Contact Tracing is the concept of identifying persons who may have come into contact with an infected person and it is seen as a critical component of managing the spread of COVID-19, a particularly contagious and serious threat. Contact Tracing can be done manually, in cases where contact is known and limited, like within a hospital room. Or, it can be managed automatically in situations that are less well regulated using a proxy for a person – like a phone.

Is it possible to allow our phones to automatically gather our sensitive medical data and make it accessible to an app, without completely destroying personal data? While there are myriad bad ways to do this, Google and Apple are trying to do it in a way that most respects personal data privacy. We’re going to dig a little into what they’re doing and what privacy concerns still arise.

On May 20th, Apple and Google released an API that apps from public health organizations can utilize for the purpose of Contact Tracing. The API will let those apps use a phone’s Bluetooth to keep track of whether it has been in proximity with another contact tracing app user who later turns out to have been infected with Covid-19.

The apps will broadcast unique, rotating Bluetooth codes. The codes are derived from a cryptographic key that changes every day. This ensures that the users stay unique, and that their identity is hard to uncover, based on the frequency of code rotation.

The apps then monitor other contact tracing apps they come into contact with, and record the anonymous codes issued by those devices.

When a user reports a positive COVID-19 diagnosis, their app uploads the keys that were used to generate their codes.

All other apps download the daily keys and use them to recreate the codes they generated. If it finds a match with one of its stored codes, the app will notify that person that they may have been exposed.

This exchange is outlined below by Wired.com (https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/):

The positives are that the phones stay anonymous, the data exchange is voluntary, and the reporting is completely opt-in. However, there are still a few possible attack vectors, as outlined below.

Privacy Concerns and Responses

Correlation Attack: User is identified by matching their image to the codes broadcast in their proximity.

This would require recording the person’s face while catching the code, then matching the code to the bluetooth signals passing by. This is not going to expose a high number of people, but is a potential risk.

Identification through additional data: App could choose to collect IP address, location, etc. to ID the user.

This could be mitigated by Apple and Google vetting any apps using their API. Otherwise, the user would need to be able to choose not to opt into the app.

Ad targeting based on beacon data: Companies set up their own beacons to track infected customers

This is possible but not super useful to companies, who have much more detailed data on their consumers buying habits. Companies could market based on COVID-19 remedies, but this is going to be a small benefit to the company.

All told, the risks to privacy are fairly well mitigated by Apple and Google’s choices about how to deploy this API. The biggest risk will be to ensure that the apps that are using the data aren’t augmenting it with additional information that could reveal the person behind the anonymous codes. This will mean it’s up to Apple and Google to vet the apps, or up to the end user to ensure they are selective about what supplementary information they grant to the app or which apps they’ll trust to be privacy protecting.

There’s another element to the success of these apps – how well will they actually work given the protective nature of Apple and Google’s solution?

Efficacy Concerns and Responses

So, what’s the conclusion here? The privacy issues are relatively low, as long as apps don’t ask for extra data (or Google and Apple prevent it.) But the downside is that efficacy is also low for an opt-in app. This isn’t necessarily the fault of the high privacy approach, but more a reflection of how hard it is to get a large enough section of the population to use an app to make the result effective. It doesn’t hurt to have it, but other options, like manual contact tracing in local areas might be a more efficacious way to track people on a local level. Then, the locally collected data can be aggregated to create a clearer picture of the state of the virus.

Sources

• https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/
• https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone/
• https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses/
• https://www.forbes.com/sites/zakdoffman/2020/05/12/forget-apple-and-google-contact-tracing-apps-just-dealt-serious-new-blow/#18ab44c72172

Marla Hay 

Sr. Director 

Product Management – Privacy & Data Governance 

Salesforce

The Color of 2020 is Blue

At specific points in history, life shifts: rhythms change, patterns of behavior evolve rapidly, and cultural values reshape themselves. The current global pandemic is one of these societal salients.

It’s not the first time that this kind of transformation has taken place, of course, and examining a similarly radical revolution can inform how we view the current environment. If the color of the world is indeed changing, then it’s only appropriate that one of the parallels that we examine be the astonishingly rapid rise of the color blue.

In the beginning, blue did not exist.

Red, white, and black were the colors of ancient cultures; from cave paintings to the dyeing of fabrics—blue was more difficult to source, process, and manipulate, and so it remained a second-rate color, especially in the western world.

The lack of blue in art and clothing meant that blue had little symbolic value; even up until the high Middle Ages, it was not even used for depicting the sky—most artists showed the sky as red, gold, or white. Whereas some colors took on cultural significance because of their widespread usage (the example of a small girl dressed in red, taking a pot of white butter to her grandmother, dressed in black in ‘The Little Red Riding-hood’ story comes to mind), blue was nonexistent in terms of meaning.

All of this, however, changed within a few decades in the 13th century. Artistic expression was driven by development of the “Chartres blue”, a new, brighter, and more luminous blue in glass form, which heralded a widespread adoption of the color in stained-glass windows in churches throughout Europe. Advances in clothing production also elevated the status of blue in textiles. A massive increase in production of woad, the raw material used in dyeing fabric blue, along with the associated rise in demand for the color, led to entire regions such as Languedoc (France) and Thuringia (Germany) becoming wealthy as they specialized in the production of blue and its associated products. By the end of the 13th century, a stable, bright blue cloth was widely available.

And as blue became more widely available, its semantic impact skyrocketed. Blue embedded itself into religion, as the new color was used to represent the robes of the Virgin Mary. It was also incorporated into the heraldry of various important families, and royalty was no exception to this affection for the new color. While the King of France was the first to adopt blue into his royal color palette, it was soon in use by the King of England, and later by kings in Germany and Italy.

In just a few short decades, then, blue went from having no cultural significance to representing some of the highest values of society: the purity of the Virgin, the power and prestige of royalty. The spectrum of meaningful color had expanded in short order, and the world was different as a result.

The world we live in is currently undergoing a similar seismic change. Previous patterns of working and living have been forcibly modified. One of the most foundational of these movements comes at the hands of “shelter-in-place” orders being enacted in various parts of the world: employees, no matter their industry or profession, are being forced to work from home.

The concept of working from home is not novel. With the adoption of mobile devices and the increase in broadband availability both in private and public areas, a small segment of the workforce had already adopted this model. Like the color blue, however, it was a secondary option, and its cultural impact was limited.

The spectrum of work has now shifted. Shelter in place orders have forced a global workforce to work from home. What had been an alternative mode of work has now become the primary—all within a few short months, if not weeks. Remote work is the color of 2020, and it is likely here to stay. Once blue arrived, innovation and investment drove production and created entirely new industries, and the forced adoption of this new mode of work will force a similar chromatic shift. People have a new color in their palette, and the world will be shaded differently.

In the wake of this transformation, the cultural impact of this shift awaits. In short order, blue came to be associated with health, power, and affluence. Will the same soon be said of working from home?

Certainly, from a business perspective, the value of this new way of working is already evident, particularly for organizations that have already developed the infrastructure to accommodate a pattern of remote work. This is not merely an installation of IT services such as a VPN, but also requires reconsideration of the established security mindset. While many of them may not have the scale to handle a complete and immediate transition to home-based employees, their transition to this brave new world will be smoother due to their preemptive investment in a revised security strategy.

This new approach to securing resources deemphasizes perimeter defense and elevates the role of identity. Various systems and names have been introduced (or reintroduced) to facilitate the practical development of these systems; zero trust and CARTA are a few strategies among many that attempt to translate this vision into a practical reality.

Businesses that have already begun this shift are likely to be less impacted by the maelstrom of change; while none welcome this new reality, organizations well-equipped for this new cultural value will be healthier in both the short and long term. Fewer disruptions in their business and continuity in their economic model will mean that they have a stronger chance of not just surviving, but being in the ascendancy as the crisis transitions into a different, hopefully milder, phase.

Even organizations with a solid security strategy, however, are subject to market forces. It is possible that the new dominance of remote work will alter the landscape of enterprise. Just as the rapid proliferation of the internet drove some organizations into the stratosphere and left others behind to languish in the “brick and mortar” mindset (the easiest example of this dichotomy is Amazon and local booksellers), working from home at this sort of scale has the potential to divide enterprises into strata of success. As a result, remote work may become semantically linked with health and with power—or their business-speak equivalents “profitable” and “innovative”—similarly to the new connotation blue acquired after it was employed by religion and royalty in the Middle Ages.

But the more profound potential for the cultural impact of working from home centers around individuals. In just a few short weeks the quarantine has shone a bright light on existing inequalities that are all-too-easily ignored.

The pandemic is revealing a caste system, one of whose demarcation lines is the ability to work from home. This flexibility is primarily dictated by both the availability of reliable broadband access and the specific occupation in question. Rural residents with limited network access, or those in specific sectors: the service industry, shipping and transport, food distributors, and government officials often have no viable option to work from a remote location—to say nothing of the healthcare workers who find themselves thrust to the front line of the pandemic.

For others, the ability to continue to work while staying home confers a wide range of benefits. The first is obvious: steady employment. With unemployment rapidly escalating, the pandemic is already having an effect on economies worldwide. If working from home means retaining a job, this primary benefit lays the foundation for the others that follow. The second advantage lent by remote work may be a bit more hidden: continued education for their children. Schools in 130 countries have closed, disrupting the learning of over 1.2 billion students. The same reliable network access which allows them to continue working also provides for the continued education of their children and puts those pupils at an advantage to their peers. Finally, the most striking benefit that working from home while quarantined bestows is a better health outcome. If the point of stay at home orders is to prevent interaction with outsiders, preventing the spread of COVID-19, then complying with these guidelines and working from their homes ensures that those individuals and their families are less likely to fall ill.

These are not minor benefits: affluence, education, and health. And if the pandemic and working from home are revealing an existing caste system, it is also reinforcing it. Those with the ability to work from home are finding their wealth protected, their children keeping pace academically, and their expected health outcomes confirmed.

After only a few short weeks of stay at home orders, both businesses and individuals are already associating a work from home model and increased health, power, and influence. As the quarantine continues, that connection will only strengthen. COVID-19 has transformed remote work from a relatively unused mode of employment to the only viable option, and the benefits that that model currently conveys will ensure its association as not just a possibility, but as a preferred way to work for many.

After a long period in relative obscurity, blue’s popularity exploded; the spectrum of the world expanded and blue rose to become the world’s favorite color in the space of a few short decades. Starting as an afterthought, it came to be strongly associated with positive ideals and well-being. Blue’s ascendance was astonishingly rapid, but the rate of worldwide change in this early portion of 2020 makes it seem glacial: the global pandemic has the potential to establish working from home as a cultural value—and to equate it with health, affluence, and power in only a few short months. The color of the world is swiftly changing once more.

Mike Kiser

Global Security Advocate, Office of the CTO 

SailPoint

The Experience of Identity 

Or The Art of Getting out of the Way

Most people basically don’t care about online security and privacy – at least, until something goes wrong. Most people care about getting stuff done. When most people go online, they do so to interact with friends or colleagues; to shop; to do work; to use local or national public services; to file taxes; to fill in school applications; to play games…. In other words, for most people, ‘real world’ and ‘digital world’ overlap and intersect in increasingly fluid ways. And just as in the real world, if we put barriers in the way – no matter how well-intentioned – most people will make a choice to use someone else’s service.

Let’s take the exceptions, first. It is certainly true that if I want to, for instance, open a bank account, or apply for certain benefits – in person, at a bank branch (if you can find one!) or regional government office – I may need to present one or more ‘proofs of identity’. The exact process will differ from country to country, but the basic principle is the same. Yes, it’s a little annoying… but it doesn’t happen very often, and we all (mostly) understand why we are being asked to follow the process. Most important: the ‘cost’ to us, in terms of the inconvenience, in most cases balances out against the value we ascribe to the service.

Likewise, when we go shopping (IRL) the process of buying something is generally pretty quick and simple. I don’t have to answer a bunch of questions, or agree to terms and conditions, or figure out whether or not to tick the box to accept marketing information. I pick my items, hand over my cash (or tap my card, or whatever) and I’m done. Barrier to entry very low – ease of transaction very high – everybody wins.

Unfortunately, we have developed habits over several years of making it really hard for most people to do simple things online. I’m sure we all have our own favorite egregious example. Here are a couple of mine, suitably anonymised.

Exhibit One: an international budget hotel chain. They have an app for making reservations. On the opening screen of the app, they provide this nice consent box:

Two problems here. The first is rather fundamental: I’m prevented from booking a room unless I agree to receive marketing. Well, that’s just naughty. The second problem is more subtle: I have to agree to the terms and conditions before I open the app. Imagine this as a phone booking instead:

Prospective customer: Good morning, awesome hotel! I’d like to book a room, please.

Ostensibly awesome hotel: Sure! We’d love to have your business! Before we do anything else, though, I need to read you our privacy notice (which is only 10 pages long) and our commercial terms and conditions (we have a great new version of these which is only 8 pages long!), and then you have to agree to it all. Is that OK?

Prospective customer for a different hotel: (decides this is not such an awesome hotel, and hangs up)

Not very awesome hotel: oh dear, there goes another customer

Being cynical, one rather imagines that the hotel chain is hoping that people will just check the boxes as a quick way to skip over the barriers here; and they are probably right. But even then – leaving aside the dubious ethics and legality – it’s not a great experience. What I want to do is to make a reservation!

Exhibit 2: MFA. So let’s be clear. There’s no question that MFA is a lot better and a lot easier to use than it was. There’s no question that MFA makes a tremendous difference in terms of things like account takeover. But here’s the rub. Most people don’t care. Case in point: in my spare time I manage a set of online services for a local charity. Our users are smart people, but they are not technologists. We use three different platforms to run the charity; two quite specific to the org, and one which is a very common business services platform. And we use online banking. The online banking service and two of the three platforms offer MFA (or, at least, 2FA). They all do it differently. The bank and one of the charity platforms have (different) custom solutions. The common business platform uses an industry standard solution… but the onboarding process, especially for non-technical people, is byzantine. As a result, it has taken over 12 months to get a team of 10 people properly configured. No-one is happy, because there are multiple systems to contend with (none of which are particularly user-friendly) and we’ve only succeeded because the threat of non-compliance with GDPR best-practices has forced individuals into action.

There are plenty of other examples – one which gets quoted a lot is the ‘having to create an account before you do anything’. This particular design pattern, I’m pleased to say, appears to be on the decline. I’ve had several online shopping experiences recently where the choice to create an account was just that: a choice. Presented to me after I completed my purchase. And you know what? In one case, I knew I was unlikely to visit that particular store again, so I saved myself the time – and in so doing I also saved the company from having to maintain and secure an account for me which was going to serve no useful business purpose!

And that’s the point. We – and the business leaders who inform the projects we work on – have fallen into habits and patterns which, in many cases, had sensible security or privacy or operational purposes behind them but which ended up getting in the way of the customer. And we could have – we can – do things differently. Standards like FIDO and WebAuthN and SAML and OpenID Connect (and many more) certainly help. We should take care not to compromise security and privacy in our efforts to improve usability. But we should start to prioritise designs which actively help users get things done. Which, more often than not, means getting out of the way.

Andi Hindle

Independent Consultant

IDPro Board Member

The post IDPro Newsletter – May 2020 appeared first on IDPro.

“A terrific example of this was the standing-room-only experience in the Introduction to Identity sessions held at last year’s conference in Washington D.C. IDPro helps enhance the overall experience for attendees at the conference and, in exchange, we get a terrific canvas upon which to share our mission to ‘globally foster ethics and excellence in the practice and profession of digital identity’, engage our members and stakeholders (and hopefully future members), and share our progress as an organization.” – Lance Peterman, IDPro treasurer and board member 

This year, due to restrictions from the COVID-19 pandemic, Identiverse will be held virtually as a series of webinars timed to accommodate a global audience. Most presentations will offer a live Q&A and will also be available on-demand. This month, IDPro members will be presenting the following topics at Identiverse: 

Week 1: June 15 – 19 

• Monday, June 15, 10:15 – 11:05: Hearts, Minds and Wallets: The War Over Digital Identity

10 years ago no one was interested in the notion of “digital identity”. You had accounts and passwords and it was an irritating administrative function to manage all those accounts for customers, citizens and humans in general. In the last two years the war for the hearts, minds and wallets attached to a humans’ digital identity have set the stage for open warfare in 2020 and beyond by organizations and industries that see that value in being the creator and manager of a digital identity standard. What does it mean for the US and the world when champions for SSI and banks and payment processors and social media and governments and healthcare networks are all racing to create an operationally sustainable unique digital identity? Will there be tensions and challenges between these different actors when it comes time to recognize the credibility and authenticity of each other’s standards? Richard Bird regularly spends time across 5 continents working with governments and large companies, navigating the complexities of the rising interest and demand for true digital identities. He’ll share his observations in an effort to prepare you for the disruption this will create in our practices, designs and architectures for security, privacy and consumer and citizen rights.

• Speaker/s: Richard Bird

• Monday, June 15, 12:00 – 12:25: Stop Blaming the End User! Using Empathy and Understanding to Deliver Better Identity Experiences

As Digital Identity technologists, we’re used to rolling our eyes at onerous (and downright unfriendly) user experiences. But we know our SMS OTPs from our TOTPs. We’re experts at navigating complex password policies, for registration and resets. We know when to share our biometric and other sensitive data, and when to be more cautious. But spare a thought for the average user. They’re often described as the weakest link in security. We shouldn’t be blaming them. They’re bemused, confused, and sometimes livid about the hoops we make them jump through. This session will take you on an amusing and honest appraisal of Digital Identity Experience from the end user’s perspective, in their own words. Build empathy to connect with their problems by walking a mile in their shoes. We will cover user registration, authentication, password reset, account recovery and more. I’ll present a ToDo List for improving user experience, based on current industry recommendations. We owe it to society to protect end users and their data, and build trust. Cost-effective and user-friendly identity experiences are the ultimate goal. So let’s reflect on our shortcomings and get serious about improving the status quo!

• Speaker/s: Mark Perry

• Tuesday, June 16, 12:30 – 12:55: Maximizing Failover Efficiency & UX in Your Multi-Region Deployment

As the industry iterates beyond simple cloud deployments, application & identity architects confront new challenges in deploying and managing complex application instances which span the globe across multiple provider regions. Rapid failover from one region to another is a critical component for these distributed applications- but did you know how much your cloud DNS service and DNS architecture impact the speed that traffic can be rerouted from one region to another? In this talk, Jon Lehtinen shares his experiences testing several DNS architectures, and highlights how different resolution methods, failover policies, and other seemingly inconsequential components greatly impact how instantaneous- or not- your failover can be.

• Speaker/s: Jon Lehtinen

• Wednesday, June 17, 10:00 – 10:50: Identity: The Next Ten Years

The future of the standards and services we build is unwritten. We are curious about the future because we shape it. But from the works of our hands to a world 10 years hence is an unknown path. In this talk, Mr. Glazer will discuss what the future of identity could look like in 5 to 10 years: * What previous predictions about identity’s future got right and wrong * Where standards adoption will be * How associated technologies will impact our industry * What a discontinuous future might look like

• Speaker/s: Ian Glazer

• Wednesday, June 17, 11:00 – 11:25: Radiant Logic: How Verizon Media Navigated Acquisitions & Turned Identity Into a Business Enabler

Verizon Media reaches over one billion people around the world with a dynamic house of 50+ media and technology brands. After acquiring AOL and Yahoo’s businesses, the company now employs about 10,000 people. However, extensive firewalls made it difficult to collaborate across the newly merged entities in an increasingly cloud-first environment. This presentation will discuss how they enabled authentication in a zero trust environment by following the principles of least privilege. By federating identities and creating consolidated identity views, allowing over 1,000 applications to authenticate and get complete user profiles without any changes or customization to the applications.

• Speaker/s: David McCluskey, Bryan Meister

• Wednesday, June 17, 12:00 – 12:25: Browser Features vs Identity Protocols: An Arms Race?

In an attempt to protect users from excessive tracking and surveillance, the last couple of years have witnessed major browser vendors introducing increasingly restrictive anti-tracking measures. Identity protocols and features got caught in the crossfire, however, forcing identity software vendors and developers to hastily introduce changes to restore functionality that browser changes broke. Is this the new normal? What will we do when a change will break an identity feature beyond repair? This session will review the main browser changes that have affected identity over the last few years – Chrome’s SameSite and Safari’s ITP2 in particular, interpreting them as part of a larger trend and attempting to predict what the future will look like for identity customers and practitioners.

• Speaker/s: Vittorio Bertocci

Week 2: June 22 – 26

• Monday, June 22, 10:30 – 10:55: Beyond Bearer Tokens with HTTP Message Signatures

Digital signatures on HTTP messages? That aren’t broken by proxies, or TLS terminators, or gateways that reorder the headers just for fun? That’s exactly what you get with HTTP Message Signatures. This session dives into what they are, how they work, and how they can augment or replace existing API protection mechanisms such as bearer access tokens and cookies.

• Speaker/s: Annabelle Backman

• Monday, June 22, 12:00 – 12:25: The Blurring of Business Logic and Authorization

The idea of “fine grained authorization” has been around for several years now. Twenty years ago, there was a proposed standard, XACML that was focused on these fine grained decisions, and a language that could express the underlying policies. However, it never gained widespread acceptance. There is also a problem that the line between fine grained authorization, and business logic is a very hazy line. As consent and user managed access controls become more widespread, so the line between business logic and policy becomes even more blurred. I will talk about some of the reasons for the low acceptance of fine grained policy, as well as examining how the hazy line can be more easily defined. I will also address techniques that can be used to bring these different needs closer together.

• Speaker/s: Allan Foster

• Tuesday, June 23, 10:00 – 10:25: Customers and Partners – Seamless and Secure Experiences for Every Relationship

Organizations going through digital transformation need to manage and secure the identities of users beyond their organizational boundaries, including partners, customers, and citizens. They want a single solution that that is user-centric and flexible, secure, and scalable enough to support global users authenticating with any kind of identity, that doesn’t require deployment of multiple disconnected…read more »

• Speaker/s: Robin Goldstein

• Wednesday, June 24, 10:00 – 10:50: Fireside Chat: You Don’t Really Own Your Identity

You own and control your thoughts, your words and your actions. But in a modern society that’s intent on verifying everything in the midst of a global crisis like the COVID-19 pandemic, where your movements impact the health of others, what do you really control? Join Esther Dyson and Andre Durand as they explore this topic in a thought-provoking conversation.

• Speaker/s: Andre Durand, Esther Dyson

• Wednesday, June 24, 11:00 – 11:25: Ping Identity Presents: How to Measure the Unexpected Value of Customer Identity

Customer identity professionals speak in terms like IdPs, SPs and OIDC. Business leaders understand terms like customer acquisition, revenue, and customer lifetime value. This disconnect can make it difficult to convey the value customer identity investments can provide and get the resources you need. Join us in this session as we walk through a sophisticated business value calculator that translates customer identity enhancements into the results they’ll drive for your business. We’ll show you how to take inputs from your business—like login and registration abandonment rates, average customer expenditure, and profit margins—and use them to calculate the effect various customer identity enhancements will have. We’ll show example use cases from several industries and give you the opportunity to input numbers from your own enterprise to see what effect customer identity will have on your business. This session will arm you with a powerful conversation to have with your business that will convey the value of customer identity and raise your status within your organization.

• Speaker/s: Dustin Maxey, Vikas Mundada

• Friday, June 26, 10:00 – 10:50: Modern Identity for Developers 101

Modern identity promises to solve some of the thorniest problems that historically plagued handling authentication and access control in applications. That sounds great in theory, but how do things really look when the rubber hits the road – what does it take to incorporate modern identity in your applications development practice? Come to this session to learn the basis of modern identity development and be better equipped to understand and participate to more advanced developer themed sessions, at Identiverse and beyond.

• Speaker/s: Vittorio Bertocci

View the full Identiverse agenda here and register to attend . Also, join the IDPro Identiverse slack channel to discuss hot topics and network with digital identity professionals. If you need an invite, or if you’re not receiving the email list messages, contact membership@idpro.org. Stay tuned for more information 
Follow IDPro and Identiverse on Twitter for updates. There may be some surprise speakers planned, as well as some virtual social events (still to be announced). If you’ve never attended Identiverse in-person before, this is a great opportunity to learn from some of the best identity practitioners. We hope to “see” you at Identiverse!

The post IDPro at Identiverse Virtual 2020 appeared first on IDPro.