FTC says health apps must notify consumers about data breaches — or face fines

The U.S. Federal Trade Commission (FTC) has warned that apps and devices that collect personal health information must notify consumers if their data is breached or shared with third parties without their permission.

In a 3-2 vote on Wednesday, the FTC agreed on a new policy statement to clarify a decade-old 2009 Health Breach Notification Rule, which requires companies handling health records to notify consumers if their data is accessed without permission, such as the result of a breach. This has now been extended to apply to health apps and devices — specifically calling out apps that track fertility data, fitness, and blood glucose — which “too often fail to invest in adequate privacy and data security,” according to FTC chair Lina Khan.

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said Khan in a statement, pointing to a study published this year in the British Medical Journal that found health apps suffer from “serious problems” ranging from the insecure transmission of user data to the unauthorized sharing of data with advertisers.

There have also been a number of high-profile breaches involving health apps in recent years. Babylon Health, a U.K. AI chatbot and telehealth startup, last year suffered a data breach after a “software error” allowed users to access other patients’ video consultations, while period tracking app Flo was recently found to be sharing users’ health data with third-party analytics and marketing services.

Under the new rule, any company offering health apps or connected fitness devices that collect personal health data must notify consumers if their data has been compromised. However, the rule doesn’t define a “data breach” as just a cybersecurity intrusion; unauthorized access to personal data, including the sharing of information without an individual’s permission, can also trigger notification obligations.

“While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said.

If companies don’t comply with the rule, the FTC said it will “vigorously” enforce fines of $43,792 per violation per day.

The FTC has been cracking down on privacy violations in recent weeks. Earlier this month, the agency unanimously voted to ban spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry for harvesting mobile data on thousands of people and leaving it on the open internet.


Have ‘The Privacy Talk’ with your business partners

As a parent of teenagers, I’m used to having tough, sometimes even awkward, conversations about topics that are complex but important. Most parents will likely agree with me when I say those types of conversations never get easier, but over time, you tend to develop a roadmap of how to approach the subject, how to make sure you’re being clear, and how to answer hard questions.

And like many parents, I quickly learned that my children have just as much to teach me as I can teach them. I’ve learned that tough conversations build trust.

I’ve applied this lesson about trust-building conversations to an extremely important aspect of my role as the chief legal officer at Foursquare: Conducting “The Privacy Talk.”

The discussion should convey an understanding of how the legislative and regulatory environment are going to affect product offerings, including what’s being done to get ahead of that change.

What exactly is ‘The Privacy Talk’?

It’s the conversation that goes beyond the written, publicly posted privacy policy, and dives deep into a customer, vendor, supplier or partner’s approach to ethics. This conversation seeks to convey and align the expectations that two companies must have at the beginning of a new engagement.

RFIs may ask a lot of questions about privacy compliance, information security, and data ethics. But they’re no match for asking your prospective partner to hop on a Zoom to walk you through their broader approach. Unless you hear it first-hand, it can be hard to discern whether a partner is thinking strategically about privacy, if they are truly committed to data ethics, and how compliance is woven into their organization’s culture.


UK now expects compliance with children’s privacy design code

In the UK, a 12-month grace period for compliance with a design code aimed at protecting children online expires today — meaning app makers offering digital services in the market which are “likely” to be accessed by children (defined in this context as users under 18 years old) are expected to comply with a set of standards intended to safeguard kids from being tracked and profiled.

The age appropriate design code came into force on September 2 last year; however, the UK’s data protection watchdog, the ICO, allowed the maximum grace period for hitting compliance to give organizations time to adapt their services.

But from today it expects the standards of the code to be met.

Services where the code applies can include connected toys and games and edtech but also online retail and for-profit online services such as social media and video sharing platforms which have a strong pull for minors.

Among the code’s stipulations are that a level of ‘high privacy’ should be applied to settings by default if the user is (or is suspected to be) a child — including specific provisions that geolocation and profiling should be off by default (unless there’s a compelling justification for such privacy hostile defaults).

The code also instructs app makers to provide parental controls while also providing the child with age-appropriate information about such tools — warning against parental tracking tools that could be used to silently/invisibly monitor a child without them being made aware of the active tracking.

Another standard takes aim at dark pattern design — with a warning to app makers against using “nudge techniques” to push children to provide “unnecessary personal data or weaken or turn off their privacy protections”.

The full code contains 15 standards but is not itself baked into legislation — rather it’s a set of design recommendations the ICO wants app makers to follow.

The regulatory stick to make them do so is that the watchdog is explicitly linking compliance with its children’s privacy standards to passing muster with wider data protection requirements that are baked into UK law.

The risk for apps that ignore the standards is thus that they draw the attention of the watchdog — either through a complaint or proactive investigation — with the potential of a wider ICO audit delving into their whole approach to privacy and data protection.

“We will monitor conformance to this code through a series of proactive audits, will consider complaints, and take appropriate action to enforce the underlying data protection standards, subject to applicable law and in line with our Regulatory Action Policy,” the ICO writes in guidance on its website. “To ensure proportionate and effective regulation we will target our most significant powers, focusing on organisations and individuals suspected of repeated or wilful misconduct or serious failure to comply with the law.”

It goes on to warn it would view a lack of compliance with the kids’ privacy code as a potential black mark against (enforceable) UK data protection laws, adding: “If you do not follow this code, you may find it difficult to demonstrate that your processing is fair and complies with the GDPR [General Data Protection Regulation] or PECR [Privacy and Electronics Communications Regulation].”

In a blog post last week, Stephen Bonner, the ICO’s executive director of regulatory futures and innovation, also warned app makers: “We will be proactive in requiring social media platforms, video and music streaming sites and the gaming industry to tell us how their services are designed in line with the code. We will identify areas where we may need to provide support or, should the circumstances require, we have powers to investigate or audit organisations.”

“We have identified that currently, some of the biggest risks come from social media platforms, video and music streaming sites and video gaming platforms,” he went on. “In these sectors, children’s personal data is being used and shared, to bombard them with content and personalised service features. This may include inappropriate adverts; unsolicited messages and friend requests; and privacy-eroding nudges urging children to stay online. We’re concerned with a number of harms that could be created as a consequence of this data use, which are physical, emotional and psychological and financial.”

“Children’s rights must be respected and we expect organisations to prove that children’s best interests are a primary concern. The code gives clarity on how organisations can use children’s data in line with the law, and we want to see organisations committed to protecting children through the development of designs and services in accordance with the code,” Bonner added.

The ICO’s enforcement powers — at least on paper — are fairly extensive, with GDPR, for example, giving it the ability to fine infringers up to £17.5M or 4% of their annual worldwide turnover, whichever is higher.

The watchdog can also issue orders banning data processing or otherwise requiring changes to services it deems non-compliant. So apps that choose to flout the children’s design code risk setting themselves up for regulatory bumps or worse.

In recent months there have been signs some major platforms have been paying mind to the ICO’s compliance deadline — with Instagram, YouTube and TikTok all announcing changes to how they handle minors’ data and account settings ahead of the September 2 date.

In July, Instagram said it would default teens to private accounts — doing so for under 18s in certain countries which the platform confirmed to us includes the UK — among a number of other child-safety focused tweaks. Then in August, Google announced similar changes for accounts on its video sharing platform, YouTube.

A few days later TikTok also said it would add more privacy protections for teens, though it had also made earlier changes limiting privacy defaults for under 18s.

Apple also recently got itself into hot water with the digital rights community following the announcement of child safety-focused features — including a child sexual abuse material (CSAM) detection tool which scans photo uploads to iCloud; and an opt in parental safety feature that lets iCloud Family account users turn on alerts related to the viewing of explicit images by minors using its Messages app.

The unifying theme underpinning all these mainstream platform product tweaks is clearly ‘child protection’.

And while there’s been growing attention in the US to online child safety and the nefarious ways in which some apps exploit kids’ data — as well as a number of open probes in Europe (such as this Commission investigation of TikTok, acting on complaints) — the UK may be having an outsized impact here given its concerted push to pioneer age-focused design standards.

The code also combines with incoming UK legislation which is set to apply a ‘duty of care’ on platforms to take a broad-brush safety-first stance toward users, also with a big focus on kids (and there it’s also being broadly targeted to cover all children, rather than just applying to kids under 13 as with the US’ COPPA, for example).

In the blog post ahead of the compliance deadline expiring, the ICO’s Bonner sought to take credit for what he described as “significant changes” made in recent months by platforms like Facebook, Google, Instagram and TikTok, writing: “As the first-of-its kind, it’s also having an influence globally. Members of the US Senate and Congress have called on major US tech and gaming companies to voluntarily adopt the standards in the ICO’s code for children in America.”

“The Data Protection Commission in Ireland is preparing to introduce the Children’s Fundamentals to protect children online, which links closely to the code and follows similar core principles,” he also noted.

And there are other examples in the EU: France’s data watchdog, the CNIL, looks to have been inspired by the ICO’s approach — issuing its own set of child-protection focused recommendations this June (which also, for example, encourage app makers to add parental controls with the clear caveat that such tools must “respect the child’s privacy and best interests”).

The UK’s focus on online child safety is not just making waves overseas but sparking growth in a domestic compliance services industry.

Last month, for example, the ICO announced the first clutch of GDPR certification scheme criteria — including two schemes which focus on the age appropriate design code. Expect plenty more.

Bonner’s blog post also notes that the watchdog will formally set out its position on age assurance this autumn — so it will be providing further steerage to organizations which are in scope of the code on how to tackle that tricky piece, although it’s still not clear how hard a requirement the ICO will support, with Bonner suggesting it could actually be “verifying ages or age estimation”. Watch that space. Whatever the recommendations are, age assurance services are set to spring up with compliance-focused sales pitches.

Children’s safety online has been a huge focus for UK policymakers in recent years, although the wider (and long in train) Online Safety (née Harms) Bill remains at the draft law stage.

An earlier attempt by UK lawmakers to bring in mandatory age checks to prevent kids from accessing adult content websites — dating back to 2017’s Digital Economy Act — was dropped in 2019 after widespread criticism that it would be both unworkable and a massive privacy risk for adult users of porn.

But the government did not drop its determination to find a way to regulate online services in the name of child safety. And online age verification checks look set to be — if not a blanket, hardened requirement for all digital services — increasingly brought in by the backdoor, through a sort of ‘recommended feature’ creep (as the ORG has warned).

The current recommendation in the age appropriate design code is that app makers “take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users”, suggesting they: “Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.”

At the same time, the government’s broader push on online safety risks conflicting with some of the laudable aims of the ICO’s non-legally binding children’s privacy design code.

For instance, while the code includes the (welcome) suggestion that digital services gather as little information about children as possible, in an announcement earlier this summer UK lawmakers put out guidance for social media platforms and messaging services — ahead of the planned Online Safety legislation — that recommends they prevent children from being able to use end-to-end encryption.

That’s right; the government’s advice to data-mining platforms — which it suggests will help prepare them for requirements in the incoming legislation — is not to use ‘gold standard’ security and privacy (e2e encryption) for kids.

So the official UK government messaging to app makers appears to be that, in short order, the law will require commercial services to access more of kids’ information, not less — in the name of keeping them ‘safe’. Which is quite a contradiction to the data minimization push in the design code.

The risk is that a tightening spotlight on kids’ privacy ends up being fuzzed and complicated by ill-thought-through policies that push platforms to monitor kids to demonstrate ‘protection’ from a smorgasbord of online harms — be it adult content or pro-suicide postings, or cyber bullying and CSAM.

The law looks set to encourage platforms to ‘show their workings’ to prove compliance — which risks resulting in ever closer tracking of children’s activity, retention of data — and maybe risk profiling and age verification checks (that could even end up being applied to all users; think sledgehammer to crack a nut). In short, a privacy dystopia.

Such mixed messages and disjointed policymaking seem set to pile increasingly confusing — and even conflicting — requirements on digital services operating in the UK, making tech businesses legally responsible for divining clarity amid the policy mess — with the simultaneous risk of huge fines if they get the balance wrong.

Complying with the ICO’s design standards may therefore actually be the easy bit.


ForgeRock files for IPO as identity and access management business grows

ForgeRock filed its form S-1 with the Securities and Exchange Commission (SEC) this morning as the identity management provider takes the next step toward its IPO.

The company did not provide initial pricing for its shares, which will trade on the New York Stock Exchange under the symbol FORG. The IPO is being led by Morgan Stanley and J.P. Morgan Chase & Co., with the company being valued as high as $4 billion, according to Bloomberg, which is a significant uplift over the $730 million post-money value that PitchBook had for the company after its last round in 2020.

With the ever-increasing volume of cybersecurity attacks against organizations of all sizes, the need to secure and manage user identities is of growing importance. Based in San Francisco, ForgeRock has raised $233 million in funding across multiple rounds. The company’s last round was a $93.5 million Series E announced in April 2020, which was led by Riverwood Capital alongside Accenture Ventures. At that time, CEO Fran Rosch told TechCrunch that the round would be the last before an IPO, which was also what former CEO Mike Ellis told us after the startup’s $88 million Series D in September 2017.

While the timing of its IPO might have been unclear over the last few years, the company has been on a positive trajectory for growth. In its S-1, ForgeRock reported that as of June 30, its annual recurring revenue (ARR) was $155 million, representing 30% year-over-year growth.

While revenue is growing, losses are narrowing: the company reported a $20 million net loss, down from $36 million a year ago. There certainly is a whole lot of room to grow, as the company estimates the total global addressable market for identity services to be worth $71 billion.

Among the many competitors that ForgeRock faces is Okta, which went public in 2017 and has been growing in the years since. In March, Okta acquired cloud identity startup Auth0 for $6.5 billion in a deal that raised a few eyebrows. Another competitor is Ping Identity, which went public in 2019 and is also growing, reporting on August 4 that its ARR hit $279.6 million in its quarter ended June 30, for a 19% year-over-year gain. There have also been a few big exits in the space over the years, including Duo Security, which was acquired by Cisco for $2.35 billion in 2018.

“ForgeRock has a good access management tool and they continue to be a strong player in customer identity and access management (CIAM),” commented Michael Kelley, senior research director at Gartner.

Kelley noted that in 2020, ForgeRock converted most of its core access management services to a SaaS delivery model, which helped the company catch up with the rest of the market that already offered access management as SaaS. Also last year the company expanded into identity governance, introducing a brand new identity, governance and administration (IGA) product.

“I think one of the more interesting products that ForgeRock offers is ForgeRock Trees, which is a no-code/low-code orchestration tool for building complex authentication and authorization journeys for customers, which is particularly helpful in the CIAM market,” Kelley added.

ForgeRock was founded in 2010, but its roots go back even further to an open-source single sign-on project known as OpenSSO that was created by Sun Microsystems in 2005. When Oracle acquired Sun Microsystems in early 2010, a number of its open-source efforts were left to languish, which is what led a number of former Sun employees to start ForgeRock.

Over the last decade, ForgeRock has expanded significantly beyond just providing a single sign-on to providing an identity platform that can handle consumer, enterprise and IoT use-cases. The company’s platform today handles identity and access management as well as identity governance.

The ability to scale is a key selling point that ForgeRock makes in the S-1, noting that its platform can handle over 60,000 user-based access transactions per second per customer.

“As of June 30, 2021, we had four customers with 100 million or more licensed identities,” the company stated in the S-1. “Our ability to serve mission-critical needs in complex environments for large customers enables us to grow our base of large customers and expand within each of them.”


InfoSum raises $65M Series B as organizations embrace secure data sharing

InfoSum, a London-based startup that provides a decentralized platform for secure data sharing between organizations, has secured a $65 million Series B funding round led by Chrysalis Investments.

The investment comes less than a year after InfoSum closed a $15.1 million Series A round co-led by Upfront Ventures and IA Ventures. Since then, the data privacy startup has tripled its revenue, doubled its employee base, and secured more than fifty new customers, including AT&T, Disney, Omnicom and Merkle.

Its growth was boosted by businesses that are increasingly focused on data privacy, largely as a result of the mass shift to remote working and cloud-based collaboration necessitated by the pandemic. InfoSum’s data collaboration platform uses patented technology to connect customer records between and amongst companies, without moving or sharing data. It helps organizations to alleviate security concerns, according to the startup, and is compliant with all current privacy laws, including GDPR.

The platform was bolstered earlier this year with the launch of InfoSum Bridge, a product which it claims significantly expands the customer identity linking capabilities of its platform. It is designed to connect advertising identifiers along with its own “bunkered” data sets to better facilitate ad targeting based on first-party data.

“The technology that enables companies to safely and securely compare customer data is thankfully entering a new phase, driven by privacy-conscious consumers and companies focused on value and control. InfoSum is proud to be leading the way,” said Brian Lesser, chairman and CEO of InfoSum. “Companies are looking for solutions to help resolve the existing friction and inefficiencies around data collaboration, and InfoSum is the company to drive this growth forward.”

The company, which says it is poised for “exponential growth” in 2021 as businesses continue to embrace privacy-focused tools and software, will use the newly raised investment to accelerate hiring across every aspect of its business, expand into new regions, and further the development of its platform.

Nick Halstead, who previously founded and led big data startup DataSift, founded InfoSum (then called CognitiveLogic) in 2015 with a vision to connect the world’s data without ever sharing it. The company currently has 80 employees spread across offices in the U.S., the U.K., and Germany.


Europe wants to go its own way on digital identity

In its latest ambitious digital policy announcement, the European Union has proposed creating a framework for a “trusted and secure European e-ID” (aka digital identity) — which it said today it wants to be available to all citizens, residents and businesses to make it easier to use a national digital identity to prove who they are in order to access public sector or commercial services regardless of where they are in the bloc.

The EU does already have a regulation on electronic authentication systems (eIDAS), which entered into force in 2014, but the Commission’s intention with the e-ID proposal is to expand on that by addressing some of its limitations and inadequacies (such as poor uptake and a lack of mobile support).

It also wants the e-ID framework to incorporate digital wallets — meaning the user will be able to choose to download a wallet app to a mobile device where they can store and selectively share electronic documents which might be needed for a specific identity verification transaction, such as when opening a bank account or applying for a loan. Other functions (like e-signing) are also envisaged being supported by these e-ID digital wallets.

Other examples the Commission gives where it sees a harmonized e-ID coming in handy include renting a car or checking into a hotel. EU lawmakers also suggest full interoperability for authentication of national digital IDs could be helpful for citizens needing to submit a local tax declaration or enrolling in a regional university.

Some Member States do already offer national electronic IDs but there’s a problem with interoperability across borders, per the Commission, which noted today that just 14% of key public service providers across all Member States allow cross-border authentication with an e-Identity system, though it also said cross-border authentications are rising.

A universally accepted ‘e-ID’ could — in theory — help grease digital activity throughout the EU’s single market by making it easier for Europeans to verify their identity and access commercial or publicly provided services when travelling or living outside their home market.

EU lawmakers also seem to believe there’s an opportunity to ‘own’ a strategic piece of the digital puzzle here, if they can create a unifying framework for all European national digital IDs — offering consumers not just a more convenient alternative to carrying around a physical version of their national ID (at least in some situations), and/or other documents they might need to show when applying to access specific services, but what commissioners billed today as a “European choice” — i.e. vs commercial digital ID systems which may not offer the same high-level pledge of a “trusted and secure” ID system that lets the user entirely control who gets to see which bits of their data.

A number of tech giants do of course already offer users the ability to sign in to third party digital services using the same credentials to access their own service. But in most cases doing so means the user is opening a fresh conduit for their personal data to flow back to the data-mining platform giant that controls the credential, letting Facebook (etc) further flesh out what it knows about that user’s Internet activity.

“The new European Digital Identity Wallets will enable all Europeans to access services online without having to use private identification methods or unnecessarily sharing personal data. With this solution they will have full control of the data they share,” is the Commission alternative vision for the proposed e-ID framework.

It also suggests the system could create substantial upside for European businesses — by supporting them in offering “a wide range of new services” atop the associated pledge of a “secure and trusted identification service”. And driving public trust in digital services is a key plank of how the Commission approaches digital policymaking — arguing that it’s an essential lever to grow uptake of online services.

However, calling this e-ID scheme ‘ambitious’ is a polite way of describing how viable it looks.

Aside from the tricky issue of adoption (i.e. actually getting Europeans to A) know about e-ID, and B) actually use it, by also C) getting enough platforms to support it, as well as D) getting providers on board to create the necessary wallets for envisaged functionality to pan out and be as robustly secure as promised), they’ll also — presumably — need to E) convince and/or compel web browsers to integrate e-ID so it can be accessed in a streamlined way.

The alternative (not being baked into browsers’ UIs) would surely make the other adoption steps trickier.

The Commission’s press release is fairly thin on such detail, though — saying only that: “Very large platforms will be required to accept the use of European Digital Identity wallets upon request of the user.”

Nonetheless, a whole chunk of the proposal is given over to discussion of “Qualified certificates for website authentication” — a trusted services provision, also expanding on the approach taken in eIDAS, which the Commission is keen for e-ID to incorporate in order to further boost user trust by offering a certified guarantee of who’s behind a website (although the proposal says it will be voluntary for websites to get certified).

The upshot of this component of the proposal is that web browsers would need to support and display these certificates, in order for the envisaged trust to flow — which sums to a whole lot of highly nuanced web infrastructure work needed to be done by third parties to interoperate with this EU requirement. (Work that browser makers already seem to have expressed serious misgivings about.)

Another big question-mark thrown up by the Commission’s e-ID plan is how exactly the envisaged certified digital identity wallets would store — and most importantly safeguard — user data. That very much remains to be determined, at this nascent stage.

There’s discussion in the regulation’s recitals, for example, of Member States being encouraged to “set-up jointly sandboxes to test innovative solutions in a controlled and secure environment in particular to improve the functionality, protection of personal data, security and interoperability of the solutions and to inform future updates of technical references and legal requirements”.

And it seems that a range of approaches are being entertained, with recital 11 discussing using biometric authentication for accessing digital wallets (while also noting potential rights risks as well as the need to ensure adequate security):

European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk. Using biometrics to authenticate is one of the identification methods providing a high level of confidence, in particular when used in combination with other elements of authentication. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organisational and security measures, commensurate to the risk that such processing may entail to the rights and freedoms of natural persons and in accordance with Regulation 2016/679.

In short, it’s clear that underlying the Commission’s big, huge idea of a unified (and unifying) European e-ID is a complex mass of requirements needed to deliver on the vision of a secure and trusted European digital ID that doesn’t just languish ignored and unused by most web users — some highly technical requirements, others (such as achieving the sought-for widespread adoption) no less challenging.

The impediments to success here certainly look daunting.

Nonetheless, lawmakers are ploughing ahead, arguing that the pandemic’s acceleration of digital service adoption has shown the pressing need to address eIDAS’ shortcomings — and deliver on the goal of “effective and user-friendly digital services across the EU”.

Alongside today’s regulatory proposal they’ve put out a Recommendation, inviting Member States to “establish a common toolbox by September 2022 and to start the necessary preparatory work immediately” — with a goal of publishing the agreed toolbox in October 2022 and starting pilot projects (based on the agreed technical framework) sometime thereafter.

“This toolbox should include the technical architecture, standards and guidelines for best practices,” the Commission adds, eliding the large cans of worms being firmly cracked open.

Still, its penciled-in timeframe for mass adoption — of around a decade — does a better job of illustrating the scale of the challenge, with the Commission writing that it wants 80% of citizens to be using an e-ID solution by 2030.

The even longer game the bloc is playing is to try to achieve digital sovereignty so it’s not beholden to foreign-owned tech giants. And an ‘own brand’, autonomously operated European digital identity does certainly align with that strategic goal.


Brazil’s idwall raises $38M for identity validation platform

Online fraud and identity theft are a global problem that has only been exacerbated by the increase in online transactions amid the COVID-19 pandemic. In particular, it is estimated that Brazilian companies lose over $41 billion to fraud every year.

In an attempt to tackle this problem head on, Lincoln Ando and Raphael Melo started idwall in mid-2016. São Paulo-based idwall started as an automated background check solution and has since grown into a suite of data and identity validation and risk analysis products. For the consumer market, its “MeuID” app is aimed at users who want to change the way they identify themselves and share their data.

And now the Brazilian regtech has raised $38 million in a Series C round led by Endurance.

GGV Capital, monashees, Canary, Qualcomm Ventures, ONEVC, Peninsula and Norte also participated in the funding, bringing its total raised to nearly $50 million.

The company says it has grown 1,458% between 2017 and 2020, with average growth of 144% per year. Its more than 300 clients include 10 unicorns, two out of the three biggest banks in Brazil and companies such as iFood, Claro, Cielo, Loggi, Ebanx, QuintoAndar and OLX, among others.

Fintechs make up a significant portion of its client base, and in 2020, the company saw its revenue from clients in the financial industry alone climb by 588% compared to 2019.

Idwall uses machine learning and AI to automate the onboarding process via its face match, background check, risk analysis, ID validation and automated optical character recognition (OCR) offerings to help companies avoid fraud.

The company said its APIs verify personal documents and information by searching in public and private databases “quickly and pursuant to the compliance rules.” Idwall does all this by first validating that an ID is authentic. Then it works to ensure the person using it is actually the owner of the ID. And lastly, it runs a full background check. It claims it does all this in less than three minutes.

“We help them do all these onboarding processes in a safer, better and faster way,” said idwall co-founder and CEO Ando.

Over the years, idwall has generated more than 65 million data reports for its clients, a number that it says surged by 5,000 times between 2017 and 2020. Those reports, it claims, have helped its clients scale their operations, register more of their own clients and optimize compliance and KYC processes, as well as reduce fraud.


In general, the pandemic’s drive to digital led to a massive increase in the number of digital bank accounts, mobile payment services and also of companies adjusting to digital platforms and/or expanding their digital operations — leading to a boom in business for idwall.

“The more digitized companies become, the more client expectations grow — and market competition grows stronger,” Ando said. “Our mission is to always stay ahead of innovation in our market, and that’s why we invest so much in growth and in building the best possible team to develop our products.”

Part of that includes using its new capital to recruit more developers, strengthen its existing products and release new ones. Idwall plans to increase its headcount from its current 200 to about 300 over the next few months. The company is also examining the possibility of expanding outside of Brazil to all of Latin America.

“Many of the identity validation and fraud problems faced in Brazil are seen in other Latin American countries as well,” Ando said. “Besides, places like Mexico and Colombia also have highly innovative companies pushing the envelope when it comes to identity and technology. We still have a lot to achieve in Brazil, but we see a big opportunity for us to take our mission even further.”

Still, recent regulatory changes in its home country of Brazil have also led to an increase in demand for idwall’s offerings.

In addition, Brazil’s documentation databases are highly siloed, the company says, with each state having its own model for the most common identity document, the RG (“Registro Geral” or “General Registry”). Plus, each citizen can be issued a different RG document in each state.

“It’s undeniable how much digital onboarding and automated identity validation processes are fundamental for the Latin American market to reach as far as it has the potential to,” Ando said. “It’s extremely difficult to understand and validate identification and personal data in Brazil.”

Also, in general, the company has observed how weary Brazilians are of having to show their IDs for routine events. Idwall helps with that via its aforementioned “MeuID” solution, which stores in a single wallet all the documents necessary for the onboarding processes of fintechs, startups, office buildings and other businesses.

Its investors are, naturally, bullish.

Hans Tung, GGV Capital’s managing partner, describes idwall as a “one-of-a-kind” startup.

“idwall is leading the discussions and innovations in Brazil regarding digital onboarding and identity validation,” he said. “And their B2C digital identity app MeuID could be the first true super-app in Latin America.”

GGV aims to invest in category leaders that are using technology to create positive impact for its users and for society, Tung added.

“The idwall founders are tackling a huge yet underserved problem in Brazil, and have led the company through terrific growth,” he said. “They have the ingredients to become the leading personal data platform in LatAm for the enterprise.”

Marcos Toledo, managing partner at Canary, notes that idwall was one of his firm’s first investments.

“Lincoln and Raphael’s abilities to build and scale a business solving a very relevant problem in Brazil have caught our attention,” he told TechCrunch. “Their culture, tech level and agility as a company also are very remarkable in the Brazilian market.”


Pulumi launches version 3.0 of its infrastructure-as-code platform

Pulumi was one of the first of what is now a growing number of infrastructure-as-code startups and today, at its developer conference, the company is launching version 3.0 of its cloud engineering platform. With 70 new features and about 1,000 improvements since version 2.0, this is Pulumi’s biggest release yet.

The new release includes features that range from support for Google Cloud as an infrastructure provider (now in preview) to a new Automation API that turns Pulumi into a library that can be called from other applications. This allows developers to write tools that can, for example, provision and configure dedicated infrastructure for each customer of a SaaS application.


The company is also launching Pulumi Packages and Components for creating opinionated infrastructure building blocks that developers can then call up from their preferred languages.

Also new is support for Pulumi’s CI/CD Assistant across all the company’s paid plans. This feature makes it easier to deploy cloud infrastructure and applications through more than a dozen popular CI/CD platforms, including the likes of AWS Code Service, Azure DevOps, CircleCI, GitLab CI, Google Cloud Build, Jenkins, Travis CI and Spinnaker. Until now, you needed to be on a Team Pro or Enterprise plan to use this, but it’s now available to all paying users.

In addition, the company is expanding some of its enterprise features with, for example, SAML SSO, SCIM synchronization and new role types.

“When we started out on Pulumi, we knew we wanted to enable developers and infrastructure teams to collaborate more closely to build more innovative software,” said Joe Duffy, Pulumi co-founder and CEO. “What we didn’t know yet is that we’d end up calling this ‘Cloud Engineering,’ that our customers would call it that too, and that they would go on this journey with us. We are now centering our entire platform around this core idea which is now accelerating as the modern cloud continues to disrupt entire business models. Pulumi 3.0 is an exciting milestone in realizing this vision of the future — democratizing access to the cloud and helping teams build better software together — with much more to come.”


Building customer-first relationships in a privacy-first world is critical

In business today, many believe that consumer privacy and business results are mutually exclusive — to excel in one area is to lack in the other. Consumer privacy is seen by many in the technology industry as an area to be managed.

But the truth is, the companies who champion privacy will be better positioned to win in all areas. This is especially true as the digital industry continues to undergo tectonic shifts in privacy — both in government regulation and browser updates.

By the end of 2022, all major browsers will have phased out third-party cookies — the tracking codes placed on a visitor’s computer by a website other than the one the visitor is actually viewing. Additionally, mobile device makers are limiting the identifiers allowed on their devices and applications. Across industry verticals, the global enterprise ecosystem now faces a critical moment in which digital advertising will be forever changed.

Up until now, consumers have enjoyed a mostly free internet experience, but as publishers adjust to a cookie-less world, they could see more paywalls and less free content.

They may also see a decrease in the creation of new free apps, mobile gaming, and other ad-supported content unless businesses find new ways to authenticate users and maintain a value exchange of free content for personalized advertising.

When consumers authenticate themselves to brands and sites, they create revenue streams for publishers as well as the opportunity to receive discounts, first-looks, and other specially tailored experiences from brands.

To protect consumer data, companies need to architect internal systems around data custodianship versus acting from a sense of data entitlement. While this is a challenging and massive ongoing evolution, the benefits of starting now are enormous.

Putting privacy front and center creates a sustainable digital ecosystem that enables better advertising and drives business results. There are four steps to consider when building for tomorrow’s privacy-centric world:

Transparency is key

As we collectively look to redesign how companies interact with and think about consumers, we should first recognize that putting people first means putting transparency first. When people trust a brand’s or publisher’s intentions, they are more willing to share their data and identity.

This process, where consumers authenticate themselves — or actively share their phone number, email or other form of identity — in exchange for free content or another form of value, allows brands and publishers to get closer to them.


Socure raises $100M at $1.3B valuation, proving identity verification is hotter than ever

The COVID-19 pandemic has accelerated digital adoption in a way that no one could have ever anticipated, and as more people conduct more services online and via mobile devices, businesses have had to work even harder to validate users and security. One company working to serve that need, Socure – which uses AI and machine learning to verify identities – announced Tuesday that it has raised $100 million in a Series D funding round at a $1.3 billion valuation.

Given how much of our lives have shifted online, it’s no surprise that the U.S. digital identity market is projected to increase to over $30 billion by 2023 from just under $15 billion in 2019, according to One World Identity. This has led to skyrocketing demand for the services provided by identity verification companies.

Historically, Socure has been focused on the financial services industry, but it plans to use its new capital to further expand into “every consumer-facing vertical” including online gaming, healthcare, telco, e-commerce, and on-demand services.

The startup’s predictive analytics platform applies artificial intelligence and machine-learning techniques with online/offline data intelligence (from email, phone, address, IP, device, velocity, and the broader internet) to verify that people are, in fact, who they say they are when applying for various accounts.

Today, Socure has more than 350 customers including three top five banks, six top 10 card issuers, a “top” credit bureau and over 75 fintechs such as Varo Money, Public, Chime, and Stash.

Accel led Socure’s latest financing, which included participation from existing backers Commerce Ventures, Scale Venture Partners, Flint Capital, Citi Ventures, Wells Fargo Strategic Capital, Synchrony, Sorenson, Two Sigma Ventures, and others.

The round comes less than six months after the company raised $35 million in a round led by Sorenson Ventures, and brings the New York-based company’s total raised to $196 million since its 2012 inception.

Socure founder and CEO Johnny Ayers says his company’s identity management products can help B2C enterprises achieve know-your-customer (KYC) auto-approval rates of up to 97%. This means that financial institutions can more easily catch fraud, for example, via Socure’s single API. The company also claims that by more easily verifying thin-file consumers (those without much credit history) and young consumers, it can help reduce the underbanked population.

The company plans to use its new capital to also enhance its product offering as it continues to develop patents.

Accel partner Amit Jhawar will join Socure’s board as part of the funding round.

In a blog post, Jhawar described Socure as “a purpose-built solution designed to handle the wave of new online users because its machine learning models have learned from every identity it has already seen.”

As former COO at Braintree and general manager at Venmo, Jhawar knows a thing or two about the importance of identity verification, especially in the financial services space.

He wrote: “I knew immediately that the Socure solution would be a game-changer because the solution can be used in every step of the customer lifecycle, from account creation to login to transaction.”

Socure also has hinted that it has an IPO in its future.

In a written statement, Ayers said: “We are incredibly grateful for the chance to innovate and partner to solve this problem with some of the greatest companies in the world and are energized for the opportunities that lay ahead for Socure, especially as we make our march to a potential IPO.”

TechCrunch has reached out to Socure and will update this story with more details.


Okta acquires cloud identity startup Auth0 for $6.5B

As Okta announced earnings today after the bell, it revealed that it’s buying cloud identity startup Auth0 for a hefty $6.5 billion. The company had a valuation of $1.92 billion when it raised $120 million led by Salesforce Ventures last July.

With Auth0, Okta gets a cloud identity company that helps developers embed identity management into applications, adding an entirely new dimension to its identity platform. “Today, we’re taking a significant step forward — I’d go so far to call it a “leap” — to enhance the Okta Identity Cloud. We announced our agreement to join forces with Auth0, a leading identity platform for developers,” Okta co-founder and CEO Todd McKinnon wrote in a blog post announcing the deal.

Auth0 users can breathe a sigh of relief in that McKinnon writes that the company will operate as an independent unit inside of Okta as they look for paths to integration in the coming months.

Eugenio Pace, co-founder and CEO of Auth0, sees his company together with Okta as a powerful combination in the identity management space, and he’s not just hyping the deal when he says that. “Together, we can offer our customers workforce and customer identity solutions with exceptional speed, simplicity, security, reliability and scalability. By joining forces, we will accelerate our customers’ innovation and ability to meet the needs and demands of consumers, businesses and employees everywhere,” Pace said in a statement.

Okta had a pretty good quarter too while it was at it, announcing $234.7 million in revenue, up 40% year over year, but Wall Street appears to be unhappy with the deal, with the stock price down 6.9% in after-hours trading.

Auth0 was founded in 2013 and raised over $300 million along the way. In addition to Salesforce Ventures, other investors included Sapphire Ventures, Bessemer Venture Partners and Meritech Capital Partners.

This is a breaking story. More to come.


Identiq, a privacy-friendly fraud prevention startup, secures $47M at Series A

Israeli fraud prevention startup Identiq has raised $47 million at Series A as the company eyes international growth, driven in large part by the spike in online spending during the pandemic.

The round was led by Insight Partners and Entrée Capital, with participation from Amdocs, Sony Innovation Fund by IGV, as well as existing investors Vertex Ventures Israel, Oryzn Capital, and Slow Ventures.

Fraud prevention is big business, slated to be worth $145 billion by 2026, ballooning eightfold in size compared to 2018. But it’s a data-hungry industry, fraught with security and privacy risks, having to rely on sharing enormous sets of consumer data in order to learn who the legitimate customers are so as to weed out the fraudsters, and therefore.

Identiq takes a different, more privacy-friendly approach to fraud prevention, without having to share a customer’s data with a third party.

“Before now, the only way companies could solve this problem was by exposing the data they were given by the user to a third party data provider for validation, creating huge privacy problems,” Identiq’s chief executive Itay Levy told TechCrunch. “We solved this by allowing these companies to validate that the data they’ve been given matches the data of other companies that already know and trust the user, without sharing any sensitive information at all.”

When an Identiq customer — such as an online store — sees a new customer for the first time, the store can ask other stores in Identiq’s network if they know or trust that new customer. This peer-to-peer network uses cryptography to help online stores anonymously vet new customers to help weed out bad actors, like fraudsters and scammers, without needing to collect private user data.

So far, the company says it already counts Fortune 500 companies as customers.

Identiq said it plans to use the $47 million raise to hire and grow the company’s workforce, and aims to scale up its support for its international customers.


SailPoint is buying Saas management startup Intello

SailPoint, an identity management company that went public in 2017, announced today that it is acquiring Intello, an early-stage SaaS management startup. The two companies did not share the purchase price.

SailPoint believes that by helping its customers locate all of the SaaS tools being used inside a company, it can help IT make the company safer. Part of the problem is that it’s so easy for employees to deploy SaaS tools without IT’s knowledge, and Intello gives them more visibility and control.

In fact, the term ‘shadow IT’ developed over the last decade to describe this ability to deploy software outside of the purview of IT pros. With a tool like Intello, they can now find all of the SaaS tools and point the employees to sanctioned ones, while shutting down services the security pros might not want folks using.

Grady Summers, EVP of product at SailPoint says that this problem has become even more pronounced during the pandemic as many companies have gone remote, making it even more challenging for IT to understand what SaaS tools employees might be using.

“This has led to a sharp rise in ungoverned SaaS sprawl and unprotected data that is being stored and shared within these apps. With little to no visibility into what shadow access exists within their organization, IT teams are further challenged to protect from the cyber risks that have increased over the past year,” Summers explained in a statement. He believes that with Intello in the fold, it will help root out that unsanctioned usage and make companies safer, while also helping them understand their SaaS spend better.

Intello has always seen itself as a way to increase security and compliance and has partnered in the past with other identity management tools like Okta and Onelogin. The company was founded in 2017 and raised $5.8 million according to Crunchbase data. That included a $2.5 million extended seed in May 2019.

Yesterday, another SaaS management tool, Torii, announced a $10 million Series A. Other players in the SaaS management space include BetterCloud and Blissfully, among others.


Okta launches its new open-source design system with a focus on accessibility

Identity and access management service Okta today launched its new design system, both for its own corporate and brand use, but also as an open-source project under the Apache 2.0 license. The Odyssey Design System, as the company calls it, is similar to the likes of Google’s Material Design or Microsoft’s Fluent Design. It may not have quite the same number of features, but what makes it stand out is a focus on accessibility, with every element of the design system being compliant with the W3C’s Web Content Accessibility Guidelines.

Brian Hansen, Okta’s SVP of Design, told me that until now, the company didn’t really have a unified design system. Instead, it had what he called a “glorified pattern library.” And while the engineers loved it, because it allowed them to build new UIs quickly, it was hard for the team to add new patterns. “And so it was limited in what it could do,” Hansen said. “And what you ended up having to do sometimes is compromise — particularly as a designer — and kind of shove the square peg into the round hole.”


Now that Okta has moved beyond its early startup roots, though, the team decided that it was time to go back to the drawing board and build a more fully-featured design system for the company — and you may soon see it yourself in Okta’s sign-in widget, which is where most users are likely to encounter it. But it’s worth remembering that Okta, the platform, also offers a plethora of backend tools for admins that most users never see. Those admins typically want a very information-dense user experience and a design that makes it easy for them to get things done and move on. Okta’s third group of users, Hansen stressed, is developers and what matters a lot to them — in addition to all the technical details — is documentation, which has to be easily readable (from a design perspective).

As Hansen noted, though, internally it wasn’t a realistic project to simply switch every surface area to Odyssey at once. “As a designer, you want everything to be perfect all at once. But you also have to be pragmatic and live with some things that aren’t perfect,” he acknowledged. So while the Okta brand is now getting this refresh, along with some of the user-facing services, it’ll take a while before every Okta service can make this move.

For the admin console, for example, Hansen’s team decided that it would take years to switch out the UI. So instead, the team opted for a bridge strategy where it created style sheets to essentially mimic the Odyssey design. “Then we can cut over to Odyssey-native components and they’ll blend in. We can’t have a Franken app — we can’t have two different generations of UI coexisting. That to me just ruins trust. No one would be happy with that,” Hansen said.

Developers who want to give Odyssey a try for their own projects can do so and explore the different components it has to offer. And designers can try it out in Figma, too.


Privacy is the new competitive battleground

In November, Californians voted to pass Proposition 24, a ballot measure that imposes new regulations on the collection of data by businesses. As part of the California Privacy Rights Act (CPRA), individuals will now have the right to opt out of the sharing and sale of their personal information, while companies must “reasonably” minimize data collection to protect user privacy.

For companies like Apple, Facebook, Uber and Google, all of which are headquartered in California, these new requirements may seem like a limitation on their existing data collection capabilities.

Looking more closely, it’s a nuanced story: By not only meeting the demands of these new regulations but exceeding them, companies have an opportunity to differentiate themselves from competitors to grow their bottom line, thanks to new technologies that put data privacy in the hands of consumers.

Take Apple, the world’s most valuable tech company, as an example. When Google and Facebook — two of Apple’s largest competitors — were under fire for exploiting customer data, CEO Tim Cook saw an opportunity to turn privacy into a competitive advantage.

The tech giant rolled out a suite of new privacy-maximizing features, including a new Sign In With Apple feature that allows users to securely log in to apps without sharing personal information with the apps’ developers. More recently, the company updated its privacy page to better showcase how its flagship apps are designed with privacy in mind.

By not only meeting the demands of these new regulations but exceeding them, companies have an opportunity to differentiate themselves from their competition.

This doubling down on privacy took center stage in the company’s marketing campaigns, too, with “Privacy Matters” becoming the central message of its prime-time air spots and its 10,000+ billboards around the world.

And of course, the company could hardly resist taking the occasional jab at its data-hungry competitors:

“The truth is, we could make a ton of money if we monetized our customer — if our customer was our product,” said Cook in an interview with MSNBC. “We’ve elected not to do that.”

Apple’s commitment to privacy not only puts them in a stronger position to comply with new CPRA regulations. It also sends a strong message to an industry that has profited off of customer data, and an even stronger message to consumers: It’s time to respect personal data.

The growing demand for privacy

The prioritization of consumer data privacy comes out of a need to address growing consumer concerns, which have consistently made headlines in recent years. Attention-grabbing stories such as the Cambridge Analytica data privacy scandal, as well as major breaches at companies such as Equifax, have left consumers wondering whom they can trust and how they can protect themselves. And the research is pretty conclusive — consumers want more out of their businesses and governments:

  • Only 52% of consumers feel like they can trust businesses, and only 41% worldwide trust their governments (Edelman).
  • 85% of consumers believe businesses should be doing more to actively protect their data (IBM).
  • 61% of consumers say their fears of having personal data compromised have increased in the last two years (Salesforce).

It’s hard to say exactly how this trust crisis will manifest in the global economy, but we’ve already seen several large boycotts, like the #DeleteFacebook movement, and a staggering 75% of consumers who say they won’t purchase from a company they don’t trust with their data.

And it’s not just Big Tech. From loyalty programs and inventory planning to smart cities and election advertising, it’s hard to overestimate the appetite — and effect — of using data to optimize processes and drive behavioral change.

As we look toward a new data-driven decade, however, we’re starting to realize the cost of this big data arms race: Consumers have lost trust in both the private and public sectors.

Private sector initiatives like Apple’s strengthened commitment to privacy, alongside public policy legislation like the CPRA, have the potential to not only build back consumer trust but to go even further beyond the minimum requirements. Thanks to new technologies like self-sovereign identity, companies can transform their data privacy policies, while cutting costs, reducing fraud and improving customer experiences.

The value of SSI

Self-sovereign identity (or SSI) leverages a thin layer of distributed ledger technology and a dose of very advanced cryptography to enable companies to prove the identities of their customers, without putting privacy at risk.

At its simplest, SSI is a way of giving consumers more control over their personal information. It lets consumers digitally store and manage personal information, in the form of verifiable credentials issued and signed by a trusted authority (such as a government, bank or university), in a way that cannot be altered, embellished or manipulated. Consumers can then share this information when, where and with whom they wish as a way of proving things about themselves.

While sharing digital records online is nothing new, SSI changes the game in two fundamental ways:

  1. Organizations can capture the required data, without overcollection. Unlike the physical credentials we carry in our wallets, like driver’s licenses and insurance cards, a digital verifiable credential can be divided into individual attributes, which can be shared separately.

The classic example is walking into a bar and showing the bouncer your driver’s license to verify that you are of legal age. The card reveals the necessary data, but it also includes information that the bar has no business knowing — such as your name and address. With verifiable credentials, we can share proof of age without revealing anything else.

For sensitive cases, self-sovereign identity even allows us to cryptographically prove something about ourselves without revealing the actual data. In this case, we could provide a yes/no answer to whether we are of a legal age, without revealing our date of birth.

For individuals, data minimization represents a great stride forward in privacy. For organizations, it’s a way of avoiding the massive liability of storing and securing excess personally identifiable information.

  2. Correlation becomes much, much harder. While there are those who say privacy is a myth and our data will all be correlated anyway, self-sovereign identity protects us against many of the leading concerns with other digital identity solutions.

For example, if we look at other tools that give us some level of data portability, like single sign-on, there is always a concern that a single player in the middle can track what we do online. There’s a reason those Facebook ads are eerily relevant: They know every site and app we have signed into using our Facebook profile.

With SSI, there’s no one player or centralized registry in the middle. Verifiers (those requesting an identity verification) can verify the authenticity cryptographically, meaning they don’t have to “phone home” to the original credential issuer and the credential issuer has no way of knowing when, where or to whom a credential was shared. No correlatable signatures are shared, and your digital identity is truly under your control and for your eyes only.
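The two properties just described, selective disclosure of single attributes and offline verification without a call back to the issuer, can be shown concretely. The following Go program is an added example written for this page; it is not code from the article or from any SSI vendor. It assumes a hypothetical issuer named `dmv.example`, uses a salted-hash selective-disclosure construction (the same idea behind SD-JWT style credentials) with an Ed25519 signature from Go's standard library, and treats `over_21` as a boolean attribute the issuer signed rather than a zero-knowledge predicate over the date of birth. Two caveats a practitioner should keep in mind: the issuer's signature is identical in every presentation, so this simplified scheme is still correlatable across verifiers (the unlinkability the article describes needs signature schemes built for it, such as BBS+ or CL signatures), and the issuer's public key is assumed to be known to the verifier in advance, which is the role the ledger plays in real deployments.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Disclosure opens one attribute. The verifier needs the issuer's salt; without
// it, low-entropy values such as "true" could be guessed from the commitment.
type Disclosure struct {
	Name, Value, Salt string
}

// Credential is all a verifier sees besides the opened attributes: issuer name,
// one salted commitment per attribute, and the issuer's signature over both.
// Clear-text attribute values are never part of it.
type Credential struct {
	Issuer      string            `json:"issuer"`
	Commitments map[string]string `json:"commitments"` // name -> hex(SHA-256(salt, name, value))
	Signature   []byte            `json:"-"`           // excluded from the signed bytes
}

// NewIssuerKey makes an Ed25519 key pair for the hypothetical issuer; verifiers
// would fetch the public key once from a ledger or registry, never per check.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// commit hashes salt, name and value with length prefixes so that no two
// (salt, name, value) triples share an encoding.
func commit(salt, name, value string) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d:%s%d:%s%d:%s", len(salt), salt, len(name), name, len(value), value)))
	return hex.EncodeToString(h[:])
}

// signedBytes is the canonical payload under the signature; encoding/json emits
// map keys in sorted order, so issuer and verifier hash identical bytes.
func signedBytes(c Credential) ([]byte, error) { return json.Marshal(c) }

// Issue signs commitments to attrs and returns the credential plus the
// per-attribute openings, which stay in the holder's wallet.
func Issue(issuer string, key ed25519.PrivateKey, attrs map[string]string) (Credential, map[string]Disclosure, error) {
	cred := Credential{Issuer: issuer, Commitments: map[string]string{}}
	held := map[string]Disclosure{}
	for name, value := range attrs {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			return Credential{}, nil, err
		}
		salt := hex.EncodeToString(raw)
		cred.Commitments[name] = commit(salt, name, value)
		held[name] = Disclosure{name, value, salt}
	}
	body, err := signedBytes(cred)
	if err != nil {
		return Credential{}, nil, err
	}
	cred.Signature = ed25519.Sign(key, body)
	return cred, held, nil
}

// Present picks the openings the holder is willing to share; every other
// attribute stays hidden behind its commitment.
func Present(held map[string]Disclosure, reveal ...string) []Disclosure {
	var out []Disclosure
	for _, name := range reveal {
		if d, ok := held[name]; ok {
			out = append(out, d)
		}
	}
	return out
}

// Verify needs only the issuer's public key: there is no call back to the
// issuer, so the issuer never learns where or to whom the credential was shown.
func Verify(cred Credential, disclosed []Disclosure, issuerPub ed25519.PublicKey) (map[string]string, error) {
	body, err := signedBytes(cred)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(issuerPub, body, cred.Signature) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	revealed := map[string]string{}
	for _, d := range disclosed {
		want, ok := cred.Commitments[d.Name]
		if !ok {
			return nil, fmt.Errorf("attribute %q is not in the credential", d.Name)
		}
		if commit(d.Salt, d.Name, d.Value) != want {
			return nil, fmt.Errorf("attribute %q does not match its signed commitment", d.Name)
		}
		revealed[d.Name] = d.Value
	}
	return revealed, nil
}

func main() {
	pub, priv, _ := NewIssuerKey()
	// Constructed sample data: a hypothetical licence issuer and one holder.
	cred, held, _ := Issue("dmv.example", priv, map[string]string{
		"name": "Ada Lovelace", "address": "1 Example Street", "dob": "1990-05-01", "over_21": "true"})
	// The bar learns over_21 only; name, address and dob remain opaque commitments.
	fmt.Println(Verify(cred, Present(held, "over_21"), pub))
}
```

The holder's wallet keeps the `held` map; the verifier receives `cred` and the one `Disclosure` for `over_21`, and rejects a presentation whose opened value has been altered, whose attribute was never signed, or whose commitment map has been edited after signing.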

As a result, the consumer benefits from better privacy and security, while businesses benefit from:

  • Reduced fraud, with better, more accurate data verification at the time of account creation.
  • Reduced friction, with a dramatically faster sign-up process.
  • Reduced costs, both from time savings and from smarter KYC compliance (which normally costs large banks $500 million+ each year).
  • Increased efficiency, with less back-and-forth verifying third-party data.
  • Better customer experiences, with the ability to create a personalized, omnichannel customer experience without data harvesting.

And it’s not science fiction, either. Several major governments, businesses and NGOs have already launched self-sovereign solutions. These include financial institutions like UNIFY, Desert Financial and TruWest, healthcare organizations like Providence Health and the NHS, and telecom and travel giants like LG and the International Air Transport Association.

It’s not clear how soon the technology will become ubiquitous, but it is clear that privacy is quickly emerging as the next competitive battleground. Newly passed regulations like CPRA codify the measures companies need to take, but it’s consumer expectations that will drive long-term shifts within the companies themselves.

For those ahead of the curve, there will be significant cost savings and growth — especially as customers start to shift their loyalty toward those businesses that respect and protect their privacy. For everyone else, it will be a major wake-up call as consumers demand to take back their data.

#column, #cryptography, #digital-identity, #digital-rights, #identity-management, #personal-data, #privacy

Google, Intel, Zoom and others launch a new alliance to get enterprises to use more Chrome

A group of industry heavyweights, including Google, Box, Citrix, Dell, Imprivata, Intel, Okta, RingCentral, Slack, VMware and Zoom, today announced the launch of the Modern Computing Alliance (moderncomputing.com).

The mission for this new alliance is to “drive ‘silicon-to-cloud’ innovation for the benefit of enterprise customers — fueling a differentiated modern computing platform and providing additional choice for integrated business solutions.”

Whoever wrote this mission statement was clearly trying to see how many words they could use without actually saying something.

Here is what the alliance is really about: even though the word Chrome never appears on its homepage and Google’s partners never quite get to mentioning it either, it’s all about helping enterprises adopt Chrome and Chrome OS. “The focus of the alliance is to drive innovation and interoperability in the Google Chrome ecosystem, increasing options for enterprise customers and helping to address some of the biggest tech challenges facing companies today,” a Google spokesperson told me.

I’m not sure why it’s not called the Chrome Enterprise Alliance, but Modern Computing Alliance may just have more of a ring to it. This also explains why Microsoft isn’t part of it, though this is only the initial slate of members and others may follow at some point in the future.

Led by Google, the alliance’s focus is on bringing modern web apps to the enterprise, with a focus on performance, security, identity management and productivity. And all of that, of course, is meant to run well on Chrome and Chrome OS and be interoperable.

“The technology industry is moving towards an open, heterogeneous ecosystem that allows freedom of choice while integrating across the stack. This reality presents both a challenge and an opportunity,” Google’s Chrome OS VP John Solomon writes today.

As enterprises move to the cloud, building better web applications and maybe even Progressive Web Applications that work just as well as native solutions is obviously a noble goal and it’s nice to see these companies work together. Given the pandemic, all of this has taken on a new urgency now, too. The plan is for the alliance to release products — though it’s unclear what form these will take — in the first half of 2021. Hopefully, these will play nicely with any browser. A lot of these ‘alliances’ fizzle out quite quickly, so we’ll keep an eye on what happens here.

Bonus: the industry has a long history of alliances like these. Here’s a fun 1991 story about a CPU alliance between Intel, IBM, MIPS and others.

#chrome, #chrome-os, #citrix, #citrix-systems, #cloud-computing, #computing, #dell, #google, #google-chrome, #ibm, #identity-management, #intel, #microsoft, #mips, #okta, #operating-systems, #os, #ringcentral, #software, #spokesperson, #tc, #vmware, #web-applications, #web-apps, #web-browsers, #zoom

WeWork employees used an alarmingly insecure printer password

A shared user account used by WeWork employees to access printer settings and customer print jobs had an incredibly simple password — so simple that a customer guessed it.

Jake Elsley, who works at a WeWork in London, said he found the user account after a WeWork employee at his location mistakenly left the account logged in.

WeWork customers like Elsley normally have an assigned seven-digit username and a four-digit passcode used for printing documents at WeWork locations. But the username for the account used by WeWork employees was just four digits: “9999”. Elsley told TechCrunch that he guessed the password because it was the same as the username. (“9999” is ranked as one of the most common passwords in use today, making it highly insecure.)

The “9999” account is used by and shared among WeWork community managers, who oversee day-to-day operations at each location, to print documents for visitors who don’t have accounts to print on their own. The account cannot be used to access print jobs sent to other customer accounts.

Elsley said that the “9999” account could not see the contents of documents beyond file names, but that logging in to the WeWork printing web portal could allow him to release other people’s pending print jobs sent to the “9999” account to any other WeWork printer on the network.

The printing web portal can only be accessed on WeWork’s Wi-Fi networks, said Elsley, but that includes the free guest Wi-Fi network which doesn’t have a password, and WeWork’s main Wi-Fi network, which still uses a password that has been widely circulated on the internet.

Elsley reached out to TechCrunch to ask us to alert the company to the insecure password.

“WeWork is committed to protecting the privacy and security of our members and employees,” said WeWork spokesperson Colin Hart. “We immediately initiated an investigation into this potential issue and took steps to address any concerns. We are also nearing the end of a multi-month process of upgrading all of our printing capabilities to a best in class security and experience solution. We expect this process to be completed in the coming weeks.”

WeWork confirmed that it had since changed the password on the “9999” user account.

#articles, #economy, #identity-management, #london, #security, #spokesperson, #startups, #web-portal, #wework, #wi-fi

Privacy data management innovations reduce risk, create new revenue channels

Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.

Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.

Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.

The first wave of innovation

A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:

Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.

Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.

#artificial-intelligence, #b2c, #collaboration-tools, #column, #data-protection, #data-security, #enterprise, #general-data-protection-regulation, #identity-management, #machine-learning, #privacy, #security, #startups

Google is making autofill on Chrome for mobile more secure

Google today announced a new autofill experience for Chrome on mobile that will use biometric authentication for credit card transactions, as well as an updated built-in password manager that will make signing in to a site a bit more straightforward.

Chrome already uses the W3C WebAuthn standard for biometric authentication on Windows and Mac. With this update, this feature is now also coming to Android.

If you’ve ever bought something through the browser on your Android phone, you know that Chrome always asks you to enter the CVC code from your credit card to ensure that it’s really you — even if you have the credit card number stored on your phone. That was always a bit of a hassle, especially when your credit card wasn’t close to you.

Now, you can use your phone’s biometric authentication to buy those new sneakers with just your fingerprint — no CVC needed. Or you can opt out, too, since you’re not required to enroll in this new system.

As for the password manager, the update here is the new touch-to-fill feature that shows you your saved accounts for a given site through a standard Android dialog. That’s something you’re probably used to from your desktop-based password manager already, but it’s definitely a major new built-in convenience feature for Chrome — and the more people opt to use password managers, the safer the web will be. This new feature is coming to Chrome on Android in the next few weeks, but Google says that “is only the start.”

#access-control, #android, #biometrics, #computing, #cryptography, #google, #identification, #identity-management, #internet-security, #password, #password-manager, #smartphones, #tc

The coronavirus has hastened the post-human era

In the mid-1970s, Professor Fereidoun M. Esfandiary decided to change his name. From then on he would be legally called “FM-2030.”

“Conventional names define a person’s past: ancestry, ethnicity, nationality, religion. I am not who I was ten years ago … The name 2030 reflects my conviction that the years around 2030 will be a magical time. In 2030 we will be ageless and everyone will have an excellent chance to live forever. 2030 is a dream and a goal,” he offered in explanation.

It didn’t hurt that by 2030 he would be 100 years old, an age he was sure he would reach.

Already in his forty-odd years of living, FM — which some speculated stood for “Future Man” — defied easy categorization. The son of an Iranian diplomat, he’d lived in 17 countries by the age of 11 and would go on to represent his country’s basketball team at the 1948 Olympic Games before beginning an academic career. He was educated at Berkeley and UCLA, later becoming one of the first professors of futurology at the New School. It was there that he would begin to espouse his “new concepts of the human,” discussing the steps necessary to transition to the age of post-humanity. FM described this as an epoch in which Homo sapiens became “post-biological organisms,” transcending the limits of their body through technology.

Much of the 21st century has seen us hurtle toward a post-human future, fulfilling predictions FM made half a century earlier. Over the course of his career, he foresaw the creation of 3D printers — which he referred to as “Santa Claus machines” — along with the advent of telemedicine, teleconferencing, teleshopping and genetic editing.

Though that suggests the process of post-humanization is well under way, we may look back on 2020 and the coronavirus crisis as a crossing over. A time in which our relationship to core aspects of our humanity is fundamentally remade. In particular, I believe we are seeing meaningful recalibrations of our relationship to identity, labor, health and love. In short, the post-human era is beginning in earnest.

Identity

The shift to a locked-in world has accelerated the acceptance of identity as distinct from physical body or place. We still want to communicate, socialize and play during this time, but have only a digital version to offer. Those constraints are forcing new expressions of selfhood, from the Zoom background used to express a personal interest or make a joke, to the avatars roaming rich, interactive metaverses. Nintendo has seen millions turn to Animal Crossing to socialize, trade virtual assets and host both weddings and conferences, while Travis Scott’s surreal performance inside of Fortnite attracted 12.3 million concurrent views, and 27.7 million unique attendees. We are showcasing even the darker aspects of our nature via these platforms, with some on Animal Crossing bullying and torturing villagers they deem “ugly.”

Tools like Pragli illustrate how this development manifests in the workplace beyond Zoom backgrounds ripped from “Tiger King” or “Love Is Blind.” Rather than hopping onto a video call with co-workers, Pragli offers the ability to connect with anime-style avatars of your officemates. Changing one’s appearance on the platform is determined by the options the company rolls out, with a recent update showcasing the ability for men to sport a bun, braid or ponytail. Set “happy” or “sad” expressions blur the lines between real and performative feelings.

All of this is in stark contrast to the masked, distant, de-individuated person we show outside our homes, something a little less than human. There are indications that this redacted version of ourselves is becoming something of a style. G95’s “biohoodie” features a built-in face-cover, while creative studio Production Club showed off a hazmat suit designed for socializing. Even once the worst is over, we may see a new cautiousness and implied distance expressed in fashion.

Labor

“Work gives you meaning and purpose and life is empty without it,” said Stephen Hawking. Whether that is an assessment you agree with, much of our conception of ourselves is tied up in our labor. COVID-19 is accelerating a shift away from humans and toward machines, doing so at a time in which we may actually feel grateful for cyborg usurpers as they keep critical services running and spare us from disease. Neolix, a Chinese manufacturer of driverless vans, has seen a spike in demand since the outbreak and has been trusted to ferry food and medical supplies, and to disinfect streets. Suppliers like AMP, UVD, Nuro and Starship have experienced a similar surge, while the order books of industrial behemoths like Harmonic Drive and Fanuc suggest more universal demand. The latter saw orders increase 7% between Q4 and March.

This insinuation is not limited to manual labor. With customer support and moderation offices closing down, many companies are aggressively employing AI solutions. Facebook and Google have expanded automated moderation, while PayPal used chatbots for 65% of customer inquiries in recent weeks, a record for the firm.

Those lucky enough to retain their jobs may face a very different work environment in which they are forced to collaborate with robots and be treated as an increasingly mechanized system themselves. Walmart greeters will stand side-by-side with automated floor-scrubbers, and McDonald’s cooks may soon be joined by a kitchen full of bionic sous-chefs. Amazon warehouse workers — old hands at human-robot collaboration thanks to the company’s acquisition of Kiva Systems — must adapt to being managed more like their pallet-ferrying co-workers, with temperatures monitored by thermal cameras. That is just a small part of the broader surveillance blitz being undertaken around the world and across industries. China is installing more cameras to monitor the comings and goings of citizens, while companies dip into budgets to purchase “tattleware,” software designed to surveil employees. Among the beneficiaries are companies like InterGuard, which provide minute-by-minute breakdowns of how workers spend time online. Sneek takes photos of workers as often as once a minute. The company’s CEO joked that the “sneeksnap” command came in particularly handy when a colleague did something embarrassing like picking their nose.

Health

Much of our waking life is filled with health-related ruminations. As we become more aware of our vulnerabilities, we are turning to technologies to extend corporeal limitations, treating our bodies more like software with which we can experiment. Consumers are turning to immunity-boosting supplements such as Vitamin C and zinc, which have soared in sales, in addition to courting riskier treatments like “rectal ozone insufflations,” peddled by influencers. Spurred on by world-leaders like Trump and Brazilian president Jair Bolsonaro, demand for hydroxychloroquine has grown rapidly, with prescriptions increasing ~500%.

Whatever your opinion of the president or the treatment in question, this represents a rapid, iterative model of medicine more akin to the Silicon Valley mantra of “move fast and break things” than a considered FDA approval process. Biohacking communities, a group with high-tolerance for health-related risks, are teaming up online to research COVID-19 vaccines on their own time. “Biohacking used to be a fringe space, but I think this is becoming a kind of breakout moment for things like DIY biology and community labs and hackerspaces,” one contributor noted.

Beyond immediate experimentation, we are looking to extend the limits of our bodies in order to accommodate changing plans for the future. Reports suggest that men have turned to at-home sperm collection companies like Legacy during quarantine, motivated by fears of diminished fertility and perhaps the acknowledgment that with life on hold, children may have to wait. That certainly seems to be the case for 1,894 women surveyed by Modern Fertility and SoFi: 31% noted that the pandemic had affected their fertility plans, while 41% stated they are delaying childbearing because of the coronavirus.

Love

“The trouble is not that I am single and likely to stay single,” novelist Charlotte Brontë once wrote, “but that I am lonely and likely to stay lonely.”

The current state of affairs does not offer many ways to amend that state of misery, prompting some to turn to AI companions. Created in 2015, Replika provides a sympathetic texting partner, designed to serve as a digital therapist. But for many of the company’s 500K monthly active users, Replika is too charming to resist: up to 40% consider the bot a romantic partner. The coronavirus may serve as the ideal catalyst for relationships between humans and artificial personalities to deepen. There are signs we may already prefer their company: research on Microsoft’s XiaoIce indicated that conversations with the chatbot last longer than human-to-human interactions.

For those committed to finding love among creatures of blood and bone, the pandemic has forced a recalibration of what it means to date. Interactions take place almost entirely online, through chat or video calls, changing the necessary criteria for a match. Location matters much less now than availability and responsiveness. When the desire for touch, or “skin hunger” as it is gruesomely called, becomes too much to bear, interested parties must navigate a meeting. In the process, we treat partners as potential threats, owners of a corpus that may endanger us, despite best intentions. In doing so, we view the individual as distinct from their body, a separate being in possession of a liability with which we must negotiate. Depending on the length of the pandemic, we may see this fear harden into an unconscious aversion, reviving the disgust for the corporeal felt by more puritanical eras. These mores may take time to correct.

The self, as we know it, is being decimated. That may not be a bad thing. As identity moves online, as work is stripped from us, as our physical bodies are optimized like an OS, as love sheds its carnality, new opportunities will emerge. Humans will find meaning in new modes of self-expression, discover purpose beyond work (or reclassify what work means), reengineer physical limits as “biology eats the world” and find affection in new beings. We are undergoing a period of Schumpeterian “creative destruction,” felt at the anthropological rather than industrial level. Great things may come of it.

For FM-2030, the future was something at which to marvel, where “people will belong to no specific families or factions … we will free-flow across the planet and beyond. Highly individual yet universal.” Though the changes wrought by the coronavirus appear bleak, some of FM’s vision feels true: We are united as a world, fighting against a common enemy, more connected than ever before. Perhaps, in time, the rest of FM’s dream will be made manifest.

For all of his prescience, however, FM-2030 got one prediction very wrong. He did not make his 100th birthday, dying of pancreatic cancer in 2000. He was just 69. If he has his way though, he may still have a role to play in the creation of the future. Though dead, FM’s body remains frozen in a state of cryonic suspension in Scottsdale, Ariz. Perhaps he is waiting for the world to catch up.

#artificial-intelligence, #avatar, #column, #coronavirus, #covid-19, #health, #identity-management, #internet-culture, #opinion, #science, #telemedicine, #transhumanism, #virtual-reality

Identity management startup Truework raises $30M to help you verify your work history

As organizations look for safe and efficient ways of running their services in the new global paradigm of increased social distancing, a startup that has built a platform to help people verify their work details in a secure way is announcing a round of growth funding.

Truework, which provides a way for banks, apartment-rental agencies and others to check the employment details of an applicant quickly and securely online, has raised $30 million. CEO and co-founder Ryan Sandler said in an interview that the company would use the money both to grow its existing business and to explore adding more details — both via its own service and via third-party partnerships — to the identity information that it shares.

The Series B is being led by Activant Capital — a VC that focuses on B2B2C startups — with participation also from Sequoia Capital and Khosla Ventures, as well as a number of high profile execs and entrepreneurs — Jeff Weiner (LinkedIn); Tom Gonser (Docusign); William Hockey (Plaid); and Daniel Yanisse (Checkr) among them.

The LinkedIn connection is an interesting one. Both Sandler and co-founder Victor Kabdebon were engineers at LinkedIn working on profile and improving the kind of data that LinkedIn sources on its users (the third co-founder, Ethan Winchell, previously worked elsewhere), and while Sandler tells me that the idea for Truework came to them after both left the company, he sees LinkedIn “as a potential partner here,” so watch this space.

The problem that Truework is aiming to solve is the very clunky, and often insecure, nature of how organizations typically verify an individual’s employment information. Details about salary and where you work, and the job you do, are typically essential for larger financial transactions, whether it’s securing a mortgage or another financing loan, or renting an apartment, or for others who might need to verify that information for other purposes, such as staffing agencies.

Typically that kind of information gathering is time-consuming, both to reach out for and to confirm (Sandler cites statistics that say an HR person spends on average over 1,000 hours annually answering questions like these). And some of the systems that have been put in place to do that work — specifically consumer reporting agencies — have proven not to be as watertight in their security as you would hope.

“Your data is flowing around lots of third party platforms,” Sandler said. “You’re releasing a lot of information about yourself and you don’t know where the data is going and if it’s even accurate.”

Truework’s solution is based around a platform, and now an API, that a company buys into. In turn, it gives its employees the ability to consent to using it. If the employee agrees, Truework sources a worker’s place of employment and salary details, and then when a third party wants to verify that information for the person in question, it uses Truework to do so, rather than contacting the company directly.

Sandler says that currently the idea is that if you leave your job, your next employer would need to also be a Truework customer in order to update the information it has on you: the startup makes money by charging both larger enterprises to make the platform accessible to employees as well as those organizations that are querying for the information/verifications (small business employers using the platform can use it for free). Over time, the plan will be to configure a way to update your profiles regardless of where you work.

So far, the concept has seen a lot of traction: there are 20,000 small businesses using the platform, as well as 100 enterprises, with the number of verifiers (its term for those requesting information) now at 40,000. Customers include The College Board, The Real Real, Oscar Health, The Motley Fool, and Tuft & Needle.

While all of this was built at a time before COVID-19, the global health pandemic has highlighted the importance of having more efficient and secure systems for doing work, especially at a time when many people are not in the office.

“Our biggest competitor is the fax machine and the phone call,” Sandler said, “but as companies move to more remote working, no one is manning the phones or fax machines. But these operations still need to happen.” Indeed, he points out that at the end of 2019, Truework had 25,000 verifiers. Nearly doubling its end-user customers speaks to the huge boost in business it has seen in the last five months.

That is part of the reason the company has attracted the investment it has.

“Truework’s platform sits at the center of consumers’ most important transactions and life events – from purchasing a home, to securing a new job,” said Steve Sarracino, founder and partner at Activant Capital, in a statement. “Up until now, the identity verification process has been painful, expensive, and opaque for all parties involved, something we’ve seen first-hand in the mortgage space. Starting with income and employment, Truework is setting the standard for consent-based verifications and unlocking the next wave of the digital economy. We’re thrilled to be partnering with this exceptional team as they continue to scale the platform.” Sarracino is joining the board with this round.

While a big focus in the world of tech right now may be on building more and better ways of connecting goods and services to people in as contact-free a way as possible, the bigger play around identity management has been around for years, and will continue to be a huge part of how the internet develops in the future.

The fax and phone may be the primary tools these days for verifying employment information, but on a more general level, there are companies like Facebook, Google and Apple already playing a big role in how we “log in” and use all kinds of services online. They, along with others focused squarely on the identity and verification space (and Truework works with some of them), and using a myriad of approaches that include biometrics, ‘wallet’-style passports that link to information elsewhere, and more, will all continue to try to make the case for why they might be the most trusted provider of that layer of information, at a time when we may want to share less and especially share less with multiple parties.

That is the bigger opportunity that investors are betting on here.

“The increasing momentum Truework has seen since its founding in 2017 demonstrates the critical need for transformation in this space,” said Alfred Lin, partner at Sequoia, in a statement. “Privacy, especially around identity data, is becoming increasingly top of mind for consumers and how they make transactions online.”

Truework has now raised close to $45 million, and it’s not disclosing its valuation.


CyberArk snaps up identity startup Idaptive for $70M

Israeli cybersecurity company CyberArk has acquired identity startup Idaptive for $70 million in an all-cash deal.

CyberArk was already one of the shining stars of the Israeli cybersecurity scene before its 2013 initial public offering on the Nasdaq. Since then, its share price has almost quadrupled.

At the core of CyberArk’s identity and privileged access management technology is making sure the right people — like corporate employees — can access the right systems and services. Data suggests exposed or breached credentials account for most data breaches, so technologies that put barriers in the way of credential misuse can limit further damage.

No wonder Idaptive makes for a good fit.

Idaptive, a Santa Clara, Calif.-based startup that spun out from Centrify in 2018, made a name for itself by taking a zero-trust approach to identity security. Zero trust treats every user the same, requiring verification whether they are inside the corporate firewall or not.

In a blog post, CyberArk said the acquisition will bolster its position in the identity management space, allowing its customers to improve their security posture across a multitude of different infrastructures, like hybrid and multi-cloud environments.

“Merging the innovative technology and talents of the Idaptive team with that of CyberArk represents an exciting opportunity to deliver a differentiated, modern approach as we work to continually meet the ever-changing needs of the dynamic threat landscape,” said CyberArk’s chief marketing officer Marianne Budnik.


UK’s NHS COVID-19 app lacks robust legal safeguards against data misuse, warns committee

A UK parliamentary committee that focuses on human rights issues has called for primary legislation to be put in place to ensure that legal protections wrap around the national coronavirus contact tracing app.

The app, called NHS COVID-19, is being fast tracked for public use — with a test ongoing this week in the Isle of Wight. It’s set to use Bluetooth Low Energy signals to log social interactions between users, to try to automate some contact tracing based on an algorithmic assessment of users’ infection risk.

The NHSX has said the app could be ready for launch within a matter of weeks but the committee says key choices related to the system architecture create huge risks for people’s rights that demand the safeguard of primary legislation.

“Assurances from Ministers about privacy are not enough. The Government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law,” said committee chair, Harriet Harman MP, in a statement.

“The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.

“Parliament was able quickly to agree to give the Government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”

The NHSX, a digital arm of the country’s National Health Service, is in the process of testing the app — which it’s said could be launched nationally within a few weeks.

The government has opted for a system design that will centralize large amounts of social graph data when users experiencing COVID-19 symptoms (or who have had a formal diagnosis) choose to upload their proximity logs.

Earlier this week we reported on one of the committee hearings — when it took testimony from NHSX CEO Matthew Gould and the UK’s information commissioner, Elizabeth Denham, among other witnesses.

Warning now over a lack of parliamentary scrutiny — around what it describes as an unprecedented expansion of state surveillance — the committee report calls for primary legislation to ensure “necessary legal clarity and certainty as to how data gathered could be used, stored and disposed of”.

The committee also wants to see an independent body set up to carry out oversight monitoring and guard against ‘mission creep’ — a concern that’s also been raised by a number of UK privacy and security experts in an open letter late last month.

“A Digital Contact Tracing Human Rights Commissioner should be responsible for oversight and they should be able to deal with complaints from the Public and report to Parliament,” the committee suggests.

Prior to publishing its report, the committee wrote to health minister Matt Hancock, raising a full spectrum of concerns — receiving a letter in response.

In this letter, dated May 4, Hancock told it: “We do not consider that legislation is necessary in order to build and deliver the contact tracing app. It is consistent with the powers of, and duties imposed on, the Secretary of State at a time of national crisis in the interests of protecting public health.”

The committee’s view is that Hancock’s ‘letter of assurance’ is not enough given the huge risks attached to the state tracking citizens’ social graph data.

“The current data protection framework is contained in a number of different documents and it is nearly impossible for the public to understand what it means for their data which may be collected by the digital contact tracing system. Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation,” it writes in the report, calling for a bill that it says must include a number of “provisions and protections”.

Among the protections the committee is calling for are limits on who has access to data and for what purpose.

“Data held centrally may not be accessed or processed without specific statutory authorisation, for the purpose of combatting Covid-19 and provided adequate security protections are in place for any systems on which this data may be processed,” it urges.

It also wants legal protections against data reconstruction — by different pieces of data being combined “to reconstruct information about an individual”.

The report takes a very strong line — warning that no app should be released without “strong protections and guarantees” on “efficacy and proportionality”.

“Without clear efficacy and benefits of the app, the level of data being collected will not be justifiable and it will therefore fall foul of data protection law and human rights protections,” says the committee.

The report also calls for regular reviews of the app — looking at efficacy; data safety; and “how privacy is being protected in the use of any such data”.

It also makes a blanket call for transparency, with the committee writing that the government and health authorities “must at all times be transparent about how the app, and data collected through it, is being used”.

A lack of transparency around the project was another of the concerns raised by the 177 academics who signed the open letter last month.

The government has committed to publishing data protection impact assessments for the app. But the ICO’s Denham still hadn’t had sight of this document as of this Monday.

Another call by the committee is for a time-limit to be attached to any data gathered by or generated via the app. “Any digital contact tracing (and data associated with it) must be permanently deleted when no longer required and in any event may not be kept beyond the duration of the public health emergency,” it writes.

We’ve reached out to the Department of Health and NHSX for comment on the human rights committee’s report.

There’s another element to this fast moving story: yesterday the Financial Times reported that the NHSX has inked a new contract with an IT supplier which suggests it might be looking to change the app architecture — moving away from a centralized database to a decentralized system for contact tracing — although NHSX has not confirmed any such switch at this point.

Some other countries have reversed course in their choice of app architecture after running into technical challenges related to Bluetooth. The need to ensure public trust in the system was also cited by Germany for switching to a decentralized model.

The human rights committee report highlights a specific app efficacy issue of relevance to the UK, which it points out is also linked to these system architecture choices, noting that: “The Republic of Ireland has elected to use a decentralised app and if a centralised app is in use in Northern Ireland, there are risks that the two systems will not be interoperable which would be most unfortunate.”
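The difference between the two architectures discussed above, and the “data reconstruction” concern the committee raises, can be made concrete with a small model. This is an added illustration, not code from NHSX or any real contact-tracing app, and it assumes a simplified protocol: in the centralised design the server can resolve uploaded proximity logs to identities, while in the decentralised design devices broadcast random tokens and only the uploaders’ own tokens are ever published.

```python
import secrets
from collections import defaultdict

# Constructed sample data: undirected proximity events and the users who later
# report symptoms and choose to upload. Not real data.
CONTACTS = [("alice", "bob"), ("alice", "carol"), ("bob", "dave"), ("carol", "erin")]
UPLOADERS = {"alice", "bob"}


def centralised_server_view(contacts, uploaders):
    """Centralised design (assumed model): uploaders send proximity logs that
    the server can resolve to identities, so it learns every edge touching
    an uploader, including edges to people who never uploaded anything."""
    return {frozenset(pair) for pair in contacts if set(pair) & uploaders}


def bystanders_revealed(edges, uploaders):
    """Users who appear in the server's social graph without having uploaded:
    the reconstruction risk the committee warns about."""
    return {u for edge in edges for u in edge} - uploaders


def decentralised_run(contacts, uploaders):
    """Decentralised design (assumed model): each device broadcasts a random
    token and remembers the tokens it hears. Uploaders publish only their own
    tokens; matching against heard tokens happens on each device."""
    users = {u for pair in contacts for u in pair}
    own_token = {u: secrets.token_hex(8) for u in users}  # real apps rotate these
    heard = defaultdict(set)
    for a, b in contacts:
        heard[a].add(own_token[b])
        heard[b].add(own_token[a])
    published = {own_token[u] for u in uploaders}  # the server's entire view
    exposed = {u for u in users if heard[u] & published}  # computed on-device
    return published, exposed


if __name__ == "__main__":
    edges = centralised_server_view(CONTACTS, UPLOADERS)
    print("central server learns edges:", sorted(sorted(e) for e in edges))
    print("non-uploaders exposed to server:", bystanders_revealed(edges, UPLOADERS))
    published, exposed = decentralised_run(CONTACTS, UPLOADERS)
    print("decentralised server sees only tokens:", published)
    print("devices that find a match locally:", exposed)
```

In the centralised run the server ends up holding carol’s and dave’s contacts even though neither uploaded anything; in the decentralised run it holds two opaque tokens and the exposure result exists only on the devices.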
