E125 - Johnny Lee, Principal & National Practice Leader, Forensic Technology, Grant Thornton LLP
Your browser doesn't support HTML5 audio
33:40
SUMMARY KEYWORDS
blockchain, people, technology, digital assets, privacy, web, decentralized, hash, cryptocurrency, data, debbie, ai, arena, elements, output, thoughts, investments, crypto, world, cases
SPEAKERS
Debbie Reynolds, Johnny Lee
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show, Johnny Lee; he is the Principal and National Practice Leader of Forensic Technology at Grant Thornton LLP. Welcome.
Johnny Lee 00:44
Thank you, Debbie. Great to be with you.
Debbie Reynolds 00:47
Well, this is great. I'm excited to talk to you for a number of reasons. So we've known each other for a number of years, we've collaborated on stuff together, and we recently ran into each other at a networking event by happenstance in Atlanta, which is so funny, because I went, hey, what are you doing down here? You're like, oh, I live down here. And I was like, oh, my God, I had no idea because, you know, we see each other on like webinars, we run into each other, and people just don't know where other people are. So that's true. That's true. It's very nice to have you here. So you're the guy to talk to about digital assets. And so this is something that I definitely want to talk about this year. I think it's a hot issue. I think a lot of people don't really understand it and everything. But before we get into that, I want you to tell people about yourself, your career journey, and how you position yourself in this area of technology around digital assets.
Johnny Lee 01:53
Yeah, I'm happy to so I got my start as a self-taught software developer and database guy and did some networking administration. And then had a brief flirtation with the law; I went to law school and spent some time in the district attorney's office here in Fulton County, Georgia. And really, through that sort of combination of technology and law, realized that the place for me was in the consulting world, mostly because, as my father so charitably puts it, I have a short attention span. So I need project-based work, not something that you know repeats itself on a very often basis. So I left the DHS office and went to Arthur Andersen and stayed with them, as we say it, until the firm left us in 2002. And then joined a spin off of Arthur Andersen and then landed at Grant Thornton in 2010. With the specific design of joining their forensic technology practice because I felt that that was the intersection of my two great passions, the law and technology. And it's been an interesting ride; we've changed our stripes a number of times over those 13 years. But presently, our focus is really the use of applied advanced technology to forensic agendas. Those are typically investigative in nature, but not always; we collaborate on some complex regulatory compliance matters and a fair amount of litigation consulting as well. But usually it involves a healthy quantum of data analytics work. And over the last six or seven years, a great deal of analytics, technology, and applied technology to the cryptocurrency arena. So that's the Reader's Digest version. I hope that makes some sense.
Debbie Reynolds 03:51
Yeah, it makes perfect sense. I didn't know you were a DBA. I was too. I guess my passions are technology and law. I'm on the technology side more. I think we have that in common. I guess I'm starting at the top level, and we're going to drill down and talk about this. So I think where I want to start is Web 3.0 or kind of more decentralized computing. So what's happening in technology, I feel, you tell me whether you agree or not, is that there are these new architectures that are brewing because of the fact that the Internet, the way that it has developed, can't support the things that we want to do in the future? And so part of that is more about computing power possibly having like more decentralization. I feel like when people talk about Web 3.0 So we started talking about like, maybe crypto, you know, crypto is already here, I think part of that, that play, the future will be around more privacy and security, and then also control for the individual. So tell me just your version of how, like Web 3.0 and decentralized finance and cryptocurrency, how that all plays together?
Johnny Lee 05:25
Well, I'll do my best. It is a confusing landscape. But you know, the way I try and simplify it for myself, which is hopefully helpful because it helps keep me straight on the distinctions between some of the categories you were mentioning, right? Some of these are architectural phenomena. Some of these are technological phenomena. Some of these are sort of intersections of those two things. So in my simple way of framing it, I view Web 1.0 or one dot zero as static webpages; right, you had to know the address you were visiting, if you landed on that URL, you were presented with a static set of content. It was sort of a one-way interaction, where the author, you know, committed something to writing once, and it was presented to the world, and only those with the address could digest it, web to sort of evolved from that where the content could be more dynamically presented based on a modicum of user interaction, right, perhaps a login, perhaps a search query. And the back end was not statically committed, and it wasn't, you know, fixed to a particular web address; it could be dynamically presented. And I think Web 3.0 is an elaboration on that same theme, but intrinsic to the Web 2.0 story is the fact that someone has to own that back end. And that ownership comes with control. And so, while it was an epoch or a leap forward in terms of technological advances, it introduced a tremendous amount of centralization. And so what Web 3.0 promises, and I'm not sure it's fully delivering this yet, but what Web 3.0 promises is that that back end that Web 2.0 introduced, which allowed for a dynamic presentation and a modicum of privacy and security, can now be housed in a storage mechanism that isn't owned or controlled by any one party, and is immutably written. And so, I think that's an architectural commentary, right? It doesn't explain blockchain. But it explains the architectural advances between Web 1.0, 2.0, and 3.0 as sort of evolutions of each other. And we're really early in this adoption. I know that gets that kind of comment gets thrown around a lot. But if you think about where we are, you know, the Satoshi white paper came out in 2008. And it is, you know, just now beginning to realize some of the most promising aspects of decentralization in that architecture, right, where the back end is literally replicated in some cases in some blockchain networks across millions of nodes. And so the tamper-proof nature of that and the immutability of the way it's recorded presents some really valuable use cases. Many of the things we've been reading about the Web 3.0 and crypto arena that are not so flattering or positive over the last six or eight months have very little to do with the architecture or the technology and have to do with things that are much more intrinsic to human nature, like fraud and misbehavior. And so I think there is a lot of promise I'm not an evangelist, necessarily. I don't think blockchain technologies are an answer to everything. I think, in many cases, the use cases do not speak to blockchain technologies. In many cases, if you're simply introducing a distributed ledger, you may be just building a very slow database. So you have to look at the nature of blockchain; you have to understand that it solves for two really specific things it stalls solves for questions of trust, where the participating parties in the network don't necessarily trust each other. And it solves for a particular kind of resilience, that decentralization sort of augurs as the answer to everything, so I'm a light skeptic in terms of blockchain. I think it's a remarkable advancement in technology, but I don't think it's the answer to everything.
Debbie Reynolds 09:31
Yeah, I agree with that. I agree with that. I want to talk a little bit about digital assets. And so cryptocurrency is under that umbrella. So talk to me a little bit about digital assets, how they're different in this kind of, you know, going from Web 2.0 to Web 3.0 worlds, just for the audience to understand.
Johnny Lee 09:55
Yeah, you know, it's a very broad category. So again, To simplify things in my mind, I distinguish blockchain as a sort of operating system, right? It's a technology that allows for lots of different kinds of applications. And I think cryptocurrency is a category of application, right? Digital assets is sort of a superset of that. It doesn't include, it incorporates cryptocurrency, but I see them as slightly different animals, sort of an overlapping Venn diagram. So when you start talking about cryptocurrency coins or tokens, those are definitely digital assets. But you have to examine the underlying blockchain on which those assets are created and maintained. And you have to look at the nature of what it's designed to do, right. Some of these blockchains are designed for slow, methodical, you know, bulletproof recording mechanisms like Bitcoin, and others are much more designed for extensibility. Smart contracts come to mind, right, that can, in some contexts, be considered a digital asset, like Ethereum. And other blockchains still are designed for throughput, right? Look at Hadera, for example, as an example, that's designed for a higher transaction per second rate than those other two blockchains. So I think the use case becomes important. And that is what's so confusing about this arena with some 20,000 different coins and tokens in circulation. Many of them just don't pass the smell test as having any real utility, most of them, I would say, but some of them really do. But you have to hold the context pretty closely to appreciate that. And that's not something that the journalism in this space often gets, right. Or the people who are sort of curious and entering into the waters for the first time really appreciate.
Debbie Reynolds 11:56
Yeah, I love to talk about when I read stories about crypto or blockchain and the press; a lot of times, they're just completely wrong. Like they're just factually not correct. Right. And maybe they're trying to tell sometimes a story that gets people interested, you know, eyeballs on articles and stuff like that. But I think there's just a lot of misconception there. What are your thoughts?
Johnny Lee 12:27
I think that's a pretty astute, you know, example, right? When you look at some of the latest stories coming out of the FTX collapse. And by the way, I should have said this at the outset. But let me say it here, you know, these opinions are mine alone; they may or may not represent those of my firm. But I think to your question, there have been, you know, innumerable instances of so-called news stories that are not empirically based, right? The journalism in this space has been borderline reckless in many instances. And in some cases, the conflicts of interest are more than just suspected; right, we saw investments in a news outlet from the former CEO of the FTX platform. So, you know, I don't have all the facts there. But it doesn't look good, right? It certainly doesn't speak to the kind of objectivity that we've come to attach to real journalism. It's not to say that everything that came out of that news outlet should be discounted, right? Because from all appearances, it doesn't look like the people doing the investigative reporting knew about these investments. So I don't mean to taint that outlet, and I won't name them here. But I think it's important to do your own research. And where we look at the industry where it is today, it's really akin, Debbie, I think, to where we were in the early days of the.com Arena, where, you know, candidly, stupid amounts of money were being thrown at business cases, that didn't make any sense. And I think that's largely endemic to the way the industry is dealt with today, you've got investments and things that could be revolutionary or could be just the next flavor of the month with regard to fraud on the market. It's really hard to tell without doing your own research and getting grounded in the space.
Debbie Reynolds 14:30
Yeah. And my view, even though you add a kind of a technology layer to the story is still you know, garden variety fraud, right? Take money for one purpose and use it for something else. That's what fraud is,
Johnny Lee 14:48
This goes back to human behavior before we even had the word technology; you know, this is old. This is part of, you know, interacting in society. So I think it's important from that perspective to appreciate where we are with regard to regulation, where we are with regard to professional skepticism, where we are right with regard to skepticism regarding our own investments, whether you're a retail investor or an institutional investor. And that notion of do your own research and what diligence is good enough? It's always harder. It's always a steeper curve for newer arenas and newer technologies. So I don't see that as distinguishable here from any other advancement over the last 100 years.
Debbie Reynolds 15:34
Yeah, I agree with that. So let's swivel here to privacy and cybersecurity as it relates to digital assets. So you have talked about architecture. And I think architecture is very important, especially in the future, when we're thinking about ways to enable people to do kind of decentralized computing and stuff like that. But then also, there can be a benefit there to privacy, because it's not like like, in the past, everything was in one big bucket, like we talked about, like web two, right? Where everything, you know, you have to go to the mothership to like get anything done. And so I think there's an opportunity with more decentralized, you know, finance or decentralized computing to bring in more elements of privacy by design, security by design; what are your thoughts?
Johnny Lee 16:36
I think the technology holds a lot of promise. But I go back to my earlier statement that context matters, you know, and you can't just throw blockchain at a solution and expect it to solve for privacy. Because in 9 out of 10 use cases, all you're doing is building a really tedious database, right? Because it's encrypted, because it's distributed, because it's immutable. It's not fast. So you have to hold that close when you're building the solution you're trying to solve for a privacy problem. Now, Blockchain or more, particularly the cryptography that can be stored in blockchain does hold a lot of promise for privacy. And there are some really innovative privacy-based solutions that are coming to market. And one of those technologies, which you know, this, this is flirting with 40-year-old discoveries at this point, but mathematician Dan Merkele established what was called a Merkle tree, using what is effectively a one-way algorithm, right, so I take Debbie's first name, last name, date of birth, and Social Security number, and each one of those four elements first name, last name, social and date of birth, gets run through this algorithm, and that output creates a hash. I cannot reverse engineer that hash into Debbie's date of birth. But it is going to be the same hash every time I run it through that algorithm, I feed in the birthdate, and it gives me the same hash every time. And when I concatenate those four elements into yet another hash, that's a, you know, perhaps a 56-character, alphanumeric string of gibberish that's not useful to anybody. And yet, it is that combination every time. So if you want to present that hash as proof that you are who you say you are when you're looking at your medical record or settling with your gym to pay your monthly bill, those are all things that are accomplishable without ever compromising the underlying data elements. And that kind of cryptography I think holds a tremendous amount of promise for both decentralized storage of otherwise highly sensitive data elements. But also the disintermediation of the people and companies who historically have always been intermediaries in that mix.
Debbie Reynolds 18:59
Yeah, since you touched on it, I just wanted your thoughts on this. I'm going to go deep tech nerd here. So hashing. Hashing can be tricky because sometimes people don't really understand that. So, you know, I think one of the other things that will come up with Web 3.0 is interoperability. And we know that hashes can be different based on what people decide to hash. So what are your thoughts about that?
Johnny Lee 19:33
I think it's a great insight and, you know, like the other technological touch points we've discussed here, right? It's not a panacea, you have to have naming conventions, right? Take an address, for example, right? And an address has spaces in it. It has differences in capitalization, you may abbreviate road rd or spell it out any distinction, even a space is going to give you a different hash value. So you have to be very selective not only about the data elements you're submitting to the algorithm for a hash output but also in how you normalize data before you do the hashing. Because otherwise, you may deny someone access to her credit report, when they are in fact, a legitimate applicant or a legitimate reviewer. If you've gotten that wrong, so I'm not saying that these things are easy, but as you well know, as a data governance maven, that's the whole shootin’ match, right, the ability to compare like items to ensure whether you're doing a defensible deletion gambit, or whether you're looking for information as a privacy review, or in active litigation for discovery purposes, right have to be very careful and circumspect about the search criteria, the confidence level you ascribe to that output and what you do with it. And you have to be able to show your work turn by turn and that that upfront work is not sexy. And it gets glossed over frequently. And I think there's a real detriment to that when you start to see the outputs, being mismatches, where otherwise they're actually comparing, like data elements.
Debbie Reynolds 21:20
Yeah. Oh, cool. Thank you for that. I love to geek out about stuff like that. Also, I think let's bring AI into this picture. So AI comes in as well, where we're seeing a lot of regulations and proposals around the world where they want to see more transparency in AI. And I think that's a good thing. But then also we have these architectures that are saying, well, let's be, you know, less central, and you know, more decentralized, which I think will bring more, the data won't be as available as it once was. So I don't know, I feel like there's a dichotomy brewing here around having more visibility and transparency, even interoperability with different things, but then also being able to have systems that can work like independent of a mothership. What are your thoughts?
Johnny Lee 22:21
I think that's a great framing Debbie. I think it's akin to the world, you and I, you know, shared for the last well, I won't say the number of years because it's depressing to say out loud, but I think it's very similar to the kind of arguments that you and I have been sort of seeing in the discovery arena for well over a decade, right? With this, the so-called AI that is called predictive coding, right? Unless you're clear about what the black box is actually doing within the black box, you're gonna have a tough time explaining yourself to opposing counsel or a CT to defend the outputs and the classifications of the reviewed content. And I think it's a really good analogy with AI because it is just another flavor of AI. With AI, that's what's currently being sort of championed, and much talked about; I mean, I can't log into LinkedIn without hearing about ChatGPT and 9 out of 10 posts. It's kind of exhausting. I think there are some challenges about the inputs to that particular technology. And I think those disclosures need to be known right on what was it training itself. So there's a lot of really interesting and novel legal notions and concepts that are going to unfold on the court side; there's already a, I think, a suit by Getty Images claiming that the AI was trained on copyright-protected information and therefore constitutes an infringement. I may be getting that slightly wrong, but that's just a bit. And I think those kinds of things need to be explored, right? It's a very tantalizing black box. But what it does and how it does it is going to be the stuff of discussion in legal circles for the next decade because there may be biases that need to be brought to bear. There may be tweaks to the technology to cure for faulty data inputs, biased outputs, or both. It's a really fascinating arena, but there, we've just skimmed the surface, I think.
Debbie Reynolds 24:51
Yeah, I agree. As you're talking about this, one thing that I think is coming up now that I think is gonna, just royal the late the legal profession around technology is a lot of the technology in the legal sphere has been centered around a document. Yeah. And I think in the future, the thing that we thought was a document will not exist. I mean, I think ChatGPT is an excellent example. I mean, it's basically free text. So is it even a document? Do you know what I'm saying?
Johnny Lee 25:32
I think it is. But I think some of the Applied Technology is remarkable, right? Because it doesn't in many cases, the things it's deriving value and context from aren't in the document itself. They're metadata, or they're from pictures, or the AI itself is generating a new picture that you've instructed it to paint. And, you know, from what is that drawing as a corpus of input? And what is the copyright status of that output? Is it the person who requested it to be drawn? Or is it the owner of the AI? I mean, these are really fascinating legal concepts that I think are so novel that they're going to take a long time to fully sort out.
Debbie Reynolds 26:21
I agree with that. Well, tell me is there, what is there in your realm of work that maybe you hear about the press or hear people talk about that is very misunderstood that you can help clear out for us?
Johnny Lee 26:35
Oh, wow. Trying to be politic, I think it probably comes up most often, Debbie, in our work in digital assets. Yes. There's a lot of mythology about this space and a lot of misunderstanding about this space. I think the thing I'd like to help rebut most of all is that you know, digital assets is only a playground for criminals and charlatans. I think that's a really heavily discounting kind of take on things. And I think there are certain, it's hard to, with a straight face, say there haven't been colossal issues of fraud and misrepresentation, especially in the last three years. And I don't take that position at all. But to write off the entire technological advances and industry, and it very much views itself as an industry, I think is premature. And I think that people who are very invested in this and seeking to actually make real contributions and actually do it in a compliance-leaning fashion and try and stay on the right side of the regulatory arc. I think we're going to see some amazing things coming out of there. So that's kind of a high-level gloss. But if I were able to sway any one person, I would aim for that.
Debbie Reynolds 28:07
Yeah, I agree with that, as well. And it makes me, you know, when I hear about people, sort of equating just because something is cryptocurrency, that it's like fraudulent, or whatever. It's like, that's not a true statement. And then also, I think the thing that people really need to realize is a lot of these technologies, regardless of what they want to do with it, you know, these things are out, and they are going to develop, and they're going to continue to grow regardless. So it's like you're gonna end up dealing with this one way or another. So I think we can't put our heads in the sand like an ostrich and say, oh, you know, I don't really want to do anything with this or whatever because it's happening regardless.
Johnny Lee 28:50
Yeah, we didn't shut down hedge funds because it made off or closed energy companies. Because of Enron, I think we need to take a breath and distinguish between fraudsters and people who misrepresent what they're doing and the actual underpinning that could be revolutionary here.
Debbie Reynolds 29:07
Yeah, I agree. This is an exciting time for you to be in this space. So I'm glad you're working there. So if it were the world, according to you, Johnny, and we did everything you said, what would be your wish for either privacy, security, digital assets, blockchain, or crypto? What are your thoughts about the future?
Johnny Lee 29:34
Well, given that I'm on a privacy podcast, I would love it if more people took better and greater ownership of their own privacy. I think that would be the way to change a lot of the bad things we see in this world, right that our trust in centralized organizations to keep our stuff protected and the kinds of things we give away by simply browsing the Internet if we're not careful. It is kind of staggering. And I know my family is sick to death of hearing all of these things. But I would wish that people appreciate what happens to their private information when they give it away willingly or otherwise.
Debbie Reynolds 30:21
That's a great answer. I don't know why. Why do you think that is? I have two thoughts about that.
Johnny Lee 30:27
Why do you think people? Yeah, the basic answer is that it's hard. Right? And it's inconvenient. If that's the basic answer. That's not really charitable to your listeners. But I think that's the basic answer. The other is that I think the people consuming and monetizing these data are not clear about either of those things, how they're consuming it, and how they're monetizing. And how many people get sold your content without your consent or knowledge. I think that if people had a better insight into that marketplace, they might change some of their behavior.
Debbie Reynolds 31:01
Yeah, I agree with that. I don't know. I feel like people, I guess I'm of two minds about this. Like maybe these are two polar opposites. So I feel like some people feel like they already have privacy. So it's not something they have to fight for. And then other people, like you say, maybe they're exhausted. They're like, oh, I can't fight against Google or the man because they're taking all my data, stuff like that. So part of his fatigue, and some of it is just not having enough knowledge about kind of what happens with your data.
Johnny Lee 31:35
Yeah, and, you know, for most of us, I mean, goodness knows how many actual times my personal information has been compromised, but I'm a relatively circumspect person when I interact with the Internet. My family and close friends think I'm paranoid, but that's a professional hazard that I embrace. That's fine. And not everyone needs to be that heightened, you know, in their awareness, but I think just having some appreciation for basic hygiene, you know, get a password manager, use a VPN. Be careful about clicking on links, those sorts of basic things. They can really protect you in the long run. And I think those victims who have been victimized by identity theft, I know they would, in retrospect, be willing to give that, you know, five minutes a day, more attention, just to not go through that exercise ever again.
Debbie Reynolds 32:36
Yeah. Very deep, very deep. Well, thank you so much for being on the show. This is amazing. Thank you for dropping some knowledge. I feel like this is a widely misunderstood area that we need people like you speaking about it so that there's more understanding and people kind of start to grasp it better.
Johnny Lee 32:56
Well, Debbie, it's always a pleasure to reconnect. Please keep doing the good works here. Love your podcast.
Debbie Reynolds 33:01
Thank you so much. Thank you so much. I'll talk to you soon.