Aspects of Identity British Computer Society

30 September 2011 - A Workshop on Security in Nairobi, Kenya

Agenda

This workshop covers the balance between privacy and security for Internet identity and the governance of online identity required to achieve this.
It addresses various debate points that are critical to the success of the Internet as so many aspects rely on the effective registration and authentication of individuals using digital identities.
It uses a panel debate to solicit discussion on 3 primary questions but aims to address other areas too:
1. When identities are used on the internet, how can the balance between privacy and national security be achieved?
2. How can trust in remote identities on the internet be achieved and maintained?
3. What Governance model would be appropriate for managing identities on the internet?

We have held workshops on this topic in the UK at Infosec, at EuroDIG in Serbia and now here at the IGF in Nairobi. We want to understand what this international audience, steeped in the complex issues of Internet Governance, thinks. So our workshop facilitators will speak for a couple of minutes on three key topics. Each will pose a question and then open the floor to all for input and interactive discussion. We hope that we can move forward together to improved governance of identity on the internet for the benefit of individuals and service providers. The results and conclusions from the debates will then be published as a report and made freely available.

Detail
The British Computer Society (BCS), the Chartered Institution for IT, has consulted its 70,000 professional members worldwide to determine what they consider to be the most important IT-related issues facing organisations in delivering savings, stimulating innovation and enabling e-commerce over the Internet. One of the key issues is Identity Assurance.
EURIM as an advisory body to the UK Government has reached much the same conclusion and has a specific workgroup looking at Identity Governance.

 

 

A brief substantive summary and the main events that were raised:
The Panel was increased in size before the presentation on the day, with Bill Smith from PayPal and Robert Kahn, one of the original designers of ARPANET, joining Alun Michael MP, Louise Bennett (Moderator) and Andy Smith. Ian Fish was the Remote Moderator, communicating with remote participants.

This discussion was about the aspects of identity that affect life online, including identity assurance, privacy and preventing fraud and misuse. It was very nice to see so many people attend the session considering the number of alternatives available; there were a large number of participants, which made for an interesting discussion.

Louise started by giving an introduction to the BCS and why the delegation was at IGF speaking about Identity. In summary this was because identity is becoming more and more important in making online activity possible and the BCS membership wanted this topic raised. Identity assurance is fundamental to activities such as assured communication, remote access and remote working, provision of government services, banking and commerce.

Without assured identity and proper identity governance models, much of the funding for the internet from business models and commercial endeavours would not be possible.

Three main topics were covered: the Security v. Privacy balance, Identity Governance and Trust in remote identities. Louise started with a description of the problem: the Internet is accessed more and more from remote devices rather than fixed computers, and some 20% of these are lost or stolen each year in the UK, removing any trust you can have in the device for authentication. With the online community connected via more than 25 billion devices to over 2 billion people there is now a massive criminal element at work, thus methods of trust are paramount. The key point was "So it is an inescapable truth that you can neither know who you are communicating with on the Internet nor who owns let alone who is using the device or the IP address that you are communicating with. However you do need to know both of these things."

Andy Smith discussed the balance between security and privacy. The first point he raised was that the balance is often skewed towards privacy, but that the right to privacy and the human rights of all of the victims of cybercrime are also important, and that this is part of national security and online crime prevention.

The second point was that most trusted credentials issued by government involve a strong background check and an in-person visit. When these credentials, such as a passport, are used, they are physically checked. However, neither of these processes is appropriate online, where the registration, issuing of credentials and subsequent use of those credentials is remote from the trusting party.

This causes two issues: counterfeit credentials, and compromise of credentials through social engineering and technical attacks (hacking). This is more of an issue today as many people have their whole life stored on their computer or even their smart phone; everything needed to steal their identity. The final point was that people think many things on the internet are free, when in fact they pay for them by seeing adverts or providing their personal information, which is either used for targeted marketing or for more nefarious activities.

Alun Michael raised the point that people need to have confidence in the Internet and online activities. If this confidence is lost, it would damage the online community. Online is important for government as you can do more and do it more cheaply with a digital by default provision of services (using the physical world for exception handling). However, he pointed out there is growing evidence that a significant portion of the UK population would not go online even if you gave them a computer and broadband connection; this is likely to be similar in other countries. That is to some extent a question of fear.

He made the point that he and other legislators were very reluctant to legislate in this area unless they had to and that the impact of legislation on the Internet was often unpredictable and ended up having undesired consequences and could be completely out of date by the time it became law. That makes it all the more important that what we are doing is making clear what principles and responsibilities are rather than trying to put in place regulations and legislation that is technology specific or specific to a particular point of the development of these ways of using communications. There is no central control of the Internet, which is one of the reasons IGF is so important. He raised the issue of who would be appropriate to govern identity assurance on the internet and how some governance models would work. Is it a question of control or one of standards?

The following discussions raised many good points. One that was raised by Bill Smith is that PayPal find three things of key importance now: these are anonymity, pseudo-anonymity and attribution. They believe in using attribution in various levels as and when necessary. He made the point "In the United States that was a very important part of the founding of our country, the ability to speak anonymously and it is embedded in our constitution".

The point about liability in business was made as this is very important. Often it is not necessary to have a detailed identity or even prove an identity, only to ensure that the person who was registered is the same person performing the transactions in the future. This is especially important for credit card and online banking. There are, however, legal requirements for knowing who customers are and being able to trace transactions to individuals when necessary. This means the registration needs to be strong, but the use of credentials does not need to reveal details about the identity.

Bill also detailed the distinction between identity and authorisation. This led to a debate about the attributes and the different requirements needed for proving identity, performing an authentication and authorising an action. This included a discussion on the need for different levels of authentication for different types of transaction authorisation. You would not transfer someone’s life savings based on a username and password. Ian brought in the first question from a remote participant who raised the difference between the European concept of privacy and the US principle of openness. This raised a number of responses, which covered this as an example of the need for international debate and the need for different philosophies to operate together and interact. Again there is a balancing act between privacy and openness.

The discussion turned to misuse of information access and the ability to identify individuals, especially by oppressive governments, which means that online there needs to be the ability for the same individual to be anonymous for expressing opinions and fully identifiable for online banking and commerce. Separating the two can be very difficult.

Robert Kahn made a number of points about the changing technology, especially around the use of identifiers for things rather than people, such as IP addresses, and how even this is changing. You can use different systems but there needs to be more standardisation to make systems compatible and allow them to work together. One such example is Public Key Infrastructure (PKI), where a private key can be used as a credential for a person, token or device. This is currently the most effective credential and, as long as the issuance process and protection of the credential are effective, it can be used to underpin various identity systems.

Alexander made one very clear statement about the nightmare scenario "The idea when there will be introduced global authority for identities on the Internet where every person will be required to have one identity because it will make us traceable and accountable on the Internet because we need to be anonymous but almost all services will be oriented only on citizens with one identity".

Andy raised the point that it's only really governments that need to know the true root identity of a person and that is mainly for national security and quite often that's not even for criminal prosecution. If you commit a crime, what the law enforcement and judicial process needs to know is that the person that committed the crime is the person they have put in prison. They don't even need to know you are who you claim to be. They don't care what you are called, but they care that the person who committed the crime is the person who is punished.


Various people made the point that there are a lot of laws around money laundering, around criminal fraud, et cetera, which require a level of knowledge of identity for reporting. However, quite often a minimum of personal data can be used as long as the organization that's actually performing the financial transactions has access to more information should they need it. The transactions themselves can use zero knowledge, proof of knowledge, one way trust and other methods in the transactions. So the identities themselves can be pseudonymous or linked to a root identity.

Andy raised another point on compatibility and interaction. The UK Government is looking at how you can put authentication systems in place with identity credential conversion. So rather than trying to get everyone to use the same credentials or the same authentication mechanisms, actually putting in converters so someone can use PKI, someone can use SAML. You have got devices that can accept the trust from one authentication system and pass it on to another authentication system and this will hopefully allow different systems to interact with each other and actually try and get some of these commercial models more stable. The conversation then turned to the research and policy perspectives around seeing if two parties can have these transactions directly and be able to authenticate when there is no central party that is guaranteeing identity. eBay was used as an example of this where reputation was used as a form of trust.

The discussion then turned to the use of biometrics online and the ability to counterfeit and fraudulently use them. This was especially interesting with facial recognition, where webcams and even mobile phone cameras can be used. For example, there is the potential for systems that would use facial recognition as a way of encrypting or decrypting files on your computer to improve privacy and increase authentication security. Unless your face is in front of the computer, the file would not be decrypted. This is something that is already being trialled in UK hospitals. Louise stated "I think it is a very exciting way of doing it. I use my biometric to log on to my machine. It seems much safer than anything else and it is much quicker". Andy mentioned that this is also being used for automated gates at passport control right across Europe now.

If you can tie a person's identity to the individual using immutable credentials like biometrics it does make things a lot better because it can prevent people stealing identities or at least makes it a lot harder to steal identities because you have to replicate whichever biometrics you use.

Another remote participant was curious if U.S. and NSTC came up and how it might be shaping global governance. This was discussed and the conclusion was that it had not really had an impact yet.

The discussion returned to biometrics and the worry that biometrics could be stolen and misused. The point was made that if you are doing biometrics properly, this is not really a concern as you do not use the source biometrics in the credential system and if you do, they are backed up with other measures such as encryption and digital signatures, so cannot be counterfeited or forged. European Governments are putting in a system with BAC and EAC for use with passports addressing these problems.

The final discussion concluded that when information is required, for authentication and authorisation, it should be kept to a minimum and what is appropriate for the transaction given the context in which it is happening.

Louise finished the session with two questions:
We had quite a lot of talk about whether people should have one I.D. or many I.D.s. Could everyone who thinks people on the Internet should have one I.D., put up their hand? No hands were raised. Should people be allowed to have many I.D.s? Everyone raised their hands. That's pretty conclusive which is quite helpful. Consensus, yes.

The second point that I'd just like to ask you is do people think looking that the way to deal with remote I.D.s is through trusted third parties? Do they think that is a route that is worth pursuing? And again those who think that is a route that's worth pursuing in this area could you put up your hands? A mixed response. The consensus was that trusted third parties had a role to play in some contexts.


Conclusions and further comments:
There is a balancing act between security and privacy and the balance needs to be moved nearer security in some countries, mainly Europe and nearer privacy in others, such as some countries in the Middle East.

There is another balance between openness and privacy where sharing of information is important in some contexts and privacy is not a fundamental right, but in other contexts privacy is a right and should be respected.

The rights of victims of cybercrime should also be taken into account when talking about rights and privacy online.

There needs to be more standardisation of identity systems and better processes for registering people into identity management systems online. Credentials need to be secure with private keys and biometrics being two strong credentials, but the issuance processes need to be improved to reduce identity theft and fraud.

Only Governments really need to know the true root identity. For most online activity organisations just need to know that they are dealing with the same person at every interaction, or that the individual has the ability to deliver their part of the bargain (money or goods). There are, however, some legal requirements to be able to link a person back to an established root identity; this is usually done via a strong Government issued credential such as a passport.

There is a lot of work to do on identity governance and organisations such as IGF and the UN will play a part in this, but a centralised governance model is inappropriate for identity on the Internet.


Trusted reliable identities are needed for the safety and security of citizens and underpin many transactions, particularly where money changes hands or valuable service and entitlements are provided to citizens meeting defined nationality, age, or other status tests.
There are intrinsic risks associated with the creation of identity data, maintaining its integrity, security and non-repudiation that demand the highest standards of governance. However there is no central governance of the Internet so how can governance of Identity on the internet be achieved?

Is it essential that governments lead the way in providing and using identity assurance that is trusted by its citizens and international partners and is fit for a wide range of purposes? If not who should? Governments need to be able to: identify their nationals; collect taxes and deliver a wide range of services efficiently without fraud; warrant transactions and contracts within government and with its suppliers nationally and across borders; and ensure that the global internet is a safe and trusted place to do business.

The workshops will explore the key underpinnings of internet identity principles, assurance and management, rights and responsibilities, including information rights and privacy, in an interactive format. The key points for discussion will be:
1. Security v. Privacy, The Balancing Act:
• What principles need to be in place to ensure an individual’s right to freedom of opinion and expression (and why)?
• In the context of Information assurance what are legitimate National Security Interests (and why)?
• What safeguards should be in place to ensure that personal privacy is protected whilst not compromising national security?
• The whole concept of Identity Assurance is a bit “big brother” so how do you go about ensuring that Jack and Jill Doe “Trust” the process? For example, how do we ensure that raw seed information that feeds into the registration process and thus through to the Information Provider AND the Attribute Provider is both accurate and pertains to the specific individual (or persona)?
• How can we ensure that an individual (or persona) is who they say they are when they request a service, and if something goes wrong will there be a speedy restitution and redress process?

2. Remote Identity, Registration Authorities & ID Assurance:
• What is a root identity, what attributes make it up?
• Should biometrics be used as part of an identity, if not what else would offer an immutable link between the person and the identity?
• Who should have the authority to register a root identity and perform the level of background checks needed to establish identity beyond reasonable doubt?
• Will it be up to the individual to ensure that any information held by an Identity Provider is up to date and accurate (a responsibility), or is it an individual’s “right” that the information is correct in the first place? Is it a case of ignorance is no defence?
• When we identify someone, we sometimes want to establish that they are a unique biological being as recorded on their birth certificate and sometimes that they are the same “persona” who did something at a different time. - What are the implications of this for the successful running of a multi-level Identity Assurance scheme?
• How can an individual control access to their biographic data (and biometric data) after enrolment in an identity scheme?
• What responsibilities should the citizen (identity subject) accept to ensure the Identity Assurance information held by the provider remains accurate and “current”?

3. Governance
• Why do we need governance of internet identity?
• Who should have control or should multiple organisations work together?
• How much should government and legislation be involved in online identity?
• What governance model will work?
• How do organisations establish a culture of privacy, to ensure that clients’ privacy needs are properly addressed from initial system proposals through to end of life decommissioning?

A short presentation on the topic will be given by a panel. For each key point of discussion the chair will then lead an interactive debate so participants can discuss the major discussion points under each question above.
The whole interactive seminar will then be fed back to all delegates and recorded for later dissemination. These workshops are being run at a UK, a European and a UN event to collect national and international views. These will then be collated and fed back to all participants and at a European event to be held in the UK and a report published for the IGF.

 

 

A brief substantive summary and the main events that were raised:
The Panel was increased in size before the presentation on the day with Bill Smith from Paypal and Robert Kahn, one of the original designers of Arpanet joining Alun Michael MP, Louise Bennett (Moderator) and Andy Smith. Ian Fish was the Remote Moderator and working on communicating with remote participants.

This discussion was about the aspects of identity that affect life online, including identity assurance, privacy and preventing fraud and misuse. It was very nice to see so many people attend the session considering the number of alternatives available, there were a large number of participants which make for an interesting discussion.

Louise started by giving an introduction to the BCS and why the delegation was at IGF speaking about Identity. In summary this was because identity is becoming more and more important in making online activity possible and the BCS membership wanted this topic raised. Identity assurance is fundamental to activities such as assured communication, remote access and remote working, provision of government services, banking and commerce.

Without assured identity and proper identity governance models, much of the funding for the internet from business models and commercial endeavours would not be possible.

Three main topics were covered. The Security v. Privacy balance, Identity Governance and Trust in remote identities. Louise started with a description of the problem with access to the Internet more and more from remote devices rather than fixed computers and some 20% of these being lost or stolen each year in the UK removing any trust you can have in the device for authentication. With the online community connected via more than 25 billion devices to over 2 billion people there is now a massive criminal element at work, thus methods of trust are paramount. The key point was "So it is an inescapable truth that you can neither know who you are communicating with on the Internet nor who owns let alone who is using the device or the IP address that you are communicating with. However you do need to know both of these things."

Andy Smith discussed the balance between security and privacy. The first point he raised was that the balance is often skewed towards privacy but that it is also the right to privacy and the Human Rights of all of the victims of cybercrime that are important and that is part of national security and online crime prevention.

The second point was that most trusted credentials issued by government involved a strong background check and an in-person visit. When using these credentials, such as a passport they are physically checked. However neither of these processes is appropriate online, where the registration, issuing of credentials and subsequent use of those credentials is remote from the trusting party.

This causes two issues, counterfeit credentials and compromise of credentials through social engineering and technical attacks (hacking). This is more of an issue today as many people have their whole life stored on their computer or even their smart phone; everything needed to steal their identity. The final point was that people think many things on the internet are free, when infact they pay for them by seeing adverts or providing their personal information, which is either used for targeted marketing or for more nefarious activities.

Alun Michael raised to point that people need to have confidence in the Internet and online activities. If this confidence is lost, it would damage the online community. Online is important for government as you can do more and do it more cheaply with a digital by default provision of services (using the physical world for exception handling). However he pointed out there is growing evidence that a significant portion of the UK population would not go online even if you gave them a computer and broadband connection, this is likely to be similar in other countries. That is to some extent a question of fear.

He made the point that he and other legislators were very reluctant to legislate in this area unless they had to and that the impact of legislation on the Internet was often unpredictable and ended up having undesired consequences and could be completely out of date by the time it became law. That makes it all the more important that what we are doing is making clear what principles and responsibilities are rather than trying to put in place regulations and legislation that is technology specific or specific to a particular point of the development of these ways of using communications. There is no central control of the Internet, which is one of the reasons IGF is so important. He raised the issue of who would be appropriate to govern identity assurance on the internet and how some governance models would work. Is it a question of control or one of standards?

The following discussions raised many good points. One that was raised by Bill Smith is that Paypal find three things of key importance now: these are anonymity, pseudo-anonymity and attribution. They believe in using attribution in various levels as and when necessary. He made the point "In the United States that was a very important part of the founding of our country, the ability to speak anonymously and it is embedded in our constitution".

The point about liability in business was made as this is very important. Often it is not necessary to have a detailed identity or even prove an identity, only ensure that the person that was registered is the same person performing the transactions in the future. This is especially important for credit card and online banking. There are however legal requirements for knowing who customers are and being able to trace transactions to individuals when necessary. This means the registration needs to be strong but the use of credentials do not need to reveal details about the identity.

Bill also detailed the distinction between identity and authorisation. This led to a debate about the attributes and the different requirements needed for proving identity, performing an authentication and authorising an action. This included a discussion on the need for different levels of authentication for different types of transaction authorisation. You would not transfer someone’s life savings based on a username and password. Ian brought in the first question from a remote participant who raised the difference between the European concept of privacy and the US principle of openness. This raised a number of responses, which covered this as an example of the need for international debate and the need for different philosophies to operate together and interact. Again there is a balancing act between privacy and openness.

The discussion turned to misuse of information access and the ability to identify individuals, especially by oppressive governments, which means that online there needs to be the ability for the same individual to be anonymous for expressing opinions and fully identifiable for online banking and commerce. Separating the two can be very difficult.

Robert Kahn made a number of points about the changing technology, especially around the use of identifiers for things rather than people, such as IP addresses and how even this is changing. You can use different systems but there needs to be more standardisation to make systems compatible and allow them to work together. Such examples are Public Key Infrastructure (PKI) where a private key can be used as a credential for a person, token or device. This is currently the most effective credential and as long as the issuance process and protection of the credential are effective it can be used to underpin various identity systems.

Alexander made one very clear statement about the nightmare scenario "The idea when there will be introduced global authority for identities on the Internet where every person will be required to have one identity because it will make us traceable and accountable on the Internet because we need to be anonymous but almost all services will be oriented only on citizens with one identity".

Andy raised the point that its only really governments that need to know the true root identity of a person and that is mainly for national security and quite often that's not even for criminal prosecution. If you commit a crime, what the law enforcement and judicial process needs to know is that the person that committed the crime is the person they have put in prison. They don't even need to know you are who you claim to be. They don't care what you are called, but they care the person who committed the crime is the person who is punished.


Various people made the point that there are a lot of laws around money laundering, around criminal fraud, et cetera, which require a level of knowledge of identity for reporting. However, quite often a minimum of personal data can be used as long as the organization that's actually performing the financial transactions has access to more information should they need it. The transactions themselves can use zero knowledge, proof of knowledge, one way trust and other methods in the transactions. So the identities themselves can be pseudonymous or linked to a root identity.

Andy raised another point on compatibility and interaction. The UK Government is looking at how you can put authentication systems in place with identity credential conversion. So rather than trying to get everyone to use the same credentials or the same authentication mechanisms, actually putting in converters so someone can use PKI, someone can use SAML. You have got devices that can accept the trust from one authentication system and pass it on to another authentication system and this will hopefully allow different systems to interact with each other and actually try and get some of these commercial models more stable. The conversation then turned to the research and policy perspectives around seeing if two parties can have these transactions directly and be able to authenticate when there is no central party that is guaranteeing identity. eBay was used as an example of this where reputation was used as a form of trust.

The discussion then turned to use of biometrics and both the use of biometrics online and the ability to counterfeit and fraudulently use them. This was especially interesting with facial recognition, where webcams and even mobile phone cameras can be used. For example there is the potential from systems that would use facial recognition as a way of encrypting or decrypting files on your computer to improve privacy but increase authentication security. Unless your face is in front of the computer then the file would not be decrypted. This is something that is already being trailed in UK hospitals. Louise stated "I think it is a very exciting way of doing it. I use my biometric to log on to my machine. It seems much safer than anything else and it is much quicker". Andy mentioned that this is also being used for automated gates at passport control right across Europe now.

If you can tie a person's identity to the individual using immutable credentials like biometrics it does make things a lot better because it can prevent people stealing identities or at least makes it a lot harder to steal identities because you have to replicate whichever biometrics you use.

Another remote participant was curious if U.S. and NSTC came up and how it might be shaping global governance. This was discussed and the conclusion was that it had not really had an impact yet.

The discussion returned to biometrics and the worry that biometrics could be stolen and misused. The point was made that if you are doing biometrics properly, this is not really a concern as you do not use the source biometrics in the credential system and if you do, they are backed up with other measures such as encryption and digital signatures, so cannot be counterfeited or forged. European Governments are putting in a system with BAC and EAC for use with passports addressing these problems.

The final discussion concluded that when information is required for authentication and authorisation, it should be kept to a minimum and to what is appropriate for the transaction, given the context in which it is happening.

Louise finished the session with two questions:
We had quite a lot of talk about whether people should have one I.D. or many I.D.s. Could everyone who thinks people on the Internet should have one I.D. put up their hand? No hands were raised. Should people be allowed to have many I.D.s? Everyone raised their hands. That's pretty conclusive, which is quite helpful. Consensus, yes.

The second point that I'd just like to ask you is: do people think that the way to deal with remote I.D.s is through trusted third parties? Do they think that is a route that is worth pursuing? And again, those who think that is a route that's worth pursuing in this area, could you put up your hands? A mixed response. The consensus was that trusted third parties had a role to play in some contexts.


Conclusions and further comments:
There is a balancing act between security and privacy, and the balance needs to be moved nearer security in some countries, mainly Europe, and nearer privacy in others, such as some countries in the Middle East.

There is another balance between openness and privacy where sharing of information is important in some contexts and privacy is not a fundamental right, but in other contexts privacy is a right and should be respected.

The rights of victims of cybercrime should also be taken into account when talking about rights and privacy online.

There needs to be more standardisation of identity systems and better processes for registering people into identity management systems online. Credentials need to be secure with private keys and biometrics being two strong credentials, but the issuance processes need to be improved to reduce identity theft and fraud.

Only Governments really need to know the true root identity. For most online activity, organisations just need to know that they are dealing with the same person at every interaction, or that the individual has the ability to deliver their part of the bargain (money or goods). There are, however, some legal requirements to be able to link a person back to an established root identity; this is usually done via a strong Government-issued credential such as a passport.

There is a lot of work to do on identity governance and organisations such as IGF and the UN will play a part in this, but a centralised governance model is inappropriate for identity on the Internet.