Thursday, October 15, 2015

GHC15: Identity and Privacy Presentations

Identity & Access Management: Who is Touching What?

Laura Chapba, VP of Bank of America

Laura found herself with a 1.8 GPA and realized she should not be in pre-med. Major change to tech! Graduated with a 3.1 after LOTS of hard work and then started her career.  There are two paths you can choose for a career: go deep and become a subject matter expert, or have fun exploring many roles and moving around a lot - like she did. :-)

Laura uses applying for a credit card to demonstrate identity and access management.  We're pretty good at the provisioning part - verifying identity to issue the card.  There are more problems with deprovisioning - when are you no longer using this card?  Users are not good at identifying this, but credit card companies now automate it: haven't used the card recently enough? They will automatically close your account and give the credit line to someone else.
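The automated deprovisioning Laura describes is the same pattern that keeps stale user accounts, API keys and service credentials from lingering. Below is an added example of such an inactivity sweep in Python; it is not code from the talk or from Bank of America. The 150-day warning and 180-day closure thresholds, the Grant record and the sample grants are all constructed for illustration. Never-used grants are aged from their issue date rather than kept forever, which is the case a naive "last used" check misses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical inactivity policy (an assumption for this example, not the
# bank's real numbers): warn the holder at 150 idle days, revoke at 180.
WARN_AFTER = timedelta(days=150)
CLOSE_AFTER = timedelta(days=180)


@dataclass
class Grant:
    subject: str                       # who holds the access (card holder, user, service account)
    resource: str                      # what the access unlocks
    issued_at: datetime
    last_used_at: Optional[datetime]   # None means never used since it was issued


def decide(grant: Grant, now: datetime) -> str:
    """Return 'keep', 'warn' or 'close' for one grant under the policy."""
    # A grant that was never used ages from issuance; otherwise from last use.
    # Without this rule, never-used grants would be idle forever and never swept.
    reference = grant.last_used_at or grant.issued_at
    idle = now - reference
    if idle >= CLOSE_AFTER:
        return "close"
    if idle >= WARN_AFTER:
        return "warn"
    return "keep"


def sweep(grants, now: datetime) -> dict:
    """Partition all grants by action; the 'close' list is what gets revoked."""
    actions = {"keep": [], "warn": [], "close": []}
    for g in grants:
        actions[decide(g, now)].append(g)
    return actions


# Constructed sample data, evaluated on the day of the talk (UTC).
NOW = datetime(2015, 10, 15, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice", "card-1111", datetime(2014, 1, 1, tzinfo=timezone.utc),
          datetime(2015, 10, 1, tzinfo=timezone.utc)),    # 14 days idle  -> keep
    Grant("bob", "card-2222", datetime(2014, 1, 1, tzinfo=timezone.utc),
          datetime(2015, 4, 1, tzinfo=timezone.utc)),     # 197 days idle -> close
    Grant("carol", "card-3333", datetime(2015, 5, 1, tzinfo=timezone.utc),
          None),                                          # issued 167 days ago, never used -> warn
    Grant("dave", "card-4444", datetime(2015, 10, 10, tzinfo=timezone.utc),
          None),                                          # issued 5 days ago -> keep
]

if __name__ == "__main__":
    for action, grants in sweep(SAMPLE_GRANTS, NOW).items():
        print(action, [g.subject for g in grants])
```

Run the sweep on a schedule and feed the "close" list to whatever actually revokes access; the "warn" list is what gives a legitimate but quiet user a chance to object before the credit line, or the account, goes to someone else.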

Now - authentication and authorization are really hard.

How do you authenticate that the person is allowed to use the card?  You could ask for a driver's license (NOTE: Thought this was not allowed by merchant agreement?).  Then verifying that folks have the credit limit is a little trickier.

Case example: Amy moves to NYC and gets a new app, NYC101, which asks for access to her Facebook account. She authorizes it, and has fun exploring NYC.  Then the NYC101 database was hacked... and the hackers knew her mother's maiden name, birthdate and home town. That's enough to get credit cards in her name!  Now... she's a victim of identity theft. :(

So - be careful about sharing this information online!

Why are they looking for women in this space? Looking for people that want to work together on diverse teams. Need people that are willing to collect all the facts before jumping to conclusions and willing to work with sensitive situations.

Identity Toolkit

Hadas Shahar, Technical Program Manager of Google

Identity is a building block of every website you want to build. Most websites allow you to use an ID and password, or use another system to authenticate - like Facebook, Twitter, and G+. Usually you are given several choices and most of us cannot remember which one we used.

The login screen is the first impression people have of your website - and usually the most complicated and confusing.

OpenID is making some progress - but we are not there, yet.

One idea: take someone's email address first, THEN determine what they used to set up their account on your site in the past and redirect them to that page.  That is, if you previously signed in with a username and password - it will take you there.  Likewise, if you used Google to authenticate, it takes you there.

But why do we have to type our email address every time? The browser now remembers your commonly used email addresses (because who has only one?)
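The email-first flow above is small enough to show end to end. What follows is an added example in Python, not code from the talk or from Google's Identity Toolkit: the account table, the login paths and the federated-domain table are all constructed for illustration. It normalizes the address, looks up how that account signed up, and redirects to the matching login page; unknown addresses in a federated domain go to that domain's identity provider, and all other unknown addresses go to the same password form that existing password users see.

```python
from urllib.parse import urlencode

# Constructed sample user store: which method each known account signed up with.
ACCOUNTS = {
    "amy@example.com": "password",
    "hadas@example.com": "google",
    "val@example.org": "password",
}

# Hypothetical login endpoints on this site (assumptions, not the toolkit's real URLs).
PROVIDER_LOGIN = {
    "password": "/login/password",
    "google": "/login/idp/google",
    "facebook": "/login/idp/facebook",
}

# Optional domain pinning: every address in this domain signs in through one IdP
# (for instance a company that uses Google for everyone). Assumed for the example.
DOMAIN_IDP = {"corp.example": "google"}


def normalize_email(raw: str) -> str:
    """Trim and lower-case so 'Amy@Example.com ' and 'amy@example.com' are one account."""
    email = raw.strip().lower()
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise ValueError("not an email address")
    return email


def route(raw_email: str) -> str:
    """Return the login path to redirect to for this email address."""
    email = normalize_email(raw_email)
    domain = email.rsplit("@", 1)[1]
    method = ACCOUNTS.get(email)
    if method is None:
        # Unknown address: a federated domain's IdP decides whether the user
        # exists; everyone else lands on the password form, the same page
        # existing password users get, so the redirect alone does not say
        # whether an account exists here.
        method = DOMAIN_IDP.get(domain, "password")
    # login_hint carries the address forward so the user does not retype it.
    return PROVIDER_LOGIN[method] + "?" + urlencode({"login_hint": email})


if __name__ == "__main__":
    for addr in ["Amy@Example.com ", "hadas@example.com",
                 "newperson@corp.example", "stranger@example.net"]:
        print(addr.strip(), "->", route(addr))
```

The one design point worth a second look: an email-first screen always tells a caller something about which addresses are registered, since the redirect for a Google-linked account differs from the redirect for a password account. Sending unknown addresses to the same password form as known password users keeps that signal small; it does not remove it, and rate limiting on this endpoint is still needed.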

This is also hard from a developer perspective - you have to work with all of the different APIs/systems.

Google Identity Toolkit is hoping to lower the barrier to entry, making it much easier for developers to get this right.

Ethical Market Models in the Personal Data Ecosystem

Kaliya Hamlin of IIW

Kaliya has worked on a report: Personal Data: The Emergence of a New Asset Class. What type of data are they talking about? Relationship, government record, health, communications, education, context data (where are you, who are you with, what are you doing?)... and identity data.

Currently there are a lot of unethical data practices out there.

Data sources: public records, retail, schools, websites... passed on to data brokers who aggregate data about you and resell it.  Then it comes back and affects your life, and you never consented.

The individual should be at the center of their own data lives.

We need a personal cloud (data bank, data store). You should be able to put your geolocation data somewhere and have it be YOUR data under your control.  You could even understand yourself better with this data.

Vendor Relationship Management: rewiring how we interact with businesses today. What if businesses had to come to us to get our information?

We need a persistent data store that we can share with trusted vendors.

"Infomediary Services" - an agent that will go on the web and find deals for you. It's great if you trust these services with your info, as opposed to the entire market having this information and acting on it.  Right now, you can go searching for mortgages or about a life event, then change your mind or complete the purchase - but the offers don't stop. There is no way to signal "I'm done" - and no way to remain private.

There is a long-standing business model of data aggregation services - like Nielsen and Arbitron. People trust those aggregation services because they are not sharing my name; they've aggregated the data. Businesses get information without all of those businesses knowing who I am and everything about me. They don't need that.

We are making this real with a worldwide consortium: pcc.

There is an Identity Workshop in Mountain View, CA, October 27-29, 2015 and again in April.

Life of PI - Protecting Your Personally Identifiable Information

Alisha Kloc, Security Engineer of Google

What happens with your personal data? We're in an information age, data is everywhere.

In the past, you only needed to protect your credit cards and passwords.  Now, there's so much more - photos, etc.

How is our data kept private? Well... there are no industry-wide standards for user data privacy. This is getting better in the EU, but not so much in the US.

Privacy should be figured out early in the development lifecycle - during design - and designs should be reviewed by privacy experts. Products should only ask for the data required to make them work, and keep that data safe.  At Google, they also have privacy code reviewers, to make sure products are properly integrated with privacy protection tools.

We need to make sure we receive that data securely - encryption, encryption, encryption! You have control over your Google data - control is key! [Note: I did not know this - will have to figure out how to configure this.]

Data must also be encrypted while stored, with restricted access.

You should be able to access your data freely, but others should not.

Google has tightly restricted access to users' data. All requests are audited and reviewed by a team before data access is given.

All granted access is audited - they will know everything the Google employee looked at and did with the data.

Google does not give your personal info to third parties unless you tell them to, your account is managed by a domain admin, they are using a trusted partner to process information, or the law requires them to.

Data is not deleted right away - users often delete things by accident. Data becomes deactivated, and after a period of time it is really deleted.

Be smart - is a 10% discount worth giving away your name, email, zip and phone?

Talk about this - advocate for change. Let companies know this is important to you as a user. Choose products and services from places that actively protect data.  If you're a developer, work with others, share ideas and try your best to do this right.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!