One of the shifts I observed at RSAC 25 was an acceptance of the reality we’ve all been hesitant to live inside – the fact that we are now in a post-privacy world. For most people who exist on the internet or in modern society, our PII, biometric information, contact information, and passwords have all been leaked in some fashion. I’ve lost track of how many notices I’ve gotten about data breaches within my healthcare providers, so I assume the intimate details about my epilepsy and its treatment are all out and available for people to peruse. How do we survive in a post-privacy world?

Many private and federal entities collect and store biographic and other identifying data while giving the people it describes little visibility into, or control over, how that data is used. Those organizations do share it freely, however, with contractors, vendors, and an entire web of other parties, which makes every one of them an attractive target for attackers hunting for large stores of valuable information.
This presents a unique challenge for security teams, many of whom found that just getting their companies to require MFA was a struggle. Now that passwords, and even biometric templates, have leaked at scale, those factors are no longer reliably secret, which undermines much of the value of stacking several of them.
I sponsored an event with Sober in Cyber this year and had the pleasure of meeting Tina Srivastava, Co-Founder of Badge. She mentioned that when the OPM’s databases were breached several years ago, 5.6 million federal employees’ information was compromised, so they are all intimately familiar with living in a post-privacy world.

This shared reality is one of the reasons Tina founded Badge. She had a feeling that within a few years, the vast majority of people’s biographical data would likely be widely available, and thereby unusable. Even if that weren’t the case, why are we giving up our biographical data in the first place? Why are we still using (and reusing and reusing and reusing) passwords?
One of the hardest things about protecting biometric data (face, iris, fingerprint) so it can't be stolen and never has to be stored is that a biometric is slightly different every time it is captured. It can't simply be hashed like a password; it has to be matched against a stored baseline with some error tolerance, and that baseline is exactly the sensitive artifact you want to avoid keeping. Badge has found a clever way around this: the biometric is turned into a public key, and neither the corresponding private key nor the biometric data itself needs to be stored anywhere. This allows for biometric authentication that doesn't expose any sensitive information. As Tina put it, “With Badge, it is now possible to live in a world where you don’t have to trade all of the information about yourself just to participate in online spaces.”
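To make the error-tolerance problem concrete, here is an added, self-contained example of the textbook pattern for deriving a stable key from a noisy input: a code-offset "secure sketch" (Dodis, Reyzin and Smith, 2004) over a simulated 320-bit template, a hash as the strong extractor, and a toy Schnorr key pair on top. It is my own illustration, not Badge's code or algorithm, and the parameters (a 64-bit key, a 5x repetition code, a Mersenne-prime group with generator 3, the sample template and the challenge string) are all demo-sized assumptions. The point to watch is what the server keeps: only the sketch, a salt and the public key. The template, the key bits and the private scalar are discarded after enrollment and regenerated from the next capture.

```python
"""Toy fuzzy extractor: a stable key pair from a noisy biometric, with nothing
sensitive stored.  Added illustration only; this is NOT Badge's algorithm.

Pattern (code-offset secure sketch + strong extractor):
  enroll:  pick random key bits k, encode to codeword c, publish sketch = w XOR c,
           derive private scalar x = H(salt, k), publish pub = G^x.  Discard w, k, x.
  re-auth: fresh capture w' = w XOR noise; w' XOR sketch = c XOR noise;
           decoding corrects the noise, giving k again and hence x again.
Parameters and the group are demo-sized assumptions, not production choices.
"""
import hashlib
import hmac
import random
import secrets

KEY_BITS = 64                    # random key material hidden by the sketch (demo size)
REP = 5                          # repetition code: tolerates (REP-1)//2 = 2 flips per block
TEMPLATE_BITS = KEY_BITS * REP   # 320-bit simulated iris/fingerprint code

# Toy public-key group: Z_p^* with the Mersenne prime p = 2^127 - 1, generator 3.
# Real deployments would use Ed25519 or P-256; the algebra is the same.
P = (1 << 127) - 1
G = 3


def int_to_bits(n, width):
    return [(n >> i) & 1 for i in range(width)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encode(key_bits):
    """Repetition code: write each key bit REP times."""
    return [bit for bit in key_bits for _ in range(REP)]


def decode(codeword):
    """Majority vote per block of REP bits; corrects up to (REP-1)//2 flips per block."""
    return [int(2 * sum(codeword[i:i + REP]) > REP) for i in range(0, len(codeword), REP)]


def extract(key_bits, salt):
    """Strong extractor: turn the recovered key bits into a private scalar."""
    digest = hmac.new(salt, bytes(key_bits), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def enroll(template, rand_bits=secrets.randbits):
    """Returns only public helper data plus the public key; w, k and x are never stored."""
    assert len(template) == TEMPLATE_BITS
    key_bits = int_to_bits(rand_bits(KEY_BITS), KEY_BITS)
    sketch = xor_bits(template, encode(key_bits))      # w XOR c
    salt = rand_bits(128).to_bytes(16, "big")
    x = extract(key_bits, salt)
    return {"sketch": sketch, "salt": salt, "pub": pow(G, x, P)}


def reproduce(noisy_template, helper):
    """Re-derive the private scalar from a fresh capture and the public helper data."""
    codeword = xor_bits(noisy_template, helper["sketch"])  # c XOR noise
    return extract(decode(codeword), helper["salt"])


def challenge(R, msg):
    return int.from_bytes(hashlib.sha256(R.to_bytes(16, "big") + msg).digest(), "big") % (P - 1)


def sign(x, msg, rand_bits=secrets.randbits):
    """Schnorr signature in the toy group: proves knowledge of x without revealing it."""
    r = rand_bits(256) % (P - 2) + 1
    R = pow(G, r, P)
    return R, (r + challenge(R, msg) * x) % (P - 1)


def verify(pub, msg, sig):
    R, s = sig
    return 0 < R < P and pow(G, s, P) == (R * pow(pub, challenge(R, msg), P)) % P


def noisy_capture(template, flip_positions):
    """Simulate a fresh capture that differs from the enrolled one at the given bit positions."""
    out = list(template)
    for i in flip_positions:
        out[i] ^= 1
    return out


def demo():
    rng = random.Random(2025)  # fixed seed only so the walk-through is reproducible
    template = int_to_bits(rng.getrandbits(TEMPLATE_BITS), TEMPLATE_BITS)  # constructed sample
    helper = enroll(template, rng.getrandbits)
    msg = b"server nonce 7f3a"  # constructed challenge
    results = {}
    # Exact same capture; then one flip in every 7th bit (at most 1 flip per 5-bit block);
    # then 3 flips inside block 0, which is more than the repetition code can correct.
    cases = (("exact", ()), ("noisy", range(0, TEMPLATE_BITS, 7)), ("too_noisy", (0, 1, 2)))
    for name, flips in cases:
        x = reproduce(noisy_capture(template, flips), helper)
        results[name] = verify(helper["pub"], msg, sign(x, msg, rng.getrandbits))
    return results


if __name__ == "__main__":
    print(demo())  # {'exact': True, 'noisy': True, 'too_noisy': False}
```

Two caveats a practitioner would want. First, the sketch is public, so the security of the whole thing rests on the entropy of the template, not on the key bits: with only 64 key bits an attacker holding the sketch and the public key could grind k offline, so production systems use far larger templates and keys. Second, a repetition code is the simplest possible error-correcting code and wastes most of the template; real fuzzy extractors use BCH or Reed-Solomon codes over richer feature vectors, and the false-reject case (the third capture above) is exactly the tuning problem such systems spend their effort on.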
While Badge won’t be able to rescue the information and passwords already in the wild, it presents a safer path forward for identity and will help stem the steady tide of our data flowing onto the internet. I suspect that employees who have a choice would lobby for sharing less data, especially as younger buyers have become significantly more data privacy aware. While Millennials were originally regarded as caring little about privacy, studies increasingly show that they not only do, but will speak with their wallets. Their successors, Gen Alpha, have been taught the importance of data privacy since kindergarten. Vendors building long-term businesses should take note of these shifting preferences.