keys go? If you don’t control access to the data access keys (or a provider does this as part of their service), then your information may be insecure without you really knowing it. Recently, there have been some very large data breaches, which seem like about once a month. In response, people are receiving emails saying “your data has been stolen, so here’s 3 to 6 months of free credit monitoring”. This almost seems on the level of “security theater” where companies are doing something, but it’s not very useful and doesn’t solve the problem.

Decentralized Identity can augment many existing services.  For example, DI capabilities can be used to encrypt my files before they are sent to a cloud storage provider.  The cloud storage provider can then work their storage, retrieval, and replication magic without having access to the unencrypted files. As long as I control the encryption keys, my data can only be decrypted by me. 

That’s just what’s possible with file storage. Decentralized Identity is also delivering a wide range of interoperable privacy-enhancing capabilities for communications systems, identity control, access management, digital credentials, and so on. 

That’s what I see happening with DI. If implemented as designed, we’re going to put privacy and security control in the users’ hands. Then we can continue to enjoy many wonderful cloud services while we will be able to control access to our own data. 

What is the value of open standards for Anonyome and your customers? 

We’re huge fans of open standards. We try not to build systems that are proprietary from an interoperability perspective. We strive to ensure that all of our interoperability points are based on industry standards, so that we can communicate with other platforms and they can easily communicate with ours.  Embracing DI standards means if a user wants to use a particular platform, then they don’t have to convince others to use it before it's useful.

As a quick analogy, we’re aiming for the interoperability of email combined with the strong security and authentication of a secure communications application. Pick up any old email app and it will work with most any other, but the security isn’t there. If you work for a large enterprise, they may have put something like S/MIME in place, but when you or I get a regular gmail account, that’s not something we typically add. This is primarily because it’s too hard for users to manage the certificates and so forth. Today, this means that emails are typically transmitted in the clear and not end-to-end encrypted. DI facilitates privacy-enhancing and more secure interactions, which is a key reason why we’re working with these technologies. 

As someone who is involved with DIF, W3C (the World Wide Web Consortium) and the Trust over IP Foundation, what do you see as their respective roles, and the differences between them? 

We’re super excited about each of these organizations.  W3C has spent a great deal of time and effort to create DI’s main building blocks, namely, DIDs and Verifiable Credentials.  W3C is continuing to actively refine and extend these elements in order to facilitate many enhanced DI capabilities.

Trust over IP has created an excellent DI paradigm for illustrating how all of the DI components connect and interact.  These layers depict how DIDs are anchored in a Verifiable Data Registry (such as a decentralized ledger), how DID-based communication takes place, how Verifiable Credentials fit into the ecosystem, and finally how a top layer governance model shows all participants in a system what the systems rules are.

What brought me to DIF was getting involved in DIDComm (Decentralized Identifier Communications).  I see this as one of the main attractions in DI.  As I had been participating for a while, I volunteered to become a co-chair with Sam Curren.  This gave me new insights into the community standards-building processes and in particular key details of the DIDComm protocol.  Later, Sam nominated me as a candidate during the Steering Committee elections and I am honored to have been elected to the SC.

I see DIF as one of the leading development organizations where implementation happens. While other organizations focus primarily on creating a range of standards and documents, which is vital, DIF typically focuses on producing a variety of working software that is based on industry standards such as Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs).  This makes DIF a key provider in the larger symbiotic DI industry.  

All of the various standards organizations are distinct and have different missions. DIF fills a critical void that traditional standards organizations don’t typically emphasize. The term incubator is a little outdated, but that’s part of the role that DIF performs. Everything in DI has started with a few people getting together and having a conversation about how to design, build, or enhance some particular technology element. This leads to standards being created.  At some point, usable code libraries are created using the standard base elements and then those are combined into larger protocols, services, environments, and so on. 

There’s a whole lot that needs to happen in this process, and a lot of that work happens at DIF. 

If your goal is implementation right now, that’s where DIF excels. It’s where companies come to pick up architectural designs and reusable code libraries they can use in their products today.