Three Pillars of Data: Protection, Transparency, and Control - An Interview with Eve Maler of Forgerock

Interview with Eve Maler of Forgerock:

Cyber Security Dispatch:

Show Notes:
On today’s episode of the Cyber Security Dispatch, we welcome Eve Maler, VP of Innovation & Emerging Technology at Forgerock’s Office of the CTO. Eve and I talk about all things data. We start off with GDPR: why it is such a widespread data regulation, how different people approach it, and how it can be treated as either a way to accumulate penalties or an opportunity to gain customers’ trust. Then we talk about the steps one can take to build trusted relationships with customers and use their data to benefit both the consumer and the corporation. Next we talk about data protocols and how some of them are breaking the status quo, while promising real benefits with the enforcement of GDPR. Finally we talk about how revolutionary ideas within cyber can not only help security and data protection, but also data privacy and usage in the larger sense. This episode is full of information and advice about GDPR and the larger realm of data.

Key Points From This Episode:

  • How GDPR’s triangular nature makes it quickly spread like a virus

  • Why GDPR can be like a cruise ship

  • The cause of people’s bifurcated approach to GDPR

  • Four steps for companies to forge trusted digital relationships with customers

  • How forward-thinking companies take advantage of GDPR as an opportunity

  • UMA’s new approach towards consent

  • Companies should be using their large data collections for more trusted relationships with customers

  • What would make a mind-blowing RSA?

  • One word answer: Does blockchain give control back to the customer?

  • And much more!

Links Mentioned in Today’s Episode:
Eve Maler LinkedIn –
Forgerock LinkedIn –
GDPR penalties –
OAuth –
User Managed Access –
RSA Conference –

Welcome to another edition of Cyber Security Dispatch, this is your host Ashwin Krishnan. In this episode, titled Three Pillars of Data: Protection, Transparency, and Control, we speak to Eve Maler, VP at Digital Identity Forum, ForgeRock. With past lives at Forrester Research and Paypal, Eve now works to develop digital systems that enable user-controlled and compliant data sharing. It’s actually putting consumers in the driver’s seat when it comes to managing their own online information, and she’s the real thing when it comes to GDPR.

Ashwin Krishnan: Welcome. Today on the Cyber Security Dispatch my guest is Eve Maler. I’ll have you intro yourself and then we can get right in.
Eve Maler: Sure, I work for ForgeRock in our CTO’s (Chief Technology Officer’s) Office and I drive ForgeRock’s privacy and consent innovation agenda.
AK: Privacy and consent. I’ve heard that before - it looks like it’s very topical these days. So let’s talk about something that is “trending” - I want to say: this year, looking at the crowd - which is GDPR (General Data Protection Regulation). So for our viewers, I think if you could just describe in layman’s terms what GDPR means. But more importantly - I think what we were discussing outside before the interview - is: what are some of the nuances of GDPR that are either getting lost or getting pushed down with all of the other noise?
EM: Sure. Well, first of all, let me talk about the context in which I see the General Data Protection Regulation. So ForgeRock is about digital identity - for consumers and customers and patients and citizens - so kind of for people that you’re not the boss of, if you’re a business. And so we really see an identity-centric view of forging digital trust with all of those people. And so one of the ways that we see GDPR is: as kind of a viral mechanism, a viral regulation for spreading trustworthy mechanisms for businesses to forge that trust.
So one of the things that it achieves - for virality - is kind of a triangle of relationships among: individuals, data subjects; data controllers, so the organizations providing digital services directly to them; and then data processors and others - so one removed or more than one removed. And so if an EU resident is a data subject, or an organization has business operations in the EU, or a data processor has operations - any one of that triangle of relationships has got an EU relationship - suddenly GDPR gets pulled in. So that’s what I mean by viral.
AK: Yeah so it’s interesting because there is this notion of ‘EU: GDPR, EU: GDPR’ but it’s not just the EU it actually -
EM: It sure isn’t.
AK: - has tendrils all over. So maybe let’s talk a little bit about that.
EM: Yeah. So if you find yourself with - you know you’re a multinational or global corporation and you’ve got business tendrils in the EU, or you’re marketing your services to EU residents, suddenly you’re in the game as I’ve described with this triad; or you’re one removed and you’re working with companies that sell to EU residents. I think a lot of US companies have been caught short a little bit. Maybe not now in April - one month removed from the enforcement deadline.
We are close to the deadline so a lot more companies are aware but I was talking to companies, four months ago or five months ago, who were US based but had operations all over including the EU, who were still a little bit surprised. I’ll give you one example: We were talking about jurisdiction and how it’s becoming a dirty word. 
So we have some customers who are in the hospitality business and let’s say you have a cruise line where: you have customers who get onto a cruise ship, you have employees who get onto a cruise ship - and by the way employees are people too - they can be data subjects - and a cruise ship docks at ports of call, so you get to a port and within three miles of a port you’re within a jurisdiction - where the ship is registered is a jurisdiction when you’re out at sea. And data that is getting collected and used on the part of serving those customers is part of the proposition, so a lot of jurisdiction is getting involved and I think not all companies are aware of really what’s involved in the - data doesn’t know about jurisdictions but companies have to care about jurisdictions.
AK: So let me ask you something else because this is something that the more I talk to organizations and individuals there seems to be a bifurcation of thought processes. One is: 4%, 20 million Euros right? Fearmongering. The other one is: what you mentioned earlier, which is digital identity is: using this as almost a jumpstart to a competitive advantage in doing the right thing.
EM: Yes. Yes.
AK: So are you seeing that bifurcation of ‘okay let’s see who gets penalized first and I’m not this fan of the noise about 4% and 20 million that’s just too much so let me get back into my shell,’ and then these forward-leaning companies, which are going the other direction. Where is this all going to end; are we going to have a bifurcated world of those who hate GDPR and pretend it doesn’t exist and others who are using this as a propulsion mechanism?
EM: Well I think it’s bifurcated and will remain a bit bifurcated, but it’s because we have different stakeholders in the same organization. We have people whose job is to be incentivized towards risk-based thinking, and people whose job is incentivized towards opportunity-based thinking and it’s the responsibility of folks like me to kind of bring them together. And so I’ll give you an example of four steps that we lay out in our work towards helping companies forge trusted digital relationships with their consumers and their customers. 
Step 1 is to identify the intersections between digital transformation opportunities - to use a kind of a hashtag - it’s the new version of air quotes right - and user trust risks or gaps. So your new Data Protection Officer or your Chief Privacy Officer is incentivized to think about all of those risks and your business owners are going to be thinking about the digital transformation opportunities - that’s what all that data is there to do: is to help provide new services for users, things like that. But there is an intersection where you’re going to get in trouble. There have been really cool Internet of Things companies that have gotten as far as putting out a product and then been chased out of the market by angry people and ‘.orgs’. And that’s a shame if you get all the way to market before that intersection. So that’s step one.
Step 2 is to, as an organization, conceive of personal data as a joint asset with your end users. GDPR will say, well look, it’s a human right and it’s totally the asset of the data subject and a DPO (Data Protection Officer) can think that way, but a business owner is thinking what they can do with that lovely data to make more product. So it’s a mindset shift and I hear you’ve written a lovely article about this being an existential thing.
AK: Yeah so I wanted to continue because I have some ideas over here - the way that you’re talking about this.
EM: Maybe if we have more time we can - nothing but an over-the-beer conversation.
Step 3 is: lean into consent. 
AK: Yeah.
EM: Now GDPR has six legal bases that it’s identified for legal data processing, and consent isn’t always appropriate, but consent can often be appropriate when risk-based thinking would say “don’t choose it”; because with that choice comes new rights that an organization has - new responsibilities but new rights. And it invites your end user in and that can invite a customer in and demonstrate some trustworthiness to them.
And then the 4th I would say is: take advantage of identity and access management for building those trusted digital relationships, to make it easier and to reduce friction by doing the right thing.
AK: Right. No those are great steps. So a few things. One is: the topic of consent, right?
EM: Yup.
AK: We can have an all-day conversation about companies literally -
EM: Let’s do that some time.
AK: - within 30 miles, right? Our so called ‘New Age Companies’, but when I go to their website and I look at consent and it’s still driven by legal.
EM: Yup.
AK: You look at this and say on the one hand you’re trying to forge this trustworthy relationship with your customer. On the other hand, if your consent is not transparent, easy to understand, and it’s not a 70-page eulogy - the iTunes one, which no one can understand any of, right? Are you seeing companies which are forward-leaning which say ‘we are going to make this easy’?
EM: Yes
AK: We are going to make this easy so that I’m going to build trust with you and therefore stand above everybody else.
EM: Yes I will give you an easy answer to how that needs to be fixed and how some really forward-thinking companies are thinking about it. 
So GDPR is interesting and innovative as a regulation in another way because even though it says “Data Protection” in the title; the Europeans say Data Protection when they mean Data Privacy at large, right? So to me the phrase Data Protection means don’t accidentally let data out, right? It sort of means the security of privacy, but they kind of mean that phrase to mean everything. But what I see the elements of in GDPR are data protection - the way I normally mean it: the security of privacy, don’t accidentally let it out. Also data transparency - tell us what you know about us and tell us what you want it for and all that stuff - so the two-way street. But it also has really strong elements of control - giving people control. If it’s just transparency to say “Here’s our Terms and Conditions” and people can’t do anything about the terms and conditions, that kind of consent is -
AK: Correct. Exactly right -
EM: - particularly disempowered-
AK: - that kind of consent is a one way thing -
EM: Yeah. What can you do really? So new tools to understand what you’ve agreed to are nice, but it’s not a particularly great way of taking control. So one of the things I’ve been involved with - I’m kind of a standards wonk from way back - we were just mentioning SAML (Security Assertion Markup Language), the identity standard that I’ve been involved with. I was involved with the creation of XML; long, long story. One of the things that I’ve been involved with for some time now is a standard based on OAuth called User Managed Access, or UMA. So it’s a particularly - I think - interesting standard for a new kind of consent because it enables a person to, in a demonstrable, auditable fashion, become a kind of offerer of access to their data rather than just being a passive agreer to access. And I’ve been talking to a number of companies about how to put this in place because it can demonstrate choice and control - a phrase that appears all over if you look at ICO guidance for GDPR for example. And so if you want to be trustworthy as an organization, that’s a way to flip the script.
AK: So it’s interesting you mentioned that - because one of the ideas I mean I keep vacillating between talking about a consumer and an enterprise. From the consumer’s perspective if I’m a YouTube Red subscriber or a Netflix subscriber.
EM: Right.
AK: If my per-month charge keeps varying, sometimes it’s free, sometimes I get cashback, sometimes I get $100 a month. It really depends on data I’m generating for that. So the average consumer knows that ‘Hey, why did my 99 bill just drop to 0?’ It’s because you guys were binge-watching, and where you paused, and where you stopped, and where you flipped over is actually valuable information. It’s not rocket science so you look at it and say Netflix is probably the poster child of AWS (Amazon Web Services) usage, and they have all that data but they aren’t using it for actually engendering trust with their customers, they’re using it for their own purpose.
EM: That’s right.
AK: There is no copout over here. I mean you have all of the data, you have all the mechanism, you have all the analytics - 
EM: More transparency -
AK: Yeah, exactly!
EM: - and more control would be exactly fascinating.
AK: And I mean I’d be a fan for life if they did that.
EM: Yeah it’s true. So you know it’s interesting you're making a case for protection - yeah - more transparency combined with more control would be - I mean that’s the area of business models, not basic security. And so business models are now up for question and so I think consumers combined with some government, some ‘.orgs’ are inviting companies to say ‘Hey how about it?’ If you want to engender trust you gotta examine - it is an existential crisis, right - ?
AK: Right, right, right, right.
EM: For some.
AK: So I know we’re kind of running out of time, but any last takeaways as to what you would - I know it’s still day two, we have two more days to go - 
EM: So much more
AK: Right - but given the amount of foot traffic over here, the number of people over here, clearly security is top of mind, right? So what would a really mind-blowing RSA for you look like? Coming out on Thursday, Friday saying “Hey, this was a great event if A, B, C happened.” Just… Food for thought.
EM: Oh God… Well you know I’ve always been gratified when they added a half-track for identity. And I think it’s time to recognize the core role that identity has in security, privacy, and consent, and in trust. 
AK: Wow okay.
EM: So I think… I know I have identity-colored-glasses but more identity and I’ve talked to others who agree.
AK: Right, yeah. That’s cool. So you can’t have a conversation without blockchain, right so?
EM: I invented a drinking game for this! When someone says blockchain you drink.
AK: Alright I’ll be going binge drinking already. No but do you think ultimately that actually gives control back to the user. I mean last - yes or no. Or do you still think we are far away from -
EM: If I had to give a one-word answer I’ll say: “No”.
AK: Alright good. We’ll talk about that later.
EM: Another time I hope. A pleasure.
AK: Thanks for this it’s been a fascinating conversation. And it’ll be viewed GDPR, but hopefully we’ve given the audience something to think about over here - which is actionable.
EM: I hope so too.
AK: And hopefully enterprises - the forward-leaning ones that you talked about - are using this as an opportunity to actually elevate themselves for new business models. Thank you for your time.
EM: Thank you.

Editor: Ashwin Krishnan