The Gap Between Knowing and Doing: Takeaways from the KNOW Identity Conference

Writer Emily W.
March 30, 2018

Emily serves as the VP of Research at Terbium Labs. With a background in International Relations, Emily alternates between quiet rants about Russian politics and foreign policy and crafting blog posts about the realities of the Dark Web (hint: red rooms aren't real).

Technology is stretching the current paradigm of identity, and, while the way ahead is unclear, we will only adapt if we do so collectively and without using fear. Panelists at the KNOW Identity Conference this week stressed the need for a new approach to identity technology, and a new tone in consumer education, all without a clear consensus on how to get there.

Earlier this week, the second KNOW Identity Conference, hosted by One World Identity, took place in Washington, D.C., bringing together the government and private sector to discuss the challenges around identity, authentication, and digital security. The conference sprawled through the Ronald Reagan Building, offering individual keynotes and a host of diverse panels for more than 1,200 attendees.

Two themes emerged: we need to update how we think about identity and empower consumers to take charge of their own security.

First: Our current concept of identity will not withstand the inevitable advancement of the digital economy.

Quite simply: we need better identities. Right now, we think of identity as being made up of two sets of information: static data, immutable and often assigned at birth, and established sets of account credentials. The static data—our dates of birth, social security numbers, and names—is powerful, precisely because it is unchanging. Credentials are messy, often re-used between sites, and accounts can be used to authenticate other accounts.

Panelists advocated a series of possible solutions in turn: passive biometrics, identities tied to mobile devices, and, of course, blockchain and distributed ledgers. While everyone agreed that the current system is untenable (that it opens gaps for identity theft and unrealistically burdens consumers with account management), the panelists split on how best to approach the problem.

One moderator posed the question this way: imagine, he said, we’ve solved the problem of digital identities and authentication. How did we get there? What does it look like? Panelists had ideas of what it would look like (unsurprisingly, this future was largely based around each of their own technologies) but were short on answers as to exactly how we get there.

Jonathan Smith, CTO and Co-Founder at Civic Technologies, argued that blockchain technology can remove personal information from the identity process. You no longer need to prove who you are, he argued, but that you match the identity that you claim to match. Identity would be a smooth, disassociated binary (either a match or not), rather than a series of individual checks on static data. On the same panel, Rodger Desai, CEO at Payfone, argued instead that mobile devices were the most seamless solution to develop new identities around: more people have mobile devices than any other type of identification, he argued. Even those without homes, without identity documents, without financial accounts, even those individuals have phones.

One panelist stood out in taking a more holistic view of the issue. Alex O’Rourke, a partner at McGuireWoods LLP, repeatedly stressed that the right to be known is a human right, and that any concept of developing a ubiquitous identity must be universally accessible. If economic development is truly a global benchmark, advancements in identity technology must develop to include everyone, not just for those with existing access to capital or technology.

Second: Education is not sufficient—we must empower consumers in order to be effective.

Dan Prieto from Google Cloud Services spoke frankly in a panel on Wednesday: There is no shortage of fear in security, and no shortage in communications, he said, but there is a shortage of recommendations.

If the industry continues to rely on the idea that security is necessarily complex and difficult to explain, companies strip the utility from consumers and prevent them from taking part in securing their own identities. As long as the security industry insists that consumers are uninterested, unwilling, or unintelligent, the industry will scapegoat them for an inability to orchestrate a more elegant solution. The security industry must shoulder the responsibility to educate consumers and to empower them to take an active role in the security process. It is too easy, and too convenient, to pitch customers a solution based on fear and mystery, only to then turn around and complain that consumers just don’t get it. This resonated with us at Terbium Labs because we work in a segment of the industry that relies heavily on images of hackers in ski masks to sell security messaging. The industry is setting consumers up to fail out of fear, hesitation, or uncertainty, and then chastising them when they do just that. We only make progress if we make progress together, and progress in security cannot be based on fear.

On the same panel, Jessica Wilkerson, from the Energy and Commerce Committee, echoed Dan’s sentiments. There’s an attitude of “let’s not frighten the poor children” toward consumers, she said, and that attitude has to change. We couldn’t agree more: consumers aren’t experts in this field, but that does not mean they are helpless or disinterested. It is the responsibility of the security community to make security accessible, tangible, and realistic—something we consistently build into the work we do at Terbium Labs.

KNOW Identity is already set to run for a third year, with its third conference to be held in Las Vegas in 2019. The conference has a lot of potential for continued growth, and we at Terbium Labs look forward to the continued conversation around building better identities.
