identity management
Auto Added by WPeMatico
Auto Added by WPeMatico
As a parent of teenagers, I’m used to having tough, sometimes even awkward, conversations about topics that are complex but important. Most parents will likely agree with me when I say those types of conversations never get easier, but over time, you tend to develop a roadmap of how to approach the subject, how to make sure you’re being clear and how to answer hard questions.
And like many parents, I quickly learned that my children have just as much to teach me as I can teach them. I’ve learned that tough conversations build trust.
I’ve applied this lesson about trust-building conversations to an extremely important aspect of my role as the chief legal officer at Foursquare: Conducting “The Privacy Talk.”
The discussion should convey an understanding of how the legislative and regulatory environment are going to affect product offerings, including what’s being done to get ahead of that change.
It’s the conversation that goes beyond the written, publicly posted privacy policy and dives deep into a customer, vendor, supplier or partner’s approach to ethics. This conversation seeks to convey and align the expectations that two companies must have at the beginning of a new engagement.
RFIs may ask a lot of questions about privacy compliance, information security and data ethics. But it’s no match for asking your prospective partner to hop on a Zoom to walk you through their broader approach. Unless you hear it firsthand, it can be hard to discern whether a partner is thinking strategically about privacy, if they are truly committed to data ethics and how compliance is woven into their organization’s culture.
Powered by WPeMatico
ForgeRock filed its form S-1 with the Securities and Exchange Commission (SEC) this morning as the identity management provider takes the next step toward its IPO.
The company did not provide initial pricing for its shares, which will trade on the New York Stock Exchange under the symbol FORG. The IPO is being led by Morgan Stanley and J.P. Morgan Chase & Co., with the company being valued as high as $4 billion, according to Bloomberg, which is a significant uplift over the $730 million post-money value that PitchBook had for the company after its last round in 2020.
With the ever-increasing volume of cybersecurity attacks against organizations of all sizes, the need to secure and manage user identities is of growing importance. Based in San Francisco, ForgeRock has raised $233 million in funding across multiple rounds. The company’s last round was a $93.5 million Series E announced in April 2020, which was led by Riverwood Capital alongside Accenture Ventures. At that time, CEO Fran Rosch told TechCrunch that the round would be the last before an IPO, which was also what former CEO Mike Ellis told us after the startup’s $88 million Series D in September 2017.
While the timing of its IPO might have been unclear over the last few years, the company has been on a positive trajectory for growth. In its S-1, ForgeRock reported that as of June 30, its annual recurring revenue (ARR) was $155 million, representing 30% year-over-year growth.
While revenue is growing, losses are narrowing as the company reported a $20 million net loss down from $36 million a year ago. There certainly is a whole lot of room to grow, as the company estimates that the total global addressable market for identity services to be worth $71 billion.
Among the many competitors that ForgeRock faces is Okta, which went public in 2017 and has been growing in the years since. In March, Okta acquired cloud identity startup Auth0 for $6.5 billion in a deal that raised a few eyebrows. Another competitor is Ping Identity, which went public in 2019 and is also growing, reporting on August 4 that its ARR hit $279.6 million in its quarter ended June 30, for a 19% year-over-year gain. There have also been a few big exits in the space over the years, including Duo Security, which was acquired by Cisco for $2.35 billion in 2018.
“ForgeRock has a good access management tool and they continue to be a strong player in customer identity and access management (CIAM),” commented Michael Kelley, senior research director at Gartner.
Kelley noted that in 2020, ForgeRock converted most of its core access management services to a SaaS delivery model, which helped the company catch up with the rest of the market that already offered access management as SaaS. Also last year the company expanded into identity governance, introducing a brand new identity, governance and administration (IGA) product.
“I think one of the more interesting products that ForgeRock offers is ForgeRock Trees, which is a no-code/low-code orchestration tool for building complex authentication and authorization journeys for customers, which is particularly helpful in the CIAM market,” Kelly added.
ForgeRock was founded in 2010, but its roots go back even further to an open-source single sign-on project known as OpenSSO that was created by Sun Microsystems in 2005. When Oracle acquired Sun Microsystems in early 2010, a number of its open-source efforts were left to languish, which is what led a number of former Sun employees to start ForgeRock.
Over the last decade, ForgeRock has expanded significantly beyond just providing a single sign-on to providing an identity platform that can handle consumer, enterprise and IoT use-cases. The company’s platform today handles identity and access management as well as identity governance.
The ability to scale is a key selling point that ForgeRock makes in the S-1, noting that its platform can handle over 60,000 user-based access transactions per second per customer.
“As of June 30, 2021, we had four customers with 100 million or more licensed identities, the company stated in the S-1. “Our ability to serve mission-critical needs in complex environments for large customers enables us to grow our base of large customers and expand within each of them. “
Powered by WPeMatico
The COVID-19 pandemic has accelerated digital adoption in a way that no one could have ever anticipated, and as more people conduct more services online and via mobile devices, businesses have had to work even harder to validate users and security. One company working to serve that need, Socure — which uses AI and machine learning to verify identities — announced Tuesday that it has raised $100 million in a Series D funding round at a $1.3 billion valuation.
Given how much of our lives have shifted online, it’s no surprise that the U.S. digital identity market is projected to increase to over $30 billion by 2023 from just under $15 billion in 2019, according to One World Identity. This has led to skyrocketing demand for the services provided by identity verification companies.
The founding team set out on a mission to be able to verify 100% of “good IDs” in real-time while “completely eliminating” identity fraud across the internet.
Historically, Socure has been focused on the financial services industry, but it plans to use its new capital to further expand into “every consumer-facing vertical” including online gaming, healthcare, telco, e-commerce and on-demand services.
The startup’s predictive analytics platform applies artificial intelligence and machine-learning techniques with online/offline data intelligence (from email, phone, address, IP, device, velocity and the broader internet) to verify that people are, in fact, who they say they are when applying for various accounts.
Today, Socure has more than 350 customers including three top five banks, six top 10 card issuers, a “top” credit bureau and over 75 fintechs such as Varo Money, Public, Chime and Stash.
In 2020, Socure grew its customer base by over 85% year over year and expanded its workforce by over 50% to about 240 people today.
Accel led Socure’s latest financing, which included participation from existing backers Commerce Ventures, Scale Venture Partners, Flint Capital, Citi Ventures, Wells Fargo Strategic Capital, Synchrony, Sorenson, Two Sigma Ventures and others.
The round comes less than six months after the company raised $35 million in a round led by Sorenson Ventures, and brings the New York-based company’s total raised to $196 million since its 2012 inception.
Socure founder and CEO Johnny Ayers says his company’s identity management products can help B2C enterprises achieve know-your-customer (KYC) auto-approval rates of up to 97%. This means that financial institutions can more easily capture fraud, for example, via Socure’s single API. The company also claims that by more easily verifying thin-file (those without much credit history) and young consumers, it can help reduce the underbanked population.
The pandemic and resulting shutdowns resulted in a massive demand for trusted digital identity, Ayers believes.
“This growth tracks with a larger trend marked by the broad migration of businesses to accept applications and onboard new customers online, with many companies accelerating their transformation from digital-first to digital-only,” he told TechCrunch.
Overall fraud attempts among Socure’s existing customer base nearly doubled in the second quarter of 2020 — with certain segments seeing rises as high as 150%, according to Ayers.
“These instances did not involve actual fraud but instead were flagged by Socure as suspicious and blocked prior to inflicting damage,” he said.
Looking ahead, the company plans to use its new capital to also enhance its product offering as it continues to develop patents.
Accel partner Amit Jhawar will join Socure’s board as part of the funding round.
In a blog post, Jhawar described Socure as “a purpose-built solution designed to handle the wave of new online users because its machine learning models have learned from every identity it has already seen.”
As former COO at Braintree and general manager at Venmo, Jhawar knows a thing or two about the importance of identity verification, especially in the financial services space.
He wrote: “I knew immediately that the Socure solution would be a game-changer because the solution can be used in every step of the customer lifecycle, from account creation to login to transaction.”
Socure also has hinted that it has an IPO in its future.
In a written statement, Ayers said: “We are incredibly grateful for the chance to innovate and partner to solve this problem with some of the greatest companies in the world and are energized for the opportunities that lay ahead for Socure, especially as we make our march to a potential IPO.”
Via email, he told TechCrunch that the company will “potentially” look at public markets in 2022 or 2023, when it feels “the time is right for the business.”
The story was updated post-publication with live comments from Socure
Early Stage is the premier “how-to” event for startup entrepreneurs and investors. You’ll hear firsthand how some of the most successful founders and VCs build their businesses, raise money and manage their portfolios. We’ll cover every aspect of company building: Fundraising, recruiting, sales, product-market fit, PR, marketing and brand building. Each session also has audience participation built-in — there’s ample time included for audience questions and discussion. Use code “TCARTICLE at checkout to get 20% off tickets right here.
Powered by WPeMatico
As Okta announced earnings today after the bell, it revealed that it’s buying cloud identity startup Auth0 for a hefty $6.5 billion. The company had a valuation of $1.92 billion when it raised $120 million led by Salesforce Ventures last July.
With Auth0, Okta gets a cloud identity company that helps developers embed identity management into applications, adding an entirely new dimension to its identity platform. Okta co-founder and CEO Todd McKinnon says the acquisition gives his company broad coverage in the identity space and the acquisition has the power to lift identity to a first-class cloud category along with infrastructure, enterprise software like collaboration and CRM and others.
“There are a few other [primary cloud categories], but one of those has to be identity. And for identity to rise to that status, it has to cover all the use cases. It’s got to be both workforce and customer. So workforce [has been] our [primary] business traditionally, and customer is newer,” McKinnon told me.
The customer piece involves having your customers use Okta/Auth0 on the back end to sign onto your platform, rather using it as just your corporate credentials. Having coverage across both areas is what has McKinnon so excited.
Eugenio Pace, co-founder and CEO Auth0 sees his company together with Okta as powerful combination in the identity management space, and he’s not just hyping the deal when he says that. “Together, we can offer our customers workforce and customer identity solutions with exceptional speed, simplicity, security, reliability and scalability. By joining forces, we will accelerate our customers’ innovation and ability to meet the needs and demands of consumers, businesses and employees everywhere,” Pace said in a statement.
Pace and co-founder Matias Woloski came from Microsoft where they worked until launching their startup in 2013. As McKinnon points out this is a substantial company with 800 employees. It is expected to reach $200 million in revenue this year.
“So they have this mindset of building a service that is flexible and API-driven and great tools for developers and all the extensibility or customizability, that developers would need. And you can’t, you can’t do that later, you have to start from the beginning
McKinnon says while they share some common customers, there will be net new ones as well and the nature of the two companies coverage areas means that they can sell Auth0 into traditional Okta customers and vice versa. The combined entities could fill in a soup-to-nuts kind of identity offering.
As Pace told TechCrunch’s Zack Whittaker in 2019, it has always been focused on developers:
“We’re not profitable because we’ve chosen to reinvest and continue to sustain the high scale of growth,” he said. “But we are more efficient every day — in the way we acquire customers, the way we service customers, in the way we ship new design capabilities.”
The question is how much this will change under the Okta, but Auth0 users can breathe a sigh of relief in that McKinnon says that the company will operate as an independent unit inside of Okta as they look for paths to integration in the coming months. What’s more, McKinnon says he has a relationship with the two founders going back years and it sounds like there is an element of trust there.
Okta had a pretty good quarter too while it was at it, announcing $234.7 million in revenue up 40% year over year, but Wall Street appears to be unhappy with the deal with the stock price down 6.9% in after hours trading.
Auth0 was founded in 2013 and raised over $300 million along the way. In addition to Salesforce Ventures, other investors included Sapphire Ventures, Bessemer Venture Partners and Meritech Capital Partners.
Powered by WPeMatico
SailPoint, an identity management company that went public in 2017, announced it was going to be acquiring Intello, an early-stage SaaS management startup. The two companies did not share the purchase price.
SailPoint believes that by helping its customers locate all of the SaaS tools being used inside a company, it can help IT make the company safer. Part of the problem is that it’s so easy for employees to deploy SaaS tools without IT’s knowledge, and Intello gives them more visibility and control.
In fact, the term “shadow IT” developed over the last decade to describe this ability to deploy software outside of the purview of IT pros. With a tool like Intello, they can now find all of the SaaS tools and point the employees to sanctioned ones, while shutting down services the security pros might not want folks using.
Grady Summers, EVP of product at SailPoint, says that this problem has become even more pronounced during the pandemic as many companies have gone remote, making it even more challenging for IT to understand what SaaS tools employees might be using.
“This has led to a sharp rise in ungoverned SaaS sprawl and unprotected data that is being stored and shared within these apps. With little to no visibility into what shadow access exists within their organization, IT teams are further challenged to protect from the cyber risks that have increased over the past year,” Summers explained in a statement. He believes that with Intello in the fold, it will help root out that unsanctioned usage and make companies safer, while also helping them understand their SaaS spend better.
Intello has always seen itself as a way to increase security and compliance and has partnered in the past with other identity management tools like Okta and OneLogin. The company was founded in 2017 and raised $5.8 million according to Crunchbase data. That included a $2.5 million extended seed in May 2019.
Yesterday, another SaaS management tool, Torii, announced a $10 million Series A. Other players in the SaaS management space include BetterCloud and Blissfully, among others.
Powered by WPeMatico
A shared user account used by WeWork employees to access printer settings and print jobs had an incredibly simple password — so simple that a customer guessed it.
Jake Elsley, who works at a WeWork in London, said he found the user account after a WeWork employee at his location mistakenly left the account logged in.
WeWork customers like Elsley normally have an assigned seven-digit username and a four-digit passcode used for printing documents at WeWork locations. But the username for the account used by WeWork employees was just four-digits: “9999”. Elsley told TechCrunch that he guessed the password because it was the same as the username. (“9999” is ranked as one of the most common passwords in use today, making it highly insecure.)
The “9999” account is used by and shared among WeWork community managers, who oversee day-to-day operations at each location, to print documents for visitors who don’t have accounts to print on their own. The account cannot be used to access print jobs sent to other customer accounts.
Elsley said that the “9999” account could not see the contents of documents beyond file names, but that logging in to the WeWork printing web portal could allow him to release other people’s pending print jobs sent to the “9999” account to any other WeWork printer on the network.
The printing web portal can only be accessed on WeWork’s Wi-Fi networks, said Elsley, but that includes the free guest Wi-Fi network which doesn’t have a password, and WeWork’s main Wi-Fi network, which still uses a password that has been widely circulated on the internet.
Elsley reached out to TechCrunch to ask us to alert the company to the insecure password.
“WeWork is committed to protecting the privacy and security of our members and employees,” said WeWork spokesperson Colin Hart. “We immediately initiated an investigation into this potential issue and took steps to address any concerns. We are also nearing the end of a multi-month process of upgrading all of our printing capabilities to a best in class security and experience solution. We expect this process to be completed in the coming weeks.”
WeWork confirmed that it had since changed the password on the “9999” user account.
Powered by WPeMatico
Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.
Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.
Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.
A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:
Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.
Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.
Powered by WPeMatico
Google today announced a new autofill experience for Chrome on mobile that will use biometric authentication for credit card transactions, as well as an updated built-in password manager that will make signing in to a site a bit more straightforward.
Chrome already uses the W3C WebAuthn standard for biometric authentication on Windows and Mac. With this update, this feature is now also coming to Android .
If you’ve ever bought something through the browser on your Android phone, you know that Chrome always asks you to enter the CVC code from your credit card to ensure that it’s really you — even if you have the credit card number stored on your phone. That was always a bit of a hassle, especially when your credit card wasn’t close to you.
Now, you can use your phone’s biometric authentication to buy those new sneakers with just your fingerprint — no CVC needed. Or you can opt out, too, as you’re not required to enroll in this new system.
As for the password manager, the update here is the new touch-to-fill feature that shows you your saved accounts for a given site through a standard Android dialog. That’s something you’re probably used to from your desktop-based password manager already, but it’s definitely a major new built-in convenience feature for Chrome — and the more people opt to use password managers, the safer the web will be. This new feature is coming to Chrome on Android in the next few weeks, but Google says that “is only the start.”
Powered by WPeMatico
As organizations look for safe and efficient ways of running their services in the new global paradigm of increased social distancing, a startup that has built a platform to help people verify their work details in a secure way is announcing a round of growth funding.
Truework, which provides a way for banks, apartment-rental agencies, and others to check the employment details of an applicant in a quick and secure manner online, has raised $30 million, money that CEO and co-founder Ryan Sandler said in an interview that it would use both grow its existing business, as well to explore adding more details — both via its own service and via third-party partnerships — to the identity information that it shares.
The Series B is being led by Activant Capital — a VC that focuses on B2B2C startups — with participation also from Sequoia Capital and Khosla Ventures, as well as a number of high profile execs and entrepreneurs — Jeff Weiner (LinkedIn); Tom Gonser (Docusign); William Hockey (Plaid); and Daniel Yanisse (Checkr) among them.
The LinkedIn connection is an interesting one. Both Sandler and co-founder Victor Kabdebon were engineers at LinkedIn working on profile and improving the kind of data that LinkedIn sources on its users (the third co-founder, Ethan Winchell, previously worked elsewhere), and while Sandler tells me that the idea for Truework came to them after both left the company, he sees LinkedIn “as a potential partner here,” so watch this space.
The problem that Truework is aiming to solve is the very clunky, and often insecure, nature of how organizations typically verify an individual’s employment information. Details about salary and where you work, and the job you do, are typically essential for larger financial transactions, whether it’s securing a mortgage or another financing loan, or renting an apartment, or for others who might need to verify that information for other purposes, such as staffing agencies.
Typically that kind of information gathering is time-consuming both to reach out to get and to confirm (Sandler cites statistics that say on average an HR person spends over 1,000 hours annually answering questions like these). And some of the systems that have been put in place to do that work — specifically consumer reporting agencies — have been proven not be as watertight in their security as you would hope.
“Your data is flowing around lots of third party platforms,” Sandler said. “You’re releasing a lot of information about yourself and you don’t know where the data is going and if it’s even accurate.”
Truework’s solution is based around a platform, and now an API, that a company buys into. In turn, it gives its employees the ability to consent to using it. If the employee agrees, Truework sources a worker’s place of employment and salary details. Then when a third party wants to verify that information for the person in question, it uses Truework to do so, rather than contacting the company directly.
Then, when those queries come in, Truework contacts the individual with an email or text about the inquiry, so that he/she can okay (or reject) the request. Truework’s Sandler said that it uses ISO27001, SOC2 Type 1 & 2 protections, but he also confirmed that it does store your data.
Currently the idea is that if you leave your job, your next employer would need to also be a Truework customer in order to update the information it has on you: the startup makes money by charging both larger enterprises to make the platform accessible to employees as well as those organizations that are querying for the information/verifications (small business employers using the platform can use it for free).
Over time, the plan will be to configure a way to update your profiles regardless of where you work.
So far, the concept has seen a lot of traction: there are 20,000 small businesses using the platform, as well as 100 enterprises, with the number of verifiers (its term for those requesting information) now at 40,000. Customers include The College Board, The Real Real, Oscar Health, The Motley Fool, and Tuft & Needle.
While all of this was built at a time before COVID-19, the global health pandemic has highlighted the importance of having more efficient and secure systems for doing work, especially at a time when many people are not in the office.
“Our biggest competitor is the fax machine and the phone call,” Sandler said, “but as companies move to more remote working, no one is manning the phones or fax machines. But these operations still need to happen.” Indeed, he points out that at the end of 2019, Truework had 25,000 verifiers. Nearly doubling its end-user customers speaks to the huge boost in business it has seen in the last five months.
That is part of the reason the company has attracted the investment it has.
“Truework’s platform sits at the center of consumers’ most important transactions and life events – from purchasing a home, to securing a new job,” said Steve Sarracino, founder and partner at Activant Capital, in a statement. “Up until now, the identity verification process has been painful, expensive, and opaque for all parties involved, something we’ve seen first-hand in the mortgage space. Starting with income and employment, Truework is setting the standard for consent-based verifications and unlocking the next wave of the digital economy. We’re thrilled to be partnering with this exceptional team as they continue to scale the platform.” Sarracino is joining the board with this round.
While a big focus in the world of tech right now may be on building more and better ways of connecting goods and services to people in as contact-free a way as possible, the bigger play around identity management has been around for years, and will continue to be a huge part of how the internet develops in the future.
The fax and phone may be the primary tools these days for verifying employment information, but on a more general level, there are companies like Facebook, Google and Apple already playing a big role in how we “log in” and use all kinds of services online. They, along with others focused squarely on the identity and verification space (and Truework works with some of them), and using a myriad of approaches that include biometrics, ‘wallet’-style passports that link to information elsewhere, and more, will all continue to try to make the case for why they might be the most trusted provider of that layer of information, at a time when we may want to share less and especially share less with multiple parties.
That is the bigger opportunity that investors are betting on here.
“The increasing momentum Truework has seen since its founding in 2017 demonstrates the critical need for transformation in this space,” said Alfred Lin, partner at Sequoia, in a statement. “Privacy, especially around identity data, is becoming increasingly top of mind for consumers and how they make transactions online.”
Truework has now raised close to $45 million, and it’s not disclosing its valuation.
Powered by WPeMatico
A UK parliamentary committee that focuses on human rights issues has called for primary legislation to be put in place to ensure that legal protections wrap around the national coronavirus contact tracing app.
The app, called NHS COVID-19, is being fast tracked for public use — with a test ongoing this week in the Isle of Wight. It’s set to use Bluetooth Low Energy signals to log social interactions between users to try to automate some contacts tracing based on an algorithmic assessment of users’ infection risk.
The NHSX has said the app could be ready for launch within a matter of weeks but the committee says key choices related to the system architecture create huge risks for people’s rights that demand the safeguard of primary legislation.
“Assurances from Ministers about privacy are not enough. The Government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law,” said committee chair, Harriet Harman MP, in a statement.
“The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.
“Parliament was able quickly to agree to give the Government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”
The NHSX, a digital arm of the country’s National Health Service, is in the process of testing the app — which it’s said could be launched nationally within a few weeks.
The government has opted for a system design that will centralize large amounts of social graph data when users experiencing COVID-19 symptoms (or who have had a formal diagnosis) choose to upload their proximity logs.
Earlier this week we reported on one of the committee hearings — when it took testimony from NHSX CEO Matthew Gould and the UK’s information commissioner, Elizabeth Denham, among other witnesses.
Warning now over a lack of parliamentary scrutiny — around what it describes as an unprecedented expansion of state surveillance — the committee report calls for primary legislation to ensure “necessary legal clarity and certainty as to how data gathered could be used, stored and disposed of”.
The committee also wants to see an independent body set up to carry out oversight monitoring and guard against ‘mission creep’ — a concern that’s also been raised by a number of UK privacy and security experts in an open letter late last month.
“A Digital Contact Tracing Human Rights Commissioner should be responsible for oversight and they should be able to deal with complaints from the Public and report to Parliament,” the committee suggests.
Prior to publishing its report, the committee wrote to health minister Matt Hancock, raising a full spectrum of concerns — receiving a letter in response.
In this letter, dated May 4, Hancock told it: “We do not consider that legislation is necessary in order to build and deliver the contact tracing app. It is consistent with the powers of, and duties imposed on, the Secretary of State at a time of national crisis in the interests of protecting public health.”
The committee’s view is Hancock’s ‘letter of assurance’ is not enough given the huge risks attached to the state tracking citizens’ social graph data.
“The current data protection framework is contained in a number of different documents and it is nearly impossible for the public to understand what it means for their data which may be collected by the digital contact tracing system. Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation,” it writes in the report, calling for a bill that it says myst include include a number of “provisions and protections”.
Among the protections the committee is calling for are limits on who has access to data and for what purpose.
“Data held centrally may not be accessed or processed without specific statutory authorisation, for the purpose of combatting Covid-19 and provided adequate security protections are in place for any systems on which this data may be processed,” it urges.
It also wants legal protections against data reconstruction — by different pieces of data being combined “to reconstruct information about an individual”.
The report takes a very strong line — warning that no app should be released without “strong protections and guarantees” on “efficacy and proportionality”.
“Without clear efficacy and benefits of the app, the level of data being collected will be not be justifiable and it will therefore fall foul of data protection law and human rights protections,” says the committee.
The report also calls for regular reviews of the app — looking at efficacy; data safety; and “how privacy is being protected in the use of any such data”.
It also makes a blanket call for transparency, with the committee writing that the government and health authorities “must at all times be transparent about how the app, and data collected through it, is being used”.
A lack of transparency around the project was another of the concerns raised by the 177 academics who signed the open letter last month.
The government has committed to publishing data protection impact assessments for the app. But the ICO’s Denham still hadn’t had sight of this document as of this Monday.
Another call by the committee is for a time-limit to be attached to any data gathered by or generated via the app. “Any digital contact tracing (and data associated with it) must be permanently deleted when no longer required and in any event may not be kept beyond the duration of the public health emergency,” it writes.
We’ve reached out to the Department of Health and NHSX for comment on the human rights committee’s report.
Let’s go through Matt Hancock’s letter to @HarrietHarman @HumanRightsCtte on the NHSX app and take a closer look at some of these statements 1/ https://t.co/sQe2U8wkiy
— Michael Veale (@mikarv) May 7, 2020
There’s another element to this fast moving story: Yesterday the Financial Times reported that the NHSX has inked a new contract with an IT supplier which suggests it might be looking to change the app architecture — moving away from a centralized database to a decentralized system for contacts tracing. Although NHSX has not confirmed any such switch at this point.
Some other countries have reversed course in their choice of app architecture after running into technical challenges related to Bluetooth. The need to ensure public trust in the system was also cited by Germany for switching to a decentralized model.
The human rights committee report highlights a specific app efficacy issue of relevance to the UK, which it points out is also linked to these system architecture choices, noting that: “The Republic of Ireland has elected to use a decentralised app and if a centralised app is in use in Northern Ireland, there are risks that the two systems will not be interoperable which would be most unfortunate.”
Professor Lilian Edwards, a legal expert from Newcastle University, who has co-authored a draft bill proposing a set of safeguards for coronavirus apps (much of which was subsequently taken up by Australia for a legal instrument that wraps public health contact info during the coronavirus crisis) — and who also now sits as an independent advisor on an ethics committee that’s been set up for the NHSX app — welcomed the committee report.
Speaking in a personal capacity she told TechCrunch: “My team and I welcome this.”
But she flagged a couple of omissions in the report. “They have left out two of the recommendations from my bill — one of which, I totally expected; that there be no compulsion to carry a phone. Because they will just be assumed within our legal system but I don’t think it would have hurt to have said it. But ok.
“The second point — which is important — is the point about there not being compulsion to install the app or to display it. And there not being, therefore, discrimination against you if you don’t. Like not being allowed to go to your workplace is an obvious example. Or not being allowed to go to a football game when they reopen. And that’s the key point where the struggle is.”
The conflict, says Edwards, is on the one hand you could argue what’s the point of doing digital contact tracing at all if you can’t make sure people are able to receive notifications that they might be a contact. But — on the other — if you allow compulsion that then “leaves it open to be very discriminatory” — meaning people could abuse the requirement to target and exclude others from a workplace, for example.
“There are people who’ve got perfectly valid reasons to not want to have this on their phone,” Edwards added. “Particularly if it’s centralized rather than decentralized.”
She also noted that the first version of her draft coronavirus safeguards bill had allowed compulsion re: having the app on the phone but required it to be balanced by a proportionality analysis — meaning any such compulsion must be “proportionate to a legitimate aim”.
But after Australia opted for zero compulsion in its legal instrument she said she and her team decided to revise their bill to also strike out the provision entirely.
Edwards suggested the human rights committee may not have included this particular provision in their recommendations because parliamentary committees are only able to comment on evidence they receive during an inquiry. “So I don’t think it would have been in their remit to recommend on that,” she noted, adding: “It isn’t actually an indication that they’re not interested in these concepts; it’s just procedure I think.”
She also highlighted the issues of so-called ‘immunity passports’ — something the government has reportedly been in discussions with startups about building as part of its digital coronavirus response, but which the committee report also does not touch on.
However, without full clarity on the government’s evolving plans for its digital coronavirus response, and with, inevitably, a high degree of change and flux amid a public health emergency situation, it’s clearly difficult for committees to interrogate so many fast moving pieces.
“The select committees have actually done really, really well,” added Edwards. “But it just shows how the ground has shifted so much in a week.”
This report was updated with additional comment
Powered by WPeMatico