Security and Governance of Identity on the Internet

22 October 2013 - A Workshop on Security in Bali, Indonesia

Internet Governance Forum 2013

Workshop # 19 Report

Security and Governance of Identity on the Internet

Organizer Name 

Smith Andy

Organizer Entity 


Workshop Theme 

Legal Frameworks and Cyber-crime (Spam, Cyber-security, etc.)

Consise description 


 Concise description of broader thematic area of interest:


This is now a joint workshop between OpenNet Korea and the BCS having merged proposal 35 “User Identity and Anonymity in the Cyber Space” in with proposal 19.

  The workshop falls under “Shaping global principles for the Internet” and covers Identity Governance on the Internet and balancing security v anonymity, which is directly relevant to “Human Rights/Freedom of Expression” itself key to sustained growth of the Internet, from supporting global e-commerce to protection of people’s rights online. This work also feeds in to “Science & Technology online” including development of credentials for those with special needs and reducing digital exclusion.

Security v anonymity is a key governance topic and falls under “Legal Frameworks and Cyber-crime”. Law enforcement needs, in particular, have often motivated the discussion around the regulatory regime requiring “mandatory verification of user identity” in wide-ranging areas of online services.

The workshop covers use of Identity on the Internet. It deals with a number of themes the MAG find important. Trust in online identity is key to sustained growth of the Internet, supporting global e-commerce and protection of people’s rights online.

Over the last two years this work has asked a number of questions including how identity can be governed on the Internet, how to balance privacy and security and how identity is used and misused.

The results have influenced the work of others including the UK Government and continue to result in new questions for which the workshops at IGF and interactions with related bodies are vital in helping provide informed answers in a global context.

This year the aim of the workshop is to invite input and feedback on the following questions which are all related to Identity Governance:

  • Proportionality between anonymity and security and whether security and privacy overlap
  • Whether legislative controls could ever effectively govern identity on the Internet
  • Whether commercial frameworks can be used to govern identity on the Internet
  • Should people use identity attributes as currency on the Internet
  • How to protect the naïve from themselves and not damage their privacy or become a victim of identity theft, and
  • Preventing digital exclusion through proper governance of identity where countries are going “digital by default” and developing countries are coming online

IGF 2012 provided unique input from the middle-east and Africa. This year we aim to bring new faces to the panel and also improve the diversity of the workshop. In addition to the topics listed above, we seek to address the question of how industry can be persuaded to design identity credentials that support the whole population including those with special needs. Our full proposal will cover this in more detail.

BCS have already started the groundwork for a Dynamic Coalition on Identity Assurance and Governance and we hope to progress this much farther at IGF 2013 creating a coalition that will provide benefit to all those who wish to become involved.

    Concise description of specific issues or policy questions to be addressed:

The questions for our workshop are all related to Identity Governance on the Internet. They include:

  • Balance between anonymity, privacy and security and the Governance aspects
  • The reasons to promote or suppress 'anonymity' in the Internet and its relationship to trust
  • How freedom of expression would be affected by introduction of a generalised system of real-name user identity
  • The use of identity attributes as currency on the Internet
  • Whether commercial frameworks can be used to govern identity on the Internet
  • Types of federated identity models that could work
  • How to protect the naïve from themselves
  • Preventing digital exclusion through proper Governance of Identity


The key issues that this work addresses are those of Internet governance, specifically the critical area of identity governance. This is closely entangled with cyber-security and preventing cyber-crime. Special attention will be paid to identity theft, misuse of identity and overuse of identity verification.

Relating this to the MAG key themes, this falls under “Shaping global principles for the Internet” as adequate level of identity assurance and identity management are critical to the success of the Internet. Without trusted identity, privacy is at risk, social networking is undermined and e-commerce falters. At the same time, overuse of identity verification would pose a number of technical, legal and business issues.

The work on balancing security and anonymity is directly relevant to “Human Rights/Freedom of Expression, (Security vs. Personal Rights and Freedoms)”.

It is often assumed that the Internet provides ‘anonymity’ for users. However, users leave technical traces which can be used to establish the offline identity of the person in many cases. To avoid traceability, it requires technical expertise only a small minority of users normally possess.

Is anonymity possible and desirable or is anonymity really context sensitive and how does it really relate to privacy and trust in the context of the Internet? For most users, the Internet merely ‘appears’ to offer anonymity. But the façade of anonymity encourages and facilitates user behaviour in certain ways. Where fraud prevention is an important priority (financial transactions, for example), verification of user identity is, without doubt, an essential requirement. But in most other areas of online services, requiring verifiable user identity poses a number of difficult issues.

In 2007, South Korean Government introduced the regulatory regime requiring “mandatory verification of user identity” in wide-ranging areas of online services. The regulatory regime encountered intractable difficulties and vigorous opposition from users and service providers. It was declared unconstitutional in August 2012. The South Korean experience can provide a convenient opportunity to discuss the technical, legal and business issues relating to user identity, anonymity, protection of minors and privacy in the cyber space.

This is an area that OpenNet and the BCS will continue to work in with a goal of helping the understanding of the different drivers and motivations. We hope to provide some concrete conclusions and guidance to be published in our 2013/14 report.

Critical to this work is continuing the discussion on balancing national security with online rights and whether anonymity is the real antonym of security or whether there is a contextual and proportionate balance to be had. One of the key conclusions from IGF 2012 is that security and privacy actually overlap quite well and are mutually supporting. It is infact anonymity that is often seen as the antipode of security which causes such bipolar views and vibrant debates. It is vital that clarity is brought to this area so that a more effective and productive discussion can be had with resultant useful outcomes. This will be an important discussion point in our workshop at IGF 2013.

This work also feeds in to “Science and Technology (In Internet) for Development” with the BCS as a charity specifically interested in how the various work taking place on identity credentials is supporting all users, including the disabled and those with special needs, with the aim to minimise digital exclusion. It is important to get a global view on such issues for which IGF provides a unique forum.

Following on from last years theme of Security, Openness and Privacy, there has been specific follow-up work undertaken to better understand the use of identity attributes as currency to “buy” things on the Internet, such as access to information or “free” products. We wish to feedback these findings at the workshop and solicit comment and input from the diverse discussion group.

“Trust in cyberspace” can only be achieved if identity registration and assured identities are possible, supported by strong credentials and effective governance. There will never be a hierarchical identity model or one run under specific legislation, but IGF has the potential to influence the development of standards in this area.

BCS is an active member of ISO SC 27 Working Group 5 which covers ISO standard on Identity Management and Privacy. The output from our workshop will influence our input to the ISO standards work in addition to UK Government policy and standards work.




Introduction 5 minutes from each panelist on their areas of discussion and questions Open discussion 1 - The use of identity attributes as currency on the Internet - How to protect the naïve from themselves - Preventing digital exclusion through proper Governance of Identity Open discussion 2 - Balance between anonymity, privacy and security - The reasons to promote or suppress 'anonymity' in the Internet - Is anonymity possible or desired Conclusion


Dr. Louise Bennett

Remote Moderator 

Ian Fish

Have you organized workshops at previous IGFs?


Workshop format 


Workshop Transcript 


Brief substantive summary of the workshop and presentation of the main issues that were raised during the discussions 

L'atelier s'est très bien passée et a eu une bonne participation. Les discussions ont été divisés en deux. Le premier couvrait les attributs de l'identité et de l'identité étant utilisé pour financer l'Internet, le second couvert de l'équilibre entre la vie privée, la sécurité et l'anonymat. 
Dans la première partie Louise introduit le BCS ensuite porté sur l'utilisation de l'identité en tant que monnaie sur Internet, elle a couvert divers aspects, y compris comment les attributs d'identité sont utilisés pour payer les services et comment utiliser des attributs pour le marketing ciblé, etc

Conclusions drawn from the workshop and further comments 

Il ya encore du travail à faire sur les différents soldes. Le solde est entre l'anonymat et la confidentialité / sécurité n'est pas entre la vie privée et la sécurité. 
L'anonymat sur ​​Internet est très difficile à atteindre, les métadonnées peuvent souvent être utilisé pour tracer les gens. Normalement, c'est une bonne chose car il est utilisé pour traquer les criminels et est fait seulement réactive mais il peut aussi être détournée. 
Big data, l'agrégation et l'extraction de données sont de plus en plus d'un problème et l'industrie et les organisations en ligne font plus l'utilisation de gros données à plus efficacement la publicité et des services de produit cible. 
vie privée en ligne est possible, mais la plupart des gens sont naïfs dans la façon dont ils utilisent l'Internet et de révéler plus de données personnelles qu'ils ne le devraient. Il s'agit plus d'une question aussi rien n'est jamais supprimé une fois qu'il est sur ​​l'Internet. 
Sans personnes acceptant de services subventionnés par «payer» avec leur identité sur Internet serait beaucoup plus coûteux et certains services peuvent ne pas exister. 
Certains gouvernements ont tenté d' utiliser et appliquer les règlements véritable identité de nom et même si cela pourrait être une bonne chose qu'ils n'ont pas normalement mis en œuvre correctement ce qui entraîne des risques et l'utilisation abusive surtout pour le propriétaire d'identité. 

Reported by 

Andy Smith

Estimate the overall number of women participants present at the session 

About half of the participants were women

To what extent did the session discuss gender equality and/or women's empowerment? 

It was not seen as related to the session theme and was not raised

Discussion affecting gender equality and women's empowerment 


Workshops Staticals 
Number of FEMALE participantsNumber of MALE participantsNumber of Young participantsNumber of Developing Countries ParticipantsNumber of Developed Countries ParticipantsNumber of LDCs participantsNumber of TOTAL Participants
34 51 8 15 35 0 85