This workshop was co-organized by the Citizen Lab at the University of Toronto and the Internet Society, and was moderated by Brenden Kuerbis, Postdoctoral Fellow in Internet Security Governance at the Citizen Lab. Panelists included Andrea Servida (European Commission), Robin Wilton (ISOC), Mawaki Chango (Association for Progressive Communications), Marc Crandall (Google), Bill Smith (PayPal) and Malavika Jayaram (Centre for Internet & Society), along with a pre-recorded interview with Naomi Lefkovitz (U.S. Dept of Commerce).
Setting the Stage
The governance of identifiers underlies many debates at the Internet Governance Forum. How unique network identifiers like new gTLDs or IP addresses are governed impacts a range of issues from access, privacy and free expression, to copyright enforcement and cybersecurity. The premise of Workshop #163 is that we are in the formative stages of governance for a new set of identifiers, those associated with individual persons. Governing individual identity on the Internet presents enormous challenges with respect to 1) differing views on the roles and responsibilities of the public and private sectors, 2) developing mechanisms to govern Internet identity, and 3) the incorporation of fundamental rights in the governance of Internet identity.
Governments and Internet identity
The United States government and the European Commission have initiated governance activities pertaining to identity on the Internet. Numerous other governments are pursuing national identity initiatives, e.g., India’s Aadhaar identity cards that incorporate biometric information. However, the USG and European Commission efforts are explicitly about governing identity on the Internet. Naomi Lefkovitz reviewed the USG’s National Strategy for Trusted Identities in Cyberspace (NSTIC) and the subsequently created governance body, the Identity Ecosystem Steering Group (IDESG). In June 2012, the Department awarded a two-year grant to Trusted Federal Systems, Inc. to provide secretariat functions for the IDESG and facilitate the convening of stakeholders with the goal of achieving agreement on the standards, policies and a unifying accreditation system that would underpin consumer identity on the Internet. It also awarded $9 million in grants to organizations to develop Internet identity solutions consistent with the goals outlined in the NSTIC. In the spring of 2012, the European Commission, building on several European identity efforts (e.g., STORK), published a legislative framework for interoperable electronic identification and trust services that “empowers citizens and companies” and recognizes “legitimate government interests around public safety and policy.”
These domestic or regional initiatives belie the transnational nature of the Internet and raise questions as to why governments are active in this space. The relationship between identity and authority was noted. The state has traditionally presumed the authority to issue identification, but on the Internet “there’s no one unifying [governmental] authority”, nor does private actor authority traditionally extend beyond organizational boundaries. Therefore, there is a “natural call” for some kind of authority to “link the different spaces [of the Internet] together in a way that...recognizes [an] entity as being the authority.” It is efforts like USG’s and the European Commission’s that are attempting to fill this perceived vacuum.
Mechanisms for governing Internet identity
Contractual regimes as a mechanism for governing Internet identifiers are familiar territory and can have global reach, as has occurred with domain names. Private actors in numerous industries (e.g., credit card, education, health, defense) have created contractual agreements to federate identity usage across borders (e.g., Liberty Alliance). While nominally a national strategy, the USG’s effort represents an attempt to create federated identity at Internet scale. However, arriving at a set of baseline rules, policies or standards that all parties can abide by will be difficult. As much flexibility as possible must be provided to organizations managing users’ identities in order to allow compliance with various regulatory requirements and jurisdictions. It was also noted that, in the case of the financial industry, some companies don’t see themselves as providers of identity used for authentication, but rather as providers of a credential used to authorize a transaction. Nonetheless, it is quite possible (perhaps likely) for the use of an identity credential to be extended beyond its original intention. E.g., passports have become a de facto credential for identification and authorizing activities in addition to their original purpose to identify citizens and facilitate crossing of borders. An important area to watch will be the voluntary nature of government-initiated efforts, and how the credentials that these initiatives foster may become de facto forms of identity via their widespread adoption (e.g., for access to e-government services). Another important area is the assignment of liability. Governments assume no liability for the repurposing of a passport credential. Managing the commercial liability associated with reliance on federated credentials will be a critical issue going forward. E.g., if a party is relying on another organization's assertion of a user's identity in support of a transaction, how will identity-related risks be separated and managed distinctly from other risks?
Identity models and implications for rights
The classic model of providing identity, e.g., a government issuing a passport, can be summarized as a single authority issuing a trustworthy credential. This high-level-of-assurance credential and its associated authentication process and liability models are relatively mature. However, the emerging model of Internet identity relies on lower-level-of-assurance data from multiple sources with different levels of reliability. These data convey individual and contextual (e.g., location) attributes concerning a transaction and allow a relying party to make a determination regarding authorization. This allows systems to look for patterns and anomalies rather than rely on a single trusted source of identity. Such a model allows the relying party to apply dynamic risk management techniques to any transaction, as opposed to determining liability ex ante.
The two models can be merged, where a trusted identity from a recognized authority is supplemented with attribute data. Arguably, this reflects what is proposed by the USG’s NSTIC, with its recognition of both public and private identity and attribute providers as IDESG stakeholders, and the European Commission, which builds “on the initial element of trusted identity as they are to some extent hooked into the legal system of individual Member States...on top of which private sector is called to provide much richer authorization credential-based on authentication or reputation based type services that will make the disclosure of identity to be the last resort instead of the practice.”
The notion that attribute data from a variety of Internet-based transactions can be associated with an individual’s identity obviously raises privacy concerns. It raises questions of data management and the obligations of identity and attribute providers to protect personal data. E.g., the Article 29 Working Party issued guidance in July 2012 with respect to enterprises’ use of cloud services to store personal data. The absence of legal frameworks to protect privacy in some countries was also noted. It is true that such a system can be designed to provide transaction authorization without revealing identity information and thereby be privacy preserving. However, it is a policy choice whether such systems and transactions are anonymous, pseudonymous, or identifiable, which makes the governance regime’s foundational documents and the participation of all stakeholders, including individual users, important. To this point, the IDESG has institutionalized review by a privacy committee of any policies or standards recommended for adoption.