Event Recording

There is No Consensus About Consent

Thank you. So, good afternoon, everyone. Let me see if that works. Yeah. So, my name is Jeff. I'm working for a company called ForgeRock, and today's topic is that there is no consensus about consent, but there's good reason to get a better privacy karma. Now, how are these two interrelated? Let's see. The purpose of the conversation is a little bit encyclopedic, because we see that there are various usages of the term consent and of what can be done with consent. Consent sometimes is a sort of pain in the hand for many customers. We also see that customers turn towards us and say, so, do you have a solution? Yeah, but what type of consent do you mean? For many of the customers, in the first place it's cookie consent. Let's see how that relates to the other uses of consent, so it typically goes beyond GDPR.
And if you get the slides at the end, there's a link on what GDPR consent means. It's mainly about data processing, but it can be much more than data processing. Consent must be manageable. So to me, if I surf the internet and I hit one of those cookie consent pages, and I'm thinking, hmm, I don't allow all cookies, I just want to be a little bit picky about which I allow and don't allow, then it really becomes unmanageable. It's like the principle of least privilege; to me, it's not manageable. It's just too much. And I think cookie consent basically broke the internet. We should actually tie cookie consent to a user, because a user gives consent. But what does cookie consent do? It ties it to a device. So if you take a different browser, a different device, on the same website you get the same stupid questions again. Cookie consent can be a pain. Yeah. I mentioned that it can be a legal requirement by GDPR and others, but it can also be a basic business function, and we will step into this. And if we do consent right, we can use it for innovative applications. I think this is the main takeaway: if you do consent right, it can lead to a better privacy karma. And privacy karma is like better trust of the consumers in your website, in your services.
So this is just a list of how we use the term consent. Very often it's a checkbox, like "I consent to terms and conditions". You sign up to a service. First of all, you need to do the cookie stuff; let's not discuss the cookie thing. But you agree to terms and conditions. That's more like a checkbox exercise: you tick a box, it gets stored in your user profile that you consented to terms and conditions, version one, and that's it. It can also be like "send me promotion emails". What then happens is, ideally, your email address is provisioned, or sent, to the email marketing system. You receive email messages once a day, once a week, depending on the service. And ideally, what should happen if you withdraw the consent is that you should be deprovisioned immediately. Hands up: who ever said "please don't send me email messages" and it stopped immediately? Hands up. I see 1, 2, 3, 4 hands, five maybe. But I mean, can we improve this? Yes, we can improve this, and this is just by attaching provisioning actions in IDM systems, and connectors, to that "don't send me email messages".
It can also be, so this is a step up, right? I mean, this is sort of a hierarchy. It can also be adding individuals, like Apple Family Sharing or GitHub projects. I want to join my GitHub project and he'll become the super coder; I can lay back and stop working. I can invite others. This is more like a central database where this gets added. Same with Apple sharing. And this is where the interesting part starts: it's about OAuth 2, transactional consent, for example. With OAuth 2, I sign in with OAuth 2: this application wants to see your followers, follow your timeline, whatever. That's good, sort of. Then we can think of transactional. For example, today I'm in Berlin. There's a parcel that will be delivered to my home. Maybe no one opens the door. I want to give consent that the parcel guy can open my car boot, deposit the parcel, and then walk away. That could be a more and more sophisticated use of consent. And then of course, there's UMA: I allow my tax advisor to access my financial records.
So, terms and conditions. I will look into each of those and then display the pros and cons of each approach, what it can do, what it can't do. Terms and conditions: what you should pay attention to, what customers want. For terms and conditions they want versioning. I mean, not only PayPal customers receive a "hey, we've updated the terms and conditions" thing every couple of months. And there's languages. So whenever you think about a system for terms and conditions, make sure it can do versions, so that when you have an updated version, customers, consumers need to consent to this new version. It should be able to serve different languages, and it should also be revocable. And this is actually the tricky part. I've never seen one of those where I consent in the beginning and then can revoke the terms and conditions.
I've never seen this. Maybe it's just my use of the internet, but it's not revocable. Actually it should be. I just had a conversation two hours ago with some people up there, and actually it's this thing here: if you have multiple services or multiple brands, think of, for example, Spotify offering a video streaming service. So you want to have your Spotify, but you have the audio service and you have the video streaming service. So you have different sub-organizations with different terms and consent, but you have only one IAM system. So the IAM system should be able to cater for brands with multiple services below. That's important. Now to the thing where we go towards provisioning. So this is the one here, this level. We're going up a level. For example, you subscribe to a service and you want to receive email notifications, or you want to track a parcel via a mobile app. You consent to this service, and this could result in a provisioning action. And actually what you should do from an identity perspective is attach a provisioning system, like One Identity, SailPoint, whatever you have, to make sure that whenever the user says "I agree, I consent", the email account will be sent over to the email marketing system, and whenever the user says "I withdraw", the email record will be deleted. This is what I expect as a customer.
So the company might want to use your data for statistics, for analytics, like "can we use your data anonymized?" Yeah, that's also part of consent that can be done using provisioning actions. So we have terms and conditions and provisioning actions; these are all more or less proprietary. Here's an example of how a good GDPR consent could look. This is Adobe Campaign Management. Maybe it should be more clear that this means we're sending you an email message every week. If you think that this is too much, simply click here, deselect, and then you will never receive a message again.
Yeah. So this is good for something that should be effective immediately. It's good for newsletter subscriptions. It's not so good for sharing scenarios, like I want to share something with Klaus, for example. We can't use that; we need something more sophisticated. So I can think of sharing something with a group (there's an R missing there), and that could be family, Apple Family Sharing, the GitHub project sharing we've just talked about. This is typically implemented via access control lists or a central database. There are no real standards about what to do. It's easier if you keep that all in a single database. The good thing is it's easy to implement, so it's good for ad hoc implementation, but it's not so good for systems which are largely distributed. If systems are largely distributed, each of these systems needs to connect to your central database and look it up.
Rather, if you have distributed systems, we would go for the next level, which is OAuth 2. OAuth 2 is the next level, and it means you want to share something with yourself. That sounds a bit absurd, but effectively this is what OAuth 2 does. You're sharing something with you, where you're the owner. An example: you have a Twitter account and you have a Twitter application on your desktop, could be TweetDeck, and you give TweetDeck access to your Twitter account. But you own the Twitter account; you're the resource owner. You're operating this program. You just want to give the program access to the Twitter account. So you're sharing something with yourself.
So the computer and the Twitter account are both owned by the same person. And that's a good way of sharing, but we see it's good for sharing something with yourself, but it's not so good for sharing something with someone else. So back to "I want to share my code base with Jan or with Klaus": you can't do this with plain OAuth sharing. So what do you want to do then, if you don't want the central database? The central database, like family sharing, could solve it, but it's not based on a standard.
So here's the scenario where you want to share something with the parcel guy. The parcel guy says, hey, I want to deposit a parcel in your car boot. I own the car boot, and what would be nice, I mean, it all depends on the mechanism, so there must be a very intelligent, TCP-connected lock on the car boot. But the car boot lock says: hey, Mr. Postman, you need an access token and I will open the car boot. And how does the parcel guy get an access token? One solution you could use is CIBA, client initiated backchannel authentication. So the guy says, I need an access token, and I get a message on my iPhone. The message says: the guy needs the access token, do you confirm? I say yes, I authorize this transaction. I press OK, the guy gets the access token, the car boot opens.
That's one scenario where you could use this. Another scenario could be customer support: I want to access your account data. I get a message on my iPhone, I authorize this, and then that person from the help desk can access my account data. So that's a nicer way of sharing, and it's just a small deviation from plain OAuth 2, the CIBA flow. So CIBA is actually not too bad. It can do many things. Yeah, I've got some illustrations. It's good for ad hoc requests: I'm not expecting that someone will ask me for access, but I get a message. Like I get messages from my daughters: I want to have more screen time on YouTube. But this is based on a standard, so that's the good thing. And can we do everything with CIBA flows? No. CIBA flows are quite good, but what you can't do is be specific about the action that can be done. Like with medical records, you want, for example, to specify if someone can read them, can write them, can maybe continue sharing them. This is what you want to do. You can't do this with plain OAuth 2 or CIBA unless you really make it super complicated. Maybe you want to be specific on the duration, like: I allow this for 10 minutes, five minutes, like you all know from the screen time scenario. Five minutes, okay, got it. From the screen time scenario: access to YouTube in the evening, five minutes, done, bedtime.
And you might want to have a process to register and deregister resources. This is a typical metering scenario where someone wants to read the meter in your house and knocks at the door: "Can I go to your cellar and read the meter for the heating, water, gas, whatever?" You say, sure, go down there. And if the guy doesn't come back after 50 minutes, you go down to the cellar and see what he's actually doing. But if these meters are read automatically, so there's no guy knocking at the door, then you probably want to have some UMA process in place, because this lets you specify whether that guy is allowed to go into the cellar for 10 minutes, for 15 minutes. You can register the resource beforehand. So this is actually where you have OAuth 2 extended with UMA. This is the sharing gold standard, I would say. We have some screenshots about sharing data; you can say, yeah, the time.
But the thing is, this is very good for complex sharing scenarios. In practice we rarely come across those complex sharing scenarios. So I would say that for 80% of the requests we get, "hey, this is something UMA can do", we'd say, mm, no, UMA is too heavyweight to do this. There are simpler ways of doing this, and you should maybe first explore the simpler path. So this is really good for complex scenarios, but not for anything where you can avoid complexity. As a summary, this is more for your records: I summed it up in a table, the types of consent we have, whether it's standard, and also the main area of application. And what we see here is, I think, OAuth 2 with CIBA and OAuth 2 with UMA, this is where you can create innovation.
So if UPS, for example, would be able to run those flows, deposit something in a car boot or in one of those safety boxes, that's really good. This is where innovation comes in. So as a summary, where do we see consent interacting with the business? Legal aspects, user experience, then there's this "data is oil": can we use your data for analytics purposes? But also innovative aspects. And what does it enhance, if you do it right? And there's lots of things from a user perspective, from a usability perspective, that need to be done on top of just implementing OAuth. It can enhance trust, credibility, reputation, and ethics. And to me it seems it's in the same category as reducing CO2, where companies say, whatever we produce, we're trying to lower our CO2 footprint, we go green, we try to have a better environmental karma. You can do the same by applying a better privacy karma. This is what we can do from the IT side. That's it. Thank you.
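Editor's note: the parcel-delivery and help-desk CIBA flows described in the talk, as an added, self-contained simulation. This is not code from the talk, from ForgeRock, or from any real product; it models a poll-mode CIBA exchange in memory with the endpoint names, error codes and grant type URI from OpenID CIBA Core and an RFC 7662-style introspection call, and it assumes invented client ids ("courier-app", "helpdesk-app"), an invented scope ("carboot:open") and an invented resource server (CarBootLock). Timestamps are passed in explicitly so the run is deterministic.

```python
import secrets
from dataclasses import dataclass

# Grant type URI defined by OpenID Connect CIBA Core for the token endpoint.
CIBA_GRANT = "urn:openid:params:grant-type:ciba"


@dataclass
class AuthRequest:
    """A pending backchannel request, keyed by auth_req_id on the authorization server."""
    client_id: str
    login_hint: str          # who has to approve (the car owner)
    scope: str               # what the client is asking for
    created: float
    expires_in: int = 120    # the owner has two minutes to decide
    status: str = "pending"  # pending | approved | denied


class AuthorizationServer:
    """Minimal in-memory authorization server (illustrative, not a real product)."""

    def __init__(self):
        self.requests: dict[str, AuthRequest] = {}
        self.tokens: dict[str, dict] = {}

    def bc_authorize(self, client_id, login_hint, scope, now):
        """Backchannel authentication endpoint. The client cannot redirect the user
        (the courier is standing at the car), so it only names the user and the scope.
        A real server would now push a notification to the user's phone; here the
        decision arrives via user_decision()."""
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = AuthRequest(client_id, login_hint, scope, now)
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def user_decision(self, auth_req_id, approved):
        """The owner taps 'yes' or 'no' on the authentication device."""
        req = self.requests.get(auth_req_id)
        if req and req.status == "pending":
            req.status = "approved" if approved else "denied"

    def token(self, client_id, auth_req_id, now, grant_type=CIBA_GRANT):
        """Token endpoint, poll mode. Error codes follow OpenID CIBA Core."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req.client_id != client_id:   # unknown id, or another client's id
            return {"error": "invalid_grant"}
        if now - req.created > req.expires_in:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if req.status == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]                    # an auth_req_id is redeemed exactly once
        if req.status == "denied":
            return {"error": "access_denied"}
        access_token = secrets.token_urlsafe(24)
        # The token carries exactly the approved scope and a short lifetime (five minutes).
        self.tokens[access_token] = {"sub": req.login_hint, "scope": req.scope, "exp": now + 300}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 300, "scope": req.scope}

    def introspect(self, access_token, now):
        """RFC 7662-style introspection used by the resource server."""
        t = self.tokens.get(access_token)
        if t is None or now >= t["exp"]:
            return {"active": False}
        return {"active": True, **t}


class CarBootLock:
    """Resource server (invented): opens only for an active token whose scope covers this lock."""

    def __init__(self, auth_server, required_scope="carboot:open"):
        self.auth_server = auth_server
        self.required_scope = required_scope

    def open(self, access_token, now):
        info = self.auth_server.introspect(access_token, now)
        return info["active"] and self.required_scope in info["scope"].split()


def run_parcel_flow(now=1_700_000_000.0):
    """Walk through the scenarios from the talk and return each intermediate result."""
    asrv = AuthorizationServer()
    lock = CarBootLock(asrv)
    # 1. Courier app asks for a token; owner's phone gets the push.
    bc = asrv.bc_authorize("courier-app", "owner@example.com", "carboot:open", now)
    results = {"first_poll": asrv.token("courier-app", bc["auth_req_id"], now + 2)}
    asrv.user_decision(bc["auth_req_id"], approved=True)   # owner taps "yes"
    tok = asrv.token("courier-app", bc["auth_req_id"], now + 6)
    results["token"] = tok
    results["opened"] = lock.open(tok["access_token"], now + 10)
    results["replay"] = asrv.token("courier-app", bc["auth_req_id"], now + 12)  # id already consumed
    results["after_expiry"] = lock.open(tok["access_token"], now + 400)       # token lifetime passed
    # 2. Help-desk scenario: an account-data token must not open the car boot.
    bc2 = asrv.bc_authorize("helpdesk-app", "owner@example.com", "account:read", now)
    asrv.user_decision(bc2["auth_req_id"], approved=True)
    tok2 = asrv.token("helpdesk-app", bc2["auth_req_id"], now + 3)
    results["wrong_scope"] = lock.open(tok2["access_token"], now + 5)
    # 3. The owner says no.
    bc3 = asrv.bc_authorize("courier-app", "owner@example.com", "carboot:open", now)
    asrv.user_decision(bc3["auth_req_id"], approved=False)
    results["denied"] = asrv.token("courier-app", bc3["auth_req_id"], now + 3)
    return results


if __name__ == "__main__":
    for name, value in run_parcel_flow().items():
        print(name, value)
```

The scope and expiry checks at the lock are what make the talk's point concrete: CIBA gets the courier a token without the owner ever touching the courier's device, but everything finer than "which scope, for how long" (read versus write, re-sharing, per-resource registration) is exactly what the talk hands off to UMA.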
