So welcome back from break, everybody. We'll have our first panel, and on our panel we've got Tom and the rest of our panelists. Would you guys like to just do a quick introduction of yourselves, and then we'll launch into our topic about how to work together in a privacy-preserving way to mitigate risks?
Hi. So I'm Tom Wills. I live in Singapore. I'm not from Singapore, as you might guess. I've been there for seven years, and I've been working in the ID space for about 20 to 25 years. I was involved in building authentication standards and solutions for Visa initially, and also, more recently, I helped P ID get off the ground about 15 years ago. Right now I work with a small advisory firm, a bunch of people out of Visa, that is in the FinTech space, and we help both banks and FinTech startups to move their technology stack forward.
So, hi, I'm from Wave, the Paris office. I'm the manager there. My colleague was based in Hong Kong and engaged with Singapore, but he couldn't make it today, so I'm taking this space.
I don't know that I need the microphone, but I'll grab it anyway. So I'm Allan Foster, currently working at ForgeRock, and I have been working there for the last six, seven years. I've been involved with identity since way back, when NCAP city was going to fix everything, and I was also president of Kantara and various other member organizations throughout the world at the time.
Okay. Well, thank you. So the topic is how to work together in a privacy-preserving way to mitigate risks. You know, the focus has been on consumer identity and access management systems the last two days, and on privacy and security. We've tried to interject a little bit of local flavor as it pertains to regulations that actually differ across the Asia-Pacific region. So I think there's a couple of different ways we could go with this, and certainly we'd like to invite audience participation as well. But thinking about perhaps the differences in the privacy landscape throughout the local region, what would you say are some of the top concerns with regard to privacy and consumer identity management systems, and, say, proper implementation, or some things to be on the lookout for when designing these systems?
Happy to start? So let me say one thing. Having been in Silicon Valley, and in the UK for years before that, one thing that really stood out for me when I started working here is that, you know, cyber threats are global. Everything that you read about in the papers tends to be out of the US, and the reason it comes out of the US might skew your perception that the US is very heavy on cyber threats and data breaches. That's not the case. They're global. The reason that you hear it out of the US mostly is because there's a lot of regulation, disclosure requirements and so on, which don't exist in this part of the world. Right? So what happens is a bank gets breached and you won't hear about it unless you're actually working inside, or you're very close to the institution itself.
But I can tell you, without mentioning any names, that it happens every bit as much here in Singapore, in Southeast Asia and throughout Asia as it does around the world. So the concern, though, is that I've found over the last 10 years that the field was advancing more in the US and Europe, and that results in regulations like GDPR, because of the public, a little more public, discussion about it that you see there. And there's less of that in this part of the world, even though the problem is exactly as severe. So that would be the top one for me. There's others.
Okay, I'll jump in. So one of the words out there that actually sort of grabs my attention is risk. And I start thinking about, well, where are the risks?
I think that there are really two different areas of risk. The easy one is the risk to the corporation, right? I mean, we are in business, and businesses are like alligators: they make money, they do what they can to make money, and anything that stops that becomes a risk. And so we have things like GDPR, which puts the CFO at risk of going to jail; that suddenly becomes a really existential problem for the organization. So a lot of the things that we end up doing are in response to regulations, whether it's KYC, AML, GDPR, any one of these. The risk is to the management of the corporation and the fine, whatever it might be, to the corporation. The other form of risk is the risk exposed to the end user, and this is pretty much either ID theft as a result of a data breach, or something along those lines, and how we can manage those. And I think the way that we have to address those becomes quite different, although we have to address them both. We'll probably go into a discussion of how we end up addressing them, and there's probably different ways to address both of them. We should be aware that there are multiple dimensions to what that risk looks like.
You'd say the two have things in common, but the injured party is quite different.
I would agree with that. And so how we mitigate it for the injured party becomes a different process. And then, just to continue on from that one, how we work together, at least from the end user perspective: I think this is intuitively obvious with the rise of things like open standards, OpenID Connect, OAuth 2, PSD2, all of these kinds of things, which are standards rather than sort of bespoke security solutions that three guys in a basement somewhere have worked up, where we don't know where the inherent technical risks are. At least we've got fully supported standards. We have an entire industry making sure that at least at the underlying technical level there is security end to end across those pieces. So I think adopting and building on those standards is a very important part.
That leads in the direction of talking about standards. Which standards do you think are most applicable for privacy preservation? Obviously Kantara has a lot to say about that with User-Managed Access and Consent Receipt, driven by GDPR. But again, thinking locally, OIDC is of course very important. What do you think about FIDO or any other related standards, and what role do you see them taking going forward?
Well, I think we've seen for some years now that the standards you mentioned have had privacy in mind when they were being designed. It's really privacy-friendly, and FIDO is a good example of that. The way it's designed is really privacy for the end user, where consent and privacy are at the heart of the standards. And that's a big change from a pure interoperability standard, which is just about an interoperability issue between providers. It's much more user-centric and privacy preserving.
I would say, again, sort of highlighting the differences of this region versus the rest of the world, that when we start talking about privacy we very quickly get into political and cultural discussions. And we also get into the fact that there's no such thing as an Asian market, right? There's a Singapore market, there's Malaysia, there's China, and every single one of those is an individual jurisdiction. They have their own laws, they have their own regulations. And it's just a hodgepodge as you go throughout the region, everything from Singapore and Hong Kong, which tend to be more advanced and probably closer to Europe and the US in terms of maturity of privacy legislation and regulations, all the way to several countries that don't have any whatsoever. So that's the thing. But when we see implementations of privacy standards, and we see enterprises looking at how to do privacy in this part of the world, you can kind of divide it into two different sections.
One is the multinationals. Singapore is home to a lot of major multinationals in the financial services and other industries, and they will tend to follow whatever corporate is doing, whether corporate is in the US or Europe, let's say. And also, because they're doing business globally, they would obviously have to go to those. So there you see attention to GDPR, for instance; you see even more attention to FIDO, I would say, amongst that group; you even see attention to the US regulations. And then outside of that there's another circle, which is much more locally focused types of businesses. That could be banks, and I'll probably bring up banks a lot in my comments, but it applies to other types of industries as well that are, on a regional basis, less globally focused.
And I mentioned this cultural difference here. So the extreme is China, where the PBC in China has basically set up a surveillance society, right? All the social media platforms, all the eCommerce platforms have basically got to give up all of their data, including the PII of their customers, notably to the government on demand. Now, that's a very different way of looking at things than, you know, we would be used to, say, in Europe. And I've done presentations, one in the Hague about five or six months ago with the GSMA, and I sort of met a level of outrage about this: how can the government do this to people, that type of thing. And oddly enough, when you spend some time in this region, it's not apathy, but it just doesn't bother people as much. And it was hard for me to get my head wrapped around it, right. Maybe people haven't had privacy for such a long time, but really, especially if you go to China. I talk about this; my in-laws happen to live in China, so I have discussions about this all the time,
And they really don't care.
And that's very, very different from when I go and have discussions with my colleagues, family and friends in Indiana, California, Texas. So that's a big thing, and it drives a lot of the development of standards and the adoption of standards as well. Right. And so we've almost sort of entered two different worlds.
I was laughing as you talked about that, because it brings out probably a discussion that we've had three different times over the last three days with different people in the coffee room, and that is pretty much summarized by the phrase "trust in government". And you know that cultural difference around the issue of how you trust the authority system and the authority society around us, no matter what that looks like, whether it's the US or anywhere else. You're absolutely right. In many cases I have run into the situation where people look at the US way of doing things and say, why doesn't the government do something? And then there are other cases where people look at how China or other countries work and say, how can the government do that? And this issue of the relationship between the citizen and the government is very different across different countries. And it becomes fundamentally important to what we are doing, because traditionally government is key to establishing identity. Outside of the individual enterprise, when you start looking at a society level of identity, it almost always goes back at one point or another, and in some cases it may be done by the private sector, but it almost always maps back into government as an authority around identity, and government is often an authority source for many of the identity attributes. And so the trust relationship that the citizen has with the government, and the differences in that trust relationship, make it very relevant to how well that goes into working together. But that makes it very hard for us to try and normalize those relationships. Yeah.
I think, well, thinking on normalizing, that seems to be one of the problems. I mean, we do have technologies that we can use today. And I think FIDO's a pretty good example, because it was built with privacy preservation in mind: for each connection between a device, a person and a relying party, you get a different set of keys. So the idea is you can't link data between your different sessions. So I think that was well designed. What do we do in terms of standards like that, and like UMA, that clearly have very practical relevance to privacy, regardless of how you want to implement them along the spectrum based on cultural differences? What do we in the room, as consumer identity management solution providers or analysts, do to promote the adoption of these kinds of standards that will ultimately help with whatever the privacy regulatory needs are around the world?
It's a lot more heavy lifting, I can tell you, in this part of the world, simply because you've got to go country by country and do those very things. You find companies that are multinationals that see that in their own interests, regardless of regulation. They're rare, but regardless of regulation they will adopt standards like FIDO, they will embrace those and actually put some investment into building them into their systems, because they see it in their business interest to do that. Right. And then that's maybe about 10 or 20% of the total. For the 80 or 90%, I'll make a comment about what you said about regulatory risk, right, or the risk that's associated with non-compliance with security regulations. Being a security geek all my life, I've always found it very unfortunate that things are driven by that, driven by the need to comply rather than what I've always felt was the right way to do it, which was by a risk assessment, by looking at your actual, I call it, different multidimensional types of risk: not just compliance risk, but cyber risk and fraud and things of that nature, financial risk. In reality, and just like pretty much anywhere in the world, it's not done that way.
So what we have is a company that sets up, say, a FinTech eCommerce platform, and they say, well, they've got to be PCI compliant, PCI DSS. So we'll do that, we'll go through whatever the process is, and then we'll tick that box. We'll check the box and we'll go on to the next thing, but not a lot of effort beyond that. So that sort of slows down, I think, relative to other continents, other regions in the world, the embracing of global standards like that.
Yeah. I think I'm a little less pessimistic about global standards. And one of the reasons for that is that the adoption of global standards is happening in the private sector. Right? The big challenge we've got is that in the public sector every government is its own special snowflake, and it's unlike anybody else in the world, except for all the others. But, you know, every single one is different. And so what we end up seeing is Australia wants to put together an attribute exchange, and their needs are so different from everybody else on the planet that they're going to write it themselves. Right. And I kid you not, it looks exactly like the Canadian one and exactly like the Norwegian one. So we have this problem of a very geographically defined space when we start looking in the public sector. In the private sector, Amazon is Amazon and Facebook is Facebook and Google is Google.
And so I think we, as an industry, have actually done quite well in jumping on the coattails of those big industry behemoths, who are not really there to change governance around the world. They just want to sell another book or CD or whatever it is that they've got online. And if you look at companies like Google, Facebook, Salesforce, and maybe one other, in about 2012 they were probably the main drivers around adoption, not so much in the FinTech sector, right? The moment they started doing it, all of a sudden Google, Facebook and a few of the other ones were predominantly the main drivers around social login, and OpenID Connect was able to come in right behind that. And Google and the other ones saw that. And so it's now not uncommon for us to see "log in with your Google account" all over the world. Right? And I think we have to get onto the coattails of the private sector, these big behemoths, and they are the ones who are going to be driving behavior. They're the ones that face it. PayPal was the one that got behind the FIDO Alliance and started driving that one around. So I think that's where the global standardization comes from.
I can also share what we see in Europe. Europe is a collection of different countries with different legislation, but they have some common regulations, for example PSD2, which forces banks to open up some APIs to access accounts. We've been working with various banks in Europe, and they all have the same regulation to deal with, and they come up with different solutions, yet they cooperate to try to find common ground, a common way of providing technical standards to connect to, and try to build a financial API. For instance, maybe using the OpenID one, maybe using the Berlin Group, maybe using the STET group; each group is trying to find common tools to do that. And they all rely on existing standards. So to me it proves that the current standards are able to meet the requirements of such regulation. And PSD2 is not a privacy regulation, but in France there's a strong privacy culture, and there's something around having your bank account information given to third parties; this is mostly a sensitive matter, and banks are very cautious, they pay attention to that. And as for the customer, they understand that privacy is important to keep their customers. And they're really using the standards, and they're actually currently proving that standards can meet such regulations.
So I've got another question, but before we run out of time, does anyone have any questions?
Could I have a comment and a question? Is that all right? Quite right. The issue in Asia Pacific is not as easy as it is in Europe, where there's more of a central set of controls, but there's good stuff happening in the Cross-Border Privacy Rules, which we're going to be talking about in this community. So that's the comment. The question is, how do we encourage, or maybe have you had the experience of getting companies to take a risk management approach? Because one of the criticisms I've heard of the Cross-Border Privacy Rules is, well, I'm going to have to pay to have an audit done. Well, the cost of an audit is relatively small compared to the cost of a breach. Yet the companies don't seem to understand that a risk management approach would clearly indicate which way they should go. Have you some experiences in that space?
Yeah, the answer is yes, even though I've found that it's not the majority. I mean, I've been trying to sort of evangelize. I'd say, if you were to ask me if there was a theme to my career, it would be that I'm trying to evangelize taking a risk-based approach rather than a compliance-based approach to securing whatever it is. So yes, I've been able to get that done, but actually it's been more... So I mentioned earlier that in our practice we work both with banks and FinTechs. I've found that FinTechs have been more receptive to that than the banks themselves. But in one case with a bank, well, we've actually gotten them to do that. And it's a matter, you know, there's this perennial problem of just selling security, right? And getting people to care about security, not the people who are professionals who love security and think it's really interesting, but, you know, the 99% of end users and executives who think it's a pain in the ass, basically, right? So this has always been true. It's going to be true in 10, 20 years from now as well.
If you can sort of get beyond that, then you can get people to start thinking about risk, right. But this is really getting to the core of why people care about security: why your reputation counts, how this affects your brand in the digital world, that, you know, a data breach can negatively affect your reputation and your shareholder value. We've seen that happen with Yahoo and so on. It's an uphill battle.
Right. I see, you know, I think personally I'm getting better at persuading people, clients.
Yes. Yeah. So C-level, good point, because C-level tends to favour a more sort of risk-based approach to things. But when you get down to the implementation level, no, you get resistance there. It's like, why do we need to do X? We only have budget for Y, that type of thing.
So I have a comment on your question. You said that the cost of an audit is infinitely smaller than the cost of a breach. And up until very recently, I don't believe that's true. If you look back at the Target breach that happened in the US three years ago, it was 2014. The actual cost in dollar value of that breach to Target was less than one day of business. It went down to something like 38 million, the physical amount listed on the balance sheet as the cost of that breach. And the reality about it is that if it's less than the cost of a day of doing business, they'll take that risk every day. So the challenge we have to end up with is that recently the cost of a breach probably is still the same financially, but we are now getting a lot more... the Equifax breach has a lot more reputational damage and visibility from that perspective, where it is a lot...
But in general, because we've had, you know, twice-a-week news reports of breaches, most people look at that. And, you know, when you go into it with the perspective that there's only two kinds of companies, those that have been breached and those that don't know they've been breached, the cost of a breach actually isn't that expensive, as long as they do the right thing afterwards. And that's something we have to try and change, right.
I think we're about to be kicked off.
I would have two comments. First, risk-based assessment and risk-based work is done because there's a breach, because there's a problem, and because people are slow. My second is that people are sensitive to business disruption, to the business description of risk. So, for instance, I would say banks in France pay a lot of attention to insider threats, because a few years ago there was massive risk and a massive amount of money lost because of an insider having put some money, too much money, in some position, over the capability of the bank. More recently, not in the identity space and not in the breach domain, but Simon, a well-known, very old French company, has been impacted by the malware this summer, and this serves as an example for every industrial company in France, and I think more largely, like lessons learned, et cetera. Everyone can be breached, everyone can be the target of such malware, and everyone knows it is just a matter of time, and they see other people actually suffering that now. And we see people today asking for cybersecurity advice where they weren't a few months back. So it's really coming because there are breaches, because there is malware and business disruption.
Great. Well, thank you. Thanks to the panel.