Three identity-related jobs later, I now consider myself quite nicely “niched” in identity. I (finally) understand most of what I’m talking about (it only took a couple of years!) and I’m excited about where identity is headed. One unexpected side effect of my equally unexpected foray into identity: the emergence of privacy as a concern…a concern enough that I felt compelled to put myself out there on social media and share.

Privacy Breadcrumbs

I’ve always been a bit hesitant to share too much of myself online. I’ve been known to put on the detective outfit, get my magnifying glass, and go down the rabbit hole of high school classmates on a Friday night, and I didn’t want anyone returning the favor. I also had a strong sense of wanting to protect my child from a life documented online at a time when a child’s first presence online is a line on a pregnancy test or an ultrasound. Of course, I knew that my identity was not as simple as a username and password. My digital identity was the entire footprint I was leaving behind online. With every photo uploaded, every search query executed, every app downloaded on my phone, I was leaving a lot of information behind, and I had no control over what that information was or how it was used. 

Completely opting out of online life wasn’t an option for me, but I also felt that there was a great imbalance between the personal data we constantly give away in exchange for using a service and the reward it has for large tech companies. The fact that this tradeoff wasn’t transparent to me–and I worked in digital identity, for goodness’ sake–bothered me. How can I expect my friends who know nothing about tech to understand what is really happening with their data when I don’t know what is really happening with our data? 

The Privacy Learning Curve

One of my most engaged-with posts. I guess we’ve all had this experience!

It was time for me to take a deep dive into the world of data protection and transparency in technology. 

• Why should I care if someone hacks into my account, as long as they didn’t buy anything?
• Does Alexa really listen to us? 
• When you download an app, what is all of that data being transferred in the background without your knowledge? Is there any way of knowing for sure? 
• Why should the average person care? After all, we’re not that interesting and we have nothing to hide, right? Alexa can have my grocery list. She can listen to the dinner table conversations about daycare and taxes. 

These are some of the questions and concerns (or lack thereof) that I’ve heard over the past year or so when I’ve talked about my privacy and data protection work. It’s been really interesting, and honestly, somewhat frustrating, to try to confront these huge questions about technology and how it is so tightly integrated into our lives. I’ve covered everything from dark patterns with cookie consent to using password managers to covering your laptop camera with a camera cover. In fact, one of my most viewed reels is identity related – I did a reel of myself authenticating with a YubiKey.

Practical Privacy Education for All

A sample of Hannah’s Instagram content

I aim to bring practical privacy education to the masses. Most people are not going to buy a Raspberry Pi and set up a DNS block. Heck, most people are not even going to bother switching off precise location tracking to apps on their iPhones. I try to give people tangible things that they can do to protect their data while still acknowledging the very real fact that most of us live at least a portion of our lives online in the media we consume and in the ways we stay connected with people. My audience is not us ID Pros, although I hope you find it interesting. My audience is our friends and families who have no idea what we do for a living and just know it’s “computer stuff”.

Advocacy

I’ve found my privacy and digital footprint education attempts to be rewarding. I’ve had people tell me that they had no clue what was going on with their personal data. But now that they’ve learned, they’ve been more careful about what they share online.  It’s been uncomfortable for me on some level. I have never enjoyed sharing myself online, and now I am sharing videos of myself. I hate hearing my voice on the podcasts I’ve been on. It’s a human thing, I think that none of us like our own voices. I’ve pushed through the discomfort because I believe that sharing this information and advocating for more transparency in technology is not something that everyone is equipped to do. Thanks to my background in digital identity, I believe I have the experience and knowledge to know just how important our identity is, including all of the breadcrumbs we leave behind as we traverse this crazy thing called the internet. And the least I can do is leave behind something useful.

About the Author

Hannah Sutor is passionate about all things digital identity and privacy. She currently works as a Senior Product Manager at GitLab, focusing on authentication and authorization in a DevSecOps context.

Hannah has spoken at various conferences on digital identity, privacy, cybersecurity, and devops workflows. She is also a content creator; writing articles and creating engaging, easy-to-digest content on these topics for those without a technical background.

She lives outside of Denver, Colorado, USA, and enjoys bad reality TV just as much as she enjoys a walk in the woods.

You can find her educational posts on Instagram.

The post Identity Practitioner by Day, Warrior for Privacy at Night appeared first on IDPro.

The conference this year will have a particular focus on Trust, which the Oxford English Dictionary primarily defines as a “Firm belief in the reliability, truth, or ability of someone or something; confidence or faith in a person or thing, or in an attribute of a person or thing.”

Questions of trust lie at the very foundation of our identity systems.  We trust standards bodies to develop protocols that will be useful, practical and secure.  We trust developers and vendors to build products, solutions and services that will implement those standards in performant, scalable and extensible ways.  We trust providers to deliver robust services that we and our customers can rely on.   We trust executives to listen and to support and fund the crucial work that we do.  And, of course, we develop and implement mitigations in case our trust is misplaced.

But trust is broader than this; and trust goes both ways.  As consumers and as citizens, we would like to trust that organisations won’t collect information they don’t need; that they will handle that data safely and properly; that they will keep pace with rapidly evolving best-practices in identity, security and privacy.  A world in which that trust is not assured is an uncomfortable world at best; and many people today live, work or interact in circumstances which are not inherently trustworthy. 

The OED has a secondary definition of Trust.  “To take on (also upon) trust (formerly also †to take up in (also upon) trust  †to receive in trust and variants): to believe or accept a statement, story, etc., without seeking verification or evidence for it.” (Emphasis added).  

Over the past 24 months, we’ve seen an explosion in digital identity assurance and verification programs.  Mobile drivers’ licenses, COVID and other healthcare passes and certificates, digital boarding cards, facial recognition for age verification and in-store check-out… the list is long, and it is growing.  As a result, we’re also seeing an explosion of interest in governance and interoperability within and between use-cases and sectors: trust frameworks, attribute mapping and matching, account linking and more besides.

These advances hold great promise to make our lives more efficient and connected; to reduce friction, and fraud, and risk.  But a balance is needed, too.  Trust is a fragile thing—hard to gain, easy to lose, difficult to rebuild.  Organisations and institutions must take care not to overstep the bounds of our trust, lest they lose our engagement and, in the end, our support.

Trust is an important topic, but it’s certainly not the only issue of note in the industry!  The topic focus each year for Identiverse infuses but does not dictate the agenda and the event.  New and emerging standards and architectures; deployment stories and leading practices; identity for connected devices; new approaches to privacy, security, devops, engineering; sector-specific identity practices in healthcare, manufacturing, government, education, financial services and more; and specific identity-related disciplines like CIAM, auth’n, auth’z, self-sovereign, IGA…. That list barely scratches the surface: and your proposals on these and many other topics will inform and contribute to the agenda.

This year’s content committee and I look forward to seeing your proposals; and I trust that we’ll be able to get together in person in Denver in June.

Andrew Hindle

Independent Consultant, Board Member IDPro

Andrew is an independent consultant specialising in digital identity, cyber security and privacy. He is a founding member, and Chair of the Board, of IDPro; he participates as a voting member of the User Managed Access Working Group at Kantara; and he is an active member of the Open Identity Foundation (OIDF).  Since 2015, he has been Content Chair for Identiverse®. Andrew has over 20 years experience in the software industry in a range of technical sales, pre-sales, product marketing and business development roles. He maintains CIPP/E, CIPM and CIPT privacy certifications with the IAPP; a CIDPRO certification from IDPro; and holds a BA in Oriental Studies (Japanese) from Oxford University and an advanced professional diploma in corporate governance. Outside of the world of identity, Andrew is Chair of Trustees for his local scouting group, rides regularly with a local road cycling group, and plays keyboard, guitar and bassoon (not at the same time) with more enthusiasm than skill, and for an audience of one. Andrew is based in the UK.

The post Identiverse® 2022 appeared first on IDPro.

Last month, we sat down with Heather Flanagan, Body of Knowledge Editor for IDPro. This month, as we continue our series of posts “Getting to Know IDPro,” we interviewed George Dobbs, Board Member and Chairman of the IDPro Body of Knowledge Committee. George shared his experience in the identity industry, why IDPro is so important to the ecosystem, and much more.

IDPro: Can you share a bit about yourself and how you got involved in the identity industry?

George: I took a math major in college and got an opportunity to work on computing jobs for the school administration. It was remote computing in the sense of dial-up with an acoustic modem.  That led to a job with a company that sold computing time with a similar set up. Back then, companies would pay high fees to get access to storage and computing. When microprocessors became powerful enough for basic tasks, there was a demand for the skills needed to set up basic computing tasks based on such devices as the TRS-80 and eventually the first IBM PC. After a  five-year stint as self-employed, I moved to an insurance company where I got involved with local area networking (LAN). Novell Netware 2.x was all the rage at that time and that was my first exposure to digital identity. As the 80’s turned into the 90’s, the bindery turned into a directory. In the 90’s the Novell packet technology and directory were overtaken with TCP/IP and Microsoft’s Active directory. I got involved then setting up gateways and firewalls. Eventually it came time to have customer and agent logins to websites. This was a new use-case that gave me the opportunity to design and build and as I moved on to another company, there was a reprise of the project. At a third company the same need came around again, but by the 2010’s the nature of the project was heavily influenced by defensive needs; financial institutions, through the internet, had become regular targets for fraud.  

IDPro: What brought you to IDPro and what prompted you to join the organization?

George: I first got involved with others in the identity space with the Network Application Consortium in the late 90’s. That’s where I first heard of the Jericho project and the concept of identity as the new perimeter. I think the concept was done a disservice by the terrible name – “boundaryless computing” – that someone came up with, but the idea was prescient. Boundaries and zones remain part of the toolkit but identity has become a key aspect of security. So when I heard Ian and Sarah call those at the Cloud Identity Summit to action, I figured the need for protection from fraud and other attacks is a good reason for collective action, so I joined IDPro.

IDPro: Can you explain your role in IDPro?

George: I’ve been a board member since the first board was seated. It seemed clear that the most important thing to take on was the Body of Knowledge so I helped by framing how that would work in our organization and forming a committee of which I have been the only chair to date. We drafted a “table of contents” and defined a process to find and select the Principal Editor which was accomplished about 18 months ago when we found Heather. Heather has met and exceeded our expectations, so my role has changed from first mover to something more akin to guide or coach.

IDPro: Why do you think IDPro is important for the identity industry and ecosystem? 

George: My first response is that the very notion of an identity industry is only now being incorporated into mainstream thinking. In the past, if it was thought of at all, it was as part of the “information security” domain. There have been many attempts to improve the identity landscape over the years but what IDPro attempts to provide is a big tent into which all sorts of topics and roles relating to the identity industry can fit and be knit together. Hopefully this allows players from government, industry, education and even concerned citizens, to provide foundational knowledge for the next generation and – perhaps more importantly – provide guidance to society as a whole as we move more fully into the inevitably digital future.

The post Getting to Know IDPro appeared first on IDPro.