Caveat 12.15.22
Ep 153 | 12.15.22

The promise of equal digital identity.


Ricardo Amper: Having a strong identity system is completely correlated to progress. These type of identities can make a big, big difference.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben talks about the state of Indiana taking legal action against TikTok. I look at the collapse of the FTX exchange and the arrest of its founder. And, later in the show, Ricardo Amper from Incode - we're talking about the egalitarian promise of digital identity. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, why don't we jump right into our stories this week? You want to lead things off for us? 

Ben Yelin: Sure. So many states have been taking action against TikTok. I know in our state of Maryland, they banned the use of TikTok among state government agencies. So no more funny videos from the Department of Traffic about snowstorms. We have to suffer without that. 

Dave Bittner: OK. 

Ben Yelin: But one state is taking things a step further, and that's the state of Indiana. Its attorney general, Todd Rokita, is suing TikTok under a state consumer protection statute. So the allegation is that TikTok has deceived its users about China's access to their data. And he's also concerned - and he expressed this in the lawsuit - that TikTok is exposing children to mature content. And this is the first time that a state has taken action in court against TikTok. It's going to go to the Indiana Superior Court, so it'll be a state-based case. The allegation about China is interesting. It echoes, I think, what we've heard from federal secretaries, including the FBI director, Christopher Wray... 

Dave Bittner: Right.

Ben Yelin: ...And Treasury Secretary, Janet Yellen, that this is a parent company that has very close ties to the Chinese government. And, you know, we've talked about on previous episodes that they could mine this treasure trove of data from TikTok for all different types of purposes, including national-security-related intelligence stuff, just because it's such a rich source of data. TikTok, for its part, has tried really hard to prove its disassociation with the Chinese government... 

Dave Bittner: Right. 

Ben Yelin: ...And I think the adjudication of this case will depend on how believable that is. They have offices located in several locations across the world that are not China. And so I think they've tried to emphasize that, though their parent company is a Chinese company, they are not beholden to the Chinese government. The chief executive of TikTok mentioned that the data of U.S. users is actually hosted on servers controlled by an American cloud computing company, Oracle. And he said that the Chinese government would not be able to access that data. 

Ben Yelin: The Indiana attorney general pushes back against those claims in this lawsuit, saying that Chinese law gives the government the authority to demand data from a U.S. affiliate of a Chinese company. And even though TikTok has eventually promised to delete all of the U.S. users' data from the cloud, it's unclear how that's actually going to work in practice and whether data is going to be sufficiently protected. 

Ben Yelin: So the lawsuit here is not just about the fact that China has played such a large role in this company and that there are risks to the users in Indiana who use TikTok. Part of it is that the lawsuit alleges that people in Indiana have been misled - that TikTok has not properly represented its relationship with the Chinese government and has made assurances about their data that don't stand up to the facts on the ground. And I think the ultimate result of this lawsuit is going to depend on that divide - whether TikTok can convince the court that it actually protects U.S. persons' data or whether the state of Indiana can prove that they are still susceptible to Chinese blackmail and the forces of their authoritarian power. 

Dave Bittner: Could the local TikTok folks - and perhaps I can coin a new term here - EULA-gize (ph) this. 


Dave Bittner: Where they take the EULA - which I'm reminded from one of our other shows - Joe and I got scolded for not explaining what the term EULA means. So it's end user license agreement. Could TikTok change their EULA and say, hey, everybody, if you want to use TikTok, your data might go to China (laughter). 

Ben Yelin: So I don't think you can EULA-gize your way out of this... 

Dave Bittner: OK. 

Ben Yelin: ...So to speak. I think it's already in their EULA. Everything they would need to say to cover themselves legally is probably already in there. 

Dave Bittner: Right. 

Ben Yelin: As you can expect, I'm a limited TikTok user, but I did not read the full, 400-some-odd-page EULA, as... 

Dave Bittner: Oh, come on. That's entertainment for lawyers like you, isn't it (laughter)? 

Ben Yelin: I know. I mean, I know I'm supposed to... 

Dave Bittner: OK. 

Ben Yelin: ...But I fell asleep through the first paragraph, so... 

Dave Bittner: OK. 

Ben Yelin: I'm sure they've covered their legal bases there, but I think it's just a question of the veracity of their claims. You know, I think they try and disclaim any liability by saying it's possible under some circumstances that, even though we try to protect the data, it's going to be susceptible to government requests on, you know - in limited circumstances, I'm sure that's something that's in the EULA itself. But what the state of Indiana is saying is that they are misrepresenting their security to their customers in their public statements. So beyond what's on the terms and conditions that nobody reads are public assurances that the data is safe, and it's not prone to collection by the Chinese government. I think what this lawsuit is saying is that those attestations on behalf of TikTok and its CEO aren't backed up by what actually happens and that the risks of Chinese access haven't properly been disclosed to TikTok users. 

Ben Yelin: I think one potential strength of this lawsuit in Indiana is looking at what's happening overseas in Europe. So in Europe, because of their stricter data privacy laws, they've been forced - TikTok has been forced to disclose that their data can be accessed by individuals outside Europe, including those in China. I think they made those assurances/caveats, if you will, in their terms of service in Europe because they realized they could face accountability under GDPR. Because they don't face that level of accountability in the United States - I don't know how strong the data protection laws are in Indiana. I don't think they're particularly strong. 

Dave Bittner: Right. 

Ben Yelin: We're not talking about California or Virginia - some of the states that have passed these data privacy laws. They might not have disclaimed that liability or put a provision like that in the end user license agreement in Indiana. But the fact that they put this in the EULA in Europe might indicate what their actual practices are. So in the words of the Indiana attorney general, that is misleading and deceiving Indiana customers. 

Dave Bittner: So what are they after here? What is Indiana looking to get out of this? 

Ben Yelin: So they want an injunction that would force TikTok to stop giving - basically be a court-ordered mandate to stop giving any data to the Chinese government. And they're seeking what I would characterize as nominal damages. So they're asking for $5,000 per violation. You know, that might add up when you think about TikTok and how many users it has nationally. Indiana's a state that probably has a population of some eight to 10 million. So you calculate the number of kids and discerning adults and teenagers who are obsessed with, you know, the latest TikTok trends - that's going to be a lot of users. I don't think it would bankrupt TikTok to have to pay that level of damages. 

Ben Yelin: I think they're more interested in the type of injunction that would force TikTok to take some type of corrective action. And I think if TikTok sees that this is not just limited to the state of Indiana - that this is a model lawsuit and that they're potentially going to be held liable in other states - not to mention that they're still under threat from being shut down or significantly regulated by the federal government, that might force them to change their practices or at least change some of these alleged misrepresentations in their terms of service. 

Dave Bittner: So is the idea here that TikTok has the burden of proof on them to demonstrate that they've put whatever they need to put in place so that it's not possible for them to share this data with the Chinese? 

Ben Yelin: So in a technical sense, the burden of proof is on the state of Indiana 'cause they're the ones initiating the lawsuit, so... 

Dave Bittner: Right. Oh, interesting. 

Ben Yelin: It's a civil case, which means the standard is preponderance of the evidence, which is 50% plus one. You know, you don't have to be as sure as you are about putting somebody in jail, but you have to have the better argument. So I think the state of Indiana is going to have to argue in court that TikTok is misleading its customers. We might get to the point where there's kind of a de facto portion of the lawsuit maybe that comes out in discovery, where TikTok is forced to put up or shut up and show, to some level of particularity - and these are probably going to be in ex parte proceedings - that the way they are protecting their data complies with the terms of this Indiana statute. But at least from a facial level, the burden of proof is still on the state of Indiana to show that they are violating this consumer protection statute. 

Dave Bittner: How do you think it's going to play out? 

Ben Yelin: I think this is going to be one of those endless lawsuits, where we go through years of discovery without much happening. 

Dave Bittner: Oh, goody (laughter). 

Ben Yelin: I know. I know. I always want to have some satisfying solution here... 

Dave Bittner: Right. 

Ben Yelin: ...So that way I can get some legal clarity. I also think we know that this is not going to be the only state-based case against TikTok. You know, I think states like to copy each other. Maryland might have been the first or second to prohibit the use of TikTok among state employees. I know Utah was another state that took that action. So generally, these types of cases come in bunches, and you might see a series of state cases. It would really only take one successful case in one sympathetic court to get TikTok to really alter its practices and do a better job of safeguarding the data. But it just remains to be seen whether any of these states can get past that threshold matter of showing in court that they're actually misrepresenting themselves in a way that violates consumer protection laws. 

Dave Bittner: Yeah. All right. Well, (laughter) there's nothing to do but wait, right? Keep an eye on it. 

Ben Yelin: Yeah. I wish this could be one of those things where, like, you know, within one or two weeks, we could have some preliminary resolution... 

Dave Bittner: Yeah. 

Ben Yelin: ...So that we can give our listeners an answer here, but... 

Dave Bittner: I mean, could TikTok basically just put an end to this by saying, hey, you know, here's everything you need to know, and here's what we're doing to make the changes you requested, so go away, please? 

Ben Yelin: Yes. They could try and do that. 

Dave Bittner: Yeah. 

Ben Yelin: That could be part of a pretrial settlement, and they might do that. Their other option, which is what I suspect they'll probably do, is answer the complaint in Indiana court with kind of a point-by-point, you know, denying with some level of specificity all of the allegations in the complaint. And I think that seems to be the strategy that they're going to take if you take their public statements as any indication. 

Dave Bittner: OK. 

Ben Yelin: They have pretty good lobbyists and lawyers in the United States, and I think they've done a good job, particularly at the federal level, convincing policymakers that they are not a pushover for the Chinese communist government. 

Dave Bittner: And yet the director of the FBI remains skeptical. 

Ben Yelin: Right. Well, it's a little hard to buy off the director of the FBI. You know, members of Congress - you can wine and dine, take them to the nicest D.C. restaurants. 

Dave Bittner: Right, right. He's such a buzzkill... 

Ben Yelin: I know. They're not as... 

Dave Bittner: ...Director Wray. Yeah (laughter). 

Ben Yelin: Yeah - and my sister, Secretary Yellen. 

Dave Bittner: (Laughter) Sister by another mother? 

Ben Yelin: By another mother - exactly. 

Dave Bittner: Right. Right. 

Ben Yelin: So, you know, I tend to think that they have a pretty good public relations strategy so far. And they have a major advantage in the court of public opinion because they are the most popular social network in the country at the moment. And they have the youngest userbase, which means TikTok is very valuable to advertisers... 

Dave Bittner: Oh. 

Ben Yelin: ...And that's something that could certainly factor into this. 

Dave Bittner: Right. 

Ben Yelin: So it's a moneymaking machine. 

Dave Bittner: For everybody. 

Ben Yelin: Yeah. Everybody uses it. And certainly, the biggest companies in the country have taken advantage of that. So, you know, perhaps they weigh in on this Indiana lawsuit and say, you know what? We're pretty confident in TikTok, too, like... 

Dave Bittner: Let's not be hasty here. 

Ben Yelin: ...Let's not be too hasty. I think we're - you know, we can all benefit from this relationship. 

Dave Bittner: Right. 

Ben Yelin: TikTok is standing pretty strong in how it's responding via statements through its legal counsel and other representatives, basically saying that they're confident that they will fully satisfy all reasonable U.S. national security concerns and that they've tried to implement solutions to prevent the undue collection of data. So we'll see how believable that is in a court of law - if it ever gets to that point. 

Dave Bittner: All right. Well, we will have a link to that story in the show notes. I want to talk this week about FTX and Sam Bankman-Fried, who's the founder of FTX. Now... 

Ben Yelin: Thirty-year-old wunderkind who is now - I think, as we speak, he's probably in the process of getting extradited to the United States. 

Dave Bittner: That's right. 

Ben Yelin: He was arrested last night in the Bahamas. 

Dave Bittner: Yes. 

Ben Yelin: So you're just enjoying a nice vacation at Atlantis, going down the water slide, and those Bahamian law enforcement officers pull you right out of the water. 

Dave Bittner: They're just waiting there with a nice, fluffy, dry towel. 

Ben Yelin: Exactly. Exactly. 

Dave Bittner: So I want to go through this together 'cause we haven't really talked about this here, and I think there are a number of really interesting policy elements to this that we can dig into. Do you - are you familiar with this enough that you could just give a little bit of the backstory of what FTX is and who this guy is and why we should care about them? 

Ben Yelin: Sure. So FTX is a cryptocurrency company. They had really gained in prominence over the past several years. I kind of knew them from their advertising. Every umpire in Major League Baseball has an - or at least had - an FTX logo on their jersey. So it had gained in prominence. It was kind of the second generation of crypto companies after we got the bitcoins of the world. 

Dave Bittner: Right. 

Ben Yelin: Samuel Bankman-Fried was their CEO, and he had gotten in trouble with the U.S. Securities and Exchange Commission for basically misleading the consumers about the benefits of this online cryptocurrency platform. He has denied any criminal liability. He said he never, quote, "tried to commit fraud," but... 

Dave Bittner: Who does (laughter)? 

Ben Yelin: Right, exactly. There's also - there are also money laundering charges that have been alleged as part of this criminal complaint. So it's, I think, part of a broader picture, where the cryptocurrency industry is kind of falling apart. Cryptocurrency lost a lot of value in markets over the past year. 

Dave Bittner: Right. 

Ben Yelin: I think the bubble has - most bubbles do kind of come crashing down... 

Dave Bittner: Yeah. 

Ben Yelin: ...And FTX was kind of at the center of that. What I think Bankman-Fried has tried to do is go on a bit of a public apology tour, where he says, I might have made some mistakes, but I never committed fraud. And I think that was a huge mistake on his part because... 

Dave Bittner: The SEC begs to differ. 

Ben Yelin: Right. And generally, if you're facing legal liability, the last thing you should want to do is make a bunch of public statements. And I think the last element that we should consider here is he was due to testify in front of the House Banking Committee, and there was some question about whether he was going to show up. It seemed like he was going to write a statement, but might not show up, so that's kind of another element. Did I miss anything, or is that... 

Dave Bittner: Yeah. I think you're absolutely right. And my understanding is that some members of the media have seen his prepared statement, so they know what he was going to say. He's not going to say it because, as you say, he's in the process of being extradited. One other thing... 

Ben Yelin: Can I just add one thing really quickly? 

Dave Bittner: Yeah. 

Ben Yelin: The media has released the first line of his opening statement at his - what was going to be his testimony in front of the House Banking Committee. 

Dave Bittner: Right. 

Ben Yelin: And I'm going to quote this without using the actual swear word in the sentence. 

Dave Bittner: OK. 

Ben Yelin: The first line was, I would like to start by formally stating, under oath, I blanked up. 

Dave Bittner: He effed up. 

Ben Yelin: He effed up, yeah. 

Dave Bittner: OK. 

Ben Yelin: So what a guy, this SBF. 

Dave Bittner: Well, yeah. Here's what I'm curious to chat with you about with this. Is - I'm trying to separate the alleged fraud here - the alleged mismanagement of this company - with cryptocurrency, the exchanges, the currencies themselves writ large because I think they're two different things. I think there's a lot of people who are sort of celebrating the collapse of this, who - because they're saying, see, I told you so. There's nothing to any of this crypto stuff. It's all a ripoff. It's a house of cards. It's, you know, it's tulip madness all over again. It's Beanie Babies. There was never any value here. Ha ha. You all got what you deserve. 

Ben Yelin: No one will be laughing when I sell my Beanie Babies collection and make millions. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: So just hold off on that. 

Dave Bittner: So - but that's different from what may - what is alleged to have been going on behind the scenes here, which is, you know, Bankman-Fried was allegedly funneling billions of dollars to his own hedge fund, mismanagement, giving himself loans worth billions of dollars. So all sorts of behind-the-scene things that are bad stuff - bad allegations. 

Ben Yelin: Known as fraud... 

Dave Bittner: Right. 

Ben Yelin: ...In the industry. Yep. 

Dave Bittner: Right. But that doesn't necessarily mean that - and let me just say at the outset here, I'm not trying to be an apologist for any of the cryptocurrency folks. I - count me as a cryptocurrency skeptic, right? I... 

Ben Yelin: Same here. And I think I've been from the beginning. 

Dave Bittner: Yeah. 

Ben Yelin: It just never... 

Dave Bittner: Yeah. 

Ben Yelin: ...Made sense to me. And I've had friends tell me how wrong I am, but you and I have stood pretty strong on this over the years. 

Dave Bittner: So that's where I'm trying to come at this from - is the difference between - could this have been, you know, garden-variety - albeit with large sums of money - garden-variety fraud, which is alleged here, versus the fundamental underpinnings of the exchange and cryptocurrency itself? Can we separate the two, or are they hopelessly intertwined? 

Ben Yelin: So I think you make a good point. I think there are two separate issues. One is with the enterprise itself, and then the other is with Samuel Bankman-Fried, who is just kind of a con artist. 

Dave Bittner: Allegedly. 

Ben Yelin: Allegedly. 

Dave Bittner: Right (laughter). 

Ben Yelin: This has not been proven in a court of law. 

Dave Bittner: Right. 

Ben Yelin: Wait for the actual case. 

Dave Bittner: Right. This allegedly brought to you by the CyberWire's legal team. 


Ben Yelin: Oh, I loved the radio voice you used when you did that. So starting with SBF, I think we've seen actors like this in the financial sector pre-cryptocurrency, and we will see it post cryptocurrency. I mean this is - he's basically a crypto Bernie Madoff. 

Dave Bittner: Yeah. 

Ben Yelin: And this is a pyramid scheme, where he was taking other people's money and fraudulently using it for his own enrichment - allegedly. 

Dave Bittner: And it's all great as long as the prices keep going up. 

Ben Yelin: Right. People start to notice when the industry comes collapsing upon itself. The second element of it, apart from SBF and FTX, is what's happening in the industry itself. I would say that, yes, you could isolate Samuel Bankman-Fried. It's not endemic to cryptocurrency to have somebody who's alleged of doing these terrible things, but I think it's particularly prone to it for a couple of reasons. One is just our past experience. We know that several of these exchanges have been under federal investigation, Binance being one of them - the world's largest cryptocurrency exchange. Some of their top executives have been under investigation for potential fraud. And the other reason I think it might be more prone to this type of fraud is because it's new and it's relatively unregulated. 

Dave Bittner: Right. 

Ben Yelin: So it's one of those - it's not a sufficient explanation to say, oh, this is cryptocurrency. Of course this is, by nature, fraudulent. I think that's just kind of one ingredient into what happened with Samuel Bankman-Fried and FTX. 

Dave Bittner: Let's talk about the regulatory element, though, because I think there are lots of people who will look at this and say, well, crypto has been an interesting playground, right? I mean, it's been an interesting test case to have - could this be the future of finance, and is it better to let the market decide? Is it better to let these things play out? The regulators have been, as you say, relatively hands off when it comes to this. So there are some who would say, well, that's great. That's the way it should be. I imagine at this point, there are some saying, see? Told you so. These knuckleheads can't be unregulated. We got to get them under control here. 

Ben Yelin: Yeah. I mean, I do not want to get too political here, but we've seen this happen numerous times. This is not a cryptocurrency problem. This is a financial regulation problem. There end up being these dangerous financial products that are getting a lot of people rich. And when those products are valuable, when, you know, everybody is making billions off of cryptocurrency or subprime mortgage loans or the dot-com boom in the late 1990s... 

Dave Bittner: Yeah. 

Ben Yelin: ...I think the SEC and other government agencies are like, you know what? Let's not mess with this. Sometimes they'll even take deregulatory efforts to kind of let the market flourish. And then there's always the proverbial turd in the punchbowl, usually a consumer advocacy group that's like, hey, this is actually presenting some risks. We've built this house of cards that's very unstable. And if it's not properly regulated, when it comes crashing down, we're going to discover a lot behind the scenes about what went wrong. 

Dave Bittner: Right. Yeah. I mean, Elizabeth Warren's kind of built her career on this, right? 

Ben Yelin: She's been doing this her entire life. I mean, that's one of the reasons we have the Consumer Financial Protection Bureau... 

Ricardo Amper: Right. 

Ben Yelin: ...Is we wanted to prevent something like this from happening in the future. So I just - one thing that's frustrating to me is not enough people, when cryptocurrency was valuable - and this is a very late 2021 mindset - but not enough people stopped and said, you know, now is actually the time where regulators should get their hands on this because, yes, it might cut against the value of cryptocurrency. But if something seems too good to be true, it almost always is. And it's better for regulators to get involved early before you have a situation like you have here where people are getting arrested and individual innocent Americans who have invested their earnings in cryptocurrency exchanges are really suffering as a result of what's gone on in this market over the past year. 

Dave Bittner: Yeah. 

Ben Yelin: So that's just my personal view. You know, I think the libertarian view is that whenever the government gets involved at any point, things inevitably get worse. And I think the other side of the ledger is this is what happens to an industry that is underregulated. 

Dave Bittner: Yeah. And, I mean, partially to your point, there are a lot of, like, retirement funds and things like that that were heavily invested in this. I - and have lost their money. I suppose you could say, well, they took - they rolled the dice. They took the risk. This is - everybody knew this was high risk. It was high-risk, high-reward potential, right? So, you know, dial in your risk ratio, your ability to absorb risk, and off you go. But at the same time, I can't help wondering, will this be the thing that triggers more scrutiny and perhaps more regulation for the whole industry? 

Ben Yelin: One funny anecdote about all of this is there was a Super Bowl commercial with Larry David. It's actually - to me, it's one of the funniest Super Bowl commercials I've ever seen, even though it was apocryphal. So they have Larry David at various points in history, kind of pooh-poohing various modern inventions. 

Ricardo Amper: Right. 

Ben Yelin: So he's like, wheel? What do we use that for? 

Dave Bittner: (Laughter) Right. 

Ben Yelin: And then at the end, you have this guy in Larry David's office trying to sell him on FTX as a currency exchange. And Larry David's like, I'm - I don't buy it, and I've never been wrong about this type of thing. 

Dave Bittner: (Laughter). 

Ben Yelin: And the irony of this is that the character that Larry David is playing in that commercial has actually been vindicated... 

Dave Bittner: Yeah. 

Ben Yelin: ...Because this all did come crashing down... 

Dave Bittner: Their own commercial (laughter). 

Ben Yelin: ...Within a year. Yeah. And it - yeah, it was their own commercial. So, yeah, I just - I do feel sorry for people who took this risk. Yes, they did know it was a risk. Lots of financial products that have - I would say every financial product that seems to have an unlimited reward comes with what should, to most people, be an intolerable level of risk. But, you know, that's why regulations are important, so that you can minimize those risks and also make sure it doesn't have downstream ripple effects on the economy. 

Dave Bittner: Yeah. 

Ben Yelin: I don't think cryptocurrency has risen to the level of prominence in the macroeconomy that it's going to have the type of effect that the collapse of the housing market did in 2008, for example. So I think we can be sort of grateful that this bubble burst before we got hurt even more as a country. 

Dave Bittner: If you're one of the other exchanges, what are you thinking right now? 

Ben Yelin: I would get all of my legal ducks in order and make sure that... 

Dave Bittner: Maybe it's time for a little internal audit (laughter). 

Ben Yelin: Yeah. I would check our own books... 

Dave Bittner: Right, right. 

Ben Yelin: ...And just expect that there is going to be a DOJ, SEC or IRS investigation at some point and make sure that every last dollar is accounted for because I think this SBF experience will lead regulators, particularly at the SEC, to put a watchful eye, whether fair or not, onto all of these other cryptocurrency exchanges. 

Dave Bittner: Yeah. All right. Well, I'll have links to a couple of the stories that are covering this in the show notes. I mean, this one's everywhere, so it's not hard to find. We would love to hear from you. If there's something you'd like us to discuss here on the show, you can email us. It's 

Dave Bittner: Ben, I recently had the pleasure of speaking with Ricardo Amper from Incode. And we're talking about digital identity and some of the promise that that has as we move forward. Here's my conversation with Ricardo Amper. 

Ricardo Amper: From a digital identity perspective, there's a big revolution happening around the world. And it happened because with COVID, there was a big change. Before COVID, when you wanted - or when someone wanted to verify people's identity in a high-security setting, they would ask someone to go to a physical place and have a human being verify their identity. And, of course, for obvious reasons, people didn't want to go to doctors, to a notary. They didn't want to go to a bank branch. And digital identity, high-security identity became really important. 

Ricardo Amper: And in that sense, what changed was that companies needed to find an alternative that was technologically viable and was online to verify people's identity with ease and with security - and not just that. The fact that identity was based - it still is based - on a piece of paper, which was an Egyptian invention from 3,000 year old and the fact that we can't learn from someone's identity - oh, and we have to repeat the process of asking for an ID and proof of address and many things over time makes it a very, very obsolete industry that is primed for this change. 

Dave Bittner: Yeah. It's a really interesting point, you know? I think about my youngest son who's working on getting his driver's license and just everything we have to go through with that - of getting a copy of his birth certificate and, you know, all those sorts of things. And is your sense that that's simply not good enough anymore? 

Ricardo Amper: It is absolutely not good enough. As you know, many people in the U.S., for several purposes, buy fake IDs. It's easy. You get it through FedEx and DHL. And to go through that process that your son is going of verifying that he knows how to drive and that he is who it is so that very easily someone else can take his identity is something that I don't think it's cool and appropriate. 

Dave Bittner: Well, I think about my own experience. And as you mentioned, you know, I'd say my driver's license is my primary form of identification. Where do you suppose we're heading, then? I mean, what could replace that? 

Ricardo Amper: Yes. If you think about the things that are wrong are - first, as I said, it's a piece of paper, B, that it's based on human beings trying to verify that with all the biases, unconscious or conscious, that human beings have. The third is that you have to repeat the process over and over. And you can't learn from your previous experience so that every time, it's easier and more secure. And a big one is privacy - that you have to go, and for every bottle of beer you want to buy, you have to show your ID. And the tender knows exactly where you live, what your blood type, you're the donor - just doesn't make sense. 

Ricardo Amper: So we're going to a place where IDs are more accessible because it's online and you don't have to go to a physical place, where there's a lot less bias, because even for all the biases that people think about machine learning and technology - it's a lot less than humans. And so we think an identity that's more inclusive and accessible because it's just a fairer identity, one where - with all the consent of users and embracing the privacy laws, we can understand through your behavior if you're you or not. And every experience that you go through - is just easier than the previous one. That's the fourth - the third one. And finally, privacy - that you can buy that bottle of beer by attesting that you're over 21, or you can be on the metaverse with a different name, different form factor, but still, you're safe to interact with kids. So we're going to much more intelligent, accessible and safer identity. 

Dave Bittner: And how would this work? I mean, if I'm, you know, walking up to buy that six-pack of beer and I'm going to interact with the person behind the counter, how do both of us do that? 

Ricardo Amper: So imagine - the first thing is that you need to prove that you're you. And there's a certain set of technologies that help you to do that. The iPhone made facial recognition accessible. And everybody's now - now feels good - by looking at your phone, you can get access to it. So imagine it's the same technology. You go to that store. You show your face and you give consent. The only thing that person gets is that that person is over 21. Or you look at your phone, and you show your phone, and you present your phone through wireless technologies. And we can do exactly the same. We essentially transfer a certificate that that person knows that you're 21. 

Ricardo Amper: And if you get audited - I mean, they won't get audited - but think about a use case that's a little bit more serious like that. It's important that the person who's actually giving the service has some sense of auditability and a certificate that that person can show to an authority proving that they're actually complying with the law, but not necessarily they have to have information that is just completely irrelevant. 

Dave Bittner: Well, I think about, you know, from a security point of view - again, going to my driver's license, it has a hologram on there that helps, you know, verify that it's legitimate. Is the digital certificates that we're talking about - is that the digital equivalent of that hologram? 

Ricardo Amper: Yeah. It's a good comparison. The security features that on your driver's license were made so that, very easily, with light or just basic equipment, you can prove that that was a genuine identity. And then you look at the picture. You compare that. And, yes, it's that person. So it's the same thing but digitally, but except with the fact that it's just very easy to fake a driver license nowadays. Even if you're comparing the information versus the information that's provided by the DMV, it's just very easy to take a picture of an existing real driver license and use that information or just copy that into a new driver license. 

Ricardo Amper: So instead of that, you use biometrics and other technologies so that you, through a certificate that's literally impossible to fake because it's using cryptography - you can actually prove certain characteristics about the person. And everything, by the way, is with consent. So you have that use case of retail. But just think about banking. Think about how cool it would be if you already are using, let's say, a company that uses Incode, and the next time you're going to go open a bank account, it's just a matter of presenting your face, presenting a second factor like your last four digits of your social or your phone number. And then with that reconsent, you transfer just the information that the bank needs from you - nothing more, nothing less. And with that, in 30 seconds, you have a high-security transaction that's a lot easier. We think that's where we're going. 

Dave Bittner: And what is the initial setup like? I mean, how do I establish to my mobile device - let's say, my iPhone - that I am indeed who I say I am? 

Ricardo Amper: Well, there's going to be different ways how you do it. Some of them are going to be by relying on your phone, although we don't think it's the perfect one, because you - your phone can be stolen. The best way is yourself, right? Like, they can steal a password. They can steal a device. But it's very difficult to steal a face, particularly with kind of world-class technologies like we and others have. And so imagine, you know, walking to one of the fintechs - customers like - that we have, such as, for example, Chime or customers like we have with Citibank. And imagine that you go open that bank account. You provide that information. But the next time that you do that, it's just going to be e-shared because with your consent, we have that information. And we can share it in an intelligent way to the next company that you want to interact with. And as you go through that process, it just becomes a lot easier. 

Ricardo Amper: Now, think about the country. Think about a person who is doing fraud. Right now these people go from bank A to B to C doing fraud. And these banks don't talk to each other - at least from identity. They do for credit fraud because there's a credit bureau. But from an identity perspective, they have no way of knowing. And so with what we're proposing is there's a way where banks don't have to share that information. But when we see a face and where we see a driver's license, we can ask the banks, hey, is this Dave or not? It's not telling me, give me all the information about Dave into a CINT (ph) that I can store, and then maybe hackers can get into that. It's not that. It's just asking them, hey, is this face or is this driver license, Dave? And they answer yes or no. And with that, it's impossible for fraudsters to go from one bank to the other. 

Dave Bittner: Tell me about some of the privacy features here. I mean, I think, for a lot of folks - they may be concerned or uncomfortable with the notion of having their ID scanned and then stored. You know, I could see if someone went to a medical clinic or a gay bar or something like that. How do you ensure that privacy is maintained? 

Ricardo Amper: I think there's a misconception where a lot of people think that privacy laws are a problem for our industry. Actually, it's a blessing for our industry because what they did is they change the premise of who is the owner of the information. Before those privacy laws, the banks and the bars or whoever you asked for that information became the owner of that. And then they could share it to other people without your consent. And by these laws asserting that the citizen is the owner of their identity means that the citizens are in the driver's seat. And so they can make the decision of which companies they want to interact with, which technologies they want to be part of it. And that allows us to be breaking information silos and enable use cases like the ones that I just described. 

Ricardo Amper: Think about the status quo. What is easier? If you go and show your ID to buy a beer or to get into the stadium, it's just very easy for someone to just take a picture of that, and they have all your information. And then if you compare that to the digital equivalent - when we ask for ID, we don't store a photo of your ID. We don't store a photo of your face. We store a cryptographic equivalent of that - a hash that represents that information but even if it's stolen, even if it's unencrypted is not a picture, is not something that they can go and transfer and use. And so if you compare the status quo versus that, it's just a lot - is, like, exponentially easier for people right now, with the current status quo, just to take a picture versus getting your information the way we store it. 

Dave Bittner: So if I'm understanding you, I mean, is it correct that - say, for example, I wanted to go buy that beer. I could set it up to say that really all I want to do is verify that I'm old enough to do this. They don't need to know my name. They don't need to know my address. All they need to know is that I am indeed old enough to make this purchase. 

Ricardo Amper: It's exactly right. And so that's the only information that they keep. And even, you know, companies that did more information, like, for example, a bank or a fintech or a doctor, the way they get that information is in a way where it is much more protected. They know just information that you need to give it to them. They don't have - you know, they or us - like, they - we don't store the copy of the ID so that some hacker can go and steal it. We have a certificate that says that we checked that ID, that these are the times that we did, and we're sure that this person is who they say they are. So it's a very different proposition. 

Ricardo Amper: If a hacker were to just get a certificate that says, we did a test, as opposed to, hey, here's the picture; here's the ID, which is - right now if you go just to a normal doctor - right? - and they scan your ID and they scan your insurance card, they actually have the pictures. So what we're proposing is something that is just common sense. We store only the information that we need to store. And we're going to store is something that people can identify you biometrically easily. 

Dave Bittner: What do you suppose it's going to take to see widespread adoption of this, you know, to make this be the ubiquitous next standard? 

Ricardo Amper: Look, it's interesting because it's already happening. After COVID, a lot of the digital channels were quite inefficient. So we were talking to a few of our bank customers. And imagine that when someone - before COVID - to get a checking account, I would say like 95 or more than 95% of people that go to the branch - they get their checking account. But when they had to do it digitally, it's only 40% - that they could get it immediately. The rest have to go through a very lengthy process, and a lot of them dropped off. So because of that, these companies had to adopt these technologies. And right now hundreds of millions of Americans are already using. So that's really good news. 

Ricardo Amper: The second thing that is important is that around the world, these technologies are even more used because the first thing we use in the U.S. is Social Security number, but it's a very U.S.-centric thing, where we're thinking about the world. The first thing they use is an ID, that piece of paper. So around the world, everybody's using this type of technologies. And the most interesting thing is the amount of progress that it comes with it, because 1% increase in the amount of trust that we have between each other correlates exactly to .86% increase in GDP. It's almost 1-to-1 correlated. And so the more people use these trusted technologies, the more progress we can see. 

Ricardo Amper: And we can see that in India. India 12 years ago was one of the lowest trusting societies in the world. Like, only about 9% of Indians trusted each other. And what happened is that government and companies went - come together and built a digital identity platform that now every Indian uses. And it's pretty safe, pretty inclusive. And right now India is the most trusting society in the world, with about 58% of Indians trusting each other, and they're growing at 9% per year. So having a strong identity system is completely correlated to progress. And certainly in the U.S., where about 20 years ago, we're about 50% trust - now it's about 37% trust - these types of identities can make a big, big difference. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: I'm not sure I buy it. I was a little skeptical in that interview. 

Dave Bittner: OK. Fair enough. 

Ben Yelin: I thought it was interesting, but, like - and maybe this is just me being naive and set in my own ways - but I just think there are so many different ways that digital identity could be potentially abused. I think he was very - he was dismissive on some of the controls that we have on regular identification. That's certainly a - or nondigital identification - and that's certainly a good point. I guess I'm just a little skeptical that the technology exists now and is scalable in a way that this could be our new form of identification. 

Dave Bittner: Yeah. All right, fair enough. But we appreciate him coming to join us and sharing that information - interesting stuff. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.