At the recent Ubuntu Community Summit, I asked Mark for advice on how we tackle trust in the metaverse:
1:08:29 Me: My question relates to the open source metaverse, and by metaverse I mean three things:
- the existence of interoperable digital communties,
- digital connections between the physical and the virtual, summarised by things like digital twins, IoT, virtual worlds, and
- the development of infrastructure.
I’ve been working on this for about two years now and I see people really struggling with this concept of openness, how to do this and I see a lot of blockchain and crypto people talking about open and in my opinion getting it incredibly wrong. So as a stalwart of the open source community, do you have any words of wisdom to help us figure this out and tackle these misunderstandings and how the open metaverse could really look?
1:09:31 Mark Shuttleworth: It’s a really interesting question. There seems to be a theme that hounds me or maybe it’s just a theme that I’m very interested, in which is Trust. What is the nature of trust?
When I was a student the internet was just getting started, it spread down to Cape Town, and it was there, it just wasn’t evenly distributed. I was very interested in the question of how people would come to trust each other to transact. Small businesses on the internet but also to to communicate privately on the internet, and that was kind of the first wave of crypto. There was some great, crazy but brilliant Australians that had started openssl, and they were giving the world technology that’s still pretty critical to almost everything that we do on the internet, for better or worse.
I built a business on top of openssl essentially that was all about trying to solve one part of the trust problem which was who are you actually talking to. The reason that was successful was because I knew that a German would be better at understanding how to assess and decide the truth of German corporate identity than a South African or an American would, so I built a distributed approach – it was centralized distributed, it wasn’t web3 – it was designated people in lots of different countries who I trusted to do that work.
That question of trust keeps coming up. The certificate authority industry I think destroyed its own credibility and now we have a new set of mechanisms for essentially internet connection trust – let’s encrypt and the like and we’re back to kind of fundamental questions of who do you trust, why do you trust them.
In software this is perhaps even more important because software that you can’t trust can be totally and utterly corrosive. I think if you’re naive about trust you can be gutted in deep meaningful ways – financially, reputationally, we’re in a sense in a very dangerous digital world right so this is a really really important question. I think even though it’s not widely understood this is the heart of why we started working very much on better ways to encapsulate software and better ways to know who the software you’re running is actually coming from.
All the things that I loved about our infrastructure .debs and so on in the 90s are still true and they’re still important but in a sense those things are not enough for a world where in fact you need to consume software from all over the internet all the time. They just aren’t enough and there are some very difficult almost PhD philosophy grade problems. Many of the commenters on Reddit attacking this problem do not have PhDs in Philosophy. One of the key tensions here is the tension between freedom to do whatever you want, and certainty about what it is that you’re building on and those two things are fundamentally in tension and there is no simplistic answer as far as I can tell. There is no simplistically good, universally satisfying answer, there just is none.
If you say, look, actually I want to be able to stick software on my laptop from any .deb repository in the world you are actually saying you have no idea who has root on your machine that is, what you’re actually doing and a lot of people don’t understand that. So then some people say “oh but I’m a really really clever person I actually do understand those choices so you should design an entire system which lets me do that”, I’m thinking well okay but tell me about the the consequences of those choices for people who are not as confident, who are not as self-assured, perhaps some might say not as deluded about their ability to make those choices or potentially people who have much more to lose than you do. You get to this very difficult set of questions; what can we do, what should we do in the work that we’re doing?
There’s a sort of a deep principle at heart which is that if we want to try to do something about that, we have to expose ourselves to the risk of criticism, to the risk of making mistakes because we have to take the risk of making choices. There is no way that I’ve found to get past that. Every time I get into a discussion with someone, it comes back to those questions: What are we willing to bring to the world? Are we willing to put our own reputations on the line in order to try to make a platform where more people can go faster if they trust us? Think about it, when you join the Ubuntu Community you’re asking people to trust you in a very very profound way, an extremely profound way. The same is true for us as a company right and so we have to be okay with that and then we have to do as much with that trust as we can ethically, to amplify the impact that we can have in the world for other people. It’s a super interesting question.