Consent and ID after Cambridge

James Riley
Editorial Director

The Cambridge Analytica scandal, where the Facebook histories and personal records of more than 87 million people were extracted and used potentially for political influence, underscores a critical concept when it comes to digital identity: What rights do users have when it comes to giving consent?

According to Helaine Leggat, Principle Lawyer at Sladen Legal, Australian law does not distinguish digital identity from other forms or formats of personally identifiable information (PII).

“Global privacy and data protection laws includes information that identifies an individual, or has the potential to identify an individual,” she said.

Helaine Leggat: Identity issues are key to better data management and consent issues

“In relation to Facebook and Cambridge Analytica, both PII that indirectly identified individuals and inferential PII, was scraped and processed without consent,” she added.

“The reason I say ‘without consent’ is because for consent to be valid, four key elements should be satisfied.”

Those elements include the fact that an individual must be adequately informed before giving consent. Second, consent must be provided voluntarily. Consent must be current and specific; and finally, an individual must have the capacity to understand and communicate their consent.

“None of these things happened in the case of Cambridge Analytica,” she concluded.

So will anything change following the scandal? According to Aleksandr Kogan, the Cambridge University researcher whose Facebook app extracted the data of those millions of users, the net could actually fall much wider than the initial 87 million affected.

Mr Kogan told a British Parliamentary hearing that many other apps had also used similar techniques, and that the Facebook profiles of many millions more people could be in jeopardy.

The scandals involving Facebook and Cambridge Analytica are sobering. But these are not insurmountable issues, according to Ping Identity’s Asia Pacific Chief Technology Officer Mark Perry.

The emergence of regulatory frameworks overseas were starting to pull data practices more in line with community expectations, and data management and identity technology had matured significantly, Mr Perry says.

“Overseas regulations like GDPR and PSD2 will force multi-nationals to remediate their online services to meet mandates for fine-grained user consent and the right of the consumer to be forgotten,” he said.

“While there may be some time before the Australian Government introduces similar regulations, the recent Open Banking Review made specific recommendations regarding simplified user consent that enables the consumer to be in control of their data and how it’s shared.

“Ping Identity has updated its IAM (Identity and Access Management) software platform to allow our customers to meet these requirements, and continues to work in the standards bodies to enhance the identity security protocols that underpin modern applications and services,” Mr Perry said.

ANZ Bank privacy expert Gabriel Steele said his personal opinion – he emphasised he was not speaking on behalf of the ANZ –the solution to preventing scandals like Cambridge Analytica was to ensure that consumers are put back in control of their data.

“What needs to happen is that we have to ensure that consumers have a simple way of consenting to share their data,” he said.

These simple methods of consent could include the ability to time-box consent, and ensuring that the same consents are readily available and not necessarily layered.

Mr Steele also said that consent needs to be managed by the consumer, and that such consents would include the right to be forgotten.

“Thankfully, the challenge is less of a technical one,” he noted. “Standards exist today that [puts] the customer back in control.

“Combined with OAuth/OIDC – we’ve pretty much got everything we need. Add FIDO, and the power of biometrics and devices, and all the ingredients are pretty much there,” he said.

One of the challenges associated with implementing a consent regime is the fact that, as digital societies, we are not starting with a clean slate. Consumers have already given their data to many platforms, both corporate and government.

The legacy of that fact needs to be made transparent and fine-grained, without creating a burden for consumers, or for the digital platforms they have invested so much of their time and personal information in.

“Ensuring that we’ve got the digital identity landscape under control is another key challenge to this,” said Mr Steele. “Without it, how are we really sure who it is that is consenting?”

Ping Identity will host its Identify 2018 events in Sydney on May 8 and Melbourne on May 10. Identify 2018 is an event by the Ping Community for the Ping Community. You can reserve your seat here. Ping Identity is a valued partner.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories