As the promise of decentralized technology intertwines with the increasing need to comply with data privacy regulations, a paradigm shift is underway – web3 is now facing intense scrutiny and a call for self-regulation. Demands for user privacy and data security are gaining momentum, particularly within DeFi, which until now has often operated in a regulatory gray area. As web3 matures and builders explore new use cases for value generation, growth for the ecosystem now hinges on one crucial factor: Decentralized Identity.
Julio Santos, Co-Founder and CTO of Fractal ID, recently spoke with Rachel Wolfson of Cointelegraph in an interview at APEX that explores the growing relevance of decentralized identity, regulatory challenges, where the idOS fits in, and the Fractal ID vision to build the user-owned data identity layer for web3.
Read the key excerpts in this blog post!
Watch the full interview here: https://www.youtube.com/watch?v=4YO5RU9tV4g
What are the main objectives of Fractal ID?
The blockchain industry is where we started from day one and it’s where we’ve worked with different clients and projects. This is a very particular space in many ways. It’s got its own ethos, its own type of user, and its own tech stack. We are an identity verification company first and foremost. Before we started to build, we started to understand, which in turn has helped us to thrive now. We’re not part of this growing graveyard of decentralized identity projects that became deserts because nobody bothered with the mess that is identity, regulatory compliance, and user support. We did that and this is what is causing us to win today.
What we’re building now is something that we call the idOS – the identity operating system. It’s the culmination of all of our learning and all of our experiments. It is a chain-agnostic protocol for self-sovereign data management. With the idOS it’s your keys, it’s your data – you are in control of what your profile says, who gets to say things to it, and who gets to see what’s in there. You can always at any point, edit, delete, or create data for yourself, which nobody else can do. For dApps, we are making sure that user data is something that can be shared with them with your consent and without you having to download extra tools like data wallets.
The best part about this is that we’re not building it for ourselves as a way to provide our service. This is an open system. We’re building this with, and Aleph Zero, Kwil, NEAR, Gnosis. It is a common good, where other identity verifiers like us can come in and permissionlessly issue credentials for their users. We’re doing this because it is just the right thing to do which, incidentally, is the best possible way of complying with data privacy regulation.
Why is decentralized identity important in web3 and why are we seeing an increase in its relevance now?
Everyone is coming to terms with the fact that this is no longer the wild west where nobody’s looking. We’re under huge scrutiny with calls for self-regulation. So the idea is, let’s figure it out ourselves before the law falls on us and I think identity is a core part of that. Today, a lot of the blockchain is still about financial products and those fall under umbrellas of regulation that DeFi isn’t really prepared to deal with very well. That is why we are building what we are building.
We’ve been trying to launch a system like this for the past five years and now finally people realize that identity would be core to web3. That is because even though it’s poorly done in web2, identity is also core there, and all of the value that’s generated is primarily generated around identity. Everyone is starting to understand that if we’re gonna do more than just finance and compliance, like other types of value generation, bringing identity optionally to web3 is something that is going to unlock all of that.
How is Fractal ID addressing user privacy and security in the blockchain space?
That’s a very dear topic. As the CTO of Fractal ID, it is my responsibility to make sure that the users we have stay protected. I am right now in control of a database with over a million passwords that I have access to. For six years we haven’t had a single data leak, which I’m very proud of but I’m still vulnerable to the classic $5 wrench attack and it is still possible if somebody went through me to get access to all of this.
What we’re doing with the idOS is that we’re making sure the data that is stored is not something that we can or anybody can see – it is encrypted using public key cryptography with the user’s key, so that only they can actually decode this data, and then potentially share it with somebody else. Because it is not written on-chain, it allows for a key rotation for users to change the password that they want to use to re-encrypt their things in the future. This completely dissolves this honeypot where normally if you get access to a web2 company or a web2 database, you can get access to everything that is in there. However, with the idOS, it doesn’t really matter even if in the unlikely scenario, you find a way to get in. Each single piece of data has its own key that belongs to the user, it is not a honeypot in any way. They are as private and secure as they can get.
There are obviously a lot of fantastic decentralized identity solutions and storage solutions out there but what folks aren’t thinking about so much are requirements with regard to, say, data locality within GDPR. I can’t use simply IPFS as my database for my user data because that will violate a lot of provisions. What we’re doing with the idOS is making sure that this doesn’t happen.
For example, node operators right now have to sign agreements containing the GDPR standard contractual clauses with us to ensure that the data is processed in certain ways and that the data is hosted in certain places, but even if it weren’t, it’s all encrypted, and everyone is safe. This is something that nobody has built before and it’s something that is becoming harder and harder to deal with because everyone is looking to offload the storage. That is what we’re here for; identity or otherwise.
Has it been challenging to ensure compliance with certain data rules and regulations in different regions?
If you ask me in the short term, I’m going to say no. It was a breeze, but that’s because we’ve been doing this for 5-6 years. We’ve always had a very smart legal team that is very excited about crypto and the possibilities that it brings. We’re constantly trying to find ways to present solutions to regulators where they can see that their goals can be met in a way that is better for everyone. If only decentralization is more adopted and we have researched exactly how to deliver technical solutions that are advanced and decentralized without scaring away the regulators, and in fact, show them how this furthers our goals even more, they have the mandate to protect us.
Fractal ID is being utilized for dApps within the web3 ecosystem, but do you hope to see some web2 companies adopting the technology as well?
As a business person, sure, I suppose that’s revenue, but to be honest, I don’t really care. I would much rather see those web2 companies become web3 companies and then adopt our service. Companies in the blockchain space have very different needs and one of them is they built their backends on-chain. They’re not web2 backends. They can’t call off APIs and so, all of our tech stack, and the way we deal with our clients, users & community is geared towards the web3 ethos, so we don’t do any outreach or entertain any leads from the web2 space, because it’s really not what we care about. We’re not going to need them because web3 is going so fast.
How does XRPL stand out from other blockchain platforms? Why is it a good platform for use cases like Fractal ID?
XRPL was built with a very specific ethos and care in mind. Take deposit authorizations – you can make it so that only folks that you will allow can transfer XRP to you, or token trust lines for example. All of these are primitives of the metric and this makes sure that you can’t just be sent a token and suddenly be seen to own the token that you never wanted in the first place. So this insight, that your address is also part of your identity and ergo it should also be fully yours to control is something that you will see in the XRP roadmap from the beginning. Now with this new proposal, the XLS-40d with the DID on-chain is yet another confirmation that decentralized identity is something that XRPL pays attention to. What we’re building is eminently integratable with a DID primitive in XRPL and we do look forward to working together to make sure that our solution is also available there.
- Blockchain is still about financial products and those fall under umbrellas of regulation that DeFi isn’t really prepared to deal with. Bringing identity to web3 will unlock new use cases.
- The idOS is a chain-agnostic protocol for self-sovereign data management – your keys, your data. The idOS allows other identity verifiers to come in and permissionlessly issue credentials for their users.
- Data in the idOS is encrypted using public key cryptography with the key of the user, who has absolute control over decoding and sharing the data.
- Fractal ID’s tech stack and interactions with clients, users & community are geared towards the web3 ethos.
- The insight that user addresses are part of their identity and should be individually controlled is shared between Fractal ID and XRPL.