In this episode, host John Verrico sits down with identity technologies expert Jon Prisby of S&T’s Biometric and Identity Technology Center. Jon touches on the future of digital credentials and discusses how biometrics may influence deep fakes. You’ll hear about the role digital credentials play in our daily lives, learn about how mobile driver’s licenses (a future digital credential) work, and discover why biometrics can be both the solution to deep fakes and also part of the problem. Also: find out why the title’s real estate analogy is used to describe the digital identity space.
- Next Generation Identity: Mobile Driver’s License Fact Sheet
- Video: Emerging Technology: Challenges and Opportunities for Mobile Driver’s License (mDL) and Digital IDs
- Feature Article: Implementing Mobile Driver’s Licenses: Not as Easy as You Think
- News Release: REAL ID - Minimum Standards for Driver’s Licenses
- News Release: DHS Announces Customer Experience Improvements One Year Following President Biden’s Executive Order
- Recorded on September 26, 2023
Host: John Verrico, Chief of Media & Community Relations, Science and Technology Directorate, Department of Homeland Security
Guest: Jon Prisby, Identity Technologies Expert, Biometric and Identity Technology Center, Science and Technology Directorate, Department of Homeland Security.
[00:00:00] Jon Prisby: If you use it at a doctor's office, at a bar, at a casino, at a grocery store, anywhere where someone scans the barcode or takes a photocopy of it, you are disclosing all of the information that's on it whereas if you want to, let's say, purchase like an age restriction substance like tobacco or alcohol, you could present to say, yes, I'm above a given age threshold, as well as your portrait image that proves that it is you and not someone who has possession of your device for that.
[00:00:28] Dave: This is Technologically Speaking, the official podcast for the Department of Homeland Security Science and Technology Directorate, or S&T as we call it. Join us as we meet the science and technology experts on the frontlines keeping America safe.
[00:00:42] John: Hello and welcome to a new episode of Technologically Speaking, I'm your host for this episode, John Verrico. And with me today is a really special guest, and I say this because this is such a unique and interesting project that he's been working on. I'd like to welcome Jon Prisby. Jon is an identity technologies expert in our Biometric and Identity Technology Center. Good afternoon, Jon. How are you today?
[00:01:08] Jon Prisby: Good afternoon. I'm well. Excited to be here.
[00:01:11] John: So, I mean, let's just get right into this and start things off a little bit. First of all, tell us a little bit about you and what is an identity technology expert?
[00:01:20] Jon Prisby: So, an identity technology expert is someone who ended up in identity. It is one of those professions where there isn't really a degree for it. So often I saw a presentation at a conference where they asked how many of you intended to be here in college and how many of you ended up here sort of by accident.
[00:01:41] And something like 90 percent of people was the latter, so I'm one of those. I ended up falling into it initially in a healthcare context, working of how do you match patients across different systems, and over time just really got fascinated by the subject and kept finding myself back to it. So, I think at a basic level, identity is how do you tell uniqueness and context, and this can be about people, this can be about organizations, or this can be about machines, and it's expressed in many ways, but I think at the basics, that's kind of it, and I've just found this concept sort of endlessly fascinating over the last number of years.
[00:02:25] John: So, what did you find so interesting about it? I mean, cause it is an interesting topic, but have to wonder what sucked you in, right? What grabbed you by the jaw and said, oh my goodness, you've got to, you've got to devote your time here?
[00:02:36] Jon Prisby: I think because it's never the same, I mean, when you think at first blush, like, oh, my identity is my, you know, my name, my date of birth, the things we often see in a government ID, but especially as you get very deep into it, it almost has a spiritual quality because if you ask yourself, well, who am I? What makes me unique? Who do I identify as? Whom do I identify with? What defines me? There really is kind of, an endless distillation, especially when you combine like people and systems because you with your family can be a very different context than you on the internet. And you have one person who, if you approach different contexts, can be almost entirely different people.
[00:03:20] John: Well, you know, it's so true. People are so different at work than they are at home, than they are with friends. In different environments we become absolutely different people, but it is still essential, especially in the security side of things in the security industry and in all things with trying to assure you are dealing with the right person at the right time, you've got to connect all these different facets of people in to make sure that they're all the same. Is that pretty much kind of a good way to summarize it?
[00:03:53] Jon Prisby: Yeah. And it's also with systems. It's not just you. It is the thing that's pretending to be you, or is the entity you're dealing with on the internet actually that person? I think like one of the classic examples that came up is people will run experiments on like LinkedIn and they'll say, well, if you put up a photo of an attractive person and you click connections request it's kind of astonishing the number of people who will just click connect because there is this avatar that purports to be a person. And they'll have these details that don't actually make sense. Like you're 25 years old, but you have 30 years’ experience. But over and over, it's shown that, you know, hundreds of people click connect and will have job offers and all sorts of things.
[00:04:32] And that kind of human behavior of like, yes, you know, we sort of are wired to deal with people in person, but so much of it is remote and with systems. And that's where our brains and our biology hasn't really yet caught up to technology.
[00:04:47] John: And sometimes I can imagine it's quite distressing to see, all of the different ways that people try to abuse the technologies and the abilities of technology nowadays that allows people to kind of take on new personas and different personas and to spoof others. So, let's delve into another whole kind of scary, spooky area of what's happening in the digital world and that's deep fakes. You know, so, so much now we're seeing, you know, on the news and reports around the world, these deep fakes where people are able to capture snippets of your voice or images of you, and then animate them and then kind of take over and pretend to be you, what do you see as ways to protect against that?
[00:05:36] Jon Prisby: Biometrics can be part of the solution. I think part of the challenge is with social media and all of it, a lot of the work that has been done to make it easier to enhance an image or do something like, well, you know, I would like to make my skin look smoother, or wouldn't it be fun if I could see my wife and I what our child might look like and it could merge our faces. A lot of these technologies that were driven for, a visual audience it's that's where a lot of the work has been that can be used to generate deep fakes. So, biometrics can be part of the problem, it can also be part of the solution, where, to give one specific example, if you go to a kiosk, so like an ATM, for example, that camera is controlled by the institution, not by the person, so if later, it turns out that, you know, John, I stole your debit card, and I used it, and I was able to get your PIN, and you reported it stolen, they could roll back that footage, and they could see, well, if they see my face in front of the ATM, they could see that's not you, and they could say, yes, fraudulent transaction, we'll refund the money.
[00:06:52] And the key thing there is, that is a camera sensor and software system that is controlled not by the individual, where it's much harder to trust it, because it's not a system that is owned and operated by the person who's trying to access, it's owned by the institution or the person or the system that's sort of gating access. So that's an example of sometimes removing digital requiring physical presence can help us defend against these kinds of things.
[00:07:23] John: It's interesting that the systems are, capturing imagery, that can be verified, you know, later on forensically, let's say, but it's not like they're comparing you against database of information there doesn't need to be a database there. It just needs to be, hey, you know, this incident happened at this time, at this location, and they can pull that up and then verify at that point and then they're looking at making that facial comparison. So, it's not like people have to worry about their face being constantly compared.
[00:07:53] Jon Prisby: Correct, yes. There isn't a central database this is being compared against, and it's actually part of what makes digital credentials, MDLs being one example of it, sort of a key aspect of this, where the image of you or the person who's on the credential is signed by the state to say, yes, this is a picture that was taken and can be trusted to later make a match, but it's done on the edge or one to one.
[00:08:19] John: Jon, I have to ask, it seems like this whole... using digital versions of identification just like digital payments. I'm still, you know, leery about connecting my bank to my phone and things like that. I'm kind of old school that way. And, you know, you just wonder, oh my goodness, you know, is it now become hackable by others. And also, we rely so much on devices like our own mobile phones and things like that. But, you know, we all know that we misplace phones, you know, they get stolen, things like that. So if somebody were to get a hold of my phone, could they then suddenly have all of that access and be able to present my digital ID, my, my mobile driver's license or whatever, in order to present themselves as me and conduct transactions?
[00:09:10] Jon Prisby: Right now, if someone steals your wallet and there are your credit cards and there's your ID and there's cash in your wallet, there really is no recovery mechanism. I mean, you can report it to the police or to the authorities but the ability to recover it is difficult because there's really no easy way to, to trace it or do anything about it. In contrast that with your phone, you're right that hacking can be a risk and there is definitely a number of challenges and thoughtful designs that we need to explore, be cognizant about, and really design securely and well.
[00:09:42] But the difference compared to your physical wallet is one, most mobile OSs have an option where if your phone is lost or stolen you can remotely wipe it or log out of your accounts or delete your data. The other is if you report it to the issuing authority, they can mark it as no longer valid and revoke it.
[00:10:05] The other is often, this is still kind of forming, but there's the mechanisms of, well, if someone seized your phone there typically is a mechanism that will protect the MDL from being accessed, either a pin that you've set, a biometric match that's on the device, but something that requires both the possession of the device as well as some other kind of second form of authentication that proves the device is something you have, along with something you know or something that you are.
[00:10:34] John: Oh, that's a really good point. So many people I know don't even have passwords, you know, or pins on their, to unlock their phones. So let me ask this other part of it too. There's the other side of this is, what about privacy implications on this stuff?
[00:10:49] Jon Prisby: Yeah, that is a really interesting question that as of now is still very much being designed. From the get-go privacy is included in the architecture of this. There's a concept called Selective Disclosure, only disclose as much information as necessary for a transaction, not everything. Increasingly, your physical driver's license, I'll just stick with driver's licenses because it's the mobile version.
[00:11:17] If you use it at a doctor's office, at a bar, at a casino, at a grocery store, anywhere where someone scans the barcode or takes a photocopy of it, you are disclosing all of the information that's on it, whereas if you want to, let's say, purchase like an age restriction substance like tobacco or alcohol, you could present to say, yes, I'm above a given age threshold, as well as your portrait image that proves that it is you and not someone who has possession of your device for that.
[00:11:46] John: Only sharing a limited amount of the data rather than the whole thing.
[00:11:50] Jon Prisby: Right. And where it's still, there's a lot of interesting work coming out of the privacy enhancing technology where you get to things like zero knowledge proofs or cryptographic things where you prove something is true without revealing... the mobile driver's license model begins with a bit of simpler of like, yes or no, you're above a threshold and disclosing only... where there's still work to be done is, once the verifier, the device that is reading, saying it's true and then granting benefit eligibility or service based on the information read and the integrity of it, the model of what happens to that data, how long is it retained, that work is still ongoing, much in the same way that if you, you know, go to the mall and you enter a lottery thing that says, you know, I would like to win a new car, I'll use my data. What happens to your data once it's disclosed to that party? There, it is very sort of contextually specific.
[00:12:54] John: Now I'm seeing more and more that there are sites like payment sites, banking sites, and even social media sites that are looking for some sort of a verification of your identity when you sign up, or if you want to expand your service, for example, Meta right now, which is the parent company for Facebook, Instagram, et cetera, they are requiring that people submit images, scanned images of their traditional paper, hard copy, identifications. And I'll tell you, I'm leery about scanning my driver's license or my passport and submitting them into a social media site just to get, you know, a more enhanced account. What are the concerns there?
[00:13:48] Jon Prisby: Yeah, you're touching on another piece of work that's ongoing, which is first of all, how well do capturing white light photos of identity documents with smartphones or other devices actually work? That is an ongoing test and evaluation that S&T has ongoing right now to sort of understand that more deeply because they're identity as a science as opposed to a technology is fairly, um, it's not new, but the measures and thresholds and things are not as defined as you get with a lot of other sciences like physics.
[00:14:29] And the other piece you're describing, which is very common, I myself have the same, is like, well, if I give you this data that is sensitive and private about me, you know, what do you do with it? Do you only use it for the intended purpose? Do you use it for other purposes? And that is, I think, also part of what digital credentials can help, because increasingly, as we trust the information on the Internet less and less, there's a natural tendency to ask for more verification.
[00:14:56] However, there's... You know, it makes people understandably uncomfortable to ask - Why are you asking this? Why do you need this? How much do you need? And helping users be able to control the release of their own data through models that are designed to be more private can enable this and give a bit more control back to the user as opposed to requests for ID documents or others that, you know, may be too much. It's sometimes both a cultural and a personal, how do people feel about this?
[00:15:28] John: Yeah, it's a whole interesting science. I mean, the whole idea of protecting your identity and all of the things that identify you is a very interesting science. And it's also, like I said, it's a little scary when you look at all of the different ways that things can go awry. I know when I first joined the military back in 1981, yes, I'm that old. You know, we didn't have, like, a serial number. We had, instead, used our social security numbers as our identification. And so, we actually stenciled our social security numbers, full social security numbers, onto our uniforms back in that era.
[00:16:09] Well, now, you know, you're going, fast forward to 2023 and everything has gone digital, but we've still had to have this information and it's in data banks everywhere. And so that goes down to, this new project that you were talking about is this, and I take it, we're talking about the Identity Credential Risk Research.
[00:16:28] Jon Prisby: Yes, that is true because, it's interesting you give, you know, the Social Security example because I've always found it a bit, baffling that it's like, well, you're supposed to keep it secret. However, you need to tell everyone it.
[00:16:40] John: It's so true.
[00:16:41] Jon Prisby: We, I think I just got a letter from a former bank. It's like my identity was stolen for, I don't know, the sixth time in the past five years.
[00:16:50] So, I don't personally believe that my social security number is really secret anymore. And I try to personally operate as like, well, I assume it's out there and I try to protect myself with that kind of assumption. And I think that's where, yes, to your question, the idea with Identity Credential Risk Research is, well, can we at a macro level make it a little easier and digestible to understand if you call in, if you are in a video conference, like we're on at the moment, if you walk in, how do we understand and measure strength?
[00:17:31] How strong, how sure am I that you're you? What are the ways people can potentially exploit this? And how can we balance that or at least understand the asymmetry that occurs between those channels? But also, how do we really understand that we're ultimately trying to deliver, you know, services to the public?
[00:17:53] And we have to be very thoughtful about design tradeoffs because it's very easy to have a very secure process that 90 percent of people fail. So, it's being thoughtful about balancing that risk of delivering the service to the people who need it and are eligible for it, but also understanding, you know, how are fraudsters continuing to be creative?
[00:18:14] John: And so, let me ask you, Jon, how did you, how did S&T even get involved in this work in mobile driver's licenses and other types of digital identities?
[00:18:24] Jon Prisby: Sure. So, I've been with the Department a little less than two years. So, the origin predates me by a couple of years, but from what I understand, it was an understanding that in five or seven years ago, there was the potential, the long-term potential that this could really change the way that the public, even globally, people interact with, you know, all the places you do ID things. It could be casinos, banks, the government, et cetera. And with that sort of long-term view of how do we choose and understand, you know, as a department, what do we think is going to affect DHS and sort of five to 10 years? And I think this was one of those sorts of investments that really was on the mark where it's a real testament to the really high-quality team that was already here and was kind enough to sort of invite me to join them and come aboard on the research side of things. Of recognizing this early opportunity, but also if we're not part of the discussion and part of the shaping, we will be impacted by this even though we don't necessarily have a voice. So, I think it was a long-term understanding that this is the way the market and sort of the world is going and to make sure the Department has a seat at the table getting involved early and helping to consistently shape it as well as understanding that just DHS’s typical role in the identity ecosystem.
[00:19:56] John: And such a critical role it is. Let me ask you, what is a typical day for you like in this realm of digital identity protection?
[00:20:04] Jon Prisby: Yeah, I mean, that's, probably the most interesting and fun part about the job is I don't know if there is strictly a typical day because in one day, I mean, it may touch on conversations or challenges involving immigration, and then the same day, it may be about, you know, applied cyber security. And issues dealing with that. And then later in the day it may involve how to help first responders better have and use digital identity and can we assist with disaster response and speeding that up? And that's what makes this to me, such a sort of an endlessly fascinating job because there's such a diverse breadth of problems where identity is never the end result, but it's often a step along the journey.
[00:20:51] John: Interesting way to look at that. Yes. So, you know, we've heard a lot about biometrics over the years too, and how we're using things like your fingerprints, your facial recognition, iris scanning, all these different types of ways of verifying your identity. And now we have what were traditionally our hard copy paper identity verification documents that are also now going into this digital realm. How do the biometrics and digital identities work together? How does that really work?
[00:21:26] Jon Prisby: So, there's a generic concept in identity called Credential and credentials can be everything like you kind of just described. It could be your face, your fingerprints, your iris for physical biometrics could be your voice. It can also be the documents you just described or your password. Generally, it's some, something or some things that you are presenting to a person or a system and is then used for an access decision. How biometrics often play into this is, it's critical to a concept called Binding to your sort of question, your point earlier about like, what happens if someone steals a phone?
[00:22:03] Well, one of the ways that you can ensure that the person who has the credential is the rightful holder of the credential that's where a biometric binding can be helpful to say, well, is, does the face on this ID that I'm being shown to make the decision of should I let someone in this bar or not, does that match the face on the ID?
[00:22:24] And this is sort of irrespective of physical or digital. And it's also for deduplication because you get things like, you know, Robert Smith, thousands of people have that name, whereas biometrics are very unique. And so, it's a complementary to me anyway, looking at it like a subset, one of the things I see as a convergence between cybersecurity, biometrics, digital identity, documents, because we're using all of these things on the Internet and in systems, so they're, it's hard to draw a bright, clear line, at least kind of where I sit, between these sub disciplines when you get into real life use.
[00:23:05] John: CNN recently reported that starting as soon as 2024, one of the airports in Singapore, they're introducing automated immigration clearance, which allows passengers to depart without passports using only biometric data. Can you talk a little bit about this kind of technology and how it can impact the passenger experience? And well, do you think we'll see something similar in the United States at some point?
[00:23:33] Jon Prisby: Yeah, it's interesting you bring that up. There are a number of pilots in the world to look at, how can we use digital versions of passports? How can we use biometrics for speedier, immigration, customs processing? There is some work, in the U.S. I know CBP has rolled out a number of initiatives involving biometrics, for example, very recently, if you're involved in global entry, they have released a new application on the phone that you can use your smartphone as opposed to using a kiosk at certain select airports.
[00:24:09] So, I think we will see, increasing use and trying out of these kinds of technologies. We're seeing them with some domestic airlines where you can, use your face as backdrop at the airline. At the checkpoint, I think globally, this is going to be sort of a very country specific thing, because biometrics, the databases that can be accessed, cultural attitudes are very different.
[00:24:40] So I think we're seeing a bit of it here in the U.S. I think others will likely move a bit faster than we are here because we have such a distributed system of federal, state, local government. And it's between kind of all of those in the private sector that manage identity. In other places, it's much more centralized. So, if they make a decision to move it can sometimes be a bit simpler administratively to move in a given direction.
[00:25:10] John: You know, you talk about the differences between, just different, uh, different states and localities, also having, different rules, different capabilities, all that kind of stuff. I know when I moved to Pennsylvania, one of the requirements they had to get a Pennsylvania driver's license was not that you had a driver's license from another state. You had to show proof of identity, obviously that you are who you are. But one of the things they absolutely required, no substitution allowed, is your physical social security card, I had no idea where that is. It's not something we carry. And I had no idea where that was. And I had to go through, you know, all sorts of, of rigmarole to try to get a replacement social security card to meet the requirement for the state of Pennsylvania to be able to have that identification.
[00:26:01] So it's very interesting how, to see where this can possibly evolve moving down the road and which things will be acceptable in different locations and which things will not. And I think it's really wise to tell people, although everything seems to be going digital, it's not there yet and you need to still keep stuff.
[00:26:20] Jon Prisby: I agree 100%. One of the analogies I've been using is we really call it digital, but it's, if you were thinking of it as real estate development, it's brownfield, not greenfield. We don't get to imagine from a blank piece of paper, what do we wish it to be and design from there. We have to deal with all of the messy reality that is and try to incrementally improve or change things. But it's not that all of this existing paper or infrastructure or manual processes are going to go away overnight.
[00:26:52] John: Do you worry about protecting your identity in the digital world now with what you've learned on the job and how does that impact your day-to-day life and interactions?
[00:27:06] Jon Prisby: Yeah. I mean, of course it's once, you know more, there are more things, you know, to worry about. I think, day to day it's sort of affected in being thoughtful about my own personal security choices. So, using, uh, it's commonly told like, YubiKey, it's a hardware thing that you can put on a key chain. And using that plus like password managers and just in general being thoughtful about how I try to make sure if someone's going to exploit my own personal devices or data, I've sort of thought through and worked, where it can be funny is doing it yourself, I've discovered, trying to convince your loved ones to do the same things is quite a bit harder because they're not quite as invested or care as much about the topic as you do.
[00:27:59] John: You know, why is it that it's so hard to convince, our own friends and family and loved ones that, you know, we know what we're talking about?
[00:28:06] Jon Prisby: Yeah, that has been, a journey where it's good when you talk to people because they keep you grounded and honest and humble because it's like, it's, you know, interesting, but hey, I've got my own interest and I'm not that, as deep into your topic or care nearly as much as you do. So, hey, can we change the topic and move on to something else?
[00:28:22] John: How much advice do you give and are you charging a fee for that kind of a service?
[00:28:29] Jon Prisby: No, just view it as, you know, one more thing to help those I care about stay a little safer.
[00:28:34] John: Jon, you're absolutely brilliant on this topic. And as usual, with doing the Technologically Speaking podcast, I learned so much chatting with folks within the Science and Technology Directorate. All the expertise that we have here and, this has been, a very enlightening conversation. I have to ask some goofy question though, the, what does an identity nerd do on his time off?
[00:28:57] Jon Prisby: A lot of not looking at computers. I try to really get outside, go hiking, go play sports, or activities where I have to be both physically and mentally present. So, I really like to boulder or play squash. And what I like about both of those is if you get distracted or if you're not present things don't go well, and that's a way of making sure that, you know, I take a break and try to recharge myself by doing things that have nothing to do with identity. I love it, but not 100 percent of every day.
[00:29:31] John: There you go. Absolutely. And you know what? I realized that you're doing this not just for the people that you care about, but you're actually doing it for, you know, all of the people of the nation, just in the work that you do. And I want you to know that is truly greatly appreciated. So anyway, Jon, this has been a wonderful conversation. The topic is continuously evolving, which is what makes it interesting. So, thank you so much for joining us today.
[00:29:55] Jon Prisby: Thank you so much for having me.
[00:29:57] Dave: Thank you for listening to Technologically Speaking. To learn more about what you've heard in this episode, check out the show notes on our website, and follow us on Apple and Google Podcasts, and on social media at DHS SciTech. DHS SCI TE CH. Bye!