IEEE Digital Privacy Podcast: Episode 13

Salvatore D'Agostino A Conversation with Salvatore D’Agostino
Founder, ID Machines

Part of the IEEE Digital Privacy Podcast Series

Episode Transcript:

Brian Walker: Welcome to the IEEE Digital Privacy Podcast Series, an IEEE Digital Studio production. This podcast series features conversations with industry and academic leaders, as well as key stakeholders of digital privacy, in order to help advance solutions that support the privacy needs of individuals. In this episode, we speak with Salvatore D’Agostino, an entrepreneur who’s been involved with digital privacy for a number of years. He addresses a number of topics related to digital privacy, including agency and trust, and offers advice to young professionals and students who might be looking at digital privacy as a career track. Salvatore, thank you so much for taking time to speak with us today and contributing to the IEEE Digital Privacy Podcast Series. To get started, can you please introduce yourself and provide a little information on your background?

Salvatore D’Agostino: Thank you. Happy to be here. So Sal D’Agostino, I’m the founder of– I’m sort of a serial entrepreneur. Currently, ID Machines is a consulting and technology company, which has been around since 2008, with the idea that there are all sorts of machines related to identity and identifiers that exist out in the world. It’s looking at both the use of physical space as well as in digital space as well. A lot of experience and background related to things like IoT and intelligent infrastructure. It’s also another recent enterprise, which is something called Surveillance Trust, which is a new entity that’s launching. So I’m a true entrepreneur spirit, I have more than one thing going on at one time. My background is one of early work experiences with robotics and computer vision going back into the 1980s, designing license plates reading systems and beginning to get an understanding of what it’s like to do digital surveillance, not necessarily surveillance capitalism, which is kind of an interesting differentiator in terms of the purpose of the use of the technology. That led to a whole bunch of fun things related to intelligent transportation systems. At the same time, doing a lot of work using that same technology in factories and coming to an understanding about how quality and security and privacy are all in some ways related. I guess today, some of that’s referred to as smart cities. Then kind of a stint doing the whole on digital identity stuff, which included a period where back in 2012, there was something called the National Strategy for Trusted Identities in Cyberspace, which was an initiative of President Obama. It actually produced something called the Identity Ecosystem Framework. I had the honor of being the president and chair of it at the time that it actually published that. So that was a full-on experience with beginning to look at digital identity. In that case, the things that we looked at was usability, privacy, security, and interoperability. Also today, I actually run a laboratory for the Security Industry Association to certify the card readers and door controllers, so the things that get you in and out of buildings, to an international standard for that. All those fun things keep me busy. In almost all these cases, there’s some aspect of transparency and standards as best practice and a way to do identity, security, and access control well.

Brian Walker: So Sal, how did you first become involved with digital privacy?

Salvatore D’Agostino: Well, I think that license plate reading things really kicked it into gear. Just the idea that if you didn’t know that someone was reading your license plate, then that certainly would be an example of digital privacy, not necessarily on the Internet, but digital in the sense that it was a machine. Then from there into the world of identity and access control and identity management, which was more about security and countermeasures because access control is a security countermeasure. But then from there, the next step from that, for me, was combining that experience and then working with the IDSG, so going back to 2012, very specifically on what digital privacy meant and what it was like, in fact, because before then, why did you need it? You’re talking about when we’re first beginning to come online, so along with that and some of the measures of it, I guess.

Brian Walker: So you’ve talked about agency and trust. Can you explain those terms in context?

Salvatore D’Agostino: I’d say agency is about authority over what’s taking place and authority that is shared with others and with and among organizations. Agency requires knowledge and understanding and freedom and free will, effectively. So opt-in plus, and among other things that it requires, transparency, proportionality, reciprocity. So those are the things that agency requires. Then if, in fact, the conditions for agency exist, then trust is about the shared knowledge, right, and the common understanding then applied in context. So you have to have the knowledge, you have to have a knowledge and an understanding. Then with that, if you find someone with shared knowledge and a common understanding, then you get the trust. So it’s really a two-step, right, in many ways. Yeah, and they both need to be human-centric, right. Today, effectively, trust is mostly measured by service providers, and it relates to, among other things, cryptographic assurance around identifiers and authentication technology. That’s pointed at me. That’s not really giving me trust in what’s going on. So in terms for there to be agency and trust, what governance and co-governance is really what’s required, right. Ideally, for that also, you’ve got laws that actually provide codes of conduct and codes of practice that you could use to actually have agency and establish conditions for trust.

Brian Walker: Can you talk a little bit about transparency and why you believe it should be prioritized?

Salvatore D’Agostino: It goes back to the first point about, what is agency? There’s the requirements for knowledge and understanding, right. Those are not easily obtained in a digital context, whether on a website or an app, about really what’s digitally going on. It’s zeros and ones, and how do you know? For that to actually exist, again, you need to invert that measure of trust. So it’s not about the identifiers issued to me and tracking me. It’s really for the PII principal, the data subject, the person, me, needs to know a few things before I can have agency and a basis for trust. That’s where digital transparency comes into play and associated with the notices and notifications required. Then to go even further, yeah, how receipts and records about the controllers can establish a baseline for that digital transparency and have those things be something that’s effectively available for me, right. So this needs to take place before any identifiers related to me are brought into play. By default, I get online, there’s all sorts of identifiers, right. So effectively, you want no tracking to take place until my conditions are met, as opposed to literally auctioning off my browser refresh. So notice before surveillance would be a nice thing. Transparency is fundamental to consent for all those reasons for there to be agency or trust. I mean, you literally need to start with transparency and provide people with some easy-to-use measurements or some understanding of that.

Brian Walker: So what efforts are underway to help educate the public and other stakeholders about consent and privacy?

Salvatore D’Agostino: The topic of consent is actually very dynamic right now, thankfully. The Telephone Consumer Protection Act of 1991– so the wiretapping was always the early basis of privacy. The FTC here, the FCC, just updated language around the requirements for expressed written consent. So what’s being called out for the most part, which is much appreciated, is that consent doesn’t exist for a turn of phrase. I like to think that what you have is consent to see. I don’t like to think it, but what you do have is consent to see. Terms and conditions and privacy policies that put all the risk on the PII principal meet– were being found not be a valid basis for consent and there’s legislation out there. It’s actually easy to tell. It’s when people are talking about consent, it’s based on the preposition used, right. So if you consent to something, it’s not consent. Consent comes from an individual. Online today, very few agreements online work that way and so if they don’t work that way, then many of the pieces of legislation out there actually say, well, then actually what you’re doing could be considered illegal. That’s not necessarily a risk people want to run. In terms of education, data protection, security and privacy actually go hand in hand and data protection is important. I think most of the education that are in that area. But independently, there needs to be digital services and infrastructure available to people and I think that’s missing. Then with that, you’d have education about how to use it, like learning to drive or a pilot’s license. You then show competency and there would be a way for, as an example, that may be a way to bring certain education and proper digital privacy into play. We need to build a road or at least have a road map for some of the human-centric services that would provide that.

Brian Walker: So Sal, in your view, what are some of the key challenges facing the digital privacy space right now?

Salvatore D’Agostino: So one is business model, I think, what we call surveillance capitalism and the lack of transparency, proportionality, and reciprocity that’s inherent in that. So that’s one. The second is really, I think, would be enforceability of digital rights. It’s mostly in the hands of the regulators and not available to the data subject or me for the most part. So this goes to the need for co-governance effectively, enforcement power for the individual, which is actually acceptable and usable. In terms of a way forward, it might be nice to have my personal, private, and public AI, make sure that my rights are established and maintained. So again, just like the direction of the use case for the tech beginning to be more humancentric could be really helpful here, too.

Brian Walker: What are some of the regulatory activities taking place in the digital privacy space currently?

Salvatore D’Agostino: U.S., we don’t have a national privacy policy act. There has been legislation in Congress. There actually is an American Privacy Rights Act of 2024. That’s sort of draft legislation. That’s not actual legislation. Globally, there’s big stuff. The GDPR and Council of Europe and that has a broad impact. I think there’s 18 states in the United States that have privacy legislation. So part of the reason why there’s a desire for national legislation is that you’ve got to deal with 18 different states’ legislation and there’s others pending. That’s just privacy legislation. That’s not biometric legislation or cybersecurity requirements around encryption of personal identifiable information. Those are very specifically privacy bills. So yeah, California is very influential, right? The fact that they’re whatever the fifth largest economy in the world and they’re doing things and they’ve got privacy boards and they’re active in this regard. So yeah, so that’s a lot and more coming every day. There’s particularly, as an example, I mentioned earlier, the administrative parts of the U.S. government are becoming a little bit more active in terms of the Federal Trade Commission and the FCC. So not everything actually has to be legislative as well. So there’s a lot of activity and it’s helpful, frankly, because it’s important that people have an understanding or at least respect the individual and their data.

Brian Walker: What are your thoughts on the IEEE Digital Privacy Initiative?

Salvatore D’Agostino: IEEE is widely respected and influential when it comes to computing information and network technology and standards. The Digital Privacy Initiative is first and foremost, a human-centric approach to privacy and necessarily security. So the fact that IEEE is advocating for this, it’s phenomenal. The fact that they’re giving voice to people who are also trying to work to advance digital privacy is greatly appreciated. I mean, there are a lot of motivated engineers. It’s a topic that people actually care about and having a place to do it and to find other people who are like-minded and then actually trying to do stuff. IEEE also provides platforms to do stuff beyond just the white papers and the advocacy. But we talked earlier a little bit about the need for education in this area. Yeah, IEEE is doing that as well. So it’s helping advance things on a number of fronts.

Brian Walker: So Sal, can you provide an overview on what Surveillance Trust is?

Salvatore D’Agostino: Surveillance Trust is a new entrepreneurial effort with the idea that maybe we also need to think about changing the economic model around how we’re working. I’m looking to establish it as a public benefit corporation in Massachusetts and the public benefit literally being security infrastructure for people, literally surveillance infrastructure for people. So the idea that if there’s public safety, then the public should be involved with and have access to and actually take great advantage of the infrastructure. So along with the digital highways that we might be building, it would be nice if, in fact, some of the services that were available were built for people effectively. It’s a new effort. I’m looking forward to actually standing up some of the registries for providers of surveillance technology so that they can actually– one of the things we learned early on in doing the license plate reading work was that if you’re going to do surveillance, you really need to be very transparent about it. The same thing is true with the way security works. If someone were to say to you that they’ve got this proprietary method that makes us do the world’s best cybersecurity, you need to basically run away from them because the way the security works is that you’re open about the standards and the approaches that you use. You’re open about the cryptographic processes and it’s open to peer review and comment. So I think it’s critical that we have the same sort of approach to personal security infrastructure and surveillance. Trust is being established to begin to put in place the opportunity for anyone who’s providing security to provide public resources to help support that. Any earnings that we have will go back into maintaining that infrastructure for people.

Brian Walker: As an entrepreneur, what kind of advice would you offer young students or professionals looking at the digital privacy space as a career track?

Salvatore D’Agostino: Yeah, so I highly encourage it. I think it’s both an old and a young field, right? So as someone who has been referred to as having done old-fashioned AI, what I actually think I’m finding out is that the hands-on experience with finding opportunities to take on large responsibilities early, maybe not caring all that much about– well, clearly you’ve got to pay rent and eat, but the opportunities to learn beyond or put to work your education to develop and grow your knowledge and understanding of what digital privacy means, perhaps in an area that you really find interesting. For me, it was always sort of the little machines and the automation stuff and vehicles and those kinds of fun things. I think it’s also helpful to go both wide and deep, horizontal and vertical. Just expose yourself as much as you can, I guess, in terms of different places in the ecosystem, right? So if you can begin to understand things from a customer perspective or from a supplier perspective or from a regulator perspective, and not necessarily you need to change jobs, but maybe somehow you gather that experience in the work that you’re doing. To me, those are the kinds of things that have helped me, but different people have different brains. So find things that you enjoy and are good and like showing up for. Also, don’t be afraid to volunteer for other things. There’s lots of opportunities in places like IEEE and other organizations where you can get experience and things. In fact, the activity that they’re involved in is something that you really like and maybe could pursue a career there.

Brian Walker: Thank you for listening to our interview with Salvatore D’Agostino. To learn more about the IEEE Digital Privacy Initiative, please visit our web portal at digitalprivacy.ieee.org.