Home
Member since 2017-07-15T03:50:57Z. Last seen 2025-01-02T20:05:01Z.
2729 blog posts. 128 comments.
蒂費克奇認為,習近平或許已決定是時候迫外國企業表態,外國企業如果想跟中國做生意,就必須依照中國的遊戲規則,他已不用掩飾中國在價值觀上的分別。不過中國國內亦面對不少難題,例如貪腐、貧富不均等,同時很多高官的家人都擁有多本外國護照和豐厚的海外財富。若果欠缺合適的戰略考慮,可能令中國陷入困境。蒂費克奇指,在香港問題上若中國能在早期作出一些象徵性的讓步,很可能已處理好當前的難題,但事實上中國似乎不太了解香港。
NBA球隊侯斯頓火箭隊總經理莫雷的一句Fight for Freedom, Stand with Hong Kong料不到成為中美外交的黑天鵝,頗出乎華盛頓和北京意料之外,其實華府和中南海都不想在貿易談判之際,出現特殊事件,但中共的宣傳部顯然配合了內地憤青網民的民粹愛國主義,把一位不見得是有影響力人物的推特提升至分裂中國主權,傷害中國人民感情的高度,於是民企一於看風駛隽,寧左勿右,急忙與NBA的商業往來,主要是贊助和球星代言人方面,即時割席。內媒聲稱美國各球會的球員,要是沒有了從中國市場賺進的金錢,平均每人要減年薪一至兩成,個別球員更不只此數,譬如一位二級球星Lou Williams(羅省快艇隊)2018年薪是800萬美元,去年與中國成衣商(匹克)簽下贊助合約,自言贊助費比他的年薪還要高。中國贊助商與NBA割席,Lou Williams自必損失不菲。據USA TODAY估計,過去幾年,NBA每年從中國取得五億美元收益,由球會與球員均分。今年七月,NBA與騰訊簽下數碼轉播合約,價值15億美元,為期五年,此外又與央視有免費電視轉播費,財源滾滾而來。中國的體育用品公司如李寧、安踏、匹克等憑中國14億人市場,銳意與Nike、adidas競爭,爭取簽入NBA球星,不惜大灑金錢,例如安踏已購入意大利體育用品公司FILA。這公司在1980年代因資助網球明星波格(Borg),聞名一時,近年已比較沉寂,給安踏收購後,在香港轉趨活躍,剛剛在皇后大道中租入大舖位(原是周生生的中環旗艦店)擴充營業,高價珠寶公司目前負擔不起的租金,竟由球衣球鞋公司代替,是亦香港一景。
中國杯葛NBA造成的國際形象損失,則非金錢可以衡量,不准有正式直播的話,必然掀起盜播之風,令美國更有藉口罵中國盜竊知識產權!中國收益如此吸引,中國憤青以為NBA一定如其他品牌及國泰航空般跪下求饒,怎知道美國人或許不知香港在亞洲甚麼地方,但NBA之言論風雲,卻滲入美國每一階層,由達官貴人至販夫走卒都因Stand with Hong Kong口號,知道中國的霸道。民主黨和共和黨議員意見一致,群起喝止NBA向中國低頭,NBA專員見美國政府群情洶湧,也不向中國道歉了,聲稱NBA尊重每一位成員的言論自由,而每人都要承受言論自由的後果,連當初向中國表示歉意的火箭隊超級球星夏登也轉了口風聲稱贊成專員Silver的意見,特朗普乘機抽水,大罵那些曾經批評他的名人如勇士隊教練Steve Kerr及球星居里以及勒邦占士,只敢罵美國,不敢講中國半句,令這些名人大感尷尬。中國如與NBA斷絕關係,NBA固然蒙受大損失,但中國更加受國際取笑。
Published Mon, Oct 14 201911:37 AM EDT Taylor Locke @ITSTAYLORLOCKE
Jeff BezosGetty Images Jeff Bezos has a nontraditional management style at Amazon, and he says Amazon’s unique twist on meeting structure is the “smartest thing we ever did.”
“Many, many years ago, we outlawed PowerPoint presentations at Amazon,” Bezos said at the Bush Center’s Forum on Leadership in 2018. “And it’s probably the smartest thing we ever did.”
To replace the PowerPoint presentations, Bezos created a new way to hold meetings: Meetings start with each attendee sitting and silently reading a “six-page, narratively-structured memo” for about the first 30 minutes of the meeting.
″[The memo is] supposed to create the context for what will then be a good discussion,” Bezos said.
Those participating are encouraged to take notes, and after the reading period is over, they discuss the memo.
Bezos says the reason for the group reading is that “executives will bluff their way through the meeting as if they’ve read the memo because we’re busy and so you’ve got to actually carve out the time for the memo to get read.”
Bezos is not the only CEO to believe in “silent meetings”: Twitter and Square CEO Jack Dorsey uses a similar method, which includes holding meetings that start with 10 minutes of silent reading from a Google Doc.
“Most of my meetings are now Google doc-based, starting with 10 minutes of reading and commenting directly in the doc,” Dorsey tweeted in 2018. “This practice makes time for everyone to get on same page, allows us to work from many locations, and gets to truth/critical thinking faster.”
As for Amazon, before the memo-based meetings were instituted, “we were doing the more traditional thing,” Bezos said. “A junior executive comes in, they put a huge amount of effort into developing a PowerPoint presentation, they put the third slide up, and the most senior executive in the room has already interrupted them, thrown them off their game, asking questions about what is going to be presented in slide six, if they would just stay quiet for a moment...”
He explained that PowerPoint slides often have “obscure information.” Bezos prefers memos, he says, because each have “verbs and sentences and topic sentences and complete paragraphs.”
In his 2017 letter to shareholders, Bezos said by “tradition at Amazon, authors’ names never appear on the memos. The memo is from the whole team.”
“The great memos are written and re-written, shared with colleagues who are asked to improve the work, set aside for a couple of days, and then edited again with a fresh mind,” he said in the 2017 letter. “They simply can’t be done in a day or two.”
″[It] is harder for the author, but it forces the author to clarify their own thinking,” he said at the Forum on Leadership. “It totally revolutionizes the way we do meetings at Amazon.”‘smartest thing we ever did’ at Amazon Published Mon, Oct 14 201911:37 AM EDT Taylor Locke @ITSTAYLORLOCKE
Jeff BezosGetty Images Jeff Bezos has a nontraditional management style at Amazon, and he says Amazon’s unique twist on meeting structure is the “smartest thing we ever did.”
“Many, many years ago, we outlawed PowerPoint presentations at Amazon,” Bezos said at the Bush Center’s Forum on Leadership in 2018. “And it’s probably the smartest thing we ever did.”
To replace the PowerPoint presentations, Bezos created a new way to hold meetings: Meetings start with each attendee sitting and silently reading a “six-page, narratively-structured memo” for about the first 30 minutes of the meeting.
″[The memo is] supposed to create the context for what will then be a good discussion,” Bezos said.
Those participating are encouraged to take notes, and after the reading period is over, they discuss the memo.
Bezos says the reason for the group reading is that “executives will bluff their way through the meeting as if they’ve read the memo because we’re busy and so you’ve got to actually carve out the time for the memo to get read.”
Bezos is not the only CEO to believe in “silent meetings”: Twitter and Square CEO Jack Dorsey uses a similar method, which includes holding meetings that start with 10 minutes of silent reading from a Google Doc.
“Most of my meetings are now Google doc-based, starting with 10 minutes of reading and commenting directly in the doc,” Dorsey tweeted in 2018. “This practice makes time for everyone to get on same page, allows us to work from many locations, and gets to truth/critical thinking faster.”
As for Amazon, before the memo-based meetings were instituted, “we were doing the more traditional thing,” Bezos said. “A junior executive comes in, they put a huge amount of effort into developing a PowerPoint presentation, they put the third slide up, and the most senior executive in the room has already interrupted them, thrown them off their game, asking questions about what is going to be presented in slide six, if they would just stay quiet for a moment...”
He explained that PowerPoint slides often have “obscure information.” Bezos prefers memos, he says, because each have “verbs and sentences and topic sentences and complete paragraphs.”
In his 2017 letter to shareholders, Bezos said by “tradition at Amazon, authors’ names never appear on the memos. The memo is from the whole team.”
“The great memos are written and re-written, shared with colleagues who are asked to improve the work, set aside for a couple of days, and then edited again with a fresh mind,” he said in the 2017 letter. “They simply can’t be done in a day or two.”
″[It] is harder for the author, but it forces the author to clarify their own thinking,” he said at the Forum on Leadership. “It totally revolutionizes the way we do meetings at Amazon.”
Published Mon, Oct 14 201911:37 AM EDT Taylor Locke @ITSTAYLORLOCKE
Jeff BezosGetty Images Jeff Bezos has a nontraditional management style at Amazon, and he says Amazon’s unique twist on meeting structure is the “smartest thing we ever did.”
“Many, many years ago, we outlawed PowerPoint presentations at Amazon,” Bezos said at the Bush Center’s Forum on Leadership in 2018. “And it’s probably the smartest thing we ever did.”
To replace the PowerPoint presentations, Bezos created a new way to hold meetings: Meetings start with each attendee sitting and silently reading a “six-page, narratively-structured memo” for about the first 30 minutes of the meeting.
″[The memo is] supposed to create the context for what will then be a good discussion,” Bezos said.
Those participating are encouraged to take notes, and after the reading period is over, they discuss the memo.
Bezos says the reason for the group reading is that “executives will bluff their way through the meeting as if they’ve read the memo because we’re busy and so you’ve got to actually carve out the time for the memo to get read.”
Bezos is not the only CEO to believe in “silent meetings”: Twitter and Square CEO Jack Dorsey uses a similar method, which includes holding meetings that start with 10 minutes of silent reading from a Google Doc.
“Most of my meetings are now Google doc-based, starting with 10 minutes of reading and commenting directly in the doc,” Dorsey tweeted in 2018. “This practice makes time for everyone to get on same page, allows us to work from many locations, and gets to truth/critical thinking faster.”
As for Amazon, before the memo-based meetings were instituted, “we were doing the more traditional thing,” Bezos said. “A junior executive comes in, they put a huge amount of effort into developing a PowerPoint presentation, they put the third slide up, and the most senior executive in the room has already interrupted them, thrown them off their game, asking questions about what is going to be presented in slide six, if they would just stay quiet for a moment...”
He explained that PowerPoint slides often have “obscure information.” Bezos prefers memos, he says, because each have “verbs and sentences and topic sentences and complete paragraphs.”
In his 2017 letter to shareholders, Bezos said by “tradition at Amazon, authors’ names never appear on the memos. The memo is from the whole team.”
“The great memos are written and re-written, shared with colleagues who are asked to improve the work, set aside for a couple of days, and then edited again with a fresh mind,” he said in the 2017 letter. “They simply can’t be done in a day or two.”
″[It] is harder for the author, but it forces the author to clarify their own thinking,” he said at the Forum on Leadership. “It totally revolutionizes the way we do meetings at Amazon.”‘smartest thing we ever did’ at Amazon Published Mon, Oct 14 201911:37 AM EDT Taylor Locke @ITSTAYLORLOCKE
Jeff BezosGetty Images Jeff Bezos has a nontraditional management style at Amazon, and he says Amazon’s unique twist on meeting structure is the “smartest thing we ever did.”
“Many, many years ago, we outlawed PowerPoint presentations at Amazon,” Bezos said at the Bush Center’s Forum on Leadership in 2018. “And it’s probably the smartest thing we ever did.”
To replace the PowerPoint presentations, Bezos created a new way to hold meetings: Meetings start with each attendee sitting and silently reading a “six-page, narratively-structured memo” for about the first 30 minutes of the meeting.
″[The memo is] supposed to create the context for what will then be a good discussion,” Bezos said.
Those participating are encouraged to take notes, and after the reading period is over, they discuss the memo.
Bezos says the reason for the group reading is that “executives will bluff their way through the meeting as if they’ve read the memo because we’re busy and so you’ve got to actually carve out the time for the memo to get read.”
Bezos is not the only CEO to believe in “silent meetings”: Twitter and Square CEO Jack Dorsey uses a similar method, which includes holding meetings that start with 10 minutes of silent reading from a Google Doc.
“Most of my meetings are now Google doc-based, starting with 10 minutes of reading and commenting directly in the doc,” Dorsey tweeted in 2018. “This practice makes time for everyone to get on same page, allows us to work from many locations, and gets to truth/critical thinking faster.”
As for Amazon, before the memo-based meetings were instituted, “we were doing the more traditional thing,” Bezos said. “A junior executive comes in, they put a huge amount of effort into developing a PowerPoint presentation, they put the third slide up, and the most senior executive in the room has already interrupted them, thrown them off their game, asking questions about what is going to be presented in slide six, if they would just stay quiet for a moment...”
He explained that PowerPoint slides often have “obscure information.” Bezos prefers memos, he says, because each have “verbs and sentences and topic sentences and complete paragraphs.”
In his 2017 letter to shareholders, Bezos said by “tradition at Amazon, authors’ names never appear on the memos. The memo is from the whole team.”
“The great memos are written and re-written, shared with colleagues who are asked to improve the work, set aside for a couple of days, and then edited again with a fresh mind,” he said in the 2017 letter. “They simply can’t be done in a day or two.”
″[It] is harder for the author, but it forces the author to clarify their own thinking,” he said at the Forum on Leadership. “It totally revolutionizes the way we do meetings at Amazon.”
貿戰無限輪迴又再上演!之前中美拗到火紅火綠,但面對美國經濟數據差,美國總統特朗普選情告急,配合內地經濟數據唔對路,期待已久的中期停火協議終於見影,連同加徵關稅時間又再次大腳踢後,全球股市即回勇,美股標指上周升0.6%,扭轉連跌三周頹勢,亦符合上月底曾寫過的《等待10月下旬見黎明》劇情發展。
貿戰緩和非升市主因
表面貿易戰緩和是升市功臣,但其實只是藥引,正如坊間所講,首階段協議只是中方大買美國農產品、豬肉及一早講掂數的滙率協議等等,根本是毫無新意,還有補貼問題、華為事件及12月另一輪對華加徵關稅問題等等,貿戰根本問題無解決。
至於今次升市主因,明顯是聯儲局縮錯表後修正,死口唔認重啟量寬(QE)所致。回帶睇番上周三白鴿局主席鮑威爾已放風,明示短期內再擴大資產負債表(強調不是QE),上周五更在市場聚焦中美貿易戰及英國脫歐問題期間,鬼鬼祟祟公布每個月買600億美元短債,更表明會最少持續到明年第二季,難道買短唔買長,但又擴大資產負債表就唔算量寬?
白鴿局最新買債計劃會在今日實施,假設如期在明年第二季結束,以每個月買600億美元計,即9個月共掟5400億美元,按上次白鴿局資產負債表縮細7600億美元計,是次放水規模是縮表的最少七成。
況且,還未計隔夜回購操作已買入及將持續到明年1月買入的資產,按現時聯儲局資產負債表3.95萬億美元計,單是泵水5400億美元,負債表規模將會回升至約4.49萬億美元,與歷史高位4.52萬億美元唔差好遠,更何況儲局搬龍門當食生菜,延續QE亦唔出奇。
標指整固後勢破頂
總括來講,維持上周睇法,標普500上破歷史高位3027點唔難,恒指有望彈至250天牛熊線,即27299點,但近日升勢過急,調整過後有望再往上衝衝衝。
至於金價,雖然中美貿易及英國脫歐問題降溫,拖累金價上周一度跌至1474美元,但白鴿局放水消息一出,金價即重回1490美元附近。
不過,短期金價受制下降軌【圖】,但下方支持在1473.83美元,即保歷加通道底部,而保歷加通道亦正在收窄,中國連續10個月增持黃金,同時全球黃金ETF淨持倉續升,黃金白銀仍值得睇好。
2013年5月4日《經濟學人》封面,是身穿清朝龍袍的習近平,題為《Let’s party like it’s 1793》。當年英國馬戛爾尼出使中國,想清廷開放貿易同畀英國人傳教,但乾隆認為天朝撫有四海,英國使團失敗而回。該年也是乾隆末年,清朝國力由盛轉衰,47年後英國帶著艦隊和槍炮重回中國,以鴉片戰爭打開中國貿易大門。《經濟學人》暗示中國國力已見頂,而中國趑趄於開放定唔開放之間,也與當時相似。
面對如此局面,加上警剔蘇聯倒台的教訓,現時中共決策層的行徑顯示,打算越箍越緊,任何事情都強行壓落去。香港發生逆權運動,原本有一萬種方法處理,但執政者行錯第一步,就打算用更大的錯誤去掩蓋。當15歲小朋友浮屍海面,香港人恐懼,香港人哀痛,香港人義憤。如果為咗搵錢安逸需要犧牲他人,這種狗養的錢途不要也罷。運動發展時年輕人有句口號,說生於亂世,有種責任。是甚麼責任?現在可很明確地說,就是為天地立心,為生民立命,為往聖繼絕學。
今年夏天參加了一位老友女兒的婚禮,地點位於倫敦動物園。沒錯,就是位於攝政花園旁的動物園。新娘子是我從小看着她長大的,所以特別高興。
這裏原來有很好的宴會設施,禮堂設在二樓,有大露台,可供賓客喝酒談天。主人家把禮堂布置得很有心思,既有鮮花,也有新人小時候的照片,溫馨親切。
下午2時,婚禮開始,證婚的註冊官談吐風趣,亦莊亦諧,全沒有例行公事的感覺。
禮成後,大夥兒去看動物。企鵝很好玩,有一隻離群獨據水中石塊,昂頭向天,動也不動,像鄙視周圍一眾俗物!長臂猿也很活躍,靈動敏捷,可能活動空間充足,心情舒暢,不會像香港動植物公園裏的猿猴,眼神總是對人充滿敵意。
很快就到了Wedding Breakfast時間了,大家回到禮堂,對名片入座,邊吃邊聽主人家及他們至親好友的講話。到吃完甜品,捧着肚皮(對,不是火腿煎蛋的早餐,而是有前菜主菜甜品的正餐。按傳統新人在婚禮前是要斷食的,所以這是他們頭一頓正餐,故名。現今習俗已改,名稱依舊),外面天色仍亮,還沒到跳舞的時刻。
突然,外面傳來一片「來看llama啊!」的聲音,走下去一看,原來是頭似駱駝身似馬的可愛動物,也就是傳說中的「草泥馬」!小孩子紛紛從工作人員手上接過切碎了的紅蘿蔔,伸手餵給牠吃,小人兒全都樂壞了。而大人也一時沉醉在幸福快樂的氛圍中。
有人輕問:香港怎樣了?我拿起了手機……
任何資產,有時表現較好,有時表現較差。要跑贏大市,部分人認為應該順勢而為,在升市中增持,在跌市中追沽。
另一方面,有人相信,當群眾看法趨向一面倒,反而應該善用逆向思維,在升市中沽空,在跌市中增持,以捕捉趨勢逆轉。
這兩種做法雖然截然不同,但背後都有一個美麗的夢想,或者說美麗的誤會,就是投資者可以輕易捕捉到最佳的投資時機。以基本因素作為依歸,作中長線投資,或許稍有勝算。例如自4月初筆者於seeking alpha分析美國利率走勢,半年以來美國國債ETF(TLT)已上升近兩成。問題是,不少投資者往往執着於一時得失,又對自己期許過高,追求捕捉每一個升跌,結果是被市場左一巴、右一巴,弄得遍體鱗傷。
前文提及積金局現行的預設投資策略,儘管不是為了捕捉投資時機,背後卻隱含對未來情況的判斷。雖非原意,但實際效果卻是逼打工仔與經濟狀況對賭。在年輕時持有風險較高的資產,其實就是「賭」經濟強勁增長,而在年長時持有風險較低的資產,則等於「賭」經濟不景。
這做法當然不合理,因為沒有人有水晶球能夠預測未來的狀況。事實證明,基於買賣時機(market timing)的投資策略,難以長期跑贏大市。
承認無知更具優勢
承認自己的無知,並放棄對未來作出預測的投資方法,表現反而較為穩定,回報與風險比例較高,尤其適合防守型投資者。當中的表表者,非橋水基金的全天候策略(All Weather Strategy)莫屬。
顧名思義,全天候策略旨在穿越經濟周期,在任何經濟環境下都能為投資者帶來穩定的回報。這聽起來當然吸引,問題是如何做到?
經濟狀況主要由經濟增長和物價變化兩大因素驅動,並可以分為4種,即經濟增長較預期高、經濟增長較預期低、通脹較預期高,以及通脹較預期低。各類型資產在不同經濟環境中,會有不同的表現。當經濟向好時,股票及商品的表現較佳,而經濟不景時,債券的表現則較好。換言之,只要在四種經濟環境下,相應選取表現較佳的資產,並給予各種經濟環境相同的權重,便能確保投資組合在任何情況下都有穩定的回報。
具體操作,可以參考橋水基金創辦人Ray Dalio的建議:把30%資金投資美股ETF(VTI),15%購買年期為7至10年的美國國債ETF(IEF),40%分配到年期為20年或以上的美國國債ETF(TLT),餘下15%分別購買商品ETF(DBC)及黃金ETF(GLD)。
理論說完,我們就來看看這組合的表現如何。自2007年1月以來,有關組合的每年平均回報及波幅分別為7.5%及7.4%。其回報與波幅比例與股債平衡組合相若,較標普500指數高接近一倍。值得注意的是,在金融海嘯期間,兩個組合的回報都十分平穩,最大下跌幅度亦遠低於標普500指數。假如把全天候策略及股債平衡組合的的風險調整至標普500指數的水平,更會發現兩者的每年平均回報皆較標普500指數高約7個百分點。換句話說,同樣的投資金額,經過十二年後,結果竟差一倍有多。
筆者持有上述股票,並可能隨時買入或賣出。
作者任職聯合國亞洲及太平洋經濟社會委員會
個人意見並不代表機構立場
金價由去年開始連續4季錄得升幅,在今年第四季終於面對考驗。受資金流向股市拖累,上周五(11日)金價顯著回落,收報1489美元。
截至10月11日,全球黃金ETF的實物黃金持有量連升20個交易日,為2009年9月23日後的最長增持時間。而最新實物持金量約8192萬盎斯,是2013年2月14日後最多,距離2012年12月20日創下的歷史高位(約8272萬盎斯),僅相差0.98%。
ETF實物持金量與金價關係密切,過去3年間兩者關連系數(correlation ratio)達0.843,即接近同步【圖】。值得留意的是,2017年以來,每逢ETF持金量走勢持續急升之後,金價卻普遍會出現較明顯的調整。
這情況其實不難解釋,黃金ETF投資者多數是散戶,他們看到金價上揚,於是不甘後人跟進入市,卻沒有考慮到其實金價當其時已有若干升幅,存在調整壓力,成了大戶沽貨的對象。
投資需求成動力
正因為散戶這種後知後覺的特性,令ETF實物持金量表現普遍滯後金價。當然,今次「悲觀重演」並不代表金價向淡,因為投資需求增加始終會成為推升金價的動力,而金市的整體升勢也未扭轉,在消化了沽盤後,中長線而言,散戶只要沒有因金價回調被「震走」,仍可受惠於金價的反覆上揚。
信報投資研究部
Inside Senior Planet, the tech-savviest retirement community on earth. by Lauren Smiley Aug 12, 2019 Hands on an ipad ADRIENNE GRUNWALD
“All these microaggressions people talk about?” Tom Kamber says. “Just imagine what it’s like when you’re 75.”
This story is part of our September/October 2019 issue
See the rest of the issue Subscribe People knock you out of the way on the street, he says. They attend to the younger guy standing next to you first. Then the job interviews—he’s getting revved up now—when the recruiters ask your age. “Completely illegal question! It’s like asking, ‘Are you really black?’ ‘You seem gay—are you gay?’” Or if the recruiter is sly, trying to hide just how illegal this is, they’ll ask for your graduation year—“It’s such bullshit.”
Kamber is someone you don’t interview as much as witness. He talks at 1.5 times podcast speed. Blink and you’ve missed three sentences. See his bald head and the Art Deco tattoo snaking down his biceps, or watch him salsa at the intergenerational dance party he put on at a New York club, and he seems the world’s least likely director of a senior center. But listen in. Tom Kamber is getting into ageism—“the last ism,” as he calls it—and Tom Kamber has a lot to say about that.
“When you live in an ageist society, your dreams, which might seem totally normal to you, are a threat to other people,” he warns. He’s speaking not only in rapid-fire sentences, but in paragraphs now. “People are trying to hold you back—because they’re afraid of their own aging. Or because you’re competing with them economically. Because they don’t want to have to introduce somebody else’s ideas into their young-person culture,” Kamber continues, his holy roller sermon coming to its emotional peak. “People are a pain in the ass!”
Sign up for The Download — your daily dose of what's up in emerging technology
Also stay updated on MIT Technology Review initiatives and events?YesNo
Founder Tom Kamber Senior Planet founder Tom Kamber ADRIENNE GRUNWALD That’s why Kamber created Senior Planet, a tech-themed community center that preps seniors to hack their way through a world conspiring to keep them sidelined. The glass door reads “Aging with Attitude.” With its sleek grays and wood tables, it rivals the WeWork next door in the Chelsea district of Manhattan.
Kamber is pretty exciting, but the place itself is a beehive. By the time he and I sat down to talk, I’d already bought some fingerless gloves from one of its graduates, Madelyn Rich, a fiber artist and entrepreneur who’d paid for her recent Caribbean cruise with her holiday glove sales, mostly online. In a computer lab, a class was learning to use Google Calendar and Google Hangouts. Rachel Roth, a white-haired sophisticate in aviator glasses, wheeled in a cart of her sea-salt-dusted chocolate almonds called Opera Nuts—she hawks them online and through West Elm, Pottery Barn, and Williams Sonoma—and doled out some samples to the staffers in her signature Chinese-takeout-box packaging.
The post-60 set is here for many reasons. By and large, they do not want your wearable panic buttons and fall detectors, thankyouverymuch. They’re here for the free classes and camaraderie, to learn to find the photos their daughter is putting on Facebook, to grok the smart lock system their apartment building is installing whether they like it or not (and mostly not). They want to plug back into a world in which “technology has run them over,” as Kamber puts it.
Roughly one in five arrive wanting to use technology to work and make money—whether because they’ve gotten bored with retirement or to turn a passion into a side hustle. They want Etsy and Instagram, Google Suite and Microsoft Word. They want to process payments on PayPal, and build a Wix website, and email video clips for acting auditions. They want to open stores aimed at older people like themselves, and launch magazines for curvy women, and drive around Harlem in their own dog-grooming van. They may want to reach their goals even more than younger folks do, because when you get to a certain age, “your horizon is shorter—your dreams become more critical and urgent,” Kamber says.
Hands typing on a keyboard ADRIENNE GRUNWALD But then there are those blocks. Those people being pains in the ass. “When you’re a senior, and you’ve got an idea, and you want to make it happen,” Kamber says, “somebody’s got to help out a little bit.” So for the past 15 years—in a curriculum now getting recognized by the biggest names in aging, spreading across the US and abroad—Kamber’s nonprofit has created a platform of sorts to empower those seniors to “uncork their lives.”
If anyone is uncorked, it’s Calvin Ramsey. After years of toiling in insurance sales, Ramsey was in his early 50s when he decided to give his playwriting dreams one last chance. He wrote a play and then a children’s book about the Green Book, the midcentury guide to businesses across the country that would welcome black motorists in an era of segregation. He managed to get the play produced and the book published barely knowing how to send an email. (It involved a lot of cold-calling and post-office runs.) As his writing career picked up in his 60s, Ramsey made the big move from Atlanta to the middle of the New York theater scene.
Calvin Ramsey Playwright Calvin Ramsey, a regular at Senior Planet. ADRIENNE GRUNWALD Soon after, he walked into Senior Planet—dressed, as he often is, in a natty suit—to take some beginner courses, figuring it was time to stop avoiding the terms of the modern world. First: getting over his fear of “breaking the machine.” Next: email, to send his scripts to directors and actors as his works were staged across the country. “It makes things so much easier!” he says. Then he graduated into the higher-order tasks: Senior Planet’s staffers helped him build a website featuring his work, and he started Skyping about his children’s book with remote classrooms of elementary schoolers.
One day, as Ramsey sat in nearby Bryant Park, Brandon Stanton, the creator of the hugely popular photo blog Humans of New York, approached him for an interview about how his life had taken off in his 60s, and shot his portrait. Stanton advised him to quickly launch a Facebook page to capitalize on the 18 million fans the blog would shortly be pointing his way. Ramsey jetted straight to Senior Planet, the staffers helped him set up an author page, and days later, Calvin Ramsey—the man who until recently couldn’t send an email—had 37,000 followers waiting for his next bit of news.
More older people than ever are working: 63% of Americans age 55 to 64 and 20% of those over 65. Yet it’s unclear whether they are doing so because they want to or because they have to. The age for receiving full Social Security benefits is rising to 67 by 2027. Americans are entering retirement with more debt and less in savings, and the Great American Pension has become a relic of another era. On the brighter side, people are living longer, and a growing body of research makes the point that work—at least some of it, on your own terms—makes those extra years more enjoyable. For example, researchers at UCLA and Princeton found that seniors who rarely or never “felt useful” were nearly three times as likely to develop a mild disability or even die during the study.
I dropped in on a Senior Planet course called, bluntly, “Work.” The class was learning to use Google Hangouts, and as the lesson wrapped up, a woman with a sharp bob, named Jean McCurry, stopped to talk. She still serves on a couple of boards after a career in higher education, she told me, but pines for the collegiality and structure her old job gave her: “The accountability and responsibility—you really miss it when you retire.” McCurry mentioned a friend older than herself who got a job teaching online courses for a state university, noting, “That’s how she remained relevant in her 90s.”
She was optimistic about getting back in the game, but I couldn’t help feeling a little worried about the daunting discrimination she would face. The ageism of the era is perhaps best exemplified by Mark Zuckerberg’s infamous assertion back in 2007 that “young people are just smarter,” but it’s not just anecdotal: in a 2017 study by the Federal Reserve Bank of San Francisco, researchers invented résumés for fictitious applicants of various ages, and sent them in response to real-life ads for janitors, salespeople, and security guards. They found that in nearly every job category, the older applicants got fewer callbacks than the middle-aged applicants, who got fewer than the young ones. The drop-off was particularly marked for older women; the researchers speculated—depressingly, but not surprisingly—that women’s physical appearance is more important in service-related careers, and women’s physical aging was judged more harshly than men’s.
Madelyn Rich knitting Fabric artist Madelyn Rich ADRIENNE GRUNWALD With such obstacles to getting a job, and a desire to control their own schedules after years on someone else’s clock, it’s not surprising that some folks take the entrepreneur route.
I found Michael Taylor in the Wix class. Taylor looks like Samuel L. Jackson, with a white-flecked mini-fro. He’s a 71-year-old who could pass for 45; he even once got accused of fraudulently using a senior card. When he closed his antiques store in 2009 because of skyrocketing rent and dwindling sales, he didn’t want to stop working. His grandfather retired at 84, and “a year later, I saw somebody that wasn’t there before—I saw an old man,” he recalls. “And I’m like, ‘If that’s what retirement does for you, I don’t want it.’ So I plan on working until God calls me home or just until I can’t work any longer.” Still, he faced that familiar problem: “I found getting a job is not that easy if you’re not the 20, 30, or mid-40s candidates.”
So in his 60s, Taylor says, “I asked myself, what do I want to do when I grow up?” In 2010, he enrolled in the New York School of Interior Design, earning a bachelor’s and a master’s and sometimes marveling at his own gumption: “One day I was sitting there studying for a final exam, and I said to myself, ‘You’re studying when you should be worried about dementia setting in!’”
Michael Taylor Michael Taylor used OATS classes to get his new business up and running ADRIENNE GRUNWALD He heard about Senior Planet through someone in his yoga class on the Lower East Side. Part of the coursework was learning the new digital tools of his trade: he pulls out a Surface tablet to show me room renderings he created in design software. He also learned to build his business website. He navigates around the work-in-progress, showing me the page showcasing before-and-after photos of his first job—the apartment of a friend who wanted an upgrade for maximum Airbnb monetization. “I like what I’m seeing here,” he says, considering the photo layout, making a note to Photoshop out the creases in the sofa.
Taylor has had to make certain adjustments in order to land lucrative clients, including refining his self-presentation. He doesn’t lead with his age, and he doesn’t mention anything before 1970. A friend advised him not to grunt when he stands up, and at one meeting, Taylor “accidentally” dropped his keys to show how nimbly he plucked them up. “You don’t want them to think ‘Is he going to make it?’” he says. He laughs at himself, and then puts in his earbuds and takes a call from a client.
“I said to myself, ‘You’re studying when you should be worried about dementia setting in!’”
On a Monday morning, a class called “Startup!” was diving into a lesson on online marketplaces. A goateed instructor named Roberto was explaining to his dozen students how to increase “arbitrary value” on a platform like Etsy—things like a compelling story that subtly convinces the buyer the product is worth paying more for. Ageism once again popped into the discussion. A woman with a crown of curly hair, who travels to class from Brooklyn, was trying to ramp up her business in hand-sewn lace pillows and curtains. She wondered whether her company’s public face should be younger: “I’m thinking about vanity. If my product was high-end, I’d consider whether I’d be doing it, or having a friend of mine or a niece do it.”
Roberto asked them to practice pitching their startup to the group. Several ideas were aimed at their own needs—a grocery store focused on saving folks from a long walk, a dog-grooming van that could roll up to your front door, a handyman aimed at Bronx seniors on a fixed income. But it wasn’t just by seniors, for seniors. One woman who had promoted jazz shows in Harlem for years wanted to learn how to price her services; another wanted to open a bar. At the end of each pitch, the students clapped enthusiastically.
Entrepreneurial advice was not what Kamber had originally thought seniors wanted. In the early aughts, he was the New York director for a social-justice-oriented nonprofit when he started tutoring a woman in her late 70s to get online. The idea grew into an organization called Older Adults Technology Services (OATS) in 2004. Kamber, who taught the first class at a public-housing computer lab himself, secured funding from the city to develop the curriculum, and used focus groups to ask seniors what they wanted.
Madelyn Rich Madelyn Rich is a fabric artist of Senior Planet ADRIENNE GRUNWALD Their responses revealed that the root problem wasn’t about how to use technology. They didn’t want to simply learn how to email or join Facebook; they wanted a way to beef up their social network after their partner or friends had died. They didn’t just want to surf the web; they wanted to contact their member of Congress or apply for benefits. In short, their desires weren’t about tech, but about what tech would let them do. “We realized it was actually about aging,” Kamber says. “It’s about aging, stupid!”
Kamber raised grant money, hired professional instructors, and spread the programming—all free—to 40 computer labs across New York’s five boroughs. OATS launched the first Senior Planet space in 2013, a Manhattan hub of community and energy.
Some of the earliest students, like Rich, the knitting entrepreneur, found the center’s dynamism a welcome departure from the typical senior center. Still, she told staff what she really needed help with was selling her wares online. When volunteers from Google visited the center one day, one of them asked Rich—she slows her voice as if talking to someone who might have trouble keeping up—“Do. You. Want. To. Open. A. Gmail account?” Rich told him she was already on Gmail; she wanted to see the Google Analytics of her website. “His eyes just lit up!” she recalls.
Senior Planet staffers helped Rich get on Etsy, and she met Rachel Roth, who first strode into the center as she was in the throes of launching Opera Nuts. The two women suggested that Senior Planet let them hold a market in its prime office location to sell their wares, and together they launched the Senior Planet Holiday Bazaar. Rich and Roth now call each other to troubleshoot their website woes as their respective businesses take off.
Madelyn Rich pointing at a computer monitor displaying an instagram page ADRIENNE GRUNWALD Kamber’s brainchild is expanding. OATS has opened centers in rural upstate New York, Maryland, Texas, and Colorado. There’s also a center in Israel, with talk of others in Spain and Japan.
In June, I visited the new center that had opened in a renovated space in downtown Palo Alto, California, called Avenidas. Oculus VR headsets sat ready for classes that would begin in July, and slideshows of members in other cities (like Rachel Roth) flashed on TV sets freshly mounted on the walls. Kamber, who’d flown in from speaking at a conference in Russia, addressed a room packed with startup founders who’d launched apps serving older users, as well as 150 Silicon Valley seniors. Kamber told them a story of one of Senior Planet’s New York participants, an actor whose faltering hearing made it difficult to find out about auditions over the phone. Learning to email for the details instead, he extended his career by years.
Back in New York, the seniors continue dropping by even when they’re not enrolled in a class: sometimes to take advantage of tech help, or to organize a lobbying trip to Albany, the state capital, for more funding, or to see, say, Calvin Ramsey present his latest show.
One morning in June, Ramsey strode in wearing a linen suit and his black sunglasses and took a seat at the bank of computers. The following night, he’d be talking to people half his age at the National Writers Union about how to market their work. “This whole writing thing has been an out-of-body experience,” he said, wide-eyed.
He turned to the task of the day: sending out a teaser for his new play about the first black graduate of Yale. Ramsey opened a Word document and chicken-pecked out letters with two fingers. Diligently, he attached the announcement to an email and added dozens of recipients. Then he thought of more people, and added them; then he thought of even more, and added them, too. He finally pushed “Send,” saying “Psheeew!” like a spaceship taking off. Within minutes, replies started coming back, filled with congrats.
Lauren Smiley is a journalist in San Francisco covering humans in the tech age.
Share Author Lauren Smiley
Popular 01. Jarhead author: Drones and robots won’t make war easier—they’ll make it worse 02. Powerful computer vision algorithms are now small enough to run on your phone 03. I tried to hack my insomnia with technology. Here’s what worked. × You've read 2/3 of y
KEY POINTS Money market funds have pulled in $322 billion over the past six months, the fastest pace since the financial crisis. The good news: Shortly after that gloomy period of 2008, investors had the buying opportunity of a lifetime. Investors are flocking to the relative safety of money market funds at the highest level since the financial crisis-era collapse of Lehman Brothers in 2008.
The industry has pulled in $322 billion over the past six months, the fastest pace since the second half of 2008, bringing assets to nearly $3.5 trillion, according to data from FactSet and Bank of America Merrill Lynch.
On the bright side: That was a period which preceded the buying opportunity of a lifetime for stock market participants. In March 2009, Wall Street kicked off a bull market, still intact, that would break records for longevity.
“You could be contrarian and say [the money market flow is] positive, because if the market actually steadies itself and there’s a detente [in the trade war], that money’s going to go back into the equity market,” said Quincy Krosby, chief market strategist at Prudential Financial. “From a contrarian standpoint, it would be helpful.”
Total money market assets assets are now at their highest level since September 2009.
The funds have seen inflows every month this year except for April, with assets growing nine of the past 10 weeks as the stock market has wrestled with myriad issues, primarily involving the trade dispute with China and lingering worries that the U.S. is heading toward a possible recession.
Facing a constant drumbeat of headline risk, investors have headed to the mattresses as a way protect cash until the storms clear.
“There’s been enough headlines, whether you’re talking politics, trade concerns or whether or not we’re heading into recession for the money to go into those markets,” Krosby said.
Stocks, in fact, have been on a roller coaster for the past year, tumbling at signs of a break in the U.S.-China talks then rallying on any ray of hope. The Dow Jones Industrial Average surged more than 400 points Friday on some positive sentiments out of the White House that this week’s trade talks could yield fruit.
Then and now
If the good news can continue, and the economy holds off a recession, that means there will be plenty of dry powder on the sidelines to fuel another acceleration on Wall Street, due to the big move to money markets.
The two eras, though, bear only passing resemblance.
While there has been noticeable churning in the market since the tariff exchange began, 2008 and early 2009 saw history-making periods of volatility, with the Cboe Volatility Index hitting a high that has yet to be broken. The U.S. and global economy was in shambles, and investors were sent to money markets as a way to protect capital when nothing seemed safe.
Investors who stayed in the market are coming off a period of huge profits and a market that could stall if the fragile levers of growth fail to move the right way.
“You’re looking at geopolitical events that are totally binary,” said Mitch Goldberg, head of ClientFirst Strategy. “I think most people in this bull market may feel like they’ve made enough money and if they miss a little upside, they’re with that, and that’s what this reflects.”
Money market funds have benefited even as yields have fallen amid Federal Reserve rate cuts and growth fears. The funds are now yielding about 2%, down from 2.47% at the beginning of 2019, according to Moody’s.
Goldberg said the influx to the funds may not necessarily reflect investors waiting to put money to work but rather a tired market where money may sit for a while as the uncertainty plays out.
“This isn’t mom-and-pop reconfiguring their investment portfolios today,” he said of Friday’s rally. “This is electronics. This tells you why you shouldn’t get overly bearish, you shouldn’t get overly bullish. You have to moderate yourself and take into consideration your own economics, your risk tolerance, time horizon and financial goals. This, too, shall pass.”
Permissioned networks built by MultiChain partners in live production
This is a write-up of a talk given at the Consensus 2019 conference. A video of the talk is also available.
In the four years since the first alpha version of MultiChain, hundreds (if not thousands) of proof-of-concept and pilot projects have been built by our partners on the platform. While many of the early ones were pointless blockchains, over time we have seen a consistent rise in the proportion of projects using the technology appropriately. Now we rarely hear about a blockchain-based application which lacks a good answer to the question: “Why not just use a regular database?” What a relief!
Proof-of-concepts and pilots are all well and good, but to my mind, the most important signal comes from solid enterprise blockchain projects that make it to live production. To be clear, this means networks containing multiple blockchain nodes belonging to multiple parties, where more than one of these parties is involved in generating real transactions and participating in the blockchain’s consensus algorithm. Without these characteristics, the blockchain is providing little or no value compared to a centralized database.
This article is a survey of ten of the most interesting permissioned blockchain applications built on MultiChain that are in production today. Each application will be described briefly, along with an explanation of why it made sense to use a blockchain and some numbers to give a sense of scale. Note that confidentiality agreements prevent us from revealing some of these projects’ details, but we’re telling you as much as we can. After reviewing the ten projects, I’ll finish with a list of five important lessons that I believe we can learn.
Ready? Then let’s begin…
Blockchain #1: SAP for Pharmaceuticals
Some medicines bought by large customers such as hospitals don’t end up being used, and are returned to wholesalers unopened for resale elsewhere. However this process brings a significant risk of counterfeiting, where the so-called “returns” have been faked somewhere along the way. To help combat this problem, every box of drugs can be shipped with a barcode label that identifies its contents and origin, with the barcode being recorded in a database for future verification. But who should be responsible for managing this critical database of drug shipment barcodes? In Europe, a centralized EU-level body was set up for this purpose, but there is no corresponding governmental entity in the USA.
To solve this dilemma, SAP built a blockchain-based solution on top of MultiChain, where multiple drug manufacturers and wholesalers have their own node, granting them direct access for reading and writing the chain. Each barcode is recorded as an item in a MultiChain data stream, allowing it to be looked up directly by scanning a printed label. The system is already running live and has been successfully tested to scale to 1.5 billion recorded barcodes and 30 million verifications per year.
Blockchain #2: TruBudget
When donor countries finance public projects in developing countries, it’s vital to keep track of important events in each project’s lifecycle, including tenders, contracts and disbursements. Both the donors and recipients want to maintain these records in a database for easy searching, but who should be in charge of that database? Neither side in the relationship is politically comfortable with ceding full control to the other, so this has often led to both parties maintaining their own records, and trying to keep them in sync. The picture is complicated further when there are multiple donor countries partnering together.
TruBudget is an open source application which uses a MultiChain blockchain to solve this dilemma. Each of the important stakeholders maintains its own node, writing important events to streams while sharing an identical picture of the project’s progress through their own front end. The system was commissioned by Germany’s Federal Ministry for Economic Cooperation and Development and developed by Accenture and KfW, Germany’s third largest bank. Two blockchains are now running in production for projects in Brazil and Burkina Faso respectively, with each expected to record up to 300 projects and 5,000 events per project.
Blockchain #3: Connected Health
In order to improve patient care and reduce bureaucracy, an Indian state government is implementing an electronic medical record system to enable information sharing between hospitals and other healthcare facilities in the state. When designing the system, two particular concerns arose. First, how can the records be secured against loss or tampering? Second, how do we ensure that the information is available locally in each city, in the event of a temporary loss of Internet connectivity?
These requirements were solved together by building the system on a blockchain rather than a centralized database. MultiChain streams are being used to store the medical records – currently with text only but with richer data such as images to be integrated later on. Participating cities will have their own nodes running locally, which take part in the consensus process. The system was built by RapidQube and is already in early production, with around 2 million records stored for over 50,000 people.
Blockchain #4: Collateralizing livestock
In many developing countries, farmers find it difficult to access affordable loans, even if they own valuable assets such as cattle that could serve as collateral. In order for a farmer’s cow to be used in this way, it must be identified and tagged, immunized against diseases and insured against potential mishaps. In addition, each cow can only be collateralized once. All this requires extensive data coordination between a country’s animal healthcare system, insurance companies and financial institutions, each of which has different incentives and governance structures.
FarmTrek is a blockchain-based solution developed by InfoCorp which enables this coordination to take place without being controlled by a central party. Each major stakeholder runs one or mode MultiChain nodes which work together to store and secure the data written to streams. Each cow is physically tagged with a tamper-proof NFC (near field communications) device, which connects to an Android mobile application used by the farmer to sign transactions and publish them to the blockchain. The project is now in live production in Myanmar and expected to scale to 100,000 farmers within two years, with an additional pilot in the works in Rwanda.
Blockchain #5: Tagcash KYC
As in many countries, when somebody opens a new bank account in the Philippines, the bank must perform rigorous KYC (know your customer) checks to verify the customer’s identity and residence. This costs time and money, meaning that banks and other financial service providers would benefit by sharing KYC information through a single database. Once built, this database can also form the basis of a credit scoring system, by adding information about customer loans and repayments (or failures thereof). Unfortunately, the Philippines has no centralized KYC and credit scoring mechanism, so this integration has been difficult to achieve.
In order to address this problem, Tagcash has created a blockchain-based KYC and credit scoring solution, using a network of nodes belonging to banks and smaller fintech companies. Some nodes have write privileges while others are permitted to read only. The information is stored within MultiChain streams, using a hash of each person’s name and birth date as a unique key for identifying their data. With the initial roll-out, around 100 records are being written per day, and this is expected to grow to 10,000/day over time.
Blockchain #6: Bureau Veritas Origin
With increasing awareness of food supply chain scandals, interest has grown in giving consumers greater transparency into how their food is sourced, processed, transported and stored. The goal is to create a comprehensive record of the steps involved in preparing an item for sale, and to enable consumers to access this information directly. To increase transparency and prevent tampering or corruption, it is preferable not to centralize control of this database at any individual company or location.
Bureau Veritas, a global company focused on testing and certification, has partnered with Atos Worldline to develop Origin, a blockchain-based food traceability solution. Nodes are run by multiple companies within the food supply chain, with data written to streams in a proprietary binary format. The finished products are labelled with QR codes, which consumers can scan in order to browse a web-based summary. With the initial roll-out, up to 100 records are being written per day.
(To avoid a common fallacy, it should be emphasized that the sources of data still need to be trusted when using a blockchain. The chain only improves the security of that data once it is stored.)
Blockchain #7: ILSBlockchain
An insurance linked security (ILS) is a bond which enables an insurance policy to be covered collectively by a group of investors. For example, the owners of a ship could pay a premium to the holders of an ILS, but if catastrophe strikes and the ship sinks, those holders lose some or all of their original investment. As with any financial asset, digitizing ILS ownership allows sales and transfers to take place efficiently. This is traditionally achieved using a custodian such as Euroclear, but the cost can be prohibitive for smaller insurance policies in the $10-20 million value range.
This problem was solved by Solidum Partners who issue and track ILS bonds on a MultiChain blockchain, removing the need for a highly regulated centralized custodian. Each bond is issued as a MultiChain asset, with participants transferring and exchanging these assets on a peer-to-peer basis. Nodes are run by the bond trustee, investors and reinsurers, with the consensus generated by a small group of senior participants. So far, four bonds have been issued on the blockchain, for over $50 million in total value.
Blockchain #8: Air Quality Chain
When it comes to collecting environmental data, three particular challenges need to be addressed. First, each type of data is generated in a different location, due to the need for specialized equipment. Second, the data must be stored safely and reliably for the very long term, to enable trends and changes to be analyzed. And third, different types of data may need to be cross-referenced in real time, to create a full picture of anomalies at the moment they occur.
These requirements can be addressed together by using blockchain. The Air Quality Chain project, implemented by Baumann, aggregates data on levels of ozone, radiation and air quality in Austria, using a network of nodes which collect data from multiple sources. Raw data is written directly to MultiChain streams, and so automatically replicated to all of the nodes in the network, which collectively ensure that it cannot be lost or modified. The system is running in production and collecting 2.7 million records annually, containing around 4 GB of raw data.
Blockchain #9: Deepshore Archive
Metro Group, the world’s fourth largest retailer, is required to archive all point-of-sale data for internal and external auditing purposes. Whereas Metro used to rely on a single vendor for this purpose, they recently migrated to a more flexible model, where the data can be redundantly stored on a number of different cloud providers. This gives them much greater freedom and the ongoing ability to negotiate over pricing.
However, this fragmentation presents a challenge in ensuring that all of the data is stored correctly and cannot be changed. To solve this problem, Metro have deployed a blockchain-based system, built by Deepshore, where a hash and some other metadata for each data set is stored in MultiChain streams for verification purposes. Multiple nodes are running in different subsidiaries and locations within the Metro Group, so even though this is an “internal blockchain”, control is effectively decentralized within a vast organization. The system is already running live and notarizing approximately 9 million datasets per day.
Blockchain #10: Fantastec SWAP
Growing up in the 1980s in the UK, collecting football stickers was hugely popular. We spent our pocket money on packets of random stickers, containing the faces of players, team photos and badges, and swapped obsessively with each other in at attempt to complete each year’s album. Fantastec has now developed a digital equivalent, where users download the SWAP app and purchase limited edition “cards”, complete with player videos and interactive statistics. Naturally, this application needs some database to keep track of card ownership, but it wasn’t clear where this database should be hosted. On the one hand, each participating football club should maintain its own database, to guarantee the authenticity and rarity of its issued cards. On the other hand, much of the product’s value derives from the ability to swap cards that were issued by different clubs.
This dilemma was solved by building the system on a blockchain, where each club has its own node that issues its digital collectibles as MultiChain assets, all of which are tracked together on a chain that is managed by consensus. The system, which makes extensive use of MultiChain’s built-in atomic exchange functionality, was built by Fantastec with assistance from partners such as PricewaterhouseCoopers. SWAP was recently launched with three big-name partners: Real Madrid, Arsenal and Borussia Dortmund. After less than 3 months it has grown to 15,000 users with over 250,000 collectibles issued.
Lessons learned
Now that we’ve reviewed ten of the most interesting MultiChain-based networks in production, what can we learn from this group as a whole? What differentiates these projects from the hundreds and thousands of proofs-of-concept and pilots that never made it to the next stage?
Lesson #1: Focus on new applications
While there has been much talk about blockchains as an upgrade for existing systems, for now at least, we’re primarily seeing them deployed in new applications. I can think of two related reasons why this might be.
First, blockchains are still a new technology, and are perceived as more risky than centralized databases. This uncertainty can be tolerated when building new applications, which inevitably comes with some risk of failure. However, it makes blockchains less attractive for replacing something that is already known to work.
Second, any running centralized application must already have a trusted intermediary, who has presumably proven their reliability over time. While moving to a decentralized architecture might save money in bypassing this intermediary, this has to be weighed against the cost and risk of rebuilding the system from the ground up.
Lesson #2: Find a strong motive
Every application implemented on a blockchain must answer a crucial question: Why use a blockchain instead of a centralized database or file server? Blockchains will always be slower, less scalable and more complex than centralized systems, as a result of their fundamental design.
So if you have a suitable trusted intermediary who can host an application centrally, you should use it! The only reason to use a blockchain is if there is a strong motive to avoid this kind of centralization. In practice we see four main types of motive appear:
Commercial concerns. The participants in a network do not want to grant too much power to a competitor or some other central body, who could charge a lot for the service. Regulatory requirements. Some regulation prevents the deployment of a centralized system, or would render it too expensive in terms of compliance. Political risks. There is no place where the database could be hosted that would be politically acceptable to all of its users. Secure replication. Multiple copies of the data need to be stored for redundancy, so using a blockchain provides the additional benefit of proven synchronization and tamper resistance. Lesson #3: Think about data in general
Early discussions about enterprise blockchains were triggered by the rise of cryptocurrencies, in which the blockchain allows users to directly hold and transfer a virtual asset while preventing double spends. While some of the production networks we described (#7, #10) are using MultiChain in this way, the majority are doing something fundamentally different – building a decentralized architecture for storing and securing data.
Any database or file system, whether it is holding structured or unstructured data, could be implemented on a blockchain. Each piece of data can be stored in full on the chain, or notarized as a short on-chain hash (fingerprint) which serves to verify the data which is delivered off-chain. Unlike in asset use cases, there is no notion of ownership changing over time. The blockchain’s sole purpose is to enable some information to be stored and secured by a group, without relying on a central party.
In data-driven applications, “smart contracts” are the wrong transactional model, since they require every piece of data to be represented as a message sent to a contract, rather than being validated and then directly embedded (or hashed) in the chain. The central issue is the scale and speed with which information can be stored, indexed and retrieved.
Lesson #4: Look beyond “transformation”
For too long, the enterprise blockchain narrative has focused on buzzwords like “revolution” and “transformation”. But in reality, if we look at those blockchain projects that actually make it to production, only a few are doing things that would be impossible to achieve using more traditional technologies such as centralized databases, replication and point-to-point messaging. So what exactly is being transformed?
In most cases, a blockchain is being used simply because it’s the most appropriate and convenient tool for the job. It enables a new application to be easily built on top of a unified data store, while avoiding some concern about that store being centrally controlled. The blockchain provides additional robustness and tamper resistance, whose value outweighs the complexity and cost of running multiple nodes. While this all might seem rather unromantic, since when has enterprise IT been anything else?
But there is an additional, more subtle, part of the story. In rare cases we see projects being built on a blockchain, where there is no immediate justification for that choice. It turns out that the application’s users are happy for it to start out centralized, but want to keep their options open for the future. Using a blockchain (even with one node!) rather than a database allows the intermediary to be swapped or removed just by adding or removing nodes and changing some permissions. All this can happen with zero downtime and without touching the application’s code.
Lesson #5: Be very patient
With all of the noise surrounding blockchains, it’s easy to forget just how new this industry is. MultiChain, along with most other enterprise blockchain platforms, only reached a version 1.0 release in mid-to-late 2017 (it’s now at version 2.0.2). Since it’s quite common for enterprise IT projects, whether based on blockchains or not, to take two years from initiation to go live, it’s no surprise that the number of real blockchain networks in production is still rather small.
Indeed, two particular phenomena demonstrate just how early things are. First, we often find our partners performing the most basic tests on MultiChain just to convince themselves that it actually works! Second, we see some participants in production blockchain networks lacking the confidence to take responsibility for their own node, instead relying on some third party to host it on their behalf.
So as with any other new enterprise technology, people working in the blockchain space should hunker down for the very long term. I expect it will take another ten years before blockchains are commonly considered as an alternative for information system architectures, and another ten after that before they reach their full potential. By then, bandwidth, storage and cryptography will be so cheap and fast that it may seem quaint (if not ridiculous) for shared applications to store their data in only one place.
Where shared ledgers add real value in enterprise IT
Almost a year after first releasing MultiChain, we’ve learnt a huge amount about how blockchains, in a private and non-cryptocurrency sense, can and cannot be applied to real-world problems. Allow me to share what we know so far.
To begin with, the first idea that we (and many others) started with, appears to be wrong. This idea, inspired by bitcoin directly, was that private blockchains (or “shared ledgers”) could be used to directly settle the majority of payment and exchange transactions in the finance sector, using on-chain tokens to represent cash, stocks, bonds and more.
This is perfectly workable on a technical level, so what’s the problem? In a word, confidentiality. If multiple institutions are using a shared ledger, then every institution sees every transaction on that ledger, even if they don’t immediately know the real-world identities of the parties involved. This turns out to be a huge issue, both in terms of regulation and the commercial realities of inter-bank competition. While various strategies are available or in development for mitigating this problem, none can match the simplicity and efficiency of a centralized database managed by a trusted intermediary, which maintains full control over who can see what. For now at least, it seems that large financial institutions prefer to keep most transactions hidden in these intermediary databases, despite the costs involved.
I base this conclusion not only on our own experience, but also on the direction taken by several prominent startups whose initial goal was to develop shared ledgers for banks. For example, both R3CEV and Digital Asset are now working on “contract description languages”, in Corda and DAML respectively (earlier examples include MLFi and Ricardian Contracts). These languages allow the conditions of a complex financial contract to be represented formally and unambiguously in a computer readable format, while avoiding the shortcomings of Ethereum-style general purpose computation. Instead, the blockchain plays only a supporting role, storing or notarizing the contracts in encrypted form, and performing some basic duplicate detection. The actual contract execution does not take place on the blockchain – rather, it is performed only by the contract’s counterparties, with the likely addition of auditors and regulators.
In the near term, this is probably the best that can be done, but where does it leave the broader ambitions for permissioned blockchains? Are there other applications for which they can form a more significant part of the puzzle?
This question can be approached both theoretically and empirically. Theoretically, by focusing on the key differences between blockchains and traditional databases, and how these inform the set of possible use cases. And in our case, empirically, by categorizing the real-world solutions being built on MultiChain today. Not surprisingly, whether we focus on theory or practice, the same classes of use case arise:
Lightweight financial systems. Provenance tracking. Interorganizational record keeping. Multiparty aggregation. Before explaining these in detail, let’s recap the theory. As I’ve discussed before, the two most important differences between blockchains and centralized databases can be characterized as follows:
Disintermediation. Blockchains enable multiple parties who do not fully trust each other to safely and directly share a single database without requiring a trusted intermediary. Confidentiality: All participants in a blockchain see all of the transactions taking place. (Even if we use pseudonymous addresses and advanced cryptography to hide some aspects of those transactions, a blockchain will always leak more information than a centralized database.) In other words, blockchains are ideal for shared databases in which every user is able to read everything, but no single user controls who can write what. By contrast, in traditional databases, a single entity exerts control over all read and write operations, while other users are entirely subject to that entity’s whims. To sum it up in one sentence:
Blockchains represent a trade-off in which disintermediation is gained at the cost of confidentiality.
In examining the four types of use case below, we’ll repeatedly come back to this core trade-off, explaining why, in each case, the benefit of disintermediation outweighs the cost of reduced confidentiality.
Lightweight financial systems
Let’s start with the class of blockchain applications that will be most familiar, in which a group of entities wishes to set up a financial system. Within this system, one or more scarce assets are transacted and exchanged between those entities.
In order for any asset to remain scarce, two related problems must be solved. First, we must ensure that the same unit of the asset cannot be sent to more than one place (a “double spend”). Second, it must be impossible for anyone to create new units of the asset on a whim (“forgery”). Any entity which could do either of these things could steal unlimited value from the system.
A common solution to these problems is physical tokens, such as metal coins or securely printed paper. These tokens trivially solve the problem of double spending, because the rules of physics (literally) prevent one token from being in two places at the same time. The problem of forgery is solved by making the token extremely difficult to manufacture. Still, physical tokens suffer from several shortcomings which can render them impractical:
As pure bearer assets, physical tokens can be stolen with no trace or recourse. They are slow and costly to move in large numbers or over long distances. It is tricky and expensive to create physical tokens that cannot be forged. These shortcomings can be avoided by leaving physical tokens behind, and redefining asset ownership in terms of a ledger managed by a trusted intermediary. In the past, these ledgers were based on paper records, and today they tend to run on regular databases. Either way, the intermediary enacts a transfer of ownership by modifying the ledger’s content, in response to an authenticated request. Unlike settlement with physical tokens, questionable transactions can quickly and easily be reversed.
So what’s the problem with ledgers? In a nutshell, concentration of control. By putting so much power in one place, we create a significant security challenge, in both technical and human terms. If someone external can hack into the database, they can change the ledger at will, stealing others’ funds or destroying its contents completely. Even worse, someone on the inside could corrupt the ledger, and this kind of attack is hard to detect or prove. As a result, wherever we have a centralized ledger, we must invest significant time and money in mechanisms to maintain that ledger’s integrity. And in many cases, we require ongoing verification using batch-based reconciliation between the central ledger and those of each of the transacting parties.
Enter the blockchain (or “shared ledger”). This provides the benefits of ledgers without suffering from the problem of concentration. Instead, each entity runs a “node” holding a copy of the ledger and maintains full control over its own assets, which are protected by private keys. Transactions propagate between nodes in a peer-to-peer fashion, with the blockchain ensuring that consensus is maintained. This architecture leaves no central attack point through which a hacker or insider could corrupt the ledger’s contents. As a result, a digital financial system can be deployed more quickly and cheaply, with the added benefit of automatic reconciliation in real time.
So what’s the downside? As discussed earlier, all participants in a shared ledger see all of the transactions taking place, rendering it unusable in situations where confidentiality is required. Instead, blockchains are suitable for what I call lightweight financial systems, namely those in which the economic stakes or number of participants is relatively low. In these cases, confidentiality tends to be less of an issue – even if the participants pay close attention to what each other are doing, they won’t learn much of value. And it is precisely because the stakes are low that we prefer to avoid the hassle and cost of setting up an intermediary.
Some obvious examples of lightweight financial systems include: crowdfunding, gift cards, loyalty points and local currencies – especially in cases where assets are redeemable in more than one place. But we are also seeing use cases in the mainstream finance sector, such as peer-to-peer trading between asset managers who are not in direct competition. Blockchains are even being tested as internal accounting systems, in large organizations where each department or location must maintain control of its funds. In all these cases, the lower cost and friction of blockchains provides an immediate benefit, while the loss of confidentiality is not a concern.
Provenance tracking
Here’s a second class of use case that we repeatedly hear from MultiChain’s users: tracking the origin and movement of high-value items across a supply chain, such as luxury goods, pharmaceuticals, cosmetics and electronics. And equally, critical items of documentation such as bills of lading or letters of credit. In supply chains stretching across time and distance, all of these items suffer from counterfeiting and theft.
The problem can be addressed using blockchains in the following way: when the high-value item is created, a corresponding digital token is issued by a trusted entity, which acts to authenticate its point of origin. Then, every time the physical item changes hands, the digital token is moved in parallel, so that the real-world chain of custody is precisely mirrored by a chain of transactions on the blockchain.
If you like, the token is acting as a virtual “certificate of authenticity”, which is far harder to steal or forge than a piece of paper. Upon receiving the digital token, the final recipient of the physical item, whether a bank, distributor, retailer or customer, can verify the chain of custody all the way back to the point of origin. Indeed, in the case of documentation such as bills of lading, we can do away with the physical item altogether.
While all of this makes sense, the astute reader will notice that a regular database, managed (say) by an item’s manufacturer, can accomplish the same task. This database would store a record of the current owner of each item, accepting signed transactions representing each change of ownership, and respond to incoming requests regarding the current state of play.
So why use a blockchain instead? The answer is that, for this type of application, there’s a benefit to distributed trust. No matter where a centralized database is held, there will be people in that place who have the ability (and can be bribed) to corrupt its contents, marking forged or stolen items as legit. By contrast, if provenance is tracked on a blockchain belonging collectively to a supply chain’s participants, no individual entity or small group of entities can corrupt the chain of custody, and end users can have more confidence in the answers they receive. As a bonus, different tokens (say for some goods and the corresponding bill of lading) can be safely and directly exchanged, with a two-way swap guaranteed at the lowest blockchain level.
What about the problem of confidentiality? The suitability of blockchains for supply chain provenance is a happy result of this application’s simple pattern of transactions. In contrast to financial marketplaces, most tokens move in a single direction, from origin to endpoint, without being repeatedly traded back-and-forth between the blockchain’s participants. If competitors rarely transact with each other (e.g. toy manufacturer to toy manufacturer, or retailer to retailer), they cannot learn each others’ blockchain “addresses” and connect those to real-world identities. Furthermore, the activity can be easily partitioned into multiple ledgers, each representing a different order or type of good.
Finance-vs-Supply-Chain-Transactions
Interorganizational record keeping
Both of the previous use cases are based on tokenized assets, i.e. on-chain representations of an item of value transferred between participants. However there is a second group of blockchain use cases which is not related to assets. Instead, the chain acts as a mechanism for collectively recording and notarizing any type of data, whose meaning can be financial or otherwise.
One such example is an audit trail of critical communications between two or more organizations, say in the healthcare or legal sectors. No individual organization in the group can be trusted with maintaining this archive of records, because falsified or deleted information would significantly damage the others. Nonetheless it is vital that all agree on the archive’s contents, in order to prevent disputes.
To solve this problem, we need a shared database into which all of the records are written, with each record accompanied by a timestamp and proof of origin. The standard solution would be to create a trusted intermediary, whose role is to collect and store the records centrally. But blockchains offer a different approach, giving the organizations a way to jointly manage this archive, while preventing individual participants (or small groups thereof) from corrupting it.
One of the most enlightening conversations I’ve had in the past two years was with Michael Mainelli of Z/Yen. For 20 years his company has been building systems in which multiple entities collectively manage a shared digital audit trail, using timestamping, digital signatures and a round robin consensus scheme. As he explained the technical details of these systems, it became clear that they are permissioned blockchains in every respect. In other words, there is nothing new about using a blockchain for interorganizational recordkeeping – it’s just that the world has finally become aware of the possibility.
In terms of the actual data stored on the blockchain, there are three popular options:
Unencrypted data. This can be read by every participant in the blockchain, providing full collective transparency and immediate resolution in the case of a dispute. Encrypted data. This can only be read by participants with the appropriate decryption key. In the event of a dispute, anyone can reveal this key to a trusted authority such as a court, and use the blockchain to prove that the original data was added by a certain party at a certain point in time. Hashed data. A “hash” acts as a compact digital fingerprint, representing a commitment to a particular piece of data while keeping that data hidden. Given some data, any party can easily confirm if it matches a given hash, but inferring data from its hash is computationally impossible. Only the hash is placed on the blockchain, with the original data stored off-chain by interested parties, who can reveal it in case of a dispute. As mentioned earlier, R3CEV’s Corda product has adopted this third approach, storing hashes on a blockchain to notarize contracts between counterparties, without revealing their contents. This method can be used both for computer-readable contract descriptions, as well as PDF files containing paper documentation.
Naturally, confidentiality is not an issue for interorganizational record keeping, because the entire purpose is to create a shared archive that all the participants can see (even if some data is encrypted or hashed). Indeed in some cases a blockchain can help manage access to confidential off-chain data, by providing an immutable record of digitally signed access requests. Either way, the straightforward benefit of disintermediation is that no additional entity must be created and trusted to maintain this record.
Multiparty aggregation
Technically speaking, this final class of use case is similar to the previous one, in that multiple parties are writing data to a collectively managed record. However in this case the motivation is different – to overcome the infrastructural difficulty of combining information from a large number of separate sources.
Imagine two banks with internal databases of customer identity verifications. At some point they notice that they share a lot of customers, so they enter a reciprocal sharing arrangement in which they exchange verification data to avoid duplicated work. Technically, the agreement is implemented using standard master–slave data replication, in which each bank maintains a live read-only copy of the other’s database, and runs queries in parallel against its own database and the replica. So far, so good.
Now imagine these two banks invite three others to participate in this circle of sharing. Each of the 5 banks runs its own master database, along with 4 read-only replicas of the others. With 5 masters and 20 replicas, we have 25 database instances in total. While doable, this consumes noticeable time and resources in each bank’s IT department.
Fast forward to the point where 20 banks are sharing information in this way, and we’re looking at 400 database instances in total. For 100 banks, we reach 10,000 instances. In general, if every party is sharing information with every other, the total number of database instances grows with the square of the number of participants. At some point in this process, the system is bound to break down.
So what’s the solution? One obvious option is for all of the banks to submit their data to a trusted intermediary, whose job is to aggregate that data in a single master database. Each bank could then query this database remotely, or run a local read-only replica within its own four walls. While there’s nothing wrong with this approach, blockchains offer a cheaper alternative, in which the shared database is run directly by the banks which use it. Blockchains also bring the added benefit of redundancy and failover for the system as a whole.
It’s important to clarify that a blockchain is not acting just as a distributed database like Cassandra or RethinkDB. Unlike these systems, each blockchain node enforces a set of rules which prevent one participant from modifying or deleting the data added by another. Indeed, there still appears to be some confusion about this – one recently released blockchain platform can be broken by a single misbehaving node. In any event, a good platform will also make it easy to manage networks with thousands of nodes, joining and leaving at will, if granted the appropriate permissions.
Although I’m a little skeptical of the oft-cited connection between blockchains and the Internet of Things, I think this might be where a strong such synergy lies. Of course, each “thing” would be too small to store a full copy of the blockchain locally. Rather, it would transmit data-bearing transactions to a distributed network of blockchain nodes, who would collate it all together for further retrieval and analysis.
Conclusion: Blockchains in Finance
I started this piece by questioning the initial use case envisioned for blockchains in the finance sector, namely the bulk settlement of payment and exchange transactions. While I believe this conclusion is becoming common wisdom (with one notable exception), it does not mean that blockchains have no other applications in this industry. In fact, for each of the four classes of use case outlined above, we see clear applications for banks and other financial institutions. Respectively, these are: small trading circles, provenance for trade finance, bilateral contract notarization and the aggregation of AML/KYC data.
The key to understand is that, architecturally, our four classes of use case are not specific to finance, and are equally relevant to other sectors such as insurance, healthcare, distribution, manufacturing and IT. Indeed, private blockchains should be considered for any situation in which two or more organizations need a shared view of reality, and that view does not originate from a single source. In these cases, blockchains offer an alternative to the need for a trusted intermediary, leading to significant savings in hassle and cost.
In most discussions about blockchains, it doesn’t take long for the notion of “smart contracts” to come up. In the popular imagination, smart contracts automate the execution of interparty interactions, without requiring a trusted intermediary. By expressing legal relationships in code rather than words, they promise to enable transactions to take place directly and without error, whether deliberate or not.
From a technical viewpoint, a smart contract is something more specific: computer code that lives on a blockchain and defines the rules for that chain’s transactions. This description sounds simple enough, but behind it lies a great deal of variation in how these rules are expressed, executed and validated. When choosing a blockchain platform for a new application, the question “Does this platform support smart contracts?” isn’t the right one to ask. Instead, we need to be asking: “What type of smart contracts does this platform support?”
In this article, my goal is to examine some of the major differences between smart contract approaches and the trade-offs they represent. I’ll do this by looking at four popular enterprise blockchain platforms which support some form of customized on-chain code. First, IBM’s Hyperledger Fabric, which calls its contracts “chaincode”. Second, our MultiChain platform, which introduces smart filters in version 2.0. Third, Ethereum (and its permissioned Quorum and Burrow spin-offs), which popularized the “smart contract” name. And finally, R3 Corda, which references “contracts” in its transactions. Despite all of the different terminology, ultimately all of these refer to the same thing – application-specific code that defines the rules of a chain.
Before going any further, I should warn the reader that much of the following content is technical in nature, and assumes some familiarity with general programming and database concepts. For good or bad, this cannot be avoided – without getting into the details it’s impossible to make an informed decision about whether to use a blockchain for a particular project, and (if so) the right type of blockchain to use.
Blockchain basics
Let’s begin with some context. Imagine an application that is shared by multiple organizations, which is based on an underlying database. In a traditional centralized architecture, this database is hosted and administered by a single party which all of the participants trust, even if they do not trust each other. Transactions which modify the database are initiated only by applications on this central party’s systems, often in response to messages received from the participants. The database simply does what it’s told because the application is implicitly trusted to only send it transactions that make sense.
Blockchains provide an alternative way of managing a shared database, without a trusted intermediary. In a blockchain, each participant runs a “node” that holds a copy of the database and independently processes the transactions which modify it. Participants are identified using public keys or “addresses”, each of which has a corresponding private key known only to the identity owner. While transactions can be created by any node, they are “digitally signed” by their initiator’s private key in order to prove their origin.
Nodes connect to each other in a peer-to-peer fashion, rapidly propagating transactions and the “blocks” in which they are timestamped and confirmed across the network. The blockchain itself is literally a chain of these blocks, which forms an ordered log of every historical transaction. A “consensus algorithm” is used to ensure that all nodes reach agreement on the content of the blockchain, without requiring centralized control. (Note that some of this description does not apply to Corda, in which each node has only a partial copy of the database and there is no global blockchain. We’ll talk more about that later on.)
In principle, any shared database application can be architected by using a blockchain at its core. But doing so creates a number of technical challenges which do not exist in a centralized scenario:
Transaction rules. If any participant can directly change the database, how do we ensure that they follow the application’s rules? What stops one user from corrupting the database’s contents in a self-serving way? Determinism. Once these rules are defined, they will be applied multiple times by multiple nodes when processing transactions for their own copy of the database. How do we ensure that every node obtains exactly the same result? Conflict prevention. With no central coordination, how do we deal with two transactions that each follow the application’s rules, but nonetheless conflict with each other? Conflicts can stem from a deliberate attempt to game the system, or be the innocent result of bad luck and timing. So where do smart contracts, smart filters and chaincode come in? Their core purpose is to work with a blockchain’s underlying infrastructure in order to solve these challenges. Smart contracts are the decentralized equivalent of application code – instead of running in one central place, they run on multiple nodes in the blockchain, creating or validating the transactions which modify that database’s contents.
Let’s begin with transaction rules, the first of these challenges, and see how they are expressed in Fabric, MultiChain, Ethereum and Corda respectively.
Transaction rules
Transaction rules perform a specific function in blockchain-powered databases – restricting the transformations that can be performed on that database’s state. This is necessary because a blockchain’s transactions can be initiated by any of its participants, and these participants do not trust each other sufficiently to allow them to modify the database at will.
Let’s see two examples of why transaction rules are needed. First, imagine a blockchain designed to aggregate and timestamp PDF documents that are published by its participants. In this case, nobody should have the right to remove or change documents, since doing so would undermine the entire purpose of the system – document persistence. Second, consider a blockchain representing a shared financial ledger, which keeps track of the balances of its users. We cannot allow a participant to arbitrarily inflate their own balance, or take others’ money away.
Inputs and outputs
Our blockchain platforms rely on two broad approaches for expressing transaction rules. The first, which I call the “input–output model”, is used in MultiChain and Corda. Here, transactions explicitly list the database rows or “states” which they delete and create, forming a set of “inputs” and “outputs” respectively. Modifying a row is expressed as the equivalent operation of deleting that row and creating a new one in its place.
Since database rows are only deleted in inputs and only created in outputs, every input must “spend” a previous transaction’s output. The current state of the database is defined as the set of “unspent transaction outputs” or “UTXOs”, i.e. outputs from previous transactions which have not yet been used. Transactions may also contain additional information, called “metadata”, “commands” or “attachments”, which don’t become part of the database but help to define their meaning or purpose.
Given these three sets of inputs, outputs and metadata, the validity of a transaction in MultiChain or Corda is defined by some code which can perform arbitrary computations on those sets. This code can validate the transaction, or else return an error with a corresponding explanation. You can think of the input–output model as an automated “inspector” holding a checklist which ensures that transactions follow each and every rule. If the transaction fails any one of those checks, it will automatically be rejected by all of the nodes in the network.
It should be noted that, despite sharing the input–output model, MultiChain and Corda implement it very differently. In MultiChain, outputs can contain assets and/or data in JSON, text or binary format. The rules are defined in “transaction filters” or “stream filters”, which can be set to check all transactions, or only those involving particular assets or groupings of data. By contrast, a Corda output “state” is represented by an object in the Java or Kotlin programming language, with defined data fields. Corda’s rules are defined in “contracts” which are attached to specific states, and a state’s contract is only applied to transactions which contain that state in its inputs or outputs. This relates to Corda’s unusual visibility model, in which transactions can only be seen by their counterparties or those whose subsequent transactions they affect.
Contracts and messages
The second approach, which I call the “contract–message model”, is used in Hyperledger Fabric and Ethereum. Here, multiple “smart contracts” or “chaincodes” can be created on the blockchain, and each has its own database and associated code. A contract’s database can only be modified by its code, rather than directly by blockchain transactions. This design pattern is similar to the “encapsulation” of code and data in object-oriented programming.
With this model, a blockchain transaction begins as a message sent to a contract, with some optional parameters or data. The contract’s code is executed in reaction to the message and parameters, and is free to read and write its own database as part of that reaction. Contracts can also send messages to other contracts, but cannot access each other’s databases directly. In the language of relational databases, contracts act as enforced “stored procedures”, where all access to the database goes via some predefined code.
Both Fabric and Quorum, a variation on Ethereum, complicate this picture by allowing a network to define multiple “channels” or “private states”. The aim is to mitigate the problem of blockchain confidentiality by creating separate environments, each of which is only visible to a particular sub-group of participants. While this sounds promising in theory, in reality the contracts and data in each channel or private state are isolated from those in the others. As a result, in terms of smart contracts, these environments are equivalent to separate blockchains.
Example rules
Let’s see how to implement the transaction rules for a single-asset financial ledger with these two models. Each row in our ledger’s database has two columns, containing the owner’s address and the quantity of the asset owned. In the input–output model, transactions must satisfy two conditions:
The total quantity of assets in a transaction’s outputs has to match the total in its inputs. This prevents users from creating or deleting money arbitrarily. Every transaction has to be signed by the owner of each of its inputs. This stops users from spending each other’s money without permission. Taken together, these two conditions are all that is needed to create a simple but viable financial system.
In the contract–message model, the asset’s contract supports a “send payment” message, which takes three parameters: the sender’s address, recipient’s address, and quantity to be sent. In response, the contract executes the following four steps:
Verify that the transaction was signed by the sender. Check that the sender has sufficient funds. Deduct the requested quantity from the sender’s row. Add that quantity to the recipient’s row. If either of the checks in the first two steps fails, the contract will abort and no payment will be made.
So both the input–output and contract–message models are effective ways to define transaction rules and keep a shared database safe. Indeed, on a theoretical level, each of these models can be used to simulate the other. In practice however, the most appropriate model will depend on the application being built. Does each transaction affect few or many pieces of information? Do we need to be able to guarantee transaction independence? Does each piece of data have a clear owner or is there some global state to be shared?
It is beyond our scope here to explore how the answers should influence a choice between these two models. But as a general guideline, when developing a new blockchain application, it’s worth trying to express its transaction rules in both forms, and seeing which fits more naturally. The difference will express itself in terms of: (a) ease of programming, (b) storage requirements and throughput, and (c) speed of conflict detection. We’ll talk more about this last issue later on.
Built-in rules
When it comes to transaction rules, there is one way in which MultiChain specifically differs from Fabric, Ethereum and Corda. Unlike these other platforms, MultiChain has several built-in abstractions that provide some basic building blocks for blockchain-driven applications, without requiring developers to write their own code. These abstractions cover three areas that are commonly needed: (a) dynamic permissions, (b) transferrable assets, and (c) data storage.
For example, MultiChain manages permissions for connecting to the network, sending and receiving transactions, creating assets or streams, or controlling the permissions of other users. Multiple fungible assets can be issued, transferred, retired or exchanged safely and atomically. Any number of “streams” can be created on a chain, for publishing, indexing and retrieving on-chain or off-chain data in JSON, text or binary formats. All of the transaction rules for these abstractions are available out-of-the-box.
When developing an application on MultiChain, it’s possible to ignore this built-in functionality, and express transaction rules using smart filters only. However, smart filters are designed to work together with its built-in abstractions, by enabling their default behavior to be restricted in customized ways. For example, the permission for certain activities might be controlled by specific administrators, rather than the default behavior where any administrator will do. The transfer of certain assets can be limited by time or require additional approval above a certain amount. The data in a particular stream can be validated to ensure that it consists only of JSON structures with required fields and values.
In all of these cases, smart filters create additional requirements for transactions to be validated, but do not remove the simple rules that are built in. This can help address one of the key challenges in blockchain applications: the fact that a bug in some on-chain code can lead to disastrous consequences. We’ve seen endless examples of this problem in the public Ethereum blockchain, most famously in the Demise of The DAO and the Parity multisignature bugs. Broader surveys have found a large number of common vulnerabilities in Ethereum smart contracts that enable attackers to steal or freeze other peoples’ funds.
Of course, MultiChain smart filters may contain bugs too, but their consequences are more limited in scope. For example, the built-in asset rules prevent one user from spending another’s money, or accidentally making their own money disappear, no matter what other logic a smart filter contains. If a bug is found in a smart filter, it can be deactivated and replaced with a corrected version, while the ledger’s basic integrity is protected. Philosophically, MultiChain is closer to traditional database architectures, where the database platform provides a number of built-in abstractions, such as columns, tables, indexes and constraints. More powerful features such as triggers and stored procedures can optionally be coded up by application developers, in cases where they are actually needed.
Transaction rules Fabric MultiChain Ethereum Corda Model Contract–message Input–output Contract–message Input–output Built-ins None Permissions + assets + streams None None Determinism
Let’s move on to the next part of our showdown. No matter which approach we choose, the custom transaction rules of a blockchain application are expressed as computer code written by application developers. And unlike centralized applications, this code is going to be executed more than one time and in more than one place for each transaction. This is because multiple blockchain nodes belonging to different participants have to each verify and/or execute that transaction for themselves.
This repeated and redundant code execution introduces a new requirement that is rarely found in centralized applications: determinism. In the context of computation, determinism means that a piece of code will always give the same answer for the same parameters, no matter where and when it is run. This is absolutely crucial for code that interacts with a blockchain because, without determinism, the consensus between the nodes on that chain can catastrophically break down.
Let’s see how this looks in practice, first in the input–output model. If two nodes have a different opinion about whether a transaction is valid, then one will accept a block containing that transaction and the other will not. Since every block explicitly links back to a previous block, this will create a permanent “fork” in the network, with one or more nodes not accepting the majority opinion about the entire blockchain’s contents from that point on. The nodes in the minority will be cut off from the database’s evolving state, and will no longer be able to effectively use the application.
Now let’s see what happens if consensus breaks down in the contract–message model. If two nodes have a different opinion about how a contract should respond to a particular message, this can lead to a difference in their databases’ contents. This in turn can affect the contract’s response to future messages, including messages it sends to other contracts. The end result is an increasing divergence between different nodes’ view of the database’s state. (The “state root” field in Ethereum blocks ensures that any difference in contracts’ responses leads immediately to a fully catastrophic blockchain fork, rather than risking staying hidden for a period of time.)
Sources of non-determinism
So non-determinism in blockchain code is clearly a problem. But if the basic building blocks of computation, such as arithmetic, are deterministic, what do we have to worry about? Well, it turns out, quite a few things:
Most obviously, random number generators, since by definition these are designed to produce a different result every time. Checking the current time, since nodes won’t be processing transactions at exactly the same time, and in any event their clocks may be out of sync. (It’s still possible to implement time-dependent rules by making reference to timestamps within the blockchain itself.) Querying external resources such as the Internet, disk files, or other programs running on a computer. These resources cannot be guaranteed to always give the same response, and may become unavailable. Running multiple pieces of code in parallel “threads”, since this leads to a “race condition” where the order in which these processes finish cannot be predicted. Performing any floating point calculations which can give even minutely different answers on different computer processor architectures. Our four blockchain platforms employ several different approaches to avoiding these pitfalls.
Deterministic execution
Let’s start with Ethereum, since its approach is the most “pure”. Ethereum contracts are expressed in a special-purpose format called “Ethereum bytecode”, which is executed by the Ethereum Virtual Machine (“EVM”). Programmers do not write bytecode directly, but rather generate or “compile” it from a JavaScript-like programming language called Solidity. (Other languages used to be available but have since been deprecated.) Determinism is guaranteed by the fact that Solidity and Ethereum bytecode cannot encode any non-deterministic operations – it’s that simple.
MultiChain filters and Corda contracts choose a different approach, by adapting existing programming languages and runtime environments. MultiChain uses JavaScript running in Google’s V8 engine, which also forms the core of the Chrome browser and the Node.js platform, but with sources of non-determinism disabled. Similarly, Corda uses Java or Kotlin, both of which are compiled to “Java bytecode” which executes within a Java Virtual Machine (“JVM”). For now, Corda uses Oracle’s standard non-deterministic JVM, but work is under way to integrate a deterministic version. In the meantime, Corda contract developers must take care not to allow non-determinism in their code.
How does Ethereum’s purism compare with the evolutionary approach taken by MultiChain and Corda? The main advantage for Ethereum is risk minimization – a built-for-purpose virtual machine is less likely to contain an inadvertent source of non-determinism. While any such oversight could be fixed by a software update, it would be disruptive to any chain that was unlucky enough to encounter it. Ethereum’s problem, however, is that Solidity and the EVM constitute a tiny and nascent ecosystem in the wider context of programming languages and runtime environments. By comparison, JavaScript and Java are the top two languages on Github, run on billions of digital devices, and have runtimes that have been optimized over decades. Presumably this is why the public Ethereum blockchain is considering a transition to eWASM, a deterministic fork of the emerging WebAssembly standard.
Determinism by endorsement
When it comes to determinism, Hyperledger Fabric adopts a completely different approach. In Fabric, when a “client” node wants to send a message to some chaincode, it first sends that message to some “endorser” nodes. Each of these nodes executes the chaincode independently, forming an opinion of the message’s effect on that chaincode’s database. These opinions are sent back to the client together with a digital signature which constitutes a formal “endorsement”. If the client receives enough endorsements of the intended outcome, it creates a transaction containing those endorsements, and broadcasts it for inclusion in the chain.
In order to guarantee determinism, each piece of chaincode has an “endorsement policy” which defines exactly what level of approval is required in order to render its transactions valid. For example, one chaincode’s policy might state that endorsements are required from at least half of the blockchain’s nodes. Another might require an endorsement from any one of three trusted parties. Either way, every node can independently check if the necessary endorsements were received.
To clarify the difference, determinism in most blockchain platforms is based on the question: “What is the result of running this code on this data?” – and we need to be absolutely sure that every node will answer this question identically. By contrast, determinism in Fabric is based on a different question: “Do enough endorsers agree on the result of running this code on this data?” Answering that is a rather simple matter of counting, and there’s no room for non-determinism to creep in.
Fabric’s determinism-by-endorsement has a number of interesting consequences. First, chaincode can be written in many different programming languages, since these don’t need to be adapted for determinism (Go, Java and JavaScript are currently supported). Second, chaincode can be hidden from some of a blockchain’s participants, since it only needs to be executed by clients and endorsers (the database itself is globally visible). Finally and most notably, Fabric chaincode can do things that are forbidden in other blockchain environments, such as checking the weather using an online web API. In the worst case, where every endorser gets a different answer from this API, the client will fail to obtain enough endorsements for any particular outcome, and no transaction will take place. (It should be noted that Fabric team members still recommend using deterministic logic inside chaincode, in order to avoid surprises.)
What price does Fabric pay for this flexibility? If the purpose of a blockchain is to remove intermediaries from a shared database-driven application, then Fabric’s reliance on endorsers takes a big step away from that goal. For the participants in the chain, it is no longer enough to follow the chaincode’s rules – they also need certain other nodes to agree that they have done so. Even worse, a malicious subset of endorsers could approve database changes that do not follow chaincode at all. This gives endorsers much more power than the validators in regular blockchains, who can censor transactions but cannot violate the blockchain’s rules. Blockchain application developers must decide whether this trade-off makes sense in their particular case.
Determinism Fabric MultiChain Ethereum Corda Model Endorsements Adapted runtime Purpose-built VM Adapted runtime Languages Go + Java + JavaScript JavaScript Solidity Java + Kotlin Code visibility Counterparties + endorsers Blockchain Blockchain Counterparties + dependents Enforced No Yes Yes No (for now) Conflict prevention
So far, we’ve discussed how different blockchain platforms express transaction rules in code, and how they deterministically ensure that every node applies those rules identically. Now it’s time to talk about a third aspect of our showdown: How does each platform deal with the possibility that two transactions, which are valid in and of themselves, conflict with each other? In the simplest example, imagine that Alice has $10 in a financial ledger and broadcasts two transactions – one sending $8 to Bob, and the other sending $7 to Charlie. Clearly, only one of these transactions can be allowed to succeed.
Two models
We can begin by grouping MultiChain’s and Corda’s approach to this problem together. As described earlier, both of these use an input–output model for representing transactions and their rules, in which each transaction input spends a previous transaction output. This leads to a simple principle for preventing conflicts: Every output can only be spent once. MultiChain filters and Corda contracts can rely on their respective platforms to enforce this restriction absolutely. Since Alice’s $10 is represented by a previous transaction output, this single-spend rule automatically stops her sending it to both Bob and Charlie.
Despite this similarity, it’s important to point out a key difference in how MultiChain and Corda prevent conflicts. In MultiChain, every node sees every transaction and so can independently verify that each output is only spent once. Any transaction which performs a double spend against a previously confirmed transaction will be instantly and automatically rejected. By contrast, in Corda there is no global blockchain, so “notaries” are required to prevent these double spends. Every Corda output state is assigned to a notary, who has to sign any transaction spending that output, confirming it has not been spent before. A blockchain’s participants must trust notaries to follow this rule honestly, and malicious notaries can cause havoc at will. As with endorsements in Fabric, this “single-spend as a service” design has advantages in terms of confidentiality but reintroduces intermediaries, going against the blockchain grain. (It’s important to clarify that Corda notaries can be run by groups of participants using a consensus algorithm, so the integrity of the ledger can still be protected against individual bad actors).
Let’s move on to Ethereum. To recall, Ethereum uses contracts and messages rather than inputs and outputs. As a result, transaction conflicts such as Alice’s two payments are not immediately visible to the blockchain engine. Instead, they are detected and blocked by the contract which processes the transactions, after their order is confirmed on the chain. When processing each of Alice’s payments, the contract verifies whether her balance is sufficient. If the transaction paying $8 to Bob comes first, it will be processed as usual, leaving Alice with $2 in her account. As a result, when the contract processes the second transaction paying $7 to Charlie, it sees that Alice lacks the necessary funds and the transaction aborts.
Outputs vs contracts
So far we’ve seen two different techniques for preventing conflicting transactions – single-spend outputs in MultiChain and Corda, and contract-based verification in Ethereum. So which is better?
In order to help answer this question, let’s consider an example “1-of-2 multisignature” account which holds $100 on behalf of Gavin and Helen, and allows either of them to spend that money independently. Gavin instructs his application to pay $80 to Donna, and a few seconds later, Helen wants to send $40 to Edward. Since there are insufficient funds for both payments, these transactions would inevitably conflict. In the event that both transactions are broadcast, the outcome will be determined by whichever makes it first into the chain. Note that unlike Alice’s example, this conflict is accidental, since no one is trying to break the application’s rules – they simply had unlucky timing.
In considering the likelihood of this conflict occurring, the key question is this: After Gavin sends out his transaction, how long will it take Helen’s node to know that her payment might fail? The shorter this period is, the more likely Helen is to be stopped from attempting that payment, saving her and her application from a subsequent surprise.
With the input–output model, any conflict between transactions is directly visible to the blockchain platform, since the two transactions will be explicitly attempting to spend the same previous output. In MultiChain, this happens as soon as Gavin’s transaction has propagated to Helen’s node, usually in a second or less. In Corda, the output’s notary will refuse the request to sign Helen’s transaction, since it has already signed Gavin’s, so Helen will instantly know that her payment will fail. (Although if the Corda notary is itself distributed, she may have to wait a few seconds for a reply.) Either way, there is no need to wait for a transaction to be confirmed and ordered in the blockchain.
What about Ethereum’s model? In this case, there is no immediate way for the blockchain platform to know that a conflict will occur. While Helen’s node may see Gavin’s transaction on the network, it cannot know how this will affect Helen’s own transaction, since from its perspective these are simply two messages being sent to the same contract. Perhaps ten seconds later, once the final ordering of the conflicting transactions is confirmed on the blockchain, Helen’s node will recalculate the actual instead of the expected outcome, and her application will update its display accordingly. In the meantime, both Gavin and Helen will be left in the dark.
But we shouldn’t conclude from this that the input–output model always works best. Consider a variation on our example scenario, where both Gavin and Helen request smaller $40 payments from the original balance of $100, at exactly the same time. In the input–output model these transactions would conflict, since they are both spending the same database row containing that $100, and only one of the payments would succeed. But in Ethereum, both transactions would be successfully processed, irrespective of their final order, since the account contains sufficient funds for both. In this case, Ethereum more faithfully fulfills Gavin’s and Helen’s intentions.
Read-write sets
Finally, let’s talk about Fabric, whose endorsement-based approach is a hybrid of these two techniques. As explained earlier, when a Fabric “client” node wants to send a message to a contract, it first asks some endorsing nodes to execute that message on its behalf. The endorsing nodes do so in a similar way to Ethereum – running the contract against their local database – but this process is observed rather than immediately applied. Each endorser records the set of rows that would be read and written, noting also the exact version of those rows at that point in time. This “read-write set” of versioned rows is explicitly referenced in the endorsement, and included in the transaction which the client broadcasts.
Conflicts between Fabric transactions are resolved once their order is finalized in the chain. Every node processes each transaction independently, checking endorsement policies and applying the database changes specified. However, if a transaction reads or writes a database row version that has already been modified by a previous transaction, then that second transaction is ignored. To go back to Alice’s conflicting payments to Bob and Charlie, both of these transactions will read and modify the same row version, containing the $10 with which Alice started. So the second transaction will be safely and automatically aborted.
Fabric’s approach to conflict resolution works just fine, but in terms of performance and flexibility it combines the worst of the previous two models. Because endorsements convert transactions into specific read-write sets, Gavin and Helen’s simultaneous but compatible $40 payments would lead to a conflict that Ethereum avoids. However, Fabric does not gain the speed advantage of the input–output model, since endorsers execute contracts against the most recent version of the database confirmed by the blockchain, ignoring unconfirmed transactions. So if Helen initiates her payment a few seconds after Gavin, but before Gavin’s has been confirmed on the blockchain, Fabric will create conflicting transactions that a pure input–output model avoids.
Conflict prevention Fabric MultiChain Ethereum Corda Model Read-write sets Single spend Contract checks Single spend Verification Independent Independent Independent Trusted notaries Speed ~10s (confirmation) ~1s (propagation) ~10s (confirmation) 0~5s (notary) A complex choice
In this piece, we reviewed many of the different ways in which Corda, Ethereum, Fabric and MultiChain address the key challenges of “smart contracts”, or application code that is embedded in a blockchain. And each platform has different answers to our three core questions: How are transaction rules represented? How is code executed deterministically? And how do we prevent conflicts?
So who is the winner of our smart contract showdown? It should be obvious by now that there is no simple answer. Each platform represents a complex multi-way trade-off between flexibility, simplicity, performance, disintermediation, safety and confidentiality. So the choice of platform for a particular application has to begin with a detailed understanding of that application’s trust model, the types of transactions it involves, and their likely patterns of conflict. If you find someone pushing a specific smart contract solution before they know the answers to these questions, I suggest politely but firmly insisting that they adopt a “smarter” approach.
特首林鄭月娥在本周的行會前見傳媒,表示零售、餐飲和酒店這三個旅遊相關行業面對嚴重衝擊,她希望業主和地產商抱着同舟共濟、共度時艱的精神,對受影響的商舖和租戶提供紓緩。
當市民聽到林鄭向業主和地產商的呼籲,相信只會感到特首是一位偽君子,因為整個反送中運動的罪魁禍首是這位只會「please my boss」和目空一切的特區揸fit人。如果沒有她強推修訂《逃犯條例》,香港也不會發生過去四個月的亂局。如今林鄭假扮善人,真是令人憤慨,假若我是業主,肯定會對她說:「香港市民要為你犯上的錯誤埋單,你又於心何忍呢!」
不過,當林鄭宣報啟動緊急法為反蒙面法立法,筆者對林鄭已沒任何期望,原因是在不緊急的情況下,採用緊急法根本是一個管治完全失效的例子。眾所周知,香港的強項是制度優勢和法治,但特區政府竟然採用一個「核彈治蒼蠅」的方法來推出反蒙面法,究竟林鄭有沒有考慮過緊急法對香港的制度優勢所帶來的嚴重破壞?筆者可以告訴大家,這次特區引用緊急法已重創香港金融中心的聲譽,特別是投資者和國際企業已感覺到現政府做事無規無矩,此外,過去幾個月警方對示威者和市民使用的龐大鎮壓力量已遠遠超乎一個法治社會可以接受的水平,因此,香港的金融中心地位真是岌岌可危。
雖然中央早已感到中港矛盾日深,但卻低估香港市民對《逃犯條例》修訂有如此巨大的抗拒,反映香港人仍希望保持一貫的制度和生活模式。誠然,香港市民在回歸祖國後,對一國兩制是有期望的,無奈經歷過去幾年的社會急劇改變和「千禧一代」快速冒起,整個社會意識形態已明顯改變,尤其是對社會不公產生強烈惡感。此次修例正好引爆這個深層次問題,令香港步入一個前所未見的政治危機。
採用緊急法可說是無辦法中的辦法,掌權者必須認清楚局勢才可以實施這法例。無奈,林鄭政府不但管治無方,而且更缺乏危機感,所以才會低估由修例所帶來的社會強烈反彈,現在更動用緊急法來止暴制亂,顯示政府高官已失去判斷力。筆者看見這個情況,真是感到無限悲傷。
香港一旦失去金融中心地位,即是中國也會失去唯一的對外金融窗口,對中國的經濟發展將帶來難以估計的衝擊。雖然中央希望發展深圳作為國際金融中心來代替香港的地位,但在缺乏制度優勢下,這個計劃是難以成功的,尤其是要中國接受完全資訊自由和採用西方法政制度,這根本是不可能在中短期內發生的,大家可以想像,如果香港不能保持其獨特性,便只會變為一個典型內地城市,對投資者和國際企業來說,香港已失去其珍貴的價值了。
http://www.acecentre.hk 關焯照 經濟學家、冠域商業及經濟研究中心主任