Identity Management

Identity guru Eve Maler wants to rebuild online trust

Eve Maler is one of the most engaging people on the subject of identity management and, frankly, it’s a subject that badly needs her combination of good sense, plain talking and, when called on, technological depth. The term ‘identity management’ itself is of the umbrella variety, referring to the way people are identified, authenticated and can sign on to use both internal systems at their employers and pretty well any other kind of external system as individuals. The companies claiming to be playing in the field constitute a veritable scrum covering cloud and on-premises platforms and extending from decades-old veterans at some of the world’s largest technology firms to shiny startups. And then it’s at the heart of a prickly debate over privacy, ethics and security. Like I said: not easy.

Thankfully, Maler is here to parse and explain, all with a sense of humour and none of the po-faced attitudes sometimes characteristic of tech sector people with far less to be proud of. Maler helped develop XML, the markup language that acts as the Esperanto for data sharing on the web, which gave her the soubriquet (and Twitter handle) of XMLgrrl. Another moniker is SAML Lady, reflecting her role in developing another markup language, this one being the widely used standard for federated identity management. More recently she has defined herself as “chief UMAnitarian”, riffing on her involvement in the User-Managed Access protocol to let users define in one place what they will and won’t share on the web and related applications and services.

Such is her love of puns that, outside her many jobs, she has even conducted a choir version of the Queen hit Bohemian Rhaps-ID. But we can forgive her that as, despite that rich CV alluded to above, she wears her learning so lightly, sitting on various working groups and sharing insights all over the world on various blogs and conferences. Her day jobs have covered the analyst firm Forrester, Sun Microsystems and PayPal, and now she is employed by ForgeRock, the open-source leader in identity management.


Be afraid…

So, should the person in the street have as many fears about the privacy of their data as they seem to? ‘Yes’ might be the short version of Maler’s answer but the moral maze is tricky indeed. On the one hand we all have to think sensibly about what we disclose and be aware that personal information can have a high value. On the other, assuming the ostrich position and disclosing nothing might also be foolish.

She adds that identity is “hot” as a topic because there’s such a strong human element. As an illustration of this, in Europe there has been a lot of attention focused on the General Data Protection Regulation (GDPR), intended to protect individuals in the EU.

“They made a higher bar in the regulations,” Maler says. “It wasn’t just codifying what was already there. But there will be 28 countries interpreting this and you still have interpretations that will need to happen. I worry about interpretations. Some aspirations are laudable but I worry about some of the challenges of the modern world of technology and things like the Internet of Things not being taken into account.”

But such are the penalties available under GDPR (up to four per cent of annual turnover for businesses) that Maler contends that businesses will have to respect it as the “table stakes” of commerce. “It’s the price of doing business,” she says. “Regulations are regulations.”


A broad church

Maler agrees that identity management is a broad church and describes what she calls a “cornucopia” of efforts from directory services to authentication, the provisioning and creation of the identity management record, the identity gateway and more.

But she believes that individuals clearly specifying what they will and will not let their personal data be used for could be a stride forward.

“Consent is starting to have an outsized role in the world of privacy,” she says. “It used to be the redheaded stepchild in terms of compliance, the lowest rung of the ladder in what you do. Now consent is becoming a first-class citizen.”

She uses the example of Smart Socks, made to give feedback on running and fitness.

“They’re designed to generate data where dumb socks don’t. You want data not to go just to an app you use but perhaps to a doctor if you have heel spurs because they detect how you walk and run and they catch which part of the foot hits the ground when you run.”

However, she adds, the runner might not want that data to be fed back to Facebook friends – or to medical insurers that might charge a premium for a known ailment. By specifying who is allowed to access that data the user is empowered.

In the web and mobile eras, people have most often operated on the fear side of “the fear-to-greed continuum” in terms of sharing personal data, Maler argues. In the new Internet of Things, however, people have new opportunities to share data for personal benefit. Businesses are just figuring out how to deliver, and where there’s a greed side of the continuum, people’s rights tend to be better protected.


Get smart

Maler is also optimistic that more of us are smarter about what we do in terms of online security and data privacy.

“Just as everyone has got smarter about password security and more of us use password managers and password-less login is starting to be more of a reality, the notion of being savvy about what companies are doing with our data is also rising. It’s the post-Snowden era: we’re more aware and more cynical, and businesses are aware of how they’re not treated if they’re not seen as being trustworthy.”

Are things changing with the generations though? Some view young people today as not caring about privacy and accepting of ‘letting it all hang out’ on social networks and so on.

“I don’t think they’re casual about privacy,” Maler says. “There is this awareness of what’s available to them. That’s why they use Snapchat.”

Forming trusted digital relationships will be critical to the success of the digital world and to that end Maler supports efforts such as ForgeRock’s Trust Network, an attempt at creating a lightweight permissions model, and its Digital Trust Pledge. She is also involved in the Health Relationship Trust (HEART) work group for patient-centric health data exchange.

The simple premise in all this is to “ask people what they want done with their data and do what they say”. Maler is no cock-eyed optimist (with the Internet of Things she says trusted hardware modules that go right down to sensor level could be needed) but she consoles herself that “when money walks away, business listens”, citing Spotify as an example. Rebuilding trust will be necessary for all of us – which gives it a shot at happening.


Martin Veitch

Martin Veitch is Contributing Editor for IDG Connect
