The following are the notes and findings from the Panel Session
Louise introduced the session and the panel, explaining that we would have five-minute presentations from the panel members outlining three key issues. The first of these is the commercialization of the internet, with Louise covering the western view and Asrar Baig the eastern view of this topic. Governance on the internet will be covered by John Bullard. Then Andy Smith will cover the implications for identity of balancing security and privacy.
The panel discussion was then about an hour and was a good interactive session. Louise explained that the panel was organized by the BCS, the Chartered Institute for IT.
The Identity Assurance Working Group within the BCS has the aim to drive improvements that are needed globally on this subject through the U.N. Internet Governance Forum.
One topic to consider is how to develop valued incentive models that match the requirements of people for identity for eCommerce. The panel looked at the whole framework for identity governance on the internet and the complex topic of trust in transactions with remote identities. This included the use of anonymity, pseudonymity and attribution.
The most fundamental finding from the work last year was the confirmation that security, privacy and anonymity are culturally and contextually sensitive topics. They are hard to define and agree on, and very emotive. Proportionality will be raised in every discussion of identity on the internet.
This year, the panel was focusing on a modified set of issues: the commercialization of the internet, including legal frameworks; the effect of the internet on economic development; the contextual nature of identity; and the different drivers for security and privacy and how they can be better balanced.
Over the internet you need different levels of certainty about who the other party you're communicating with is, and you need a level of certainty that's appropriate to the transaction you are doing. This covers a whole spectrum of problems, from the certainty that you've logged onto a legitimate supplier website to being certain that you're transferring funds to your own bank account. Each different type of transaction calls for a different level of trust.
The key question in every transaction on the internet is: is the other party good for the transaction? It's exactly the same issue as if you were doing it in the physical world. Can they deliver the goods? Can they pay for the goods? And most importantly, bringing in the legal issue, what redress are you going to get if this transaction doesn't work and something goes wrong?
If you're doing business with an organization, you need to know the business is legitimate and has processes in place that mean the individuals from the organization you're dealing with have the authority to undertake the transaction.
You don't actually need to know the individual's identity within the organization. You need to know that the organization is the right one and has internal systems that are going to check the transaction that's carried out.
There are a lot of different commercial models on the internet, and some services are free, or below cost, because there is value in the data that we, as individuals and customers, give up when we're using those sites or services. We should know that there's a quid pro quo, which is usually targeted advertising. A quote from Blue Beetle was: "If you're using a free service, you're not a customer, you're a product."
There are costs associated with the internet. If you don't want to pay for those services and access with cash, then you have to realize that maybe you're paying through your taxes, or maybe you're paying through the abrogation of your activities as an individual identity on the internet. When you talk to young people, they mostly accept this paradigm.
It can be a win-win situation. The individual can get subsidized or free services, access to information, by giving up personal information about themselves and their identity that they think is of equivalent value or less value than the services they're getting.
If you don't want your identity attributes to be used and privacy really matters to you, then you either go offline, pay for your protection, or pay to understand how to protect yourself. We need to make our own informed choices, and these will be culturally and contextually completely different for each of us at any point in time and over time. We'll change our views on these, perhaps as we grow older.
The ability to retain anonymity, particularly in countries with repressive regimes, in some situations, is absolutely vital. However, identity assured at some level is needed for many transactions. Most importantly, it's actually needed for commercial transactions when you're buying or selling things. You need to know the counterparty will supply the goods or pay the price.
You may also need to know identifiers for some things. This is becoming increasingly important as we have smart homes and online health takes off. If you're a diabetic and your doctor is monitoring your blood sugar level remotely and automatically increasing the flow of medication, which is already happening in some places, you need to know it's your medication that's being changed, not someone else's.
So, managing your online identity and the identity of things or organizations that are associated with you is becoming a vital life skill for everybody. How can we possibly manage that effectively on a global scale with billions of people and a trillion things attached to the internet?
Turning to the Eastern view, and more specifically the Arab world, there are significant cultural differences. When we look at internet governance or the commercialization of the internet, we are far apart, but we can benefit a lot if we look closely at and analyze the eastern aspect.
If you look at internet security and privacy, in the western world they sit at one extreme, whereas when you come to the east they sit at a very different extreme. In the Arab world people are used to being monitored. In the western world, you want everything to be more open, and it's already very open.
On the products side we have new challenges, whereas on the service side the Middle East has come forward in leaps and bounds over the past few years. Now there's a lot which can be done over the internet, including e-government: everything is on the e-government side. You can do transactions with the government using the internet, and many other services, such as telecom services, airline tickets and hotel bookings, are now done over the internet.
When you come to the product side, that's where the biggest challenge is, because in the Middle East people are more used to buying products they can touch and feel, the tangible thing.
Then we have other challenges: we don't have the real infrastructure in place for the logistics to move goods from one place to another. Many places do not have postal addresses. On top of that, the east often lacks the legal framework to protect the consumer. So, from that aspect, trusting that somebody will ship something and that it will be delivered without problems becomes difficult.
On the trust side, trust at face value is totally opposite. In the Arab world people trust very much at face value. When somebody says who he is, it's often not questioned; they just want to believe it. To ask somebody for their identity or to cross-question them is like offending them.
This trust at face value is not lost when you go onto the internet; it's more like, with the technology there, it has to be true. Anything written on the internet, by anybody, you consider valid, as true. This level of naivety on the internet can be problematic.
In the Middle East privacy is not so private. We accept, in our part of the world, being monitored. Why? Because we have this trust in the government, thinking the government is supposed to provide us with security, and so they're going to be monitoring us.
When we have these kinds of talks in the modern world, people in the Middle East aren't looking to the private sector to provide digital identities for e-commerce; they're looking to the government, and want to make it accountable or responsible for bringing security to identities on the internet.
One question is how privacy advocates can avoid going overboard in pushing eastern societies to be more aware of their rights. I know it's very tough for western people and privacy advocates to see that this is a different aspect; looked at from the western side, it's completely different.
If you look at the east, the number of people getting onto the internet is huge and multiplying many-fold every year. So how can this framework enable the masses in the east to gain benefits from it quickly?
What boundaries of internet identity would advocates of anonymity accept? When we say the word freedom, there is a definition requirement. What is freedom? And that definition requirement can only be fulfilled if we know the boundaries of the freedom.
Giving a commercial perspective: whatever we may say about the eastern view or the western view, the internet makes no difference at all. Whether you are trading in Birmingham, U.K., Birmingham, Alabama, Bahrain, Bali or Baku, it makes no difference whether the counterparty is on the next street or on the other side of the world. We have to build some form of framework, some form of trust model, that will enable wealth and commerce to take place.
How do we enable small businesses to interact with their counterparties in a trusted manner so that commerce can take place? The internet offers an enormous opportunity to do this, but we must bring some form of governance, some form of trusted identity processes into the picture to enable this to happen.
What do we mean by trusted identity? We may mean having absolute certainty of who you're interacting with. We need to know who guarantees the identity of the individual person or organisation. We need to have a complete and transparent audit trail of who did what and when.
We need to see trusted electronic identities as a key component in limiting liability and external exposure. So there must be some form of liability management, if things go wrong, where can I look for redress? Those are the key issues we should seek to address from a commercial and from a business perspective around the world.
Identity is a critical piece of a trust model which needs to accompany the commercialization of the internet. The other two things we need to be thinking about in this context are what aspects of identity are to be managed and who will be covered by any identity management solution.
The technology is the easy bit. It will do what it says it will do. The human bits become much more complicated, particularly when you look at the liability and legal issues. How can we link together the buyer in Bali and the seller in Birmingham so that everyone knows what their liabilities are and are not?
It's easy to have identity management internally or within a community of interest or within multiple communities of interest. But once you get to multiple communities of interest across multiple legal jurisdictions, it can get much more complicated.
We could have the equivalent of a scheme such as Visa or Mastercard. If you think of that in the 20th century, and then think of the internet era and the joining up of payments with all the other pieces of a transaction, you need some scheme, some method, some legal liability framework that all parties can sign up to.
It is likely to be a number of private sector initiatives that can interact based upon the law of contract, so that everybody knows what their liabilities are and what they are not.
From a government perspective, we would suggest that governments are not in the business of managing their citizens' liabilities. That is not what government does or should do. Government should make use of these sorts of private sector initiatives in much the same way as governments use the world's payment networks. They do this today with significant trust.
So one thesis is that, if we can have some form of global contractual structure, through things like financial institutions, which are regulated at the country level, then it should satisfy all the different blends of government that we have around this planet and instill trust in the use of identity.
Security versus privacy and openness is a really contentious issue. It is a very difficult balancing act. And finding the right balance is proving incredibly difficult if not impossible.
On the one side, you've got national security and law enforcement, actually protecting the majority from the minority: the government's obligation to make sure that all the citizens in a country are protected from those who would cause them harm, from those who would commit identity theft, fraud and other such activities.
On the other side, you've got the right to privacy, you've got fundamental human rights, and in Europe, you've also got data protection legislation, all aimed at protecting the individual.
In some ways, privacy and the right to privacy is about protecting yourself. Some also claim that anonymity is part of privacy and therefore also a right. This makes the balancing act even more complicated, because some of the things you do for national security can be misused and used against people, and some of the things you do for privacy can be misused too.
More and more, as organized crime moves onto the internet, you're actually seeing criminals using the laws and rights that are being granted around data protection and privacy to protect themselves and their activities online, and using those laws to misuse the internet against individuals and against law enforcement.
When it comes to identifying someone, how good is good enough? We have a lot of problems with stolen identities. We have a lot of problems with online fraud. Much of that is caused because the root identity cannot be confirmed, cannot be traced, or can be too easily stolen or misused. So when you're interacting with someone, either you don't know they're the legitimate person, or they don't know you're a legitimate organization and one they should be doing business with.
From a sort of governmental point of view, if you're going to give someone a passport, you want to know they are who they claim to be and they are a national of your country and they have a right to a passport and a right to travel.
But if you are just letting someone download a free report on the Internet do you really need to see their passport?
We have a lot of people going online, a lot of young people going online. They're following the crowd, they're following what their friends do, and they're putting a lot of their personal information up on the internet. It's being captured, it's being stored, and they can never delete it again.
We have situations where large companies are interviewing people and actually asking to be friends with them on Facebook or connected to them on LinkedIn, so that they can see their personal information, the type of person they are and who they consort with. That's a bad use of someone's personal information. People's personal information cannot be deleted. Once it's on the internet, it's there to stay.
People may do silly things in their teens; when they go to get a job in their 20s, the people interviewing them can see what they did in their teens and can hold it against them. You cannot stop people from doing stupid things in the first place, but how do you protect the naïve from themselves? Can you? Should you?
Will we ever be able to balance the need for security against the need for privacy? And, do we actually need to do it the same for everybody? Can we actually have different forms of balance in different countries, in different jurisdictions and in different contexts?
How do you have any assurance in a remote identity? Whether it's a government dealing with its citizens or a commercial organization dealing with customers, how do you actually have assurance in the identity? Organizations like eBay, PayPal and Amazon seem to have got a model to work. They're using ratings based on feedback. As you interact with them and with other people, your identity becomes corroborated and the level of trust improves. It's not perfect, but it works.
You're basically getting an identity rating. So, whereas the financial industry has credit ratings, things like eBay operate the equivalent of trust ratings. Is the concept of identity ratings one that we want to use? Is that a concept we want to actually establish, the idea of identity ratings online?
Currently there are only a few identity documents, and only a few ways of verifying identity. When you come to get a credit card or a bank account, or when you set up your account with Amazon, normally they will use things like your passport, your birth certificate or some other breeder document to initiate the new identity you're creating in that context. But it always comes back to a few documents. It always comes back to the passport. If you have a passport, you can get a driver's license, a bank account, a mortgage, et cetera.
One of the workshop participants raised a very critical point during the discussion: "I think there are a number of confusions. I don't think anonymity is the same as privacy. People can know who I am without knowing everything about me. I think it's important to retain these distinctions. And also, at this conference, a lot of people are talking about what their rights are in different places; quite honestly, I don't see how you can have rights without having a rights holder."
Louise responded – “I agree with you that anonymity and privacy aren't the same thing. I think they're often allotted together and this caused an enormous amount of confusion…”
Asrar made the follow-up comment: "It looks like it's really a security issue rather than an anonymity issue. Because the person who will declare something doesn't like somebody to know it, just because they feel threatened by them. But in an ideal world, if there is ideal security, then we really don't look for anonymity at that point. Because we have those threats, that's the only reason we require the anonymity."
Andy followed up with "I agree completely that privacy and anonymity are different. The biggest issue I have with anonymity is where people actually abuse it and use it to their own advantage" for nefarious means.
Privacy is about not giving personal details to people who have no need to have them. You may give your name, you may give a pseudonym, or you may use some form of identity tag on the internet, but in most instances it should be traceable back to a root identity, and only people like law enforcement or intelligence agencies should be able to do that tracing.
A workshop participant then made the following point: "This problem is often posed as one of drawing the balance between privacy and security. One of my counterparts said we have to optimize for security and privacy. I think that's even more challenging than simply drawing the balance between the two, but it is something we need to try and step up to."
When it comes to the anonymity versus privacy versus security debate, again it's an emotive topic, but it is often characterized by the "if you've got nothing to hide, you've got nothing to fear" argument. My problem with that is that there are always bad actors in the system, even amongst those, for example, who have authorized access to data. Under those circumstances, the question is: who do you have something to fear from? It may well not be the people asking for your information; it may well be third parties who don't have your best interests at heart. That's something that needs to be designed into these kinds of systems.
Louise made the point that reputation and trust are other very important issues and reputation is not only important to individuals, it's enormously important to institutions.
We have to trust the market to deliver some of these things, and there'll be some absolutely trusted organizations that people will be comfortable going with. If people become sufficiently uncomfortable with a particular policy of a particular organisation, or its reputation gets damaged, or people lose trust in it, they will simply move to a competitor. Many websites have gone out of business when they have lost customer trust. Those that protect their reputations have become household names.
John made the point that "I think the key issue there is liability. If something goes wrong, where do I get recourse from? That seems to me, when all else is said and done, incredibly important for trust and for doing business on the internet."
Asrar provided a slightly different view on this point: "I believe there's still a balance required when you just say that the markets can decide, and once we have their organization and people, based on their liking, can do that... Because sometimes, things like what happened in 2008, the financial collapse, was again the same market, and what happened in the days of the dot com collapse, when everything went wrong by just leaving it to the market. There is, again, a responsibility and accountability which has to be there by somebody."
There has to be somebody on top of the regulators. You are required to have a framework; if you just leave it, the banks can do it the way they want to, and the market is just driven by money and profit. If you leave it to be driven by profit, who will look after the real interests of customers?
The panel then moved on to another question, posed by a Dutch participant: "In real life, you have a right to be forgotten. When you don't want something you have produced, or anything else, in the market anymore, you have the right to ask to take it out of the market. On the internet, it's not possible. So... what's your opinion on that?"
Andy made the point, "If you post stuff on the internet, it's there forever." It will get copied, it will get backed up. You try to delete it from one source and you find it on another source. But he made the point that you have this problem in the real world too: once you're in a printed newspaper or on TV, you will never be forgotten. You just have to be careful in the first place.
Around London there are over 7,000 CCTV cameras that are run and monitored by different parts of the government. On top of that, you've got tens of thousands of CCTV cameras put in by industry, business and even private individuals. Nobody sits and watches all of that all the time. The police have 12 people looking after 7,500 cameras. If something bad happens, they go and find the tapes and look. That's pretty much what's happening with the internet and with data capture on the internet. Nobody's looking at it, there's just too much of it, but if something bad happens, they can have a look at the tiny little bit that's relevant.
You have to understand, from a proportionality point of view, it's not that they're tracking everybody; it's that there are lots of big computer systems storing lots of data that could potentially track everybody, and as and when they need to, they go and find the bit that's relevant. They don't have the resources to do more than that, and they don't have the inclination to do it either.
The final discussion point was: how can an internet identity framework become an e-business enabler for the masses in the east?
One participant commented that in the East the main issue with e-business is often two things. First, getting a credit card is a pain: you have to be already employed, and it takes a while. Second, people have a fear of getting their identities stolen by a hacker, because during the late 90s there was a huge amount of hacking.
Asrar made the point that there are companies trying to address this. There's a starting point from a company which started in the UAE. The company is a Canadian company that shifted its business model to the Arab world. They said there are too many blue-collar people working in the Arab world who are not connected with any kind of internet identity, e-commerce, banks or so on. They started by putting ATMs, specifically their own ATMs, around different organizations which have a few thousand employees, with salaries paid onto cards issued to every single employee.
Now those staff have started having that identity. The same card can be used anywhere across any of the countries, because it's really a debit card, which can be used everywhere. Not only that: with that card in place, the same organization, which isn't a bank but is now acting like one, has started offering micro-financing. People can take small loans, and repayments are automatically deducted in the same manner. All of their money transfers can be done using the same card. So it suddenly gave them a lot of ease.
The BCS has made a lot of progress in the last two years, defining what the problem is and coming up with answers, but the balancing act between security, privacy and openness is going to remain emotive and is going to remain very hard. We're just going to have to work hard on this, and the U.N. and the U.N. IGF are very good forums in which to keep this moving forward.