Before PrivID, I wasn’t in cryptography or cybersecurity. I was a recruiter. I worked with the Big 5 banks in Canada, and later with a couple of European organisations that wanted international hires. Over the years I saw first-hand what happens in organisations when they get breached; in some cases I put the teams in place. Breach after breach, the same story over and over: organisations would announce that they were breached and the data was safe(ish). Being involved in the back-end of the situation, that was not always the case, but that was always the announcement. Companies lost control of your personal data, and you paid the price. Sure, the companies did as well, but they could just replace the data lost. You, on the other hand, had to think about the impact that stolen or lost data had on your life and what steps you needed to take to fix it. Lives were disrupted. Sometimes ruined.
That’s when I realised that the system was broken. Everyone was running on the same outdated models of cybersecurity. Billions were being spent to maintain a structure that was already broken. By 2017, I started asking a basic question: is there actually a better way to protect people’s personal data properly?
I went looking for answers. That’s when I, almost literally, fell across Zero-Knowledge Proofs (ZKP). It had been staring me in the face for some time. Why? ZKPs were already being used in the cryptocurrency world, and ING was using them in the banking world. Then I learnt about Fully Homomorphic Encryption (FHE), a solid technology but not ready for the real world, because it took too long to do what it was supposed to do: encrypt data so you could work on it in its encrypted state. ZKP had been around since the mid-80s. FHE was newer. Both had the potential to actually force real change in how data was protected and secured.
But no one was really using either technology. I had to find a way to make it work.
So I took up something I had left behind: programming. This needed some serious updating of my programming skills, so I started hacking away in Python. After about a year, I had a working model. To say it was rough was an understatement, but it was functional. Naively, I believed that if you built something that clearly solved a real problem, organisations would jump on board.
I was wrong. In a really big way!
What I hadn’t accounted for was inertia. The inertia of apathy. Companies had poured millions into broken technology. Something genuinely disruptive wasn’t welcome. What they wanted was “innovation” that fit neatly into the same old ecosystem. Personal data? They’d already turned it into a product. Breaches weren’t existential threats; they were just a cost of doing business. If your data leaked, they’d simply buy it back from a partner. To them, your personal data was replaceable. To me, that was unacceptable.
So we started PrivID anyway. No roadmap, no guarantees, and terrible timing, right before the pandemic, when smaller organisations we were talking to were about to collapse. But we believed something simple: data belongs to people, not corporations. Protecting it shouldn’t be optional.
That’s where it began. Stay tuned for Part 2 tomorrow.




