Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
George Peabody (00:11):
Welcome to
Making Data Better, a podcast
about data quality and the impact it has on how we protect,
manage and use the digital data critical to our lives.
I'm George Peabody, partner at Lockstep Consulting, and thanks
for joining us.
I'm so glad you can join us, and with me is Lockstep founder
Steve Wilson.
Hey, Steve. Hey George, how are you doing? Very well.
Sometime we're going to talk a lot about all the exciting
(00:32):
things that are happening in Australia, but today we're going
to take a little more of a focus on what's happening in the
US to provide some context to something that we think is super
important, and that's, to be clear, data quality.
And we look at data quality as a social and economic concern,
while there are multiple mechanisms for individual
(00:53):
enterprises to attempt to manage and protect their data, and we
know that hackers find the cracks in those bespoke walls
all too often.
So we believe the long-term solution requires systemic
change and ecosystem build, if you will, to how we conduct data
sharing, security and government.
And in this discussion, technology is not essential.
(01:15):
We're far from it.
We're interested in how the upcode, to use Scott Shapiro's
single word to describe the rules and procedures that govern
tech behavior.
We're really interested in how the upcode is developed and
guides how we, in this case, manage the task of.
We're really going to be talking a lot about
identification online today, and I use that last verb,
(01:37):
govern intentionally, because we believe that government at all
levels has a major role to play.
Why?
Well, let's focus on one use case for data quality
identification online.
Knowing who we transact with remains challenging, and getting
that wrong is costly.
Fraud hurts.
The day we leave risk management up to the party with
(01:58):
something to lose.
Called the relying party is the party that owns the risk, and
we are all relying parties.
Each of us performs the risk management tasks every day.
We may lock our apartment door, our car or use a password
manager or not.
Those are all individual decisions.
Individuals and businesses have all sorts of tools to assess
(02:19):
risk and decide whether or not to trust. In the world we might
want to see.
We want to look someone right in the eye.
Online, the tools we use are different.
Cyber space is still new, risk management tools are evolving
and the data isn't very good, and now that we have generative
AI, we have the ability to create bullshit at industrial
(02:43):
scale at zero cost.
It turns out that managing the cost of fraud has many
similarities to the cost of pollution, and I'm really going
to be interested in our guests today reaction to this
particular metaphor. Individuals, and often those with the fewest
assets to protect.
They're a disproportionate burden of impact when defrauded.
(03:04):
Today's post-breach nostrum of free data monitoring services
how many of those have you gotten over the last 10 years,
or 20?
They're a thin layer of protection and we can't pretend
that fraud doesn't have huge cost to enterprises too.
In our last Making Data Better episode, we saw what it took for
Heartland Payment Systems to recover from massive system
(03:26):
compromise and, as we've seen over and over with pollution,
the marketplace alone, without government influence, has
insufficient incentives, imaginations or tools to put
forward systemic or network-wide guidance.
So that's our premise and viewpoint here at Lockstep.
We think government has an important role to play in data
(03:47):
quality, and it's a role that governments are just beginning
to examine around data quality and in this role in online
safety. In the real world, government has a huge interest
in safety.
There's not an airplane in the air that doesn't conform to the
FAA's strict certification regulations.
60 years ago, automobile safety was up to the manufacturer, no
(04:10):
more.
So what could or should governments do about data
quality and what would be the impact?
So I'm very pleased to say that we're going to examine the role
of government.
We're delighted to welcome Jeremy Grant, managing director
of technology business strategy at Washington DC law firm
Venable LLP.
(04:31):
Jeremy has long worked on digital identity in the public
sector, having been senior executive advisor to the USA's
National Strategy for Trusted Identities in Cyberspace
Initiative, a key advisor to the FIDO Alliance, which has a huge
bit of something to celebrate this year and a leader of the
Better Identity Coalition.
(04:51):
So with all that preamble, Jeremy, welcome to Making Data
Better.
Jeremy Grant (04:56):
Thanks. Great to be
here.
Where do we start?
George Peabody (04:59):
So why don't we
start with what you're doing?
What you're doing now?
Tell us about your work and why a law firm is so eager to have
an expert in online identity in the practice.
Jeremy Grant (05:08):
Yeah, so the
easiest way to describe my role
at Venable.
So Venable has what, by most measures, is the largest
cybersecurity and privacy legal team in the US, and I'm going to
say about eight, nine years ago.
The chairman of that practice, who actually chairs the whole
firm now, came to the conclusion that there's a lot of things
that they're often asked to do as attorneys because they're in
(05:31):
there as a trusted advisor, usually to the general counsels
of companies, but also sometimes dealing with product teams or
on the security side, if somebody's dealing with incident
response.
He said there's a lot of things lawyers just don't necessarily
know how to do, and so he had the idea of what if we could
actually complement this best in class legal team with people
who understand security technology strategy, policy,
(05:53):
finance that would allow the firm to offer we call our 360
degree approach to service, where, if you're looking to do
something, say, in the identity space, where you need help
understanding technology, security strategy in terms of
what might work, what might not, also liability and regulatory
compliance, well, we've got attorneys who are great here.
(06:15):
We've got a team that I lead that's really helpful there, and
so think of us almost as a boutique consulting firm that
just happens to be co-located inside a great law firm that
specializes in the same things that we do.
It's a little bit of a different model.
I'm not sure any other firm has it, at least not at the scale
that we have but it's one that works really well for us and for
our clients.
Steve Wilson (06:35):
That makes so much
sense.
Jeremy, we've got a particular angle that George has already
explored, that we're looking at so many of the world's problems
through this lens of data and a lot of what you say always
resonates with me around data.
We had some great conversations just a couple of weeks ago in
Carlsbad at the FIDO Authenticate Conference.
It was great to be out traveling again and good to see
(06:55):
you.
Definitely.
How do you reflect on data quality and its import for
cyberspace and risk and everything that you're doing in
the law firm?
Jeremy Grant (07:06):
I think it's a
great angle you guys are looking
at here, in that, beyond identity security or, frankly,
anything that's fueling this data-driven economy, so much of
the algorithms that we're feeding the systems that we're
building are dependent on making sure that you're starting with
the right facts, or at least enough of them, that you can
start to analyze it properly.
(07:29):
And I'll say as much as we'll talk about this a little more
today.
As much as I'm an advocate of having the government play a
bigger role in digital identity, because they're the one
nationally recognized authoritative source, even the
government has a data quality problem when it comes to
identity.
I mean, I often point out our Social Security Administration
here in the US mistakenly declares, I think, about 5,000
(07:51):
people dead every year, which, if you look at it in the context
of there's 330 million Americans, all of whom have a
social security number and deceased ones as well and
whatnot, you're probably managing maybe twice that many
identities in your system.
5,000 is a pretty low error rate.
That sounds pretty good when you do the percentages, unless
you're one of the 5,000 people who has been declared dead
(08:15):
suddenly life now looks like a Monty Python skit, but perhaps a
little less funny.
So I think it is an issue that underpins things in that the
government has a role to play, but at the end of the day,
nobody's going to be perfect, and the more we're going to
perhaps rely on government systems for certain things, we
also need to make sure that the quality is there.
Steve Wilson (08:37):
So we see a real
willingness around the world.
Well, not universally, but we see a willingness in the US
administration with the Social Security online checking
function, and in Australia we've got a document verification
service where critical government documents can be
checked in real time.
So there's a willingness, we think, for government to get
(08:58):
into the ecosystem.
Would you like to see more done?
Jeremy Grant (09:03):
I think a lot more
needs to happen and
unfortunately, I would characterize the willingness
we've seen within the US government to be in isolated
pockets as opposed to, I would say, as a whole of government
approach, to sort of buy into the idea that we actually need
to play a bigger role here.
The Better Identity Coalition, which you mentioned before and
(09:24):
is a group I lead, was founded with the premise that we have a
hodgepodge of different nationally recognized
authoritative credentials issued by a mix of federal, state and
local authorities, but their usefulness generally stops in
physical application because there aren't digital
counterparts.
There aren't ways to validate the information there.
There's no way for me as an American to ask an agency route
(09:48):
that develops for me when I'm trying to prove who I am online,
and so we see some isolated things that are out there.
For example, when you mentioned, our Social Security
Administration will validate some appliance, say, for a new
credit card.
Is there really a Jeremy Grant with this date of birth and SSN
who's not dead?
Yes, no answer there can be really helpful in preventing
synthetic identity fraud, which the Federal Reserve has stated
(10:09):
is the fastest growing type of financial crime in the US, but
they'll only do that for banks and only for certain types of
applications because they were narrowly directed by Congress.
Well, you have to do this.
Nothing legally precludes them from doing that, say, if I'm
applying for government benefits where there's also a big
synthetic fraud problem, but the SSA does not do that, and so we
actually have this.
Really, I don't even know if bifurcated gets into how messed
(10:33):
up it is in many ways, where there's little places here and
there, where there's pockets of excellence in identity services,
but without a holistic approach to define what good looks like
and how we get there and ensure that services are available more
widely, we actually, I think, are really falling behind a lot
of our competitors across the globe.
Steve Wilson (10:52):
You observe about
the physical use of credentials.
Typically I get a bit frustrated that it's not just a
government problem but there's some tunnel vision with the ISO
MDL work, sometimes the mobile driver's license.
I've sat in rooms where people are saying wouldn't it be a good
idea if this driver's license on the mobile phone was
presented or usable online?
(11:14):
And it's like their default assumption is this thing is only
ever going to be used offline and it's a brand new idea that
you would use a digital driver's license online.
I just think it's a slow rate of thinking sometimes.
Jeremy Grant (11:29):
I would argue with
what's happening in the MDL
world.
We've got things absolutely upside down in that the ability
to use an app on my phone to go through an airport security
checkpoint or to get a beer at a bar that's a nice to have,
makes things maybe a little more efficient, or if I leave my
wallet behind while I've got a backup on my phone, but it
(11:49):
doesn't really solve any pressing problems.
Steve Wilson (11:52):
It is not
transformative.
Jeremy Grant (11:54):
And meanwhile in
the US and I think globally as
well but I can certainly quote some of the US numbers we have
an absolute epidemic of identity related cyber crime that is
costing the country hundreds of billions of dollars.
I mean just to quantify those numbers.
FinCEN, the Treasury Department's Financial Crimes
Enforcement Network, recently announced that they did an
(12:15):
analysis of all of the so banks file something called suspicious
activity reports with FinCEN.
When they see an evidence of, hey, this is likely, suspicious,
likely financial crime, we're going to continue the 2021
reports that were filed.
$212 billion of transactions that were filed in those reports
tied to compromised identity.
(12:37):
Moving to public benefits tracking fraud, during the
pandemic, when our government pumped a lot of money into new
benefits systems to aid people who were suddenly out of work,
the GAO, which is the investigative arm of the US
Congress, estimated between $100 and $135 billion loss.
So let's take the low point of that, $100 on top of the $212
(12:58):
billion, that's over $300 billion just in two sectors, and
that doesn't even start to scratch the surface of what's
going on in other places.
Much of this crime is because it is really easy to defeat the
systems that agencies and private sector organizations
have in place today to try and verify who's who online.
We're still, in many places, clinging to this outdated idea
(13:19):
that because I know five things about you, that means I must be
you and so I can open an account in your name and assume your
identity.
And it's, I would say, a little frustrating that it has taken
so long for the government and I would say, industry writ large
as well to sort of recognize this stuff doesn't work anymore,
(13:41):
and when we have a national problem and it's costing
Americans and American businesses and government
agencies and others a lot of money and we need to actually
have a strategic approach to solve it, that is definitely
missing right now in the US.
Today Will sit.
George Peabody (13:54):
Jeremy, we were
all at FIDO Authenticate and we
are so happy to see that.
Passkeys, this replacement for passwords.
We're shifting from plain text to device assisted presentation.
Super exciting, right?
We'd love to see similar treatment to the credentials
that we use, those, those other four other five things you were
(14:15):
just talking about.
Where there's some chain of custody, the provenance of that
data can be assured through device assisted presentation.
Have you seen any discussion about that kind of thing?
Jeremy Grant (14:29):
Well, I think
mobile driver's licenses are
going to get there.
I mean, to Steve's point, they're focusing largely on the
in person use cases, but they are also working on a
complementary set of standards to support, you know, what I
would call online presentation of my credentials.
So, look, we've been at this a long time.
The technology is not actually that hard.
It's not very difficult to, you know, be able to have digitally
(14:51):
signed credentials stored and protected hardware on this
device tied back to the state.
You know DMV that issues the credentials say it's a mobile
driver's license that I can then use, so that the experience
when I am looking to prove who I am goes from answer these five
questions tied to your credit report.
Or, hey, take a picture of your ID and a selfie and enter a
(15:11):
bunch of other information to.
In about five seconds, you launch your app that says hey,
this bank or this agency is looking to know these four
things about you, or these seven things, depending on how many
validated attributes they need.
Are you okay sharing it with them?
Sure, and at that point this device then transmits digitally
signed data that the relying party can validate.
I mean, this isn't rocket science.
(15:32):
This is pretty easy stuff, but it does require-.
George Peabody (15:35):
That's the down
code.
The up code is the government orientation towards the problem.
Jeremy Grant (15:42):
And the government
has to decide collectively that,
you know, they give a crap to actually look to digitize this
stuff, which I think is really where in the US we have been.
Look, there are a lot of pockets of great people in
different agencies right now, as well as in the States, looking
to drive this forward, but most of them, in my view, are often
an island.
They're, you know, trying to drive stuff forward with the
(16:03):
authorities and the budgets they have, which is not very
significant, and there isn't any prioritization of this at a
national level to try and guide it and, you know, ensure that as
we do this, how do we set a high bar for security and
privacy and accessibility and usability?
How do we define?
You know, as I said before, what good looks like and how to
(16:23):
get there, or what bad looks like, and you know what are the
risks to avoid.
So it's not all bleak.
In that, I feel like we're making some progress.
My concern is that at the current pace, it's going to take
us 15 or 20 years to solve this problem and I don't think we
have that long, particularly as we're seeing new, you know,
attacks powered by generative AI that make some of the old ID
(16:46):
spoofing attacks look, you know, very unsophisticated in
comparison.
One of the points I've made is we rely on things you know, like
biometrics, for example, the selfie match tool.
You know we're nearing a point, as AI gets more sophisticated
and our adversaries start to use it, where we can't trust any
face or voice or video.
(17:06):
So, and there's a lot of things I look at as a practitioner in
the identity space and I say, well God, can we really guard
against it?
And in some cases we can with, you know, maybe AI-powered
liveness detection, but there's going to be a lot of really high
quality spoof out there.
One thing AI does not know how to defeat is public key
cryptography, at least until it gets married to a post quantum
computer in 15 years, and then we'll all be bowing down to the
(17:28):
machines.
Getting back to what you talked about with FIDO and the great
things that are happening there in terms of solving
authentication, finally getting beyond the password, that's,
leveraging public key cryptography, being able to find
proof of my identity to some form of public key cryptography,
like that digitally signed credential I talked about that I
want on my phone, as we're asked more and more to prove
(17:49):
that we're human.
It's gonna be really essential, I think, to have proof of
identity bound to some sort of a thing that the AI is not able
to defeat.
Steve Wilson (17:57):
Yeah, something
physical. George and I often
say that this whole problem space boils down to data and
metadata, but certainly that's the perspective of the relying
party.
That's all they've got to look at is data.
But the physical aspect that you hit on there, I think, is so
important and it's sort of key to FIDO.
But AI can't defeat public key cryptography because it can't.
(18:19):
You know, no large language model can walk out of the
machine and grab hold of your key and enter a PIN and take off
with it.
There's no scalable attack there.
That because of the beauty of the hardware and the public key
cryptography.
You make such a good point.
I just love hearing you say that, Jeremy.
Jeremy Grant (18:35):
To be clear, PKI
offers a lot of headaches as
well.
It's not that I want to say that it's the easy solution, but
again, this is where I mean certainly some of the
discussions I have with, you know, I would say national security
officials who are thinking about this, and how do we start to
get ahead of, you know, what could be a wave of scams and
cyber crime that you know sort of puts to shame some of what
(18:56):
we have seen to date and I don't mean to be sensationalist, I'm
just it's not too hard to sort of see where this could be going
or where some of it already is in terms of the trends.
Well, you know, how do we actually start to decide that
this is actually a priority?
How do we decide this is something we really care about?
To me, this is the sort of thing as you see these threats
on the horizon on top of what's already a very significant
(19:18):
identity related cyber crime problem that's largely
benefiting hostile nation states and organized criminals.
It's not like anybody nice is taking this, who we want to have
our data or our money, but as you sort of see the types of
attacks that are on the horizon, to me, this is the sort of
thing where you would like to see your leaders acknowledging
the threat and coming up with a strategy to proactively deal
with it, and we've been advocating for a lot of that
(19:40):
within the coalition.
I would say there are a lot of people in the Biden
administration and Congress who get it, but not necessarily
enough to make something happen at this point.
George Peabody (19:51):
And would you
say, Jeremy, that one of the
challenges of democracy is that we have administrations that
turn over on a periodic basis and then focus changes based on
that?
Jeremy Grant (20:02):
I mean, sometimes
change is good, right.
So you know I, you know.
So, look, I've worked in Democratic politics a little
over the years.
I very famously sent out some fundraising emails during the
2020 campaign that said you can't spell Biden without ID.
Because I was very bullish that, after the Trump administration
had more or less ignored this issue for four years, that a
(20:25):
Biden administration would look to pick up on the leadership
shown by the Obama Biden administration, which, not to
say that NSTIC was the be all, end all, but this was, you know.
At least there was a strategy and a vision for how to move
forward and it came out of the White House.
Yes, and instead there has unfortunately been nothing.
(20:46):
The efforts to date from the administration have largely
focused on trying to address identity fraud and government
benefits, which is a very small subset of the problem, and I
think there's a challenge and you know we've made this point
and there are those who get it but some who don't which is it
is the same organized criminals and hostile nation states taking
(21:09):
advantage of the same two, three and a before deficiencies
in digital identity infrastructure and it really is
infrastructure, if you think about it properly to steal not
only from government but from banks and health and retail and
fintech and cryptocurrency exchanges.
It's all the same stuff.
It's compromised passwords or compromised MFA, it's synthetic
identity fraud.
It's hey, I know the five things about you so I can be you
(21:32):
and take over, set up accounts in your name.
None of this is overly sophisticated.
In fact, the reason we see so much of it is the attacks have
become scalable.
But if you just try to treat this as an issue around
government benefits, you're gonna fail, in that
solving the government benefits issue doesn't mean you build
new infrastructure for government benefits.
It means you build infrastructure that can work in
(21:52):
every one of those verticals and then government consumes it and
it's also a much better experience at that point for
Americans who look at to get those services.
George Peabody (22:00):
So that requires
a government agency who has
been issuing credentials for legibility purposes between the
agency and its users, the citizens, to really rethink the
utility of that account number that they created.
What's it gonna take to get agencies?
What do you think is the right approach to convince agency
(22:22):
leadership that, hey, there's a bigger use for the credentials
we already have?
Jeremy Grant (22:28):
If you leave it to
the agency heads who are in
charge of issuing driver's licenses or state IDs or
passports or social security numbers, which are not really
credential, but at least an identifier, to figure out which
George Peabody you are, you're not gonna get too far.
This, honestly, isn't their job, or at least they don't realize
it's their job.
(22:48):
Yet and I mean as an example, the driver's license bureaus for
years, when they had these discussions about identity,
would say with a totally straight face we are not in the
identity business.
You see what I mean?
Say, we issue you a card that says that you are authorized to
operate a motor vehicle driver's license.
The fact that other agencies and private sector entities like
(23:09):
to use that as proof of identity is mildly interesting,
but that's not what we're here for.
We're here to say you can operate a motor vehicle. Now,
Congress then in 2005 passed, with some controversy, the
Real ID Act, which forced federal standards onto the
states.
That kind of made it their problem.
(23:29):
Even then, it took a while for a lot of them to sort of
recognize.
I think what you're seeing now is some states are waking up and
saying this is a dumb argument.
Of course we're in the identity business, and why don't we
recognize that and then take a step back and think about what
does that mean in terms of what our role should be?
So I do think that you're now seeing a lot of DMVs who are
(23:50):
taking a more modern approach to things, but it has taken, I mean,
I would say, over 20 years for this conversation to happen,
and even now you will still have some states who are looking
very much to just keep doing what they've been doing.
This is why we've tried to focus our policy blueprints one
for the federal level and one for the state level and the
Better Identity Coalition on state legislatures, governor's
(24:12):
offices at the federal level, Congress and the president and
his administration.
I mean, you shouldn't necessarily expect change to
come from within, but you can have those bodies that actually
supervise agencies in the credential issuing business and
that maybe have the ability to think a little more
strategically about this.
They can change things too, and we think that's really where
the discussions need to go, as opposed to beating up a DMV
(24:35):
director that they just don't get the vision of the future.
George Peabody (24:37):
Got it.
Steve Wilson (24:38):
Well, one of the
powerful things we think about
the Better ID agenda, the initiatives are incremental.
That's not to downplay the enormous impact of those
incremental changes.
But to us, the important thing and we've learned this the hard
way for many years that when you come up with a radical new
digital vision for people and you change the meaning of
(25:00):
business rules or you take the rug underneath people's feet
about how they deal with risk, they can't cope with that.
I think there's five initiatives in your Better ID
Coalition agenda and they're all incremental.
They're things like stopping so stupid with the social security
number.
Jeremy Grant (25:16):
Stop pretending
that it's an authenticator.
It's not a secret.
It's great as an identifier,not very open.
Steve Wilson (25:22):
We think that
preserving or conserving the
meaning of data and the processes behind the data is
probably important so that we don't scare the horses and
people are still comfortable in their own agency missions.
But we've got to make that data better when it winds up in
people's hands and it's less vulnerable to replay and et
cetera.
I like one of the things you said at Identiverse, I think,
(25:44):
Jeremy.
I don't know why you called it a uniquely American approach,
but maybe that was marketing.
But I love the way that you said why don't we take these
ideas that we have now and make them presentable digitally?
Have I got that right?
Jeremy Grant (25:58):
Yeah, that's
pretty much the thesis and I
will say I mean here's why I think a uniquely American
approach is needed is for years I mean certainly when I was
running the NSTIC program for the Obama administration we
would talk about what we were trying to do with the identity
ecosystem and partnering with the private sector.
You know, if I had a nickel every time somebody in the
audience said, but what about the Estonians?
(26:19):
Or but what about the Indians?
I'd probably have about $8, which mean that wouldn't be rich.
But it's got asked a lot and you know, like the point I made
for example, look, India, for example I think it's just safe
to say as an example with central match biometrics, would
never fly politically in the US.
Estonia is really interesting in that I mean, look, they've
done some wonderful things for government services with their
(26:42):
smart card program.
But I also point out that Estonia is a country with a
population that is less than that of Fairfax County, Virginia,
the suburb just across, you know, the river here in Northern
Virginia, and it's actually a lot less diverse than Fairfax
County.
And also, Fairfax County is not motivated by an existential
threat immediately to its east because, you know a big driver
(27:03):
for the big investment in digital government that the
Estonians made when they became an independent country again was
they're worried about when the Russians come in, and to them
it's a matter, as we've seen with Ukraine, of you know if and
not when, or at least that's how they're thinking, and they
want to be able to run a government in exile which is a
really great driver for issuing, you know, very robust smart
(27:25):
cards to people, but a little different from the stuff we're
working with in the US.
So, look, the US has never had a national ID.
The idea of one, I think, triggers a lot of negativity on
both the left and the right.
People aren't comfortable with it, and so one of the things we
thought about doing when we were creating the policy blueprint
was to say what can we suggest?
(27:46):
That's a little bit different, because too many times in the US,
you get into maybe three minutes into the digital
identity conversation and Estonia or India derail it.
Yep, and how could we change the thinking to actually say here's
another way we could do stuff?
And so I think the best compliment I ever got on it was
(28:06):
from Congressman Bill Foster, who spoke at an Identiverse
back in 2019, I believe, in Washington DC, right, and he
said what I like about this blueprint.
This was in his keynote, so I think it's fine if I quote him
here what I like about this.
I've been looking at this issue for a long time, and this is
the only organization that's come up with an approach that's
both technologically feasible, could solve the problem, and
(28:28):
it's also politically feasible.
It's not going to trigger people to take to the hills with their
guns in protest, because we're not talking about creating any
new identity systems whatsoever.
We're just talking about coming up with digital counterparts
and attribute validation services that are based off the
systems we already have today, and I think what we have found
politically in conversations with folks on all sides of the
(28:50):
political spectrum is when you explain that, they kind of go oh,
that doesn't sound so controversial, exactly.
Steve Wilson (28:58):
It's incremental,
it's safe.
So we're seeing the same thing in Australia after about 12
years and three different rounds of draft legislation.
The latest installment has dropped about two months ago and
it's called the Digital ID Bill and I read it twice before I
(29:19):
realized that the phrase digital identity doesn't appear, and I
think it's a significant pivot to go from digital identity to
digital ID.
I think that ID is a safer term but, more importantly, it's not
a new thing, and our digital minister it happens to be the
minister for finance has ownership of this bill and she's
(29:40):
been very strong and articulate for some time that a new
digital identity is not on the cards, let alone a national ID,
because we share the same allergy down under as you do in
the states for a new national ID.
But it's not needed. At Lockstep,
we think what's needed is to make the data better and make it
(30:02):
useless to criminals.
But this new digital ID legislation sets up a governance
framework within which you can demonstrate the fact that you
have a set of IDs driver's license, birth certificates.
It's the normal vocabulary or the normal grammar of
identification, but made digital.
I don't think there's anything scary in that.
Jeremy Grant (30:24):
It shouldn't be to
most people.
I also think it's interesting.
When we launched the NSTIC in 2011, we were very careful to
say this is not a government-sponsored digital
identity.
It's all voluntary and all be driven by the private sector,
because we were really trying to avoid triggering any of those
emotions or different political groups and not to say that we
(30:48):
didn't envision that the government might have some role
in this.
But there was an aspect of it where I think, in retrospect, we
maybe were overlooking the elephant in the room which is,
at the end of the day, the government's where the data is.
The government's the only authoritative issuer.
We've got a bunch of private sector systems that are trying
to guess who's who.
Some are decent at it, but let's not.
(31:11):
Let's not be afraid to talk about why government's playing a
more direct role is important.
With that, I think we've also seen, in the 12 years since that
strategy was first published, I think another generation has
come into the digital age where, look, in 2011, we wouldn't have
smartphones.
(31:31):
I mean, a few people did, but it was still a pretty new thing.
I had a flip phone when I went into government at the time but
the idea of having these things that are very powerful and
people are used to using as a remote control to their lives,
and also just the fact that you're asked so many times each
year to prove who you are to do something.
People are tired of it.
(31:51):
The idea of something as simple as I mean gosh.
Again 2011, most people didn't have smartphones.
Now we're carrying everything else on our phone.
Why wouldn't you have your ID in it?
People get this in a way that I don't think they would have a
dozen years ago.
George Peabody (32:06):
Yeah, we'll sit.
What haven't we asked you, Jeremy?
Jeremy Grant (32:09):
Happy to talk
about what's going on.
We've got a, there's a legislation the Improving
Digital Identity Act which we keep trying to drive forward or
try to get the White House to do something based on it.
We do point out you don't need a bill to actually tell the
White House to launch an initiative to try and close this
gap between physical and digital credentials.
That's optimistic conversations with some folks in the House
(32:32):
and Senate this last week, but I've also learned there's 10
steps to get a bill passed into law.
You can get to nine and then somebody pops up and blocks you
on number 10.
And so it is a challenge that we still have, I think, to drive
progress.
Likewise, the White House had a really great section on digital
identity in their national cyber strategy in March of this
past year.
When the implementation plan came out, we were all excited to
(32:54):
see what they were going to do next.
They skipped right over it, as if it was never in there, which
I will say.
There is disagreement in different parts of the White
House in terms of whether they should do something, in how, and
so I think there's some work that needs to be done to
overcome some of those concerns as well.
Steve Wilson (33:10):
I'd like to say
watch this space in Australia.
Sometimes the five major Anglophone countries take it in
turns to try something innovative in cybersecurity and
I think that perhaps we're going to see a really modest way
forward and maybe a model coming out of Australia.
We'll see what happens.
We're supposed to have a legislation developed and passed
by June of next year, but there'll be quite a lot of
(33:32):
governance to put in place in the meantime.
It'll look like some of that mature governance that we've got
in our open banking system here and we'll build on that.
Jeremy Grant (33:41):
I'm rooting for
you here and that we need more
good examples of how to do this in a way that works and that
candidly gets people worried that if we don't have something
similar in the US, we're going to be falling behind.
A point we keep making in our discussions with policymakers is
that doing nothing is also an active policy choice.
Indeed, you can look at do we pass this bill or not?
(34:03):
That's often what the question is.
A no vote means you're going to do nothing.
You're going to preserve the status quo, which, in some cases,
in some policies, is the right thing to do, but here, every
year that we decide to do nothing means it's another year
that we're falling further behind our peers like Australia
that are leading on this, not to mention in the European Union
and other countries across the globe.
(34:23):
It means that the identity-related attacks that we see in
cyberspace get more sophisticated and we don't have
a strategy.
So doing nothing, even if you don't love the options, it's not
a particularly good answer at this point, you know.
George Peabody (34:38):
Jeremy, I come
from the payments industry and
we noticed after chip cards were deployed in the UK and Europe
around the rest of the world that fraud was migrating happily
to the US because we were only a magstripe country at the time.
I told the story today, getting the same effect right now, with
fraudsters who are seeing us as more vulnerable and, of course,
(35:03):
a massive target, this is a story today to a room full of
congressional staff.
Jeremy Grant (35:11):
I said in 2011,
Mastercard, at the conference I
was at, revealed a stunning number, which is that the US
accounted for 25% of all global transactions, but 50% of all
payments card fraud, which meant we had an eight times higher
fraud rate than the rest of the world, solely because we were
stuck on magstripes while the rest of the world had moved to
secure chip.
And it was only after the Target breach happened in 2013
(35:35):
that it was bad enough.
Enough money was lost.
The damage was bad enough that the banks and the retailers
finally said we're going to move to chip.
And I feel like we're at a very similar point right now when it
comes to digital identity, in that, as other countries are
moving ahead, we are going to be the last one standing hanging
on to our old, archaic plastic cards and legacy systems trying
to guess who's who, and we're going to be that eight times
(35:58):
higher fraud rate again, if not more.
Steve Wilson (36:00):
The one thing that
gives me some pause is that on
my last trip to the US and I don't travel that often anymore,
but I was delighted to see how many average retailers were
accepting my Apple Pay.
Even use Apple Pay on the San Francisco subway.
Now, if you can click to pay, then you should be able to click
or tap to present, and we think that maybe the US has got this
(36:23):
ability to in fact leapfrog.
Now that there's a increasingly a social acceptance of using
this smart technology to send ones and zeros that relate to
your payments, well, why not use the same technology to send
ones and zeros that relate to your driver's license, your real
ID, your birth certificate?
Jeremy Grant (36:40):
I mean, it's no
coincidence that in a lot of the
companies that are driving digital identity solutions, it's
the same team that's working on payments right now.
The tech platforms, this is integrated.
I mean they really see them as very complementary to each other.
George Peabody (36:59):
I'll be a little
bit grumpy in that in the
payments industry, there's revenue associated with each
transaction for multiple parties, and when we're talking about
digital ID and security in general, it's a cost.
So I'm hoping that there's a world where, just like, the FAA
will move the aviation industry instantly if it decides to put a
(37:24):
rule in place.
Do you think, Jeremy, we're going to need that kind of
rulemaking to start to address this?
And that's not such an incremental change, that's a
fundamentally I mean it's hard to say Look part of it.
Jeremy Grant (37:37):
I think, at least
in terms of solving identity, is
a lot of it gets back to government doing something
itself, as opposed to trying to force industry through
regulation.
I think there's an interesting discussion around.
I mean, more broadly, what's been going on in the
cybersecurity space, where we've been in at least a 15 years
argument over do we regulate critical infrastructure here or
(37:58):
not, to mandate things like phishing resistance and
multi-factor authentication versus just using passwords?
And on that side I will say anytime you talk about
regulating one, you've got one party that just doesn't like the
idea right from the start.
But also, how do I say this? In aviation, the thing that's going
(38:18):
to make a plane crash today is probably the same thing that was
going to make it crash 10 years ago, and in 10 years we're now
probably not a lot's going to change.
You'll see some changes around the edges.
In security, technology is changing constantly, threats changing
constantly, and so I would say the anti-regulatory crowd does
have a good point, which is that if you get too prescriptive,
(38:40):
you may find yourself pointing to a bunch of compliance crap
that's out of date.
I mean, we see this all the time when I mean heck.
The SEC just filed a lawsuit against SolarWinds this week,
holding their CISO legally accountable, because they claim
they had better password policies than they actually did.
And my first reaction on that was password policies.
(39:01):
Who gives a crap about password policies in this decade?
Like you can have a 30-character password and it'll
still get phished.
I mean, we're fighting the last war too many times, so I'll
just offer that up as a cautionary note. Every time we
think forcing action.
You really have to craft those things deliberately.
George Peabody (39:20):
Well, Jeremy, I
think we need to leave it there.
Terrific having you on Making Data Better.
Really appreciate it.
Jeremy Grant (39:26):
Thank you for the
invite.
This was a pleasure.
Steve Wilson (39:28):
Well, that was
cool.
That was very good.
If we're reflecting on what he had to say, I mean, I think he
nailed it.
You see the same pattern, don't you?
Time and time again?
Benefits fraud, payments fraud.
He talked about synthetic identity.
You and I are talking about data generally.
Jeremy raised faces and videos for selfie matching.
(39:51):
You don't know if any of that stuff's true.
So it's all about provenance, isn't it?
I mean, he said the same pattern is occurring all the
time.
Let's not just pick on social benefits fraud.
If you could reuse those patterns, what do you need to
know?
How are you going to know that the data is true?
And it seems to me that time and time again, we're seeing the
(40:12):
same thing.
How do you distribute the meaning of data so that you can
tell what's in front of you is true or not?
George Peabody (40:17):
We have a lot of
work to do.
Steve Wilson (40:19):
Yeah, we do.
We've got a lot of stories to tell and if we can make those
stories simple and not triggering I love the way that
he was conscious of not triggering people with digital
transformation I think that that's the trick.
George Peabody (40:34):
Well, I think,
yeah, among other things, we
ought to be encouraging folks to look at the Better Identity
Coalition and their policy papers.
We'll put that in the show notes.
All right, we'll see.
Thanks, very much. Glad that we're doing this again.
It's been a pleasure to talk to you.
Steve Wilson (40:49):
Good stuff, George
Prepare for another Desmond
Show generation.