Dear Footprint Family,
I want to start by saying that I hope everyone had a great Thanksgiving. If you’re on this email list, I’ve been lucky to cross paths with you. I do believe we are the sum of the interactions we’ve had; I truly am grateful to you all for shaping me.
When we raised our seed round (a process which started ~a year ago!), we often got posed a version of the question: “this makes a lot of sense, why hasn’t it been done before?” I gave a lot of answers at the time: business model innovation, the rise of fintech being the tide to lift the boats that are the infrastructure to power them (I am very bad with idioms so that likely made no sense), increased consumer awareness around data privacy, etc.
Whether it was hubris or blissful ignorance, I don’t think any of them were good responses in hindsight. It’s not that they weren’t at least partially right. But the true answer is that Footprint isn’t new. Owning that—the fact that we are not visionaries with an original idea—leads to a far more powerful story. One which involves the history of online identity, combined with the technological advances of the past 24 months, and a new business model. All of which have hatched Footprint.
Believing Footprint is fully novel belies a strange truth: in my opinion, it’s good Footprint isn’t the first attempt at putting people in control of their data. I’m definitely not smart enough to come up with that crazy of an idea—if something feels “obvious”, I would hope people have tried and there would be real reasons it failed. But if unique events flipped the external influences to enable a new effort to be successful, well I think that is a better thesis.
Like always, this update is not me saying Footprint will work. But this answer--and the thinking behind it--makes me more confident it will.
A (Brief) History of Identity Documents
Some of the earliest historical documents for entrance to foreign lands date back to Ancient Babylon. Around 450 BC, King Artaxerxes gave an official a letter “to the governors beyond the river” to ask for safe travel to lands abroad. The Han Dynasty (202 BCE-9 CE) had passports (zhuan) that were required to move through the realm into certain provinces. There are countless more examples, but in short, we’ve had documents to allow us into new domains for longer than we’ve had wheelbarrows and the concept of corporations.
Once we agreed we should have a version of identity documents, the question became how do we prove we are the person denoted on said documents. Modern passports are very much a British invention. King Henry V got the first passport in 1414, but they did not go mainstream until ~~a viral TikTok trend~~ pretty much the World Wars and broader immigration into the US in the early 20th century. Today those passports have integrated circuits and photos. How did we let people prove themselves in ancient times? Roman citizenship was often validated by name (only citizens could have three names, with your tribe name being one of them), language, and even clothing. People often demonstrated their citizenship not with papers, but through their social relationships. If there was an inquiry to a census (where records were kept of citizens), you would often prove yourself by having witnesses—often from your tribe—vouch for your identity.
Fast-forwarding a few millennia, we enter the modern digital age. While historical societies had centuries to cultivate passports, we had mere decades to think about digital identity. Tim Berners-Lee’s work around hypertext enabled the first safe web browsers to launch in the early 1990s, just three decades after the creation of the Arpanet in the 1960s. In 1991, Phil Zimmermann published his proposal for Pretty Good Privacy, an internet built off a “web of trust” through public-key cryptography.
A New York Times article from 2001 describes how the first two years of the 21st century brought groundbreaking legal cases in France and Italy which declared “that national boundaries do indeed apply to the virtual world as well as the physical one.” This was a tad problematic. Vinton Cerf, a senior VP at WorldCom who was instrumental in building foundational layers for the internet, said "the Internet was designed without any contemplation of national boundaries," and that "the actual traffic in the Net is totally unbound with respect to geography.” As The Times mentions, in 2001 IP addresses were the closest thing the internet had to passports.
This topic of the history of identity documents will be covered more broadly in a future update. For now, I hope those who have taken this dive with me see that humans have long sought to identify people as they crossed borders and that historically identifying those people often relied on a third party. As the internet has become ubiquitous during a small blip of human evolution, we’ve had to quickly apply how we view physical boundaries into the digital world. Often, our approaches and terminology are borrowed. IP addresses are not passports. But humans like to map concepts between realms. So they became passports to the internet for a moment. And while there are some like Zimmermann who from the start were working on internet privacy (and laying the groundwork in modern cryptography for a road to be blazed decades later by one Alex Grinman ;)), in short, there were not many solutions.
Companies Trying to Put People in Control of Their Data
Let’s play a game. I have a side-by-side below of two companies. One is us. The other was founded in 2009 and is no longer in operation. Can you tell which one is which?
Company A is Footprint. Company B is Personal Inc., a brilliant idea started by industry veterans. Going back to the 2001 NYT article, a wave of GPS companies was started in the following years as borders and internet technology began to increasingly intersect. The creators of The Map Network, a company in the space that was acquired by Nokia in 2006, then took on the next challenge of internet boundaries: our personal data. They started Personal in 2009. The company would raise $30M, before merging with Digi.me in 2017. The combined company was acquired by the World Data Exchange a month ago (October 2022). Along the way, Personal would win numerous accolades on their quest to put people in control of their data. In 2012, they were named by TechHive as one of the top five web apps/services at SXSW. In 2015, the National Law Journal named their Chief Policy Officer as one of their 50 “Cybersecurity & Privacy Trailblazers”.
I truly think the people at Personal were visionaries. As Doc Searls wrote in The Intention Economy: When Customers Take Charge, it was a bold and groundbreaking move by Personal.com to call users “owners”, especially at a time when there was much debate about whether data could be “owned” at all. Searls would continue to note that “Personal’s terms had no precedent and modeled a new legal position, both for vendors and for intermediaries.” That precedent would not happen for another seven years in the EU with GDPR and for another decade in the US with CCPA.
As you can see in the above table, there are a lot of product similarities. Personal built a data vault (for consumers), and the ability to one-click different forms. They also had a “Secure Share” which had primitive permissioning, where they created “a live, private network, allowing registered users to share access to data and files through an exchange of encrypted keys without the risk of transmitting the data or files through non-secure, direct means.” To further the parallels on the consumer side, they gave people the ability to revoke access to their data.
As was written in a 2011 Economist article, “Personal aims to store all of that securely, using a system of containers called "gems", which you pick out and arrange on your screen like apps on a smartphone.” Examples include people sharing “gems” of food allergies to dinner hosts in advance of a dinner, or sharing a one-time house alarm code with a babysitter. Other suggested use cases ranged from sharing more secure information with a spouse to fill out a mortgage application, car maintenance information, and eventual connections with government agencies to automatically bring in information.
Why It Didn’t Work Then
Looking back, there are numerous reasons why Personal didn’t work when it launched, spanning from the business model to the law. I do think the company was quite literally ahead of its time. As I mentioned above, it existed in a world with data privacy regulation that lagged behind by a decade in the US. This meant they likely faced a harsh reality: companies didn’t care until regulators did. It is easier to store data in plain text than encrypted, cheaper to simply not build vaulting, and more efficient to use resulting time savings to let engineers focus on other priorities. Regardless of the questionable legal rights of consumers at the time to own and request data, this backdrop meant a key part of a business model around vaulting was not present.
This is even reflected in coverage, which accordingly paints Personal as a consumer tool. Fast Company wrote that Personal’s Data Vault was “a tool that will simplify our lives.” Compare this to how TechCrunch quotes our focus on how Footprint can help companies “offload the cost and risk of all of the security that has to happen around storing that data.” Of course, the end goal is to help people control their privacy online. But that is really only viable by having a B2B motion, and better yet one now written into law. Despite KYC stemming from the Patriot Act, it has really only seen a rise of enforcement in the digital realm in the last ~decade. Furthermore, too early a focus on consumers leads to both too much breadth and an earlier need for network effects.
CNet described the plethora of use cases Personal aimed to solve for people, resulting in a very wide net they had to cast in data forms to be collected. As Rafe Needleman wrote in 2011, data entry was a huge problem for the company: “it is a total drag to collate all this data. And I think the response rate when people request gems from other people…will be too low to make the system truly useful.” In order to work, Personal needed a network effect quickly. The Economist (paywall) in 2011 said their “success will depend first and foremost on whether it can get a lot of people quickly over the initial hump of entering lots of data.” Due to business model constraints, the onus was on people to go out of their way to create the network effect the company needed to work. When people fill out KYC forms, they have to enter fairly standardized information. Footprint can focus on solving one big issue (how to onboard users and store their data) that impacts thousands of companies; Personal had to find thousands of use cases that may have only been applicable to a handful of people.
To go full circle in this section, it’s worth highlighting that the lack of legal precedent at the time also reflected a paucity of consumer momentum to see companies move in this direction. There was no zeitgeist for better consumer privacy controls on the internet; people still were learning what the internet even was. In a 2014 Time article five years into the company, Personal said that while they still intended the bulk of their revenue to come from B2B, they had to start with a B2C model to help mollify consumer concerns. As a company official said, “people wanted to pay to subscribe to the service, so that they know they’re not the product.” This is reflective of those early days of Facebook when people were learning what it meant to be the product. But times are different now.
Why It Could Work Now
The world looks a lot different now than it did in 2009. For us, one of those key differences is the legal landscape has changed (GDPR, CCPA, etc.), and companies can no longer be laissez-faire about how they store consumer data. Consumers also care a lot more about digital privacy, and have the right to act on that new concern. It is much easier for us to operate in a world where companies—whether they like it or not—must find an efficient and effective way to securely store PII.
Technology has also made prodigious leaps not just in the last decade, but in the last two years. AWS released Nitro Enclaves (which we use for vaulting) on October 28th, 2020. Apple introduced passkeys this fall (after the initial POC was released last June). We likely would not have felt comfortable building our security before enclaves, and it would have been significantly riskier to make identity portable before passkeys and FIDO2. I think this also answers the question of why the competitors you may think of when it comes to us didn’t build Footprint. The three companies we see the most were founded in 2012, 2015, and 2019; this technology just didn’t exist back then. If it did, maybe they would have built something closer to what we did. And if we started Footprint earlier, maybe our tech would have resembled theirs.
And lastly, a different legal landscape and technological possibilities unlocked a new business model. Personal was built in a time before companies cared as much as they do about PII storage. Therefore, Personal needed to sell a plethora of consumer use cases which required a network effect from the start, resulting in them trying to start B2C before becoming B2B. Our current competitors built tools before identity could be portable. Their business model thus made a lot of sense: extract as much value as possible from each onboarding given that touch points with consumers aren’t continuous.
Footprint, by luck of time, has less constricting restraints. We’re B2B first, and don’t require a network effect to sell a meaningfully improved product to enterprises. Developer experience, UX, and fraud signals don’t require a network effect. All the while, our pricing enables us to have a long-term view and incentivizes early adopters to in time generate that network effect. Unlike Personal, we’re also able to be hyper-focused on solving a handful of salient problems nearly universally facing our customers, instead of needing hundreds of reasons to bring people to their platform. Conversely, I’ve written about how our business model lets us have a new philosophy and approach for KYC and fraud. Because we can make identity portable, we can make recurring revenue through security and as a result not have misaligned incentives in maximizing value for the first KYC.
I didn’t know of Personal when we raised the seed round, though had come across Digi.Me. I had also seen ID.Me, perhaps the closest parallel to us in doing a B2B2C model (though with a different GTM and mission behind it). So, it is not that my answer around the novelty of the idea when we raised was deceptive; I just don’t think it was the right response.
I’ve written a bit previously (in Update 6 on Dreams + Failure, and the most recent update on Vicissitudes) about the power of owning negative narratives. In the two years between writing the first business plan for Footprint and raising the seed round, I spent a lot of time defending why the idea was novel. Whenever someone would counter “isn’t this similar to X”, I’d instantly go into defense mode. It was not fun to consider that others were already building this, or worse yet had failed in doing so because the idea couldn’t work.
But with distance, I’ve realized the best answer is that the idea isn’t all that new or innovative. We’re just lucky to be building it at a unique moment in time. One where developments in both the legal landscape and technology (the launch of Nitro Enclaves + FIDO2) have created a window where something like this can be built. And most importantly, I am surrounded by an incredible team that can execute on its promise.
Goals From Last Month
Make 1+ hire on frontend
- We did not achieve this goal. We interviewed 30+ candidates and reached out to hundreds for the role. We continue to improve our process, but that doesn’t really matter. Accountability starts at the top, and I blame myself for not working on a frontend pipeline over the summer before this was a need. Alex and I are working on our headcount plans for next year this month to make sure such a mistake does not happen again.
Have three more companies integrate in the sandbox
- It is very fun seeing more companies try out Footprint. We’ve now had close to half a dozen test out our sandbox.
Be on track to have multiple data vendors integrated EOY
- We have signed with one data vendor and hope to sign with a second next week; both will be integrated EOY
- We have two others who we expect to be integrated with EOY, but the contracts likely won’t be signed until early next year for us to have prod access
- Overall, the data vendors are one of our larger upfront costs (quite literally from legal fees and more figuratively in time spent) and true moats (it is very difficult to get these deals done + we are the first-ever federated IDV company to sign with them). I think we were a bit ambitious in how quickly we would get them given these constraints. For example, you can’t move forward in credentialing until you have SOC 2 Type II, which we started the month after the raise and got completed within 8 months by this October. We moved as fast as we could with auditors, but there are no levers to expedite that. With that said, having two integrated by EOY is great and allows us to go live.
Bearing data vendor timelines, launch our decisioning engine into production
- We are making steady progress here, and we’re pending our production go-live data vendor
Launch our newly updated dashboard with embedded risk signals and manual review mode
- It’s live! We’re still iterating here, but the first version is sandbox ready.
Launch Footprint’s mobile integration
- It’s live and we’ve released our getting started guides + docs
Release our new customizable/styled embedded Footprint flow
- It’s live! This was a herculean effort by Footprint’s design and product engineers. We cannot be more blown away by how easy it is to customize the Footprint flow to your product’s aesthetic. We support over 80 variables of customization and the best part is that our docs are interactive: we show our real embedded flow in-line for developers to test. Check it out here! [Developer Experience == UX]
Make progress on our live production my.onefootprint where anyone can claim their footprint identity!
- We’re excited to launch this one — we’re calling it Footprint Live. It’s nearly ready to show the world (waiting for data vendor go-live) and will be where the first portable Footprint identities are claimed.
Goals For this Month
- Make 1 hire on frontend
- Continue to get companies in sandbox to get live feedback
- 🤞go-live with vendors and launch Footprint Live
- Add device/user/browser fingerprint into our decisioning + dashboard
- Improve our Footprint embedded integration to make the UX even more seamless (demo coming soon)
- Launch Selfie + Document scans as part of our embedded IDV flow
- As we prepare to go live next year, we would love to offer Footprint as a perk to the portfolios of our investors. For those of you that offer them, we’d love to extend an offer to your portcos of 1000 free verifications on Footprint.
Where We Could Use Help
- Recruiting frontend engineers
- I truly mean it: if you find us a frontend engineer this month, we will adopt a penguin in your honor at the SF Zoo!
- If you’d like to crowdsource some reasons to join, feel free to send these wonderful posts written by our own amazing team members (Pedro’s post | Rafa’s post)
- Customer Intros/Discovery
- Including below some intros we are looking for:
- This month’s criteria
- Frontend engineer intro: 5 points
- Series C+ Customer Intro: 3
- Series B Customer Intro: 3
- Series A Customer Intro: 3
- Seed Intro: 2 points