Keynote at the Consumer Identity World 2017 EU in Paris, France
Good morning ladies, welcome to Consumer Identity World 2017, a Paris event. We already have one in Seattle. We have one in Singapore in December. Welcome to this joint event of city people, and we right together and we created together. I just wanted quickly before we start introduce the moderators today, which are with six people, he will moderate one of the tracks today. Tr also will moderate one of the tracks in tr moderate, the evening keynote session. And Martin, I will already morning assessment together with Sean. I'll do the first keynote.
There will be snacks and drinks reception today after the evening keynotes, which is hosted by Facebook. So I just wanna inform you about that. So don't listen. And with that, given that we have a short time for each of the keynotes, we directly will start with our first keynote, then done by Sean and me, which is balancing user experience privacy and security for the connected customer safety. So as I said, it's one we will do together. Try on me.
And I think it's very obvious in these days where we discuss a lot about GDPR, not only EU, but I would say across the world, there's a situation where we have to discuss about privacy for GDPR heavily brings in this privacy aspect. We have to discuss about security anyway. So when we look at all the hacks, all the data getting lost, etcetera. So we had so many prominent attacks over the past years of billions, tons of billions of customer effort. After that, on the other hand, we have the, the user experience side of things.
So how can we make it convenient for the customer to consumer to work? And so that's, I would say as a complex trilemma, I would say we have to figure out ways how to do it. Good. And look at the consumer perspective on that. So user experience privacy security, then user experience from a, from a customer consumer perspective. Everything should be super simple to use. I don't want to register again and again and again. So registration, the boring thing, and I want to authenticate the way I want to, what is convenient to me? I want to use the most convenient necessary for privacy. Yeah.
Most little privacy. I will tell you everything for a prize, but only to my advantage.
So it's, it's a, a little bit, a strange situation. So on one hand, people are, as we all know, willing to tell our stuff, if they feel they got something back, but they anyway complain about if they feel it's that used the right way, but what GDPR will bring in, I think this is an interesting aspect. And I think we already started, started learning it.
When you look at what Microsoft edge browser or recently had in, when I've tried to use Google maps, then you end up being asked or informed, oh, we collect a lot of data and you have to look at this and blah, blah, blah, privacy policy, or we using cookies. And then you can look up the things and then you end up a lot of information you've never saw before about what is collected or where this and cetera. And I think this, I didn't know about what, what you collected that will change latest with GDPR. It already starts to change.
And that, yeah, when you look at the list, you sometimes feel scared and say, okay, that much. So security again, security must be simple, simple to use. No one really likes passwords. And anyway, the perception of the consumer always is if something goes wrong, it's not the consumer who's guilty, it's the business which is guilty. When I look at, from an enterprise perspective, it's sort of the total opposite. So user experience, no, there are usually some duction constraints. Also when it comes to eye modernization, then we look at compliance of an onboarding and other process.
So you have to agree to the terms and conditions, which are several hundred pages long, sometimes even longer. Oh yes. And businesses are so creative these days.
So every, every single department creates its highly innovative apps and applications and new services. Unfortunately, usually they don't talk with each other. So everyone is some way innovative, but there's, and even very large organizations, many organizations says the gap of coordinating these efforts. So all these apps look a little different. All these apps may even come up with different registrations, et cetera, privacy. Yeah. Everyone feels that personally identifiable information is the new money. So they want to earn it.
They even try to, to harvest it when they have no clue about what to do with that information. So when we look at what information is collected, a lot of information is collected, which isn't used. There was never thought about minimizing the PII collected.
And yes, there are so many different regulations anywhere around privacy. It's not only GDPR. So there are various regions and countries, different regulations, but there's more than GDPR, even in the would you have to look at. And so it's a complex thing. Security. What people have learned is security issues can cost their jobs. So if you lose some millions of your customer records and you're a CISO, you most likely actually will have an issue because these things gain the attention of the CEO today. And it'll become even worse.
When you look at the breach notifications and the context of GDPR, we will learn far more about it. That might also make things better.
You know, at the end, if we have so many incidents which become public people who care less about a single incident, unless you're very prominent. So if you're not that prominent, no one will care about you. Maybe wait and see what happens. Security costs so much money. That's also perspective of the enterprise. So I have to pay for it. And everything is too complex. Yes. Because everyone creates those apps applications. And I have all this old stuff and oh yes. I still have a mainframe where my, whatever my life insurance car runs on and how can I protect this complex ecosystem?
So it's a, it's a complicated situation. And the one thing we will have to add to this is so we will, and I don't put too much detail here. I think you have heard about this a lot. We have consent as a new topic and consent. In fact means with GDPR, we have many, many situations where we have to ask for consent that is given explicitly, that is given informed and so on. You have gone through all the clear and plain language, etcetera.
So it means we have to inform about which PII we collect, for which purpose, by the way, legitimate interest, which is brought up sometimes as, oh, we don't need explicit consent. Cause we have a legitimate interest in collecting the data. Isn't really the way out of that because you still have to inform about a lot of stuff. And if you, for instance, collect stuff from, from, from children and, and so below 18 year old people, then you have to do it in language, which is adapted to these.
So there are so many things around that, in that we just should assume that we have to inform everyone explicitly about what we do with and what we collect and what we do with it. And that, that will lead to a situation where people understand far better, what is collected. And that really is a big change for this entire balance between privacy and on the other hand, the user experience. So a lot of things will change here and with that I hand over to John for the next part. Thank you.
So going a little bit into the consent picture, you know, we really need, as, as proprietors of consumer identity systems, you, you need to clearly state what it is you want to do with customer data and why. And like Martin said, you know, it's more than just having a legitimate interest. You've gotta have a real reason for wanting to process it, process that information other than just collecting as much as you possibly can.
And that's kind of been the default up to this point is just suck up every little bit of data you possibly can about the consumer and the hope that, you know, you might be able to make some money off of it. So you really need to let the consumer know, well, what do I get out of it?
And, and this will probably lead to entirely new business models or, or, you know, the expansion of business models like freemium. So you have a product that you might allow people to use a minimal feature set for a while. And then if they want to get more advanced functionality, then it's a pay as you go type of service and then finding ways to do revenue sharing.
I mean, I think if you look at some of the interesting things, even going on around cryptocurrency and consumer identity, there will probably be ways to pass along revenue sharing directly back to the consumer. So over and above, just providing them with a discount for a service perhaps, and really this gets to needing to provide some sort of reward to the user for giving them, them, giving you their permission to use their data. So we talk about friction and frictionless user experiences, really the less data you collect, the lower the friction, regardless of what this scenario is.
And on the other end of the scale, you've got more data and it's always gonna be higher friction. We'll talk about progressive profiling and some of the ways that consumer identity management systems today gather that information in a way that's hopefully less obtrusive than asking for it all up front. But really I think the middle is where everybody will want to be, find out exactly the bits of information that you need.
But yes, there will probably be just a little bit of friction for the user, but minimize it as best you can. So gonna go on a, on the flip side here, everybody touts the, the benefits of ride hailing services, but just moving around Paris for the last few days, I started thinking, you know, there are still some advantage to the old way of doing things.
You know, if you, if you have a taxi you want to get into taxi, you don't necessarily need a phone. You don't need an app to, to get a ride. And when you get into the taxi, you don't have to create an account and set up yet another password. And you know, it's a pretty anonymous situation.
You know, you don't, they're not storing information about where you were, which friends were with you. You know, when you look at the ride hailing services, they require all of those things, a phone, an app, you've gotta have an account, you need a password and they're gonna be stored in lots and lots of PII and not to name names. But I think we all probably just read about last week, one of these ride hailing services, loss of user data. And you know, there's always a need for security of the user data as well as privacy.
So I thought I would just toss out a couple of generic rules to start, you know, how we look at consumer identity management. So there is the ability to collect all kinds of information.
You know, you can start with ad advertising on Facebook. You can link that, get other information about where users have been, what their likes are when they go to product pages.
Of course, all this, all of this is facilitated through the use of cookies till you wind up, you know, on the far end with, you know, a company learning an awful lot about you, that you may not have intended. So rule number one is don't be creepy use information, but make sure again, you get the explicit consent for it. And if you don't need to track absolutely everything somebody does, then I think it would be a good idea not to, especially with GDPR coming up. Another one is don't annoy your consumers.
I don't know about you all, but I certainly whenever browsing the web, I, I find these popups to be increasingly irritating and I've tried every popup blocker I can get, but if I want to go learn about your product, I don't necessarily need a popup that shows up and ask if I want to register for a webinar, let me, let me browse the site without being interrupted for a bit first. Or the chat box. Again, you're, you're browsing on a site, just trying to get some information about a product.
Maybe you wanna read the technical details and you'll get a chat box pop up, you know, do you wanna talk to me about this? Well, maybe not right now. Or every web, every retail website. It seems these days when you go there and you wiggle your mouse around the screen just a little bit, they would like to add you to their mailing list.
And again, I don't necessarily need to give you my email address just because I wanna look at something on your site. So I guess the message would be just fine-tune how you want to interrupt a customer, how you could reduce friction, collect the information that you need for your marketing purposes, but do it in a way that collects the consent to the person in a fair way. And I think that there are some that might be a good place to collect a little bit of PII. So let's take the example of the direction behind, right away. They have their IC on the IC.
They have their wifi, and then you log in, you ended up in a portal and every time after a couple of minutes, it pops up and says, do you want to participate in the survey? So if they were, would do that in a somewhat thoughtful way, they would latest when I three times removed the popup, they would store it somewhere and say, okay, obviously Martin Kuppinger or at least that system, because it's always the same computer I'm using the person using that computer is not heavily interested in answering the survey, but they pop it up again.
And again and again, and these are things which are really where, where obviously the interest of connecting data stands in stark contrast to the user experience. So I'm interested to learn about delays.
They, they show up at the bottom of this portal, that's what I'm really interested in, but not all this popup stuff, etcetera. But I think behind all of many of these things, there's, there's a fundamental, I think we can call it mistake. Even many organizations are, are making others. They're thinking too much inside out. Instead of thinking outside, I think this is what we really need to fundamentally change. So what do, what do I mean by that?
So when we have the enterprise and around it, we have the consumers, then businesses, towns, those other organizations, governmental organizations, et cetera, they may be even more sometimes tend to think inside out, so what they do is what works best for us. So what do we need as PII? Which authentication works for us. I recently had a conversation with someone who said, oh yeah, they run a survey with a Swiss bank. And the people weren't overly happy of being, having to use S OTP token for authentication to online banking.
And then they added trust an SMS out of, so they did another thing which fit in there to their world, instead of thinking what would be the customer's preferred way to do it. They didn't even raise that question. What does the customer really want? They trusted, okay. He's not happy with that. We had another one properly is happy with that, but they didn't sync it from the customer perspective to sort from the enterprise perspective, all the process, the center are now solve in most cases from inside out. So do what we want you to do.
That's the perspective still most organizations take at least implicitly. And I think what we already need to do is to look at it far more from a consumer perspective. So really think outside, in, look at it from the different angle. So what works best for them? What do they accept as PII collected? Which type of authentication do they want to use? Or a lot of different ones. Obviously everyone wants to use this smartphone. And then he uses the different device.
He wants to use what works best on the device that might vary even for the customer, depending on the device he's using, but it's, it's what we should support. So we do what you want to do. That must be the message to your consumer. We need toss, rethink that, not, and that's what I've brought up is these, all these apps that are created everyone on the business tries to do the best from his small perspective on the customer, they don't start with a big view of what do we does our customer want to do? How can we do the best for him so that he does most with us.
That's at the end, it's the question. And that build network. When we always look at it from an enterprise perspective, we need to take the perspective of the consumer first to be successful particular, this new age of GDPR, of PSQ, and a lot of other changes we are facing. We are at the end of our first keynote. I think we have you time left for one question before we move to the next keynote.