ISMG Editors: Are We Closing in on a Federal Privacy Law?
The State of Passwordless in 2022, New Identity Technologies
Anna Delaney (annamadeline) • June 17, 2022
In the latest weekly update, Jeremy Grant, coordinator of the Better Identity Coalition, joins three editors at ISMG to discuss important cybersecurity issues, including where we are with passwordless, if we are getting closer to a U.S. federal privacy law, and next-gen authentication technologies.
The panelists - Mathew Schwartz, executive editor, DataBreachToday & Europe; Anna Delaney, director, productions; Jeremy Grant, managing director, technology business strategy, Venable LLP; and Tom Field, vice president, editorial - discuss:
- What domino effect - if any - we have seen since Microsoft, Apple and Google announced their joint endorsement of the FIDO protocol a few weeks ago;
- The likelihood of the U.S. Congress delivering on a federal privacy bill;
- New identity technologies and innovation.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the May 27 edition discussing highlights from the ISMG London Summit and the June 3 edition discussing what's hot at RSA this year.
Anna Delaney: Hello, I'm Anna Delaney and welcome to the ISMG Editors' Panel. And this week, we are joined by a very good friend of ISMG. And that is, of course, the excellent Jeremy Grant, managing director of technology business strategy at Venable, also coordinator of the Better Identity Coalition. And also with us, familiar faces, Tom Field, senior vice president of editorial, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Welcome, Jeremy, delighted to have you join us.
Jeremy Grant: Thanks. Good to be here with you.
Delaney: So Jeremy, where are you? I'm going to take a guess. Maybe, Lisbon.
Grant: I'm in Lisbon, which is where I should be two weeks from today, if all goes well. Although I am most definitely not where Mathew is. We were just talking before this started. RSA was the super spreader event for COVID. So assuming I recover, I will be there in two weeks and definitely not at RSA.
Delaney: Wishing you a speedy recovery, Jeremy, and it was great to meet you in person as well.
Grant: Most definitely! Long overdue.
Delaney: So Mathew, you are, perhaps, in San Francisco?
Mathew Schwartz: Yes. I am flashing back to San Francisco. Just to Jeremy's point, we had worried that 2020 would be the kind of RSA doomsday scenario. But it seems like there's a fair few number of people coming out of the event this year, unfortunately, who did catch it this time. So far, so good for me, but fingers crossed. And it's a lovely event. It was wonderful to see people again in person, to get to meet Jeremy, and just to have a bit of chat with everybody.
Grant: Hearing all the people who've got it, there's a famous line from the rapper Nas, where he says, "I don't sleep because sleep is the cousin of death." And I'm thinking RSA is the cousin of death this year, given all the people who have emerged with disease and pestilence coming out of it.
Schwartz: That's not the transform tagline they were going with, Jeremy.
Grant: Cousin of death. It's going to be the theme next year.
Delaney: So, Tom, are you in Maine? Is that where you are?
Tom Field: I am. That's because I had COVID pre-RSA. And I was unable to travel this year, because I didn't want to be the super spreader. So I stayed home. And while you folks were opening your studio in San Francisco last week, I stepped out on my front porch and captured this sunrise. So yes, I'm in Maine. Will be here for a while. Jeremy, I'm here to encourage you. I came through in a good five to eight days, and I think you'll be fine too. And you'll be in Portugal soon.
Grant: I'm looking forward to that. Thanks. Feeling well enough to be with you today.
Delaney: Take lots of rest. But of course, Tom, you were there in spirit because you were helping us so much on the ground. So we appreciate that. Well, guess where I am?
Field: I have an idea. But I'll keep that to myself.
Delaney: Well, after four intense days in the studios at RSA, I thought catching my plane back to London. I thought I need air and I need nature. So this is what I found. I guess it's along the coast and around the Muir Beach. But that was a glorious finale.
Delaney: Yeah, around that, sort of driving around. So, forgive my lack of geography here. But anyway, I loved it. Jeremy, back to RSA for a moment, even though you probably don't want to talk about it for a while now. But from an identity perspective, what were the highlights for you and observations really?
Grant: Beyond meeting you in person and talking identity?
Field: Close the conversation right there.
Grant: Yes. I'll say RSA has become a conference that I go out for the week. I rarely go to the conference. I did speak this year. And I think the highlight for me was that panel, I got to moderate a great panel with Lisa Lee from Microsoft and Dr. Rébecca Kleinberger, who's a researcher with the MIT Media Lab. Looking at voice, talking about voice both as a substitute for the keyboard but also as an authentication tool, and looking ahead to all of the security concerns around it. I'll say it's not particularly rosy in terms of when you're looking at voice but looking ahead to say perhaps applications in the metaverse where voice will be the keyboard. You're not going to be typing while you're wearing a headset, for example. And what might that mean? So good discussion, good audience participation in questions. And that was a real fun panel to dive into for 45 minutes.
Delaney: And Jeremy, just before passing the baton to Tom, did you learn anything new this year?
Grant: I think the main thing I learned was just how little I knew about voice and Dr. Kleinberger. She's done some TED talks online. She's not a security researcher. She's a voice researcher, and I think looks at the topic from a bunch of different dimensions that most of us have never thought about, including, apparently, to be making any of the sounds I'm making right now, I'm coordinating - what did she say? - more than 100 muscles in my body all at the same time. So, fun fact, you can break that out of the party sometime and see how close people can get to the number.
Delaney: I'll keep that one. Tom, over to you.
Field: You know, given what Jeremy has just told us, I've had a heck of a workout already today. I'm feeling good. Jeremy, I want to ask you a couple of questions that we've discussed in previous conversations. But given that you've just come back from the cybersecurity Mardi Gras, you might have some different perspectives. One is about passwordless. Given the conversations you've been able to have, the presentations you've seen, how would you now describe our current state of passwordless?
Grant: So I would say that was the other highlight I didn't get from RSA was the big FIDO seminar on that Tuesday, which was four hours talking all about the new announcement around passkeys and multidevice credentials, and how you're basically seeing all the platforms double down on their commitment to expanding their commitment, to the FIDO standards, to finally kill the password. So I think I used the phrase, talk to my hand. There's an old Parliament record, “Standing on the verge of getting it on.” And that's how I would describe things right now. We've been talking about this for years, there's been a lot of hype, a lot of interesting individual solutions that are out there, but most of them are proprietary. Now you got Apple, Google and Microsoft, who basically collectively make the operating system on everything we're using. And a lot of devices as well, saying, "this is how we're going to do this going forward, building off of FIDO standards, and leveraging some new innovations around the passkey concept." I think this now means that in the next 18 to 24 months, you'll start to see consumer experiences where the default is, rather than create a password, you'll be asked to create a passkey that will be synced instead across your devices, and you'll never have to use the password again. It's pretty exciting.
Field: I'm glad you didn't describe the state as the cousin of death. Thank you. Jeremy, a few weeks ago, we spoke immediately after Microsoft, Apple, and Google came together in support of the FIDO protocol. So a few weeks later, can you describe the significance of it then? What, if any, domino effect do you now see, now that we have this endorsement?
Grant: I think dominoes is probably a good analogy. I think what you're seeing is a lot of people are looking at this and trying to parse the announcement to understand what's underneath it all. But there's been good buy-in across the board. I was excited when the announcement came out a few weeks ago. Jen Easterly, who's the head of CISA, contributed a quote to the press release, she's been on a real crusade. Boston's more than a feeling, AD said to promote more than a password, Bob Lord from CISA came and spoke at the FIDO seminar at RSA. I think we're getting an impact or inputs on the FIDO side from other governments as well, looking into this and saying, "this is actually really good advancement forward." And I think a lot of big players in the private sector as well … I would say that the mood is one of excitement. Not that there aren't questions, I think, underneath the core announcement that everybody's rallying together, there's also some change in terms of how cryptographic keys for login are going to be used. I think that the big tradeoff on the FIDO announcement has always been one: when you look at authentication based off cryptographic keys, which is what FIDO is, what happens if you have several devices. And what you're seeing now is the platforms are going to find ways to securely sync to the credentials across the devices, which makes it a lot easier for your everyday user to go passwordless. And I think what I'm seeing is a lot of heads nodding, saying, "okay, there's some security versus usability tradeoffs here, but the security benefits, because it's so much more usable, are far outweighing any security downsides from this," and so a lot of good excitement.
Field: Very good! I'm going to stick with the music theme, pass this on to my colleague, Mathew, and I will invoke the Grateful Dead as we keep on "Truckin'."
Schwartz: Picking up the musical baton, in the immortal words of Richard Marx, "Right here waiting," is how we have been for such a long time when it comes to a federal data privacy law. Now, this week, we had Representative Cathy McMorris Rodgers, from Washington, saying she sees the best opportunity we've had to pass a federal data privacy law in decades happening now. We've got bipartisan legislation that would bolster consumers on privacy rights and is gaining momentum. So some of the tech industry, the tech giants, and advertisers think the protections afforded to consumers in the current draft of the bill might be overly broad, typical tension there. But after decades of lawmakers at the federal level, failing to pass such a privacy bill, do you think it could now be in reach?
Grant: So we've covered Richard Marx, Nas, Parliament, and the Grateful Dead. I used to run a free form radio station back in Ann Arbor, but I'm not sure I ever had a set that had all of that. So I will not say privacy is “Standing on the verge of getting it on,” like Parliament, like passwordless. But there has been some real movement the last couple of weeks in Washington, and I think it's worth paying attention to. I've got a copy of the discussion draft right here, because I've been combing through it for identity and cybersecurity elements, a bipartisan privacy bill that has been introduced by or will be introduced by what people are calling three of the four corners. So based in Washington, DC, to dive into Congressional lingo for a bit. You've got the chairman and ranking member of the Senate Commerce Committee and the chairman and ranking member of the House Energy and Commerce Committee, and those are the committees that have jurisdiction to write a privacy bill. In the Senate side, ranking member of the lead Republican Roger Wicker, along with you mentioned Cathy McMorris Rodgers and Frank Pallone, the Democrat and Republican, have all come together around that draft I was holding up, which is called the American Data Privacy and Protection Act. So the fact that you have a bipartisan bill that's in the House and Senate, even if you don't have the support of the Senate Commerce chair, Maria Cantwell, it's pretty notable. And I think a lot of people are paying attention. There was a big House hearing yesterday where they dove into the bill and got a lot of feedback. It's in an interesting spot, in that, as you pointed out, a lot of folks in industry, in the advertising space, are saying it's terrible. The ACLU is also saying it's terrible. I started my career as a Senate staffer in the 90s. One of the rules of thumb was if you have a bill, and everybody hates it on all sides, pass the bill, because that means that you've actually done something right.
If nobody's happy with it, that might be the right policy. I'll say going through the bill, it's not ready to pass. It needs a lot of work. There's a lot of problems with it right now. But at a high level, the concepts they're laying out, if you're drawing this fire from different parties, maybe you're onto something. And so I do think that there's just not enough time between now and the elections. Congress, for all purposes, will shut down in mid-September — getting ready, so people can campaign for the midterm elections. But what you're seeing here, even if the House and Senate flip, and you have Republicans in charge next year, is an outline of something that could be a bill that could advance. And so I think people are certainly more excited in DC, everybody's paying attention to this draft, taking it much more seriously than anything I've seen in the last few years, because they realize that this could be the starting point for a comprehensive privacy bill.
Schwartz: I was struck by the last Congressional session. I think we had at least a few dozen bills that touched in some way on privacy. And there's been a real shift, even if some of them are, or a lot of them, most of them are in passing. It seems like there's a groundswell toward data privacy rights, hopefully coming in at some point.
Grant: Yeah, I'll say a big challenge on this has always been wanting to do with California. You're trying to get a bill passed by the House, you need Democrats to do it. I think one in four members of the Democratic caucus is from California, and you want them to vote to preempt the laws already in the state. So what this new bill would do is carve out California, but also carve out the Illinois privacy law that has gotten a lot of attention. And so there'd be a couple of carve outs, but not a lot. From a policy perspective, it’s a little hokey, but when you start to look at the political compromise it might take to pass a federal law, that's an interesting approach.
Schwartz: Wonderful. One more question for you. And I can't think of his own transition, although maybe it'll come to me. But you were talking about voice back to the future. What other new identity technologies are you tracking? New is old, old is new, whatever, are you tracking for this year? Next year? What do you think we'll see some more innovation?
Field: Marvin Gaye; "What's going on?"
Grant: There we go. I was going to go with Men at Work, "Who can it be now?" Excellent identity song if there ever was one. So in terms of new stuff, I'll say, there are some companies that are looking at some things around what I call next-generation authentication. Where do we go from beyond FIDO that are pretty interesting, but very early stage? But I think 2022 and 2023 are going to be focused on the deployment to FIDO and passkeys and the further refinements of that concept. I think passwordless is going to transform a lot of things. And then the second is on the identity verification side. To give a preview, I'll be at the Identiverse conference in Denver next week, leading the panel looking at bias issues and face recognition and how it's impacting the identity verification market. Companies that can demonstrate that they work well across every age group, every ethnicity, every sex, with all of the concerns we've seen from Congress and in the press and advocates and just the general public this year around that. I think identity verification technologies that can demonstrate that they work equitably, across every different type of population is going to be a big deal in this space.
Schwartz: In the immortal words of The Who, "Who are you?"
Grant: Yeah, not a great identity song. One of the best identity events of my life was when I was at an identity standards meeting in Phoenix, and we realized The Who was in town, and so we all had to go see them.
Schwartz: Happy ending.
Delaney: I'm going to ruin this medley, I think, with no song, but maybe you can help me out. Jeremy, you told me earlier today that you've done some analysis of the new privacy law. Any identity issues that you want to highlight?
Grant: Yeah. Going through the bill, I think there's a few things that stand out. And you know, we're within the Better Identity Coalition looking through it and looking to reach out to the sponsors to talk about what I would call some perfecting amendments. Because I think there's some things that they're looking to do in there that maybe weren't drafted as carefully as they could be. One that stood out essentially says there's a bunch of things that are just flat out restricted, and it puts limits on the collection, processing or transferring of Social Security numbers, except when necessary to do a few things, including authentication. And I read that and was a little horrified because you never want to use an SSN for authentication. Authentication requires a secret and the Social Security number stopped being a secret a long time ago. You do want to use it for identity verification, or if you need to have a use case where you need to essentially resolve an individual to unique identity. So there's what, probably 35,000 Tom Fields, only one hopefully has his SSN. And I need to use it for that. But I never want to ask Tom for the last four, because the Russians have that, and the Chinese have that, and a lot of other people can get it on the dark web for about 87 cents. So I think getting that right terminology in there in terms of where you do and don't want to use SSN. Our point back to the sponsors was, you want to codify the use of the SSN for authentication. That seems like it's a terrible idea. Beyond that, they've got some restrictions, just in terms of biometric information, where again, they call it a bunch of exceptions where you can use it, but identity verification is not one of them. They say you can't be transferring passwords, that's more sensitive information. But we want to point it out to them; it's not just passwords anymore, there's other authenticators as well. And so you want to keep that information also protected.
And then I think there's a bigger set of issues, which is this bill, like GDPR, like the California laws, that would give individuals data ownership and control, essentially, the ability to go to a company. I could go to ISMG and say, "I want to see what information you have on me," or "I don't like that, I want to correct it, I want you to delete it, I want you to move it somewhere else." If ISMG doesn't know that it's me making that request, that's a great attack vector for an adversary to come in and steal that information. There was a great paper at Black Hat, a couple years ago, where a couple of researchers showed how they were able to steal information by making GDPR requests to companies. So just to show that this isn't just theoretical. The sponsors of the bill did a good job, I think, in pointing out that if your company can't verify the identity, you don't have to submit that data. And we want to point out to them, "look, that's good, because identity verification is hard." But if you want to recognize this ideal that we actually can give people true control over their data and access to it, what you need is some identity infrastructure to enable that. And so this is where it gets back to some of the core work of the Better Identity Coalition. If we had these investments on the government side that can help to close the gap between the nationally recognized authoritative credentials that government issues today and that work in the physical world and this gap we have in the digital world be easier than ever to give people control over their data. And I think we want to weigh in to suggest that as part of passing the privacy bill that don't ignore the identity layer of this because otherwise you don't get to deliver that benefit to people.
Delaney: Very comprehensive answer, Jeremy. Thank you. So, lastly, quick fire question. What's the biggest lie sold or told in cybersecurity? Tom, go for it.
Field: We genuinely care for our customers' security and privacy. If you did, we wouldn't be having this conversation.
Schwartz: And I always love it when a company comes out and says, "we have bulletproof security that it is impossible to hack." If you ever want an invitation to hackers to come and prove you wrong, them's fightin' words.
Grant: I'd say it's "if you buy our product, you're going to stop the attackers. But just our product, none of the other products."
Delaney: You've been in this industry a while, haven't you? Well, I also think, "humans are the weakest link" is another one, which is great because this wasn't designed for humans. But this has been very enjoyable. Jeremy, thank you so much for your insight. We always feel better informed and educated. So we appreciate it.
Grant: Great talking again, virtually, if not in person. Thank you.
Schwartz: Thanks, Jeremy.
Delaney: Thank you so much for watching. Until next time!