Securities

Web3 is so far behind in terms of reliability and security

Description

Fourteen years after the release of the Bitcoin white paper, Web3 and crypto are transitioning into adolescence. Technologies and communities that have collectively been a financial Wild West are slowly but inexorably transforming into mainstream infrastructure powering payments, finance, banking, and even identity and data storage. That transition though is hampered by a data and security stack that remains, let’s just say, well below the norms expected for modern software (which itself is below the expectations for data protection that consumers actually demand).

The gap between the visions of a secure Web3 future and today’s current technology is the opportunity to propel crypto through its awkward teen years.

I wanted to talk more about where Web3 infrastructure is headed, and so I asked my Lux Capital partner Grace Isford as well as Ann Jaskiw, founder and CEO of crypto accounting platform Tactic, to walk through today’s looming clouds in crypto regulations and why the future is about to get a whole lot brighter.

We discuss Grace’s investment in Tactic and how Ann migrated from building secure healthcare technologies to figuring out accounting for the crypto world. We then talk about the Web3 infrastructure stack and its pockmarked reliability, The Merge’s effect on Ethereum’s future and Vitalik Buterin’s leadership role in the energy-saving transition, international dimensions of crypto security, as well as how the SEC is pivoting toward crypto regulation and why crypto founders are increasingly pro-regulation.

Transcript

This is a human-generated transcript; however, it has not been verified for accuracy.

Danny Crichton:
Hello and welcome to Securities, a podcast and newsletter devoted to science, technology, finance, and the human condition. I'm your host, Danny Crichton, and today we're talking about Web Three Infrastructure and Regulations. A super interesting topic. This is where the action is these days in the crypto world. And joining me today are two special guests. First from Lux Capital, Grace Isford. Welcome to the program.

Grace Isford:
Thanks Danny.

Danny Crichton:
And one of our Lux portfolio founders, Ann Jaskiw of Tactic.

Ann Jaskiw:
Thanks for having me Danny.

Danny Crichton:
So Ann, you recently joined the Lux portfolio, so welcome. I'd love to hear your background because you started not in the crypto space. Tell us a little bit about Flatiron Health and how you moved into the Web Three area.

Ann Jaskiw:
Yeah, absolutely. At Flatiron Health, a lot of what I worked on was taking messy data, albeit out of electronic medical records, cleaning it up and turning it into something regulatory grade for the FDA and life sciences companies. And actually that's quite similar from a raw technical perspective with what we do at Tactic now. I'd always liked the academic angle of crypto, love the math. Long before I had actually read the Satoshi White Paper. And I think what really interested me about Ethereum specifically was I worked in security for a while and I dealt with OAuth, I dealt with identity providers and sort of logging into things and it's just a pain from a technical perspective. And then of course your identity, all your scopes and claims are tied to something central, usually Google or Facebook or Microsoft Active Directory. And what I saw with Ethereum was sort of like a login to the internet.

And that seems to be not what people always talk about in crypto, it's a lot of token prices. But that to me of federating your identity to a distributed system was just so cool. And I felt like I had to do something in the space. So I started poking around, started building something and got to the point where I was ready to make a real company. And part of that of course is setting up your FinOps stack. And I kind of wasn't sure how to do it if I had tokens floating around. So what I thought was going to happen was I'd buy some crypto on Coinbase or whatever, centralized exchange, I'd presumably have a team of people with their various MetaMasks and would be throwing crypto around. Whenever you write something to the ETH chain, you're minting an NFT, and the price of Ethereum has changed since you bought it, which inevitably it has. Turns out that's a realized loss or gain. And it was something I wanted to track.

I didn't really see a lot of solutions out there and started talking to the great network I had met of crypto founders and was like, "Hey, so how do you close your books every month? How would you pass an audit? What if you go public? How does this work with the SEC?" And pretty universally the answer was "if you figure it out..." Yeah, it was, "if you figure it out, definitely let me know." And so that is how Tactic was born.

Danny Crichton:
So let's talk about a little bit of the Web Three infrastructure stack. So I mean this has been a thesis for the last couple years. Obviously people always get distracted with NFTs and crypto prices and the crypto winter, then the crypto summer, and then the crypto winter again, yacht parties. But I feel like we're actually building something really fundamental here with the actual infrastructure side and it feels like a lot of things are changing. So I'm curious, does the state of Web Three today, what are you seeing in late 2022?

Grace Isford:
We talk a lot about Lux, about what the larger crypto world doesn't always pay attention to, which is the things that are objectively better. So that's the infrastructure, what we can point to in security, reliability, exchanges, network, compute, financial infrastructure compliance, where we can offer a 10x better experience or really point to that is solving a problem, making a better technology, solving a hard technical problem, really on the tech frontier. What struck me about Tactic was kind of the stickiness of the problem they were solving. And it's a technical problem. As Ann mentioned, very hard to keep track of B2B crypto payments today. It's mostly that manual process and existing status quo providers don't have the technical capability to really track and be able to go from end to end from payment to logging your books.

Danny Crichton:
Obviously we've talked about companies that are publicly traded. I think Tesla is a good example. Block is another one who have had at least Bitcoin holdings or in I guess Tesla's case they also had Dogecoin or maybe that was just Elon Musk. I can never keep track. They're basically the same at this point. But what will Tactic sort of empower companies to do beyond just holding one token?

Ann Jaskiw:
I think it's more about the transactional nature. So right now, if you're a major enterprise, I don't want to trivialize holding Bitcoin on your balance sheet. If you just buy some Bitcoin and it sits there, you may have to do some impairment, but it's not super complicated. The point where things are moving around frequently, you have prices fluctuating, maybe you're international, that's when there's a new level of complexity. So if I am a tech company building something on chain, that is very much when this becomes just totally untenable.

Danny Crichton:
And when it comes to the regulators themselves, is this something that they're paying attention to these days or is it still sort of a laissez-faire situation?

Ann Jaskiw:
I think there's just increasing regulatory scrutiny every day on this, which is why the problem is really burning.

Danny Crichton:
I want to pivot a little bit as a conversation. So this month there was a big story which was the Ethereum chain had quote unquote the merge.

Ann Jaskiw:
The merge.

Danny Crichton:
The merge.

Ann Jaskiw:
What was that? I didn't hear about that one.

Danny Crichton:
Yeah, exactly. That's actually a good sign because I feel like if it actually had failed, it would've been front page news all over the internet and all over the front page of major newspapers. Ironically, it actually went extraordinarily well in the immediate hours and days following it, and let's talk a little bit about this because this has been Vitalik's dream for I guess since 2016, 2017. So six, seven years later, his vision of moving from a proof of work to a proof of stake model has been implemented. What does that do for Ethereum and the Web Three ecosystem more broadly?

Grace Isford:
Yeah, I think the big headline here is that Ethereum has proven its ability to actually update its architecture and evolve in a meaningful way and kind of continue to execute on that ambitious romance of Vitalik. As a user of Ethereum or Blockchains, it's really not going to affect you too much.

I think the two or three biggest takeaways I've thought about is one, making Eth more energy efficient. For those who don't know already reduce energy consumption by 99%, very meaningful because of that transition, you mentioned. Making it more secure. You don't have to be a sophisticated miner to secure networks and validate, so I think overall exciting but net for an average user on Eth, not going to affect you too much, which is a good thing.

Ann Jaskiw:
I think in terms of enterprise adoption, what's really interesting here was to see an upgrade of this magnitude really succeed. So the open source success people always point to that got adopted was Linux. Traditionally, as someone who has worked in security, when you evaluate a vendor, you're always a little shaky on pumping in something open source because maybe it's just maintained by two random guys and if they get bored, suddenly a core part of your infrastructure is gone and you hear about people splitting, getting controversy in different packages and it's just this scary dependency to build. So even sometimes small changes go awry, things go stale. And I think something happening of this magnitude and this complexity where really nothing went awry, it will inspire a lot of confidence into people who are a little scared to build critical infrastructure on a centralized project.

Danny Crichton:
I will say, I'm going back to April 2014 when Heartbleed, a very famous bug in the OpenSSL software and we had this massive gaping hole and basically every computer system because OpenSSL is used for anything to encrypt basically communications on the web. So if you use a web browser, you almost certainly use OpenSSL, across Mac, Windows and Linux. And then we found out that there was exactly one human, one engineer somewhere who was actually coding all this and was doing all the work himself. And so there was an initiative to get more folks to focus on this open source software.

But Ann, I agree with you a hundred percent that the fact that Ethereum, which is a community of now thousands of people who have both contributed code, who are part of the design community, who are building it and moving it forward, were able to come to quote unquote consensus in a fun way.

Grace Isford:
Pun intended.

Danny Crichton:
And that was my bad pun of the day. Consensus around the future of the trajectory is a really good sign. I'm curious, when you look at a lot of these open source projects, there is this term of the BDFL, the benevolent dictator for life. So in Python it was Guido for a long time, many different programming communities have this sort of dynamic. Is Vitalik still playing that role of the BDFL for Ethereum?

Grace Isford:
I think he's a very important figure. And you think of all the figures in the crypto Blockchain worlds right now. Of course Satoshi who people can't really put a face to, but Vitalik has really served almost as a mayor or spokesman for a lot of the ecosystem. So I do think he has influence, strong readership of his blog and in fact will probably gain a bit more recognition for successfully completing act two of the merge.

Danny Crichton:
So I want to talk about a little bit more of the Web Three stacks. So obviously we're in 2022, it's not completely new, wasn't weeks old, it's now been a couple of years. What's going well? Where are the pockets where there is good infrastructure? It seems like there's good platforms and APIs and similar in the category of accounting, there's clearly gaps and there's more to come. Where are the pros and where are the gaps?

Grace Isford:
I think there are a lot of gaps.

Ann Jaskiw:
This is Grace announcing the launch of her new infrastructure company.

Grace Isford:
Well, I mean, I've spent a lot of time in the data and developer infrastructure stack and a lot of that stack has parallels to Web Two and often overlaps with Web Two. So it's less about how advanced is Web Three, but also where existing Web Two companies that are mature, reliable, scalable, porting in to Web Three, but if you think of the whole comprehensive stack, my immediate reaction to that question is we are so far behind in terms of reliability, security, scalability, and why I need a lot more companies building, and also why I'm excited to invest in this space.

Ann Jaskiw:
Yeah, and to add to that, I think automated testing, auditability, smart contract audits, that type of stuff, I think we're still seeing a scary number of people effectively test things in production, which to be fair is all over the Web Two space as well. It's just a little scarier when there's programmable money.

Danny Crichton:
Right, exactly. Well let me ask you Ann because obviously you, you're coming both from a data governance provenance background as well as a security background in the context of Flatiron Health. And when I think of healthcare, I think of among the highest bars for data protection in the country, it's under HIPAA, everything has to be very careful and protected, lots of rules. How is that culture being translated into the crypto world? Is it still the wild west or have the standards sort of risen from your perspective in the community?

Ann Jaskiw:
We've been surprised by how many people we've met in this space, especially on the finance and operations side who take this very seriously and desperately want to do the right thing. But regulatory guidance is still quite nebulous. So it's not easy. But I will say a lot of the typical paradigms in and outside of tech still apply of principle of least privilege, basic role-based access controls. What I think a lot of people forget about security is, you know, think of a nebulous hacker somewhere in a basement in North Korea when really it's just like someone shared their Netflix password with their roommate and it turns out that's also their work password to all their data.

Danny Crichton:
Right, I'm remembering a tweet I was reading recently that was basically if one employee clicking on a phishing email compromises your entire network, something very wrong is with the company and not with the employee.

So Ann, following up from that, I also want to talk about, I mentioned HIPAA and we're talking about data protection and provenance, but obviously a lot of those rules tend to be very localized and there's huge data sovereignty issues going on around the world, which was actually a subject I covered a lot when I was a managing editor at TechCrunch of how the world is sort of separating into different fragments. So India has its own rules, China has its own rules, US is splitting off. Europe is sort of becoming a one rule super continent of sorts, but it's on its own and has very different setups in the United States. When you think about the Web Three world, it's among the most democratized, it's the same chain everywhere. You can't kind of separate the chains. There's no Ethereum chain of Europe versus an Ethereum chain of India, et cetera. How do you handle different national regulatory regimes in the context of an international chain?

Ann Jaskiw:
So I think the answer is I don't know, which is a little unsatisfying and that's actually why Tactic's focus is very much on the US market right now because it's very possible that every European country will come up with something different like we saw with GDPR. I don't know how effective it is. I think you get a lot of popups and accept cookies and some headache for engineers, whether it is globally moved the needle for data privacy is a different question.

Grace Isford:
I'd agree that internationally, we don't have strong conviction yet. I'm excited though about the US regulatory tide and the attention to crypto. I know a lot of people are afraid of what regulatory action the US will take. We've seen a lot of stuff in the last few weeks from the SEC and beyond around crypto and cryptocurrencies being recognized.

Danny Crichton:
Well I think what's interesting is twofold. One is regulators are starting to poke around. So before the show we were talking about Gary Gensler, but Gary Gensler was here in New York a couple of weeks ago and he was saying that he feels comfortable giving up sort of non-security token sales over to the Commodity Futures Trading Commission and keeping the securities under the SEC banner. So that was a huge sort of block over the last couple years is basically which regulatory agency would control token sales. I mean it looks like that's getting cleared up a little bit in DC, but on the flip side I'm finding that more and more crypto founders are becoming, I guess you would call it pro-regulation, not pro bad regulation, but making the rules clearer, allowing people to be able to do their jobs. So I'm thinking of Sam Bankman-Fried of FTX who has been very hard on trying to get the CFTC to regulate this similarly with others in the space.

And then Brian Armstrong of Coinbase who I guess in the Coinbase app now has a segment for being able to vote for candidates to learn more about the elections which are coming up in the US in a couple of weeks. And so to me it seems like people are really engaging on the regulatory issues, but that means you also have to build the infrastructure now because the regulations are going to come in the next two or three years. It's building time this second in order to get underway.

But I'm going to go back to Ann. So when you think about the accounting side of things, is this almost exclusively at the federal level or are you also seeing state level regulations show up in your world as well?

Ann Jaskiw:
Definitely both, and different states are at different stages. I think we all know some crypto people who've moved down to Puerto Rico because of the favorable laws there.

Danny Crichton:
Why are different states handled in different ways?

Ann Jaskiw:
The same reason they handle different ways in Fiat. You have state taxes in some places you may have sales tax, income tax. It's just a different way we do regulation, the same way sort of like the EU exists and all the countries have their different rules based on cultural values or whoever's been elected or whatever the electorate chose.

Danny Crichton:
And so when you think about accounting for, say token sales, does that also include accounting for the geographies, those token sales take place?

Ann Jaskiw:
Right now, accounting rules for geographies don't quite work because Ethereum's not collecting your IP address and can't say like, "Oh, by the way you're in New York add some level of sales tax." NFT sales tax is an increasingly hot topic and candidly no one knows what it means, but it's definitely going to be a thing.

Danny Crichton:
I was going to say NFT stands for no effing tax. So where do you predict that's going to go in the next couple of years?

Ann Jaskiw:
I mean, I think there definitely will be some regulation around it. I think state officials, federal officials can't just see all these massive transactions happening and ignore them and not try to take a cut of that pie. I think it just makes sense. And I think most people in the NFT space, the same way Amazon sells goods and calculates tax for you based on the zip code you enter will have to implement some form of KYC for many reasons. But tax will have to be a part of that.

Danny Crichton:
I'm reminded of the early years of the internet when Amazon didn't collect sales tax. I mean if you remember back in the 1990s, 2000s, we went online because you didn't have to pay local sales tax and technically you were supposed to pay it. You're supposed to fill out your form and say out of state tax and you fill out the little thing and you technically have to do that definitely for cars and these big large purchases because goes there filed with the government. But Amazon had this competitive advantage for years of not having to collect sales tax until these laws sort of got up to date. So I imagine if the e-commerce economy I think took almost a decade to catch up to the collection and monitoring of tax data, my guess is it'll be very similar in the crypto world as well.

Grace Isford:
But to that end, I think that's why Tactic is so well positioned because irrespective of which way regulatory goes, they're seen at this unique point in the immune system as kind of this universal crypto data ledger that can be flexible based on which way regulatory goes. I also, on the regulatory question you asked earlier, I would reframe it a bit more to compliance and risks. So thinking more in terms of the safeguards and how companies can build applications to help know who the user is or the risk they pose to the platform rather than harsh regulatory rules. I think a lot of these things can be positive and that's why a lot of founders are excited about them when framed in the right way.

Danny Crichton:
Well, and we heard earlier this month that the Justice Department was going to form a national network of prosecutors focused on crypto crime, mostly about major crimes, but it is an example of it doesn't just have to be tax collection, it doesn't have to just be what tokens do I have and where are they? It's also about tracking those flows over time because there's going to be increasing need to actually have an audit trail, having compliance, making sure you know who your customer is because a lot of folks aren't looking to be part of any sort of dark economy. It's just part of modernizing our modern FinTech stack. And that's been our thesis here as well is that this is supplanting hopefully credit cards, other middlemen, et cetera. And so as the regulations catch up, as the compliance software catches up, I think we're going to have a much stronger economy going forward. And thank you so much for joining us.

Ann Jaskiw:
Thank you so much for having me Danny.
