As I mentioned this talk or this 20 minutes or so is all about the biggest art heist in history, 13 treasures, 81 minutes outta Boston. The treasure in 2015 was reported to be 500 million worth, no suspects, no leads, no clues as to really who did it, but believe it or not, I don't really want to make any kind of a metaphor for zero trust or anything like that.
Instead, as we tell the story, I want to argue that identity needs to be the new Vermeer, and hang with me. And we'll see if I can convince you in the next 17 minutes or so. Now our story begins in the city of Boston, and specifically in a part of the town called Back Bay, where there's the Isabella Gardner Museum. It's a relatively small villa that was donated around 1900 or so by Mrs. Isabella Gardner. She was fairly wealthy and left all of her art and her entire house behind for the enjoyment of public citizens.
Now, our story actually begins not in 1990, when the art heist took place, but in 1981, when the museum was cased out, was examined, was checked out by local criminal elements, possibly the mob. And in 1981, the mafia realized that this museum had inadequate security and was ready to have its art stolen from it. Now the FBI warned the museum of this, and so they added additional security. They put in some more infrared sensors, they put in some external cameras, they added some more guards, but like any place, right? They had some lingering weaknesses.
When Mrs. Gardner left the museum to the city, she said, you cannot renovate the building at all. As soon as you do, all of the art, the entire building, all of it gets ceded to Harvard University.
Also, they didn't really pay the guards that much above what the minimum wage was at the time.
And there was a lack of a fail-safe policy. We'll get to that in just a minute. Now you might think, okay, what does this have to do with identity or identity data?
Well, it turns out our identity data, as you may be aware, is ready to be stolen as well. It's been cased out, so to speak.
Last year, I did an experiment where I created a fake identity and I signed this identity up for 25 different online services. And then I read through all of the privacy agreements to see what we're all actually agreeing to, whether it's consumer enterprise or otherwise.
And it turns out it's as bad as you think. Five of these 25 track your activity on third-party sites, no matter if you're logged in or not. 14 of them just straight up resell your information to advertisers and others, your behavioral identity data. Eight of them retain your content
even after you possibly deleted your account. This is not for financial regulatory purposes. This is just, we're going to keep your data until we feel like getting rid of it. All of these are fairly bad ideas. And in fact, my favorite quote from any of these privacy agreements was this one.
I won't tell you where it came from, but these are back to back paragraphs.
The first paragraph says you retain all the rights to your content that you post. Then the very next paragraph says, by posting that content you give us and our users a non-exclusive, royalty-free, transferable, sub-licensable, worldwide store to produce, create derivative per full, and you gain all the rights, but you've given all of it to us. Basically, our identity is being taken, stolen, much like the art in the museum. Now, on March 8th, or early in the evening, was the time of the heist, and the first real indication we have of something being wrong is at 1:00 AM.
We have two security guards in the building, and this was the action of security guard Rick Abath. He opens and closes this side door, possibly signaling to two people outside in a small car down the... How do we know Rick Abath did this?
Well, the thieves, when they left, they took the printouts, but they didn't take the hard drives for the infrared and the motion-detecting cameras. So we have a record, blow by blow, room by room, of who was where. Almost. Anyway, Rick Abath opens and closes this side door, potentially signaling the people. Whether it was a signal or not, it's unclear. Regardless, at 1:24, buzzed through this side door are two individuals. They buzz in.
They say, Hey, there's been a disturbance. This is the sketch of what they look like. There's been a disturbance. We need to come investigate. They look like cops.
They sound like cops. He buzzes them in. Now Rick Abath is behind a long security desk. And at that security desk, I talked about a fail-safe earlier, at that security desk, it's a single button. You hit that button and the police come, the authorities come, something is wrong. You don't hit the button, no help ever comes. Our policemen say to Rick Abath, hey, you look like someone
we have a warrant for. Come out from behind the desk. And Rick Abath does. And as soon as he does, he's walked away from his only potential source of calling outside help. As soon as he moves away from the desk, our policemen, our thieves, tell him, hey, this is a robbery. They pat him down, take any weapons he has. They handcuff him. They tell him to call the other guard patrolling the hall to come down.
The other guard comes down. They lead both security guards down to the basement, duct tape them, tie them up, blindfold them. They tell them, we know where you live.
If you don't say anything, after a year you'll get a reward. Then they go about their business. At 1:48, we see them on the second floor. You can see them go up to the main hallway where the stairs are, into the Dutch Room. And in the Dutch Room, they take 1, 2, 3, 4, 5, 7 objects: the Vermeer we'll talk about, a couple of Rembrandts, a Chinese vase and an eagle. Believe it or not, the eagle was attached to a flag that they tried to bluntly steal, but could not for some reason. So they just took the bird.
They go down the hallway and at 1:51 they're in the Short Gallery, also on the second floor. Here, they take five different Degas works, in various stages of being finished or drawing. The last work:
I said 13 works, and I've told you about 12. The last one was this Manet in the Blue Room on the first floor. And you'll note I don't have a time or a minute count or anything like that. And that's because we have no record of anyone being in this Blue Room who wasn't supposed to be there.
Despite there being motion sensors, et cetera, the only person ever to have been documented as having gone in and out of this room during the night is our friend Rick Abath. Regardless, this painting was taken as well. And at 2:45, 81 minutes in, we have the door opening and closing for both thieves, and they're gone. They leave the security guards in the basement tied up, and they don't get discovered until the next morning when the new shift arrives. Unharmed, but that's their wellbeing.
Now, if you went to the museum today, this is what you see.
When the thieves took the artwork, they were very rough with how they stole it. They took the frames off the wall, they cut out the paintings and just took it with them and left the frames. And the museum has hung up the frames. You can see what it might have looked like and kind of what you're missing now. So they got away. Let's talk about the aftermath and the investigation. Now they did what anyone does after a breach, so to speak, right? They did incident response.
Oddly enough, I didn't know this before this: 80% of art heists have an inside operative, some inside actor. The FBI took over because the art was assumed to be leaving the state. And one of our primary suspects was Rick Abath, our old friend who opened the door. This is in part because the night after getting freed from being a captive all night, he decided that it would be a good idea to go to a Grateful Dead concert in a neighboring state. He was never indicted, never charged with anything.
They're not sure he had any involvement.
The other option, of course, was the mafia, which a lot of speculation and stories have been written about. Now, as I said, there are no real charges, no indictments, no idea of exactly who did it. The artwork has never been found. The main result has been four books of non-fiction, five works of fiction and four television shows, one of which was the American show The Simpsons, which revealed that a character, Mr. Burns, had all the artwork hidden in his basement. Great art.
Now, despite nothing being recovered, the museum still tried. In 1994, there was a letter sent to the museum, to the director of the museum, saying, hey, we'd like to return the artwork, but to do so, we want immunity and we want to negotiate, you know, recovery price, that sort of thing. And they wanted the museum to prove their interest
by changing the currency value for the Italian lira in the local paper, the Boston Globe. The Globe said, no, we're not going to publish a wrong number, but we will put a one, a leading one, in there. And you can see that there. That trail went cold rather quickly.
And that conversation fell apart. I never heard from them again. And in 1995, the statute of limitations ran out. So at this point, no one can be charged or indicted. Now the Gardner Museum is still offering a 10 million reward. If you can give any information leading to a return of the stolen artworks unharmed, they will pay you 10 million and presumably not charge you, or a hundred thousand dollars if you can just give them the bird, so to speak. Why does this reward work? Well, it's because art thievery is a so-called short-sighted crime.
The only place you can get rid of fine art is by returning it or getting a reward.
You rob a bank, you spend the money. You steal a car, you drive it around. You steal fine art, it stays on your wall. That's because stealing it is the easy part. It seems like a good idea, but it's immensely hard to sell. And those of us in security and identity have kind of flipped that from what you saw before: selling is easy, but stealing is harder. And that's because we spend a lot of time on defense, zero trust, making sure nothing bad happens, and not so much on privacy.
This is shifting a little bit. And in fact, that's why I want to advocate that identity is the new Vermeer. The Vermeer here is the most valuable painting stolen in the heist. It's half the value of the entire haul. There's only like 34 works that are attributed to Vermeer, and it's the most valuable stolen art in the world.
That's the kind of concept we need for identity. It's recognizable, identifiable with Vermeer. It's synonymous with his name. It's a temporal expression of how he was at the time. It's created, not collected. It's one of a kind, and it's impossible to sell, as we talked about.
And if we flip it through identity, we've done well on some of those. It's identifiable with a person, synonymous with creator. Oftentimes identity data or identity is an expression of self. But a lot of times it's not created, it's collected, and it's not one of a kind. And quite frankly, the hardest part is that it's not impossible to sell. There have been a couple of suggestions,
proposals made by various people, about making identity data ownership a right, treating it like a human right, but more like a property right, based off of some private legislation states or a music model, for example, for will.i.am and some other artists.
And I like to point out this morning that I think that this is a terrible idea. Let me tell you why it's terrible.
I don't mind the idea of data ownership to enhance privacy. That's a good idea, right? Make people own their data, give them a sense of entitlement that it's worth protecting. The privacy is worth something, and this equation is fine. But once you start making identity data ownership a property right specifically, well, then it becomes an alienable right. Which I just frankly like saying, the word alienable. What alienable means here, it's a legal term.
Of course, it just means sellable. That means you can sell your identity data. Right? Sounds good on some level. But by the transitive property, what you've done is you've made your privacy a sellable right. And this puts people at risk of exploitation.
It makes stratification within society: who's affluent, who needs to sell their data, who doesn't need to sell their data. The danger here is best explained, I think, through a medical analogy. You own your kidneys, right? You have two of them, hopefully still, but in most places you can't sell them. Governments have stepped in and said, no, we're not going to let you do this, because you might try to do this, but it's not in your best interest. That's the kind of impetus we need to protect identity and privacy and identity data.
Now there are various sites out there that can tell you what your data is worth. For example, this calculator from the Financial Times. Interesting note, I filled it out and it's about 26 cents US worth per use for me. By the way, if you're interested in something like toilet paper or consumer goods, your value goes up by a mere fraction of a cent.
Most people don't understand what their data is worth, and it's actually not worth that much on its own. And consent, as I pointed out before, is already difficult enough, right?
No one reads those privacy agreements I talked about, and how much more, how much less would they be inclined to read them if they also had to do math to figure out if the financial trade-off was worth it?
Now, before we just shut off the idea of using identity data at all, keep in mind that I'm talking about the original identity data. There might be other angles to this analogy, like reproduction, or a poster of the art, so then we retain elements of what I was talking about before, and we forgo others. For example, a reproduction is not synonymous with creator. It's not one of a kind. It's meant for selling. It's often created.
Hopefully this makes sense, right?
No artist wants to be the best poster in university dorm rooms around the world, but they're okay making money off of it. And there are various companies out there that are trying to do surveys and other things to give some kind of avenue using some of that. But privacy at its core has to be a human right. It has to be all of these things I talked about. And I think the avenue to that, in part, one of the avenues along with reproduction, of course, is national privacy data law.
Here, you see active data protection throughout the world, and there's a whole different talk that goes into details about GDPR, of course, and CCPA, the new Brazilian legislation and other avenues, but all of these need to protect identity and identity data as a human right.
So hopefully I've convinced you that identity is the new Vermeer. Companies that actually establish privacy policies were found to be a third less likely to be breached in general than those that did not have privacy policies.
And so as a takeaway, identity data, just to repeat, it's not the new oil, it's not a commodity. Privacy is coming, and it's expected from your consumers as well as your employees and your partners and your vendors. So catalog your collection of what you have, and then establish those privacy policies preemptively, even before you're required to by law, and then govern it well with all the things that you're hearing about today, with PI and with identity governance and access controls, all the things that you would expect.
And then finally, if you've seen this artwork someplace, your uncle's summer home, your grandmother's basement, wherever, feel free to collect on this 10 million reward. Here's the link for it. And you don't even have to tell me if you benefit.