Click for Full Transcript

Intro  0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.


Justin Daniels  0:35

Oh, Justin Daniels. Here I am a technology attorney who is passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as help them manage and recover from data breaches.


Jodi Daniels  0:54

And this episode is brought to you by Oh, we have like a simple Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, fast ecommerce, media, professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit You ready? For some fun today?


Justin Daniels  1:30

I am getting close to our big trip.


Jodi Daniels  1:33

It is but we’re not gonna talk about okay, yep, let’s stay we’re gonna zero in on David Lucatch, who is the CEO, President and Chair of Liquid Avatar. For 35 plus years now, David has cultivated his expertise as an entrepreneur developing several forward thinking technologies, and taking them to market today, his focus is on his latest adventure, and mission to empower individuals to better manage control and profit from the use of their identity and all related personal data through self sovereign identity are known as SSI solutions. So David, welcome to the show.


David Lucatch  2:12

Thank you. It’s great to be here.


Jodi Daniels  2:14

We’re so glad to have you. So we always like to get started with understanding how you got here. So it sounds like you’ve created all kinds of different technologies, if you can kind of help us understand a little bit of that path and journey. That would be wonderful.


David Lucatch  2:29

Would that be? Well, I think we only have a short period of time. So I’ll keep it brief. But I started in the internet space in the mid 90s, when the internet was just being, you know, born for the general public and really focused on on where consumers needed to be. And, frankly, e commerce didn’t even exist at that time. And we approached Visa MasterCard, I’m from Canada. So we approached them in Canada, and said we’d like to help develop technology to allow Canadians to be able to purchase products online. And it was um, it was a bit of a challenge because for those that know, e commerce might remember that. And most people won’t, that Harry Potter was the impetus for E commerce in the US were scholastic allowed users to buy a book online and get it two days early. And that really was the the the, you know, the tipping point for ecommerce getting started, Canada was a little bit behind our banks are a bit different. And one of the solutions MasterCard and Visa wanted to have was to be able to put a card reader inside a three and a half inch floppy disk. And we said no, we think we can do better. So we we created the packet transfer system that ultimately became the generally used program that that everyone in Canada uses to type in their credit card information. And we went from there and moved into incubators, created abilities for companies to start their own internet based business. And we supported them supported the University of Toronto and some of the people there. And then we moved into artificial intelligence and machine learning and natural language processing, and developed a instant translator for chat and other services that was used by gaming companies and everyone to allow people to chat in one language and receive it another today. Again, it’s very normal, but back then it wasn’t. And then I decided about five years ago to really pursue another passion which was the blockchain industry. But I want to look at crypto we looked at compliance and identity and that has brought us to where we are today.


Jodi Daniels  4:40

One of your favorite topics.


Justin Daniels  4:42

Yes, we will delve into that.


Jodi Daniels  4:46

Indeed we will but before we do I have to admit I did not appreciate that Harry Potter was the impetus for E commerce and our budding Harry Potter fan. Really appreciate that. did go into your blockchain fan. I wouldn’t want to hold you back.


Justin Daniels  4:50

No, I think we should start by asking exactly what does Liquid Avatar do and talk to us a little bit about how taking identity to the next level by leveraging biometrics and, and blockchain?


David Lucatch  5:13

Well, you know, in in, at the beginning of every journey, you’ve got to look at where both the opportunity and the challenges are. And as, as we move into web 3.0, you know, having come from an information based platform, which the internet was originally into socialization, we found that there were a number of issues. One was that I could be anyone and there’s an old meme that it says on the internet, anyone can be a dog, right? So so no one knows who we are, how we do things or where we’re from. And that route of trust has not appeared really on the internet. And companies and organizations have been pilfer, they’ve been swindled, individuals have been bullied and attacked. There’s so many reasons that we have a Root of Trust in real world. And I can see you know, who you are, maybe have met with you, and I can trust you. But on the internet, I don’t know if you’re a doc. So so we looked at where the intersection of identity and, and good practices of the internet should exist. And believing that although we’ve been around the internet since the mid 90s, that the internet has been broken, since that, because you’d never, you’d never run a business and say, if somebody steals from us, don’t worry, we got you covered. And that’s unfortunate what the credit card companies have really had to do, because there’s been no way to verify as someone who uses the card is in fact that person. So so by by looking at the holistic issue, and starting with the human challenge, we’ve put together Liquid Avatar, which allows users to create, manage, control the way that they use identity in the online space. And in fact, in the real world, in compliance with the emerging standards that are starting to appear, whether it’s GDPR, whether it’s CCPA, being European, European General Data Protection Regulation, or the California Consumer Protection Act, or the pan Canadian trust framework, or the CRA in Australia, all of those basically say that the consumer needs to be in charge of their data, they need to manage and control it. And that’s where Liquid Avatar comes in, to help users do that in a way that they own and manage the data, not us.


Jodi Daniels  7:43

So can you help walk us through an example? So how would someone use the product? What does that look like?


David Lucatch  7:50

So let’s take an online example and a real world example. Because that’s probably two ways to look at it. Because everybody thinks of SSI or self sovereign identity or decentralized identity DCI as as an online opportunity. But there are many opportunities to use digital identity in the real world in the conventional world, the physical world. Now, I’m sure both of you drive, but I don’t think either one of you got a driver’s license so that you can buy liquor at a liquor store, right. And so the most common form of identity that’s used to purchase alcohol, or cannabis, where it’s legal or other restricted products is a driver’s license. And none of us get a driver’s license to be able to prove who we are. So, and with the emerging rules, regulations and laws, the information on the driver’s license is really too much information to give to someone who needs to make a decision. If you’re of age to purchase that. Now, I don’t think we’d want our children exposing unnecessarily data in the online world. Why do we expose it in the real world? Why does a clerk need to know where I live to allow me to buy a bottle of of alcohol? It doesn’t make sense. So we’ve designed and have proof of concept. And we’re just moving into market now with a system that allows the clerk to present a user with a QR code and it’s not a transactional QR code. It’s a it’s a QR code that allows a blockchain engagement to start, so the QR code changes all the time. So a clerk presents a QR code to the consumer wants to buy a bottle of liquor. The consumer uses our app to read that QR code. The QR code then asks for the AR consumer to present information to the clerk system, the store system, and usually it’s I an age verification, I don’t need to present my address and I the clerk can ask electronically for what I need or what they Need sorry. And we present back that information. We validate it by using our biometrics to prove that we are who we are. And and the clerk receives a green checkmark or a red X, saying I met that age requirement to purchase that product. So at no time is called predicate proof at no time, did I transfer data to that clerk, telling them things that I didn’t want them to know, I just gave them an indication based on information that was previously verified in a verifiable credential inside the app that I could prove who my age, not who I was, but my age should that clerk standing in front of them without revealing any information, the same can be held true online. So challenges are starting to appear. mainly in Europe, there was an article this morning about Germany. But Europe is really adopting a situation where if you want to consume content that is of an age restricted level, or you want to buy products that are age restricted, you need to prove who you are online by age. And you might have to prove that you are a real person as well. And by using biometrics to in a sure that someone can get access to that app, and then providing assurance through the transfer of verifiable credentials, we can prove that someone is of age.


Justin Daniels  11:25

So thank you, David, can you talk a little bit about how blockchain plays a role, I assume it must be around the data that’s being collected that goes into the QR code and is decentralized?


David Lucatch  11:37

Well, really where it does is, and I’m gonna make, I know, you have a long winded answer, but I’m gonna really now compact this, if you walk into us a, I’m going to use in the US a debit card, because it’s a better example, and purchase something, you’re asked the merchant says, I want to verify that you can pay for that product. So there was a verifier, as the holder of the financial instrument, you present that to the verifier. And usually their payment system, it goes through the processor, that payment terminal, and connects with the issuer being the financial institution that that issued your card, your debit card, and that information, words around checks, balances, does all that stuff. And then it says, We need to know if this is who who holds the card, then you put in a pin. And that’s the that’s the challenger. And and so that process happens in matter of seconds. By going through an electronic network that verifies real information in real time. What the blockchain does is allows that issuer to verify that you own that credential. And it puts the verification that verifiable credential on the blockchain, not the information behind it. But the information that you were the owner so that we can check the blockchain, whether that credential exists for the issuer, that you are, who you say you are, and that you are entitled to use that credential to private and public keys.


Justin Daniels  13:06

So you mean, so that sounds like it’s a different use case for probably non fungible tokens that are designed to do exactly that.


David Lucatch  13:13

I can’t, I have trouble saying that non fungible tokens can do that. Because non fungible tokens are transferable, verifiable credentials are not transferable, and can’t go into more than one wallet. Now, you can use a non fungible token as an access point. But that does not prove that that you are you meet the requirements that may be required outside of that. So an NF, an FTO. Will, will provide you access, but it won’t prove that you that you have the underlying credentials to use it.


Justin Daniels  13:49

Okay, that makes sense.


Jodi Daniels  13:51

So what do you think, in terms of the future, how digital identity is going to evolve?


David Lucatch  13:58

Wow, I think that’s, that’s pretty simple. Um, many of us are used to using now a digital wallet on your phone, and that’s called an edge base wallet. And it’s, it’s really, in fairness, it’s a control wallet by the provider of the phone. So that really isn’t a self sovereign wallet, because I’m not in control of that. And people in the organizations may know what I have in that wallet. But I think what’s happening is, is we’re, you know, right now we carry a very thick wallet with a limited number of credentials in it. And if we have a lot of credentials, we sort of rotate those out. I know that when I go to the USA, I take out my, my Canadian credit cards and put in us credit cards. I mean, we change things over digital credentials, digital verifiable credentials, I can have a stack of them 1000 high and still fitted into a cloud based wallet, which we provide. And so I think the future of digital identity is the ability to prove who I am, where I am, and not only the thing, not only who I am, but where I go in the things that I do are connected to me If I’m in control of that data, no one else. So if I choose to share information that is at my discretion, not at a corporation’s discretion.


Jodi Daniels  15:09

So, earlier you talked about, we don’t know if it’s a human or a dog on the internet, and in the metaverse I see are the same situations and everyone can hide behind whatever cool picture or identity I feel like having then share a little bit about how you envision Liquid Avatar incorporating digital identity. And this Metaverse.


David Lucatch  15:33

We’re already starting that process now. So let’s start with that there’s three different types of identity. The first one is no identity, which is what we’re used to. Everybody just goes on, I’m a human being I’m a dog and cat doesn’t really matter. Someone is on the internet, and ergo could be on the Internet. In the metaverse or other mixed reality platforms, could be in a virtual school could be anywhere. The second one is the ability to prove that I am a real person. Now, we can do that with biometrics. And we can do that with device verification. So that’s a very simple way of doing that. Because that creates one user and one account, because your biometrics and we talked about biometrics, we’re talking initially about facial mapping, we’re not talking about just a picture, we’re talking about facial mapping, we’re not talking about fingerprints, initially, because if I asked you to prove who you are in the real world, you take out a piece of identity. And almost I don’t think you’d have anything with a fingerprint on it. But you certainly have something with a picture on it. And that and that that can be used electronically to create Roots of Trust. So, so the set so first is no identity. Second is a very simple identity that proves that you are a human being. The third one is one that we’re used to if we open bank accounts, or financial accounts, or work with the government, which is what we call KYC. Or know your customer know your client. And that is that is using a passport or driver’s license or national ID card. And we can verify those in 180 countries and prove that they belong to you, because we map your facial recognition against the security features of mapping on that piece of identity. Now, I will tell you that there are countries and there are north of the border where I am in Canada, there are provinces that are moving to digital identity, because it’s it’s faster, cheaper, better, right, you don’t have to issue plastic cards every year or every five years. And if they’re verifiable credentials, and they’re stored in the cloud, if your device is lost, stolen or compromised, they they’re easily recovered. But in the metaverse, we’re starting out with the ability for someone to do some guest services. So you’re not frightening anyone to come in and see what the opportunities are, but you can’t do anything. And then we can do what we call Level two, which is a device and a biometric verification. So we know that the person to the left of us and the right of us is a real person. And the third way of doing that, especially when it comes to areas of vulnerability with children, or other things, or gaming where there’s restrictions, we can do KYC. And so we’ve and we can put data guardianship in so that an underage student would not or child would not be doing their own identity would be supported by a parent. So we’ve worked all of that. And we’re already ready for that today.


Jodi Daniels  18:31

Interesting. I don’t I as a generation that has my physical thing, the idea of losing magnets on a phone I hate to sound like that person of I don’t want to change, but there’s a part of me that feels a little squeamish with that idea.


David Lucatch  18:46

I agreed. That’s why That’s why it’s sort of a crawl, walk run scenario, right? It’s everybody isn’t going to turn over tomorrow. And it’s going to take time. But you know, if I go back, you know, 25 years, nobody wants to use email at the beginning. You know, everyone, you know, if I if I think of really smart people out there thought the internet was a bust, it was going to be just a fad. So we are slowly moving in in direction. You know, I’m sure most people have children out there know that if they want to reach their kids, they’re going to text them, they’re not going to call them. And so when did calling disappear? If you ask them. If you ask a child what a payphone is, you’re not going to get a great answer, or a record player, although they are in kind of sort of coming back. So things do change, and people are naturally resistant to change. digital identity allows me further control over my data and information. And I think we will see a tipping point in the next three years where it’ll just accelerate because we’re already seeing that in Europe. We are so it’s not gonna take long for North America to adopt.


Justin Daniels  19:55

So speaking of time, that’s the perfect segue to our next question, which is, what are the barriers to mass adoption of this kind of identity? You seem to have keyed on one, which is natural resistance, but I have a feeling those pesky regulators and laws might be one of the other issues.


David Lucatch  20:14

Well, yeah. And that’s coming from Laurie, that’s a really good question. But, but, again, I’m not going to talk from from a global perspective. But it when we looked at and we did a good job of being able to connect COVID credentials to a specific user to make sure no one was creating a full a false credential. But we knew that was very, we perceive that was going to be very short lived. In investigating that, we found out that in the United States, there are immunization information systems, and there’s about There’s well over 60 of them, because some of the large cities have their own, none of them are integrated or connected. So that’s a challenge when it comes to information when we take other countries and, and again, I’m not promoting one over the other. In Canada, our health information system is connected to a cart. So we have an integrated system already, when we look at what provinces are already doing, they’re adopting open standards that are being set by industry. So governments are already starting to publish, governing, regulate, and sort of a regulatory framework for how identity would work, and how hixar or HIPAA or P HIPAA, all this will work. It’s all being decided initially by governments, and even in a decentralized environment. Nobody wants regulatory interference until something goes wrong. And then they really want regulators to be there. So I think what’s happened is the governments are softly setting all these frameworks in which organizations like ourselves and and several other leading organizations that were recently identified by by Gartner are using those to develop our services and platforms. So I think we’re embracing partnership with governments and organizations, rather than saying that they’re separate and apart.


Jodi Daniels  22:17

I’d love to piggyback on the privacy regulations a little bit. What are what are you seeing from the different privacy laws? And how these new identities work with the laws? Or how are you seeing kind of any intersection, right? When we talk about biometric data, that’s a really sensitive data point, all the privacy laws keep talking about biometric data. So I was just wondering if you can share a little bit about how it helps or how you’re working through some of those requirements to make sure people are opting in or understanding what they’re doing how you work through that.


David Lucatch  22:53

So so it is a changing landscape. And that’s, that is going to be fraught with, you know, deep wells and a little bit of quicksand. And I think as as industry participants, we see that so we’re trying to move as as quickly as possible. We’ve started with a gold standard, which is GDPR, which is out of Europe. That’s That’s what everyone seems to build against California Consumer Protection Act was, was sort of built on the framework of GDPR. And has gone beyond that. And I think that’s why we’re seeing it’s remarkable, remarkable. And I’m thinking as a privacy expert, you’ll agree, we’re seeing some of the big telecoms and device manufacturer, and California based corporations talk vehemently how they’re there to protect your privacy. And yet your over the years, they have to some of them have been the biggest culprits in in breaching privacy rules. So I think what we’re doing as a company is we’re, we’re working to stay on top of it, we do have privacy consultants that we work with. And what we’re doing is is is notice I said facial mapping rather than pictures, because facial mapping is different data for biometrics, as his pictures are, are often policies or are very explicit. We have them updated regularly. And we know that the landscape is going to continue to change. We we subscribe to the right to you know, to be removed and the right to be forgotten, which are specific rights and different. The evocation of credentials. So there are a lot of things that are are being updated and changing and we’re working diligently to stay within the framework of of the different changing regulatory landscapes.


Jodi Daniels  24:46

It is changing all the time.


Justin Daniels  24:49

Especially when most companies entire business depends upon data collection and monetization. Indeed.


David Lucatch  24:58

So yeah, and we’re seeing that change. I mean, you know, I think a company and I’m not looking to point fingers. But Google has been struggling with that, as they look to remove cookies and come up with new ways to manage manage data and, and topics is one of the recent things that I think they’ve explored. But it is it is difficult. And we’ve seen companies already start to become defunct because of the changing landscape.


Justin Daniels  25:26

Well, David, has we asked all of our guests, do you have a best privacy or security tip you would like to share from your experience?


David Lucatch  25:34

Yeah, yeah, I mean, you know, don’t rely on two factor authentication. So recently, a friend of mine had a custodial account at a major, I won’t say whom, but at a major crypto house that is well known. And between a symport Hack and, and an authentication hack, they lost a substantive amount of money. So I think the key is, is, is you if if you want to keep your data safe, you have to work to keep your data safe. And that doesn’t mean that we all will become victims of of issues. I mean, I was a victim of a sim port hack. And I got I got recovered within 20 minutes because none of my passwords are inside a Google account. So don’t keep passwords inside your Google account. Yet, but But you have to be work you have to work and be diligent at maintaining your privacy and your data because that those are some of your most precious assets.


Jodi Daniels  26:40

So when you are not building companies, and forward thinking for digital identity, what do you like to do for fun?


David Lucatch  26:47

Well, if you can see my background, I am a comic book collector, and have been for well over 50 years. So my my outside passion is is is pop culture and outside of my family, because I spend a limited amount of time I can’t with my family and my dog. But it is it is really in the pop culture realm. I’m an avid comic book collector. And I was fortunate enough this past year to work with a group that I became a comic book writer and publisher. And I will say at our Metaverse, aftermath islands are our storyteller is the CO creator of Deadpool. So we’re really connected to the comic book industry.


Jodi Daniels  27:30

Very exciting. Now if people would like to learn more, or connect with you, where’s the best place for them to go?


David Lucatch  27:36

They go to And I’m on the only David Lucatch on LinkedIn so they can reach me there. That’s probably the best way to reach me. And I look forward to having discussions with anyone that’s interested in this topic area.


Jodi Daniels  27:52

Well, thank you so much for sharing. It’s really fascinating and interesting. We’ll see what the future Metaverse and beyond. Thank you so much for joining.


David Lucatch  28:03

Thank you for having me today.


Outro  28:08

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.