Hi, I'm Nick.  Welcome to my internet brain.  I'm a partner at Union Square Ventures where I invest in internet applications and infrastructure.  I live outside of Boston with my wife and two kids, and spend a lot of time in NYC, SF, DC and Europe.

Latest posts

Cryptographic Identity

Last week I wrote about the inherent tension between data portability and privacy, and suggested that one solution would be an exportable “privacy context” that could travel with ported data. Such an approach, however, would require a notion of identity that is broader than a single account at a single company. Rather, it would require the linking of one or more “proprietary identities” (i.e., accounts at tech companies) with some type of “cryptographic identity” (private key) that really “belongs” to that person and represents them in a more holistic and permanent way.

This is not a new idea. Since at least 2017, both Keybase and Blockstack have enabled social media users to attest to a linkage between social accounts and a cryptographic identity. Here’s what it looks like on Keybase, and here’s what it looks like on Blockstack. Neither Keybase nor Blockstack is currently promoting this routine front & center, as it is admittedly a geeky thing that appealed (back in 2017) to identity explorers, but not to mainstream consumers.

But today, we are starting to see some new signs of life on this pattern, and I think we may be nearing some drivers that have the potential to bring it to mainstream scale. They are:

1/ Fun. It may be that some sort of social game figures out a way to bring crypto identities mainstream. For example, 2100 is a project that popped last fall, which let people issue tokens corresponding to their Twitter accounts. Interesting idea, though it seems to have lost some steam, at least for now. Another project that’s looking to connect crypto assets / identity to social identity is Roll, which lets anyone create “social money” connected to their social identity. You could imagine this taking off with social media influencers with large audiences, who are already super good at finding ways to commercialize their online presence.

Combining fun and money can be powerful. And from that, I think some of the more principled / architectural components will become more obvious and valuable over time.

2/ Privacy & Security. Speaking of Keybase, where they have focused more recently is secure, encrypted messaging, as a consumer use case building off of the core infrastructure. Related are two separate projects called “Dmail” — dmail.io and dmail.online — the former lets you encrypt emails that you send across unsafe channels (like Gmail or any other email client) and the latter is a full system for sending private emails. One of the things you get with a cryptographic identity is the ability to encrypt and sign messages. It makes sense that this will be at the center of a driving consumer use case. Privacy is more of a mainstream feature every day, and it can’t just be Apple that provides it.

3/ Compliance. Compliance is where this post began, thinking about coming regulations around data portability, interoperability and privacy, and where I’ll end it. While I don’t expect that we will get direct guidance towards cryptographic identity from regulators, it may be that cryptographic identity becomes clear as part of various compliance solutions.

For example, all payments systems need to comply with so-called Know-Your-Customer (KYC), Anti-Money-Laundering (AML) and sanctions rules, including the so-called Travel Rule which requires that both senders and receivers of funds verify identities. On the surface, cryptographic identities are digital bearer assets and would therefore seem to be at odds with formal identity systems. However, it may be that we come to use cryptographic identity components (e.g., blockchain accounts, digital signatures, or even non-fungible tokens) in creative ways to satisfy some of these requirements, vs. traditional methods employed by companies like Persona, Alloy and others today.

To tie it all together: In this week’s “On the Brink” podcast, Nic Carter and Matt Walsh from Castle Island Ventures talk with Balaji Srinivasan about social media handles as property, which potentially combines both the “fun” and “compliance” angles discussed here. It does feel like your online identity, whether it’s a bitcoin or a twitter handle, is a form of property and should be treated as such.

Data Portability and Privacy

Earlier this week, I spoke at a Justice Department / Stanford conference about antitrust issues in the tech sector. Our panel included Patricia Nakache from Trinity Ventures, Ben Thompson from Stratechery and Mark Lemley from Stanford. If you are interested you can watch the whole thing here:

The main point I tried to make was that cultivating the development of blockchain and cryptonetworks is actually a critical strategy here. Regular readers will know that I don’t shut up about this, and I held to that on the panel. This point is painfully absent in most conversations about market power, competition and antitrust in the tech sector, and I will always try and insert that into the conversation.

To me, blockchains & crypto are the best “offense” when it comes to competition in the tech sector. Historically, breakthroughs in tech competition have included an offense component in addition to a defense component (note that the below only focuses on computing, not on telecom):

Credit: Placeholder / USV

The “defense” side has typically included a break up (US vs. AT&T) or some kind of forced openness. Examples of forced openness include the Hush-a-phone and Carterfone decisions which forced openness upon AT&T. Several decades later were the (ongoing) battles over Net Neutrality with the ISPs. The discussion about data portability and interoperability brings the same questions to the applications / data layer.

Data portability & interoperability are important for two reasons: 1/ because they focus on a major source of market power in the tech sector, which is control of data (“break up the data, not the companies”), and 2/ because they represent a category of regulatory interventions that are just as easy for small companies to implement as large ones, unlike heavy approaches like GDPR that are easy for big companies to implement but hard on startups.

That said, when you dig into the issue of data portability, there are some hard problems to solve. I don’t believe they are insurmountable, but I also believe they haven’t been resolved as of yet.

For context, data portability is the idea that a user of a tech service (e.g., Google, Facebook, Twitter, etc) should be able to easily take their data with them and move it to a competing service, if they so choose. This is similar to how you can port your phone number from one carrier to another, or how in the UK you can port your banking data from one institution to another. Both of these examples required legislative intervention, with an eye towards increasing competition. Also, most privacy regimes (e.g., GDPR in Europe and CCPA in California) have some language around data portability.

Where it gets more complicated is when you start considering what data should be portable, and whose data.

For example, within tech companies there are generally three kinds of data: 1/ user-submitted data (e.g., photos, messages that you post), 2/ observed data (e.g., search history or location history), and 3/ inferred data (inferences that the platform makes about you based on #1 and #2 — e.g., Nick likes ice skating). Generally speaking, I believe that most type #1 and type #2 data should be portable, but most type #3 probably should not.

To add to the complication is the question of when “your” data also includes data from other people — for example, messages someone else sent me, photos where I was tagged, contact lists, etc. This was at the heart of the Cambridge Analytica scandal, where individual users exporting their own data to a third-party app actually exposed the data of many more people, unwittingly.

I’d like to focus here on the second category of complications — how to deal with data from other people, and privacy more generally, when thinking about portability. This is a real issue that deserves a real solution.

I don’t have a full answer, but I have a few ideas, which are the following:

First, expectations matter. When you send me an email, you are trusting me (the recipient) to protect that email, and not publish it, or upload it to another app that does sketchy things with it. You don’t really care (or even know) whether I read my email in Gmail or in Apple Mail, and you don’t generally think about those companies’ impact on your privacy expectations. Whereas, when you publish into a social web platform, you are trusting both the end recipient of your content, as well as the platform itself. As an example, if you send me messages on Snapchat, you expect that they will be private to me and will disappear after a certain amount of time. So if I “ported” those messages to some other app, where, say, they were all public and permanent, it would feel like a violation – both by me the recipient and by Snap the platform. Interoperability / portability would change that expectation, since the social platform would no longer have end-to-end control (more like email). User expectations would need to be reset, and new norms established. This would take work, and time.

Second, porting the “privacy context”: Given platform expectations described above, users have a sense of what privacy context they are publishing into. A tweet, a message to a private group, a direct message, a snap message, all have different privacy contexts, managed by the platform. Could this context be “ported” too? I could imagine a “privacy manifest” that ships alongside any ported data, like this:

# privacy.json
{
  "content": "e9db5cf8349b1166e96a742e198a0dd1", // hash of content
  "author": "c6947e2f6fbffadce924f7edfc1b112d", // hash of author
  "viewers": ["07dadd323e2bec8ee7b9bce9c8f7d732"], // hashes of recipients
  "TTL": "10" // expiry time for content
}

In this model, we could have a flexible set of privacy rules that could even conceivably include specific users who could and could not see certain data, and for how long. This would likely require the development of some sort of federated or shared identity standards for recognizing users across platforms & networks. Note: this is a bit how selective disclosure works with “viewing keys” in Zcash. TrustLayers also works like this.
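An added example (not from the original post): how a receiving app might enforce the privacy manifest above before showing a ported item. SHA-256, the `created` field, a TTL measured in seconds, and the e-mail-style shared identifiers are assumptions; the post does not specify them.

```python
import hashlib
import json

REQUIRED = ("content", "author", "viewers", "TTL", "created")


def digest(value):
    # SHA-256 is an assumption; the post does not name a hash function.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_manifest(content, author_id, viewer_ids, ttl_seconds, created):
    """Exporting platform: serialize the privacy context of one ported item."""
    return json.dumps({
        "content": digest(content),
        "author": digest(author_id),
        "viewers": sorted(digest(v) for v in viewer_ids),
        "TTL": str(ttl_seconds),   # string as in the post; seconds is an assumption
        "created": created,        # hypothetical field: a TTL needs a start time
    })


def check_access(manifest_json, content, viewer_id, now):
    """Receiving platform: return (allowed, reason); anything unexpected is denied."""
    try:
        m = json.loads(manifest_json)
        if not isinstance(m, dict) or any(k not in m for k in REQUIRED):
            raise ValueError("missing fields")
        ttl, created = int(m["TTL"]), int(m["created"])
        if ttl < 0 or not isinstance(m["viewers"], list):
            raise ValueError("bad field")
    except (TypeError, ValueError):
        return False, "malformed manifest"
    # The manifest must describe this exact content, not some other item.
    if m["content"] != digest(content):
        return False, "manifest does not match content"
    # Expiry travels with the data: past created + TTL nobody may view it.
    if now >= created + ttl:
        return False, "expired"
    # Only identities the author originally published to may view it.
    if digest(viewer_id) not in m["viewers"]:
        return False, "viewer not listed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one private message ported from one app to another.
    manifest = build_manifest("see you at 6", "bob@example.org",
                              ["alice@example.org"], ttl_seconds=10, created=1000)
    for who, when in [("alice@example.org", 1005),
                      ("mallory@example.org", 1005),
                      ("alice@example.org", 1010)]:
        print(who, when, check_access(manifest, "see you at 6", who, when))
```

The check fails closed: a manifest that is missing, unparsable, or bound to different content yields a denial rather than falling back to public visibility.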

Third, liability transfer: Assuming the two above concepts, we would likely want a liability regime where the sending/porting company is released from liability and the receiving company/app assumes liability (all, of course, based on an initial authorization from a user). This seems particularly important, and is related to the idea of expectations and norms. If data is passed from Company A to Company B at the direction of User C, Company A is only going to feel comfortable with the transfer if they know they won’t be held liable for the actions of Company B. And this is only possible if Company B is held accountable for respecting the privacy context as expressed through the privacy manifest. This is somewhat similar to the concept of “data controller” and “data processor” in GDPR, but recognizing that a “handoff” at the direction of the user breaks the liability linkage.

Those are some thoughts! Difficult stuff, but I think it will be solvable ultimately. If you want more, check out Cory Doctorow’s in-depth look at this topic.

Proof of Transfer (PoX)

Last week, the Blockstack team formally rolled out their proposal for a new mining mechanism for the Stacks blockchain called Proof of Transfer (PoX). In addition to the blog post, you can read the full PoX white paper and the Stacks Improvement Proposal (SIP-007) that details the idea.

PoX is a way of building new blockchains on top of existing Proof-of-Work blockchains like Bitcoin. The Stacks blockchain has always been built on top of Bitcoin, but has thus far used a proof-of-burn (PoB) mining mechanism, which, while benefitting from Bitcoin’s security, requires burning BTC. Whereas PoX requires a transfer of BTC rather than a burn. This has the added benefit of creating a mining incentive pool denominated in Bitcoin.

At a higher level, one of the coolest aspects of cryptonetwork and blockchain technology is composability — the idea that crypto assets and protocols can be freely interconnected in almost any way imaginable, without barriers or permission. Every (public) blockchain, asset, and smart contract is a de-facto API that can be hooked into, built upon, and extended.

This may seem like a minor feature, but I believe this is a breakthrough characteristic. Today, we are seeing this play out most vividly in the DeFi space, where protocols like Maker, Compound and Uniswap interconnect to build new financial products. What Blockstack is doing with PoX brings this approach further to the Web3 / data space. Ultimately, I believe that this approach will enable a broad explosion of not only tech infrastructure but new experience & features, both for consumers and businesses. Zombies eating Kitties is just the tip of the iceberg.

It feels like consumer development in Web3 is moving slowly, and by the user numbers it is. But composable innovation is compounding, and the work that’s going on right now is creating the tools & patterns for what will certainly be huge, exponential leaps in functionality and experience over time.

The Friendly Wake-up Call

Last year around this time, I had a major medical scare which shook me pretty hard. The details don’t matter, but the takeaway was that afterwards I felt lucky to have not had a more serious problem, despite a bad situation that was totally avoidable. I dodged a bullet. It was a wake-up call.

Last week, I was in the Netherlands, and as always, was enraptured by the water. The water is, of course, a major threat to the Netherlands and has been for centuries, so as a result the Dutch have become known for their water engineering prowess and forethought. Thomas sent me this article on 21st century Dutch water management with regard to climate change, which details the Dutch approach to water management. This line stood out:

“During Gustav, the level was all the way up to here,” Van Ledden says, placing his hand just below the top of the wall. “And Gustav was just a friendly wake-up call. In 50 years, if the sea level goes up 1 or 1½ feet, the level for that storm would be here,” he says, holding his hand well above the top of the flood wall. To make sure that doesn’t happen, the Corps is planning to build a giant storm-surge barrier between Lake Borgne and the Gulf Intracoastal Waterway.

A “friendly wake-up call” is something that’s scary enough to set you straight, but not bad enough to do real damage. It is an incredibly useful thing. Hopefully it should never come to that, but I find that it’s human nature to push things to their natural limits until some sort of wake-up call inspires a correction.

Getting Alignment

I am flying home from Europe today (by way of Reykjavik) and as a result, have a lot of time to catch up on things. I have spent the bulk of the day writing up a handful of strategy docs relating to some of our portfolio companies and subsequently chatting about them.

In every endeavor, whether it’s a startup, a family, a venture firm, or whatever, perspectives drift over time. Things get busy, and we all get focused on executing. And things can get a little out of alignment. A little out of alignment is no problem, and of course we are always course correcting as we go. A lot out of alignment, or little bits of misalignment, over time, that aren’t addressed, can cause problems.

What often happens is that strategy develops piecemeal, over the course of meetings, emails, texts and chats. And while important ideas get discovered this way, it’s also easy to leave ideas half-baked, or questions half-answered (if they are even fully articulated at all). So when I have time, I find that trying to summarize a complex topic in a single document is a helpful step in regaining alignment and making sure we are seeing the whole picture the same way. That’s what I’ve been doing today.

This gets harder the more multifaceted a project is, the bigger a team or company is, and the more money that’s being invested (especially in long-lead-time items like hardware). For a CEO, communicating the vision and strategy of the company to the team is most of your job. Our job as investors is a little simpler: we need to help the CEO do the above. Not easy, but not a communication scaling challenge on the scale of what a CEO needs to do.

Part of getting alignment is having the right communication channels open. For me personally, I get a lot of that through chat/sms/signal. For the folks I work most closely with, that’s the most open bloodline of ideas in development. I think this is especially true for me since I’m most often not physically together with who I’m working with most of the time. So, as I think about it, I tend to stay most aligned with the people and projects where I have the best chat relationship. A challenge here, of course, is that everyone works in different ways. But that tends to work the best for me, and I think for the people I have the easiest time working with, for them too.

But whatever the method or mechanism, the key moment is recognizing that you’re out of alignment in the first place. This almost always feels like an “aha” moment — like, oh yeah, you’re right, we do feel out of alignment on that. It’s actually a good feeling, because it’s a signal to do some work.

So with that, back to work!

Water

I am in the Netherlands this week, catching up with the Leap engineering team which is based here in Utrecht, and attending an IoT conference that Helium will be at in Amsterdam.

I have always loved it here, primarily because of the close relationship to the water. The Dutch have for centuries harnessed the water, both for commercial purposes (extensive canal network for shipping) and for defensive purposes (flooding out the attacking Romans).

At present, more than 15% of the country is below sea level, and only about 50% of the country is more than 1 meter above sea level (according to Wikipedia).

Amsterdam and Utrecht, where I have spent the most time, are intensely connected to the water. Canals weave between all the streets, most of which are also lined with houseboats (including the one I am staying in, thanks to Airbnb). Whereas walking around most other cities what you notice are cars and trucks, here you notice boats and bikes. It’s just incredibly beautiful.

I was at a dinner last week and got into a conversation about what is it, exactly, that makes the water connection so powerful. I don’t know if everyone feels this way, but when I am near or on the water, I feel different, better. Whether it’s a beach, lake, river, or canal: being on the water just feels freeing and awesome. Something about the flowing openness of it, I guess.

Of course, being close to the water is perilous. Venice, parts of the Midwest, large parts of Southeast Asia, are all flooding. A quarter of Manhattan was underwater after superstorm Sandy. Water is dangerous, and more is coming.

As far as the Dutch are concerned, I sincerely hope that they can figure out how to protect the beautiful way of life they have established here, closely connected to the water. It is beautiful and unique, and I feel lucky to be able to experience it while it lasts.

Regulation and the Tech Industry

Azeem Azhar has a great post up about the brewing conversation about regulation and the tech industry.

There are two main points that stand out to me:

1) In digital systems, ML/AI and data network effects create feedback loops that enable the biggest companies to keep getting better, faster:

and, 2) Regulation favors large incumbents over smaller challengers:

“Regulation is complicated. Dealing with it means dealing with lawyers, hiring compliance people, changing your product roadmap, building new code. Regulation raises barriers to entry. The most regulated industries, finance and health, have seen the deep consolidation and weak flow of new entrants for decades. Regulation favours the large.”

This has created a conundrum. The instinct is to apply thorough and tough regulations to solve for #1. But the chances are, doing so will only reinforce the lead that the big companies have, as per #2.

A good example is the GDPR privacy regime in Europe. As reported in the WSJ (paywall), the advent of GDPR has increased the market power of the big ad players (Google and FB), because they have the best ability to capture user consents and to implement complex compliance procedures:

“GDPR has tended to hand power to the big platforms because they have the ability to collect and process the data,” says Mark Read, CEO of advertising giant WPP PLC. It has “entrenched the interests of the incumbent, and made it harder for smaller ad-tech companies, who ironically tend to be European.”

The solution, we have long argued at USV, is to simply increase data portability and interoperability. In other words, don’t add burdensome regulation that startups can’t comply with. And don’t break up the tech companies, break up the data. And the simplest way to break up the data is to give users a right to access it in a programmable way. This is what the proposed ACCESS Act would do. I talked about this previously in the Adversarial Interoperability post, where I also showed this diagram:

What this shows, is that throughout the history of computing, what has broken the monopoly power of each era’s dominant firm is the emergence of an “open” technology on top. Open source systems like Linux and open standards like HTTP.

Today, the set of open standards that need to be cultivated are cryptonetworks, cryptocurrencies and blockchains. These are the standards that make it possible to re-architect the data economy, including giving more control to individuals and removing it from companies. By design, crypto protocols replace certain things that companies do with things that any group of computers can do, like this:

So, the ultimate point we have been making is that if you’re worried about the problems with the tech economy, one of the solution paths is through crypto.

That brings us back to regulation, and the current state of play around the regulation of cryptoassets globally. The situation we are in right now is such that within the US, there is a lot of regulatory uncertainty, and as a result, a slowing of the crypto economy. Whereas outside of the US (particularly in Asia), the crypto economy is booming — not just tokens, but exchanges, wallets, and other infrastructure.

Because of all this, I worry that not only do we have the potential to miss one of the most important solution vectors to some of the issues facing the tech industry, but at the same time we (meaning the United States) may also be missing the opportunity to play a leading role in what has the potential to become one of the next major economic and technical platforms.

Mutuality

7 years ago on Martin Luther King Jr’s birthday, I wrote this post about the ideas in his Letter from a Birmingham Jail. Today I went back to the letter and re-read it, and a different section stood out to me, one that is really profound well beyond the context of civil rights:

“Injustice anywhere is a threat to justice everywhere. We are caught in an inescapable network of mutuality, tied in a single garment of destiny. Whatever affects one directly affects all indirectly.”

Dr. King was a brilliant communicator, able to distill deep, profound ideas into memorable phrases.

Today on MLK’s birthday, I’m thinking about the overall lack of progress we have made as a society on the very issues he discussed in his letter, namely the structural segregation and dehumanization of black Americans and other marginalized groups. And also about the other issues facing the planet, like the climate crisis, that represent the same sense of mutuality.

Digital Bearer Assets

I spent time over the past few days with several entrepreneurs who are building crypto or “web 3” applications well outside of the financial space. One of the takeaways for me was of the important role that digital “bearer” assets will play in creating new experiences in web 3.

By bearer assets, I mean that you just show up with them, and they are respected sight unseen by whatever applications are expecting them. Every time I start thinking about this concept, I am reminded of the bearer bonds in the movie Die Hard:

For example: a device that has Helium data credits loaded on it can present itself anywhere on the Helium Network, and it will start working. No user account, no credit card, no contract — just show up holding the token and it will “just work“.

Or, take a subscription that is issued as an NFT on the Ethereum blockchain using the Unlock protocol. I show up with a compatible key and I can see the content. If I give (or sell) the key to you, you can see it.

Or, imagine decrypting content in a Zcash-based application using a Zcash viewing key. Anyone who has a key can see the content, whether it’s a blog post, an email, or a private message.

And of course, this is how it is with Bitcoin. He/she who has the keys (and can sign the transaction) has the assets. No account required.

I think of all of this as a shift from account-based experiences (web2) to digital signature based experiences (web3).

Digital signatures create bearer digital assets. They travel around freely, are transferable, and they are not tied to traditional web2 accounts. Rather than the account (as represented by a login, or a credit card, or a contract) having permissions, digital assets (secured by digital signatures and private keys) have permissions.

I believe that this will enable vastly superior user experiences over time.

Nick Grossman
