In Conversation With: Allan Foster

Each month, PlaceSpeak presents a Q&A with experts in public engagement and civic technology.

This month, we spoke with Allan Foster, VP Global Partner Success at ForgeRock. As one of the founders of ForgeRock, he has helped build ForgeRock into a multinational Identity Management software vendor with offices on four continents. Having served in multiple positions during its startup, Allan is now responsible for leading the worldwide ForgeRock community. This includes the contributing developer community, as well as the representation of ForgeRock on multiple standards committees. In the twenty years prior to ForgeRock, Allan founded and ran a successful small consulting business focusing on the Identity Management space, with clients all over the world.

Q: In 2010, you founded ForgeRock, a company that manages digital identities of people, devices, and the internet of things (IoT). How did you first become involved in the fields of digital ID and authentication?

A: I’ve been involved with computing and technology since the beginning of the dot-com revolution at Netscape. I got heavily involved with e-commerce and the challenges around users, keeping track of them, and general commerce. I’ve probably been involved in identity for well over 20 years, not only in terms of how you manage identity, but also how you start managing identity in a consistent way across multiple “things”.

When AOL joined the net and became a big player in bringing identities, your AOL username was what you were known by. Around 1993, you started seeing the Microsoft network and Netscape. That was the beginning of the problem around digital properties. At that time, identities were tied very closely to the individual properties. So when I was at Netscape, the challenge was how several different components in your business would begin to share identities. That was when directory services and active directory started coming up as one of the ways to deal with things. It’s snowballed since then, and it’s been a problem we’ve dealt with in digital and network spaces for the last 25 years.

Q: In the last seven years, how have the narrative and norms around digital ID shifted?

A: Our digital lives have become much more intertwined with our “real lives”. Back in the ‘90s, there was a very real difference between your AOL username or your email address and your “real life”. Everyone still had a home phone number and an address, and that was what was really important – the email address was just something that was cool.

In the last 20 years, our digital lives have become core to who we are. Smartphones, mobile technologies, and the internet have driven that. We now have internet properties that make up 20% of the planet, such as Facebook, Google, Amazon which have over a billion users. Your digital ID – whether that’s your email address, your Skype ID, your WeChat – is now who you are. It’s the way to reach you, get your bank information, buy things online, communicate with others – even in politics. On CNN, you see the tagline of who’s speaking with their Twitter handle. Our digital life has become as important, if not more important than, our real lives. They’ve definitely intertwined to such a level that it is impossible for us to differentiate.

Q: There is still some hesitation amongst public sector organizations to fully embrace digital ID. What are some major misconceptions or concerns around digital ID?

A: Some of the big concerns aren’t necessarily around digital ID, but around ID in general. The challenges we have with digital ID are that a) it’s very easy to copy, move around, or manipulate, and b) it’s very easy to process.

For example, the website lets people look up their family history. In the early ‘60s, my father tried to get information about his father, who was from the UK. He went to the UK to get information and had to go to the county clerk’s office and sit in the office, and page through thousands of physical files. He tried for about two years and basically couldn’t find any information that was worth following. In about 2012, I started doing the same thing, but the difference is that I had access to the internet. Within the span of about 3 days, from home, over the course of a weekend, I was able to find the identity of my grandfather, where he lived, and get information about the rest of his family. Within a week I was able to contact one of my relatives from that family. It literally took me about days to locate what my father had got absolutely nowhere doing the same thing for about 2 years.

That serves to illustrate the fear we have: information and identities are so easy to process digitally that we, as consumers, lose control. We recognize that it’s very difficult to move boxes of paper information from one office to another, but it’s so easy to push a button on a computer and have that info magically appear somewhere else. As citizens and as consumers, we fear losing control of what we are doing. We feel that we are at a disadvantage – that we are being spied on and being watched. That’s one of the fears that comes up with identity and digital ID. We see that a lot in the US, Canada, and Australia, where there’s a very strong reaction to the things that can happen when governments or industry use that information for their profit, to our detriment.

Q: Despite these concerns, how can the public and private sectors work together to leverage digital ID productively for service delivery, citizen engagement, and more?

A: It comes down to trust. When we start talking about identity and who we are, it’s done in a relationship of trust. We need to feel that we, as consumers and citizens, are equitable members of that trust relationship – we have to be able to trust that the person or entity is going to treat information as confidential, and that they are going to use it appropriately.

There are a lot of cases where this is not the case, and we have seen that happen. Many companies have exhibited behaviour that is simply not acceptable moving forward, and we have to try to stop that. We have efforts in governments such as the General Data Protection Regulation (GDPR), in Canada we have the Personal Information Protection and Electronic Documents Act (PIPEDA), and similar efforts in Australia, New Zealand, and various countries around the world that are basically saying that there are some uses of data which are not acceptable.

For example, when you discuss a medical condition with the doctor, you expect your doctor to keep that information confidential. You may expect them to be able to talk about it with other doctors in their practice if it is about your specific case. However, for them to talk about it after work while drinking martinis – that would be inappropriate. It’s very clear when you describe it that way – what is appropriate and inappropriate behaviour. We need to get the same standards for how things work on the internet – advertisers, data miners, people who want to be able to target certain demographics. If I have half a million dollars in the bank, I don’t expect them to share that information with people who want to advertise to me or get me to spend that money. There is an expectation of confidentiality.

So we have interesting things within the digital space like Facebook or Google that mostly do provide legitimate services. But what I always say is, “If you’re not paying for the product, you are the product.” And that puts things in a slightly different perspective. You have to be aware that these big companies are worth a lot of money, and the way they got there is your information and the relationships that can be gotten out of your information. We need to have guidelines about how we treat users’ information and what is acceptable or unacceptable.

Q: That’s something that people don’t really think about on a day-to-day basis. People aren’t necessarily thinking about where their information is going or what is being done with the data that they’re putting into the system.

A: Absolutely – the data that you create, or simply the data that is being created because of what you do. In the United States, they are starting to offer discounts on your car insurance if you plug a nanny-cam into your car so that the insurance company can see your driving habits. Well, you’re providing a lot of information about what you do every day to that insurance company. What they are doing with that information needs to be explicitly stated.

There was a very interesting case with Target a few years back. Many big box stores have some kind of reward or loyalty card which gives you discounts. A father of a teenage girl started getting advertisements for pregnancy and childbirth-related products based on the data they were collecting. It seemed that his daughter was buying the same products that pregnant women were buying. Later, he discovered that she was indeed pregnant. It is amazing the things that data can show, but you don’t get to know that.

For example, if somebody can track how long it takes you to go to work every day, they might see that your commute time has increased by 5 minutes per day. You might not even notice it, but someone looking at that information and correlating with time might be able to make inferences about your life that you might not even be aware of. What are people able to determine about you? It becomes quite a scary model.

Q: What are your predictions for future applications of digital ID?

A: People are becoming more and more aware of the implications that we have been talking about. We have organizations like the DIACC and the Kantara Initiative that are beginning to focus on and talk about the ramifications of what we are doing with identity. Ultimately, identity is going to become the currency in which we trade, as part of our daily lives. It already is – everyone carries their driver’s licence around, you can’t go into a bar or get a drink without it. The concept of having ID is very normal and acceptable for most people, and digital ID is going to become the same way.

It’s encouraging to see the number of public and private sector entities that are working towards being able to have not only local digital IDs, but also digital IDs that can be used globally. We are seeing cooperation between the United States, UK, Canada, Australia, New Zealand, and the European Union where IDs can be used in a wider context, but also with considerable thought put into privacy and unintended data leakages. We won’t be able to avoid all of it, but we need to be aware to avoid as much of it as we can. It’s not going away – digital ID is here to stay. If anything, it’s going to be more prevalent.

Q: Do you have anything else to add?

A: If we look at the way that politics is done across the world, people who feel strongly about a topic tend to mobilize. It’s thought that if you can organize several hundreds of people to provide feedback about a particular bill, you can take a pulse of the people. However, over the last few years, we have seen the rise of “fake news” and the rise of people being able to say something while making use of others’ digital IDs. For example, the FCC in the United States had a request for comment on net neutrality. Thousands of people who never participated found their email addresses attributed to various comments. Someone was basically trying to stuff the ballot box. In this world of digital information and digital capabilities where you can talk to anyone in the world, we have to think about how to differentiate real news from fake news.

One aspect that is especially important when we talk about either providing feedback to our elected representatives is for them to be able to trust the feedback that they are getting. Both of those things are fundamentally tied to digital ID. It is exactly the space that PlaceSpeak is in, and that’s why I’m so interested in it. Digital ID allows the relationship between the constituent and the representative to become a two-way trust relationship. The constituent can trust who their representative is, which we’ve always been able to do, because we elect them and it’s a very public process. But the representative has never really been able to trust what they are hearing from the constituents, and that is where digital ID overlaps into our political system and the public sector. You want people who are interested and affected by legislation to be heard. You want people to be heard in proportion to how they are affected. Just because this one old man on the corner doesn’t like parades doesn’t mean the whole town is against them. I feel very strongly that a trust relationship is required so the citizen is trusting the environment in which they are willing to participate, and that the representative is able to trust the information that is coming from the constituents.

Trust needs to be built as we move through our process of public discourse. The internet and the level of digital interaction we have right now is very heavily related to the relative chaos that we’ve had in politics worldwide over the last few years, whether that’s Brexit in the UK, or France, or Germany, or the US. These are symptoms of digital societies trying to learn how to build these trust relationships and make things work.