Security and Governance of Identity on the Internet

22 October 2013 - A Workshop on Security in Bali, Indonesia

Agenda

This is now a joint workshop between OpenNet Korea and the BCS, proposal 35 “User Identity and Anonymity in the Cyber Space” having been merged with proposal 19.

The workshop falls under “Shaping global principles for the Internet” and covers Identity Governance on the Internet and balancing security v anonymity, which is directly relevant to “Human Rights/Freedom of Expression”, itself key to sustained growth of the Internet, from supporting global e-commerce to protection of people’s rights online. This work also feeds into “Science & Technology online”, including development of credentials for those with special needs and reducing digital exclusion.

Security v anonymity is a key governance topic and falls under “Legal Frameworks and Cyber-crime”. Law enforcement needs, in particular, have often motivated the discussion around the regulatory regime requiring “mandatory verification of user identity” in wide-ranging areas of online services.

The workshop covers use of Identity on the Internet. It deals with a number of themes the MAG find important. Trust in online identity is key to sustained growth of the Internet, supporting global e-commerce and protection of people’s rights online.

Over the last two years this work has asked a number of questions including how identity can be governed on the Internet, how to balance privacy and security and how identity is used and misused.

The results have influenced the work of others including the UK Government and continue to result in new questions for which the workshops at IGF and interactions with related bodies are vital in helping provide informed answers in a global context.

This year the aim of the workshop is to invite input and feedback on the following questions which are all related to Identity Governance:

  • Proportionality between anonymity and security and whether security and privacy overlap
  • Whether legislative controls could ever effectively govern identity on the Internet
  • Whether commercial frameworks can be used to govern identity on the Internet
  • Should people use identity attributes as currency on the Internet
  • How to protect the naïve from themselves so that they do not damage their privacy or become victims of identity theft, and
  • Preventing digital exclusion through proper governance of identity where countries are going “digital by default” and developing countries are coming online

IGF 2012 provided unique input from the Middle East and Africa. This year we aim to bring new faces to the panel and also improve the diversity of the workshop. In addition to the topics listed above, we seek to address the question of how industry can be persuaded to design identity credentials that support the whole population, including those with special needs. Our full proposal will cover this in more detail.

BCS have already started the groundwork for a Dynamic Coalition on Identity Assurance and Governance and we hope to progress this much further at IGF 2013, creating a coalition that will provide benefit to all those who wish to become involved.

Concise description of specific issues or policy questions to be addressed:

The questions for our workshop are all related to Identity Governance on the Internet. They include:

  • Balance between anonymity, privacy and security and the Governance aspects
  • The reasons to promote or suppress 'anonymity' in the Internet and its relationship to trust
  • How freedom of expression would be affected by introduction of a generalised system of real-name user identity
  • The use of identity attributes as currency on the Internet
  • Whether commercial frameworks can be used to govern identity on the Internet
  • Types of federated identity models that could work
  • How to protect the naïve from themselves
  • Preventing digital exclusion through proper Governance of Identity

 

The key issues that this work addresses are those of Internet governance, specifically the critical area of identity governance. This is closely entangled with cyber-security and preventing cyber-crime. Special attention will be paid to identity theft, misuse of identity and overuse of identity verification.

Relating this to the MAG key themes, this falls under “Shaping global principles for the Internet”, as an adequate level of identity assurance and identity management is critical to the success of the Internet. Without trusted identity, privacy is at risk, social networking is undermined and e-commerce falters. At the same time, overuse of identity verification would pose a number of technical, legal and business issues.

The work on balancing security and anonymity is directly relevant to “Human Rights/Freedom of Expression, (Security vs. Personal Rights and Freedoms)”.

It is often assumed that the Internet provides ‘anonymity’ for users. However, users leave technical traces which can be used to establish the offline identity of the person in many cases. Avoiding traceability requires technical expertise that only a small minority of users normally possess.

Is anonymity possible and desirable, or is anonymity really context sensitive? And how does it really relate to privacy and trust in the context of the Internet? For most users, the Internet merely ‘appears’ to offer anonymity. But the façade of anonymity encourages and facilitates user behaviour in certain ways. Where fraud prevention is an important priority (financial transactions, for example), verification of user identity is, without doubt, an essential requirement. But in most other areas of online services, requiring verifiable user identity poses a number of difficult issues.

In 2007, the South Korean Government introduced a regulatory regime requiring “mandatory verification of user identity” in wide-ranging areas of online services. The regulatory regime encountered intractable difficulties and vigorous opposition from users and service providers. It was declared unconstitutional in August 2012. The South Korean experience can provide a convenient opportunity to discuss the technical, legal and business issues relating to user identity, anonymity, protection of minors and privacy in the cyber space.

This is an area that OpenNet and the BCS will continue to work in with a goal of helping the understanding of the different drivers and motivations. We hope to provide some concrete conclusions and guidance to be published in our 2013/14 report.

Critical to this work is continuing the discussion on balancing national security with online rights and whether anonymity is the real antonym of security or whether there is a contextual and proportionate balance to be had. One of the key conclusions from IGF 2012 is that security and privacy actually overlap quite well and are mutually supporting. It is in fact anonymity that is often seen as the antipode of security, which causes such bipolar views and vibrant debates. It is vital that clarity is brought to this area so that a more effective and productive discussion can be had with resultant useful outcomes. This will be an important discussion point in our workshop at IGF 2013.

This work also feeds in to “Science and Technology (In Internet) for Development” with the BCS as a charity specifically interested in how the various work taking place on identity credentials is supporting all users, including the disabled and those with special needs, with the aim to minimise digital exclusion. It is important to get a global view on such issues for which IGF provides a unique forum.

Following on from last year’s theme of Security, Openness and Privacy, there has been specific follow-up work undertaken to better understand the use of identity attributes as currency to “buy” things on the Internet, such as access to information or “free” products. We wish to feed back these findings at the workshop and solicit comment and input from the diverse discussion group.

“Trust in cyberspace” can only be achieved if identity registration and assured identities are possible, supported by strong credentials and effective governance. There will never be a hierarchical identity model or one run under specific legislation, but IGF has the potential to influence the development of standards in this area.

BCS is an active member of ISO SC 27 Working Group 5, which covers ISO standards on Identity Management and Privacy. The output from our workshop will influence our input to the ISO standards work in addition to UK Government policy and standards work.