This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing great. I've been thinking about in advance of this episode. I've been thinking a lot about privacy, thinking about, you know, the privacy statutes within higher education and within healthcare. And it's funny.
Usually when you start picking at those use cases, a lot of the use case surrounds famous people. You know you don't want to give out health records for famous people or the class schedules for famous people. And I was wondering, does that apply to you and me doing this podcast? I don't know if I can because I don't ever actually really went to college or higher education. I think I have an economics class to my course or to my
credit. So if you're looking for my for my records or my class schedule, it's gonna be pretty light. I don't know about I I don't know. I I I don't feel like that's something that should be publicly available. But maybe that's just me, Some people. Got out that you had high cholesterol. I mean, just one look at me. You probably already guessed that.
Well, anyway, I don't know. But that's, that's what was going through my mind was, you know, the famous people thing and what is the line between famous and not famous? I think on the Identity at the Center podcast not famous. Decidedly so. Netflix or on broadcast television, that would that would make make you famous.
So you know that would be a a momentous achievement if like we ended up as like a Netflix special, the making of Identity at the Center and hopefully it's a positive story and not one of those like, you know bizarre like Murder or we try to do our own conference and ends up like Fyre Festival or something like that. It would be like, Identity at the Center is a joke. Yeah, that's what it would be called. I did something yesterday and usually you hit me with something.
I'm gonna hit you with something. I did something yesterday that I've done in the past and went and watched at a local brewery here in Asheville. I saw UFC, Not the UFC that you're thinking of, but a wrestling kind of thing. Obviously for show here in Asheville they put together. I don't even know what UFC stands for. It's like urban.
Universal Fighting Championship. Well, that's what most people would know it as. But it's actually wrestling and it's like a local Asheville, NC type thing. And we went, and my wife and I went, got tickets paid $10 to go watch a bunch of people have a good time in a in a ring set up
inside of a brewery. And so, you know, we're watching, like, people come off the top ropes and, you know, the fights in quotation marks and the wrestling or whatever you want to call it, spilling out, you know, along the sides of the of the brewery ring and then into the brewery itself and then outside. It was absolutely nuts, but it was, it was a good time. I think you would have enjoyed it, 'cause it was just kind of like, you know, stupid fun.
Yeah, yeah. I don't even know what to say about that, Jeff, but I'd be surprised to find you there. I'd probably be at the corner of the bar drinking and be like, is that Jeff? Urban combat wrestling. That's what it was. UCW. No, I'm sorry. What did I say before? UFC. Yeah, UFC, no UCW, urban combat wrestling, but it was fun. It was like a, you know, Saint Patrick's Day, you know wrestling thing.
And there were several chants that I cannot repeat here on a, you know, show friendly for kids, 'cause we know I had a lot of those kids tuning in for that IAM talk. But it was, it was a good time, you know, beers, burgers and and wrestling. That does sound fun. You know what would make it even more fun was if you had a discount code. If it was the best discount code. If it was 100% off discount code. Unfortunately, those things rarely exist, but we got some good discount codes.
Yeah, we got Identiverse not 100%, but 25% off. We have IDV24-IDAC25 that gets you 25% off your Identiverse registration, stacks with Early Bird. So use early, use often. Good way to show show support for the show. Having a hard time talking today. The words just aren't coming out. May 28th, the 31st, it's at the Aria Resort and Casino in Las Vegas. I'll be there, you'll be there. We'll be doing podcasty things
to be determined. Our last episode is with Andy Hindle. He says we're gonna be doing podcasty things. I trust him. I trust that we'll be doing podcasty things. And that's the only thing is if if the past is any indication, so where are you staying? Are you gonna stay at the Aria? Yeah, I think right now I know you're trying to get me over to the Vdara, but you know, it's like an extra like 10 or 15 minute walk from from there. It's like an extra 10 or 15 steps, but OK.
But I I'd have to go outside and you know, I mean I can stay. I get my record is five days indoors in Vegas and I feel like 3 days is nothing for me. Yeah, there you go. The other conference we've got going on is Identity Week. We're actually gonna be at Identity Week America later this year, but they also have Europe which is in Amsterdam, June 11th and 12th. And the America one that Jim you and I will be at is September 11th and 12th.
That's the one in Washington DC and Asia and Singapore October 22nd, 23rd. We have a conference code for that one as well, IDAC30 that gets you 30% off of that registration and that code is good for all of the identity work. Identity Week. See. Told you can't talk today. Identity Week conferences, not just the American ones.
So if you're in Europe or Asia and you're heading to Identity Week, another conference code that you can use and hopefully save a little bit of hard earned local currency insert denomination here, whatever that might be for you and looking forward to that. Yeah, fantastic discount codes. So what's our main topic today? Yeah, so I kind of joked as we were hitting by hit record here.
It's like, here's what I'm thinking is what we're going to call the show, and it's a public conversation about privacy. And to that end, we've got Hannah Souter. She's the principal product manager at GitLab and an IDID Pro Board member. Man, I am struggling today. Welcome to the show, Hannah. Hey, Jim. Hey, Jeff. It's great to be here. Well, I'm the words are probably gonna come a lot better from you, but let's talk a little bit about your origin story.
This is the first time you've been on our podcast and one of things I'd like to do is find out identity origin stories. How did you get into the wonderful world of identity and access management? Is it something that you chose
or did it choose you? I think like most people, the identity and access management world chose me, but I think in a way I chose it as well, because after my first job in identity, I chose to kind of keep going down the path of identity, whereas I think I just as easily it could have pivoted elsewhere. But I really liked the niche. I really like the people I
started to get to know. And I really like that it felt to me it feels very important in terms of, you know, you're kind of protecting an ecosystem, you're protecting people's information, you're protecting potentially proprietary
information. And so I think there's a larger meaning behind it, which is part of the reason why I think I chose it. My first job in Identity so I was a developer way back when and eventually I started asking too many questions about why are we coding this and can I talk to the customer and are they happy with this or what do they think? And they're like you might like products.
Most most of our developers don't ask this these kind of questions, so I ended up switching to product about 8 to 10 years ago now. I've been there since and I was in developer tooling at one point just because of my
developer background. So I worked mainly product managing developer APIs for a cloud platform and then one of the services that I inherited as part of the cloud platform was Identity. So it started as kind of a fraction of my job, and then the next role I ended up getting, they saw my Identity experience at the first place. They said we need someone fully in Identity. And then now I'm on my third sort of foray into Identity, specifically devoted to it now at GitLab.
So I mentioned when I introduced you that you're a Principal Product Manager. And I think for one of the things I find really interesting about the identity field is the variety of roles that we have. Can you talk a little bit more about that role of a principal product manager, take us through sort of like your day-to-day looks like a normal week for you or are they all different? You know, kind of shed some
light into that role? I product is really varied, which is part of what I like about it. So day-to-day I work with engineering counterparts. I have about six or seven engineers I work with. I have an engineering manager I work with. I also work with other product managers. I've talked to customers a lot, at least a few times a week in customer meetings. These usually originate with
sales or customer success. If a customer has a question about user provisioning in GitLab or, you know, how do I most securely authenticate? Personal access tokens seem like the wild Wild West. Should I turn them off or what? I so it's a lot about security honestly and keeping what's the best way that people can keep their GitLab instance secure. Of course I handle you know this doesn't work the way we expected or we need this extra logging information to make this really
much more robust. And one of the bigger projects I did recently was we had gotten a ton of customer feedback that our static roles and permissions that we had built in were not sufficient anymore. People were having to grant too much privilege just for like one small permission. So we knew we had to make our model more flexible.
So we did a deep dive. Technically, my engineers did that in terms of how could we take our current authorization model and really rip it apart and make it something that customers can build from the ground up and only grant the amount of privilege necessary to accomplish a certain task rather than to have to assign roles out-of-the-box. So that's been something I haven't had the opportunity to
do before any other job. That's, I think that's kind of the power of the product manager, right? Being able to sort of inflict your desires and what you're hearing from customers, right? Say, hey, these are the features that we want to put in there, which I find a little bit of empowering. Maybe maybe it's just me, but it's like, hey, it'll be a neat idea if we could do this.
And you've got like the ammunition from like, yeah, the customers are saying they want this, like we should be doing this, right? Yeah, it's about customer interest and then you know also revenue, right? That's a powerful story to be able to tell if there's perhaps identity or authentication related feature, we can tier to a more expensive tier of our product and try to get more revenue in the door. That's really powerful. The security and compliance use cases usually tell a powerful
story. But the one thing about being a product is that, you know, my engineers are my peers. I'm not, I'm not their manager in any any shape or form. So you do have to get their buy in. And what I always tell them too is I want you to push back on me. It's like my least favorite teams that I've worked with are ones that just take whatever I say and go execute. I'm like, no, I want your
pushback. If there's something that you know is going to take a really long time and it's a ton of effort, maybe it only delivers, you know, 5% of what we need. I'm open to skipping that, you know? So I really like engineering teams and the collaboration that goes on with a strong team of engineers. I also introduced you as a member, actually a board member of ID PRO. Can you talk a little bit about that role? What are you working on from the
ID Pro perspective? And I guess just for Full disclosure, right, I'm a member, Jim, you're a member. I also serve on a couple of different committees for like CID Pro and the nomination committee for board members. So I remember seeing your name on that list a couple years back, but tell us a little bit about your role with ID Pro. Yeah. So being on the board of ID Pro has truly been an honor. I never thought that board member would be, you know, on my resume.
So it's been, you know, hugely encouraging for me that others believed I I was capable enough. ID Pro. We are a a network and a certification body for identity professionals. I found out about ID Pro because my roles in Identity, I've been sort of the lone soldier of Identity expertise in addition to my engineers, but more from like a product or a business side. I've never worked for an Okta or a company where Identity is the
product. I've always worked somewhere where Identity is part of a bigger product, right? And I think there's a difference there. And you can start to feel like, well, do I really work in Identity if, you know, I, I've never worked for one of the big names of the booths that you see at Identiverse. But I think a lot of companies have, you know, every product has identity in it, some more customized or home grown than others. And there need to be people that
oversee that. So I think there's plenty of us out there, but I was struggling to find them and that's when I found ID Pro and was really excited about, Oh my gosh, there's actually hopefully going to be people here that I can talk shop with and I won't feel like the only one. So that's when I joined ID Pro. And being on the board, we work together in a team as the board. We kind of set our yearly strategic initiatives. We kind of decide, you know,
this is who we are. This is our value proposition. Here's what we want to provide to our members so to make sure they're getting benefits out of their membership. And we kind of do strategic initiatives for the year. And then we, along with our Executive Director, Heather Flanagan, execute on those priorities. We check in on them every month at a meeting.
And one of the things I'm excited about that we've done so far this year is I think a huge part of our value prop is our Slack. And I would have never been one to be like, Oh yeah, like really excited about a Slack network. But I can't even tell you to be able to pop a message on Slack in one of the channels, ask a question and then you know get get the author of the SAML standard to reply to your
message. And then ten other people who are have years and years of experience implementing these technologies. That alone is worth the price of membership I think in in one Slack chat. And it's the more active you are, the more you get back.
And so our history used to only last, I think for 90 days and we recently upgraded our Slack plan and we can now have historical knowledge and and have all of those conversations that have been so valuable and now they're searchable, you can find them. And so I think that's one of the things I've been excited about so far this year. Jeff and I couldn't agree more. I mean, we're both ID Pro members.
We talk about the Slack channels, like the number one benefit because not only can you benefit from your question, but Jeff and I can benefit everyone as an ID Pro member can benefit from your question and all the people who wrote responses. I also think one of the great things is like, sometimes you get these questions that kind of stir the pot. And I get the sense that you like to stir the pot a little
bit too. And that was kind of one of the things you wrote in the December newsletter for ID Pro, an article called Privacy is a Human Right. I thought that kind of stirred the pot a little bit. Wonder why did you say that? Privacy has been super important to me over maybe the past year and a half. I remember at Identiverse, I guess it was three years ago, probably back when it was in Denver and we were all wearing masks. I heard.
I just went to Jamie Danker's talk Introduction to Privacy and I remember just like scribbling down notes and being so interested in this topic that I went back home and I it kind of jived with some things, actually. My friends, you know, like non-technical folk, my friends who I sit down and watch. We have a group that watches The Bachelor when it's out. We get together once a week and we watch it together and they would always be like, you know,
you work in tech. Like is my Alexa listening to me, like, why did I look at that toothpaste at Target? And then it started getting an ad for it like is, are things spying on me? And I realized, like I I don't have a great answer for that. And yeah, I've worked in tech forever and it's weird. And so I'm going to start to try to understand that and share my learning along the way. So that's really how my interest in privacy came about in terms
of sharing it with others. I wanted to do a very low barrier way to share, so I started an Instagram account. But yeah, that's where. So my interest in privacy has blossomed over the past year and a half or so, leading me to write that article. Because I do think identity and privacy are interlinked at this point in our journey as a species that lives a lot of their lives online. So I was really excited to write that.
Yeah, yeah. And I think my whole point on like questions that kind of stir the pot is more that different people can end up on different sides of that issue or find themselves. And I'm going to bring up a topic that I think is one of these topics, but I think it's OK. I think it benefits us all to have those conversations, hear both sides of the argument and then figure out which one we align with.
As I know this one, this next question that I have for you is something that not everybody agrees on, maybe not everybody has formulated an opinion on, But I mean, we hear about, you know, the Internet was created without an identity layer and that was the big mistake. So it's kind of like, well, had there been an identity layer in the Internet, all of our problems would be solved. And I don't think that's
necessarily true. I think we're also moving toward different ways to have more of our identity able to be enabled on the Internet. My question is, do we have a right as humans to be anonymous on the Internet? I think out of all the questions we talked about today, let's still be the one I'm most fuzzy on. My answer on right? But this should make for a good
discussion. I think I would lean more towards your right to have anonymity on the Internet than I would on, you know, every single thing should be tied back to
your identity. I think that people are fooling themselves, quite frankly, if they think they can be anonymous on the Internet. And I know that sometimes if people put enough up, enough blockers, VPN, whatever, they do everything right to. Yes, you can maybe be anonymous on the Internet. And I I think there's a a tough line here because you know, I think about all the bad things that can happen on the Internet that people are much more likely to do if they know I can be anonymous, right.
But I also think that potentially, you know, exercising your right to free speech, if that's tied to your identity and the wrong party gets a hold of that data, what could possibly happen? I I really do worry about if everything is tied to This is Hannah, which a lot of it is, right? Even like what we watch on our smart TV's, they know it's me. I worry a lot about the fact that our worlds are so influenced by what we see. The ads we see, the order things are shown in the news articles
we're shown. Everything is influenced by like. Here's what we think Hannah wants to see, here's what we think she's going to click on. And so I think it's really hard to get an unbiased view. And that is my concern with not being able to be anonymous on the Internet, is that there's no way to get out of this sort of like tunnel vision that's created for you by by the algorithm. What do you think? Well, tremendous point. Let me kick it to Jeff first.
It's like anything else. It's a tool and there are good and bad when it comes to a non anonymity and privacy and being able to, you know, attribute things to people. I don't have the answer, that's for sure. I mean I my, I'm man. I cannot talk today, man. Context switching all the time. Things that I want to be private, things that I don't care and things that I can't be private about because they're required by law. I have a driver's license, or I have to pay a bill, or I have to
do XYZ right? Or maybe I think having the option to toggle that flag is important. I don't know who controls that flag though, because I don't think it's something that can be on the hands of the user 100% of the time, the same way that it can't be in the hands of the service 100% of the time. So I think it's kind of like this wishy washy consulting depends answer.
And I don't know if we have a good infrastructure from an identity perspective to be able to enable that broad of a thinking because right now for the most part, we're all using a variety of different identity providers and services and things like that to log in. And if I look at my, you know, my password wallet, I probably have a 1000 different IDs in there. How am I supposed to manage privacy without some sort of centralized tool to do that?
Who's going to manage it and would I trust the person managing that or the persons or the company managing that to not do things with the data that I might potentially put into that? So I don't know where to go with it, but I I see both sides of the coin and I think there needs to be some flexibility there somehow. I'm not smart enough to solve it though. What do you think, Jim? Well. I think Hannah brought up a a fantastic point, which is do you really think you can be
anonymous on the Internet? That might raise the question, But here's kind of my concern is if you took away the ability to be anonymous, you might get away from people who are human rights activists in countries where you don't have the right to free speech. Right. And where these things are tremendous threats. And if, you know, the government finds out who posted that, that person might not live another day.
So yeah, I think it's important. I think it's, you know, at the state of where our society is today and it's too easy to get trapped into. OK. In the US we have like online bullying and like believe me that's where I would love to just take away anonymity but at the same time I think there's other issues and and how the the evolution of the of the world needs to happen in terms of you know oppressive regimes or you know etcetera etcetera.
The the those things trump, you know, issues that the other issues I guess because it look, it's not a black and white issue, but I think I fall down on the side of we need to have anonymity on the Internet. And I that's why when I hear like, OK the Internet was built without an identity layer, I think OK, I can agree with that to the extent that there there still could be anonymity. All right. Next question for Hannah. And I think that was a good one,
right. And that might have been the hardest one, but I'm wondering like, so Hannah, you talked about privacy as a human right. And I'm wondering is an inalienable in now it's going to be my turn to not be able to speak in in in inalienable right. In other words like a God-given right or is it based on or depend on where you happen to be or where you live or where you're from. So in other words, like, is it a human right in the United States?
But if you're in North Korea, you don't have that human right. Well, I think that's certainly the way it is right now. I mean I don't even think that we have, we don't have any, you know, legislation here in the US that does make privacy a human right. That's why I felt like, you know, worldwide this is still just very much in its infancy and that's why I wanted to bring it up in the, in the article I wrote. In my opinion, it is an inalienable right. It should not be available to
certain people. I've seen a trending towards, well, we're going to, you know, if you want to use a certain social media platform and you want to use it with more privacy controls, then you're going to have to pay a certain amount a month. And then anyone who can't afford it gets, you know, their data, you know, taken away and sold to brokers. And I don't think that's right either. I don't think it should be something that only people with a certain financial privilege
can afford. So I feel pretty strongly on this one that it should be an inalienable right. I just think that we're far away from that. What do you think, Jeff? Again, depends, I think are you know, are we saying that you don't have the right to privacy as a consumer or as an enterprise worker or in what context? I would say, again, it's not black and white. Some contexts I do not have that right. I need to be, you know accountable for whatever actions I take.
And there are other situations where you know, I I can't or I shouldn't be to preserve physical security or emotional or mental security, right. Things like that. I I, I don't, I don't even know. I don't know how to answer the question because I think it's again that context switching. And Hannah, you keep throwing me for a loop here and say, OK, well, I agree with that. I don't agree with them. So wait a second. Which context are we talking
about here? You know, how do we, how do we even think about something like this where, you know, we're very fortunate the three of us live in the United States and we're able to have a certain amount of free speech. Not every person has that benefit or that luxury, and that has varying degrees of repercussions depending where you're at in the right How do you protect somebody? Yeah, and I think even just thinking to my day job at GitLab, right, it's another context specific thing.
Because if you want to push, you know, code changes to production for example, we're gonna need a very high level assurance that you are who you say you are. And maybe you have to go through several step up authentication methods to prove, hey, that's actually Hannah behind the keyboard. And the further those go, the less privacy perhaps you could say you have. But it's all a trade off, right?
It's like, is it worth it to have the level of assurance to do a potentially destructive action? Yeah, I kind of feel like there's certain privacy that is a human right. I think that you can put yourself in certain situations where you give up privacy. So for example, you walk into a store, it's a privately owned store if they are doing some kind of eye or they're watching your eyes in terms of like what you're looking at and then feeding that information to a third party.
But here's where I think it breaks down. If you're doing those things and the person doesn't know you're doing those things, I think that's where it should break down. You know, and I think that's the problem with like, privacy policies, for example, is like, OK, if I'm going into a store and they're scanning my face and saying, oh, there's Jim McDonald and, oh, he looked at the Crest
White strips. And now we're going to sell that information back to some marketing firm and we're going to tie his e-mail address to it. And we're just going to start and they're going to do whatever they want to do. Now they know he wants Crest or he's interested in Crest white strips and they're just going to start spamming him or something. I don't think that's right. So that that's kind of where I, I I think if people understand what they're getting into.
But I also think that the counterbalance to that is that sometimes like, oh, you know, if like you go to the airport, we're going to start like, you know, scanning your face and knowing who you are as you're walking through the hallways or if you're on a public street we're going to do those things. So we're always going to know where you are at any given time. I don't think that's, you know, if even if you know that's what's happening, you don't really have a choice of not
walking on the streets. You know, what are you supposed to do to go live in the woods? Yeah, exactly. And I that's one of the things as I've been sort of talking about privacy in public that I've tried to be very clear on is that it's not all or nothing, right. Just because you you like you can share your photos on Facebook, right? But just understand what the implications of that are and maybe it's worth the trade off
to you, right? Like maybe it's, you know it's really convenient to share the photos of your kid with the grandparents on Facebook. But hey, maybe you should make sure they're at least private, right. So there's like a balance, and it doesn't have to be all or nothing. And just because you use a certain platform doesn't mean that it's all a lost cause for your privacy. And oh, what does it matter? They can know everything about me because, you know, that's fine. I'm boring, right?
It's like the common, you know, who cares? But I think, I think it can get potentially hairy, right? We were talking about walking into stores. You're looking at white strips advertising it to you. Yeah, that seems fairly benign. And I, some people even love those targeted advertisements. Like, yeah, I wanted to buy that. So thanks for reminding me. But what I'd be worried about is, oh, let's, you know, oh, gosh, Based on her last visit six months ago. Yeah. She's gained weight.
What does that mean about her health? Right. And can we combine that with some other records from an online therapy place that's gotten hacked? And now we can tell that, you know, I postulate that a certain thing is going on. And now my health insurance company knows, and they that's what I worry about, is kind of like a next step into how this could go wrong. Yeah, I can see that, Jeff, your love of chicken and waffles is causing your your cholesterol to go up, right? Things like that.
So Hannah, you had mentioned about the Amazon Alexa, whether or not it's listening to you. And I've had conversation with people, so I don't really have the inside information. We did have a guest on the the show at one point who's like, absolutely, it's listening to you and I, here's the the dots that I've connected. It's like, does it require some human being to sit there and listen to what you're saying? No.
With artificial intelligence, they can do speech to text, load that into some big data database somewhere and like just scan through it in seconds, right. So I think it definitely could be. Whether or not it is, I don't know. I don't think we know for sure. It is the person who mentioned that was not speaking on behalf of Amazon. So if you're Amazon listening,
don't sue us, we don't know. But the same thing applies for any of these services, right, That has a Voice Assistant And it just seems like the correlation of different points of data is what's taking place. And they think about Jim, earlier you said choice. And I think that's one of the big parts of this is if you're walking to a store to get Crest White strips, we'll just stay with that thing and you don't
have a choice. It's the only place that you can go to sell it. And the only way you can buy is by going in and giving up your information. In this case, is that really where we want to be where you're in a position where you only have, you don't have a choice. Essentially this is the way you have to do that versus maybe there is an alternative method, right? Maybe you have to drive an extra 2 miles to get to a location
that doesn't do that. You made the decision to go into that private enterprise that theoretically told you what it was doing. But we had a conversation with a few weeks ago with Laura Gomez Martin and from our team here about privacy. And I kind of got on her case a little bit not, you know, not mean or anything, but these EULAs that we see out there, it's buried in, you know, walls of legal text, and you really don't have a choice. It's really the only viable option.
Are you gonna drive 45 minutes extra to get Crest White strips or milk or bread or gasoline or X thing? If you don't have the choice, then I think we run into issues. And then the correlation of the data that's being collected, I think is the other problem point. So yes, you might have all these different, you know, points of data, but until they're correlated, that's what truly
makes it powerful. And that's what concerns me is some of these situations where it's like, oh, I know I visited this website over here. Of course there's a cookie. It tracked that I went to this other website and then I visited a physical location and then I drove my car somewhere and my phone knew where I was going because I wanted Google Maps to run. You put all that stuff together and guess what? Now you've got correlation of data that can be potentially extremely damaging or
potentially extremely helpful. Hey, I get an e-mail every month of my Google travels. I traveled this many miles around the world and I went to these locations and my photos are geotagged. I love that. Do I love the fact that it could be used for other purposes? No. But that's where we are right now. Right.
And it would be nice and perhaps there is this, I don't know, but if you had some granularity and being able to opt out on the Google front, it wasn't just like a mass all of my information from maps and use it. It would be like, oh, how nice would it be if I could get the check box that showed me my pretty little map.
But then I didn't have to let them, you know, package it up and sell it or whatever they do with it or target me with ads for it. So I think we have a ways to go in offering better privacy controls to consumers. Yeah. My feeling also when it comes to human right, we can't look at like, here's how it is. You know, we have HIPAA laws in the United States, maybe in Mexico or in Canada. They're different. Maybe, let's just say they're lesser. I don't know, they might be stronger.
But let's assume that for the sake of argument, they're lesser. I think when we talk about a human right, we should be talking about the way it should be, right. And when we're, we use Crest White strips as the example, it's kind of an innocuous example. But if you were to go and get some kind of medical procedure done or you're buying like birth control or something, that it's just nobody else's business,
right? And you don't want that information to become public or you don't want some insurance company to use it to say, oh, we're going to deny you insurance because you had this procedure, you have a shorter lifespan or you have some kind of disease. Or here's another example: you get your DNA worked up, right? And you want to know for yourself, OK, am I more likely to catch these diseases or whatever. You don't want that information to become public.
You don't want that information to be sold. So to me the human right piece is about how it should be, not the way it is. Yeah, totally agree. All right. Let's shift topics a little bit because I think we've started to talk about this, but maybe not head on. And I think it's just that expectation of privacy as an employee. I think so far we've been talking about this maybe more from a consumer perspective. Typically, we're not a captive audience, right? We do have choices for the most
part. But if you're an employee, you may not have as much choice. What are my expectations of privacy as an employee and how might that be different from the consumer side of things? What do you think, Hannah? I think your expectations as an employee go down, right.
I have found that anytime I'm employed, I'm given pretty thorough policies to sign off on that says, hey, you know, here's if you're working on the work computer, here's what we're recording about you or could in theory record about you. So I think it's been at least pretty transparently disclosed. Hopefully that's the case for others as well.
But I do think when you're an employee you have a lot less, you need to have a lot less expectations. And again, you know, balancing sort of privacy and security, a lot of these things are kind of, you know, given under the, well, we need to know exactly what our employees are doing for security purposes. And that does certainly have merit whenever you're dealing with, you know, intellectual property and keeping it sort of
within your company's ecosystem. So I guess personally my expectations as an employee are pretty low, but at least I feel like I know what I'm in for. What's been your experience? I'll add my thoughts on it. My concern is that, you know, IT administrators are the ones who have access to your communications, at least your electronic communications. And my concern is like, you know, what if the IT administrator says, oh, I'd like to start reading Hannah's
emails. Oh, she's having an argument with her spouse or something like that. And you know, like somebody goes and abuses that. I absolutely think that is not acceptable. But I do think that the company has the requirement to watch for certain things, that you're not exfiltrating the company's data or, you know, doing other things that is like corporate espionage kind of stuff. But I think it stops right
there. And I think that if the company is going to put itself in that position, then it's required to make sure that that data is not being abused. Otherwise, it sets itself up for potential lawsuits. Well, I think this is an area though where most companies would have a policy statement somewhere that says, look, this is company property. You know, we may allow some, you know, adjacent use for convenience and things like
that. But you know, if you're using your work e-mail to do it, all of your transactions, that's on you as the end user really not understanding or not adhering or even thinking about that type of privacy. So what is the responsibility of the individual to say, oh, I should probably have my own e-mail account to do this and not do everything through my atwork.com e-mail address,
whatever that might look like. Now if an IT person is snooping my traffic, they're running Wireshark and they're putting together packets and doing things to get into my e-mail and
my personal e-mail. Again, bad situation, but my responsibility as to myself would be of course I'm not gonna use my work account for that kind of thing, but there's lots of people who do. I have been in those situations from a security operations standpoint, doing the forensics analysis and people do dumb stuff all the time. I think it's gotten better probably or at least more known.
But it does happen. You know, you get the occasional e-mail, always sent it to the wrong address or you know you're in your address book of my work address, some personal address and you know, maybe there's some, you know, weird thing that goes to one address and not the other. But you certainly hope you fix that in subsequent threads. But I think there is some personal responsibility when it comes to the usage of a company's resources and understanding.
Like, OK, yeah, like the organization, this belongs to them and they could do something with that data if they wanted to. And they have every right to do that. It is their property. Hannah, what do you think? Yeah, I think that's very well said that there is a responsibility there on the employee side. One thing I'm curious about, Jeff, since you mentioned your sort of forensic background there. What I've always wondered on using a work computer for encrypted things like iMessage,
right? Can your company still read that? I'm honestly not sure. There are ways to get around it now. It's been 15 years before iMessage was around that I was doing this type of stuff, but there are still ways to do that. To break the encryption on it. You typically need the device or at least a forensic copy of the device to do that. But I don't want to like say yes or no as of now, because the last time I did it we were still using Lotus Notes for e-mail.
So that just goes how far back it was. Yeah, OK. There's also situations where, like on your desktop hard drive, you might have your W-2s or other kind of tax forms that you downloaded from the company's HR portal, so there's ways that people could access that. I guess your point though is well taken. I can see why companies say don't use your personal device for any personal stuff. Yeah, 'cause they don't want to be responsible for it, and maybe
it's they don't care. They're trying to protect the users who maybe just don't clean up after themselves. A company device to me is a public portal. I wouldn't do anything on my corporate computer that I wouldn't do at a kiosk, in a library or, you know, whatever it may be. Not that I would ever use any of those. But that same idea, right? Of this is not a trusted device for my personal information, that kind of thing. Yeah, I completely agree.
I think people should be careful and, you know, be judicious with what they do on their work computer for sure. There's another saying out there that if you aren't paying for a product, then you probably are the product. And this is one that I definitely believe there is some truth to and I point back to my own experiences. I don't pay for Google. Well, I do, but not the services I use like Google Maps
and things like that. So they're clearly collecting my traffic information, right, to make sure that traffic, you know, they can show the green line or the red line in Google Maps. And I'm sacrificing that bit of privacy to enhance the map application. My benefit, no, can't talk again. My benefit from it is I don't have to go to, you know, a AAA store and buy a TripTik to do a cross country, you know, journey like we have to, you had to do like 20 years ago.
Do you believe in that statement? Does that make sense that if you're not paying for a product, then you probably are the product and meaning that your data is probably what's being used? Absolutely. I think I've said this to my Instagram audience and I've put it in a lot of the content that I've written as sort of a principle to keep in mind, right, that nothing is free. You are giving up your data in
exchange for a service. And I think as long as you realize that and you're OK with the trade off, then fine. But it's the fact that it's so opaque to most people and they don't realize exactly what's happening or they know some data is being collected. But you know, there's the small text about, oh, it may be shared with third parties. And then before you know it, your data is replicated copy after copy with data brokers.
And it's basically impossible to peel back at that point and regain possession of. So I agree that if you're not buying it, you are the product. I've tried to get away from certain things as best as I can. It's really hard to untangle yourself from some of these products like Gmail for example. I moved over to Proton e-mail address, which I pay for. They have a very transparent privacy policy that they're not selling your data, but it does. It costs more than even like a
Google Business account. And you have the pain of, like most people don't know me at that e-mail address. So do I, can I ever actually get rid of my 10 year old Gmail? Probably not. So it's a very powerful, sticky thing. And it's, I don't want to act like it's, you know, easy. Oh, just switch to all the, you know, privacy products because again, you have financial barriers. There's usability barriers. I'm not familiar with those. For example, I use Google
Photos, right? I know they're scanning everything about those photos. They I take a picture in the kitchen, they probably know what's in my pantry door that's open, right? But I'm willing to live with that because it's easy to use, it's easy for me to share things on there. So I think as long as you're understanding the trade-offs, I think it is what it is and you're definitely the product and maybe that's OK. I mean, I think understanding that trade off is probably the
most important thing. I'm a Google Photos person myself, right? And I'm looking at my Google Chromecast with Google TV, which is a terrible name for a product by the way, Google, if you're listening. And I have an album that is my dog photos, and every time I pick a picture of one of my dogs, it's using its Google magic to add it automatically to my photo album and it just magically appears on my TV, which I think is great. My wife and I love that.
Yeah, see, it's not all bad. Jim, I know that you've had some concerns or maybe some questions is probably a better way to put it around pictures and those getting uploaded and becoming property. I wanna ask you about this and kind of maybe get Hannah's take on this, but we just talked about Google Photos, right? You're uploading pictures and you're doing something about that.
And I think this concept of all uploaded pictures become the property of that company is a real problem I have with that. Unless it's very clearly stated, I'm probably not going to use that platform. Where do you see that most often? Is that something you've come across, you know? What are your thoughts on that? Because I'd love to hear Hannah's comments after that.
You know, I heard this in the early Facebook days, so I'm not even sure if it's ever true then or if it's still true now. But my understanding back in the day was that you agree as part of the end user license agreement that any photos you upload become the property of Facebook or, you know, via Instagram, the property of, I guess Meta is the right term now. My concern is then, OK, where might those pictures show up?
And if there are pictures of like you and your family or pictures of you and whoever, could they show up and at some point you don't want them to be on the home page of Facebook? Now, I think that Meta's probably smarter than just to take one of Hannah's pictures from her Instagram profile and throw it on the instagram.com website, but I don't know. I don't know if that's true.
I think the language that I typically see is transferable, sublicensable, royalty free, worldwide license, all this, you know, legal gobbledygook, where it's OK. I uploaded a picture of one of my dogs and I'll just use Google for that example. I don't know if they're doing this or not, but I uploaded a picture and part of that service says, OK, I have one of these things. Can they make a copy of that picture, then do what they want with it? Who owns the copy of the
original? I don't know. And are they with? Maybe. But I agreed to that when I took advantage of, you know, having a dynamic photo album with my dogs in it. Right. I've got cute dogs. I mean, I hope I get, you know, a little bit of kickback from Google if that happens. But I think that's the issue, right? It's a copy of the original. It's not. Oh, we didn't use the original. We used a copy of it. Does that make? You sold.
What if they sold pictures of you and your wife and millions of other people to a retailer, and then they used AI technology to do facial recognition. Now you walk into that retailer and they knew all this stuff about you or they say, oh well, now Jeff was looking at the Crest White strips and they start pushing those ads to your profile. Yeah, they use this podcast. They heard us talking about it. It's the part of the training data.
Who owns the podcast, Jeff? Is it really you and me or is it actually the each podcast platform? People own it. This is a podcast for the people, by the people. Come on. Man, I'm with you. I'm with you, man. Well, and I think back to what I said earlier, right, is that it's the images. And then even if they're not selling the images, they're probably inferring attributes, right, or things in our images about us.
And then these huge data profiles are built up by the data brokers who then, you know, package this information and sell it. And then I think you know it like, like I said at the beginning, like the fact that perhaps when I try to go look at the news and try to get an understanding of what's going on in the world, and I'm seeing some version of it that is different because they think, oh, this is the, this is the version Hannah will interact
with, right. But my friend opens the computer and says what's going on in the world and they might get a completely different sense of what's going on because the output is all influenced by the data that is they had about us.
So that's one thing I think is unique to sort of the past five to 10 years in terms of how tailored our experiences are that we may not even realize it. So I think you bring up a really interesting point because I feel like we're going into an election cycle here in the US, right. And it's pretty clear that there are red states, blue states and
purple states. And I do find it interesting to say, OK, well, you know, if someone has leans towards these specific sites or whatever, could that data be manipulated to show me things that would put me either for or against, right. Those situations. I do think that's interesting idea of, you know, maybe this is an AI thing. I don't know. But people are constantly trying to tailor their marketing, right.
I mean, we use this for the podcast as well as like, hey, how do we get content that people want to listen to or watch or whatever it may be? You know, and we're just a stupid little podcast about identity. You know, I have to imagine that the larger media networks are probably doing their own analytics to say, oh, we know that, you know, this age demographic in this region that also looked at Crest White strips, you know, watch this sort of, you know, thing. Right.
And I think that's an important point is, you know, if, and sometimes maybe it's not even changing the facts of the story, it's how the story is worded or other things, right. They can kind of move you in one direction or the other, depending on, you know, the goal of the service. I think what you're fed online, definitely.
I mean, I noticed it myself and I feel like I'm pretty aware of it, but even I can notice like, OK, you know, oh, it seems like every, I'll notice myself saying things like, oh, it seems like everyone is talking about, you know, this. And I say that to someone else and they're like, what? Like, so oftentimes I catch myself wondering like, how much is that really true or how much is it just like continually feeding what I'm being shown and it's making me perceive things
in a different way. And we're all living our lives so much online now that I think everyone sort of has their own perception of things that are going on, what's important, what's not. And it's really hard to know the truth. Would you know you were being radicalized one way or the other, however you want to define that, if it was a slow progression over time based off the data coming in about you and your other activities? It might start with just a small little thing.
It's like next thing you know, you know, you keep reading about how Crest White strips actually turn your teeth black. It's like, oh well, must be true, right. I see 1000 different articles about that and only one that says it's good versus someone else like Jim who's out there, he's buying them. He's like, yeah, these are great. And he's in, you know, Crest White strip fan club, these are things that the Crest, you know, the best thing sliced bread.
And he's in the maybe he gets one article. He's like, oh, that's nonsense. Like, how would you even know that you're being pitched one way or another? I find that really scary. And now I've got my tinfoil hat on. So I should probably say. Yeah, I know, me too. I know it can quickly veer into that. And I don't like when I start to sound like that. But you know, it's an interesting question. It's an interesting thing to ask yourself, right? And maybe just become more aware of it.
Yeah, such a cool topic. I think we go for another hour. But Hannah, you've been such an awesome guest, and I wanted to finish with, you know, you've been kind of this privacy evangelist for over a year now, and I'm wondering, like, what have you learned? What's been your biggest take away? I think my biggest take away on privacy evangelism is that people care about the human side of it. They don't care about a specific
technology. Like, all of my most engaging and sticky things that I've done were like videos, little reels of me doing things like, oh, this is what, like I logged in without a password and it's like I'm looking at me and then I flip the camera around and I touched my YubiKey, right?
Like that was so popular. I don't know why, but I think talking about, you know, FIDO and talking about YubiKey didn't connect nearly as much as seeing a person not have to put in a password and just touch something and now they're logged in. And that's what really drives the point home. I did another post where I took a photo of my Christmas tree and I said, you know, if I posted this photo of my Christmas tree online, what would I be giving
away about myself? And then I put a little tag that went over each ornament and it was like my favorite vacation spot. How many people are in my family, the ages of people in my family, like one of my favorite foods. It's like all the different things you can potentially be showing about yourself just
in an innocent seeming picture. So I think taking things out of like digital and technology and putting them into humanity and, you know, just everyday objects around the house and framing privacy that way seems to have resonated the most with people. That's a great experiment, being able to like, use those tracking tags, right, and pixels the opposite way, 'cause they think maybe people are familiar with it, but maybe not.
But you open an e-mail or whatever website, there's usually a tracking pixel somewhere in it that is tracking what you're doing. It's just a little pixel. You would never notice it. It's white on white background probably, or black on black background. And yeah, that data gets correlated, stored somewhere and then correlated back to something about you. Yes. So when you're answering those secret questions, right, it's like, OK, either use the truth or make sure you remember your
lie, whatever that is, right? Yep. Yep. Exactly. All right, well, this. I feel like we got pretty heavy here, but I really enjoyed the conversation. I want to lighten up the mood. As we kind of wrap things up, we'll end on a lighter note. I've actually got two. One's from Jim, one's from me. Jim, I'm gonna go first because I think yours is more fun maybe than mine.
But Hannah, question for you, what's the most unexpected thing that we would find if we looked at your music playlist right now, whether you're using Apple Music, Spotify, or something else? Like, what's the most surprising thing where it's like, well, that's not Hannah, Hannah's changed. I think to anyone who doesn't know me, it would be surprising that I have a ton of really hardcore late 90s and early 2000s rap in my playlist. Super hardcore. I still really like rap and hip
hop. But you know, back then it was just super hardcore rapping. And I still love that music to work out to, and I think most people would probably be surprised by that at first. All right. Give me some artists. So you're talking about late, late 90s, two thousand? Yeah, like Snoop Dogg, Eminem, Dr. Dre, the old Lil Wayne. Yeah, all things like that. Kid Cudi, Chamillionaire and Nelly.
Oh yeah, I could go. I could go on and on thinking, thinking back to my CDs in the CD player of Nelly. I can get behind that. That's not bad, Jim. How about yourself, 'cause I feel like it's all country music and I'm hopeful that there will be something good in there. There's lots of good country music in there. There's lots of good old classic rock, new rock, medium rock, like, you know, like the, what do you call that, grunge rock. But here's one that's going to
stand out. The Ambient Zone, Just Music Cafe Volume Four. And the song is called Weightless by Marconi Union and it's just one of those like new age kind of like sounds with no vocals and you just play it and just like when you want to meditate and it puts you into a meditative state. And I love it. I use it just for that very purpose. But I don't have, I have a few songs like that. But I think everybody should check that out. They need some way to relax and get into its own.
I use that for focus because I can't, you know, read and write while also listening to someone sing or talk. So I need the. I need the ones without lyrics as well to. I use it for focus though, when I really need to do something and concentrate. What about you, Jeff? Man, I am all over the place when it comes to music. I don't. I'm trying to think it'll be shocking. I mean, I listen to a lot of rock. I I like EDM, even though I can't dance for crap.
I think part of that is like instrumental, like dance music. I love Lady Gaga. I think she's great. I don't. I like her old stuff better than her new stuff. I know, controversial, but like the song Telephone with Beyoncé and Lady Gaga, that's my jam, right? I could do that all day long, but maybe that's the most controversial. But the one thing I just. I can't get behind is like country music bothers me. You don't like Chris Stapleton? I don't. I'll tell you, I do have
Mexicoma on my playlists. From who sings that it's what's the country guy sing. Name me country artist. Cause it's Mexicoma. Tim McGraw. I think it is. Oh yeah, that's it. You're right. It's Tim McGraw. I just looked it up real quick. OK. Yeah. So you're quicker on the scrolling I was. That's, Jim, maybe that surprises you that I have a Tim McGraw song on my list. Yeah, even one surprises me 'cause you're pretty firm in your hatred of country music.
And it's not for lack of trying, 'cause my wife is a big fan, and we play this game every once in a while where we'll just like, hey, what do you want to do? I don't know. We're just kind of sitting there begging for the TV. We'll fire up the Apple TV or whatever it may be, and just start playing music for each other and telling each other why we like the song that we're listening to. So it's like. Do you like Texas Hold 'Em by Beyoncé? Because that's kind of like lady
pop rap slash country. Is that the new one? Yeah. I have not listened to it yet, OK? Maybe that'll be another country song you like. I'll have to listen to it, yeah. And see. Yeah, I don't know. I haven't listened to it yet. So. And we won't play it here and get a copyright strike. So we've tried that before. We've run into issues. So yeah, yeah, I don't know. All right, Jim, so my lighter note question is very brief. Are you a pineapple on pizza
person? Let's start with our guest, let's say you, Hannah. Pineapple on pizza? Yes. All right, my turn. So I say I had pineapple on my pizza last night. I actually enjoyed it. But here's the deal. I woke up like a bunch of times with heartburn last night and it was kind of unusual for me. So I'm not sure if I can attribute that to the pineapple, but I'm kind of attributing that to the pineapple. So while it tasted good, I don't know if I can deal with the heartburn.
What about you, Jeff? I'm glad that we asked this catching last because we're just gonna have to close out this conversation with Hannah because pineapple does not belong on pizza. Sorry, I have a traditionalist 'cause everybody knows how traditional I am. But no, I I'm not a pineapple on pizza person. I respect your choice, Hannah. I do not agree with it. How about that? So at Identiverse, I should approach you with a giant slice of pineapple pizza.
And I would, I would be very polite to say, oh, thank you. And then I'd like fake eat it like so it's like, I can put it like, you know. Take a picture of people and then go right into the garbage or hand it out to the next person I find. Hey, Hannah, got you this pizza, Hannah. There you go, and then pass it along, yeah. So I would be very, you know, diplomatic about it. I just, I don't know, there's something about the combination sweet and like greasy.
Salty just doesn't do it for me. I just think that's the whole point of it. Yeah, I like that combo. Yeah, well, hey, to each their own. Not everyone can be perfect, right? All right, let's go ahead and wrap it up. We're up over an hour again. We always try to keep these like, closer to 45 minutes and, like, fail miserably. But when the conversation. An hour and 3 minutes is the perfect episode length.
And by the time I get this cut down a little bit, we'll probably be like 101, maybe 60 minutes, but I'll keep talking to inflate that number. But no, when the conversation's flowing, right, we just keep on going with it. So, Hannah, thank you so much for taking the time with us. Thank you for all you do for ID Pro as a regular old member. Let's keep the Slack channel going because definitely, I think we're all fans of that. I'll put a link in our show
notes to your profile. And I think we talked about that article, which originally appeared as an ID Pro kind of e-mail. So there's really not right now a public way to get to it. But hopefully by the time this goes, this episode goes live. I think we talked about maybe putting on like on your LinkedIn channel or something like that so people can go and check it out. So keep an eye out for that. Let's see, what else? We're on the
web, idacpodcast.com. We're on Twitter or X or whatever it's called when you listen to this at IDAC podcast, if it even still exists. By the time people listen to this, we'll be on Mastodon at IDAC podcast. You think so? Elon hasn't run into the ground yet. Yeah, he's got enough money to make it through sheer dollars and cents just to make it
moving. As long as I keep buying Teslas. Let's see, we're on Mastodon, at IDAC podcast at infosec.exchange. Connect with Jim and I on LinkedIn, like, subscribe, do all that cool stuff that helps us get great guests just like Hannah. And with that, we'll go ahead and leave it for this week. Thanks everyone for listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and
review and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
