The Future Of Security, Privacy And Control With Wayne Chang

Wayne Chang: “Your ability to just collect your data in a place and then interoperate with a bunch of services and they can fully integrate with whatever level of information sharing you're comfortable with or not, right? And that consent management is under you and not a delegated entity unless you pick that to be the case. I think that model is more conducive for an ecosystem where you have a lot more entities who want to verify that information and consume it and also a lot of different sources to issue the information.”

[INTRODUCTION]
 

[0:00:29] Guy Podjarny: You are listening to The Secure Developer, where we speak to industry leaders and experts about the past, present, and future of DevSecOps and AI security. We aim to help you bring developers and security together to build secure applications while moving fast and having fun.

This podcast is brought to you by Snyk. Snyk's developer security platform helps to build secure applications without slowing down. Snyk makes it easy to find and fix vulnerabilities in code, open source dependencies, containers, and infrastructure as code, all while providing actionable security insights in administration capabilities. To learn more, visit snyk.io/tsd.

[EPISODE]

[0:01:10] Danny Allan: Hello, and welcome to another episode of The Secure Developer. I'm Danny Allan, the CTO at Snyk, and I'm very excited to be with you here today with Wayne Chang, who's the founder and CEO of SpruceID. Wayne, welcome to the show. How are you?

[0:01:26] Wayne Chang: Thanks. Doing great. A little chilly, but it's awesome to be here. Thanks.

[0:01:31] Danny Allan: Yes, it's a little chilly indeed. We were just chatting before we kicked off here and I'm in Boston. I think Wayne is in New York and it is freezing cold outside. It's the middle of the winter.

So, Wayne, it's excellent to have you here. I know that you're the CEO of SpruceID, but maybe you can just give a bit of background about yourself and how you entered into this role for our audience today?

[0:01:54] Wayne Chang: Yes, so the first startup I built was in health tech. And our mission was to help people find follow-up care after they went to the emergency room. If you've ever been to the ER in the US, you kind of see how rushed everything is, right? They try to get you to like, “Okay, you're stable. You got to get out of here because we got a whole room of patients trying to use those beds.” You don’t really get a follow-up plan. You might be surprised at how many people break their bone, but they won’t get an x-ray, because they’re like, “I just saw a doctor.”

So, we’re trying to build a system that help people find the next place they were supposed to go, because it’s hard to navigate. But what we found, it was like a nightmare to integrate with health records. Trying to trying to get access to that – this is the reason why every time you go to the same doctor or like in [inaudible 0:02:38] they make you feel the same dumb form again, right? So, that was incredibly frustrating at my first company, and I have always been on the side of data sovereignty, the idea that you should control your stuff in the digital world just like you can have control of your stuff in the physical world. I think it's kind of like some people pull a fast one on us that we don't have that full ability. I'm just trying to get us back there and that's where I really kind of aligned with everything I was interested in, why I ended up working in this field of user-controlled digital identity.

[0:03:07] Danny Allan: In the medical space, with the electronic health records that occurred, what did you learn from that business? If there's one thing that you took away as you were building that and move forward into digital identity, which I know that we're going to get into, what was the one thing that you took away from building that company?

[0:03:22] Wayne Chang: Yes. I think that the combination of what already exists and the policy matters a ton, right? This is something that especially folks with a very technical background, including yours truly, I feel like they don't think about often enough until it's kind of like, you're running against some wall and like, “Why am I stuck here?” And it's like, “Oh, there's like actually like a policy, and that's why we send things over fax machines or whatever.” And then, understanding that these systems are going to be in flight, especially in these deep enterprise spaces for like decades. That Java or Fortran or Vax assembler is going to keep on trucking, and I think that learning to stop fearing it and starting to understand how to be more incrementalist about those parts, incredibly important to not just just get stuck.

[0:04:12] Danny Allan: It's funny that you say that. My first job, I was working with student records at a university. It was cobalt code on a CP6 Honeywell mainframe. This is in the nineties. I'm dating myself now. I always used to say that system is still running, although I just found out recently that they deprecated the mainframe. It's now in a museum, so eventually, I guess it gets put away. But it takes a while.

[0:04:33] Wayne Chang: Yes, you think it's a museum, but they're all these engineers, and they're keeping it on ice, just in case.

[0:04:40] Danny Allan: Yes, that's definitely the case. But what's interesting there is it became digital. Growing up, I grew up in Canada, and health records at that time were very much paper-based. I'm assuming one of the things that you were helping with was take the records and move them into a digital format so that it can be more easily shared. Is that a true statement?

[0:04:57] Wayne Chang: Yes, totally. I think that a ton of stuff needs to become digital, and I think our attempts to do that have evolved over the years as new technologies became available and new threats kind of presented themselves. So, for example, with all this AI stuff where you can just generate a real-looking document, so we see players like Adobe and other folks try to build these content authenticity credentials that you can basically stamp to your content so you can tell who made that thing, right?

I think the representation of things that are paper and plastic today are going to have to keep evolving to match up with the new threats and the new technologies that are evolving that are available.

[0:05:36] Danny Allan: One of the aspects of this, if I'm understanding correctly, is very much around the identity of people, which historically has been username and password, in fact, for the people that are watching this. I have this book from, I don't know, I'm going to say late nineties. Identity used to be about username and passwords in the digital world, but that has changed for most applications today. Is that a true statement?

[0:06:01] Wayne Chang: Depends on how you define most. Because if we're looking at the whole universe of things that, IoT device from like 30 years ago, probably still has like a password on it or some, like all of you probably use like some enterprise software, maybe username and passwords, they didn't quite integrate the SSO that they needed to yet, a bunch of realm called shadow IT, right?

So, I think it depends on where you're looking. But yes, there are new forms of identity that are rapidly evolving and gaining adoption, such as passkeys, based on cryptography, the digital credential stuff we work with. I think it is evolving.

[0:06:35] Danny Allan: So, for the developers who are listening to the podcast, maybe my first question is, if something comes to you and says, “What kind of identity should I use?” Because I know there are many. There's federated, there's centralised, there's decentralised. What is your recommendation for a developer in terms of implementing an identity capability within this software?

[0:06:56] Wayne Chang: Well, Danny, this is one of those questions where I'm going to feel like the Riddler. It depends. It's definitely the case. I'll just give a few examples. So, if we're like an enterprise, right, and we definitely want to make sure that it's our employees accessing the systems, we have to look at what's out there, what can we install and roll out across everyone. If we're a very progressive enterprise with a great training program, we might get everyone to use a device-bound passkey to access those systems. There's a key that is stuck on a device, physical device doesn't leave the device during any part of the transaction and you basically log in with that. So, unless someone actually steals the device or place where the key is, then they can't spoof themselves with you.

But if you're asking like a banker who's trying to onboard someone and they don't want to get fooled about who this person is, because they're opening a bank account, it might affect their credit score, all this stuff, there's a different type of identity check you have to do. Not just if you have the device or not, right? So, there's a really great NIST publication that the whole industry leads on called NIST 863 for the real nerds out there that want to go evaluate this. And they really do a nice job articulating different kinds of things that you can check for to get assurance.

There are authenticator assurances. So, how many devices with keys or knowledge things like passwords or even biometrics do we have to match up someone with their session? Really thought about when you're resuming a session. You go off and you do something, your session expires. You're like, how do we make sure that's the same entity? Then, there's basically identity assurance levels. And that's like, is this actually a legal person, and there's an analogy to organisations trying to access the service? This typically involves things like state identification like a passport or a driver's licence, or someone doing checks on a utility bill right to really uniquely resolve to a person and associate that with an account. They're orthogonal concepts, but they are frequently used together.

[0:09:09] Danny Allan: If you're trying to balance between the security of the identification and the user-friendliness of the authentication, what is the ratio there? I know if you're 100% secure, it's probably not going to be very user-friendly. If you're 100% user-friendly, it's not going to be secure. Is it 50/50? Is it 51/49? How do you balance those two things when you're building the software?

[0:09:32] Wayne Chang: Yes. I think the cool third dimension of that because I totally agree with this security convenience trade-off, right? There's a concept from economics called the production possibility frontier, and that's basically what we're talking about. Are we going to produce all guns or all butter, right? There's like some combination in between. Are we going to produce convenience or security? And typically, a society needs like both, right?

So, if you are able to pour more resources on the problem, I think you can push that frontier further out and get more of both; just gets more expensive, and that's kind of the hidden vector. One way you can zoom into it is by picking a niche problem to solve. For example, if we're trying to have people who, let's say, work in a chicken processing facility right, and they have all these gloves on that are not sanitary so they can't type in any passwords. If we were to think about a secure and convenient form factor for them, having a device that they tap is good, or if they're okay with it, even doing a one-to-one face match as they walk through a door, just to make sure that's the right person and it helps them clock in and everything, that might be secure and convenient, it just might not be cheap or easy to install or easy to convince people to be comfortable with.

So, there are a bunch of these different trade-offs that we can pick along the curve. I think that I really subscribe to the security principle that there's no such thing as a just, pristinely secure system; everything can be hacked. It's all about making it not worth it to hack, right? So, the spoils that a hacker gets should be basically, they should be looking at that and saying, “You know what, it's not worth it to go through all that to do, to get that.”

[0:11:11] Danny Allan: Generally speaking, are you a proponent of federated identity systems. I'm thinking out of the OAuth and authenticate with Google or Facebook or Apple or whatever. Generally speaking, this is not the government, not passports, and not DMV driver's licences. Would you recommend for developers that, that is the path they go down or try to do something on their own?

[0:11:32] Wayne Chang: I think I'm a big supporter of a lot of the benefits that federation brings because It is true that when you have multiple teams trying to secure down an identity product for SSO, you can do a way better job. You just have the economies of scale to invest in solving that problem very thoroughly and carving out that problem. And then when people use that, I think it can be a much more secure system than trying to take some open source, deploy it. I love open source, by the way, but also, there's the whole DevOps part that must be secure and run processes, and how many are you going to have a security operations centre and all these other aspects that you need for a high-security and reliability program.

So, I think, generally, it is a good path. What is worrying about me to some of these approaches is the governance of it, right? Because it's like, what if you lost your Gmail account, right? It could be a system flip, or maybe someone doesn't like you and they happen to have access to the admin panel, right? How much of your life disappears online if that is the case? Or Apple or any of these kinds of very large IDPs, right? What are the assurances against that? That's why I've always been very interested in architectures that are more user-centric and that basically, you're able to have more control over stuff, and someone can't just turn off all your accounts.

[0:12:46] Danny Allan: Well, I know self-service identity is another option here that balances against some of those risks, but let's touch on the risks actually first. In a centralised system, what kinds of things do you need to be concerned about or does maybe the federated identity provider need to be concerned about?

[0:13:03] Wayne Chang: If you're using a federated service, they're doing the identity verification for you. I think a big thing to think about is alignment in terms of what your interests are and what the interests of the entity are. I think that, for example, if you have the interests where you want maximum interoperability, you want people to be able to log in and bring any data from any source, and you're integrating with an SSO provider that has a storage product, or any other of these products that they would prefer, they probably would not integrate a competitor's product, right? That is one of those considerations. Do you also want to force your whole user base to go through theirs? Or do you want to support multiple, and you're taking on more complexity?

I think that there are a bunch of trade-offs to do this too, but for a lot of startups that are just starting out, it's not the worst to just go, "Okay, how do I give access to the most users at once?" But as you grow, I think it's important to think about how you don't get locked in.

[0:14:00] Danny Allan: There is this option today that enables a self-service identity wallet as well, where there's an issuer, a verifier that is third party but is not one of these big providers. Do you think that those are going to continue to grow and displace the providers? Or where do you see this ending up five years from now, centralised or decentralised?

[0:14:22] Wayne Chang: Yes, I think increasingly decentralised is my proposition. This idea of self-sovereign identity where you're able to service yourself these credentials and go about collecting things into your data vault and you want, right? I think that one of the – there are a lot of challenges with this model, first of all, right? Because it's actually really easy: when you click a button, you sign in, and all your data are managed for you. That's definitely a convenience. You don't have to pay for storage in a lot of the cases or think about, “Oh, what happens if I lose this account? What's my recovery plan?” You kind of have to think about that because you might get locked out, but there are some mechanisms that are built out for that.

One of the most important problems, the other model, instead of letting someone manage everything for you that you're starting to be able to collect your data from different sources and have it is interoperability. Because I think that it is going to be very difficult for just one vendor to understand all the different use cases where you might want something in your digital wallet. And then making that experience perfect for you for every one of those circumstances. That's the reason why we have app stores, where basically you can download specific experiences.

I think that like your ability to just collect your data in a place and then interoperate with a bunch of services, and that they can fully integrate with whatever level of information sharing you're comfortable with or not right, and then that consent management is under you, and not a delegated entity unless you pick that to be the case. I think that model is more conducive for an ecosystem where you have a lot more entities who want to verify that information and consume it, and also a lot of different sources to issue the information.

[0:16:01] Danny Allan: I think you and I are very alike in that, and I don't know if I should be asking this on a public podcast or not, but I'm going to ask it anyway. Do you do your own self-hosted wallet, or are you using a centralised wallet or do you have multiple wallets in your world?

[0:16:14] Wayne Chang: Personally, or like the company, or what do you mean, Danny?

[0:16:15] Danny Allan: Well, personally, you yourself. So, I'll admit on a public podcast, and maybe I shouldn't. I have my own personally hosted wallet. But I'm just curious what your model is. I mean, you live and breathe this every day, and for me, I'm less so. I'm focused obviously on software development, but I do have a high security and privacy awareness, which is what we're talking about.

[0:16:38] Wayne Chang: Yes. I've been a big fan and user of PGP, right? And basically, figuring out the key management and all these other aspects. I won't go into too much detail, but key signing parties, figuring out – I was a really big fan of Keybase when that was in full swing and doing active product development. They were going down the wallet route. But at the same time, it's led me to appreciate just kind of talking to people who don't live in that world, how onerous it actually is. I use this editor called Vim. Unfortunately, I'm stuck using it because I'm good at it now. But I just realised how decrepit the interface is actually. But I'm just blind to it, right?

So, I think that also zooming out and understanding how normal user that just wants to send an email doesn't want to set up PGP and do a key signing party, I think takes some like – I always try to set aside some time to grow appreciation for that so we can actually build products that are usable.

[0:17:35] Danny Allan: Well, I've been using PGP now for 26 years since 1999, so it has come a long way. It's become far easier to use now for the end user, and that's a good thing. I mean, all of these things are good.

[0:17:50] Wayne Chang: I mean, Danny, that's one of the big technical shifts that I think is enabling a lot of this technology. So, for example, we work with the California DMV to build a mobile driver's licence. It's a digital version of your driver's licence that can live on your phone, and you can use it at the airport. It was tested by federal agencies so that they understood what the issuance infrastructure looks like and how you can basically securely use it to pass the gate. I think that some of the enabling technologies from this were basically smartphones today. They have these special secure elements that allow you to hold private keys, and the private keys do not leave the secure element. So, it is very reminiscent of the smart cards from the late nineties and early 2000s, where that was their role in the PKI ecosystem, but now you can basically do that on a phone and provide a superior user experience that is very familiar to consumers. I think this is one of the key unlocks of this era.

[0:18:51] Danny Allan: Do you worry about – I love that system, by the way. I use Clear and FastPass and like all the different mechanisms, and it's all tied to my phone. Do you worry about the biometric authentication? So, in a multi-factor authentication obviously, people are used to what you know. Do you worry about the loss of data of what you are causing issues in this world going forward?

[0:19:14] Wayne Chang: I am worried about that. You've heard about all the data breaches and hacks and how just hundreds of millions of people of data are like on the dark web, right? And then all these LLM models probably have rags with that loaded up, and now they're going around the KBA systems and starting to destroy them. They're generating pictures of licences for people, right? With accurate information, they're going to fool a lot of the simplistic systems.

So, I think that, like the trend, unfortunately, is that a lot of that stuff is going to continue to get out there and more. I think we have to do our part and figure out how we mitigate those breaches and adopt practices that are private by default. When you transmit your image that is digitally signed by the DMV to a TSA terminal, it happens over Bluetooth peer-to-peer. So, it doesn't hit some server or something. That's the transaction, right? And then it gets sent over an encrypted channel on top of Bluetooth because I think Bluetooth has been busted so many times. So, we're going to do Diffie-Hellman again. And then, basically, they're able to validate the data integrity. They're able to quickly do a matching, and you're able to opt out if you don't want to use the algorithm. The person will just like do a visual scan between you and the image, and everything is deleted. I think only the fact that the check happened is recorded, right? This is stuff that can be verifiable if you send an auditor to those machines.

I am interested in architectures that are based on trusted execution environments where we can basically have more guarantees that the data were truly deleted. So, I think that is some of the next generation of what we have to do with a lot of our biometric systems and incorporate new like zero-knowledge proofs where I can prove that my face matches without actually sending you a picture of my face.

[0:20:57] Danny Allan: That makes total sense. Really, you're combining two concepts there, which is reducing the attack surface, but also using a zero-trust architecture so that there is no assumption of trust of any of the elements within it. I think that makes a lot of sense. Does that have a bias against individuals? So, for example, you mentioned DMV driver's licences. Is there biases in this against people who don't want to use digital identity or are not able to obtain driver's licences? How do you deal with those scenarios?

[0:21:30] Wayne Chang: Yes. So, this is where the policy wall is very important to consider and engage with. I think that technologists don't engage enough with civil society. A lot of these identity programs are legislatively authorised, right? The ACLU's website has model legislation for what a digital identity program ought to look like, in their opinion. That's a really interesting follow-up reading for any of your listeners if they're interested in this topic. But I think that one of the commonly recommended criteria is the right to paper, where you're also able to get a physical version should you want it and that it must be where a digital one is accepted, right?

I think a lot of the ambitions that we have working with digital systems is that a lot of the same guarantees are transitioned to the digital version. You're not pinging the DMV every time you use your plastic card, right? So, why should it be so different when you're using your digital one? It should pretty much keep the same privacy characteristics as much as is recently possible.

I think it is important to maintain paper. Some people just won't necessarily want to use the digital version or maybe it's just not convenient for them because they never got used to the technology. If they're in an older demographic, I believe in maximising user choice.

[0:22:44] Danny Allan: Yes, the right to privacy, the right to paper, as you say, is an important part because there's some groups within society that want to maintain that privacy and that is expected and I actually think it's a good thing to have that multiple model available to users. What about - so regulation actually causes some issues, though, right? So, right to be forgotten: how do you implement that in a digital identity world?

[0:23:09] Wayne Chang: Yes, so some advantages, privacy advantages that a digital identity has over a paper or plastic one will actually start to get us towards there. For example, there's something called selective disclosure, where you are able to pick which attributes to share from your identification or other credentials without showing the whole thing, right? So, it's late at night, you're at a bar, and you're trying to show your over 21 or 18 depending on where you are, why does that bouncer need to see your home address? Why do they need to see exactly how tall you are or what your eye colour is like? It's pretty irrelevant. Why not just show over 21 and be done with it?

Basically, I think technology allows us to do that. If you're a programmer, you can kind of think about how we do that. We just have a field called over 21, true, and that's all we have to share, and it's part of the same data integrity-protected payload that we send over. That's all the information necessary. We can't do that on plastic cards because it's kind of small. You have to print a lot of stuff onto there to get all those fields. So, there are a lot of advantages for using this as well. I think as we get towards the right to be forgotten or GDPR, CCPA in California, and some other privacy regulations, it's going to be critical that the people receiving the information handle it correctly under the policies that they're subjected to.

I think that we should move to a model of personal data licences where you are able to share your information, but along with your information, you're able to create a digitally signed credential or licence that entitles the receiver to use it how you specify according to the right framework. Basically, if it's GDPR, then we refer to GDPR. I let my primary care physician access these records for the duration of three years. I also let them share it with any specialist in my network. That might be what you stamp onto the information as you give it to the physician's office. I think technologies like this would allow compliance to be automated. I think this is one of the really difficult friction points of GDPR and policies like it. Again, technologists need to interact more with policy because it's like, we want to do this thing. It's a good idea. But how do you do that thing? Is it just going to be an accept all button that everyone clicks for the cookies? That's where I think we need a lot more thinking and architecture so that the policies are easier to implement without creating these detrimental effects on user experience or adoption barriers.

[0:25:39] Danny Allan: Do you worry about fragmentation? So, we've been talking about compliance here. Do you worry about fragmentation of compliance? In other words, having GDPR and CCPA and DPA and having many of these different frameworks that are not 100% in alignment with one another. Do you think that's going to be a problem? If every state implements their own CCPA, that's obviously not a good thing. Or do you think, generally speaking, there's going to be a common denominator that everyone applies to?

[0:26:08] Wayne Chang: I tend to stray away from common denominators, even though as an implementer, I'm like, “Give me that. Give me that so we can turn it into a spec, and we'll just build it in Rust, and then you know the world will be perfect.” But basically, I think that the more time I spend with state legislatures and people who care about things, the policy's job is to express the value of a society. I think that you might find that the data regime in one place is inappropriate for the people somewhere else.

Now, there may be some pretty core tenants that are largely aligned, right? Maybe we and do something about that layer, but I think that, largely, I like the idea that people can better express what their society's values are as policy and that we can just make the technology automate the hard interoperability bits away from it. That is basically my idealised way to get it because I think you can reduce a lot of the work to interoperate different frameworks. It just requires the use of automation.

[0:27:06] Danny Allan: Well, you have a huge opportunity to make that happen. I know with you're working with the state of California and a number of big players in this space. So, that's interesting. I want to pivot a little bit to AI because we touched on it very briefly, and identity is a huge part to play in artificial intelligence. In fact, I made this comment, and I don't know whether you would agree with it, but I say that really the boundary, the perimeter around AI is identity because if agentic systems are making choices on their own, they have to be making it on behalf of someone or something.

[0:27:40] Wayne Chang: Yes. There are a few ways to look at this, right? One of the ways to look at this is like, okay, we don't – there's this game called Cyberpunk where, like part of the core plot is that rogue AI has basically just destroyed the Internet as we knew it, and we had to build a big firewall around everything. Start anew from punch cards and everything, and then we're like back, but they're in this like cordoned area that we're not going to touch, and that’s it’s central to the plot, but whatever.

So, I think that, like to avoid that reality, I think that being able to figure out authorisation of action, like how do you delegate permission to an AI, it's going to be really important for accountability because we don't want all these like fraudsters to use AI. It's being used right now. It's like not a bogeyman thing. Anyone can sound like, “Oh, make me sound like a 20-something-year-old, whatever attractive person, and make me write text messages that are very seductive or whatever.” Anyone can do that now, even in English or whatever language is not their native language and it's just extremely convincing how specifically these pure phishing attacks can get.

I think that it's definitely becoming a fraudster’s tool, and to prevent this, we need accountability for who used that. The other angle, too, is how you harness the benefits of AI as well. There was this one congresswoman who can't speak anymore because she had some medical condition. But AI was able to reconstruct her voice, and she was able to type things out, authorise AI to read them, and it was her voice again. I think that's incredible. But also, we don't necessarily want anyone to be able to do that, right?

So, I think that being able to understand this delegation chain of action to AI actions is going to be more and more important. We already find OpenAI incorporating the content credentials as, I think, part of their generated outputs. I was an author on a paper called Personhood Credentials, working with OpenAI of the Harvard Berkman Klein Center and MIT and a few other institutions where we were thinking about, “Hey, we need to be able to designate if someone is a human or bot because things could get really messy if we lose that ability.” Making sure that there are a variety of sources that people can get this and not through one ministry of information is very important to me, that we use decentralised protocols, and arrive to a place where there's a lot of places where someone can get this. Because if that becomes a gaining factor to interacting with some Internet societies, we need to make sure it's authentic people, which I think is pretty reasonable, that should be broadly accessible to your point earlier. We shouldn't just constrain it to people who are running the latest iPhones or whatever to be able to access those societies.

[0:30:20] Danny Allan: Yes, it's scary to me how easy it is. I think it takes 20 seconds to copy someone's voice and tone and everything. Same thing on the visual front. It's actually concerning. On one hand, you can say, well, regulate those things away. Don't allow it to be done. But on the other hand, you can say, “No, embrace it, but put in the controls and checks to make sure that someone doesn't use a voice recognition to launch a nuclear weapon.” That's a bad thing. I think we would all agree.

[0:30:46] Wayne Chang: Yes. That's my default stance too. The technology is just evolving much faster than the pace of policymaking can catch up with. A lot of the policy is just like, we see some of this happen when you try to put specific technologies or approaches into the policy and you stray away from expressing values of the society. Now, in some parts of the world, you must sign things in XML. It's like, what? But it's the law.

So, I think to kind of make sure that a lot of the protection mechanisms can catch up with the technology, you should look to equally dynamic industries that have the potential to grow and meet the evolution of AI.

One instance in my field is a lot of people who do verification to open a bank account or get a loan or even your DoorDash, you might have had to take a picture of your driver's licence, which I think now is like let's just get away from that. Let's stop doing that as a society. What's really pushing that approach over the cliff is that a lot of the verification flows where you hold your driver's licence or your passport in front of your webcam and you stand next to it, AI can generate that entirely. It's like you can't even tell from that anymore.

In fact, none of the security controls, the UV-activated ink, the bending of the card, the holograms, all that stuff is not appropriate for showing over a webcam, right? It's kind of like facts; it's happenstance that the industry was able to lean on that for so long, but I think there are cracks, and the cracks are going to become fissures, and we have to rely on technologies that are resilient to the new fraud approaches enabled by AI. There are two things that AI have a hard time with today.

One of those is showing up in person, although we see those humanoids, and maybe the second one is breaking cryptography. To our knowledge, they can't really break cryptography and by combining the two of those that you showed up to like the DMV or something when they were taking your portrait image, and now we have a cryptographically signed payload that is your mobile driver's licence, that is basically where the industry is headed in terms of, now we can have a high fidelity digital copy of it that is verifiable from the authority. And then we can check the information or even do advanced biometrics against it. This is how we’re going to have to evolve as some new threats basically emerge, and I care a lot that we’re evolving in such a way that people are able to return control of their information, and we’re not building big databases of people’s data. Some countries have won with this approach, and yes, I think it works well for them in the short term, but I just think about the societal costs, and I don't think it's very – values along with the United States to do it that way.

[0:33:32] Danny Allan: Yes, it's true. You don't want to have all of that control in one place because any kind of either vulnerability or corruption of the system can lead to massive, massive issues. What makes you most optimistic for the future? If you look out, I guess two questions. What do you think is the most innovative thing that we're going to see in the next five years as it comes to digital identity? What makes you most optimistic as well for where we're going?

[0:33:56] Wayne Chang: Yes, I think that there is now an understanding of alignment that is necessary, but not consolidation and centralisation of everyone's identity into one place. So, the alignment that I'm talking about are actually a lot of the technical rules of the road, the technical standards that seem to be stiffening. People are lined on three or four of these things and not like 40. So, the industry has started to understand which of these approaches are going to really start bearing fruit, and that makes it more comfortable to adopt to build privacy mechanisms that will accompany it. We see evidence of consensus globally, where, for example, in the EU digital identity wallet project, they have narrowed down on a few of these standards that all EU member states are to implement by, I think, 2026, right? Then, in the US, we've seen a trend of many states going online with digital ID programs. I think this year is like 10 or 11. But by the end of the year, I wouldn't be surprised if it doubled. I think that everyone also understands this new risk that's coming to play and why a lot of the systems, as evidenced by, I think it was like 20 billion of fraud in California, or 200 billion-plus in the federal side during the plague, of where money went to sanctioned states, it went to dead people, a whole bunch of things that feel like, “Hey, this is a real problem that we have to solve so that we can get rid of this wasted abuse.”

So, we have this idea and understanding that, okay, we need to modernise our tools. We want to keep our values of letting people control their stuff even as we enter into digital society. Then also, the technologies are basically starting to line up about how we're going to do that. That's why I think it's a very exciting momentum for the next five years, and we're going to see a lot of adoption and use cases that we haven't even seen before. I think that this is going to culminate – my dreams of how it evolves, basically you being able to hold your stuff in one place. Instead of you asking the platform for permission to access your data in there, the platform asks you for permission if they can access your data vault, right? I want to see that transition happen.

[0:36:14] Danny Allan: Yes, at a very regular level. As you said earlier, I don't know that I want anyone to know what my weight is. In fact, my weight on my driver's licence is probably wrong anyway. But being able to give them just the information that they need for whatever task it is, I think that's a good thing for everyone. We often are concerned about the security risks of all of this, but I think in the long term, in the two to five-year term, it ends up just being better and easier for anyone.

[0:36:41] Wayne Chang: I think that with these privacy goals in mind, these are things that you can design into solution architectures. If we take this idea of personal data licences, you get a stack of these things for every time you share information, and you can hold them in one place. What if you can also exercise all your GDPR rights automatically if you're a citizen or a CCP in California, et cetera? So, I think being able to give more control this way is really exciting, too. You just have to think about it up front and have that as part of the requirements.

[0:37:10] Danny Allan: Well, I love the fact, Wayne, that you're thinking of these things and helping your customers and helping the market implement them. It's a very exciting time. I have to say, I remember a time when I was scared to sign a digital signature pad because I didn't want anyone to get my digital signature. But now, I think the ease of use of going through facial recognition at an airport. It's just so much easier. It's so much better for everyone and so we shouldn't be scared of it. Embrace it, but do it in a practical way.

[0:37:38] Wayne Chang: Yes, that's right. Just kind of understand, where are the data going? How are they being managed and everything like that? I think I think the industry having different policies about how that's done is really constructive. But also, I think what's really exciting is the movement away from, let's call it, multi-factor authentication. That was the first version of the evolution, but I think we're going to move to myriad factor authentication where there are thousands of factors considered. In fact, many device endpoint security products already start operating this way, and I think that there are a lot of things that can go into resuming the session.

[0:38:14] Danny Allan: That's truly exciting, and I think better for everyone; it's better for the organisation, better for the government. But more importantly, it's better for the individuals that are consuming these technologies and systems.

Well, Wayne, it's been fantastic to have you on The Secure Developer. Thank you for joining us today. And to everyone who joined the show, thank you for joining. We'll see you next time on the next episode of The Secure Developer.

[0:38:36] Wayne Chang: Thanks for having me, Danny. Appreciate it.

[OUTRO]

[0:38:41] Guy Podjarny: Thanks for tuning in to The Secure Developer, brought to you by Snyk. We hope this episode gave you new insights and strategies to help you champion security in your organisation. If you like these conversations, please leave us a review on iTunes, Spotify, or wherever you get your podcasts and share the episode with fellow security leaders who might benefit from our discussions. We'd love to hear your recommendations for future guests, topics, or any feedback you might have to help us get better.

Please contact us by connecting with us on LinkedIn under our Snyk account or by emailing us at thesecuredev@snyk.io. That's it for now. I hope you join us for the next one.