(No.50) Aspects of Identity

Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

This workshop addresses aspects of the following theme questions from Security, Openness and Privacy:

Question 1: What impact can security and governance issues have on the Internet and human rights? In this case the right to privacy
Privacy is a fundamental right, but so is national security and the right to feel safe, which is derived from enforcement of law. Privacy is giving people the ability to protect and control the dissemination of their personal information. However, even in the physical world it is not possible to retract or remove information from the collective consciousness, for example something published in a newspaper. The problem, however, is not the balance of security v privacy; it is actually security & privacy v anonymity.
We need to better manage and improve governance of the Internet and identity usage so that in general privacy is upheld but where necessary someone can be held accountable for their actions.
Question 3: What risks can Internet fragmentation pose to security, privacy and openness? If identity governance becomes fragmented and requirements change what impact does this have?
If identity use and governance becomes fragmented it will destroy many of the benefits of the internet as a global resource. The market may well deal with this as there are business and funding drivers that require the effective globalisation of identity. This will effectively come about by contractual relationships and an effective liability model as we have today with passports.
Question 5: What risks do law enforcement, information suppression and surveillance have on security, privacy and openness? Identity information can be used as a tool by state and law enforcement both for good and bad reasons, how do you strike a balance?
Anonymity is the biggest conceptual headache, not privacy. Privacy is good and hard to misuse; anonymity can be misused. Surveillance is often ineffective, as you often only surveil those that are law abiding when you capture internet logs. Law enforcement is fundamental to the security of nation states. The balance is probably more between anonymity and security than between privacy and security.
Question 6: What measures can be taken to ensure freedom of expression, access to knowledge and privacy, including for children? Can anonymity really be possible on the Internet and does this have implications on providing a tool for criminal and terrorist organisations?
Anonymity will always be used by the bad guys. We already have organised crime using data protection and human rights, especially Article 8, to protect themselves against being traced, being prosecuted and general law enforcement activities. One-way trust models and zero-knowledge proofs of knowledge are examples of ways in which pseudo-anonymous activities can be transacted but with the ability to hold those who perform criminal activity accountable.
However, this would give suppressive regimes, and those that misuse the information, dangerous tools they could misuse. Until we have a fully democratic world we will have to find a balance between security and anonymity and become much better at improving privacy. For now we need to start defining the boundaries and contexts in which each identity balance should be tuned.

Concise Description of Workshop: 

This workshop is intended to enable the exchange of ideas around various Aspects of Identity on the Internet, allowing the panel of identity experts from the Middle East, Asia and Western Europe, to interact with the participants with the aim of achieving some consensus on key aspects of identity use. Importantly this needs to cover the global or “borderless” perspectives of identity over the Internet.
The workshop is titled Aspects of Identity, as it was at IGF 2011 in Nairobi, because it covers a number of different closely related topics. There are three objectives for this workshop:
1. To look at the governance of identity on the Internet and its impacts on security and privacy.
2. Look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development.
3. To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services.
This workshop focuses on registration of people onto Internet sites (and the protection of their personal data), either for obtaining identity credentials or for getting access to services. It does not cover access control, user authentication or any subsequent use for ongoing logon or authorisation systems.
It addresses aspects of three of the main theme questions and follows on from the workshop presented at IGF 2011, including the report (Aspects of Identity Yearbook 2011-12) and the presentations at the UK IGF, InfoSec 2012 and EEMA Identity Governance 2012 (links to these are provided below).
Identity Governance on the Internet – This topic follows on from the output of the workshop at IGF11. The discussion is about who should have control of personal identity and what legislative or standards framework would be practical for such a vast range of applications. The panel have some ideas and would like to solicit input as to their international practicality. The registration process for identity credentials can reveal vast amounts of personal information. These are not only at risk from malicious code (Trojans, keyboard loggers) and criminal elements (e.g. credit card thieves), but from misuse by organisations and in some cases governments that collect the data. How can a governance framework reduce the likelihood of misuse and allow safer registration for users? How will such a framework help Internet development especially in developing countries where online services may be much more practical than physical services in some cases, but where data protection is not enshrined in law?
Commercialisation of Identity – There are a lot of people who do not realise identity information has value and is often used as a currency on the Internet. Identity is used not only for buying access to information and resources, but also linking people together in social networks and in ways they may not want. It allows targeted marketing and is responsible for some of the value of many big organisations on the Internet. However, it also allows for targeted attacks and identity theft. This topic will generate discussion on how to make people aware that their personal information has value, to them, to organisations and to criminals and to look at how identity is used as a currency on the Internet. This will cross-pollinate with various other workshops around commercialisation of the Internet and privacy. Identity registration is one of the primary ways that personal information gets on to the Internet in the first place. Internet services such as using a mobile phone for both micro payments and online banking may be much more practical in some countries than traditional bricks and mortar banks. But how does a bank know the person registering is who they claim to be and how does the person know the bank will not misuse their information?
Identity theft and the misuse of online identity is a growing concern and identity data is becoming much more valuable to organised crime. This topic covers the balance between privacy, security and openness with aspects from registration of users to minimising the privacy impacts of registration. How do you protect the naïve from themselves? How do you get people to understand that what they put on the Internet stays there forever and can be seen in future interactions, such as when applying for a job or starting a new relationship? How do you make online registration safe and minimise the amount of information required and protect people’s privacy, but still allow that information to be corroborated to meet business risk management requirements? This topic is one of the fundamental issues facing the development of the Internet and its use. How can the internet be made safer for everyone by ensuring that anonymous activity is possible where it is not used for illegal purposes?
There are significant information resources on the Internet, for learning and development, but should identity be used as a currency to buy access to this information? These aspects are critically important for children accessing the Internet who do not realise the risks of revealing personal information in online registration or social networks. Should there be laws enabling redaction or real deletion of information from social networks? Can consent be revoked?
The workshop last year proved very effective in providing an international context and deriving useful answers to a number of key questions. This year the aim is to build on that work and try to address some of the areas that are becoming critically important, due to the widespread use of identity online and the cyber security risks now posed by organised crime and other threats targeting Internet commerce and government presence on the Internet.
The format is a number of short presentations (about ¼ of the time) followed by a panel based question and answer session, giving members of the audience the chance to contribute and provide both answers to the questions posed but also allow the audience to raise further questions and help develop a way forward.
This workshop is a feeder workshop to the main Security, Openness and Privacy workshop. The findings from this workshop will be presented by our rapporteur at the main session.
We produced a booklet following the IGF in Nairobi, which is freely available on the Internet and to all IGF participants. We commit to producing a similar booklet following this year’s IGF, taking into account input from InfoSec 2012, IGF UK Nominet workshop 2012, EEMA workshops in 2012 and IGF 2012.
We intend to form a Dynamic Coalition following IGF 2012 and intend to seek input and membership in Baku. This will be managed by the BCS, which is a worldwide membership organisation with 70,000 members (www.bcs.org) but will be open to anyone on the Internet.
The panel is international, with members from the UK, Saudi Arabia and Sri Lanka. Those from the UK have spent decades working in many other countries, including various developing countries and the Middle East. All panel members are confirmed to attend and present.
The primary background papers for this workshop are the output from last year’s work including the workshop at IGF11 (see previous workshops) and the write up for the UK event earlier this year (see Background paper).
We are willing to merge this workshop with workshops that have the same discussion threads and outcomes, to support both our report and the formation of a Dynamic Coalition.
A remote hub was used successfully last year and will be integrated into the workshop more fully, based on last year's experience, with the same moderator.
Workshop Agenda:
The workshop will consist of a short presentation (5 min) from each panel member on their specific areas of interest. The panel will then be opened up to questions and discussion from those present and remote participants. The aim is to try and address and discuss the 3 key themes:

  • Governance of Identity on the Internet - how it impacts security and privacy
  • The use of Identity in commercialisation of the Internet - personal information as currency
  • The balance between privacy and openness including protecting the naive from themselves


Background Paper: 
Organiser(s) Name: 

Organiser & rapporteur - Andy Smith
[email protected]
BCS - www.bcs.org
EURIM - www.eurim.org

Previous Workshop(s): 

The following is the workshop we conducted last year: http://www.intgovforum.org/cms/component/chronocontact/?chronoformname=W...
The resulting report is freely available here: http://www.bcs.org/category/6046
We also presented at the UK IGF 2012. The summary of workshop 1 can be found here: http://www.nominet.org.uk/about/events/policyforum/

Submitted Workshop Panelists: 

The following are the confirmed panelists and moderator:
Louise Bennett - BCS - Chair of the Security Forum of Expertise (SCoE). Louise has many years’ experience in both security and privacy including commercialisation of the Internet and is representing BCS worldwide including the BCS Youth forum and women on the Internet.
Andy Smith - BCS SCoE - helped set up one of the first Internet service providers in Pakistan and spent years working in the Middle East on Internet security. He now works for UK Government on identity assurance and is representing BCS worldwide and EURIM UK.
John Bullard - is Global Ambassador for IdenTrust, providing identity systems for online banking and funds transfers. He has many years’ experience helping banks in developing countries and Europe set up secure online identity systems to help prevent identity theft and protect privacy.
Asrar Baig -  Runs IT Matrix in Bahrain & Saudi Arabia - a consultancy that works across the Middle East. He has considerable experience with Internet security and online identity including prevention of identity theft and brings a unique perspective on privacy and use of identity for access to information from the Middle-East.
Sujit Christy - Is a member of the BCS in Sri Lanka and is representing the Indian and Sri Lankan interests in identity and preventing identity theft. He is a Director at Layer-7 Securo Consutoria Pvt Ltd with several years of experience in cyber security & compliance.

Name of Remote Moderator(s): 
Ian Fish - BCS SCoE - Ian moderated the Aspects of Identity session in Nairobi. Ian is highly experienced in Information Security and identity on the Internet and will manage external questions and input to the session.
Gender Report Card
Please estimate the overall number of women participants present at the session: 
About half of the participants were women
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Reported by: 
Andy Smith
A brief substantive summary and the main issues that were raised: 

Members of the BCS Identity Assurance Working Group (IAWG), supported by IT Matrix from Saudi Arabia and IdenTrust from London, attended the UN IGF meeting in Baku in November 2012 to take forward one of the five calls for action agreed by the Policy and Public Affairs Board (PPAB) for BCS to pursue in 2011/12.
The panel was chaired by Louise Bennett (Chair BCS SCoE) and the other members were Andy Smith (BCS SCoE), Asrar Baig (IT Matrix) and John Bullard (IdenTrust). Remote moderation was performed by Ian Fish (BCS SCoE).
The IAWG prepared a follow up workshop on “Aspects of Identity” for IGF 2012, following up on IGF 2011 and other workshops including InfoSec 2011 & 2012, EuroDIG 2011 and UK IGF 2012.  The outcomes of these events will be reported back at a joint BCS/EEMA Thought Leadership Seminar on e-ID Enabling Business Transaction on 27 November at BCS.
The IGF in Baku was the seventh meeting; each year the emphasis and themes are changed. This is the second IGF at which the BCS have run a workshop. This year the BCS workshop fed into the Plenary session on Security, Openness and Privacy.
The IGF is described as a multi-stakeholder discussion. To date it has achieved consensus on a number of issues such as ways of dealing with child sex abuse on the Internet, where there is a large degree of international consensus. The attendees were: Parliamentarians, government officials, internet registrars (such as Nominet), business (largely the majors such as Microsoft, Google, Cisco, Nokia and some smaller businesses) and civil society (largely human rights, privacy and freedom of the Internet (or more accurately a free Internet) activists).
This workshop addresses aspects of the following theme questions from Security, Openness and Privacy. The IGF questions that the BCS was concentrating on addressing were:
Question 1: What impact can security and governance issues have on the Internet and human rights? In this case the right to privacy
Question 3: What risks can Internet fragmentation pose to security, privacy and openness? If identity governance becomes fragmented and requirements change what impact does this have?
Question 5: What risks do law enforcement, information suppression and surveillance have on security, privacy and openness? Identity information can be used as a tool by state and law enforcement both for good and bad reasons, how do you strike a balance?
Question 6: What measures can be taken to ensure freedom of expression, access to knowledge and privacy, including for children? Can anonymity really be possible on the Internet and does this have implications on providing a tool for criminal and terrorist organisations?
There were three main objectives for this workshop:
1. To look at the governance of identity on the internet and its impacts on security and privacy.
2. Look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development.
3. To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services.
Feedback from Workshop 50 Aspects of Identity.
This workshop provided some surprising answers and changes in direction.
The fundamental finding from last year was that proportionality between security & privacy is culturally and context sensitive, but also very hard to define and a very emotive subject. It is unlikely that there is one balance, and there will always be polarised views over the balance between security and privacy. However, the surprise was that the balance is not necessarily between security and privacy, but between security and anonymity.
The Key issues for this year were:
To look at the governance of identity on the internet and its impacts on security and privacy.
Look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development. Can identity be used as currency?
To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services.
The key questions we posed for discussion were:

  • Is identity legitimate currency to fund the Internet?
  • How context sensitive is identity?
  • How do you protect the naïve from themselves?
  • Will we ever be able to balance the need for security with the right to privacy?
  • How can an internet identity framework become an e-business enabler for the masses in the East?

The balance may not be between Security and Privacy. Both of these are about protecting people and protecting people's rights. The balance is more between Security and Anonymity. Privacy is difficult to misuse; anonymity can be and is misused. Even though anonymity intrinsically provides privacy, there is a significant difference between privacy and anonymity:
Anonymity is the ability to perform actions without them being traced to the person - which means both that they have the right to free speech without fear of repercussions; but also that people cannot be held accountable for their actions.
Privacy is the ability to only provide personal information to those entitled to it by law or that the person chooses to provide the information to of their own free will.
Privacy protects people's rights but does not damage the need for national security and law enforcement, which is normally built into privacy and data protection laws. However, anonymity can. Anonymity is not necessary for privacy but is often misinterpreted as a requirement of privacy; the two concepts should be separated.
Anonymity is only required where free speech or other actions could have negative repercussions against the person. In most western countries free speech is a legal right and anonymity can be used to avoid charges of libel and slander or for nefarious actions including cyber bullying.
Therefore the issue is not security v privacy. They both have the same goal of protecting people. The balance is between Security and Anonymity.
It is vital to have the right level of Identity assurance for the context of a transaction over the Internet. The assurance in the identity is context sensitive and can change from anonymously downloading pages from a news service to very high assurance when transferring funds between bank accounts.
In all cases the identity needs to be registered to the level of assurance required for the transactions, which means there needs to be effective methods for remotely identifying someone and issuing credentials.
Basing Identity on a liability model and using a contractual framework would significantly improve the trust and commercial use of identity on the Internet. Having some method of holding people accountable for their actions and for use of a trusted identity would significantly improve both national and global online commerce.
However for identity to stand up in court and be viable under a contractual framework, high assurance identity, meeting the tests (using a UK example) of ‘balance of probability’ for civil prosecution or ‘beyond reasonable doubt’ for criminal prosecution would be required.
Identity is used as a form of currency on the Internet, with people providing personal information in order to gain free or low cost services in return. This allows the "payment" for those services to come from targeted marketing and other sources. However, this does expose people to risks they may not realise. Data mining of the same aggregated data sets can be used for both targeted marketing and targeted crime.
There is still a lot of work to do with balancing and understanding the different drivers for security, privacy and anonymity, including how they pull against each other or overlap. This will be the theme for work next year.
Digital Identity is an on-going piece of work and becoming a critical subject for the success and globalisation of the Internet. The key is going to be to define a governance structure that will actually work and the conclusion was that IGF can play an important part in providing the stage for discussions, however such discussions are needed between the IGF meetings therefore a Dynamic Coalition is needed and the BCS has set one up for Identity. Anyone is welcome to join and can do so by sending an email to [email protected] with their contact details.
Most digital identity is still fundamentally based on physical identity issued by a single authoritative source (normally Government) - the original documents tend to be the national passport, or other Government identity documents such as ID cards or driving licence. This may be used directly to set up a digital identity, or indirectly, where it is first used to get a bank account or credit card which is then in turn used to get a digital identity. There are currently no effective methods of creating only a digital identity. Every digital citizen is still a citizen of somewhere.
People need real incentives to get online and perform commercial activities, such as the card for blue collar workers originally started in GCC but now moving into Saudi Arabia. Here a real world (physical) card can act as a digital identity and allow holders to go online and perform commercial transactions. But again this card is provided under a commercial framework and contractual model.
People also need to be helped to secure their online profile so that they are not subject to identity theft and fraud. Weak identities that have been exploited for criminal acts, and a few media stories, are already resulting in fear of going online across much of the Middle East. Schemes like the GCC card will help to rectify this, but user education and, in some places, media education is also required.
Fear of going online and being subject to identity theft is also prevalent in the West and much still needs to be done to help people to understand how to protect their identity and their privacy.
We should not be looking for a grand scheme, but rather small steps and maybe compatible standards so that small schemes can interoperate effectively. However someone needs to set the standards and this is another task that the IGF along with standards making bodies such as IETF and ISO could achieve.

Conclusions and further comments: 

The following are the notes and findings from the Panel Session
Louise introduced the session and the panel, explaining that we would have five minute presentations from the panel members outlining three key issues. The first of these is commercialization of the internet, with Louise covering the western view and Asrar Baig the eastern view of this topic. Governance on the internet will be covered by John Bullard. Then Andy Smith would cover the implications for identity of balancing security and privacy.
The panel discussion was then about an hour and was a good interactive session. Louise explained that the panel was organized by the BCS, which is the chartered institute for IT.
The Identity Assurance Working Group within the BCS has the aim to drive improvements that are needed globally on this subject through the U.N. Internet Governance Forum. 
One topic to consider is how to develop valued incentive models that match the requirements of people for identity for eCommerce.  The panel looked at the whole framework for identity governance on the internet and the complex topic of trust in transactions with remote identities. This included the use of anonymity, pseudonymity and attribution.
The most fundamental finding from the work last year was the confirmation that security, privacy and anonymity is culturally and contextually a sensitive topic.  It's hard to define and agree and very emotive.  Proportionality will be raised in every discussion in identity on the internet.
This year, the panel was focusing on a modified set of issues: the commercialization of the internet including legal frameworks, the effect on economic development of the internet, the contextual nature of identity, and the different drivers for security and privacy and how they can be better balanced.
Over the internet you need different levels of certainty about who the other party is that you're communicating with and you need a level of certainty that's appropriate to the transaction that you are doing.  This covers a whole spectrum of problems.  From the certainty that you've logged onto a legitimate supplier website, to being certain that you're transferring funds to your bank account.  That's a different level of trust for each different type of transaction. 
The key thing in every transaction on the internet is: is the other party good for the transaction? It's exactly the same issue as if you were doing it in the physical world. Can they deliver the goods? Can they pay for the goods? And most importantly, bringing in the legal issue, what's the redress you're going to get if this transaction doesn't work and something goes wrong?
If you're doing business with an organization, you need to know the business is legitimate and has processes in place that means the individuals from the organization you're dealing with have the authority to undertake the transaction. 
You don't actually need to know the individual's identity in the organization. You need to know that the organization is the right one and has internal systems that are going to check the transaction that's carried out.
There are a lot of different commercial models on the internet and some services are free, or below cost, because there is value in the data that we, as individuals and customers, may give up when we're using those sites or services. And we should know that there's a quid pro quo, which is usually targeted advertising. A quote from Blue Beetle was "If you're using a free service, you're not a customer, you're a product".
There are costs associated with the internet.  If you don't want to pay for those services and access with cash, then you have to realize, maybe you're paying through your taxes.  Or maybe you're paying for it through the abrogation of your activities as an individual identity on the internet.  When you talk to young people, they mostly accept this paradigm. 
It can be a win-win situation.  The individual can get subsidized or free services, access to information, by giving up personal information about themselves and their identity that they think is of equivalent value or less value than the services they're getting. 
If you don't want your identity attributes to be used and privacy really matters to you, then you either get offline or pay for your protection or pay to understand how to protect yourself.  We need to make our own informed choices and these will be culturally and contextually, completely different for each of us at any point in time and over time.  We'll change our views on these, perhaps as we grow older. 
The ability to retain anonymity, particularly in countries with repressive regimes, in some situations, is absolutely vital. However, identity assured at some level is needed for many transactions.  Most importantly, it's actually needed for commercial transactions when you're buying or selling things.  You need to know the counterparty will supply the goods or pay the price. 
You may also need to know identifiers for some things.  This is becoming increasingly important as we have smart homes and online health takes off.  If you're a diabetic and your doctor is monitoring your blood sugar level remotely and automatically increasing the flow of medication, which is already happening in some places, you need to know it's your medication that's being changed, not someone else's.
So, managing your online identity and the identity of things or organizations that are associated with you is becoming a vital life skill for everybody.  How can we possibly manage that effectively on a global scale with billions of people and a trillion things attached to the internet? 
Turning to the Eastern view, and more specifically the Arab world, there are significant cultural differences. When we're looking at internet governance or the commercialization of the internet, we are way apart, whereas we can benefit a lot if we really look closely and analyze the eastern aspect.
Because, if you look at internet security and privacy, then you'll be looking at that in the western world, the security and privacy is on one extreme whereas when you come to the east, it's in a very different extreme.  In the Arab world people are used to being monitored.  In the western world, you want everything to be more open.  And it's already very open. 
On the products side, we have new challenges, whereas on the service side, over the past few years, the Middle East has come forward in leaps and bounds. Now there's a lot which can be done over the internet, including e-government; everything is on the e-government side. You can do transactions with the government using the internet, and a lot of other services like telecom services, airline tickets and hotel bookings have gone on to be done over the internet.
When you come on the product side, that's where the biggest challenge is because in the middle-east people are more used to buying products with a touch and feel, the tangible thing. 
Then we have other challenges: we don't have the real infrastructure in place for the logistics to manage the goods to go from one place to another. Many places do not have postal addresses. Not only that, the East often lacks the legal framework to protect the consumer. So, from that aspect, trusting that somebody will ship something and that it will be delivered without problem becomes difficult.
On the trust side, the trust on the face value is totally opposite. In the Arab world people trust very much on the face value. When somebody says who he is, it's often not questioned; they just want to believe it. To ask somebody to give their identity or to cross question them is like offending them.
This trust on the face value is not lost when you go onto the internet, it's more like, with the technology there, it has to be true.  Anything which is written on the internet, anybody who writes something on the internet, you consider it as valid.  As true. This level of naivety on the Internet can be problematic.
In the middle east privacy is not so private.  We accept, in our part of the world, we accept being monitored.  Why?  Because we have this trust in the government, thinking the government is supposed to provide us security and they're going to be monitoring us. 
When we have these kinds of talks in the modern world, people in the middle-east aren't looking at the private sector for providing digital identities to do e commerce, they're looking at the government and make them accountable or responsible.  Bringing security to the identities on the internet. 
One question is how privacy advocates wouldn't go overboard in pushing the eastern societies to be more aware of their rights.  I know, very tough for western people and privacy advocates to see that's a different aspect.  You look at it from the western side its completely different.
If you look at the east side, the number of people getting onto the internet is huge and it's multiplying many fold every year.  So how can this framework enable the masses in the east to gain benefits out of this quickly.
What boundaries of internet identity would advocates of anonymity accept?  When we say the word freedom, there is a definition requirement.  What is freedom?  And the definition requirement can only be fulfilled of the freedom if we know the boundaries. 
Giving a commercial perspective, whatever we may say about the eastern view or the western view, the internet makes no difference at all.  Whether you are trading in Birmingham, U.K., Birmingham, Alabama, Bahrain, Barley or Baku, it makes no difference to the next street or the other side of the world.  We have to build some form of framework, some form of trust model that will enable wealth and commerce to take place. 
How do we enable small businesses to interact with their counterparties in a trusted manner so that commerce can take place?  The internet offers an enormous opportunity to do this, but we must bring some form of governance, some form of trusted identity processes into the picture to enable this to happen. 
What do we mean by trusted identity? We may mean having absolute certainty of who you're interacting with. We need to know who guarantees the identity of the individual person or organisation. We need to have a complete and transparent audit trail of who did what and when.
We need to see trusted electronic identities as a key component in limiting liability and external exposure. So there must be some form of liability management: if things go wrong, where can I look for redress? Those are the key issues we should seek to address from a commercial and from a business perspective around the world.
Identity is a critical piece of a trust model which needs to accompany the commercialization of the internet. The other two things we need to be thinking about in this context are what aspects of identity are to be managed and who will be covered by any identity management solution.
The technology is the easy bit. It will do what it says it will do. The human bits become much more complicated, particularly when you look at the liability and legal issues. How can we link together the buyer in Bali and the seller in Birmingham so everyone knows what their liabilities are and are not?
It's easy to have identity management internally or within a community of interest or within multiple communities of interest.  But once you get to multiple communities of interest across multiple legal jurisdictions, it can get much more complicated. 
We could have the equivalent of a scheme such as Visa or Mastercard. If you think of that in the 20th century, then think of the internet era and the joining up of payments with all other pieces of a transaction, you need some scheme, some method, some legal liability framework that all parties can sign up to.
It is likely to be a number of private sector initiatives that can interact based upon the law of contract, so that everybody knows what their liabilities are and what they are not.
From a government perspective, we would suggest that governments are not in the business of managing their citizens' liabilities. That is not what government does or should do. Government should make use of these sorts of private sector initiatives in much the same way as governments use the world's payments networks. They do this today with significant trust.
So one thesis is that if we can have some form of global contractual structure, through things like financial institutions, which are regulated at the country level, then it should satisfy all the different blends of government that we have around this planet and instill trust in the use of identity.
Security versus privacy and openness is a really contentious issue.  It is a very difficult balancing act.  And finding the right balance is proving incredibly difficult if not impossible. 
On the one side, you've got national security and law enforcement, actually protecting the majority from the minority: the Government obligation of making sure that all the citizens in a country are protected from those who would cause them harm, from those that would commit identity theft, fraud, and otherwise perform various activities.
On the other side, you've got the right to privacy, you've got fundamental human rights, and in Europe, you've also got data protection legislation, all aimed at protecting the individual. 
In some ways, privacy and the right to privacy is about protecting yourself. Some also claim that anonymity is part of privacy and therefore also a right.  So, it makes the balancing act even more complicated because some of the things that you're doing for national security can be misused and used against people.  Some of the things you do for privacy can be misused. 
More and more, as organized crime moves onto the internet, you're actually seeing them using the laws and rights that are being granted around data protection and privacy to protect themselves and their activities online, and using those laws to misuse the internet and use it against individuals and against law enforcement.
When it comes to identifying someone how good is good enough?  We have a lot of problems with stolen identities.  We have a lot of problems with online fraud.  Much of that is caused because the root identity cannot be confirmed or cannot be traced or can be too easily stolen or misused.  So when you're interacting with someone, either you don't know they're the legitimate person or they don't know you're a legitimate organization and one they should be doing business with. 
From a sort of governmental point of view, if you're going to give someone a passport, you want to know they are who they claim to be and they are a national of your country and they have a right to a passport and a right to travel.
But if you are just letting someone download a free report on the Internet do you really need to see their passport?
We have a lot of people going online, a lot of young people going online. They're following the crowd, they're following what their friends do, they're putting a lot of their personal information up on the internet. It's being captured, it's being stored, and they can never delete it again.
We have situations where large companies are interviewing people and actually asking to be friends with them on Facebook or linked to them on LinkedIn, so that they can see their personal information, so they can see the type of person they are and who they consort with. That's a bad use of someone's personal information. People's personal information cannot be deleted. Once it's on the internet, it's there to stay.
People may do silly things in their teens; when they go to get a job in their 20s, the people interviewing them can see what they did in their teens and can hold it against them. You cannot stop people from doing stupid things in the first place, but how do you protect the naïve from themselves? Can you? Should you?
Will we ever be able to balance the need for security against the need for privacy?  And, do we actually need to do it the same for everybody?  Can we actually have different forms of balance in different countries, in different jurisdictions and in different contexts?
How do you have any assurance in remote identity? Whether it's a government dealing with their citizens or a commercial organization dealing with customers, how do you actually have assurance in the identity? Organizations like eBay, PayPal and Amazon seem to have got a model to work. They're using ratings based on feedback. As you interact with them and with other people, your identity becomes corroborated and the level of trust improves. It's not perfect but it works.
You're basically getting an identity rating. So, whereas the financial industry has credit ratings, organizations like eBay also operate the equivalent of trust ratings. Is the concept of identity ratings one that we want to use? Is that a concept we want to actually establish? The idea of identity ratings online?
Currently there are only a few identity documents, there are only a few ways of verifying identity.  When you come to get a credit card or a bank account, when you come to set up your account with Amazon, normally they will use things like your passport or your birth certificate or some other breeder document to initiate that new identity you're creating in that context.  But it always comes back to a few documents.  Always comes back to the passport.  If you have a passport, you can get a driver's license, bank account, mortgage, et cetera. 
One of the workshop participants raised a very critical point during the discussion. “I think there are a number of confusions.  I don't think anonymity is the same as privacy.  People can know who I am without knowing everything about me.  I think it's important to retain these distinctions.  And also, in these, at this conference, a lot of people are talking about what their rights are in different places, quite honestly, I don't see how you can have rights without having a rights holder.”
Louise responded – “I agree with you that anonymity and privacy aren't the same thing.  I think they're often allotted together and this caused an enormous amount of confusion…”
Asrar made the follow-up comment: “It looks like it's really a security issue rather than anonymity issue.  Because the person who will declare something, doesn't like somebody to know it, just because they feel threatened by them.  But in an ideal world, if there is ideal security, then we can have that we really don't look for anonymity at that point.  Because we have those threats, that's the only reason we require the anonymity.”
Andy followed up with “I agree completely that privacy and anonymity are different.  The biggest issue I have with anonymity is where people actually abuse it and use it to their own advantage” for nefarious means.
Privacy is about not giving personal details to people who have no need to have them. You may give your name, you may give a pseudonym, you may use some form of identity tag on the internet, but it should be traceable back to a root identity in most instances, and only people like law enforcement or intelligence agencies should be able to do that.
A Workshop participant then made the following point: This problem is often posed as one of drawing the balance between privacy and security.  One of my counterparts said we have to optimize for security and privacy.  I think that's even more challenging than just simply drawing the balance between the two, but something we need to try and step up to.
When it comes to the anonymity versus privacy versus security debate, again, it's an emotive topic, but my view is that, well, this is often characterized, again, as the "if you've got nothing to hide, you've got nothing to fear" argument. My problem with that is, there are always bad actors in the system, even amongst those, for example, who have authorized access to data. And under those circumstances, the question is, who do you have something to fear from? Because it may well not be the people asking for your information, it may well be third parties who don't have your best interest at heart. That's something that needs to be designed into these kinds of systems.
Louise made the point that reputation and trust are other very important issues and reputation is not only important to individuals, it's enormously important to institutions.
We have to trust the market to deliver some of these issues and there'll be some absolutely trusted organizations that people will be comfortable in going with. If people become sufficiently uncomfortable with a particular policy of a particular organisation or its reputation gets damaged or people lose trust in it, they will simply move to a competitor. Many websites have gone out of business when they have lost customer trust. Those that protect their reputations have become household names.
John made the point that “I think the key issue there is liability. If something goes wrong, where do I get recourse from?  That seems to me, when all else is said and done, is incredibly important for trust and for doing business on the internet.”
Asrar provided a slightly different view on this point: “I believe there's still a balance required, when you just say that the markets can decide and once we have their organization and people, based on their liking, can do that…  Because sometimes, things like what happened in 2008, the financial collapse was, again, the same market and what happens in the days of, the dot com collapse when everything went wrong by just leaving it to the market there is, again, a responsibility and accountability which has to be there by somebody.”
There has to be somebody on top of the regulators.  You are required to have a framework, if you just leave it, the banks can do it the way they want to do, the market is just being driven by money, profit.  If you leave it to be driven by profit, who will look after the real interest of customers?
The panel then moved on to another question posed by a Dutch participant. “In real life, you have a right to be forgotten.  When you don't want something you have produced or anything else, in the market anymore, you have the right to ask to take it out of the market.  On the internet, it's not possible.  So...what's your opinion on that?”
Andy made the point “If you post stuff on the internet, it's there forever.” It will get copied, it will get backed up. You try and delete it from one source, you find it on another source. But he made the point that you have this problem in the real world. Once you're in a printed newspaper or on TV, you will never be forgotten; you just have to be careful in the first place.
Around London, there are over 7,000 CCTV cameras that are run and monitored by different parts of the government. On top of that, you've got tens of thousands of CCTV cameras put in by industries, business, even private individuals. Nobody sits and watches all of that, all the time. The police have 12 people looking after 7,500 cameras. If something bad happens, they go find the tapes and they look. That's pretty much what's happening with the internet, and with the data capture on the internet. Nobody's looking at it, there's just too much of it, but if something bad happens, they can have a look at the tiny little bit that's relevant.
You have to understand, from a proportionality point of view, it's not that they're tracking everybody; it's that there are loads of big computer systems storing loads of data that could potentially track everybody, and as and when they need to, they go find the bit that's relevant. They don't have the resources to do it and they also don't have the inclination to do it either.
The final discussion point was: how can an internet identity framework become an e-business enabler for the masses in the East?
One participant commented that in the East there are often two main issues with e-business. First, getting a credit card is a pain. You have to be already employed, and it takes a while. The second issue is that people have a fear of getting their identities stolen by a hacker and all that, because during the late 90s there was a huge number of hackers.
Asrar made the point that there are companies trying to address this. There's a starting point from a company which started in UAE.  The company is a Canadian company that shifted their business model to the Arab world.  They said there are too many blue collared people working in the Arab world who are not even connected with any kind of internet identity or e commerce or banks or so on.  They started by putting ATMs, specifically their own ATMs around different organizations which have got a few thousand employees and the salaries are going to be coming from the cards which will be issued to every single employee. 
Those staff have now started having that identity. The same card can be used anywhere across any of the countries because it's really a debit card, which can be used everywhere. Not only that, with that card being there, the same organization, which isn't a bank but is now acting like a bank, has started giving micro-financing. People can take loans, small amounts, and that automatically is being deducted in the same manner. All of their money transfers can be done using the same card. So it suddenly gave them a lot of ease.
The BCS have made a lot of progress in the last two years, defining what the problem is and coming up with answers, but the balancing act between security and privacy and openness is going to remain emotive and it's going to remain very hard.  We're just going to have to work hard on this and the U.N. and U.N. IGF is a very good forum to actually keep this moving forward.