I spent last week at the Cloud Identity Summit and came away with a disturbing conclusion: commercial enterprises in the U.S. either don't care about privacy or don't consider privacy a priority.
CIS is billed as the premier identity conference held on the U.S. mainland, and it is notable for the caliber and diversity of its attendees.
This gathering of people in one place, at one time, provides massive value and you can be assured of having great, in-depth, and nuanced conversations on a wide range of identity topics with fellow attendees simply by showing up and actively engaging.
However, I was both surprised and disappointed by the lack of focus or priority on privacy in the official conference track. And that started with the two opening keynotes where the term "privacy" was not mentioned at all - I am absolutely sure about this, as I was actively listening for it.
Yes, there were a very small number of sessions that focused on it - Robin Wilton's "Ethical data use" and Jenn Behrens' "User-centric privacy" come to mind. Oh, BTW, those two sessions were in the same time slot (last day, right before lunch), so you needed to pick one or the other to attend.
The folks who noticed this and remarked on it tended to be public sector folks, whether they were from the U.S., Canada, New Zealand or elsewhere. The excuse for this lack of focus, typically from vendors, was that "privacy is not something our customers are asking for".
I am not going to bang this drum any more, but I will leave you with a relevant historical note.
Many recent conversations have referenced the WaPo article that talked about how the designers of the Internet did not consider security as part of their design, and much surprise has been expressed at their supposed naïveté.
We too are currently at an inflection point when it comes to the future design and use of the Internet, and need to make a conscious choice to weave privacy into the core fabric of security and identity.
So when an opportunity arises to bring together, at one time, a collection of knowledgeable and influential people who work on that core fabric and the tools that operate on it, it is a loss to the community, and our shared future, when such conversations are not encouraged or prioritized.
GOV.UK Verify has started a trial of what they are calling a Basic Identity Account at LOA 1. It will be the fallback account for when they cannot verify the identity of a person using their existing identity verification processes.
I really like the way that they have positioned this - the default will always be a "Verified Identity Account" at LOA 2. The "Basic Identity Account" is a fallback for when online verification is not possible.
- Interesting data point: the UK, Canada and NZ have all positioned their "Verified Account" at LOA 2. My assumption is that if the RP (relying party) wants more, it will have to accept the risk and put in compensating controls.
cyberforge: random and relevant
Amazon releases its first information request (transparency) report
NSTIC/NIST and UK IDAP/Cabinet Office have joined the FIDO Alliance. It will be interesting to watch how much of this is a desire to partake in the halo effect of FIDO's popularity vs. real engagement. (Yes, I am a bit jaded here.)