Frequently Asked Questions about our private, open-source protocol
One of the great things about working at Atsign is that we get to chat with the developers trying out the atPlatform. So naturally, when user “paulvipond” sent a message in our Discord channel about Atsign, our co-founders were quick to respond. In their follow-up conversation, Paul Armstrong (AKA “paulvipond”) had several insightful questions about the core infrastructure of the atPlatform, which two of our co-founders, Kevin Nickels and Colin Constable, took much delight in answering. The following Q&A is a portion of that discussion.
P: Why should I trust you and your systems?
K & C: Trust certainly has to be earned, so we have started with an open protocol specification and an open-source reference implementation for the full-stack platform that everyone can evaluate and contribute to. As a company, the only thing we are uniquely responsible for is the integrity of the namespace, which does not hold any private information.
The only thing that we have centralized is the verified location of where to go to request permission for access to information from someone. Our basis for trust in our company and the systems and services we provide relies on the fact that we do not have access by any means to anyone’s private data.
P: What is to prevent app developers storing the information they retrieve, or is this accepted practice?
K & C: With the atPlatform, the data is stored per person on their mobile devices and in their own personal cloud microservice. This means that the application developer does not have access to the data as it is encrypted with their personal keys. If the application developer wants access to any data, they are free to ask for it. So, our first strategy is to make it easy for a developer to honor the intent and spirit of the protocol.
P: What about data verification — e.g. telephone number and email addresses? This would be a great feature to remove the burden from applications.
K & C: We did not want to burden the protocol itself with this feature. Instead, we have created the notion of an “attestation” which can validate/verify the ownership of some particular data for use cases that require this. This might be just an email address or phone number, but could also be for more important things like age (over 18), whether a person’s face matches that on a valid passport or driver’s license, whether someone is vaccinated for COVID-19, etc.
P: Who would you regard as your main competitors and how are you different to them?
K & C: Notionally the blockchain cohort making similar claims would be the main ones, but we believe that they are more likely to become adopters over time to provide non-repudiation and to eliminate username/password authentication, which has proven to be so risky. Technically, Solid/Inrupt is somewhat similar with their data pods, but they curiously have no built-in encryption at all and are enterprise-focused where we are developer/apps/consumer focused.
P: What’s your revenue model and how do you plan for it to be sustainable?
K & C: Our revenue model is simply to charge for custom atSigns (like a domain registrar). We also offer free atSigns (unlike a domain registrar). We support developers by paying up to 20% commission of the atSign purchases that come from their application as an incentive to create fully privacy-compliant applications.