Let’s talk about digital identity with Jim Pasquale, EVP Interoperability at digi.me.

In the final episode of series 2, Oscar and Jim discuss the problem of “digital exhaust” – the data trail (including identity data) that consumers leave as they go about life online, which they often have little control over. Jim fills us in on why this data needs to be better managed – and how. He also explores the importance of interoperability, given his role as Chair of Kantara’s Information Sharing Interoperability working group.


“Businesses need to use mechanisms to give data back to the individual – because if you give data, you’ll get better data back”

Jim Pasquale is a veteran innovator with a passion for disruption. He has deployed large and complex software systems with the world’s largest telcos and communications companies to improve engagement, conversion and customer experience. Jim is currently EVP Interoperability at digi.me.

Find Jim on LinkedIn and Twitter @jpasquale.

Find out more about the organisations Jim’s involved with: digi.me, kantarainitiative.org/groups/isi-work-group and me2ba.org.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

That’s a wrap on series 2, but don’t worry – we’ll be back soon with series 3 of Let’s Talk About Digital Identity, the podcast connecting identity and business. Subscribe to get new episodes in your feed, wherever you get your podcasts.



Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining this episode at the end of the season for Let’s Talk About Digital Identity. And one of the things we haven’t talked too much is about sharing data – particularly there are scenarios when it’s definitely a good idea to share data. And for that, we are going to have a special guest who is Jim Pasquale. He is a veteran innovator with a passion for disruption. Jim has deployed large and complex software systems with the world’s largest telcos and communication companies to improve engagement, conversion and customer experience. Jim is also Executive Vice President Interoperability at digi.me.

Hello, Jim.

Jim Pasquale: Good morning, Oscar. And thank you for the opportunity to have this conversation this morning about the importance of providing real-time or near real-time data and being able to share.

Oscar: Yeah, thank you. It’s a pleasure talking with you, Jim. So, I would like to hear more, we would like to hear more about how life led you to this world, working at digi.me and in digital identity.

Jim: Sure. So, I’ve been in the computer industry for over 35 years, predominantly in software and mostly in data communication software infrastructure. What really led me to much of the digital identity work that we do today was my 15-year experience at a company called Novell who had deployed probably one of the very first PC-based or LAN-based X.500 identity programme. And really, when we talk about the idea of identity it goes beyond a person, so it includes people, places and things. And not only how to identify them but how to structurally place them in a directory so that they’re easily accessible and able to be found.

Oscar: Excellent. So from the time at Novell, you were working already on the very early days of identity as we know it today. We have been discussing because we have been collaborating for a couple of years at least in Kantara Initiative in the workgroup related to information sharing. So, we know that today in this fast-paced digital world we are living, there is a lot of what is called the digital exhaust, everywhere, everything we do we are – some data is leaking. Well, we are letting some data, personal data go and of course some companies are taking that advantage. So, tell me from your perspective why this is a serious problem and why we should act.

Jim: Certainly, because really when you think about the way companies acquire this digital exhaust about us, it is really a kind of mechanism that I refer to as being taken from behind your back. So, instead of companies acquiring this data in a more ethical manner, they tend to scrape and scratch data wherever they can. And the unintended consequence of doing this in many cases is that they are acquiring data that is no longer accurate or applicable in many cases to what you are as an individual doing at a certain point in time.

So, I can give you a quick example of that. And let’s talk about the mighty monster called Facebook. So, you go out on a website or go to a search engine and search for a particular item. Chances are you are going to make some kind of buying decision and in almost an immediate kind of time frame. So that buying decision might be buying it online, it may also be going to a store and – a brick and mortar – and actually acquiring the item itself. So companies, ad companies, advertisers grab a hold of this information through your Facebook account that’s tracking you everywhere you go and scraping a lot of this information. And they start to present these advertisements, these ads to you when a good majority of the time you’ve already made a buying decision, and in many cases you may have already acquired the item.

Now, this becomes a serious problem because they’re wasting ad dollars, you’re wasting your time being presented with these ads that are no longer relevant to a point in time. And it all happened because from the very beginning the mechanism used to share the information or your intention to do something was not done in front of you as far as an intention goes. And so, one of the ways that we could act upon this is if we had mechanisms that understood what our intentions are, or what they might look like as far as what we would like to have.

I know that although I’m not what one would call a Facebook power user, I am constantly clicking on ads and saying that the ad is no longer relevant because I’ve already purchased the product. And so, to me, that’s a lose-lose and the only one that really wins is the social network that their little cash register made a few pennies here or there for basically presenting an advertiser with stale data.

Oscar: Yeah, yeah. You have illustrated pretty well this problem and those companies extracting too much information especially information that becomes irrelevant. It doesn’t help either of the way, neither a company and neither the individual.

Jim: Absolutely Oscar and the other unintended consequence in many cases is all of these little components allow other companies then to start to build a profile around the individual. And many times that information is not correct.

So as an example, I may be looking for a birthday present for a close friend who has a hobby that I don’t share the same interests with but yet after someone’s gone ahead and put all of that information together I start to receive all of this advertising around something. Let’s use fishing as an example, that is not necessarily a hobby of mine because my hobby happens to be racing cars or exotic cars or things of that nature. And so, there’s always this misalignment of the information that gets presented to us which again is a lose-lose for the advertiser and the individual whose time is wasted because they’re presented with it and you kind of have to look at it or in many cases act upon it so that you don’t continually get these ads that are not interesting to you or something that you’re interested in.

Oscar: We are clear that in those cases the individuals don’t really want to share that data. It’s more or less they are forced to do it. But there are cases in which it makes more sense for the benefit of the individuals and from the society in which an individual should share some information with some service provider. So, what are the good reasons when information share is yeah, it’s a good reason?

Jim: Well, the most important reason is doing it through consent. That’s for starters. Consenting upfront to some general terms of what a service provider might actually be asking for. When we use the term ‘service provider’, it’s a very broad kind of term. That could be an advertiser, that could be a manufacturer, that could be an actual provider of your actual internet connection in many cases. And so, sharing that information with them, again, is a good idea because you are now sharing your intention upfront rather than the information being scraped. And, I’ll use the term “loosely put together” so that an advertiser is taking a pretty big chance that the information that they’re getting is not accurate and in the sense that it’s information that – let’s call it past information, not future information or present information of how you want to act or the intentions that you might have while you’re online.

So, the online experience is very different than walking into a brick-and-mortar store or walking down the street whether it’s a cookie that’s been planted or bot that’s been sitting on your mobile device – that’s tracking your location to try and coerce you into purchasing something you had no intention from the very beginning of having. So again, ads become very nuisant orientated and a nuisance on your phone or your mobile device when in fact the location-based advertising really becomes quite annoying because once again you might be walking from point A to point B and you’re not necessarily interested in any of the local advertising that might be offered by different companies.

Oscar: What are the solutions for all these problems?

Jim: Well, you don’t know where that location information is being shared. And so, again, there can be serious and significant consequences to where you have been, because in many cases, that’s a real intrusion on our privacy, our privacy of where we go, and what we do. And so, you want to be able to share that information on your terms and conditions, and not some unknown entity where you don’t know how that information is being used, who it’s being shared with, how it’s being shared, and how it might be also used to build a profile of that you walk a certain distance or a certain way, use a certain route to get from point A to point B.

Now, on the other side of that, if you could actually share that information on your terms, let’s say with a health app, or a fitness app, that fitness app might be able to then offer you a different route to take that might add more steps to the daily amount of steps you take. And it’s a win for the fitness app, because they’re providing a better value exchange in providing you information at a more granular level. Because now, they’re not just counting how many steps, they’re actually recommending that you might take a different route, or go a different way to obtain your goal for the number of steps per day.

So to me, that’s a perfect example of how sharing real-time information on your terms, using consent, is now a win-win for everybody. It’s a win for the app provider, because they’re providing a better value to you by providing better information and more accurate information. And it’s certainly a win for you because it’s helping you obtain your goals. There’s another good reason why sharing real-time information or information that’s based on your knowledge and consent is a good idea.

Oscar: Yeah, I think now it’s more clear. One of the components of course, as you say is consent. So consent to the use of your personal data. And then it comes the – this user agreement, right? The user agreement with the use of data, what is going to be done with that data. That something recalls me, I talked with Lisa LeVasseur from Me2B, and that’s one of the components – the user agreement. How technology in the case of service provider or apps, however they are called in the context, make respectful agreement relationship with the individual.

And makes a lot of sense the example you gave about an app that you share with a health app, a fitness app, you as an individual, you are receiving something back, some value, that’s the most important. So it sounds like a good deal in a way so you consent to share some of your data because you are giving some value back. So those are, of course, when the details are seen and I think those are good examples for how data can be shared. And could you tell me, you’re working in digi.me, so how you are addressing – how digi.me is addressing this situation of sharing data?

Jim: The main value proposition in the digi.me ecosystem in and of itself is the fact that it is a simple, safe, reliable cloud service to be able to have personal data in the individual’s control. So when you really think about the large or enormous number of silos where our personal data is kept. And when I talk about – or when we talk about personal data, we really go beyond just name and email address. There are a lot of privacy concerns around where that additional information, age and other PII, Personally Identifiable Information, is stored.

And there are very few companies, although there are some that are now emerging, that are doing a better job at giving you the individual the ability not only to see that information and, in some cases, correct the information if it’s not accurate, but also provide a downloadable copy of that information. And once individuals have a copy of that information, they then become the centre piece, or the centricity of all of that personal data. And being able to again, share it on the individual’s terms becomes quite interesting. Because not only can companies offer a value exchange for sharing that information, but companies like UBDI as an example, that use their own end digi.me access for people to share that information, compensate individuals through a monetary exchange.

That’s a very slippery slope. There is so much information, or the digital exhaust that we talk about, about us as individuals that are already out there that are of very little value, with the exception of health information. Health information still continues to drive the highest cost to acquire for other companies. Thank goodness for regulators and health information securing it that the restrictions and restraints on that information have kept the value of it relatively high. Because as we’ve seen in the past, when some of that information gets out in the wild, like maybe a young girl, the example that’s been used in the past that a young girl goes off and purchases a pregnancy test and that information is let loose into the – I referred to it as being let loose out into the wild, and right after that, suddenly, there’s a lot of searching going on about having a baby, and things of that nature. And regardless of whether that teenager is actually pregnant or not, now you have a situation where advertisers are going to be bombarding that person with all kinds of advertising that, well, it may be applicable, but may also not be very applicable above and beyond the fact that it would be in my mind a huge intrusion of that individual’s privacy.

So, this whole idea of monetarily compensating individuals, because there’s so much information that’s out in the wild already about us, that digital exhaust that we talk about all the time that we tend to, including in Kantara and the Kantara Initiative, really talk about information sharing based on some kind of value exchange. And so it doesn’t necessarily always have to be some type of payment in some monetary form which today, again, because there’s no control, there’s no centricity from the individual out doesn’t have an awful lot of value.

Now, I think as more and more people become savvy and more knowledgeable about personal information, and there are more companies offering ways for individuals to safely and securely not only acquire all that information, but then be able to share it on their terms, will we see that value of that data increase and potentially some companies provide more of a monetary compensation, which is something that UBDI is trying to do. They’re a small start-up company out of LA, in California. And several years ago, they were very focused on a universal basic income, and being able to provide a universal basic income based on the sharing of personal information.

But as you can imagine, like many other start-ups that are in this area, it is a struggle. And it’s a struggle because much of the data is still locked up in big enterprise silos, and not very accessible. Although, with things like the GDPR, and some of the legislation now that’s starting to come through in North America, like the California Consumer Protection Act, there’s also some legislation around privacy and data sharing that’s going through the state of New York, Illinois, the States are finally starting to recognise that there is a reason to provide regulations to protect their citizens and the residents of those different states, because the information abuse has gotten really out of control.

So, it’s a hard problem to solve. It’s not an easy problem to solve. And it’s not going to happen overnight. And it’s going to require individuals to become more cognizant, more aware, and certainly more sensitive of all the information that is spewed out, and then kind of acquired by these unknown entities. And a perfect example of some of the companies now that have awakened to providing better privacy, or some of the recent announcements by Apple, and even some of the announcements that Google has made around the whole idea of protecting personal identifiable information or PII and personal data, and not sharing it without the individual’s knowledge.

Again, in the cyber world, or in the world of the internet, it’s much more challenging to do because of the IP protocol being used to provide solutions that it was really never designed to use. So we tend to bolt on all this additional software, and provide these additional features that have lots of backdoors in them. And savvy companies have figured out ways to get around those additional security capabilities in many ways. To me again, that would also be another example of why placing the power of the individual having control over their personal data becomes a strong value proposition, not only for the individual, but for companies that are interested in having a conversation and understanding the intentions of what an individual might be interested in or have a desire for as far as a purchasing or acquiring either a better solution or an actual physical product.

Oscar: Yeah, it’s – the way you have summarised this problem, as you said, it’s complex and it’s going to take years to be completely solved but also, as you mentioned, like Apple, Google already are taking steps into the right direction. You also mentioned this – some companies who are doing well sounds quite interesting business model, such as doing some way of monetising the data sharing and creating this universal basic income, that’s quite ambitious. And let’s see how that goes but yeah, that’s interesting – interesting initiatives that we see today.

One of the other things I would like to talk with you briefly is – you are a digi.me Executive Vice President of Interoperability and also in the workgroup where we are working together is the Information Sharing and Interoperability. So tell us what is the keyword “interoperability” through this context.

Jim: In order to do that, let me give you a quick explanation of how digi.me addresses the problem today. And simplicity is usually the fastest route, if you will, to providing a solution. And so one of the unique capabilities around digi.me is its simplicity. It allows you to take the user credentials that you have in let’s say, fitness, financial, banking information, social networking, media, digital lifestyle, we refer to them as data channels, because they’re channels of information. Most of us have more than one financial institution that we deal with.

But in today’s mechanisms without digi.me, you have to go and download your financial information from each of those institutions, and then somehow put them all together. And you have to do it in a very safe and secure manner. And so that’s what digi.me really addresses. It allows you to go off and collect all that information in a secure encrypted manner from the time the APIs that are offered, those are application program interfaces that are offered, to set up a secure communication, an encrypted communication channel to download that information and then keep it in a cloud source like Dropbox or OneDrive, or Google Drive as an example, where all of this information is placed in a syntax and an ontology that makes it highly accessible as long as the encryption, or the permission, the consent has been granted by the individual to share that information.

So applications can actually be developed where they are either run in a continuous basis, meaning that they would like to be able to see information on an ongoing basis. Or perhaps it’s just a one-off time that the information request comes through. And then the individual has the ability through a feature called Private Sharing to consent to sharing the information.

And the interesting part of that, that makes the digi.me product very GDPR compliant, is that the requester of the information or the app for that matter has to lay out what information they want? What are they going to do with the information? Do they want to just look at the information and take away a result? Or, are they actually going to take the information and store it? And if they are, how long are they going to do it? Are they going to share it with anybody? In other words, potentially you know the data broker. And are they going to adhere to the individual’s right to erasure, or as many people refer to it ‘the right to be forgotten’, which is a little bit of a misnomer because from a regulatory standpoint, companies that acquire certain information, certain PII are bound to hold that information, in many cases for a fixed period of time, which may be outside the individual’s desire for a company to have that information. But legally, those companies are required to do that. In many cases that happens in financial institutions as one can imagine, from a legal standpoint, and also from health information.

So digi.me is very easy to use and develop applications that actually respect individual’s privacy by acquiring data from the individual through their consent. And the result of that, and you can go to the website, there are several applications in the accelerator programme that help a developer understand how simple and straightforward digi.me makes it to acquire that encrypted data that sits in a cloud service in a digi.me encrypted mechanism and methodology, which has been referred to as being military grade and battlefield tested because it uses 256 instead of 128 crypto algorithm to do public-private key transfers back and forth, which is really-. What digi.me is doing is managing those keys on behalf of the individual back and forth, holding businesses accountable to acquiring the data and then either holding the data or getting the result of the data.

So we can actually do data analysis on a device and allow only the result of the data to be presented to the application, without the application ever really having acquired in their own silo that information, whether they were to delete it immediately after the calculation or not. So, again, it’s a very simplistic approach to a very complex problem that makes it easy for developers to write applications that actually provide a more respectful way of acquiring the information by making the individual part of the conversation and not acquiring the data, which may not represent the individual at a certain point in time of present or future, and is usually not very accurate because it’s based on past data points and data collection.

And that is really what digi.me provides in what we believe is a new and exciting way. And there are a host of other companies that are emerging, many of them are part of the MyData and are data operators within the MyData initiative. Many of those companies participate in the Kantara Initiative, whether it be in the information sharing interoperability workgroup, where we work on building specifications to allow the different implementations of acquiring personal data, a way to interoperate with each other.

So what one of the goals of the ISI workgroup, or the Information Sharing Interoperability workgroup, is to make data in the future behave and act much the same way the mobile operators have been able to build an ecosystem where it doesn’t matter whether I have an iPhone or an Android phone. It doesn’t matter whether I’m on an Orange mobile network, or a Verizon or an AT&T network. We are able to communicate with each other and share information verbally with each other, in some forms digitally. My reference there is with texting and SMS seamlessly, that doesn’t happen today at an application level. And it certainly doesn’t happen today at a browser level.

So those are future goals that we work towards, or one of them at the Kantara Initiative. And so, whether it’s Information Sharing Interoperability, or building specifications for a mobile driver’s license, or better access to not only acquiring health information, but then being able to share information, which comes out of a group called the FIRE group in Kantara. These are all around your personal data being used. Your identity, when you think about it today, one of the greatest access mechanisms to prove who you are is based on the data that you have created – your bank account, health information, your social reputation, and things of that nature. So while many companies have over the years, as they should, and will continue to do in a right way, provide digital identity at an enterprise level, whether it’s employee identity, or customer identity, there’s this requirement, this new requirement to use that digital identity from those enterprises in new ways that have not been available in the past to the individual to – I’ll use the term reuse or be able to use to prove who they are.

And of course, we start to talk about certainly not for this podcast, but maybe in another series in the future of how some of the technologies around blockchain allow that to happen. This whole notion of a self-sovereign identity and how one could use enterprise digital identity mechanisms to have a self-sovereign identity.

Oscar: Yeah, absolutely. It’s a big universe. What an amazing work you are doing there in Kantara Initiative in the Information Sharing and Interoperability workgroup. We are coming to the end of this interview, I would like to ask you a final question so Jim, for all the business leaders that are listening to us, what is the one actionable idea that they should write on their agendas today?

Jim: So to me, and for us in the Me2B Alliance, in the MyData operator initiative, in the Kantara Initiative, companies like digi.me, and digi.me themselves is that businesses need to use mechanisms to give data back to the individual because if you give data, you’ll get better data back. And it’s as simple as that Oscar, businesses need to stop what I call stealing data from behind the back of the individual, ask for the data upfront. I would suspect that the majority of the time individuals are very willing to share a lot of data, sometimes too much data.

When you think about some of these social media games, people have no idea that when they play these games that require them to put in their birthday, to find out I don’t know, where they’re going to retire, or when they’re going to retire, or some futuristic kind of thing, that company that wrote that application on that social network is acquiring a vast amount of information around that individual. And more than likely, placing some kind of mechanism in place that’s going to track that individual anytime they’re on that social media platform.

So again, businesses need to begin to change their behaviour in the way they treat individuals, whether they be a consumer or a customer. And to me, that’s the greatest thing and the most important actionable item that businesses could take today to start to change the way the internet is used. When you look at the history of the internet, the internet was built for the people and big enterprise companies and social media platforms more or less hijacked the internet along the way. And one of the ways they did it way back in 1994, as many of us remember, good, bad or indifferent was from the invention of the cookie. And as we all know, today, more and more institutions are going cookie-less, and the cookie is finally going away. So there is a glimmer of brightness in our future that companies will start to use an individual centricity perspective in acquiring data.

Oscar: Thanks a lot Jim for this. Please let us know how people can get in touch with you.

Jim: Sure. The easiest way is through LinkedIn. I’m an open networker on LinkedIn. And you can look me up as James Pasquale on LinkedIn if you search. I’m also listed at digi.me, I’m listed on the Me2B Alliance and the Kantara Initiative. And if anybody wants to contact me directly, they can do so through my Gmail account, which is simply jimpasquale, all one word spelled [email protected]

And in closing Oscar, I’d like to thank you and Ubisecure for the opportunity to share my perspective on these important developments that are finally disrupting the way businesses architecturally approach acquiring and using personal data. And so, I appreciate the opportunity. I appreciate your time. And of course, I appreciate all of our listeners on this morning’s podcast for their time. Thank you.

Oscar: It was a pleasure Jim and all the best.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]