Caveat 7.20.23
Ep 180 | 7.20.23

The cost of identity.


Jeff Reich: There are certainly some organizations that are managing identity and securing identities very well. The good news is about half of the organizations are doing a really good job. And the bad news is about half the organizations aren't there yet.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland's Center for Health and Homeland Security. Hey, there, Ben.

Ben Yelin: Hello there, Dave.

Dave Bittner: Today Ben discusses a new legal challenge to Texas's law banning TikTok on state-issued devices. I've got the story of tax preparation companies allegedly oversharing data with Meta. And later in the show, my conversation with Jeff Reich, Executive Director at the Identity Defined Security Alliance. We're discussing the cost of identity. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Alright, Ben, before we jump into our main stories this week, we've got some follow-up here. A couple weeks ago, I believe, we talked about how there was a judge who has an order blocking federal agencies from communicating with social media firms.

Ben Yelin: Yep, got a lot of media attention for this decision, for sure.

Dave Bittner: So there's been some movement here. And there is a temporary stay on this judge's order. What do we need to know about this, Ben?

Ben Yelin: So basically, it is a three sentence order. Just simply says the ruling is stayed while we consider the merits of this lawsuit. So I think there is going to be a whole hearing with oral arguments. And the stay was issued just because this is a pretty extraordinary opinion, and I think the 5th Circuit Court of Appeals, or at least this panel, wants to do review of both the law and I think the factual allegations that made up that lawsuit are certainly ripe for review as well. It is a three judge panel. So the 5th Circuit Court of Appeals is notoriously conservative. Three judge panels are just a luck of the draw. It's a pure lottery. This three judge panel is one very conservative Trump appointee, Andrew Oldham. The other two appointees are Bill Clinton and Barack Obama appointees. So you have a really interesting three person panel here.

Dave Bittner: Was that an unlikely panel given the makeup of the 5th Circuit?

Ben Yelin: Oh, yeah. It's like drawing an inside straight while playing poker. It was extremely unlikely. But it did happen. The only problem for people who are opposed to Judge Doughty's opinion here is that whatever this three judge panel comes up with, it could go in front of the whole 5th Circuit en banc, and that would probably be reversed.

Dave Bittner: Oh.

Ben Yelin: But because of the novel issues here, I don't think it would be that much of a surprise if this ended up at the United States Supreme Court. It could be just a matter of time. Especially if the 5th Circuit en banc, the full panel of the 5th Circuit, is amenable to the arguments of the district court judge, whose opinion, to me, still is rather extraordinary. I mean, it's a restraining order preventing the government from talking to private sector entities, that has its own First Amendment implications, so.

Dave Bittner: Right, right.

Ben Yelin: Yeah, a ruling is not in place as of the moment because of the stay. But we will definitely keep an eye on it.

Dave Bittner: Yeah. Interesting development, for sure. Alright, well let's jump into our stories this week. Why don't you kick things off for us here?

Ben Yelin: So my story comes from the New York Times. It is about a new lawsuit challenging the state of Texas on their ban of TikTok on state issued devices and networks. And the challenge was filed by the Knight First Amendment Institute at Columbia University, and they filed it on behalf of an entity called the Coalition for Independent Technology Research. This is a group of college professors in Texas who say that their work product was compromised after they lost access to TikTok on campus WiFi and university issued computers. So even if they have personal devices, if they are on university networks, where presumably their offices are, they are forbidden under this Texas law from accessing TikTok. So Texas, like many states, by executive order this past December banned the use of TikTok on state issued devices. It happened in red states, it happened in blue states. Happened here in Maryland where we are.

Dave Bittner: Yeah.

Ben Yelin: But Texas actually codified this into a statute in their most recent legislative session. So it is now beyond an executive order. And these professors are saying that this is an inhibition on their own First Amendment rights because it prevents them from doing research on the effect of TikTok, the effect of social media applications on various things, including our news consumption, the psychological impact, I mean, you can imagine a lot of reasons why researchers would want access to these applications.

Dave Bittner: Sure.

Ben Yelin: To find out what the impact is going to be. So, this coalition has filed this lawsuit saying that this is a First Amendment inhibition on academic freedom. And they are demanding that the Federal District Court, and this is a district court in Austin, Texas, issue a declaratory holding saying that the state of Texas must carve out some type of exemption for academic research.

Dave Bittner: Okay.

Ben Yelin: And I think that's really a promising development. I will reveal my biases here as someone who's in academia. I would like to preserve access to applications for research purposes. I think research is very useful and worthwhile. And this is not something that's entirely new in the legal sphere. There are a lot of laws that have research exceptions. Most notably, our intellectual property laws. So, you can do something vis-a-vis a patent for research purposes that you couldn't do in terms of just straight reproduction. And we've talked about in the context of cybersecurity, you know, I always go back to something like the Aaron Swartz incident of 10 years ago where the good guys are trying to do research, are trying to expose vulnerabilities, or discover some of the ill effects like a platform like TikTok, and they're going to be punished with the arm of the law simply because the letter of the law doesn't consider the importance of research, of academic research.

Dave Bittner: Right.

Ben Yelin: So I think this is a good, promising lawsuit. I think if I were the state of Texas, or really any other state, I would focus on writing in exemptions that allow university professors to do this type of research. I realize it's not easy, there is a fine line between what counts as research and what counts as screwing around on TikTok. I get it. But I do think some effort does need to be taken to respect what some of these researchers are doing.

Dave Bittner: Yeah. This seems reasonable to me that, and just to be clear here, they're not looking to overturn the entire ban. What they're looking for is a carveout where someone can make the case, if I'm a university professor, I can say hey, on my computer I need access to TikTok and here's why.

Ben Yelin: Right, exactly, exactly. They are not seeking a stay or an injunction overruling the statute or the executive order. They're simply asking for a carveout for research purposes. And there are already carveouts in this law. So, if law enforcement for example is engaged in an investigation, they can access TikTok for the purposes of that investigation. So that's one exception. The other provision in the law is that department heads of the Texas departments can make decisions on potential other exemptions or legal uses of TikTok on state issued devices. But the university system sent a pretty broad scary email to all the professors who work at public universities saying there aren't academic exceptions here. Not only is TikTok banned on state issued devices, that means your device, you work for this university. But also we're going to enforce it. So we're going to be on your devices just like you are seeing if you have downloaded TikTok and are using it. And that's having a real chilling effect. Especially, you know, when you think about research here that could be critically important, the impact of TikTok as a social media platform on children, child development, the political sphere. All of this stuff is important information that we want to learn. So I just really think it would be a positive idea to have a carveout like this.

Dave Bittner: Yeah. Where do we stand in terms of, you know, we live in this era of bring your own device to work. You know.

Ben Yelin: BYOD?

Dave Bittner: Yeah. We have this cross pollination. If I'm a, let's say, a university professor in Texas and I use my own mobile device, do the powers that be have the ability and right to scrutinize my personal device for this?

Ben Yelin: They cannot scrutinize your personal device except if it is on a university network, it can be monitored. If you're using university WiFi with your personal device, not only is that going to be monitored, but it's actually written in the law that that qualifies as a use of TikTok, which would violate the ban.

Dave Bittner: I see.

Ben Yelin: So it's not just state issued devices, it's also using state networks. Now you could be very careful with it and use your personal device and never do the research on a state network. But that's going to be exceedingly difficult. They work at universities.

Dave Bittner: Right.

Ben Yelin: Presumably they're teaching there. Also, it's not just the professors who want to gain access to something like this, they all have students. And the students are going to want to do research projects. And presumably, students, some of them are living in dorms. They're forced to use WiFi at some of these public institutions.

Dave Bittner: Right.

Ben Yelin: So there really isn't a meaningful choice. I think the regulation in that sense is kind of overbroad. Even if we're talking about a BYOD situation.

Dave Bittner: I see. Well, I mean, this seems entirely reasonable to me. And I hope we get a good outcome here.

Ben Yelin: Yeah, I mean, I think this is a broader issue than people really have come to grips with. It's 20 states that have banned TikTok in some form. The state of Montana issued a blanket ban on TikTok. Not just in state issued devices, but literally nobody can use it. That law doesn't go into effect until next January. There's going to be litigation. A lot of content creators who live in Montana are probably very upset that they're not able to post funny videos that are going to show up on everybody's For You tab. I'm using the TikTok lingo. Just so the kids know I'm with it.

Dave Bittner: I'm not.

Ben Yelin: So yeah, this is going to be a broad issue. And I think in my view, it was a little hasty for these 20 states to issue such a broad ban on the use of TikTok for state issued devices without really going into the broader implications of it. I get it, I get the national security implications. You know, the way we look at potential First Amendment violations is through something called strict scrutiny. Basically, for a content based restriction, like a restriction on TikTok, the government has to show that it has a compelling interest. And the means of achieving that interest have to be narrowly tailored to the end. I think you could certainly argue that with TikTok being owned by ByteDance, a Chinese company, that the government clearly does have a compelling state interest in protecting national security here, it's just that the means of achieving that might not be sufficiently narrowly tailored if they are preventing people from engaging in things like academic research. So I just hope that the federal court here comes to its senses. I'll note that this was filed on a federal district court in Texas. It is in Austin, Texas. I don't know this for a fact, my guess is there could be some forum shopping going on here.

Dave Bittner: Right. Because Austin is a little oasis, a little island of, what do the locals say? Keep Austin weird?

Ben Yelin: Keep Austin weird, yes.

Dave Bittner: That's right, that's right. Interesting.

Ben Yelin: Yeah, yeah. So I definitely think it could be an instance where they tried to find the most favorable venue to get a decision to their liking. So, maybe that'll happen. And then guess what? If the theme continues, we'll go back in front of the 5th Circuit Court of Appeals and we're back to square one. Yeah, we can't have nice things, basically.

Dave Bittner: Well, not in Texas.

Ben Yelin: Exactly.

Dave Bittner: Right, right. Alright. Well interesting. We will have a link to that in the show notes. My story this week comes from the AP, this is an article written by Fatima Hussein. And they point out in their writing that this is something that was initially reported from the online non-profit journalism organization The Markup. And this is about three tax prep firms have allegedly shared extraordinarily sensitive data about taxpayers with Meta. Of course, the company who owns Facebook. And there is a group of lawmakers who are coming at them, who've written a letter to some of the regulators, saying that they immediately want them to open an investigation into this incident. The lawmakers are kind of a who's who on privacy issues, right? It's Senators Elizabeth Warren -- [crosstalk], that's right. Richard Blumenthal, Tammy Duckworth, Bernie Sanders, Sheldon Whitehouse, and Representative Katie Porter. Who she's making a run to become a senator, right?

Ben Yelin: She is in California, yes. Very progressive member of the House.

Dave Bittner: Right. So, it's kind of a who's who of the usual suspects that you would expect for something like this. But the core of this is that Meta has a thing called their pixel code, which is this little snippet of code that anyone can put on their website and what that does is it monitors the activity on your website and sends that information to Meta. In exchange for that, you get insights onto how people are using your website, which helps for things like ads on Facebook and elsewhere.

Ben Yelin: It seems very beneficial to these tax prep companies and to Meta, just not to the poor consumers that are using these tax prep company services.

Dave Bittner: Right, and that's the thing about Meta's pixel code. Which is what these lawmakers are alleging, and certainly, they are not the only ones who have had their eyes on this. The pixel code has the ability to vacuum up an extraordinary amount of stuff on your website if you let it. And the allegations here are that's exactly what it's done. They're saying that it vacuumed up taxpayers' filing status, income, refund amounts, names of dependents, approximate federal tax owed, which buttons were clicked on the websites, and the name of text entry forms that the taxpayers navigated. So that's a lot of very private and sensitive information.

Ben Yelin: Sure is.

Dave Bittner: And I think most consumers when using one of these websites would not have considered that hey, everything I'm entering here is also going to go to Facebook.

Ben Yelin: Yeah, it's very possible that it was in the EULA that nobody read.

Dave Bittner: Yeah.

Ben Yelin: I don't know because I also didn't read it when I was using my tax prep services and now I'm regretting it. This also is not the first time with Meta, previously known as Facebook, I mean, does this not bring back memories of Cambridge Analytica?

Dave Bittner: Yeah.

Ben Yelin: From 2018. Where then it was just Facebook was pretty reckless in obtaining all this data that people didn't realize that they were sharing all of this private data.

Dave Bittner: Right.

Ben Yelin: So it's certainly not the first time that we've seen something like this.

Dave Bittner: Yeah. So the three companies who are named here, which are H&R Block, TaxSlayer, and TaxAct. A TaxAct representative says the firm has engaged with Warren's office to explain its usage of the analytical tools. And that protecting customers is its top priority. The TaxSlayer representative said that the report contains numerous false or misleading statements. And H&R Block says that it takes protecting client privacy very seriously. And has taken steps to prevent the sharing of information through the pixel coding. Yeah.

Ben Yelin: Yeah, and also, Meta for its part is saying well, you know, it should be well-known to the companies, because we've written the policies, that they should not send sensitive information about people through our business tools.

Dave Bittner: Right, right.

Ben Yelin: Well that's great, but it did happen.

Dave Bittner: Handing off the blame to the companies, saying that they should have dialed in what they were sending more carefully.

Ben Yelin: Right. I mean, the problem is it's very easy to get away with all of this.

Dave Bittner: Right.

Ben Yelin: There's not really a proper enforcement mechanism. And there's just a lot of money involved. So I mean you could see why these companies would want to use this tool from Meta because it's useful for planning out advertisements and figuring out demographic information on their clientele. I mean, that's very valuable information.

Dave Bittner: Right.

Ben Yelin: And for Meta, this is a service. So they're making a lot of money off of it as well. So, the fact that we only find out about these things through investigative journalism, and that piques the interest of lawmakers, it's kind of unfortunate for the consumer that there's really no recourse until all this has already happened. And it goes totally underneath the radar. Because users of course have no idea that the information they're inputting into these tax prep companies, into their websites, is being collected by this tech giant.

Dave Bittner: Yeah.

Ben Yelin: I mean, consumers are just completely in the dark here.

Dave Bittner: Yeah. So the letter that these lawmakers have written, they've sent it to the IRS, the Department of Justice, the Federal Trade Commission. What sort of relief do you suppose they're seeking here?

Ben Yelin: So the pipe dream, and I don't think this will actually happen for a variety of reasons which I'll try to explain.

Dave Bittner: Yeah.

Ben Yelin: Is that there should be an electronic free file system for submitting tax returns run by the IRS through the government. The IRS is actually piloting something like this, they are trying it. But it's not widely available yet to my knowledge. Obviously this would put all these companies out of business. Tax preparation is an industry.

Dave Bittner: Right.

Ben Yelin: There are a lot of accountants who make their money in tax season.

Dave Bittner: Yep.

Ben Yelin: So these companies are going to lobby tooth and nail, if they have to wine and dine every single member of Congress, they will do so. Because this is literally their lifeline is this business existing.

Dave Bittner: Yeah.

Ben Yelin: So I think they're terrified of that as an ultimate outcome. I think short of having that free filing system is sending a letter to the Department of Justice and to the Federal Trade Commission to investigate whether there should be fines levied against these companies or against Meta for improper trade practices. Or criminal charges from the Department of Justice for illegally sharing this information. I don't think any of that is necessarily likely in these circumstances. But it's certainly a warning sign to these companies that somebody is onto them. And so now there's a watchful eye, at least from a pretty decent group, a somewhat powerful group of members of Congress.

Dave Bittner: Yeah.

Ben Yelin: And that since this is covered in the Associated Press, there's going to be a microscope on them. And that might dissuade them from further using this pixel tool.

Dave Bittner: Right.

Ben Yelin: Yeah.

Dave Bittner: And other companies who provide tax preparation could likely take another look at how they're using Meta's --

Ben Yelin: Right, they still might decide, eh, we can take the hit on this.

Dave Bittner: Oh, okay, it might be worth it.

Ben Yelin: Oh, it might totally be worth it. Even if it's bad PR for our company, I don't think H&R Block is going to go out of business because of one article or one letter from Bernie Sanders and a bunch of other progressive members of Congress.

Dave Bittner: Right.

Ben Yelin: But you know, these things can start to pile on one another. And if it's clear that the tax prep companies have just been very shoddy at protecting user data, I mean, the user --

Dave Bittner: Seems fundamental to me.

Ben Yelin: It's pretty fundamental, I mean, the user will have other options. There are other tax prep services that are not mentioned here. They want to sponsor our podcast, I'd be happy to mention them.

Dave Bittner: Well, I mean, it's an interesting competitive advantage, isn't it? I mean, you could sell yourself as being the privacy focused tax prep organization.

Ben Yelin: Right, we're the Apple of tax prep.

Dave Bittner: Right. We don't sell your information or share your information with anyone else. Imagine that.

Ben Yelin: Yeah, I know. Something that would seem to be very simple and self evident might end up being a major competitive advantage. I mean, I think the vision of this IRS pilot project is it might incentivize these tax prep companies from not trying to nickel and dime their customers. And part of that nickel and diming is collecting really, in a kind of secretive way, private information. Things like somebody's refund amount, social security, all different types of private information.

Dave Bittner: Yeah.

Ben Yelin: So the result of the IRS having this pilot program, and maybe it will eventually be used more broadly, will be to force these companies to alter their practices to stay competitive. Again, this is their absolute nightmare. Because if most people end up using an IRS free filing service, then most of these companies would be out of business. They'd still have businesses with complicated tax situations that they could have as clients. But your average household could probably do all of this in a free, online IRS system.

Dave Bittner: Right.

Ben Yelin: So that's kind of the stick that the government holds over these companies if the government chooses to use it, which is an open question.

Dave Bittner: I'll also point out, you know, for our listeners that there are steps you can take, particularly when it comes to this Meta pixel tracking system. You know, on your desktop computer, you can use one of the browsers that's privacy focused. Browsers like Brave. I believe DuckDuckGo has a browser now. So there are a number of browsers that are -- it's usually they're Chromium based. Which means they're using the same engine underneath as, say, Google Chrome. But they have built-in tools where you can dial in the amount of information you want to share on a much more granular way than you can with, say, a browser like Google Chrome. The other option you have is there are plugins that will do this for you as well. They will block things like the Facebook trackers, you know, just plugins like Privacy Badger. And there's a whole industry in these privacy enhancing plugins. Some of them are free, some of them are subscription based. But I think it's worth looking into. Also, like if you're on iOS, you can dial in how much information gets shared. Of course, it's been in the news a lot that, you know, Apple in the past couple of years really dialed down the amount of information that organizations like Meta could automatically get from their users. So, there's a certain amount of vigilance that's required on people's part to not just accept the default settings for these sorts of things. And I think certainly, in the case of the Meta tracking pixel, it's time well spent. Because man, that thing sucks up everything.

Ben Yelin: It really does. You know, and I'll say that our listeners and people like our listeners are technologically savvy enough to make use of these tools. Most people aren't, and most people are absolutely in the dark about the extent of the information being collected by these companies. So, you know, there is a concern that people with technological know-how and access are going to be able to opt out or evade this type of collection while just normal people are not. And that's kind of its own concern.

Dave Bittner: Yeah. A digital online haves and have-nots.

Ben Yelin: Exactly, exactly.

Dave Bittner: Yeah. Alright, well we will have links to all these stories in our show notes. And of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's

Ben, I recently had the pleasure of speaking with Jeff Reich. He is the Executive Director at the Identity Defined Security Alliance. And we were discussing identity and the potential costs of managing identity. Here's my conversation with Jeff Reich.

Jeff Reich: You know, it's a mixed bag. Because there are certainly some organizations that are managing identity and securing identities very well. Some of them do it because of regulations, some of them are doing it because they've had a big breach and they really need to not have another one. That's the good news. The good news is about half of the organizations are doing a really good job. And the bad news is about half the organizations aren't there yet.

Dave Bittner: What are the specific challenges here? I mean, what makes effective management of identity so challenging?

Jeff Reich: Well first, there's a perception, two perceptions. The first one is some organizations feel I'm not a target, I'm never going to get attacked, I'm not going to have a breach, why do I have to invest money when my margins are already so tight to protect something that really isn't mine anyways? So, there's one driving force. Another one, and they can be mutually exclusive. Sometimes they co-exist. It's well, we bought a firewall and we have a tool to manage identities. We're good. And until something bad happens to them, they think because they've made investments, that's enough.

Dave Bittner: Well let's talk about the IDSA. The Identity Defined Security Alliance. So what's the origin story of that organization?

Jeff Reich: This is an organization that was formed about five years ago. It's a non-profit, member based organization. It was formed mainly by a relatively small group of identity vendors that has since grown. The core is still the identity vendors. This year, however, two significant changes have happened and one doesn't necessarily correlate with the other. The founding Executive Director, Julie Smith, retired. And I was recruited -- and it has nothing to do with the shoe size -- but to fill some very large shoes. And it's something I'm working on. I joined in February. Since then, we've had our annual Identity Management Day, which is the second Tuesday of every April. And we have been engaged with the RSA conference and Identiverse. I won't spend really any time on that, other than we've been really busy and we now have a focus. We're kind of turning our sights to increasing having more identity vendors, but also bringing in a lot of the enterprises that use identity tools. And the reason we're doing that is when you look at the mission of IDSA, it's really to increase the security of identities and to increase identity security. And for the most part, our identities still belong to the carbon-based units that are us. And we need the right tools and information to protect them. So when the vendors create those, the enterprises can use them and pass that along to the consumers, who can then protect their identities appropriately.

Dave Bittner: Can you tell us about some of the conversations that you're facilitating out there?

Jeff Reich: Yeah, there's quite a few. I mean, Identiverse, for instance, we presented our annual "Trends in Identity Security" research survey. We don't really need to dive into that, but good information came out of that. Some of what I refer to about the half and half of the organizations. And there's been a lot of conversation about that. Because it's doing exactly what we intend. It's sparking conversations about gee, I think I fall into this category, what sort of things could I do to get myself out of that category, if it's one they don't want to stay in. And we'll either connect them with one of the identity vendors, potentially, although we're not there to make sales for anyone. We'll also sometimes bring in a third party, who is a consultant. Who talks to other identity vendors. Or maybe has a solution package so they can say -- or just here are processes you could install to make it better for yourself. So those conversations are happening and that's fantastic. We have some, I'd say loosely, a mind relationship with some standards organizations. And not because we are going to write standards, and I'm not certain we necessarily even influence them, influencing them, although in some cases I think we are. But we do want to see where standards are going so we can start helping our membership get in front of here's a standard you may have to comply with, or here's a standard that you may want to use because it may make sense for you. So that's just a sampling of some of the conversations we're having.

Dave Bittner: And what's the advantage for folks who are in the identity industry to have an organization such as yours representing them?

Jeff Reich: Well, what's unique about IDSA, and there's a few identity organizations around, most of the others focus on individuals and either getting an identity analyst, for instance, certified to manage identities. So there is that focus, which we don't really put a lot of our emphasis on, although it's good. The reason identity organizations would want to be associated with us is the rules we use here, we're a big room, and you check your guns at the door. You come in, and the goal we have is to raise the level of security around identities and we're all doing that together because no one vendor, for instance, can do that alone. As much as they would love to be able to. So, we all work together. And everyone benefits when that happens. Because when you can say well here's two things that this vendor does, here's something we do, and it kind of fills the gap. Maybe we should start talking about the two of us together can really help each other out. So there's that. And now that we're going to start bringing in more enterprises to use it, there are more use cases that we'll be able to start using and sharing through our webinars, for instance, that say you know, I really need to go along this identity management, security path. But I don't know what road to take. So you can start listening to others that have gone the same path and see where there were successes and where they had challenges and what didn't work for them. And I think when we do that, everyone benefits. And as I said, that all rolls downhill to the individual consumers, who can now start saying hey, with this tool, this information, I can now start protecting my identity.

Dave Bittner: Are there any common misconceptions out there when it comes to identity and these sorts of tools that are available?

Jeff Reich: You know, there are some common misconceptions. One of the most common ones has been, well, there's identity management, that's an administrative function. And then there's security, whether it's information security and/or enterprise security that you're working with. And until recently, many of those, many organizations kept those two separate as two separate cost centers, maybe two distinct organizations that never even talked to each other. Because one would say well here's your ID, and I'll give you access to these five resources. And the other in security's going to say how are we managing our resources and what are we doing to protect them? And organizations that are starting to say they really belong together, they don't have to be managed by a common individual, but they really need to be tightly coupled, are seeing that in fact, identity ends up being a valuable asset to every organization. And, you know, I've been in this business five decades. We'll go with that. And security has always been focused on what's the perimeter, how do we protect the perimeter? The perimeter used to be the computer you worked on. And then it became the data center you worked in. And then it became the network that you were on. And now, the perimeter is the identity of those assets because with the internet and Web3 and IoT and everything else going on, no one can define what their physical perimeter looks like anymore. Or even their logical perimeter. It rests within identities.

Dave Bittner: What do you suppose that the future holds in this space? When we think about identity going forward. What sorts of things do you see coming to bear?

Jeff Reich: So I think, in the industry, the sort of tools that you're going to start to see available to enterprises in particular are going to be tools that allow the enterprises to say let's take a look not only at our internal identity management, but of our customers and our partners and our vendors. And how do we tie that all together, protect it all appropriately, as a valuable asset that it is? And make sure that we enable everyone to get their work done appropriately? Now my ideal vision, this is Jeff as a person, not necessarily as the Executive Director, although I guess I'm not sure how I separate the two. What I envision seeing, but I don't see it happening in the next couple years, is individuals will be able to say I know what my identity means, and to a degree, I know what the value is. And I can pick and choose where I use it and how I want to use it, and maybe create different identities to do different things, as in the identity I use for banking and financial applications, I would never use in social media applications. And that's something people can start doing now, by the way, but I think as more tools are available, we make it easier for a consumer to do that. I see the identity nirvana of identity belongs to the individual, and that's where it should be controlled.

Dave Bittner: Ben, what do you think?

Ben Yelin: I thought it was really interesting hearing about the effect that GDPR has had on all of this. It's caused ripples even in the countries for which GDPR has no jurisdiction. I think it's really changed the landscape in terms of data privacy and ways that I think we're not yet able to fully understand. And now that it's been partially replicated in some states in the United States, some of the spirit of GDPR is spreading to other countries and jurisdictions. So.

Dave Bittner: Yeah.

Ben Yelin: Yeah, I thought that was an interesting element of it.

Dave Bittner: It's fascinating to me the balance, or the attempts to balance, the legitimate need and utility of online anonymity. Right? When you think about political speech, you know, there are cases where anonymity is the best thing for certain types of information to be spread. And so, you don't necessarily want to eliminate that. But on the other hand, having a real names social media platform or something like that, also has its benefits.

Ben Yelin: Right.

Dave Bittner: It's a tough balance, a tough thing to balance out.

Ben Yelin: Right, absolutely.

Dave Bittner: Alright. Well, our thanks to Jeff Reich for joining us. Again, he is the Executive Director at the Identity Defined Security Alliance. We do appreciate him taking the time.

That is our show. We want to thank all of you for listening. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at Our senior producer is Jennifer Eiben. This show is edited by Elliot Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.