Phillip Shoemaker thinks we’re at a critical turning point for the web, with identity and privacy being core, foundational priorities. Imagine an internet where it's easy to provide just the data you want or need to exchange. Envision being able to protect your anonymity, no questions asked. Shoemaker isn’t exactly new to the topic of turning points for the web. He grew up in Cupertino, around the corner from Apple headquarters. His dad was an engineer at IBM. He eventually ended up working for Apple in 2009 where he helped the company navigate one of the biggest turning points in internet history — the launch of the App Store In today’s podcast episode, we reflect on Shoemaker’s career experiences and discuss why he’s now focused on decentralized networks of trust.
Shoemaker spent his childhood in Silicon Valley and learned Assembly when he was just 16 years old.
In his early 20s, he applied to work at Apple and was continually rejected. So he went to work for seven startups instead.
Finally, in 2009, Shoemaker ended up at Apple overseeing the review process for the App Store.
After seven years at Apple, Phillip became interested in cryptocurrency after discovering his personal information on the dark web.
His interest grew in the topic of self sovereign identities, which led him to become CEO and co-founder of Identity.com.
Phillip and Ben reflect on the utility of Web3 in gaming.
Follow Ben and Phillip.
Thank you to lifeboat badge winner Marchingband for their answer to the question about running C or C++ code from Node.js in an efficient way.
[intro music plays]
Ben Popper Hello, everybody. Welcome back to the Stack Overflow Podcast, a place to talk about all things software and technology. I am your host, Ben Popper, flying solo today, doing a quick Memorial Day podcast, or Canadian Thanksgiving if that's where you're located. My guest today is Phillip Shoemaker, formerly the Apple App Store Director, and now Executive Director at Identity.com. Phillip, welcome to the program.
Phillip Shoemaker Hey, great to be here. Thanks, Ben.
BP So the first thing we do when we have a new guest on the show is just kind of situate people. How did you first touch a line of code or get involved with working in technology companies? And after you bring us through a little bit of those early stages, what was it that brought you to Apple and the App Store?
PS Yeah, that's great. First time I touched a line of code– wow, that was a long time ago. But I was fortunate enough to be born in Silicon Valley. Cupertino, California is where I was raised. And I was fortunate enough that my very first computer I bought was an Apple II, but my father was an employee at IBM and got very unhappy with that and made me return it. So the very first thing I did was start playing around with MS-DOS, programming on the PC using Peter Norton's guide to programming. And it just changed my life. To me it was all about video games. I wanted to write a better video game than what was out there. So that's really what I started jumping into. And learning Assembly at 16 was tough, but at the same time it really helped set my mind on what I wanted to do moving forward.
BP That's very cool. The family loyalty brought you back to Windows. We've spoken with a lot of people on this podcast. It's always great, they ran out of video games or they wanted to make a better one. Some people had Neopets that they wanted to give to their boyfriend or girlfriend, and one guy was running a forum for Tony Hawk Pro Skater 6 or whatever, and that need to create and the love of the video games and the want to be part of a community then eventually led them to code. I guess you eventually set your father's dictates aside because you did end up at Apple. Tell us a little bit about how that happened and how you made your way to the App Store world.
PS Yeah. I always loved the Mac. When the Mac first came out I was hooked. The user interface, all of that about it was something I'd always wanted to work on. And I applied for a few jobs when I was in my early twenties at Apple that they didn't hire me for, but I went through seven startups. I was at Palm Computing working on handheld computing.
BP Oh! Know all about it. Very cool thing.
PS Yeah. I mean the Palm Pilot to me, I had a Newton before that, and for me my test was always, can I get to somebody's address in my handheld device before a friend could get it in their paper planner? And with the Newton I couldn't. It took me a minute to get to something somebody could find in their planner in 10 seconds. The Palm Pilot changed that for me. You just pressed contacts, one letter and I was at that person's record. So for me, that changed everything. And for me it was all about something as a companion. Not replacing my PC, but as a companion to it. To me that was the holy grail at the time. So I did seven startups, worked at those, and then ultimately I was at a startup that was founded by the same people that founded Palm, Jeff and Donna. And it was an artificial intelligence company called Numenta, and that's when the iPhone came out. And here I am hiding an iPhone because I'm with the people that created the Palm Trio and nobody was supposed to have an iPhone in this company. All of us engineers were hiding them. And it was then that I realized that when they announced the App Store I said, “I need to be part of that.” Because for me, it was 2008 and we were in a recession, engineers were getting hurt. I mean, a lot of my friends had gotten laid off from jobs and I saw this as a way to help level the playing field. Let's give them the ability to make money without working for the man. That's kind of how I looked at it. And so I quit and I started writing apps for the iPhone, and they were terrible apps. I mean, we were just trying to see if something would stick. And the rejection letters I got from Apple were fearsome. I mean, they were angry rejection letters from the legal team. You thought you were going to get sued early on. And so I started writing letters back saying, “Here's what the problem is with your review process. Why does it take three weeks to get into the store? It should be fast.” And it was at that point that Eddy Cue at iTunes reached out to me and said, “We need to talk,” and that started a long interview process. And I met with everyone, I met with Steve and all of his direct reports, and ultimately they made the decision to hire me and I jumped at the chance. But I didn't know that was going to change the world as much as I saw. I saw it as something to help developers, and it did a lot more than that.
BP Yeah. No, it's created a humongous ecosystem and entire companies that are built around it, not just individual developers. What was your initial role when you started there? What part of the App Store were you focused on and what did you grow into?
PS I was brought in to be the first director to run the App Store. The first full-time new hire to just focus on the app store and the first thing to focus on was the review times. People were submitting an app and three weeks later it might get approved, but more than likely it got rejected. So imagine you do all this hard work, you submit an app, and then you sit in silence for three weeks. It's not like they're reviewing it for three weeks. They had such a backlog that they would review it in five minutes and reject it because it was something that was against the rules. But that's the problem. There were no rules defined in the early days. So my very first day there I said, “Okay, here's what we need to do. Let's write some rules. Let's look into the ways that people can fool us– there's different ways to fool app reviews. And let me reach out to some of the prolific developers submitting apps to the store.” So I reached out to a bunch of developers and just had them come in. I bought them lunch at the cafeteria and just started talking to them and man, were they unhappy. I mean, this was in the first two months, three months of the App Store and developers were really unhappy because there were no defined rules, they didn't know what they were allowed to do. Typically, somebody would look at the store and say, “Oh, there's no app that does X,” and so they would do it thinking that they were the first. But little did they know hundreds of apps like that were submitted and we just rejected them all because they were against the rules. The rules that nobody knew.
BP Right, some roadmap of these are the reasons apps like this might get rejected, or these are the things you really need to check for before you send it in. I guess those were security legal concerns. You mentioned maybe things you were looking for that were a little insidious. What were the key rules that you were able to lay out that made that review path easier and in that sense, developers more productive through that ecosystem?
PS Yeah. Now you look at it and there's about 150+ review guidelines, there's significant numbers. But I like to always say it's always distilled down into three main buckets. The first bucket is you’ve got to protect Apple's brand. That's number one. If you have an app on there that you hurt babies or children or fuzzy little creatures, that will hurt Apple's brand. That will reduce Apple's stock price and that's something that Apple doesn't want. So the first thing is you can't mess with their brand. Two, you can't hurt the user. We had games that in the middle of playing a game it would say, “Hey, you need to enter your social security number to continue,” and people would do that for some reason to play a game. But there was no real reason why these things had to happen.
BP I mean if you're right at breaking that high score in Candy Crush you're going to put in whenever they ask you. Not Candy Crush but you know what I mean. They've got you over a barrel.
PS That’s right. “I’m so close!” And the third thing was just getting Apple’s cut. Apple needed their cut of the money. Those are kind of the three main buckets that we've always been looking for in the App Store team and they're still doing it.
BP So I guess one last question before we move on to your new role. When you look at the ecosystem for app stores today, there are two sort of dominant players in the mobile world, but there are very large and interesting app stores that exist, for example in the PC gaming world, or you might even say in the smart television world. So when you look at that ecosystem, having worked inside of it and built one of the largest and most important ones to date, what do you find interesting? When you look at app store ecosystems today, what either excites you or frustrates you, or you get a sense of maybe this is where we should be headed?
PS Yeah. One of the things about Apple’s App Store is they hired a ton of people. We hired a lot of people to physically look at each and every app. A set of eyes is on every app. There's no automated review. And I think that's one of the things that Google does really well. They've modified their automated review to the point that it's pretty spectacular, so being able to do that is critical. These are for companies that are reviewing apps without ever seeing a line of code. If we saw the code, at least we would know what they were trying to do. But then again, that would make review times a heck of a lot longer because you're reviewing code. So that's a problem. So one of the things is automated review has gotten so much better, machine vision. Back in the day, if you wanted to do a little machine vision, you're like, “We're just looking for pornography in an app,” and the way most of those work is percentage of skin tone in an image. And so that's great, but if you do a headshot, that's almost all skin tone.
BP Right, so you get a lot of false negatives.
PS Yeah, all false negatives. So machine vision and automated review are really interesting, but I am fascinated by the TVs. All the TV companies and cable companies now, we see Comcast, we see Spectrum, all coming out with types of app stores for their televisions, which I'm fascinated about because they want to do the right thing. They want to put these things out there, but their rules are even more onerous than they were at the App Store so I wonder about their success.
BP Yeah. No, that's an interesting point. They have smart TVs, they want to have an app store, but being an old line telco they might still have quite a bit of bureaucracy that they need to wade through before they're an agile tech competitor, so I know where you're coming from on that side.
PS That's right. Well have you seen also that some of the blockchain companies are doing dApp stores? Saga is a phone coming out by Solana and they're going to require a dApp store, and so I'm really excited to see what they're going to do, because the required barrier of entry I would think for a DeFi, somebody who's going to be touching your money, that's got to be a high bar. You want to jump through a lot of hoops to be able to get these companies in because they have the ability to take your money.
BP Yeah, you make a good point. I think one thing we did see, and we kind of just went through a crypto cycle of boom and bust, was these massive exchanges that would get built up like a Uniswap or an FTX and things that would come online, and they weren't an app necessarily but they were a new protocol or a new token and people would widely adopt them, not really knowing very much about them. Some of them promised amazing returns and some of them turned out to be not so secure. So it would be interesting to see a company like Solana which has a lot of credibility in the industry try to do an app store where maybe there is some kind of review process, but they still get the best of decentralization. So tell us a little bit about your jump to this new world of Web3 and identity in particular.
PS Yeah. When I was at Apple, if you were coming in as a company, you went through the whole, you had to get a Dun & Bradstreet number, et cetera. So there was some vetting and we knew you were a real company. When it comes to individuals, you need an email address and a credit card, and a name– and the credit card can be a prepaid card so you can make up whatever name you want to for yourself. And an email address is easy to get. So we were constantly playing a game of Whack-a-Mole with these developers because they would do something bad, we would terminate their membership, and they'd reappear under a different name in a matter of minutes and submit a similar app that might go to a different team member who approved it. So these guys were getting on the store and it was a constant game of Whack-a-Mole. So that was my first foray into the problems with internet anonymity. I've always loved the anonymous nature of the internet. I can go to a forum, speak my mind, and it might not necessarily reflect back on my own reputation because I'm just trying some things out, et cetera. But with the app store it was a big problem. So when I left I wanted to focus on identity for that reason, but for other reasons. There's privacy concerns. The way that my name got out as the head of the App Store was through David Copperfield. I helped out the magician with an app and he tweeted my name saying, “Thanks to the head of the App Store,” and he puts my name, and then I started getting stalked, death threats.
BP Oh my gosh. David Copperfield make me disappear now, please. Yeah, that's hilarious.
PS Exactly. He definitely made me appear. And so it was those kind of things, people stalking, I've been sim-swapped. In 2016 I was playing around on the dark web and I found my identity I could purchase off Silk Road at the time, and that just fascinated me. It's like, “Okay, where are they getting this information? Oh, it's these honey pots of PII.” So I wanted to end this. So I started researching. I've been into crypto for a while. My friend Bill sent me the White Paper in 2010. I was fascinated by it. And then I invested in like 21e6, which became earn.com that Coinbase bought. And I invested in BitGo as well. So I really liked this space, but 2016 is the year I really dove in head first and started looking into identity solutions. In 2017 I ran into Civic and around 2018, Vinny and I met up for coffee. He's the CEO of Civic at the time, and we decided let's join forces, let's split out our protocol and make it a non-profit. And so I jumped at that chance and that's what we did, and we're plugging away on these protocols right now.
BP Very cool.
BP Everyone hates passwords, so that's why Auth0 by Okta wants to build a world without them. Catch our live keynote at Oktane Online for free, where they discuss how developers can get rid of passwords forever. It's happening November 9th, so register for your free ticket at auth0.com/oktane.
BP Yeah, I noticed you were quoted recently in an article. I myself also started reporting and thinking about Bitcoin in 2010, and for a long time, and still to this day I think for people who are perhaps less deeply involved in the space, one of the promises that holds out that people are attracted to is anonymity, a decentralized network of trust where transactions can occur, and I think a lot of people still associate Bitcoin with things like Silk Road. But to your point, in some ways the transactions are actually more traceable. If you can follow one wallet to another, and in the case of companies that aren't really following good Web3 practices, when it comes to then the legal system, all of that stuff is suddenly out in the open and a lot of people's identities and financial transactions might be exposed. So how would a service like yours help either Web2 companies who are looking for solutions or Web3 companies who are trying to build natively in that sort of style, protect folks’ identity and provide them with anonymity online? Not just anonymity, but anonymity that is also functional and lets you log in here or hold an account there, or transfer money here.
PS Beautiful question. It's a tough problem to solve. As you said, the transparent nature of blockchain is phenomenal. That's what brought a lot of us there so you could follow the money if you need to. But at the same time, if you're going to publicly expose someone's name and their wallet, well then you pretty much know everybody that they've ever sent money to. And I had a friend back in the day that would follow your wallet and if he saw that you were accessing Silk Road or sending money to some of these nefarious things, he would have no business with you. He wouldn't invest in you, he wouldn't do anything like that. So it's always been out there, but the fact that we see this first Chapter 11 filing for this company, and they list names here, they redact a whole lot, but they still leave in the name and the wallet address. And now suddenly you know how much money they have, you can see where they spent it. And that’s just old school versus new school. When this happens, problems happen. So the way this happens is that these crypto exchanges or technology services are required to have a database of PII. A database of all their users, a driver's license, numbers, passport numbers, et cetera,
BP KYC, know your customer, get that in there for compliance.
PS Exactly. And if you look at a Coinbase– Coinbase, great company– of course they have a centralized database of their users. Now it just blows the mind that these companies that espouse the virtues of decentralized currency are not taking on decentralized identity. To me that's what it's about.
BP I've been down this road speaking with other guests and just joking about Satoshi, whoever they may be, rolling in their grave. As these companies move towards their IPO or working with more institutional clients from the Wall Street firms, they did in some ways have to play by those old school rules and lost, as you point out, some of what initially attracted people or initially made it powerful in a new way. Maybe not new, but the pendulum was swinging back to a different style. So I totally feel you on that. So let's say I'm a developer and I'm interested in building in true Web3 fashion. If I were to check out Identity, what are the access points? Am I talking about an SDK, an API? How are you helping developers or organizations that want to utilize this stuff make the best of your platform?
PS We have a variety of protocols, but the one we're focused on right now is what we call the gateway protocol. And this is essentially a two-sided protocol, a developer of a dApp or a web service who wants to identify their customers. It's very simple to implement the API from that perspective and say, “I want to validate my customers as they onboard.” And then it connects to the back end to one of what we call our validator partners, or gatekeepers, and these are ones that are actually doing the identity validation. So on the back end it could be a company like Onfido or Socure that do KYC for a living. Now what happens is that then there's an exchange of information through this protocol. People send in a picture of their driver's license, it gets vetted by the backend company. They ultimately do an AML verification. Does the ID match up with local data records? Are all the holograms on the ID? They do that standard fraud check and if everything's kosher they put a stamp of approval on the blockchain through our service, and then the credentials get sent back to the user for their storage, most likely on their phone. And once you have it on your phone, you're in complete control. It's what we call self-sovereign identity. When somebody wants to query your wallet they'll query the wallet saying, “Okay, I want to know who this guy is. Oh, it's really Ben Popper. We want to get his age. Is he over 21?” And that's the level of disclosure you give. Right now, and I know people all use this same analogy, but when you go to a bar, you have to show them everything about yourself by your driver's license. They get your whole birthdate, your full name, all this information.
BP Home address, yeah.
PS Exactly. They just need to know is he of age? That's all. They don't need to know your exact age. And that's what we try to do. So we want the person to be able to disclose what they think is appropriate for this. If you're getting a bank loan, look, you're going to need to give a lot of information. If you're trying to buy a beer, they don't even need to know your name. They just need to know you’re the person.
BP Yeah, I like that. You want to atomize these different data types so that you only need to give what's necessary, and obviously if you had to go through some big financial transaction with a traditional institution, maybe you have to give up a lot. But if you're maybe interacting with dApp and they just want to make sure you're 21 for their terms of service, then maybe you can just verify that. That's very cool.
PS Exactly. So we have this protocol, you think of it as a marketplace, and ultimately we have Socure, we have Onfido in the back end. Onfido goes through Civic. Civic is the largest user of our protocol at this point. And we're adding more of those service providers on the back end so we can support the world. Socure is US, Onfido supports a variety of countries. We want to move to Europe, et cetera, and have all these different providers on board, but it's really simple for the dApp providers to be able to integrate us and start identifying their customers. But that's all this whole regulated stuff, this KYC AML. I think the cooler piece is that there's a lot of use cases where you don't need to KYC the person. You don't need to know their driver's license, all of this. You just want to know, do they really have a degree from Brown? Do they have a degree in virology? If you're going to listen to someone give you advice online, I kind of want to know what some of their credentials are. Should I be drinking bleach to cure me of covid or not?
BP You would be surprised how easy it is to trust people on Twitter. Yeah, you'd be surprised.
PS I struggle with it, to be honest. I really see this as a life and death battle between Web2 and Web3 right now. I heard somewhere recently that somebody said all the brands we know are going to be gone in 30 years. You won't be eating at a McDonald's. It'll be something else, something else will take over. Now, I'm not sure if that's true. I look at it from the web perspective and I believe that wholeheartedly to be true. These brands, these big Web2 brands that we've known for the last 20-30+ years I think are going to get replaced by ones because the whole business model is changing. I like to say, ‘not your keys, not your identity.’ It's a similar thing with the crypto world of the wallet. Not your keys, not your crypto, because who owns my identity? Facebook would probably argue that they own me and companies like that. How many PII honey pots has my data been in and been hacked? I mean, a lot. And I don't like that. I want to be able to flip the script and let us start earning. If you want to monetize and sell advertising to me, et cetera, you should be paying me. These are all the kinds of how the script is completely flipped in Web3, and I think this is the future. This is a huge critical turning point for the web and if we do it right these Web2 giants could jump in and join, but they're just not engineered to support this model. That's why I think it's all going to be new guys.
BP Yeah, I don't like to go see haveibeenpwned. It's not a fun thing and it's a terrible place to visit and realize how many times it's happened to you. And I guess just to sort of reflect a bit on how you guys started this in gaming, the thing that always strikes me is the area where the metaverse is furthest along is gaming. The way people would pay for skins or virtual real estate and how much they care about their character in Fortnite or Roblox. If those companies started to adopt some of the Web3 ideas and began to allow you to take your own keys, your own credits, your own avatar between those worlds, that could be really powerful because people do invest so much time and money in those. But right now they each have their own walled garden and that is sort of to their benefit. So it'd be interesting to see them maybe adopt some of those ideas.
PS That’s right. Yeah, they make such a good amount of money from these kind of things that for them to have to completely change their business model on the fly, that's why I see companies like Star Atlas as a really cool upcoming game that's going to be play to earn. You'll be able to make money there, you'll be able to sell your wares, et cetera. I mean, look. I know that with Axie Infinity it was amazing in the beginning and then bots took over and now people aren't making as much money there, but fix the bot problem and look, I’ve got a great product to do that, Identity.com will help. But these are the kind of things that for me, I think there are ways to solve it rather than scrapping the whole industry and saying play to earn doesn't work. Much better solutions.
BP All right, everybody. I want to thank Phillip for coming on, and it is that time of the show. I'm going to shout out the member of the Stack Overflow community who came and helped us. They won a lifeboat badge for rescuing a question with a score of -3 or less. Now that question has a score of 3 or more, and their answer has a score of 20 or more. Speaking of anonymity, thanks to Marchingband, “How do I run a C or C++ code effectively in Node.js?” All right, if you want to know about efficient C++ in Node.js, Marchingband has the answer for you. This question was asked four years ago and has helped almost 12,000 people, so we appreciate you coming on the community and spreading some knowledge around. I am Ben Popper. I am the Director of Content here at Stack Overflow. You can always find me on Twitter @BenPopper. You can always email us, email@example.com with questions or suggestions. And if you like the show, leave us a rating and a review. It really helps.
PS I'm Phillip Shoemaker, Executive Director of Identity.com. You can get me at @PBSIdentity on Twitter or just come to Identity.com.
BP Very cool. All right, everybody. Thanks for listening and we will talk to you soon.
[outro music plays]