I'm a consultant. So I help my customers to shape their consumer identity and access management strategy and to be compliant. And it shows that we want to reduce the friction of our customers. So we will try to add IQ a in O the user expect,
Hi, my name is Tom Fleming. I'm a former CSO of Sears Holdings, which is a conglomerate of companies, and they each have different websites and mobile sites, all responsible for their own privacy policies.
So I can bring a perspective of the retail industries and how, how they address privacy programs and try to use that for their customer experience, as well as that internal exercise that they have to go through to, to implement that and to do that in a way that, you know, in a kind of a phased way where they can, you know, achieve milestones and, you know, serve the broader purpose.
My name's Brad Hill, I'm on the identity team at Facebook.
It's a big company and I can't answer all of your questions and don't wanna hog the panel, but the team that I'm on, we work on Facebook Login, formerly known as Facebook Connect. We work on Account Kit, which is a platform for doing phone number or email based passwordless login. And we also have a new product for replacing the email link as an account recovery method, with something more secure and more privacy respecting.
So I'll ask some questions and from the audience at any point, if you have questions, I know it's in the middle afternoon now.
So one's sugar may be a bit low, but you know, we'd love to hear from you. And in the meantime, I guess, any of you, if you care to hold forth on it: what are some of the challenges, what do you see as sort of the three top challenges in the user experience space as we try to meet some of the privacy regulations that are coming, like GDPR and others?
Let me start. And then I'll hand the link over.
So, you know, in the retail space, the customer is number one, all you, most retailers have the mantra where it's customer first and the organization is designed around that way. So you, you want, you know, want to maximize your conversion rate. If they're gonna visit your site while they're on the site, you don't want any additional clicks or navigation or complications or anything getting in the way of them getting what they need or seeing what they wanna see as quickly as possible.
And so, you know, we, we all have the digital customer teams for the customer experience and they're really the business units. So when we talk about us working with the business for privacy purposes, that's really who we're working with is this digital experience team, those that work on the digital journey.
And so, you know, they have access to the research on what the customer trends are, what they like and what they don't like.
And so as you try to collectively work with them on what the requirements can look like, what you can do from a controlled standpoint and what you can put in front of them, that that's kind of the process that we go through to create that experience for the customer, right? So we want it to be transparent.
We want, we want the customer to say, or to feel that we're the data secure that is being treated, you know, with privacy, but being very careful not to say, you know, that your data is a hundred. We can't like, you know, directly say that your data is being, you know, protected a hundred percent. And so it's been, it's kind of a, a tricky business and trying to convince the customers or show them that their data is protected without saying it directly for different legal reasons.
But, you know, but there is the policy, right, which is kind of general where they acknowledge it. And that gives you the right to share the data that will change with GDPR. But that's kind of the, the retail experience in the nutshell,
Is it two challenges I see for sure. The first one is, as you said, each time we need to interact with, with the customer is because we have something to do. We have some gain to pass, and this can be very tied to the business. This can be very tied to the technical mechanism, but we have to speak customer language. You understand why we need it.
We must understand why we need him to provide a password. At some point, you must understand why he receives an SMS and he has to enter the OTP. For example, with 3-D Secure in France, when you do a payment, you receive an SMS and you must enter it, okay, but you must also do it if you either re, sorry, re is IBAN account definition, just to be able to make a money transfer to it. You also receive an SMS.
So what we saw is that there were some occurs trying to add some IBAN information into the account, to export money from the account, and trying to make these pass for payments that had to be done. And just because the SMS were just sent with no information why it was used, many customers fell into the trap to provide the OTP and then to fall into this trap.
So that's, that's the first problem being able to, to speak a language for the customers. And the other part is everything related to credential loss, or for, for get by the finance user, we can get out of it. And I think that Facebook and that's where we users bank to, but Facebook is friend relationship can provide best mechanism that what we have to do in adult for credential recovery.
So with regard to the GDPR, I think there's a lot, we get to be learned from businesses about how it's gonna impact us.
I think from an identity point of view, and from the identity tools that we offer at Facebook, there's gonna be much fewer changes than you might expect. I've heard a lot today from people who sort of think about Facebook Login or talk about Facebook Connect, which is not a product name we've used for years, and think about what it was like five, seven years ago, when you were seeing invites for Farmville and things like that. And we've independently recognized, and we've had consent decrees and other things.
And we know that that's not an experience people like, and people want to be in control of their identity information. And that informed consent is very important to us. If you actually look at how Facebook login works today and has worked for several years, we're one of the first and one of the only today, still that lets you have full consent over everything that you might share or not share.
You can uncheck all the permissions except for email address and basic public information that, you know, once your email address, anyone could look up on your Facebook public profile.
Anyway, everything else you can uncheck. And we verify that, you know, accounts using Facebook or customers using Facebook login still work correctly with unchecked permissions. We're moving more aggressively towards models where we have incremental disclosures. So you start your interaction with a customer by just learning their name. And then if you want to learn their friend graph later, you present that in the context where it's clear with the value exchange to the customer is what they're gonna get by disclosing is information why it's necessary.
And these are the patterns that we've been working with in developing through our user research for many years. And I think that you're gonna fit really well with what the GDPR looks like.
So I don't think you're gonna see a lot of changes from Facebook. I think what you're gonna see is the barriers to entry are gonna get higher for other identity providers, because they're gonna have to support that, those kind of models.
I think you're gonna see platform changes where models like, you know, doing the single sign on in a web browser where you have the full flexibility to collect this kind of consent and information is there versus like an API model, like some of the earlier Android or pre earlier versions of iOS, where you just had a real simple API to call be an identity provider that doesn't provide you the flexibility you need to deal with the kind of consent and customization that the GDPR I think is gonna require. So I think Andrew had a question.
Yeah.
So just taking the topic of informed consent of all the other privacy topics, what kind of indicators do you have that is working at the customers actually being informed, obviously directs observing and all that, but in retail space and social space, enterprise space is can you tell the difference between an informed user and an uninformed user images click any tactical
Measures? Yeah.
I mean, we, we, we know what we show you. We know that you can interact with that dialogue and you can uncheck things and you can just proceed.
You know, we also know, and I think we all know anyone who's worked in technology for more than two or three years, knows the user just can keep clicking the button, matching the button until it works right. And you know, whatever text you put up there, they're not gonna read it so that that's sort of a perennial problem. The best you can do is be compliant and give people the option. Present those dialogues clearly make sure that those dialogues happen and that they can't be bypassed or, or skipped or obscured. And we also constantly do user research. We're always talking to our customers.
We're always bringing people for user research sessions. We're serving, we're doing AB testing.
We're always learning about how do people understand and interact with these services.
And, you know, mostly people are fairly sophisticated. People have a pretty good understanding of what data is being shared and why it's being shared, what the implications are. Usually they actually assume much worse from a privacy point of view about what's happening, what's being shared, than what actually is being shared. And they're still okay with it. And whenever we do a user research session, we have people suggesting, well, I wish I could share this other information. I wish I could share my dietary preferences as part of Facebook Login.
And so the event would know I need a vegetarian meal or it can suggest new restaurants to me. So people are savvyer than you think we have this assumption. I think that people don't know what's going on or they don't understand these dialogues, but a lot of people actually know it pretty well.
So sorry, jump in here. Do you know of any, any work on Facebook to start publishing lessons learned about like, you know, I know it's a general, incredibly general question about user interactions, but yeah. Maybe
Like what are the experiences that you get from the Facebook users, right.
When, when they do have that interaction, I think that's something that we can all learn
From. Yeah. I just
Wonder, you know, I'll pitch Johns talking in tomorrow afternoon. We're gonna talk a lot about those lessons in terms of like, what, what channels are people preferring for login and, and what methods do they prefer in various regions? What are the, because
We not all those with
Large scale, right? So what are the, what are the, what are the ways people like to log in? What identifiers do they like to use?
Why do they make the choice of that identifier for convenience versus trust versus privacy? And so, you know, we don't necessarily publish research papers on that all the time, and it's sort of a constant process, but we do try and share those. We always have an identity session at our F8 conference and those videos are available online.
So there's a number of videos you can go look at from F8 talking about our user research and the numbers that we have and our understanding of the market that we share, and how we're evolving these experiences to help the customer journey and make sure people, you know, we have a big hole to dig out of, right? Everyone in this room has, and these are the most expert people in the world, and everyone's shitting on Facebook all day long about our bad privacy practices, talking about things we did five years ago. People have long memories.
And so we have a big hole to dig out of and we're investing a lot in making sure that the things we do people understand and can feel that they deserve our deserve their trust
From a retail perspective, I think, you know, retailers have been around for a while and aren't classified as high tech companies. We've gone through years of privacy programs and we've got HIPAA. And for the most part, we've got privacy information and spend quite a bit of time doing data flows, right? So we don't really do consent necessarily.
Or we, we, I'm sorry, take acceptance in the form of, you know, we approve or you, you, the customer approve the privacy policy as you use the website. But beyond that, we don't really, you know, demonstrate what information it is that's being used. Every customer will have a loyalty, a profile page, and that's gonna be geared around what are your interests? What can we do for you? But there's never been a requirement of to, to illustrate what data needs to be protected and why, so that is changing.
But I would say from a retail standpoint, you know, what they've been doing or how, how it's been done, it's it's data flows. It's, you know, there are attributes being tracked on, on customers and which website they're coming through. And really, that's kind of the extent of how do you have traceability with the usage of that data? It's what policy did they sign?
And can you demonstrate how the data's being managed in accordance with that particular
Policy, but that's like conversion rate, and like, have you ever tried to link that to things like talking about the privacy policy through all that, all
The stuff yeah, it is being done. I don't, I don't have the numbers on that, but
I one set of indicators that might be useful for everybody else to learn how they might work.
Yeah. If there's no privacy policy, they'll be more skeptical. We know that, right.
I don't remember the data, but you know, it's like, if you don't see the SSL symbol, you know, users are skeptical, right. They're a lot savvier than they used to be in terms of how to use an interface, to know how to look for URLs and privacy policies, EULAs, SSL-type indicators.
So, you know, we know that influences it. So I think, you know, GDPR, you know, with the customer experience, we'll find a way to make it like a game, you know, make it fun, you know, give rebates or something, you know, in terms of, we'll give something back to the customer because we know if you incentivize them to share information, they will.
And I think that we get, we all get this feedback from the big clue and the two points font to extend paragraph so that we overseeing the contract.
We sign in bags and each time I ask the question, how many times do you read it, few people do it. And I think that we must find, there is, I see two things. The first one is we must find the equivalent of when you sign the paper, I say, yes, model, I agree to that. And you put it with your handwriting. This is not for you. You have to put your handwriting. So we must find something which is the equivalent.
Well, I think I would have to beg to differ on that. I think that whether a contract is on paper or whether it's online, a lot of people kind of make the choice. I'm gonna rent this car or I'm gonna buy this product. And they don't read the contract because it takes a lot of time and they can't change it anyway.
Yeah. But they must understand what they gain.
Not so much whether it's paper or electronic, it's those two things it's, they, they know they're not gonna understand it. It's gonna take a lot of time. They can't change it.
And
I was not speaking though about technical, but functional equivalents of what we do with the paper. And now with GDPR, because we are capable of segmenting the pieces of information, right? One by one, capable of explaining what would be the usage. And once we last from, and maybe what you say called into the retail space, and maybe we can put, as you said, some incentives to go, there are anyways, because we may want to buy. And we know that from consent, I read somewhere that consent must be reacquired every X months.
So we are ready to pay X months to have informations
And the amount of information we want, you know, it's another opportunity to reach out and interact with the customer, right. But there's only so much you can ask every time you do that. And so you don't want to ask them 150 things at one time. So you find reasons new touchpoints to say, okay, well I need these two data items.
Now, you know, next week I need these two data items. And so there's a, a sequence of events that the customer teams understand just, you know, what's, what's reasonable
And from an identity and access management point of view and the sort of problem space that we live in, this is something, a soapbox I've been hammering for a long time since I was one of the early contributors in the FIDO Alliance. But I think GDPR is gonna bring this home again: understanding the difference between identity and authentication.
And, you know, we've been trying to replace a password for 30 years and we've been failing because a password is an authenticator and we're trying to replace it with an identity. And identities are about attributes and identities have baggage and identities have all these penumbras of how you feel about them and privacy. And there's lots more work that can be done on making authentication, easy, strong, reliable with choice with privacy, that doesn't rely on it being an identity or exchanging attributes.
It can be anchored in a strong identity, but you can project that in a way to authenticate yourself in a very private way. And I hope that the GDPR accelerates that trend and that recognition of the separation of these two problems in the industry space as a whole.
So to almost exactly, to your earlier to your earlier point about not wanting to collect 150 attributes or elements of one time, have you guys done any, any type of tests around abandonment of specific applications when you're collecting that specific amount of consent, basically a specific amount of attributes that you're trying to collect, or a type of information that you've seen a lower adoption rate and willingness to accept that consent?
Yeah, absolutely.
I mean, we find people are much more likely to consent again when it's in context it's, you know, at the time of use when they understand what the value exchange is.
Yeah.
I mean, and yeah, people will often, you know, especially something like a friend graph, that's very personal information or importing your contacts, something like that. If you just have to click through that, when you do the first login and there's a big list of things, a lot of people will decide maybe not a lot, but a fair number of people will decide. They don't want to do that. If you wait until they've been using your application and they understand, oh, I'm about to navigate to a friend's house.
I would like to access my contact information to get that address, or, you know, I want to do this other activity where I'm gonna invite friends, putting those in contacts, having those makes sense. We, we find that that correlates with all kinds of success metrics we measure for the application beyond just abandonment of the login page. And so that's the model we're really pushing and, you know, trying to make our standard.
And
I think part of the recipe needs to be when you present them with the list of things you want to collect, it needs to be clear to them how it's gonna benefit them, right. Not like a list of things they can market to you. So it's gotta have, it's gotta have some level personal relevance to you. Otherwise it's gonna get bored real quick. It's like going to a, a magazine website, like security magazine, right. And you've gotta fill out.
They say, please fill out this short questionnaire. And then you're like, next, next, like 10 pages later, you're still clicking check boxes.
And like, before, you know, it like, oh, this sucks a letter here, but there is something too that, you know, you've gotta, there is metrics around their tolerance for how much they'll provide at once. And if it's relevant, right. If that value to them, and that value chain is clear, that's where you're gonna get more stickiness
And, and the story you should do for every of your customers.
So in order to draw what experience path you want them to go through, the story will give you what you need to collect, because there is a usage build a mean, which goes with a compliance of GDPR where you have to prove why you do so, but you'll also give you what you have to collect at which point. And as you said, progressive profiling, it's a way to do it slowly when necessary and to keep a link with the I don't it.
So,
So one, one thing when we were talking about the problem of both electronic and paper contracts of length, Andy, in order for consent to be called informed consent, I think that the description of what the use of the data is going to be has to be something that a lay person could reasonably understand in a short period of time, right? It's no longer gonna be an acceptable user experience to say, click here to accept the 12 page PDF of the contract of the, of the contract.
So will your screens where you obtain informed consent contain typically a, you know, explanation, which is not 12 pages, but maybe a paragraph of is that reasonable, is that what you'd see retailers or social network sites doing?
I mean, that's what you have when you go to do Facebook Login today: there are boxes you can check and uncheck about what you want to share. We try and make that simple, plain language that can fit on a screen. Right. Right.
As far as the overall user agreement for signing up for Facebook, I'm an engineer; lawyers are gonna lawyer,
But that's, that's I
No hope of influencing how that goes
Down, but that's separate from the informed consent now
You're saying right. Well, I mean, I think it's about like, again, it's about teasing apart and understanding what's the difference between like, how does a business entity work that, you know, does advertising that does marketing, things like that. And how does participating in that service?
What is that apply consent to and how is your data gonna be collected and used in that context versus an identity and an authentication Federation event that you might have with a Facebook login. Yeah. Where there's actually very little data, you know, people assume if you log into Facebook to some site, we learn everything you do there not true. We learn that you use that application and that's about it. There's not, it does not create, you know, Porwal where we're sucking down everything else you do and attaching that to your Facebook profile.
So those and my part of that's about minimizing and making those experiences understandable and usable. So again, it's, I said we could, in the last panel, in the other room, I said, we could do an eight hour myth busting session on Facebook and some of these things. But I think, I think there's a lot of misunderstanding about how ad tech works versus how federated login and authentication products work.
And, and there's a lot of misunderstanding of what the mechanisms behind those are. And I think things are gonna change less with GDPR than people expect them to.
Yeah, I would suspect too that your generations are gonna react differently. You know, like in other regulation areas, you have to, you know, provide the scope of what's in third party contracts, you know, if they're responsible or co-responsible for certain things, you have to explain what the scope is, explain exactly what the service is.
And it's a lot of language, you know, and it requires, you know, technical leaders and others to review that and understand what that means, but, you know, for the non-millennials or those, say, older generations who, you know, don't adopt Facebook, they're gonna need something that's, you know, a less savvy capable way of understanding what they're looking at. You know? And so I imagine, I mean, it's gotta be, I think that would've been in one of the earlier sessions, or the example of Duke University showing some of their seems yes.
That would've been nice to kind of slow down a little bit, look at exactly what their interface looked like and how your doctor was. But I imagine it's, you know, you've gotta keep the message short and it's gotta be clear, right. What the data is and how it's gonna be used and kind of, one-liners
Sorry,
We saw it with
A child with private. It must be simple because the S less world and capability to comprehend complex it and stuff.
So there's a few initiatives going on and on either icons privacy, anyways, there's work going on about making icons for the
Customs.
I can't wash my clothes because of all the icons. So I hope it's not, I it's better than that.
Maybe
Like a nutritional label. Like we see a nutritional
Label on food, somebody. So I can tell that was a precursor for Sandra Steve, the world group developed a standard information sharing label, which was suspicious like nutrition. I also saw some interesting research at the MyData conference to ago on using legal XLS par policies that auto generate visual symbols using design techniques.
Now, obviously nothing fully works yet, but it's problems that is being worked out and there's
Symbolism. It sounds like a cultural challenge
Right there.
Well, there's, yeah. Concept might not be different, but the, the idea is that there's a lot of usability in design work and thinking, going on about how to take the words outta the equation, so that at least one of the interfaces is simplified and you don't have to read full text. Every sounds like
You're, you're getting a bit filming that would not be concise enough for the data usage, give it a category. Will that category be?
I also think there's a danger in that we don't want to make techniques that are good for security, good hygiene habits, like using federated login systems, less attractive because you have all of this, you know, you have 10 pages of SEMA fours to read through then, oh, I'm just gonna have a username and password and a big, well, a text I scroll through and hit accept. Cause everyone knows how to do that. Right.
And if you make that the, the user experience that has better conversion, then the one that's more secure and protects people better, we end up with perverse incentives and there's no, I like to, I, you know, I came from the security team before I joined the identity team. That's where my background is. And there's no privacy without security. If your account gets hacked, then all of your data is gone.
And so it's important to keep those things in balance and understand are we getting to the right end state for people in terms of what are the actual outcomes in their lives versus, you know, building overcomplicated interfaces that incentivize the wrong things.
And there is one other aspect. So being able to simplify each system that is collecting information is really good to do, but having 30 services with each of them the screen, having all the icons describing these services, it's still complex, and the ability to do one dashboard place that can go into dimension.
So you have the in one dimension, but also the can also be a way to excellent.
Also this idea of the barcode and having these icons can also be translated if you're thinking now, I think you're talking about the user experience from the web and clicking on something, but now if I'm delegating my permissions to a device and the device needs to talk to another device, and you understand that you follow these policies by suddenly not labeling, if you will standardization, then you can entrust your devices to act on your behalf and use that.
So maybe that's swinging idea out that could be used for devices.
You could probably set the context with a visual, right. And then get specific with the language.
So we're, we're coming up on the break now and let's just wrap up. But if each of you have a short closing comments, you'd like,
We must forget about the, it's just best practice. Okay. We want to do that because it's best practice, period. Yeah. You really get fined if you don't do it because you deal with a specific part of the population which is under regulation. Okay. But that's a single part of the program.
So first of all is best practice. I mean, we are already here to implement the best practice.
Yeah. When you put the compliance lens on it, you know, I think like any other program you're gonna have a, a lot of new requirements and from, you know, what we're hearing is it's gonna be yes or no. Did you do it all?
You know, one business unit can bring down the whole house of cards. I mean, that sounds scary, but some of you, I think that's the rhetoric that you're gonna hear when it comes with any type of compliance or legislation. If you look at the compliance frame or compliance landscape, right, you look at, you know, SOX or PCI or HIPAA, just how well, you know, were those regulators coming after the industry and how aggressive was that? I think there's a little bit of expectation level setting to be done there.
You know, I think, if I think about PCI in my experience doing that for many, many years, I've had assessors come through that have a whole different set of criteria in how they assess that body of work.
And so I think we're gonna see the same thing, right? It's gonna be, the requirements will be clear. The assessors will come through and they'll have a responsibility to do, do their due diligence, but it's gonna be, you know, how well are you doing your due diligence? Are you doing all the right things?
Are you, are you making the effort? And so I think there's, you know, that's kind of the, the way I think about this is you're gonna have to, you know, grow into this space, but you've gotta make a significant effort to, to do everything that you can. And then certainly use this to your advantage with your, you know, leaderships of the company.
I mean, this is a gift, you know, you're being handed to go, you know, get a bunch of money to go, you know, do things probably wanting to do for many years. It's a lot of work, but, you know, I think it's gonna be a great thing.
What, at least I've been hearing at the, the workshop before this though was 80% is
Right. Right. And I think that's what you're gonna hear.
So is, is, is that mean that does that mean that we need to, no matter what, hands down, our compliance order, that
That's what you're gonna hear. Right.
And I think no one will tell you differently when you go about doing the implementation: your goal needs to be just that. You need to tell your executives that it's a hundred percent or not. Right. And so if you miss the 20%, most likely the fines will be proportional to your deficiency. And that's kind of the message, right? So you want to get that deficiency area as small as possible to reduce the amount of impact from the assessment, but, you know, get your arms around the scope, make sure you don't miss any, there's no blind spots, scope.
What have you make sure that that's real clear because on the onset, you don't want to go back to the well and say, oops, you know, there's a, there's a sister company I missed in the fold and now we gotta go after them.
And Brad
Need to wrap
Up. Yeah. I just talked to the gentleman morning and he said that, that we look SOS a good will and the roadmap.
So yes, you have to do things, but if you have a map, it'll help your case. You gotta have a plan.
I'll just say again, narrowing this scope very much being as an identity technologist. I think the GDPR actually validates a lot of the engineering work and.