Let’s talk about digital identity with Aran Khanna, Co-Founder & CEO of Archera.

In episode 61, Oscar talks to Aran about how social media companies handle identity management and data privacy, and considerations for businesses offering social media identity providers for login to their online services.

[Transcript below]

“Identity plays a different role in different places around the social ecosystem today that is really dependent on what the goal of that underlying social platform is and sort of what regulatory regime it operates under.”

Aran Khanna has been labelled many things. Thought leader. Innovator. And (at times) troublemaker. Now, in his search to give technological control back to developers and business leaders, he’s added cloud management entrepreneur to that list as the Co-Founder & CEO of Archera, a company that helps organisations find cloud solutions that fit their companies.

Find Aran on Twitter @arankhanna.

Find out more about Archera at archera.ai.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello, and thank you for joining. Today, we’ll have now a conversation with an entrepreneur in the tech industry that is not directly connected in the identity industry, but they are a very innovative company and the CEO has a very interesting story to tell us.

So let’s welcome Aran Khanna. He has been labelled many things. A thought leader, an innovator and at times, a troublemaker. Now, in his search to give technological control back to the developers and business leaders, he has added cloud management entrepreneur to that list, as being the co-founder and CEO of Archera, a company that helps organisations find cloud solutions that fit their companies.

Hello, Aran.

Aran Khanna: Hi, Oscar. Thanks so much for having me.

Oscar: Welcome to the show. Let’s talk about digital identity. But of course, first of all, we want to hear your story, a bit of your journey, how, since the beginning of your career, you end up in this world of – you tell us about your company, and also about identity, please tell us.

Aran: I can tell the short version here, I don’t want to bore you guys with a 30-minute background. But in short, I was born and raised in Seattle, I’ve really grown up all my life around technology. Both my folks worked at Amazon and Microsoft in the early days. And my first foray into technology was actually working at, funnily enough full circle, at the cloud provider that was soon to become Azure, it was called something different back then. But essentially started in that world. Really, from there, I started to get really interested in digital privacy as myself and all of my friends at college and high school were migrating all of our communications, all of our financial activity on to platforms like Facebook, Venmo, Twitter, etc., Instagram, right?

And I started to think a little bit about particularly the data leakage that was coming out of that sort of migration of really society, and started my journey as a privacy researcher in college working with the former FTC CTO Latanya Sweeney on a number of projects, including one very well-known one that actually got me fired from Facebook for revealing some pretty invasive defaults that they had in their platform around location sharing.

From there, I actually went into machine learning research, there was very interesting story behind that, but really started working on fundamental deep learning research, and actually then got pulled right back into the cloud world when AWS acquired that team that was working on to become their internal deep learning team. We launched a number of products at Amazon. And I started again, to start seeing this disconnect between platform users and the platforms themselves and the rules they were putting forward, similarly to what I was looking at in the privacy space, but really around financials in the cloud space.

And that’s when I spun off and started this company Archera to help customers, just like I did in the privacy space and the social media space, understand data leakage, and how platform incentives were not aligned with them, and how they had to orient their behavior to correct against that, trying to apply that sort of thinking into the B2B space with businesses who are migrating to the clouds, and trying to parse the incredible complexity of pricing and the different offering types on the cloud service provider platforms.

So in a nutshell, that’s sort of the arc of the journey. There’s obviously a lot more detail in there. But really, I’ve touched identity and access management and identity and privacy more broadly, both on the consumer side and the business side throughout that journey. So excited to chat more about that with you.

Oscar: Yeah, thank you. And definitely your company, Archera, sounds very interesting. As you said, also, that the case of data there in cloud platforms that are becoming, well inevitably, most of cases, most services require some level of cloud. And also something that I was also checking your website about finding the right model, so you can save money on that is interesting. Sometimes it feels like, in my own case, I feel that the cloud providers make it difficult to find how to save money just by using the elements on the cloud. And also about yourself, I went actually to search just put Aran Khanna on using DuckDuckGo. And first of all, I think you’re the most famous if not the only Aran Khanna I have found.

Aran: I think I might be the only one – so the least and the most famous one.

Oscar: If not the only one, the most famous for sure, all the top 10 entries are about you. And yeah, a few of them talk about your Facebook story. So tell us a bit more about that.

Aran: That’s a real fun one. So actually, at that time, I was in college in 2015 at Harvard, and studying computer science. I had actually not started doing my privacy research yet. This was one of the things that catalysed that world of research and projects that I did, but I was learning how to develop web applications and extensions at the time. And what was interesting is all of my friends at Harvard had migrated to using Facebook Messenger on their mobile devices largely – this was 2015.

What was interesting about the product was every time one person would send a message to another person, the default behaviour of the application, you have to go into the settings deep and turn this off – was that it would attach your location to that message. And this wouldn’t matter if you’re in a one-on-one chat with friends, or a massive group chat with 200 people in a class, and you’re constantly texting back and forth, your location was actually being leaked and revealed.

And what I started to think about was, “Hey, wouldn’t it be in the user’s best interest to understand that this default is on. And it’s not just one-off location data points being shared, there’s so much information given the volume of chat that’s happening here, that you can actually build an incredibly detailed picture of someone’s historical locations, their future locations, given their routine, and really come up with some fairly invasive data if you aggregated this.”

So that was sort of my hypothesis. And I thought this was something that users would be really happy to know about, Facebook would be really happy if I actually kind of built something that helped people understand this data leakage, and then showed them where the knobs were to control it if they thought it was a problem.

So I went ahead, move fast and break things, and built this Chrome extension and wrote a blog post alongside it. The Chrome extension was called Marauder’s Map, you know, just like in Harry Potter, if you’ve read the books, there was a map where Harry and other folks would actually use it to track people’s live locations around the castle. And very similarly, people say Harvard looks like Hogwarts a little bit, I was able to build a little prototype where I could actually stalk my friends around Harvard campus using this Chrome extension.

So I wrote up that story, released the extension. And really, the point was to educate users, educate what I thought were the customers of the Facebook platform on this very interesting design decision, this product decision that might be affecting them and something they may want to turn off. So I thought this was a great thing for Facebook users, for Facebook as a company, I released it. And at the same time, I actually had an internship lined up at Facebook on a completely different team, on newsfeed ranking, which funnily enough became the source of a whole another set of controversies years later, with respect to echo chambers and digital amplification and misinformation.

But what happened was right before I was supposed to join Facebook, right before I was supposed to start my internship, the VP of Engineering and the Head of HR called me up and said, “Hey, by releasing that extension, you didn’t act in our best interest as a company, so we’re going to let you go.” And this was the Friday before I was supposed to start my internship, I had a place already booked in California and paid for and it was quite a rug pull.

And I think that whole journey really taught me a few key things. I think, first and foremost, it taught me a lot about Facebook’s culture, and that they do not see the people who are using the platform, you and me, as users or customers. They view us as cattle, that is more likely to be happy when the wool is pulled over our eyes versus transparency about how the platform operates being given to us.

And the other thing I realised was that this is a pervasive problem, that is not just a Facebook issue. If we have more and more of our lives moving online to these sorts of platforms, often the incentives of the users are misaligned with growth incentives, and the incentives of the platform, which are really not just to suck all the data out of users, but also to reveal that data publicly in a way that benefits their growth in some advantageous manner.

So that was one of the things that I think it really launched me into looking more deeply at these privacy issues throughout the tech industry. And then really focusing a few years of my life doing research there and additional projects, just like the Marauder’s Map Project with companies like Venmo to reveal all of the issues around the transparency with which these platforms operate, particularly with respect to customer data.

Oscar: Yeah, that’s a very interesting story. I’m sure you learned a lot about that. And it’s interesting that as you explained that, so the user, if the user was curious enough or observant enough, would see the location just in front of his or her eyes, correct?

Aran: Correct. You just have to click on the message and the exact location it was sent from was attached. So all you really needed was a piece of paper and a pencil to go and do this by hand. I just happen to do it programmatically and release an application to help customers do this. So they could make the decision for themselves, whether or not this was something that should be left on or turned off.

Oscar: You also mentioned the example of Venmo. I know you have shown also in some of your blog post Venmo is, I think not so familiar here at least in Finland, I think it’s an app for splitting the bills, right? When you buy something together with your friends?

Aran: Yeah, it’s more generally like peer-to-peer payment. The way that they really came at it was it was a mobile-first peer-to-peer payment solution that had a very big social component to it. And I believe the company thought the social component was a big part of their growth. So what they did was that by default, when you sign up for Venmo, and you know, if your friend wants to pay you back for a meal, you have to sign up for Venmo. All transactions that you put into the system, become default public and actually show up on a global news feed.

And the thinking and I saw a number of talks from folks at the company including their Chief Growth Officer saying the thinking behind this was, the more people who share the more people see them sharing and the more the company grows. So even if it wasn’t in the user’s best interest to share all of their financial transactions with friends. And I did a very similar project where I went back, added up all of those transactions and built a map to show things like who’s your best friend, who are you going on dates with, what clubs are you a part of, etc. But the user, basically, it may not be in their best interest to share all this stuff publicly. But by default, they make it very difficult to turn off, and it helps the business grow.

So that was another instantiation of the same problem. And I think it’s intertwined with identity moving to the net, in that era, right, in the 2010s, people started to use their real names on the internet. And now that identity was tied to these things in such a tight way, you could really get fairly clear signal about specific individuals from all of this public data that these platforms were in a sense, forcing them to reveal by hiding defaults and controls behind different layers of friction.

Oscar: Yeah, for instance, the case of Facebook, that map you created, it was in 2015, now we are 2022 so a few years forward, so how – today, if you still continue with social media for a bit while, social media platforms are doing better in data privacy?

Aran: Yeah, I think the target has shifted a little bit. I think the major things that happen were things like GDPR, between 2015 and now, and honestly, I don’t think it was very effective. I think from a privacy standpoint, the most effective thing has been increased scrutiny, and increased public awareness of these issues. And hopefully, my projects and other journalists writing on this actually did something to catalyse that.

But what I’m seeing now, and what I’m most concerned about now is actually, even if the data on people is not being publicly revealed to the world, for the purposes of growth, or inadvertently through features like location sharing in Messenger, what I’m really concerned about is how that data that’s now been collected even internally in a secure database is being used with things like machine learning algorithms to actually manipulate people at a much broader scale.

So I think the ball has shifted a little bit on where my concern is. I don’t think the privacy issue is necessarily completely solved or rectified. But I think it’s not the most pressing issue of the day, because there are other issues that are downstream from that, that are also causing large, inordinate impact and likely have to be addressed before we even go back and address the privacy issue. And that kind of brings me to why I even started researching machine learning in the first place coming out of 2015.

Oscar: So that was one of your drivers to go deeper into machine learning.

Aran: Yeah, I think after seeing the amount of data just being leaked, it was very clear how much data was being collected. And the natural consequence of that data collection to me was OK, I know who you are, I know all this data associated with you. And I have a cohort of folks who look like you, can I not build models and experimentation to do things that are basically not in your best interest as a user?

I think it’s a very similar sort of thought process I went through on the privacy side, which is how are these platforms going to use these technologies in ways that are not aligned with customers or their users. And how do I help users actually navigate that? Educate them about it, so they can make informed decisions on what they use and how things are used against them.

Oscar: And how social media platforms currently handle more broadly, identity management?

Aran: Yeah, that’s a very interesting topic, because I think it varies broadly between platforms, right? Working on Venmo, I think the places with the highest fidelity kind of identity mapping are, by necessity, these social cross financial platforms where you need KYC AML, to actually enter into the gates, you need to upload your ID to be a member of Square Cash or Venmo. So from that perspective, I think there’s sort of a bifurcation where you have these strongly enforced identity social platforms, largely correlated with some regulatory requirement.

And then you have these much more weakly enforced platforms, things like Twitter, and Instagram, and Facebook, where you see even today, huge issues with identity, with bots, with harassment. And I think that it’s not a one brush that you can paint the whole space with. There’s a lot of nuance there. And I think identity plays a different role in different places around the social ecosystem today that is really dependent on what the goal of that underlying social platform is and sort of what regulatory regime it operates under.

Oscar: And if go a bit broader, not only on social media platform, but any company that has users, many tech companies, how do you think from your perspective, of course, you have your own company, you might have an idea how the companies do on that side, but other companies who have services/applications are handling the identity management?

Aran: I think there’s a few questions in there, right. One is how are these companies, these technology companies, many of which we serve, we serve social media companies, B2B companies, kind of all over the space of technology, how do they handle internal identity and access management for their engineers, for their employees? And then how do they handle user data and identity for their customers?

Again, I think the customers piece is something that varies a lot more, because it’s a function of trying to have minimum friction, while meeting regulatory requirements at the space, the FinTechs that we work with obviously have much, much tighter regulations around their customer data, where it can be stored, the keys that manage it, so heavy usage of KMS and other services within the cloud providers that assist with that sort of process.

And on the other side, what’s heartening is seeing a lot of the internal practices around engineering teams, regardless of what the company is doing, standardised with respect to identity and access management. So we see lots of folks using internal SSO providers now, I think that’s the majority of our customers, whether or not they’re in the B2B or B2C space, we see widespread usage of KMS, and other custodial encryption services that help encrypt data at rest. And I think in flight as well, though, a lot of cloud providers have done a really good job of, by default, encrypting data in flight within their networks.

And I think what we’re seeing as well is with a lot more focus, particularly in the B2B space, on things like SOC 2 Compliance and ISO Compliance in Europe, a much more standard operating model for engineering teams with respect to when passwords are rotated, who has access to what, you know, are people all sharing the same account, the login, the stuff. A lot of that gets hammered out with these broader certification schemes.

So I think in the enterprise space, specifically with how customers data is being managed, there’s variance, but internally with respect to how identity is being enforced, within organisations, for the internal teams, we’re seeing a lot more standardisation. And I think that’s very heartening. It’s showing a much greater level of maturity entering into the space. And obviously, that raises the bar for everyone in terms of security.

Oscar: Well, as you know, many service providers – mixing the topic with the social media, again – many use social media authentication, what’s your opinion on that, the use of that and how, for the ones who use it, what could you say are good practices?

Aran: I think that’s a mixed topic again, because frankly, from my perspective, I view login with Facebook and login with Google, even though they’re both technically social logins for consumers, as very, very different. And I think it really goes back to the motivations behind those specific products.

I look at the motivations behind the login with Google product, it’s really around things like making sure that these users who are already Gmail users are being safe with password management on the internet. It’s very much a function of doing good for the community of users by giving them a tool to sort of authenticate and log in globally without having to deal with passwords, which are sort of a mess. So if you secure your Google account, which most folks do, becomes really easy downstream to log in and use best practices. So I actually view that as a net positive.

When I go to the other side with Facebook’s login, which came a little bit later, for their single sign-on solution, it’s useful. And I think it accomplishes many of the same things. And especially for parts of the world where Facebook is the internet, like the developing world, it’s kind of the only option you have. But in terms of the data that it extracts from customers, it becomes much more invasive.

So it really becomes a function of yes, the customers ultimately have the choice and you should give them the choice as the platform. But do you have a point of view as a business when you’re offering this? And is your customer base one that is going to, for example, if you have both individuals and business customers, you’re probably not going to have a login with Facebook, you might actually have a login with Google because that handles G Suite and the enterprise side as well as the consumer side.

So again, there’s a nuance there. But I think in terms of best practices, selecting one of those providers is really a function of what is your customer base? Who are they? Where do they live? And then do you have any strong views as a business on where you expose their data?

Oscar: Yeah, I think it’s an interesting distinction. You mentioned, Google, yeah, tends to be more oriented to business because there is a Google Suite, for instance, that doesn’t exist in the Facebook world. Yeah. So to your view is Facebook, it’s much more invasive as this identity provider point of view.

Aran: It’s purely extractive in terms of why they created that, right? They don’t have a business to business service on the backend, that they’re actually serving and building this as a legitimate solution for.

Oscar: Yeah, because they are in a position of power. In many cases that’s, as you mentioned, some places it’s just the only way to have this log in.

Aran: It’s a way to get Facebook pixel out into the world, essentially, they just want more pixels on more sites so they can track you on more parts of the internet.

Oscar: Yeah. And what if one business has decided, OK, we’re going to use anyway log in with Google, log in with Facebook, log in with LinkedIn.

Aran: Yeah, LinkedIn and GitHub I’ve seen.

Oscar: So what do you say in terms of making that more robust as an authentication to safeguard the data, what do you say are important things for the service provider who is adding that functionality and sign in with Google or sign in with GitHub, what would you say?

Aran: It’s difficult, right? Because when you do that, you assume that you’re pinging the API on the GitHub side or the Facebook side or the Google side. They’ve done all the heavy lifting for you. They’ve done the 2FA, they’ve really gone in and made sure that the person who is giving you the token is the person they say they are.

The difficulty is that you are outsourcing that trust. Now obviously, from a development standpoint, that’s exactly what you want to do. You don’t want your engineers going and building this thing that’s been built 500 times, you just want to use someone else’s sort of version of this where customers already have credentials and already have a process set up.

That being said, if you’re the service provider, I think it’s incumbent on you to think about what is the level of security I need here? Facebook, for example, is never going to kind of enforce 2FA in a strong, strong way for their customers, because they want people logging in and looking at the site. I think GitHub on the other hand, especially like for corporate GitHubs or G Suite on the other hand, for corporate accounts, they do have the ability to enforce that centrally. And you know, if you need even stronger access controls, getting something like an Okta with SSO is a consideration.

But again, I think it’s really a function of what is the level of security that your customers are requiring from you. And do you choose a platform that matches that, and will give them those downstream controls, and that you can trust to actually maintain that contract?

Oscar: Yeah, absolutely. And on your case, I was checking also the Archera website. So you offer on this type of social media, you offer Google and Microsoft, correct?

Aran: Google, Microsoft and yeah, Okta more broadly, which is powering the whole thing. And it’s really just because we serve enterprises, right, big and small, we need to be where those enterprise admin accounts are set up, be it in G Suite, be it in Office 365, in Active Directory, or be it in Okta.

Oscar: Exactly. So based on the customer that the enterprise already use.

Aran: Correct.

Oscar: For all business leaders listening to us right now, what is the one actionable idea that they should write on their agenda today?

Aran: Hmm, the one actionable idea. I think one thing that has been surprising to me when I go in and audit platforms, including our own, or those of our customers for security and identity and access management best practices that I constantly see is the fact that the defaults, and the policies often don’t change from kind of the first setup to whenever I go and look at the thing, even if it’s three years, five years, N years down the line.

So having a review every quarter of particularly our identity and access management policies internally and for customers and being thoughtful about the goals of those policies, being thoughtful about setting them, having a cross functional team talk about it, at least once a quarter, because things change really quickly in this world, frankly. It’s something that I think is really important for leaders to go and do and build a cadence around.

And often, you know, if you’re doing SOC 2, or ISO, whatever, you’re going to have to do this anyways, there is some sort of cadence that is built into getting that certification. But building that muscle, regardless, I think is going to be very important going forward for business leaders.

Oscar: And normally what kind of position in the company normally takes care of that?

Aran: It depends on the scale. I’ve seen dedicated CISOs, Chief Information Security Officers, in less mature companies, sometimes the CIO, the Chief Information Officer, and even less mature companies, sometimes it’s the CTO and team of SRE or developers underneath them. But in general, it’s someone on the engineering side, who has deep knowledge of the architecture of the infrastructure, and likely deep knowledge of the cloud provider that the core infrastructure is being run on.

Because nowadays, and we see this in a lot of our customers, to really get in and fix a lot of issues or update a lot of issues, when you find them, you need to have that deep understanding of the offerings of the cloud provider, and how to actually orient and change those without impacting the application in a negative way. Or on the flip side, something we see a lot is impacting the costs in a very negative way by turning on things like detailed logging, when it might not be necessary and blowing up the amount of ingress or egress that you have from certain systems.

Oscar: Yeah, absolutely. Well, thanks a lot, Aran for this very interesting conversation, I definitely like all the work you have done, not only talking about your story, of course, the story you had with Facebook, and also other cases when social media and other providers didn’t take privacy seriously. So thank you for that, for sharing that story. Please let us know how people would like to get in touch with you.

Aran: Yeah, so you can find me on Twitter @arankhanna. And if you’re interested in automating cloud management, and we also actually sell insurance for cloud costs, you can visit our website at archera.ai. And we have a free to use demo, so if you’re interested in anything cloud management related, come check us out.

Oscar: OK, excellent. Again thanks a lot, Aran for this conversation and all the best.

Aran: Thank you, Oscar. It was great chatting with you. Have a great rest of your day.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]