The evolution of digital identity systems is critical in an era when data breaches and privacy concerns dominate headlines.
CCN talked to Shady El Damaty, co-founder at Holonym, a digital identity-focused protocol, to discuss the transformative potential of decentralized identity systems, zero-knowledge proofs, and the future of privacy in the Web3 space.
El Damaty’s journey into digital identity is unconventional. With a PhD in neuroscience, he initially focused on solving data-sharing challenges in scientific research.
“My background is actually a little bit atypical… I was interested in looking at digital identity from the perspective of patient medical records. Specifically, how do we build better data sets for scientific analysis across different data consortia?” he explained.
This led him to explore decentralized science (DeSci) and Web3 architectures in 2020 and 2021, where he “built really some of the very first functional implementations of what science running on Web3 architecture could look like.”
Holonym’s early success came from addressing practical challenges in the Web3 space. One notable client was the former U.S. presidential candidate Andrew Yang, who launched a DAO called Lobby 3 to raise crypto funds for political campaigns.
“Andrew Yang… launched a DAO to raise crypto funds for political campaigns… The problem was that if they were going actually to use this for campaign finance, they needed to KYC all of the DAO members,” El Damaty recounted.
Holonym stepped in with a zero-knowledge KYC solution, enabling users to prove U.S. residency without exposing sensitive data. “We stepped in and helped them out by… having users do ZK KYC and proving that an address was a US resident so that the treasury funds that they voted on could actually be used.”
El Damaty highlighted the vulnerabilities of traditional KYC (Know Your Customer) systems, which often rely on centralized data aggregators.
“Most existing models of KYC all do the same thing… they verify whether a government ID is valid… There are three or four data aggregators that let you interact with government databases,” he explained.
These systems create “giant honeypots” of valuable data, making them prime targets for hackers. “It happens all the time. It happens to the best, right? Even Coinbase has suffered a massive data breach,” he added.
Holonym’s approach is different: it prioritizes user control and minimizes data exposure.
“Wherever we can, we have a client custody of data… You do the verification, the computation occurs on the device, and you just share a proof that the computation ran correctly,” El Damaty said. This ensures that sensitive data remains with the user, reducing the risk of breaches.
Zero-knowledge proofs are at the heart of Holonym’s technology, enabling privacy-preserving identity verification. For users unfamiliar with the tech, El Damaty keeps it simple:
“We don’t explain it to them at all, actually… Just understand that this is a privacy-enhanced technology.” The computation happens on the user’s device, and “they might need to wait a little bit longer for the computation to occur… but not much longer.”
Holonym has also developed innovative solutions like “proof of clean hands” for Aztec, a privacy-focused Layer 2 blockchain.
This allows users to prove they’re not on sanctions lists without revealing their identity. “Proof of clean hands basically lets you prove that your hands are clean, that you’re not on a sanctions list… and it does so with ZK,” El Damaty explained. This balances privacy with compliance, ensuring pseudonymity unless a valid court order is presented.
When asked about the most dangerous types of identity leaks, El Damaty didn’t hesitate:
“It’s absolutely biometrics… any sort of leak of iris data, fingerprint data, like face matched with other likeness… is really dangerous.”
He warned of threats from both individual hackers and state actors. “On the flip side, the worst side is actually state actors… actual governments that now know everything about you,” he said, citing examples like tracking consumer behavior or monitoring compliance with state-approved activities.
Holonym’s design mitigates these risks by avoiding centralized data storage. “If a hacker was trying to get your information… there’s nothing there for them to hack… They would have to break post-quantum encryption to do so,” El Damaty noted, emphasizing the impracticality of such an attack.
El Damaty offered practical advice to non-expert users looking to protect their digital identities. First, “do a scan of the dark web… use tools like Have I Been Pwned” to assess data exposure.
Second, adopt privacy-enhancing browsing tech, such as custom operating systems on devices like the Google Pixel, which allow users to block trackers.
“I can prevent trackers… creating profiles on me,” he said. Finally, for crypto users, he advised caution with on-chain activities: “Your entire on-chain history is like a fingerprint… use privacy tech whenever you can… [and] make sure you’re constantly rotating your keys.”
El Damaty identified RPC (Remote Procedure Call) endpoints as a significant vulnerability in the blockchain ecosystem.
“The biggest one that people have been talking about… is the RPC endpoints… whoever’s running that service or that server… can see all the associations between everyone,” he explained.
These centralized points, operated by providers like Alchemy or Moralis, create risks that decentralized solutions like DRPC (Decentralized RPC) could address, though such solutions are still in development.
For those skeptical of Web3 identity systems due to scams or complexity, El Damaty emphasized the technology’s roots in everyday applications.
“The government already uses cryptography. If you have a passport, it has Web3 technology in it… a cryptographically signed attestation from the government,” he said. Web3 builds on this by distributing trust across a wider infrastructure, enhancing individual sovereignty through encryption and privacy.
Looking five years ahead, El Damaty envisions a world where privacy is the default.
“Transactions will probably be by default private, identity will be by default private… There’ll be no centralized honeypots where people can just hack,” he predicted.
He expects greater adoption of zero-knowledge proofs, driven by their post-quantum security properties and growing concerns over data breaches, such as India’s Aadhaar system. “If you’re a government setting up a digital identity system… you’re thinking about security,” he said.
Integration with Traditional Systems
El Damaty sees immediate opportunities for Web3 identity solutions in traditional systems, particularly with mobile driver’s licenses.
“There’s an opportunity right now with the digitization of mobile driver’s licenses… there’s a big opportunity for app developers to integrate privacy-preserving tech,” he noted.
Financial markets, hesitant to fully embrace blockchain without privacy guarantees, are also poised for transformation. “The emergence of Miden and Aztec… is really going to push institutions to adopt privacy technology,” he added.
El Damaty’s vision is clear: decentralized identity systems, powered by zero-knowledge proofs, pave the way for a more secure and private digital world. “This tech specifically is intended to enhance individual sovereignty and power through encryption and privacy,” he emphasized.