(No.50) Aspects of Identity
This workshop addresses aspects of the following theme questions from Security, Openness and Privacy:
Question 1: What impact can security and governance issues have on the Internet and human rights? In this case, the right to privacy.
Privacy is a fundamental right, but so is national security and the right to feel safe which is derived from enforcement of law. Privacy is giving people the ability to protect and control the dissemination of their personal information. However, even in the physical world it is not possible to retract or remove information from the collective consciousness - for example, something published in a newspaper. However, the problem is not the balance of security v privacy; it is actually security & privacy v anonymity.
We need to better manage and improve governance of the Internet and identity usage so that in general privacy is upheld but where necessary someone can be held accountable for their actions.
Question 3: What risks can Internet fragmentation pose to security, privacy and openness? If identity governance becomes fragmented and requirements change what impact does this have?
If identity use and governance become fragmented, it will destroy many of the benefits of the Internet as a global resource. The market may well deal with this as there are business and funding drivers that require the effective globalisation of identity. This will effectively come about by contractual relationships and an effective liability model as we have today with passports.
Question 5: What risks do law enforcement, information suppression and surveillance have on security, privacy and openness? Identity information can be used as a tool by state and law enforcement both for good and bad reasons, how do you strike a balance?
Anonymity is the biggest conceptual headache, not privacy. Privacy is good and hard to misuse - anonymity can be misused. Surveillance is often ineffective, as you often only surveil those that are law abiding when you capture Internet logs. Law enforcement is fundamental to the security of nation states. The balance is probably more between anonymity and security rather than privacy and security.
Question 6: What measures can be taken to ensure freedom of expression, access to knowledge and privacy, including for children? Can anonymity really be possible on the Internet and does this have implications on providing a tool for criminal and terrorist organisations?
Anonymity will always be used by the bad guys. We already have organised crime using data protection and human rights, especially article 8, to protect themselves against being traced, being prosecuted and general law enforcement activities. One-way trust models and zero-knowledge proofs of knowledge are examples of ways in which pseudo-anonymous activities can be transacted but with the ability to hold those who perform criminal activity accountable.
However, this would allow suppressive regimes and those that misuse the information to have dangerous tools they could misuse. Until we have a fully democratic world we will have to find a balance between security and anonymity and become much better at improving privacy. For now we need to start defining the boundaries and contexts in which each identity balance should be tuned.
This workshop is intended to enable the exchange of ideas around various Aspects of Identity on the Internet, allowing the panel of identity experts from the Middle East, Asia and Western Europe, to interact with the participants with the aim of achieving some consensus on key aspects of identity use. Importantly this needs to cover the global or “borderless” perspectives of identity over the Internet.
The workshop is titled Aspects of Identity, as it was at IGF 2011 in Nairobi, because it covers a number of different closely related topics. There are three objectives for this workshop:
1. To look at the governance of identity on the Internet and its impacts on security and privacy.
2. To look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development.
3. To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services.
This workshop focuses on registration of people onto Internet sites (and the protection of their personal data), either for obtaining identity credentials or for getting access to services. It does not cover access control, user authentication or any subsequent use for ongoing logon or authorisation systems.
It addresses aspects of three of the main theme questions and follows on from the workshop presented at IGF 2011, including the report (Aspects of Identity Yearbook 2011-12) and the presentations at the UK IGF, InfoSec 2012 and EEMA Identity Governance 2012 (links to these are provided below).
Identity Governance on the Internet – This topic follows on from the output of the workshop at IGF11. The discussion is about who should have control of personal identity and what legislative or standards framework would be practical for such a vast range of applications. The panel have some ideas and would like to solicit input as to their international practicality. The registration process for identity credentials can reveal vast amounts of personal information. This information is at risk not only from malicious code (Trojans, keyboard loggers) and criminal elements (e.g. credit card thieves), but also from misuse by organisations and in some cases governments that collect the data. How can a governance framework reduce the likelihood of misuse and allow safer registration for users? How will such a framework help Internet development, especially in developing countries where online services may be much more practical than physical services in some cases, but where data protection is not enshrined in law?
Commercialisation of Identity – There are a lot of people who do not realise identity information has value and is often used as a currency on the Internet. Identity is used not only for buying access to information and resources, but also linking people together in social networks and in ways they may not want. It allows targeted marketing and is responsible for some of the value of many big organisations on the Internet. However, it also allows for targeted attacks and identity theft. This topic will generate discussion on how to make people aware that their personal information has value, to them, to organisations and to criminals and to look at how identity is used as a currency on the Internet. This will cross-pollinate with various other workshops around commercialisation of the Internet and privacy. Identity registration is one of the primary ways that personal information gets on to the Internet in the first place. Internet services such as using a mobile phone for both micro payments and online banking may be much more practical in some countries than traditional bricks and mortar banks. But how does a bank know the person registering is who they claim to be and how does the person know the bank will not misuse their information?
Identity theft and the misuse of online identity is a growing concern and identity data is becoming much more valuable to organised crime. This topic covers the balance between privacy, security and openness with aspects from registration of users to minimising the privacy impacts of registration. How do you protect the naïve from themselves? How do you get people to understand that what they put on the Internet stays there forever and can be seen in future interactions, such as when applying for a job or starting a new relationship? How do you make online registration safe and minimise the amount of information required and protect people’s privacy, but still allow that information to be corroborated to meet business risk management requirements? This topic is one of the fundamental issues facing the development of the Internet and its use. How can the internet be made safer for everyone by ensuring that anonymous activity is possible where it is not used for illegal purposes?
There are significant information resources on the Internet, for learning and development, but should identity be used as a currency to buy access to this information? These aspects are critically important for children accessing the Internet who do not realise the risks of revealing personal information in online registration or social networks. Should there be laws enabling redaction or real deletion of information from social networks? Can consent be revoked?
The workshop last year proved very effective in providing an international context and deriving useful answers to a number of key questions. This year the aim is to build on that work and try to address some of the areas that are becoming critically important, due to the widespread use of identity online and the cyber security risks now posed by organised crime and other threats targeting Internet commerce and government presence on the Internet.
The format is a number of short presentations (about ¼ of the time) followed by a panel-based question and answer session, giving members of the audience the chance to contribute, both by providing answers to the questions posed and by raising further questions, and to help develop a way forward.
This workshop is a feeder workshop to the main Security, Openness and Privacy workshop. The findings from this workshop will be presented by our rapporteur at the main session.
We produced a booklet following the IGF in Nairobi, which is freely available on the Internet and to all IGF participants. We commit to producing a similar booklet following this year’s IGF, taking into account input from InfoSec 2012, IGF UK Nominet workshop 2012, EEMA workshops in 2012 and IGF 2012.
We intend to form a Dynamic Coalition following IGF 2012 and intend to seek input and membership in Baku. This will be managed by the BCS, which is a worldwide membership organisation with 70,000 members (www.bcs.org) but will be open to anyone on the Internet.
The panel is international, with members from the UK, Saudi Arabia and Sri Lanka. Those from the UK have spent decades working in many other countries, including various developing countries and the Middle East. All panel members are confirmed to attend and present.
The primary background papers for this workshop are the output from last year’s work including the workshop at IGF11 (see previous workshops) and the write up for the UK event earlier this year (see Background paper).
We are willing to merge this workshop with workshops that have the same discussion threads and outcomes, to support both our report and the formation of a Dynamic Coalition.
A remote hub was used successfully last year and will be integrated into the workshop more fully, based on that experience, with the same moderator.
The workshop will consist of a short presentation (5 min) from each panel member on their specific areas of interest. The panel will then be opened up to questions and discussion from those present and remote participants. The aim is to try and address and discuss the 3 key themes:
- Governance of Identity on the Internet - how it impacts security and privacy
- The use of Identity in commercialisation of the Internet - personal information as currency
- The balance between privacy and openness including protecting the naive from themselves
The following is the workshop we conducted last year: http://www.intgovforum.org/cms/component/chronocontact/?chronoformname=W...
The resulting report is freely available here: http://www.bcs.org/category/6046
We also presented at the UK IGF 2012. The summary of workshop 1 can be found here: http://www.nominet.org.uk/about/events/policyforum/
The following are the confirmed panelists and moderator:
Louise Bennett - BCS - Chair of the Security Forum of Expertise (SCoE). Louise has many years’ experience in both security and privacy including commercialisation of the Internet and is representing BCS worldwide including the BCS Youth forum and women on the Internet.
Andy Smith - BCS SCoE - helped set up one of the first Internet service providers in Pakistan and spent years working in the Middle East on Internet security. He now works for UK Government on identity assurance and is representing BCS worldwide and EURIM UK.
John Bullard - is Global Ambassador for IdenTrust, providing identity systems for online banking and funds transfers. He has many years’ experience helping banks in developing countries and Europe set up secure online identity systems to help prevent identity theft and protect privacy.
Asrar Baig - Runs IT Matrix in Bahrain & Saudi Arabia - a consultancy that works across the Middle East. He has considerable experience with Internet security and online identity including prevention of identity theft and brings a unique perspective on privacy and use of identity for access to information from the Middle-East.
Sujit Christy - Is a member of the BCS in Sri Lanka and is representing the Indian and Sri Lankan interests in identity and preventing identity theft. He is a Director at Layer-7 Securo Consutoria Pvt Ltd with several years of experience in cyber security & compliance.