So our speaker is the Chief Technology Officer at An-an-an-anatomy-anatomy Labs. I practiced it about 20 times and I just butchered it. So the speaker is also from Australia, where the Prime Minister says the laws of mathematics no longer apply. So it seems all of our pseudo crypto only works outside of Australia. Good thing you're here. So here's the speaker to present on this talk, The Future Is Fake Identities. Ladies and gentlemen, Paul Ashley.

Thank you. Does that sound all right? Does that sound good? So what I'm going to talk today about is some work we've been doing over the last three years. So Anonyome Labs is a start-up that was started just over three years ago, has an office in Australia and an office in Salt Lake City as well. And the name Anonyome, and it is badly spelled, but that's really, you know, when we came up with that name at the start like three years ago, it was because we were thinking about anonymity, right, about anonymity and so we thought, Anonyome Labs kind of sounds right. But I'll kind of give you a little bit of background of why the company was started.

So if you have a look at the way the internet has evolved over, you know, over the last, I guess, 20 years, there's a couple of sort of major problems with it. One of the problems is this kind of sense of permanence, permanence. If you have a look at, you know, if Harry and I are going to have a discussion, we can each express opinions, we can sit in the back and talk. And it's kind of ephemeral, like that, the fact that that happened and the opinions we gave sort of just disappears, and that's what the real world is. You can have conversations with different people and no one's tracking it, no one's like keeping track of that. But if you take it to the internet, it's the exact opposite. Everything you do online is kept permanently. And, you know, it's pretty unfair to people. So I even saw when I arrived into the U.S. on Monday, I saw, you know, headline Republican congressman, please explain tweets from 1990 or, no, it was a blog from 1990. And I thought, well, it's pretty unfair because at that age he was probably 20 years old and he was probably drunk and, you know, who knows what else was going on. So the sense of permanency is, I think, a real problem for people. So everything you search on every time you send messages, every time you go shopping or sell something, you're kind of leaving this digital exhaust everywhere. So I think that's a really big problem.

The second problem is, is the problem that there's a complete imbalance, right? It's asymmetrical, the relationship between, say, yourself and the data brokers. Do you think about the big companies, the Googles, the Facebooks, data brokers? Is everything okay? The data brokers, there's an asymmetrical relationship to the average person. Like once you've gone online and done something and they have your data, you've lost control of that data. They can do whatever they like with it. They can aggregate it. They can sell it. They can advertise to you. You really have no control and, you know, there's a couple of ways, you know, they've been trying to address that, government regulation with privacy policies and all that on websites. But at the end of the day, let's face it, anything you do online that's captured by another organization is pretty much out of your hands. So I think we looked at the internet and said, well, there's problems in two of those spaces, right? There's permanency of the data and the fact is that you can't control your own data.

So what's Anonyome Labs all about? I'll just bring all this up. So we're all about trying to give people back control to say, well, I can decide what about me is exposed in any transaction I'm doing. Like if I'm emailing, if I'm texting, if I'm calling, if I'm shopping or selling or dating or whatever, I'm going to decide what it is about me that's kind of made public.
And this is the idea of, you know, anonymity. Full anonymity means the person at the other end or the company at the other end knows nothing about you. And then there's kind of different grades all the way down to having full, you know, your full data being exposed. And depending on the transaction, you're going to be somewhere in between. So what we're trying to do, so we're effectively a software development company, and we're trying to build tools to enable you to have anonymity and to the level that you want to have it and be able to control what of your personal data is exposed out there.

So if you have a look at the moment, when we started the company three years ago, the topic was pretty hot, but it's nowhere near as hot as it is now. Like literally every day, you can see, you know, different stories about either the government or a big company, you know, Facebook or whoever invading people's privacy or major hacks or anything. So this has become a really very hot topic in kind of in normal people now. Normal people understand that there's a problem, which even when we started the company three years ago, wasn't as short as that. But you have a look at some of these even, there's even stories about things like Signal. If you ever look at the Signal app, people saying that's a great app, look at the security protocols and look at all that. But then people start to think, well, even that privacy app is asking for your cell phone number. Right. And if I've got your cell phone number, I can go to a data broker and get 100 pieces of data on you. Right. They also, you know, want to have access to your address book and share it with other people. So even privacy apps are sort of starting to come under a bit of question about whether or not they're really doing the right thing. And obviously, you know, if you're giving your data to Yahoo and, you know, they have 500 million user accounts deleted. So again, you've lost control of your data.
You don't even know where it is. And then, you know, this happened, you know, in the last six months, and all of a sudden it went up higher again. All of a sudden people were starting to think about end-to-end encryption, all this. But I don't think anybody actually knows whether it's going to be worse or better. Like it was already pretty terrible. And now, like when Trump comes in, is it going to be better or is it going to be worse? I don't think any of us really know. But I think the situation is pretty much the same. You still got your, all of us are in a really a spot of weakness in that anything we do online is captured and sold and traded.

So this is, you know, this is kind of our statement, living your life online shouldn't mean leaving it online. So just because you want to do all these things online, or even offline, offline might be, I want to sell something on Craigslist, or I want to go dating or something. It doesn't matter what sort of interaction you do. You don't want to suffer all those things on the right. You know, identity theft, you don't want to be mined. You don't want to suffer credit card fraud and all those kind of things. So there's a bunch of things that you want to protect yourself against.

So how did we come up? What did we come up? So that was kind of the why. What about the how? Now, how are we going to do this? So we, the bunch of us, you know, hate to admit it, but we've all been working in security more than 20 years. And some of us may be more like 25. And, you know, if you think about computer security, one of the, one of the fundamental technologies that's used in computer security is this idea of a proxy. So whether you're in government or whether you're in a company or the university, and you're sitting in your lab in the university and going out to the internet, odds are you're going out through a proxy server.
And the idea of that proxy server that can control the traffic that's coming through, it can look for malware that's coming back and all that, and give your computer protection from the internet.

So what we did is we've applied the same concept to identity and said, well, what you need is one or more proxy identities, right? When you go out to the internet, don't go out with your primary identity. And by primary identity, it's like my name, my home address, my cell phone number, my email address, maybe my IP address, all those things that really identify me. And our argument is you should have one or more proxy identities and do all your interactions online and offline with a proxy identity. So in the same way, the proxy identity is protecting the primary identity from the internet and all the people and organisations that you're dealing with.

So we have this, we use the term Sudo. I mean, we came up with the word Sudo because of kind of pseudonyms and that kind of technology, but Sudo is what we call this proxy identity.

And I've just got a few examples here. So where you might want to use these proxy identities. So one example is I've got to go and sign up to some sort of program on the internet. And I do this all the time. It might be that I'm signing up to download a white paper or I'm signing up for something that I want to get points through. And then I make a decision. Do I really need to give all my details to that organisation? You know, every time you go to sign up for anything, they just want everything. But do I have to give my information? Why don't I give my proxy identity information? So what I do, depending on the situation, I either give my real name or I give a different name. And I certainly do never give out my cell phone number, never give out a personal email address. And so we have the concept of you should give out your Sudo details when you're doing that sort of thing.
And here, another one, create and delete temporary phone numbers for calling and texting strangers. There's a whole lot of different reasons why you need to talk to strangers, right? You might be dating, one of those online dating. You might be, you know, getting some work done at house and you have to give a number to a plumber. And if there's a stack of these situations, you might be on Craigslist and you need people to call you to talk about what you're trying to sell. So all of these, all of these reasons is you need to give them a phone number, right? So in that case, I might say, well, I'm still going to be Paul Ashley, but again, I'm going to give them a Sudo phone number. So I'm going to use my Sudo that I used for selling for those interactions. So that's another example.

The old disaffected WhatsApp user. So if you look at the history of WhatsApp, this is a great example of a privacy app gone bad. When WhatsApp started, it was a closed community. They went and had it all the nice crypto and everything was great. And then they had really good strong privacy. Then Facebook came in and bought them and Facebook said, don't worry, everyone, everything's going to remain the same. Until like a year later when Facebook said, we're actually now we decided we're going to mine all that WhatsApp data. So now they know who all the WhatsApp users who's talking to each other. And as I said, even though they have end-to-end encryption, the metadata is probably more valuable to Facebook than what's happening in the messages, even if they can't look at those. So there's that kind of use case as well.

So one of the things that makes us think about is if we've got two people who want to communicate, they should be able to email to each other end-to-end secured message voice, voice calling or video calling to each other and everything should be end-to-end encrypted. And then even purchasing. So you want to be able to purchase online.
I want to be able to go on to a site and not use one of my plastic credit cards. So we thought about that if we allow you to create a virtual credit card, completely anonymous has no link back to you and then you can go and use that when you're shopping. So again, you got that barrier between you and who you're dealing with.

Searching, the way we look at searching is you should be able to search as a proxy identity or as a Sudo. What that means? What does compartmentalized browsing mean? It means if I'm in Sudo one and I'm in the browser, then I'll collect cookies and bookmarks and history and all of that. And then when I change over to Sudo two, all of that gets put away, you bring up the state for that Sudo and now I'm browsing as that Sudo and again, I'll get cookies and all that and then want to swap to the next one. It's compartmentalized again. The idea is there's no way that anyone can track you across your browsing across your identities.

Great use case. People use it a lot for work. So I'm at work and I need to give phone numbers to all sorts of strangers. Give again, give a Sudo. Use your Sudo work number for that. Good way to protect children because, you know, you can go and create accounts in a Sudo name and email and all that and the kids can go online without giving any information about themselves. And in general, I think the philosophy here is never again go online with your real information. Only go online with Sudo information and that way your footprint is being reduced. And so the chances of you having identity theft and all these other problems has been reduced.

So we have a pretty important, what we call our taxonomy, which sort of explains how we're doing this. So imagine you're at the top there and you've got a real name and a cell phone number and you've got your personal email address and you got a bunch of credit cards. That person then creates a bunch of these Sudos, right?
And each of those are either in the same name or a different name. They'll have different phone numbers, different email addresses. They'll each have different virtual credit cards attached to them. The idea is now you can go out with these proxy identities and start to do all these things.

So example, I come to RSA or come to Black Hat, right? So I might want to spin up a phone number and an email address for DEF CON or Black Hat and I start to give it out to people and I'll get their details and I'll put it into my RSA address book. And then at the end of the conference, I'll decide which of those people I want to interact with to go forward. I might even then promote those address details up to a Sudo or even up to my primary details and then the rest of stuff I might just put away and then I might just delete that email and phone number. So kind of that relationship has stopped. And then I might have a different Sudo with different details for work and parenting. So I have a son who plays soccer. So all my interaction with all the parents and the club and all those things, I do through a Sudo. So at the end of the season, right, I can just stop that if I want and all the people I've interacted with, I can decide whether those people I want to interact with in the future. So it gives you an idea of what we're trying to do here and then shopping again that you do it again in a compartmentalized way.

And so if you look at that my actions, we want to be able to browse as a Sudo, call as a Sudo, message as a Sudo, email, purchase. I want to be able to mute them. Mute them means even though I've used this Sudo to sign up to shopping, if they send me any email or messages, I just kind of don't want to be bothered with that. So that's what muting means, filtering means being able to look at all your Sudos and see what's coming in. I might be able to delete a Sudo. If you delete a Sudo, then everything's gone.
I might want to reset or archive Sudo details. So these are all the kind of things that you might want to do with the Sudos. And the idea is everything offline and online, you're now doing with Sudos rather than the real person. And that's a concept of the proxy identity.

So just an example here. So if you have a look on the left there, so that's me. And I've got all that primary identity information. Then for each of my Sudos, I have an email, phone, even we want to get to delivery address. So you can have a delivery address and, you know, cross-stocking. You know, we might have a separate address book for the Sudo, virtual credit cards and a separate Sudo-based browser. So you imagine each of your Sudos, and personally I have about five or six Sudos and each one of those has all that information. It's different. And then even you can even go to a step further where you say, when the Sudos get to apply to different accounts and situation, I then want to be able to do what we call with activities is I want to be able to easily create an account within a Sudo. I want to store that information so I know what Sudo information I use for an account. And then again, depending on a situation, I might want a separate email, phone, address book, virtual credit card depending on the situation. But the idea is you can apply these Sudos very easy to the real world.

And then we thought, you know, what are the Sudo capabilities? So this is really everything that we're building. So if you look at Sudo management, I want to be able to create a Sudo. I want to be able to outfit a Sudo. Outfitting means giving it a name, giving the Sudo an email address, a phone number, all those sort of capabilities. Having an activity feed so I can see what all my Sudos are doing and eventually be able to delete a Sudo if I want to. So some Sudos you might keep for all time. Other Sudos you might create just for a situation when it's finished.
You delete that Sudo so all traces that's gone.

And then we talk about in-network and out-of-network. So if you've got your Sudo, I want to be able to call out-of-network so I need to be able to call any sort of number. I want to be able to SMS, MMS to that number. I want to be able to email from that Sudo. And then we've got in-network on the right there. In-network means the other end's also got a Sudo and you want to be able to communicate. So then we believe everything should be end-to-end encrypted so end-to-end encrypted messaging, email, voice and video as well.

And then on the payment side, we want people to be able to easily spin up virtual credit cards that can have, you know, that can be one time, multiple use, reloadable cards and be able to fund those through multiple sources. If you have a look at like Sudo Pay at the moment, we allow you just to buy a virtual credit card with Apple Pay, right? And that keeps you, keeps you completely anonymous to the place that you're purchasing from.

And then browser, again, I talked about compartmentalized browsing. On top of that, you need to do an address protection so you're going to need either a VPN or a proxy or Tor or something to go with that when you're doing that browsing so they can't track you through the network. And then you need to be able to do things like block ads, block trackers, stop fingerprinting and all that. And the idea here is to make it really difficult for an organization to track you between different Sudos.

And my activities is what I talked about is we want you to really easily be able to create a Sudo-based account somewhere, store that information away and be able to launch into that account as that Sudo at any time. So it's kind of the thing.

And if you have a look at the platforms, iOS, if you have a look at iOS, you can go at the App Store and you'll see Sudo. You'll see Sudo Pay. We're sort of finishing Android at the moment.
We're just about released a web version and we're going to do desktop stuff as well.

So something that's really important to us is that we don't know who you are. Like if we're really going to provide a level of anonymity to you, then we can't even know who you are, right? So the idea is, is we have no idea who you are and then hence when you're interacting with our Sudos out there, there's no way they can somehow use us to try to find that out.

So here's all the things that we don't do and it's actually different. If you have a look at most of the other security apps, you know, if you look at the Telegrams and the Signals and the WhatsApp and all that, they don't do these things. So this is one thing that makes it a little bit different. So the first thing is we never ask the user to register an account, right? You'll never see in our apps you're doing any registration. We don't ask for phone number. We don't ask for email address. So we don't ask for your cell phone number. We don't ask to get access to your contacts so that we can share with everyone. We never ask for any of your personal information. So there is no personal information that we are capturing on any of our users. IP address information. So anything that we do see, we make sure that's gone. We delete that. So if we do see any you're coming in through an IP address, we make sure that's deleted. So if anyone comes in later to our back end and says, oh, I want to find out what's going on, we literally don't have any information about you. And we don't sell any of the user's information to third parties like data brokers, advertisers or anything like that. And we never hold cryptographic keys. If you have a look at a lot of technologies and you've seen in a few examples, especially around secure emails, they hold the user's cryptographic keys. So we make sure that we never hold your keys.
So the only way that someone can attack you in the system is they've got to get access to your device, like your iPhone or your Android phone and get access to that. So what we've tried to do is make the attack surface very, very small. And a lot of our philosophies in that, there's actually a podcast that's really good called the Privacy and Security Podcast. And a lot of the concepts that we've tried to implement they talk about on that podcast. So it's something that I would recommend.

So what are the apps we've got? We've got one app called Sudo app, which is basically a communication app for your identities, for your proxy identities so you can spin them up. You can see this person's got about five identities. You can call, you can text, you can email all of that from your identities. We also have another app called Sudo Pay, which is really about you creating virtual credit cards. So you can go anytime and create a virtual credit card.

And it happens just at the right time that I'm finished ready for questions. That's OK. I think I'd like to open it up for questions. Come out. If you can come out to the microphone, that'd be great. That's perfect. That's what I want to give people time.

Yeah. Excuse me. The Sudo Pay, can you comment more about how that actually works? What sort of dollar values or currencies can be used? Could I use this to launder money? You know, things like that.

OK. So a few different questions there. So in terms of requesting a virtual card, I think at the moment we allow virtual cards up to about $500, I think. And at the moment, it's only US currency, but we're going to be adding like Canadian currency, EU currency and other countries that currencies just go along. But at the moment, the way you buy a virtual credit card is if you pick if you download Sudo Pay in iOS app, it just says you want a card. What's the value? Let's say it's $200 and then we get you to buy it from us using Apple Pay. Right.
And the idea is, is we've not captured any credit card information. The only thing that's gone to the payment processor is like this Apple token. And we're trying to create this level of distance between you and the virtual card and then the virtual card to where you're going to use it. I think the idea is like what we're trying to achieve with that virtual card is if you go and use a card somewhere, so I'm going down to an online bike store and I want to use the card. You don't have to give any of your information because that card can't be linked back to you. And in fact, it gives you kind of that protection of your credit cards because even if that site gets hacked, you know, you'll have used that credit card. Maybe there's a little bit of balance left on it, but you're not exposed by it. Normally, the idea is you get a card, you purchase something and then we just refund the balance, whatever you've got left on there. So that's how it works.

What about money laundering? So I think money laundering is a problem, but there's a lot of protections in the system against money laundering. So there's a whole bunch of places that you can't use Sudo Pay cards, that the banks won't let you use Sudo Pay cards. So for example, you can't use Sudo Pay cards to go online and buy other cards. So there's a lot of protections already in the kind of the banking system for that sort of, and we have a bunch of kind of algorithms running in our back end that we can try to detect when people are trying to do it. The main reason, the main thing people want to try to use it for is money laundering, right? If they can use it for money laundering. So we put protections in our back end. We've been kind of taught a lot about how to put protections in and the banking system already has a lot of those protections. So they usually can pick up money laundering by behavior. Even if they don't know who the person is, they can say this card is being used in a suspicious way.

Great talk.
I think many of us probably have done this on the amateur level for ourselves trying to do it. I love the way you've done it. So you have a dashboard. You can manage your identities. You remember them. A couple of questions for you. So I'm assuming because you don't know anything about us when Facebook buys you, it doesn't matter because you don't know who we are.

I can tell you now we will not be bought by Facebook or Google or one of the big data brokers. Like it's not going to happen. But yeah.

So do you think that because of you mentioned money laundering, do you think for other reasons that intelligence services or others will become very interested in kind of pushing you to sort of give them information?

Yeah, so the question is about will other organizations be interested? Probably, you know, police forces, government, things like that. And I think the answer is I suspect yes. But I mean, the way we do it is like we're not anti-government. We're not anti-police. We're nothing like that. We're not trying to be, you know, anti-government, you know, special. What we do do is if we get requested for information like lawfully, we will respond into that lawful request. Right. The answer, though, in probably just about every occasion is we probably don't have very much that can help someone because we're not keeping data. We don't know who you are. We've never asked for your cell phone number. We've never asked for an address or an email or anything. So it's the amount of information that we have. Maybe there's some breadcrumbs that this is what we've got, but it's pretty minimal.

My last question for now. So have you thought about inventing a time machine because right now you're from this day for people can use you, right? But they've got a breadcrumbs on the internet from before and all the things they've done, which, you know, I'm sure there's various ways to come.
Is that have you thought about how you can help you clean up their past as opposed to just going forward?

No, no, we've really thought about a lot about that, but I'm not sure that we're going to try to do that. What we're going to try to do. So give you an example. Let's say you have an account in your name somewhere. What we would say is delete that account. Go and create a fresh account under a pseudonym, under with your Sudo, with the phone number, email address, perhaps a different name, maybe even the same name. It depends what you want to do. But it's like we're saying replace it. And I know personally I've been using Sudo for probably 18 months. It's been out in the app store since January last year. And I think I've pretty much replaced every single account not to ever use my cell phone number, home address, email address or anything like that again. So it does take a little bit of time to clean up all the things, all the mistakes you've already made.

Thank you. Two questions. One, in relation to data removal, given that you will eventually have users from the EU, what does GDPR compliance look like for anonymity? Sorry. Anonymity? Sorry, for the company, for your company. And the second question is, what's the company's business model, given that you're not hawking data for money?

So in terms of the GDPR, I've got it right, GDPR. Our expert is here, our Chief Security Officer who's been doing all our GDPR work. What was the other part? Business model. Our business model, so how do we make money? So even if you go into Sudo app now, what you'll find is you can spin up Sudos for free and you can get some certain amount of phone number, but there's a limit to that. And once you go over that limit, then you'll start paying like a cost you $0.99 to reset a number. If you're calling to kind of an expensive location, you've got to buy credits in the app.
So there is parts, places in the app where we can do it because we want to get to a place where we can recover our costs through some of those things. So people going, okay, I want to spin up a new number. We'll charge 99 cents and that might cost us 30 cents to have spin it up or whatever. So there is parts in the app where we can already get revenue, but there's quite a bit already free in the app in that you can get like nine Sudos now with phone numbers, but it's after that where you'll start to get charged. And depending on who you're calling and stuff like that.

GDPR, I guess you could take it offline with Neil because he'd be much better to answer that question or I could get him up here, but maybe we'll just go to the next one.

Why did you choose Apple Pay as your payment process?

So this was in our initial version. We're going to be adding other funding sources. So our first funding source, there's kind of a couple of reasons. One is, so if you're going to get a $200 virtual card off us, we need to get $200 off you. And so we thought about how could we do that one way? And we wanted to do that without having to know who you are. So one way is we can try to capture a credit card detail in the app and then pass it down to our payment processor to do that. And we're like, a couple of problems with getting a credit card. One is it sort of gives us a breadcrumb to who you are. And the second thing is it kind of opens us up a little bit more to fraud so I can steal your number and buy a Sudo Pay card, et cetera. So we went with Apple Pay because it sort of gives us both protections. It protects us a lot from fraud because to use Apple Pay to buy something, you've got to put it into your Apple and it checks with the bank account and does all that. And at the same time, it gives us complete protection because we don't have any personal information. We've not had to capture a credit card. We don't know anything.
All we get when you do an Apple Pay is like this long Apple Pay token. It's like this long. And we pass it off to the payment processor so they know how to process that. So it protects us in that. We haven't had to get your credit card information. So we're not exposed to fraud but it also, it kind of fits our philosophy of not knowing anything about you.

And just one last question. What kind of analytics do you store on the back end? So like what kind of metadata or analytics kind of algorithms? Like what aggregation would you be doing on your back end?

So on the back end, I mean we do, we are interested in a couple of things, right? One is we use Mixpanel in the app itself to understand what features people are using. Now that doesn't tell us anything about the user. We just know that no one's using this or someone's using this. So we kind of understand things like, people got five screens into onboarding and dropped out or something like that. So that's the Mixpanel side. But again, we're not capturing it. We're very, very sensitive about not capturing anything about the user. And in the back end, it's sort of this general things we want to know. So we don't capture any phone numbers or anything like that but we need to know things like, in general, like what are the top email domains that people are using? Because that kind of tells us how people are using it. So if you have a look at the moment, we know that out of our users, Craigslist is like the highest. Like if you think about what you might use Sudo identities for, it actually exactly matches up what people use it for. So they use it for dating. They use it for shopping. They use it for selling. I think that's kind of, and so we kind of want to understand what are the top email domains because that tells us where people are using it. So we're not using analytics. We're using analytics just a little bit to understand how customers are having problems in the app and things like that.
So there's always, you always want to capture a little bit of that data. So if anyone's got questions, you have to come up here. Oh, we ran out of time. Okay. Thanks, Harry.