Aspects of Identity - 2104 - BCS Policy of... · The views expressed in this book are of the...

Aspects of Identity

Yearbook 2013–2014

© 2014 BCS, The Chartered Institute for IT

All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.

All trade marks, registered names etc. acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society charity number 292786 (BCS).

Published by BCS, The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. www.bcs.org

British Cataloguing in Publication Data. A CIP catalogue record for this book is available at the British Library.

Disclaimer: The views expressed in this book are of the author(s) and do not necessarily reflect the views of the Institute except where explicitly stated as such. Although every care has been taken by the author(s) and BCS in the preparation of the publication, no warranty is given by the author(s) or BCS as publisher as to the accuracy or completeness of the information contained within it and neither the author(s) nor BCS shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.

Typeset by Lapiz Digital Services, Chennai, India

Supporting statements

The issues associated with the management and protection of an individual’s identity on the internet are gradually gaining the recognition that many have been crying out for over the last decade. The work that the BCS Identity Assurance Working Group is progressing is an enabler for the discussions that are taking place worldwide and plays a vital role in providing an articulate, authoritative and independent voice of reason in a world swirling with a host of good intentions. For identity subjects and providers alike wishing to navigate the shark-infested waters of identity assurance, the BCS Aspects of Identity Yearbook offers a much-needed way forward and EEMA is honoured to endorse this publication.

Roger Dean, Executive Director, The European Association for eidentity and Security (EEMA)

BCS, The Chartered Institute for IT, is working in many ways to ensure that everyone has the education they need to benefit from an increasingly online world. Working internationally on ways to increase trust in the identities of both individuals and businesses online is key to this. The BCS Cyber to the Citizen Campaign with Get Safe Online that I launched with them in 2014 is one aspect of this, and I strongly endorse the call in this Yearbook to protect the vulnerable from harm associated with discovery of their identity online.

Alun Cairns MP

The Digital Policy Alliance (formally EURIM) supports the view of BCS that multi-stakeholder dialogue through the UN IGF and other international institutions is the best way to improve the governance of identity on the internet. The trust in transacting online that has been eroded by the NSA surveillance revelations must be restored. Identity assurance is key to this, through simple usable identity schemes that are secure enough for each type of transaction and that are interoperable. The DPA supports BCS in their proposed work with W3C on developing and promoting open standards for identity and payments on the web.

Lord Erroll, Chairman, DPA

This useful guide to the key issues around identity will, I hope, help to end the sterile discussion about security vs. privacy and surveillance vs. invisibility framed by the NSA and The Guardian, control freaks and libertarians. As the handbook makes plain, anonymity is not privacy. Privacy is about control, and I hope that this more sophisticated perspective can be used to steer political discussion of national identity infrastructure to more reasonable ground.

Dave Birch, Global Ambassador, Consult Hyperion

OpenNet South Korea is pleased to work with BCS, The Chartered Institute for IT, whose expertise and sustained effort to lead debate on online identity have provided useful guidance for policy makers. Governance of online identity requires a nuanced approach. BCS work has demonstrated a healthy pragmatism that strikes a good balance between the need to achieve a robust and sustainable identity management system, which can work across the borders, and the equally important need to protect anonymity and privacy of individuals. Users, service providers, regulators, law enforcement agents, security engineers and human rights activists all have different concerns and interests regarding the topic of online identity. The works and proposals of BCS will serve as important signposts which will help us navigate through this challenging topic.

Keechang Kim, Professor, Korea University Law School Director, OpenNet South Korea

Contents

Foreword

1 Introduction

2 Internet landscape 2013

3 Identity-related issues on the internet

• Internet governance and the NSA surveillance revelations

• Privacy and education

• Anonymity and traceability

• Open standards for online identity

• The ethics of big data

• Data protection and censorship

• Legislative processes, and commercial and liability models

4 Practical ways forward on internet identity governance

• Mobile identity

• Identity in the cloud

• Simplifying and rationalising standards

• Biometrics: friend or foe?

5 Conclusions

6 Recommendations and engagement in 2014–15

Annex 1 The IAWG and its activities in 2013 and proposals for 2014

Annex 2 Infosec Europe: Preventing identity theft in the digital age

Annex 3 Digital Enterprise Europe 2013: Managing identity for the future

Annex 4 UK IGF: Identity and trust workshop

Annex 5 8th UN Internet Governance Forum: Building bridges – Enhancing multi-stakeholder cooperation for sustainable growth and development

Annex 6 Parliament and Internet Conference

Annex 7 BCS EEMA Seminar: How is eID enabling business growth? The challenges and opportunities

Annex 8 Some standards for consideration in identity management

Foreword

It is a privilege to offer a few words by way of a foreword for this year’s excellent edition of Aspects of Identity.

Eidentity and trust are rightly seen as one of the most fundamental issues in our contemporary era of ubiquitous and instantaneous electronic networks.

While there is no single ‘one size fits all’ solution, there has been significant progress as outlined in this edition of the Yearbook.

Identity and access mechanisms are inextricably linked – whether it is access to big data in the cloud, or access into a building – and this theme of convergence is echoed in this edition.

Another important theme in Aspects of Identity is that of trust and its concomitant liability. At the higher end of assurance, the two are interdependent – and in order for liability to be apportioned and managed there must be a pre-agreed set of rules or operating procedures that all parties agree to abide by.

In this regard, readers of Aspects of Identity will recall the principle of Gall’s Law – better to build upon practices that already work and are trusted than attempt a highly complex, totally new mechanism.

I encourage all parties, whether technical or not, to study the fascinating set of contributions contained within the Aspects of Identity Yearbook 2013–14.

John G Bullard, Global Ambassador, IdenTrust Inc.

1 Introduction

In 2011, the OECD stated that digital identity management was at the core of the internet economy,[1] and this view is now widely accepted. Identity governance is now considered a mainstream global issue applying to individuals, organisations and the ‘internet of things’.

The purpose of this Yearbook is to trace the developing views of identity governance over the internet from both UK and global perspectives. The views have been collected by members of the BCS Identity Assurance Working Group (IAWG)[2] at meetings throughout 2013.

This report also takes up the threads from the work reported in the two previous Aspects of Identity Yearbooks (both available from the IAWG website).

In 2011, the IAWG started with a conventional set of key issues associated with electronic identities:

• citizen’s rights and control of personal data;

• minimising access and controlling privacy;

• registration authorities and ID assurance;

• rights and responsibilities of ID providers, and

• the proportionality between security and privacy.

These covered the whole framework for identity governance on the internet and the complex topic of trust in transactions with remote identities: anonymity, pseudo-anonymity and attribution.

[1] OECD (2011) ‘Digital identity management for natural persons: enabling innovation and trust in the internet economy – Guidance for government policy makers’. OECD Digital Economy Papers, No. 186. OECD Publishing. http://dx.doi.org/10.1787/5kg1zqsm3pns-en

[2] The IAWG is a subgroup of the BCS Security Community of Expertise (SCoE) and is made up of members of the SCoE with invited experts from industry and academia. It aims to represent the views of BCS membership in this area and help drive the improvements that are needed globally in the area of identity management and assurance over the internet, primarily through the UN Internet Governance Forum (UN IGF). The IAWG supports the UK Government’s view that the UN IGF multi-stakeholder approach to improving internet governance is the most effective way to make progress. BCS is represented on the UK IGF coordinating committee by the IAWG.

In 2012, the focus shifted to several controversial topics identified in 2011:

• the proportionality between security, privacy and anonymity;

• identity discovery through data aggregation and data mining;

• the commercialisation of the internet and monetisation of identity attributes;

• legal and commercial frameworks;

• how to use various attributes of identity for access to online resources.

The key topics of identity assurance, namely how to ensure confidence in the individuals, organisations and services people are dealing with on the internet, how to prevent identity theft and how to protect the vulnerable remain the main objectives of sound internet identity governance.

In 2013, further workshops and seminars were held in the UK, Europe and at the UN IGF. These focused on:

• the drivers for privacy and anonymity (accepting that security underpins both);

• basing identity in ecommerce on liability models and contractual frameworks;

• the positives and negatives of identity as currency on the internet;

• the link between different motivations to go online and securing online identity in each context;

• how both national and global single purpose schemes, fit for different purposes, can interoperate;

• how to register users remotely on the internet when they are communicating over untrusted infrastructure from an unsupervised environment.

The developing internet landscape in 2013 is outlined in Section 2. The identity-related issues on the internet that came to the fore and were widely discussed in 2013 are covered in Section 3. Section 4 looks at progress and practical ways forward on internet governance. The IAWG conclusions and recommendations for the focus of work in 2014–15 are given in Section 5 and Section 6.

Annex 1 details the IAWG activities in 2013. Annexes 2–7 are summaries of each event that IAWG members attended and to which they made formal inputs during 2013. Annex 8 covers some relevant standards for governance of identity on the internet.[3]

The IAWG members in 2013 were Louise Bennett, John Bullard, Lizzie Coles-Kemp, Roger Dean, Ian Fish, Andy Smith, Toby Stevens, Peter Wenham and David Williams.

[3] The write-ups in Annexes 2–7 are in the style required by the conference organisers or the requested workshop output reports. Links to conference presentations and verbatim texts are given where available.

2 Internet landscape 2013

The internet has continued to expand in 2013 and is becoming increasingly important globally. Growth related to the internet economy is forecast at almost 11 per cent in the EU, with a contribution to GDP expected to rise from 3.8 per cent in 2010 to 5.7 per cent in 2016.[4] Small- and medium-sized enterprises that use the internet intensively grow almost twice as fast as others.[5] This economic potential needs to be further exploited to ensure that individuals can access the content, goods and services they want, and control what personal data they want to share or not. In order to achieve this it is necessary to have robust identification of businesses and individuals. The EU said this in its cyber security strategy: ‘Secure, stable and resilient networks form the basis of a trusted and flourishing internet economy.’[6]

Specifically, in relation to the identity governance and administration (IGA) sector, Gartner said in their December 2013 report that:

In 2013, IGA has been the fastest-growing sector of identity and access management (IAM). Gartner estimates combined 2012 IAM and IGA product sales at $1.8 billion – with estimated sales in 2013 exceeding $2.2 billion. Growth rates for IGA products and services are estimated to be more than 10 per cent for the next five years. Sales for the consulting and system integration service for IGA in 2013 are believed to be between two to three times the estimated product sales for the year.[7]

On the negative side of the balance sheet, however, is the fact that criminals tend to follow the money, so with more financial transactions and purchases moving online, identity assurance becomes all the more important.

In addition, the focus of global tensions has moved into cyberspace in 2013. In the 1980s global tensions focused on the cold war. After 9/11 the focus shifted to terrorism. In 2013, global tensions moved decisively into the cybersphere. Intelligence and data gathering in cyberspace were already the key topics in discussions between the two global superpowers, the USA and China, even before the Snowden revelations about NSA surveillance. Since then the steady drip, drip, drip of Snowden’s stolen information to the world’s media has done much to erode trust between nations and the social norms of different cultures on the internet. As trust is inextricably bound up with identity assurance and issues of privacy, the Snowden affair has had a profound effect on internet identity governance. It seems likely that nation states will no longer trust each other’s PKI/eID systems, and there may be a rise in independent, off-shored services that refuse to disclose their root keys to intelligence services.

[4] Boston Consulting Group. ‘The $4.2 Trillion Opportunity – The Internet Economy in the G-20’, 3/2012

[5] McKinsey Global Institute (2011). ‘Internet Matters: The Net’s Sweeping Impact On Growth, Jobs and Prosperity’

[6] Join (2013). ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace’, 7.2.2013

[7] Gartner (2013). Magic Quadrant for Identity Governance and Administration. 30 December 2013, ID:G00253758

Another issue that was raised last year and is now being widely debated is the question of identity discovery through personal data aggregation. Big data collection, aggregation and analysis, particularly where parts of the data sets contain personally identifiable data, are major ethical issues. The fact that these topics have been emotively dominated by NSA surveillance has detracted attention from other aspects and an understanding that they concern a much broader issue. For example, people tend to overlook what NGOs and commercial organisations are doing with big data, and instead focus their attention solely on spying governments. Yet the privacy issues surrounding data collection and analytics are enormous and require a rational, unemotional debate about when societal good outweighs personal privacy.

It is now widely acknowledged that information on the internet is discoverable by anyone determined to do so. Absolute privacy and anonymity online are chimeras, in the same way that they are in the physical world. However, people need to have the means of ensuring security for their online identities that are commensurate with the contexts of different online interactions.

In connection with all the issues associated with online identity there is a growing need for widespread public education about safe use of the internet. This is a key requirement for the internet to flourish and to ensure that all nations, businesses and individuals get economic benefits from an increasingly online world.

A final point that is particularly important for legislators to take on board is that identity solutions need to be designed for tomorrow’s business models, not (just) for today’s. Legislators have got to be much more agile than they are now. Grand schemes are not going to provide the answer, because changes and the growth of new solutions for specific problems are happening too fast. It is important that legislators solve practical real-world problems that individuals and businesses face, pragmatically, as those problems arise.

3 Identity-related issues on the internet

Seven major new or evolving identity-related issues, covered in more detail below, emerged from the workshops during the year. These were:

• the extent to which the revelations about NSA surveillance have reduced trust in privacy and the protection of personal identity on the internet;

• widespread recognition that security enhances privacy, and that education on this topic is critical;

• a realisation that privacy and anonymity are not the same. This leads to a more mature and nuanced view of anonymity/traceability, which includes the importance of context when considering anonymity and a better understanding of the tensions between national security and anonymity;

• the place of open standards in building trust in online identity and payments, particularly precipitated by the World Wide Web Consortium (W3C) proposals for open internet identity and payment standards;

• the ethics associated with personally identifiable data aggregation, analysis and mining by governments, NGOs and businesses;

• data protection and censorship;

• the development of commercial and liability models of internet activity.

Internet governance and the NSA surveillance revelations

Governance of the internet has been dominated in 2013 by the revelations of Edward Snowden about the extent of NSA surveillance. Although the discussion around this is not primarily about identity, it concerns the vital element of trust, and identity assurance is a key element of internet trust.

This erosion of trust in both the US Government and companies is in danger of leading to calls for the ‘global commons’ of the internet to be turned into ‘gated commons’.

In the light of these developments, it is essential that trust is restored as a matter of priority to prevent this from happening. It is important to ensure that the internet is used to connect and liberate, not to divide and conquer. Balkanisation is in no one’s interests and will certainly not assist global business growth. Indeed, the US Information Technology and Innovation Foundation has recently estimated that international distrust of the activities of US intelligence agencies on the internet could cost US businesses between $22 and $35 billion in the next three years.

The Snowden revelations have also given further impetus to calls for the de-Americanisation of the internet. This trend was already apparent at UN IGF 2012 (then largely focused on ICANN) but, because of the ongoing drip feed of revelations, became the dominant theme at IGF 2013. The calls came from many government delegations (notably from Brazil and the EU) as well as human rights and privacy groups.

Major US companies have now formed the Reform Government Surveillance Alliance to counter the anti-American feelings about the internet and loss of business by those companies, particularly in cloud computing.

In the commercial context it is worth remembering that fragmentation is not a new worry. The internet as a unitary entity, free and open to all, has been under pressure from commerce as well as governments for years. A new Argentinian law passed in January 2014 stated that all goods bought from foreign websites must be posted to and collected from Argentinian customs premises. Although this was probably more a response to Argentina’s fiscal woes rather than an attack on ecommerce, it will do nothing to support the global nature of the latter. Also, many of the product sets and apps intended to differentiate major providers from each other have a side effect of creating ‘walled gardens’ protected by the vendor. These ‘walled gardens’ are frequently global, but provider specific.

Since there are now over 500,000 interlinked networks on the internet, the practicality of separating these is near impossible. However, some countries are determined to build barriers and defend their borders, insisting on their own governance behind and within them. Even if just political posturing, this is deeply counter-productive. This is particularly the case for massive online data storage and cloud computing.

There may be two factors to counter this adverse trend. The first will depend on the effectiveness of the response of nation states, and the USA in particular, to the general outcry over the activities of the intelligence agencies, which has culminated in the UN General Assembly unanimously adopting a resolution affirming the right to privacy in the digital age. The second is the fact that many users wish to use the products of large commercial internet providers, which minimises the ability of nations to move towards Balkanisation.

Privacy and education

Privacy is the ability of a person to control the dissemination, processing and use of their personal information. Theoretically, this includes the right to be ‘forgotten’ and the right to withdraw consent to use personal information. In reality, however, this is not the case. There are good reasons, in a civilised society, for governments to have mandated access to and processing rights of certain personal information about their citizens and visitors to their country. In most cases there is still informed use, so, although the person does not have a choice in providing information for tax or other purposes, they know why this information is being provided and how it will be used. This governmental right of access is normally covered by legislation.

It is only for investigation of specific serious crimes that personal information should be used without consent and even then such action should have legislative cover. For example, in the UK there is effective legislative cover, based on specific exclusions of law enforcement from the Data Protection Act and other Acts of Parliament.

When it comes to the right to be ‘forgotten’, the modern digital world makes this a pipedream. Information on the internet cannot be deleted with absolute certainty, and once data is on the internet it needs to be treated as ‘write once, read many’. Many people can find postings they made on such websites as Usenet news 20 or 30 years ago if they search for their first email address.

Time and again people who put up pictures from bachelor parties or other events that they have attended find that these cause them embarrassment later when they are looking for a job. It is not hard for personnel departments to look up people on social networking websites or do an internet search and find out things that could affect their employability.

Privacy online only exists if people actively protect their personal information in the same way as they would their money. People need to be educated from the first time they go online at school age about the issues of exposing personal information on the internet. It is like putting ink in water – it is very easy to put the ink in, but very hard, if not impossible, to take it out again.

For those who want privacy, security (including national security) is actually a supporting capability, not a contra-capability. Personal information exists in a myriad places, from large government databases (the UK Department for Work and Pensions database has over 88 million records) to small charity websites that have a few hundred credit card details. Significant resources go into security controls such as firewalls and anti-malware systems. Access control systems and auditing can only ensure authorised access. It is clear that, if personal information is stored in a digital system, security controls are vital to retaining privacy and data protection compliance.

National security is also important because it is one of the mechanisms that underpins a civilised society and allows people to live free lives with limited fear of criminal and terrorist actions and no fear of the state or other countries. However, national security should not become an excuse to abuse privacy or ignore ethics.

National security has to have the freedom to work covertly and act in the best interest of the state, but only where necessary and within a legislative framework and oversight. In the UK there are strong legislative controls regarding national security and effective oversight. The national security effort should always be operated in a way that is privacy-friendly. If exercised within such a framework, national security efforts can become instrumental to preventing hacking and other potential privacy compromises. So security is an enabler of privacy.

Anonymity and traceability

Anonymity and traceability should be considered as two separate issues. For their report Global perspectives on online anonymity, the Childnet Youth IGF Group defines anonymity as ‘the ability to interact online without being compelled to reveal who you are’. This ensures that individuals can have the right to free speech without fear of repercussions; but also that people cannot easily be identified and held accountable for their actions. Traceability, on the other hand, is the ability to trace apparently ‘anonymous’ postings. At its most benign it is a protective law enforcement requirement. It is most often used in a reactive manner where there is good legal cause.

There are strong calls from most stakeholders to ensure that anonymity on the internet is retained. For example, 86 per cent of young people who responded to the above mentioned Youth IGF project supported this call. The IAWG has also had a similar response in all the workshops it ran over the last three years.

However, it is important to realise that true anonymity on the internet is not achievable: it is always possible to trace at a minimum the IP address people are using, and then it is usually possible, with sufficient resources, to determine who they are via access to multiple data sets. True anonymity is, therefore, extremely difficult to achieve. There is also concern that anonymity can be misused, for example for criminal activities, cyberbullying and so on. In addition, there are also examples where people do not seek complete anonymity but want to reveal themselves only to a trusted group, as in the case of Arab Spring members: while they wished to remain untraceable to the authorities, they did not want to be anonymous to other members of the movement. If they were truly anonymous how could the other members trust them?

While freedom of expression allows individuals to say things that some people might find offensive, criminal activity should always be prosecuted. To do this effectively, the definitions of criminal behaviour and the rules of social behaviour need to be agreed internationally, together with enforcement mechanisms.

It is also important to recognise that not every internet interaction should have the privilege of anonymity. The context of such interactions is important; for example, some private interactions, such as those to financial institutions, may well need to identify positively the person making the interaction. Other interactions, such as email, will at least need to associate the interaction with a pseudonym, which may actually be operated by a single person or a connected group.

There is still an ongoing discussion about the exact contexts in which it is acceptable to be anonymous as well as about the meaning of the access afforded to law enforcement agencies under the Human Rights Act and various national legislations. For example, in August 2012, in the South Korean Constitutional Court, OpenNet South Korea, BCS’s joint workshop organisers at the UN IGF 2013, won their case against the South Korean Government’s 2007 regulatory regime that required ‘mandatory verification of user identity’ in online services. The regulation was declared unconstitutional.

In all these discussions, it is important to understand not only who is seeking anonymity, but also who they are seeking anonymity from and the reason why.

Open standards for online identity

The World Wide Web Consortium (W3C) is currently developing an infrastructure for web identity and payment standards (PaySwarm) that has the potential to be a major (positive) disruptive force, encouraging many new business models and enabling the unbanked and digitally excluded to benefit from online services. It offers a decentralised ID, using a secure digital signature and web key encryption. It operates by creating an ID with the PaySwarm authority, associating a web key with this ID and registering it with the PaySwarm listing service. The user then constructs a purchase request, signs it digitally and receives a receipt that contains the transaction ID and contract. The PaySwarm website describes the coding and gives a series of demos.

These new open standards have the potential to make an important contribution to secure online identity and payments.

The ethics of big data

Big data is big news in the media, particularly since the analysis of internet and phone records by various state organisations came to light. However, state organisations are not the only ones involved with the analysis of big data – it is also the field of international NGOs and the private sector.

The analysis of large volumes of data for specific data types, known as data aggregation, can lead to identity discovery even where data has been ‘anonymised’. This is a relatively easy task where the data has only been ‘pseudo-anonymised’. Such analysis can be benign, as in tracking disaster victims or plotting the spread of a new disease as it crosses the globe, or oppressive, as in tracking a country’s citizens through cyberspace and using that information for ‘control’ purposes.

Therefore, ethical scrutiny of both the collection and analysis of massive open data online is needed to ensure it is used for social good.

The emergence of crowd-sourced large meta-data data sets such as the MetaPhone data set adds more questions to the ethical discussion.[8] For example, how do you control such crowd-sourced initiatives, and who is behind such initiatives? Are their motives benign? Could the initiative be subverted to support another more nefarious cause? Indeed the emergence of these crowd-sourced data sets shows that the internet itself can be viewed as one large repository of data just waiting to be harvested and mined for useful nuggets of information.

Treating the internet as a big data source and using tools such as web crawlers and other automated and manual tools such as Paterva’s Maltego to interrogate available resources opens the door to the darker side of big data analysis: that of actively seeking out specific individuals and targets for crime. As these tools become more powerful and ubiquitous, it will become increasingly difficult to guarantee an individual’s anonymity on the internet even when they are using anonymising mechanisms.

While search engines are a source of data that can be mined, social media websites offer a far richer and more interesting source of data. However, the one thing both have in common is the monetisation of information obtained from analysis of data held. In this sense, the user of these services is not a consumer of the services, but the product or part of the product sold by these services. Revenue is gained from selling the information obtained from analysing the held data, so many of these services are free to the end user. One could ask ‘is data the next oil?’

As with other aspects of internet security and privacy, what is required is better education and raising awareness to help protect users.

Data protection and censorship

At the start of 2014, the European Commission published a paper on internet policy and governance. This reiterates the EU approach to internet governance summarised in the COMPACT acronym first put forward to the OECD in 2011, which builds on the Tunis agenda of 2005. This states that the internet is a space of:

• Civic responsibilities

• One unfragmented resource governed via a

• Multistakeholder approach to

• Promote democracy and human rights, based on a sound technological

• Architecture that engenders

• Confidence and facilitates a

• Transparent governance both of the underlying internet infrastructure and of the services which run on top of it.

8 See also http://webpolicy.org/2013/12/23/metaphone-the-nsas-got-your-number/ http://webpolicy.org/2013/11/13/whats-in-your-metadata/ http://www.commondreams.org/view/2013/12/27#.Ur2o6ykcPr0.twitter http://www.theatlantic.com/technology/archive/2013/12/stanford-researchers-it-is-trivially-easy-to-match-metadata-to-real-people/282642/


The IAWG endorses the principles given in COMPACT. However, the EU agenda remains one where data protection, privacy and human rights (as enshrined in the European Convention on Human Rights) are of paramount importance. This emphasis on freedom from harm can and does bring the EU in conflict with the cultural norms of other countries and societies. There has been a long-running difference of approach between the EU and the USA where, as Isaiah Berlin said in an essay, ‘freedom to’ trumps ‘freedom from’.9 This manifests itself most obviously in the American view that, on the internet, it is more important to protect freedom of speech than it is to protect privacy.

While those living in the UK and other parts of Europe enjoy strong data protection legislation, this is not the case in many other parts of the world. This is important to keep in mind, for example when visiting websites, since websites that appear to be in the UK can often be operated from other locations, which have cheaper resources, but much weaker legislative protection and security. Until people start reading the privacy statements and refusing to use services operated from countries that do not have effective data protection they will continue to put themselves at risk.

Data protection is fundamental to the success of commerce on the internet. If people lose trust in online services they will stop using them. There have already been a number of online companies that have failed as a result of a data breach. Thus data protection is not just a right, it is also a business driver and something that can make or break an online business.

However, there have also been accusations from much of the developing world that EU data protection legislation is simply a means of putting up a trade barrier rather than protecting a fundamental right to privacy. The Western view of privacy and data protection is also at variance with the norms of censorship in totalitarian regimes.

It is possible to take data protection too far. There are examples where implementing secure identity has, possibly unintentionally, resulted in censorship. In the previously mentioned case of South Korea, the government instituted the requirement that people logging on to certain services had to have an online ID, which was only given to people living in South Korea. This effectively prevented all Koreans living in other countries from accessing these websites. As some of these were discussion groups and news websites, this basically resulted in censorship of those websites from Korean speakers outside Korea.

Wherever a government or organisation implements access controls to services, they need to ensure that all of those who could benefit from the service or should have access are able to obtain credentials. However, the related issue of remote registration of identity remains an unresolved topic.

Legislative processes, and commercial and liability models

Steps to manage and mitigate operational risk are essential in today’s electronic era where processes are measured at the speed of light and where no conventional industry or geographic boundaries necessarily apply.

Clearly there is a balance to be sought in individual national legislative initiatives worldwide being sufficiently flexible to encourage and nurture genuine commerce, trade and wealth creation electronically, and yet being sufficiently rigorous to combat crime and prevent misdoing.

Risk cannot be totally eliminated and governments should be wary of introducing overly specific technology-based legislation that runs the grave risk of being out-dated by the time that it reaches the statute book. However, at a minimum, the same rights and liabilities associated with an ink signature should appertain to an electronic signature.

9 I. Berlin (1969). Two concepts of liberty. In I. Berlin, Four Essays on Liberty. Oxford: Oxford University Press.

There is a growing body of thought that supports a minimalist approach from government, but looks to private law-making between trading parties to fill the void. Under Common Law, and specifically the Law of Contract, those undertaking commerce agree in advance upon written rules, which govern aspects of their relationship, including rules governing the legal recognition of electronic signatures. With such a contract in place, they can then engage in ad-hoc transactions in which their electronic signatures will be accorded full legal validity.

Clearly it is impractical for parties at each instance to draw up such contractual relationships, and therefore it is much better, wherever possible, to have a standard set of agreements and then add specifics according to the nature of the transactions and their commensurate risk. The more detailed a contract is, the more freely the parties can conduct their business.

For private law-making to work optimally for all parties, whether in the public or private sector, it is essential that it be permitted to operate without inconsistent requirements from local public law. Mandatory local requirements that conflict with a global contractual system merely serve to Balkanise the world of ecommerce. Indeed local enactments of public law imposing unique requirements could actually serve to isolate the enacting country or bloc from the rest of the ecommerce world. There is ample evidence to illustrate how such problems can arise when, with the best of intentions, overly prescriptive legislation clashes with enactments from other national legislatures.

Interoperability is also important in areas of policy, and legal and operational consistency, where parameters should harmonise in order to achieve full business interoperability. For example, in dispute resolution or in cases where there is disagreement between two parties about the validity and/or enforceability of their respective contractual obligations, it is essential that there is a pre-agreed process in place. This should escalate, if necessary, to an independent court of arbitration if settlement cannot be reached.

It is worth noting that none of these measures is unique to the electronic world. Much of what people use and rely upon in the physical world on a daily basis is underpinned by some sort of contractual framework that brings with it the elements of genuine trust; namely privacy, authenticity, message integrity and non-repudiation.

This is especially prevalent in the payments industry, from the historic reliance upon paper-based cheques used within a cheque clearing and settlement system, through to the globally used card payment mechanisms, which operate via the banks under common pre-agreed ‘trust frameworks’ better known as Visa and MasterCard. Within payments, which is essentially the movement of value represented in bits and bytes of data from one digital identity (i.e. a bank account) to another, the contractual frameworks work perfectly 24/7 and are used as much by governmental bodies as they are by private sector commerce.

In the internet environment where a payment is simply and invariably the final step in a transaction between trading parties, the historic role of the banker as the enabler of commerce to support those parties throughout the trade cycle remains valid.


4 Practical ways forward on internet identity governance

Mobile identity

Over the last three years, SSEDIC10 conducted two large surveys on user attitudes towards eID and the use of eIDs: ‘Bridging IMS and Internet Identity’ and ‘Electronic Identities in Europe’. They found that end users:

• are sceptical: they expect to see clear benefits from the use of eID technologies;

• are convenience-seeking: they want convenient, readily available tools, even if they have experienced or are aware of some associated security issues;

• are internationally oriented: they want to engage in cross-border online commerce and banking transactions;

• have high expectations: they expect their national governments and the EU to take action towards improving the current situation and to ensure cross-border usability of eIDs not only for public but also for private sector applications.

Mobile technology is rapidly becoming a key means of interacting over the internet, and ‘mobile first strategy’ is a term coined to refer to the primacy of mobile networks made up of modern smartphones attached to a large network coverage area. The mobile first strategy refers to the increasing tendency of companies to design their products for mobile phones or devices before making correlated designs for traditional desktop and laptop computers.

Industry experts are quick to identify many advantages of running digital identity over the mobile phone. Research by GSMA into mobile identity stated:

The obvious thing to use is the mobile phone – it has the display, the computing power and it is the most common thing people will carry with them. Mobile is the convenient device. It needs to be mobile because you will want to establish your ID in many, many scenarios.

This means that online identity has to be fit for mobile use, with all of the additional standards, security and privacy issues that brings with it. The key technical issues include mobile, esignatures, WPKI (wireless PKI), secure UICC (SIM) chip cards, server signatures and ‘mobile first strategy’.11

10 SSEDIC – Scoping the Single European Digital Identity Community http://www.eid-ssedic.eu/

11 See Giesecke & Devrient: http://www.gi-de.com/en/trends_and_insights/tee_1/trusted-mservices.jsp


Mobile eID is a key enabler for ebanking, ecommerce, egovernment and ehealth because of the ubiquitous nature of mobile technologies. Where services already support national card-based eID solutions (as in some EU countries) these may well get seamlessly amended by mobile solutions. The Estonian mobile ID deployment exemplifies this, as does the Austrian example where citizens have shown a clear preference for the mobile solution.

Where no national eID systems exist, states may consider first deploying mobile ID and mobile signature. A core part of the infrastructure, the end-user devices, is already widely deployed and this means less public sector investment to deploy tokens or to subsidise card readers – a point not to be underestimated in times of austerity.

As in the financial and commercial arenas, collaboration between the public sector, commercial users and mobile network operators (MNO) needs formalisation in trust frameworks with appropriate governance.

A revision of mobile tariffs may be required to provide access to egovernment services and eID use via mobile. This should include pay-as-you-go tariffs. A parallel can be seen on satellite broadcasting in the UK and elsewhere. For example, one may cancel a Sky subscription yet still access terrestrial channels via the Sky service free of charge. There is a need to harmonise parts of identity standards between the domains of government eIDs (national and ICAO standards) and telco-id standards (ITU, ETSI, GSMA), so that interoperability is enhanced.

As with other areas, citizen education in safe mobile use is imperative to build trust. Educational resources with embedded ethical perspectives need to be created and disseminated to explain digital ID on mobile and other devices, enabling registration and authentication in a standard process on all mobile devices.

Identity in the cloud

Cloud computing, like mobile, is becoming ever more popular. Gone are the days when all of an organisation’s applications were run within their control, and internal access control systems, such as Active Directory, were used to manage identities and user accounts. In theory, user registration and access control management could be required for each separate cloud service. However, there are methods for simplifying identity governance.

One method is for the cloud service provider to create and issue a role (or small set of roles) to an organisation, and for the organisation to then manage the users they put in each role. This means the cloud provider does not have to manage user accounts, but can still bill for usage based on the role. The organisation retains full control and management of users’ accounts and access, and, using technologies such as SAML, can also integrate all of their cloud services with their internal identity management systems.

There are a number of things that need to be taken into account when using cloud services and these are detailed in a presentation BCS gave at Cloud Computing Expo ‘It’s getting Cloudy – why risk IT?’:

• Organisations need to ensure that there is only forward trust from their organisation to the cloud service. Access to the cloud service should not provide access to other information and only the organisation should be able to add and remove users.

• Organisations should insist on good audit trails. All actions taking place on the cloud service should be logged and compared with the billing information from the cloud provider to ensure they tally.


• Organisations should retain control of user accounts for both authentication and authorisation. It is neither efficient nor privacy-enhancing to have 80 administrators in five countries managing your users’ accounts, especially as users have a habit of using the same password on multiple things.

• Organisations should ensure that they know where their data is really going, including resilient sites, back-ups, archives and so on. This is especially important for data protection compliance. If the cloud provider sends back-ups to cheap storage in a country without effective data protection, it is the organisation collecting the data that will be held liable.

• Organisations need to be able to prove who did what if something goes wrong.
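The audit-trail and account-control points in the list above can be checked mechanically. The following is an added example, not taken from the BCS presentation: the audit-log fields, role names, action names and billing format are assumptions, and all data is constructed.

```python
from collections import defaultdict

# Constructed: the organisation's own directory is the source of truth for
# who holds each role issued by the cloud provider.
ORG_ROLE_MEMBERS = {
    "analyst": {"alice", "bob"},
    "admin": {"carol"},
}

# Constructed audit events exported from the cloud service (field names assumed).
AUDIT_LOG = [
    {"ts": "2014-03-01T09:00Z", "actor": "carol", "role": "admin",
     "action": "add_user", "target": "bob", "units": 0},
    {"ts": "2014-03-01T09:05Z", "actor": "alice", "role": "analyst",
     "action": "run_report", "units": 3},
    {"ts": "2014-03-01T09:20Z", "actor": "bob", "role": "analyst",
     "action": "run_report", "units": 2},
    {"ts": "2014-03-02T02:10Z", "actor": "provider-support", "role": "admin",
     "action": "add_user", "target": "mallory", "units": 0},
    {"ts": "2014-03-02T02:15Z", "actor": "mallory", "role": "analyst",
     "action": "export_data", "units": 4},
]

# Constructed billing statement from the provider: units charged per role.
BILLING = {"analyst": 12, "admin": 0}

ACCOUNT_ACTIONS = {"add_user", "remove_user"}  # assumed action names


def usage_by_role(log):
    """Total the units recorded in the audit trail for each role."""
    totals = defaultdict(int)
    for event in log:
        totals[event["role"]] += event.get("units", 0)
    return dict(totals)


def billing_mismatches(log, billing):
    """Roles where logged usage and billed usage do not tally: {role: (logged, billed)}."""
    logged = usage_by_role(log)
    return {role: (logged.get(role, 0), billing.get(role, 0))
            for role in sorted(set(logged) | set(billing))
            if logged.get(role, 0) != billing.get(role, 0)}


def unknown_actors(log, members):
    """(actor, role) pairs seen in the log that the organisation never placed in that role."""
    return sorted({(e["actor"], e["role"]) for e in log
                   if e["actor"] not in members.get(e["role"], set())})


def foreign_account_changes(log, members, admin_role="admin"):
    """User add/remove events performed by anyone other than the organisation's admins."""
    admins = members.get(admin_role, set())
    return [e for e in log
            if e["action"] in ACCOUNT_ACTIONS and e["actor"] not in admins]


if __name__ == "__main__":
    print("billing mismatches:", billing_mismatches(AUDIT_LOG, BILLING))
    print("actors outside org roles:", unknown_actors(AUDIT_LOG, ORG_ROLE_MEMBERS))
    for e in foreign_account_changes(AUDIT_LOG, ORG_ROLE_MEMBERS):
        print("account change not made by the organisation:", e["ts"], e["actor"], e["target"])
```

In the sample, three billed units have no matching audit entry, and one account was created by a provider-side identity rather than by the organisation, which is the situation the forward-trust and account-control points are meant to rule out.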

Simplifying and rationalising standards

It is very easy to be standards-compliant – there are many standards, so it is easy to find one that meets an organisation’s needs. However, when it comes to identity, this means there are lots of mutually exclusive or incompatible standards. There are also standards that address every aspect of identity management. The trouble is that people keep reinventing the wheel, not because it does not work, but usually because it does not offer them a commercial advantage or because ‘it wasn’t invented here’.

There will always be too many standards and given the number of standards bodies who sell standards, there will always be competition to generate the most widely adopted standards. Standards bodies such as ISO provide some excellent standards, but when it comes to identity management and identity assurance, there are lots of free standards that can be used. One of these sets of standards from W3C, PaySwarm, has already been mentioned in Section 3, and this is one that the IAWG thinks has the potential to be of major importance in the future.

Annex 8 contains some suggestions for standards to consider in different areas of identity management.

Biometrics: friend or foe?

Biometrics linked to identity assurance has been an important topic for many years. Highly secure systems are often based on the old adage: what you know (a password), what you have (a token) and what you are (a biometric).

The military and governments have used biometrics, such as iris scans, to access secure areas for a long time. Recent developments have seen biometrics implemented on many consumer devices such as smartphones, including facial recognition on the Sony Xperia and fingerprint recognition on the Apple iPhone 5S.

Static credentials can be compromised quite easily, more so than biometrics. They can be captured and replayed with a keyboard logger or camera and, if they are something like a really complex password, they are likely to be written down. Biometrics on the other hand are very convenient, cannot be forgotten, and most of the time they provide a very simple user interface that is much faster to use than long passwords. Once a biometric is turned into a template, it becomes unique and although it is technically a static credential, a template from one system is unlikely to work on another.

One aspect of biometrics to consider is that it is not ‘an identity’; it is only a credential. If biometrics are considered as a replacement for a password and used as such, the concept works. If it is considered as more than this, it may cause problems.


The second aspect is that biometric signatures are not 100 per cent reliable. The error rate with biometrics can be quite high, for example facial recognition is sensitive to lighting, and fingerprint readers to contamination such as oily fingers or cuts. Any biometric system has to have a method of exception handling that is strong.

The third aspect is the most important and also the most misunderstood. Unlike a password, biometrics cannot be replaced. Once a biometric signature is compromised, it will remain compromised. This means any biometric system needs a good enrolment process and should use capabilities such as ‘liveness’ detection to prevent images or counterfeits being used in place of real biometrics.

Most attacks on biometric signatures are lab-based because they require significant skill or resources to enact. It is normally not viable to attack biometric systems, which is why the military and governments use them. While iris scanners can be compromised with a contact lens etched with the iris pattern of an authentic user, this is not something even a skilled hacker is likely to be capable of.

There are also other aspects of biometrics that are unique among credentials. For example, some regulators treat them as personal information, and there may be health, social and cultural issues to address in association with their use.

On balance, if biometric signatures are used properly, that is as a replacement for long complex passwords, they are a good thing and significantly reduce the human error factor while improving convenience. However, if they are expected to be any more than a good credential they may fail to meet the demands.


5 Conclusions

The governance of identity on the internet is now accepted as a key mainstream issue.

Internet users, needing to assert their identity for a transaction, behave as users do in most situations. They will frequently forgo both security and privacy for speed and usability. Only if a transaction is sufficiently important to an individual (for example a transaction with a bank or with government for an entitlement) will they submit to a complex (and secure) proof of identity to complete the transaction. Ideally individuals like to use a small number of asserted electronic identities (for some people this could even be one identity) for the range of transactions they perform on the internet. However, there is no clear consensus about the degree of security needed for eidentity in different situations, because these are individually context sensitive.

The value and ownership of identity attributes are also becoming mainstream issues as individuals realise two things:

• Identity has value (it is becoming a new asset class) and many businesses, such as Google, are making money from personal data attributes.

• Personal data attributes are being used both to discover identity without the individual’s consent (invading privacy) and also to assert identity for some transactions.

Education is needed for people to realise the value of their identity and the associated digital attributes. There also needs to be greater understanding of the differences between identity for ecommerce and identity for national entitlements, security and border controls.

It is important to maximise the value of the internet for individuals, society and businesses. In order to do this, it is necessary to:

• maintain trust in the use of the internet;

• keep the internet open, as a global resource, resisting calls for Balkanisation, following the NSA surveillance revelations;

• ensure that the new ways of interacting and doing business, such as mobile and cloud computing, are included simply and securely in eID frameworks;

• ensure that simple, usable identity assurance schemes (which may include biometrics as credentials) are fit for their defined purposes and can be linked together when appropriate;


• educate people to enable them to be as safe as practicable in their contexts of use, in ways that they understand. This includes educating children from the time they first go online about issues and risks associated with putting personal data online, including privacy and the impossibility of eradicating all personal data in the online world. Users need to understand that security supports and is an enabler of privacy;

• protect the vulnerable from harm associated with discovery of their identity online;

• maintain a mature debate on the issues of privacy, anonymity and traceability that is not emotive and recognises the needs of different contexts (cultures, sectors, jurisdictions and transactions). Privacy, anonymity and traceability are distinct issues. If anonymity is taken as ‘the ability to interact online without being compelled to reveal one’s identity’, it is a desirable thing that surveys and research have shown most people support. However, if individuals or groups use anonymity to behave criminally (whether it takes the form of harassment and bullying, fraud and theft or extortion and terrorism), it is vital that governments ensure that these individuals or groups are prosecuted;

• have a wide-ranging debate on the ethics of big data aggregation, analytics and use by governments, NGOs and businesses that ensures societal and individual benefits are achieved with the minimum of harm through the inclusion of personally identifiable data in those data sets. This is particularly important in connection with the collection and analysis of massive open data online.


6 Recommendations and engagement in 2014/15

In order to make progress on internet identity governance it is essential that a true multi-stakeholder approach is adopted. This is best achieved through the UN IGF, and it is essential to pursue involvement of players from all aspects of at least two dimensions:

• The cultural dimension, since different cultures’ understanding and reaction to privacy varies. Culture here does not mean merely Asian, Western European and so on, but refers to a more nuanced understanding of social norms.

• The sectoral dimension, for example civil society, academia, commerce, industry, government, judiciary and so on.

During the coming year, the IAWG will continue its work in the areas of identity assurance, identity management and identity governance related to the use of identity on the internet. There are still many problems to be addressed. Identity is not only a very important subject that underpins much of people’s trust and interactions; it is also very emotive when it comes to balancing different requirements in different contexts.

When members of the IAWG talked to W3C at the UN IGF 2013 about the new open standards that they are developing, W3C’s greatest concern was the difficulty in engaging with legislators and regulators. It is important that UK and EU legislators engage with this initiative to ensure it fits in with acceptable data protection concerns as expressed in the EU COMPACT principles described in Section 3 and with the UK financial regulatory regime.

In 2014/15 the IAWG will be:

• engaging with the W3C initiative, starting at a meeting in Paris in March 2014;

• ensuring that the internet remains open and is not Balkanised in response to the NSA security revelations;

• pressing for the ethical scrutiny of big data collection and analytics by governments, NGOs and businesses;

• examining how to handle mobile and cloud-based eidentity in a way that is both usable and secure. This includes how to register a person remotely with an appropriate level of trust for their transaction;

• looking at ways of using liability models to build trust in online identity governance and expanding global trusted frameworks and keeping them interoperable;


• examining whether the way forward for online identity is a trickle down from global commercial solutions (such as those connected with payments and mobile telephony systems) to the citizen rather than government schemes;

• exploring how valuable identity information is and how to minimise ‘dual use’ of identity attributes;

• continuing discussions around the tensions between anonymity, traceability, privacy and security;

• debating in which situations ‘freedom to’ trumps ‘freedom from’.


Annex 1

The IAWG and its activities in 2013 and proposals for 2014

The Identity Assurance Working Group (IAWG) members attended many conferences and seminars on identity assurance in the internet during 2013 and made formal presentations on behalf of BCS, The Chartered Institute for IT, at the conferences listed below:12

• Infosec Europe, April 2013

• EEMA Conference, June 2013

• Childnet Summer Camp, August 2013

• UK Internet Governance Forum, September 2013

• UN Internet Governance Forum, October 2013

• Parliament and Internet Conference, October 2013

• BCS/EEMA Conference, November 2013

These appearances were made as interactive as possible to elicit feedback on the questions raised from UK and international perspectives. The questions asked in 2013 are covered in the main text.

The IAWG will continue to progress this work in 2014. The aim is to join in the W3C workshop on open standards for identity and payments on the internet in March 2014. Then, during the year, IAWG members will run workshops with EEMA, give workshops and presentations at both UK and UN IGF events in 2014 and present at the Parliament and Internet Conference. Presentations will be made at other conferences and events and the IAWG will produce position papers and other material to feed into the ongoing debate on the topic of trusted identities on the internet.

In addition the IAWG members will help with the BCS Cyber to the Citizen Campaign, which was launched in January 2014, in association with Get Safe Online, the National Fraud Authority and Childnet. This will be the main focus for educating the public on identity assurance issues on the internet. The BCS Security Community of Expertise also publishes advice on security in all interactions on the internet (view the BCS Top Tips guide).

The main focus for the IAWG is covered in the Recommendations and conclusions section in the main body of the report.

12 Links to presentations and verbatim text of these conferences and workshops are available at http://policy.bcs.org/content/reports-research-papers-and-presentations


Annex 2

Infosec Europe: Preventing identity theft in the digital age

Three members of the IAWG, Andy Smith, David Williams and Peter Wenham, spoke at InfoSec 2013 on three subjects related to identity assurance that are relevant to organisations, especially those that allow use of corporate machines to access the internet. However, the talks were also relevant to individuals using both corporate and personal devices to access the internet.

Andy Smith started with an introduction to the risks of online identity use, identity theft and fraud. This covered how identity theft in the physical world can translate to the online world, because many online identities are initially based on, or corroborated by, physical identity documents, such as passports and bank cards. The ability to steal physical identity information can lead to the creation of fraudulent online identities or the misuse of online identities already created by the legitimate identity holder, such as misusing a bank account or credit card.

The second area covered was the risk both to individuals and organisations from malicious code, especially keyboard loggers. The examples described showed how filling in online forms, such as application forms, when keyboard loggers are installed on the machine could result in large amounts of personal information being captured and sent to malicious entities. This method of obtaining personal information bypasses the protection offered by encrypted connections and most other controls, other than up-to-date antivirus software.

People often think that the biggest threat is the capture of static credentials, such as passwords. This is a serious threat and is a key reason why banks now use one-time passwords or other changing credentials. However, research has shown that the use of keyboard loggers that capture someone’s application for a bank account, driving licence, passport and so on can be a much higher risk because enough personal information can be collected to apply for other accounts or even steal the identity completely.

Identity theft is a growing problem and has hit the press a number of times recently, including Israel’s national intelligence agency, Mossad, using counterfeit passports to travel. While the new UK passport is incredibly difficult to counterfeit, this is not the case with all passports or identity cards. It is very easy to capture and replay information online. BCS is therefore looking at how online identity can be better protected, especially during the initial registration processes.

The key message was that good antivirus and internet firewalls should be installed on every personal device. If people do not trust the machine, for example in an internet café, they should not enter personal information or credentials such as usernames and passwords. They must also remember that corporate machines may record information for audit purposes and online credentials may inadvertently end up in audit files.

The third area covered was access to information on stolen machines or where machines and hard drives were sold and information from them was recovered. The recommendation was to use the built-in capabilities of Microsoft Windows and most other operating systems and use a fully encrypted drive. With Windows 7 Ultimate and later versions, for example, BitLocker is included and can give an encrypted filing system that can make use of two-factor authentication. This means that, if a machine is stolen, it is improbable that someone could access the information on the drive. The main reason for using an encrypted filing system is that basic access control does not protect data on a computer. If someone is after the data they will normally take the hard drive out of the computer, attach it externally to another computer and read all the data. This completely bypasses any credentials or logon to the computer other than an encrypted filing system.

The topic of hardening the computer was also covered. Hardening means removing all unused software on the machine and disabling any services that are not needed, then ensuring there is good antivirus and a personal firewall, and finally making sure that there is a secure access control with either a strong password or preferably stronger authentication, such as biometrics or token – even the Apple iPhone 5S has a fingerprint reader now.

Another aspect covered was social engineering. In this context, social engineering is using email and other attack vectors to obtain personal information. Too often people will give out personal information that can then be used against them. The most effective way of avoiding falling victim to social engineering is to improve people’s awareness of the risks from psychological manipulation.

The final aspect Andy covered was human error. The biggest threats to personal information within large organisations or online are apathy, complacency and stupidity. Too often personal information gets compromised because someone loses an unencrypted memory stick or does not protect credit card information properly on an ecommerce website. If you don’t look after your information, someone else will.

David Williams then spoke on personnel issues and insider threats. The biggest issue here is establishing trust in staff. The first point was that organisations often do not realise how exposed they are. They think that, if they outsource activities, they can outsource responsibility. However, as was clearly demonstrated when two disks of personal information went missing from HMRC, it was HMRC that ended up on the front page of the paper, not TNT who actually lost the disks. And it was down to apathy that the disks were not encrypted and that the transfer was via removable media rather than performed over a secure network.

The second example David gave was that of credit cards being cloned even by reputable organisations, or rather the people who make up the organisation. If the organisation does not perform good background checks or does not effectively monitor and audit staff activity, then the wrong people can end up working for the organisation. These can range from opportunist thieves to malicious individuals with a criminal past.

The third point addressed was process. Complacency is all too common in many organisations with people bypassing processes and taking shortcuts where they can. This can lead to various issues including embezzlement and fraud. If things do go wrong and staff feel that they will suffer if they report things, they will cover it up. It is much better to have a no-blame culture and get things reported and sorted when there is an accident or mistake. However, this needs to be balanced against holding people accountable when something is clearly premeditated criminal activity. It is much easier to sort things out the next day rather than when it finally comes to light weeks or even months later.

Due diligence is critical when employing people. There needs to be a fair and unbiased policy for performing background checks. The UK Government uses the HMG Baseline Personnel Security Standard (BPSS), which can be freely downloaded from the Cabinet Office website. There are also other standards such as British Standard 7858. Background checks must be rigorous but must not be unfair or unnecessarily intrusive. The key thing to establish is ‘Is this person really who they claim to be?’

There need to be policies and procedures so that people know what is expected of them, but it is also useful to explain why certain processes are required. People are more likely to follow processes fully if they understand why they are necessary. Auditing the processes and making sure they are followed are also key to this. Again, people will follow processes more effectively if they think they may get caught out.

One other aspect is how to address problems to do with personal information if something happens. Good remedial action plans are required, including repair and redress processes. Data protection compliance is much easier to evidence if there are clear processes for handling personal information and ensuring that it is properly protected and only available on a need-to-know basis.

The other thing to consider when something goes wrong is the question of who is liable for what. Companies have their reputation to consider; for example organisations such as Amazon and eBay would not be successful online if people did not trust them to keep their personal information safe. However, it is interesting just what the terms and conditions of some websites cover. Most people never read these, but many websites exclude liability for loss of personal information and other things that can go wrong, and they often process information outside of the EU.

Organisations such as credit reference agencies rely on others to provide them with information. If the information is wrong, they will just try to pass you on to the provider of that information, who may in turn pass you on to their provider. Sometimes it can be quite difficult to work out who is responsible for wrong information and therefore ultimately liable for fixing the problem. At a minimum this can cause the individual hassle, at worst it can seriously damage their standing in society.

A big issue with wrong or false information is that the internet never forgets. It is often impossible to unlearn something or to have access to information revoked. Thus reputation damage from incorrect or false information is often hard to undo and restitution hard to achieve. There have been a number of cases where personal information has been exposed that has damaged a person’s reputation or even caused them to be subject to criminal investigation, only to be proven innocent after months of heartache and stress. This is a very difficult problem to resolve in today’s real-time, connected world.

Legal redress can also be extremely difficult if not impossible when dealing across international boundaries. There is legislation in the UK and Europe such as the Data Protection Act, but it can only be enforced within the EU. When using websites outside of the EU such protection may not be available and if information is misused there may be no form of redress.

The method by which online identity is normally established is to use government or other assured real-world, physical identity documents, such as passport, driving licence or bank information. There is still no real method of establishing an identity over the internet without some form of corroboration using physical identity documents. However, using utility bills and some other forms of document that are easily forged does not offer any level of assurance, unless the account existence and personal details can be corroborated with the utility company.

The IAWG is researching methods that could be used to establish online identity remotely. The group has put a lot of effort into this area, but has as yet been unable to find an effective method of establishing identity over untrusted infrastructure (the internet) where the person is in an unsupervised environment (e.g. cyber café).

Online, people do not need to use their real identity; they can have many different personas for different activities. For example someone can have a persona for Amazon and another for eBay, and yet another one for, say, World of Warcraft. The only thing internet companies really care about is that they get paid for the goods they sell and that the goods are delivered to the legitimate person who ordered them. Linking the address for delivery with the address for payment is one way to ensure this and methods such as the eBay and PayPal rating schemes increase trust. They do not need to know the real name of the person or the account details, though they may require it in the credit card or bank details.

Even if PayPal is used, only the email address is required for payment – the real payment identity is only visible to PayPal. However, it should be noted that this is not an anonymous transaction, because those with the right to know can still trace the transaction to the real identity. However, the information that is visible to most people in the ecommerce website is pseudo-anonymous.

Finally the checks on other rights, in addition to checks on identity, such as checks on the right to work, criminal record, education and security clearances that are required for government work are also important. All of these are based on user identity; thus, if the identity is incorrect, the subsequent checks on right to work or criminal records will be incorrect.

Peter Wenham outlined the five key findings from the previous year and how people’s understanding of the issues had changed during the year.

The first aspect was the balance between security and privacy. The IAWG had gone into the year asking how privacy and security balance against each other. After presenting at various conferences and following research and online discussions the group concluded that the balance is not between security and privacy. Security and privacy in fact overlap quite a bit and are mutually supporting. The balance lies between security and anonymity. One problem is that many people regard privacy and anonymity as the same thing. Anonymity gives people privacy by hiding information. However, privacy does not necessarily provide anonymity, though it should to anyone who does not have a need or right to know the personal information. While anonymity does not support online activities such as ecommerce, privacy does. So, the question for this year was ‘Is anonymity a bad thing and how does it balance with security and privacy?’

The second major topic was whether a liability model, such as the one the finance industry uses to make credit cards work worldwide, could be used for online identity. The question was whether a trust model could be built in such a way that multiple identity schemes could each have mutual trust in such a way that any individual enrolled in any scheme was trusted by other schemes. Theoretically, this is perfectly feasible, but is likely only to remain possible within global industries or communities that already have well-established trust frameworks and agree to detailed cross-border contractual and liability frameworks, such as the global banking or telecommunications industries.

The next topic was the use of identity information as currency on the internet. There are many things that appear to be (or are marketed as) free on the internet; however people are effectively paying for them using their personal information. Identity attributes such as email addresses, age, address and so on are used as currency on the internet to ‘buy’ goods and services. This information is then used for targeted marketing and other activities.

In general, using information as a currency on the internet can be a good thing, because it keeps many simple but useful services free or low cost. However, it should be done with care and much better user awareness is required about how people should protect themselves. Again the key conclusion was that if people do not trust the website, they should not share personal information.

There are a lot of incentives to go online, but as more people use the internet for entertainment and shopping, the criminal elements of society are following the money online. After a steady increase in identity theft over the previous 10 years, 2009 saw an almost 100 per cent increase and it has been getting worse ever since. Identity theft is used to perpetrate many different crimes, with the worst two being non-delivery fraud and auction fraud according to IC3 figures.

Annex 2 InfoSec Europe

The final finding was that there is no grand, universal scheme that would work on the internet. There is no single identity solution because there are too many stakeholders and vested interests for one scheme to work. A scheme based on small steps towards a federated identity solution is the only practical way forward.

The internet is not owned by anyone; it is a federated model and all the stakeholders should strive toward principles such as mutual trust and no trans-boundary harm. Anyone trying to control the internet will ultimately isolate themselves and cause themselves more harm than good. Many cyber laws have damaged the economies of the countries they seek to protect, driving business to other countries. How people are identified, how they interact and how they are held accountable for their actions are all very difficult problems to understand, let alone address.

Finally, the questions that were set for discussion for 2013 were covered. These were:

• Is the balance really between anonymity and security?

• Can online identity be based on a liability model?

• How is identity used as currency on the internet and how can risk be managed?

• What incentives are there to go online?

• How do you protect the vulnerable?

• How can small steps be made rather than a grand scheme?

• Is shared sovereignty a way forward for identity governance on the internet?

In the discussion with the workshop attendees the main points included questions such as ‘if banks become the main provider of digital ID, how would this relate to those who do not have bank accounts or other forms of financial footprint?’

The discussion centred around needing to support those in developing countries and on methods for having digital identities that were related to something other than financial models. An example given was M-Pesa in Kenya, which links the person to their mobile phone account and uses the phone for payments.

Another question raised was how to protect the vulnerable. All too often people do things online that they would not do in the physical world, simply because they do not understand the risks and do not realise that something they do today may be used against them in the future. This was something the IAWG took away for further investigation.

Another point made was that people have always done stupid things, especially when they were young. However, whereas in the 1960s people might embarrass themselves in front of their parents or friends, now, with the internet, people’s social circles can be much larger and silly actions can even go viral. Effectively, today, people can embarrass themselves in front of the world, and it is remembered forever.

Overall the workshop was useful and the feedback from participants was supportive of the conclusions, but they also gave the IAWG new areas to think about.

Annex 3

Digital Enterprise Europe 2013: Managing identity for the future

At this meeting Louise Bennett, John Bullard and Peter Wenham ran a workshop entitled ‘The identity needs of the digital economy’.

The value and ownership of identity attributes is becoming a mainstream issue, centring around two aspects. First, identity has value (it is becoming a new asset class) and commercial interests are making money from personal data attributes; and second, personal data attributes are being used both to discover identity without the individual’s consent (invading privacy) and to assert identity for some transactions.

One of the key points that came out of this workshop was that education is needed for people to realise the value of their identity and the associated digital attributes. There also needs to be greater understanding of the differences between identity for ecommerce and identity for national entitlements, security and border controls.

It also found that internet users, needing to assert their identity for a transaction, will frequently forgo both security and privacy for speed and usability. If a transaction is sufficiently important to an individual, that person will submit to a complex (and secure) proof of identity. Also, if a secure identity system is forced on an individual to perform certain classes of transactions (e.g. with a bank or with government), individuals will follow it. Ideally individuals would like to use a small number of asserted electronic identities (for some people this could be one identity) for the range of transactions they perform on the internet. However, there is no clear consensus about the value of different transactions because these are individually context sensitive.

The following points of relevance to identity on the internet were noted by the IAWG participants (not in priority order):

• Identity assurance on the internet has got to be a time saver and not a burden to be acceptable. Do not underestimate the importance of convenience. If it’s not convenient, John or Jane Doe won’t play.

• Will new apps help people to use secure privacy enhancing ID management strategies on the internet? Do any exist?

• The World Economic Forum has defined personal data as a new asset class.

• Trusted ID can be classed as a by-product of attribute exchange (when being derived from attributes as opposed to a root identity). Matching data sets are essentially an inefficient permanent ID scheme with serious data protection challenges.

• Mydex, one of the UK identity providers (IDPs), has found that it is very hard to get individuals to sign up to their system. They have concluded that they need to use companies/organisations to persuade people to sign up to an ID they provide. Mydex is an example of how the individual can take control of their eID.

• BYOD is now ‘Bring Your Own Identity’.

• IDP set-up costs are very high, but delta costs per new user are low.

• Access permissions are the hard part of new ID schemes and ID scheme maintenance.

• The draft EU ID directive/regulation is throwing up all sorts of privacy and permissions problems and these will probably sink it.[13]

• The problem with the UK ID scheme for citizens is widely seen as the lack of a viable commercial model.

• Jumio.com have got an interesting credential management platform. It is used by the likes of Airbnb.

• National ID issues (e.g. for entitlements and border control) have blurred ID issues for ecommerce.

• Biometric ID failings (i.e. false positives and false negatives) tend to be viewed (wrongly) by both providers and users as more serious/suspicious than other ID failures. This issue can arise over time as a person’s record is updated by various agencies and so the record drifts away from the original reality.

• STORK 2.0 was mentioned more than a few times in a number of presentations. However, one presenter stated that it is seen as being too simplistic, when based on the Belgian experience, which is atypical.

• The API economy is exposing businesses to third-party IDs.

• Identity is a by-product of an attribute exchange > Web 3 > API.

• Old world > certifying authority, ID attributes, relying authorities, subscribers.

• New world > identity provider, ID attributes, service provider, users.

• ID should always be context sensitive.

13 Post-meeting note: The Snowden affair and Merkel’s intervention could change this.

Annex 4

UK IGF: Identity and trust workshop

This workshop was presented by BCS and covered a number of areas related to the work of the BCS Identity Assurance Working Group (IAWG). The speakers were Andy Smith (BCS), John Bullard (IdenTrust) and William Heath (Mydex).

William Heath opened with the hypothesis that people are seeing the emergence of a new personal data ecosystem, one in which an individual’s control of their personal data will play a significant and valuable role. This will have many benefits, ranging from new business opportunities to protecting human rights better. To do this we need incentives for three sets of actors: the individuals, the organisations that provide services over the internet and the new breed of application developers such as those writing applications for iPhone and Android. Together they will form the ecosystems that will allow individuals to protect and manage their information.

At the moment the move to ‘digital by default’ is being driven by cost reductions and providing better services. In order to do this the organisations need to be able to prove that people are entitled to the services they are asking for through some sort of attribute verification. Coupled with this, application developers want a predictable environment in which to create their applications. One method of doing this is to use a trusted third party to provide identity provision, linking the individual to the organisations via new applications and tools while ensuring privacy and data protection under the control of the individual.

John then looked at trust and liability. He defined identity as the absolute certainty of knowing and being able to check and validate that the person asserting the identity really is the person they claim to be.

He explained that in the global world of the internet it is not possible to have a single organisation that would provide identity services or a guarantee of trust for everyone. Third parties can provide identity assurance, but usually only within either sector or national boundaries. The requirement is to enable these to interoperate globally.

The finance industry has been doing this for many years. For financial transactions to work, it has to be sure of who all the parties are in a transaction.

This capability, which is currently confined to one sector, could be used to provide the same capability for use of identity in any other transaction. This would require the trust model and liability model that is already in place today to be expanded in scope to cover other areas where trust in an identity is required.

John emphasised that this would have to be done via the regulated financial industries because they already have the legal and regulatory models in place and can implement the necessary validation and liability models for use of identity in the future. This would include any regulated financial institution being able to validate an identity to any relying party via a regulated financial institution that the relying party trusts.

This does not need a global regulator; it only requires that the regulated bodies trust each other, which they do today. New rules and governance structures are necessary to take this model into the internet era, and to cover not only financial transactions but also other transactions with a liability model based on assured identity.

Andy Smith then talked about the fact that a person’s identity attributes have value. Even though people think they are getting free ‘stuff’ on the internet, they are actually paying for it by giving away identity attributes and information about themselves. These can then be used for targeted marketing, sold or data-mined for various purposes. The information about who people are, and what and where they buy, is collected and used to support business on the internet. If large organisations did not have access to such information to drive their business models, they would have to find some other way of funding the services and software they provide on the internet. A simple example is software for Android smartphones, where there is usually a free version, which contains advertising, and a paid-for version, which does not. Other examples are social media websites and search engines.

Andy stressed the importance of ensuring that data protection and privacy do not become so onerous that they disrupt funding of the internet, but equally that collection and data mining of personal information does not invade people’s privacy or become uncontrolled. In the worst case such activity could become dangerous with people being targeted for nefarious activities.

He made clear that this is a balancing act and that, at the moment, it is not in balance. If large organisations that provide popular services cannot collect and sell personal information or use it for targeted marketing, those services would either become expensive or disappear. On the other hand, there are numerous examples of forms used to collect information online that show that organisations are collecting far more personal information than they need in order to offer their services. This counters the principles of the UK Data Protection Act and the right to privacy.

Filling in forms online with lots of personal information can be dangerous if people do not have a machine with good antivirus software because a keyboard logger on the machine could collect that information and send it to someone who could then steal or misuse this identity.

The final point covered concerned the issues around aggregation and data mining: with electronic databases being easy to search and cross-correlate, it becomes much easier to build up a picture of someone’s life or even find information about them, such as their name and address, from other attributes about them.

Andy then introduced the discussion section where questions were taken from the audience.

One participant thought that some of the statements made during the talks, such as ‘if the product is free, you are the product’ were a bit sweeping. The example given was that the BBC news website is free and does not collect personal information or include advertising. However, the BBC news website is not actually free because it is paid for by the TV licence fee, which answered the question about why there is no advertising on the website.

Another member of the audience said that collection of unnecessary information is already covered by data protection legislation and no more laws were needed; just better enforcement of the current ones. William agreed, provided that people’s rights and protections are fundamental to this.

The next question focused on online jurisdictions and the models that had been discussed. If lawyers got together and agreed a model, how would this work? John explained that it would be based on the laws of contract, with different layers providing a local perspective for the users or organisations, but covered by a global contractual model, similar to those currently used by Visa and Mastercard. The only contractual relationship the person would have would be with their identity provider.

There was a discussion on the UK Government GDS identity trust framework, which is a good concept and has gone a long way to solidifying the balance between provision of assured identity and provision of only those attributes needed for a transaction. This reduces secondary use of personal information especially where the ability to do so is hidden in long complex online privacy statements.

The next question came from a participant who used to work for a newspaper. They explained that, when people signed up for an online subscription, all of that data was collected and sold off to marketing companies. This meant that each person’s subscription data was worth about 12 pence. The question was whether there was a way to split this value between the organisation and the individuals. William, who also worked in this area, said that the subscriber’s primary motivation was to have the subscription. It was possible to share the value. For example, a company in the USA tried this as a business model, but it did not work, because once individuals realised their data was valuable they wanted to retain the whole value. William also pointed out that the value was not just about the personal information attributes, but also about a person’s preferences, what they like, where they shop and so on. This information has value for targeted marketing.

There was then a discussion on supermarket loyalty cards and the pros and cons of these. The perceived advantage of such loyalty cards was that people know who they are sharing the information with and for the most part what it is being used for – they expect targeted marketing from the supermarket.

There was a short discussion on the use of new application types such as heart rate monitors that can record a person’s heart rate over extended periods and store this information online. This information is also being sold off, supposedly as anonymised data, but in some instances personal attributes have been included with the data sets. These allow, through data mining, the individual to be identified. These are the sorts of accidental secondary uses that need to be better controlled.

Andy then looked at the issue of finding the balance between security, privacy and anonymity. The point was made that security and privacy are actually mutually supporting and are both good things. It is anonymity and its ability to support nefarious activities that poses difficulties. Andy pointed out that the underlying problem is that there is too much personal information on the internet and that, once something is published, it is virtually impossible to redact or remove it. This means the internet is a huge data warehouse that can be mined. He stated that online privacy needs to be improved, although that does not mean that everything needs to be anonymised.

Anonymity and privacy very much depend on the transactional context, and more debate is needed to provide a more nuanced view of the context around the use of anonymity and privacy and how they interrelate.

It was also pointed out that attribution needs to be taken into account. Anonymity and attribution are interrelated. Being able to attribute an action to a person may be necessary in one context such as solving a crime, but this may not be needed in general use, in which case the attribution could be anonymous.

William said that a simple proposition should be put forward to UN IGF that users should have more control of their personal data and that governance of the internet should address this specific issue. This does not stop businesses exploiting personal information, but it would be more under the control of the individual.

Andy made a comment about the scale of the internet and the fact that information is virtually never deleted. This makes aggregation and data mining all the more effective and dangerous. He asked the audience for their views on the ability to withdraw consent. Everyone agreed that this was a good idea, but that the implementation would be very difficult.

There now exists an organisation-centric structure on the internet, which has been built up over many years. It is necessary to start thinking about user-centric data models and to move to a more balanced view, with individual-centric aspects being seen as just as important as organisational aspects. While it is possible to get copies of all the information held about oneself, there is currently no way to enforce or, given the copies, caching and archiving, to realistically ensure the removal or redaction of personal information online.

The discussion moved on to the ability of online organisations such as social networks to change their privacy policy without the user’s consent. For example, one social network that Andy had been a member of kept changing the privacy policy, and the last change meant that they owned all photos people posted. The only choice other than agreeing to the policy was to remove his account. The problem is that most people tend not to read the policy and will not realise that all of their pictures are now owned by the social network. Most teenagers may not care about this now, but may in the future when such pictures impact their livelihood or ability to get a job.

There is a dichotomy for some organisations because they are stewards of personal data on the one hand, but have an obligation to maximise profits for shareholders on the other, which can lead to a conflict of interests. This means that, even if they have the best intentions, they may in the future be forced to sell the personal information as an asset of the organisation.

The last point made was that privacy can be thought of as security by obscurity because for the most part it prevents access to the information. However, where access to identity is required, such as for law enforcement, it can be obtained. Most legislation in this area, such as the UK Data Protection Act, has clauses to allow for this. This also means that anonymity online is extremely difficult to achieve because everything from the end IP address onward is recorded somewhere and can be obtained with the relevant authority.


Annex 5

8th UN IGF: Building bridges – Enhancing multi-stakeholder cooperation for sustainable growth and development

The IAWG organised this workshop with Keechang Kim of OpenNet South Korea.

The background paper for the workshop summarises the issues to be addressed at the UN IGF and can be viewed here.

Louise Bennett, Andy Smith and Ian Fish from the IAWG attended and spoke. The other panellists were Keechang Kim (OpenNet South Korea), Sarah Wynne-Williams (Facebook, USA) and Professor Hong Xue (Professor of Law from Beijing Normal University). Louise Bennett also assisted Childnet with their workshop on anonymity on the internet.

The full transcript from the workshop can be found at http://www.intgovforum.org/cms/2013-bali/workshops2013/reports-with-transcripts and http://www.intgovforum.org/cms/2013-bali/igf-2013-transcripts/1513-ws19-security-and-governanace-of-identity-on-the-internet

The following are new points raised in the BCS workshop and in other sessions/products seen at the UN IGF meeting that might change/develop the views expressed in the BCS Aspects of Identity Yearbook 2013–2014. The first three are the most important, but the rest are in no particular order:

• There remain strong calls from the majority of stakeholders to ensure that anonymity on the internet is retained (defined as the ability to interact online without being compelled to reveal who you are). This was supported by 86 per cent of the young people who responded to the Youth IGF Project Global perspectives on online anonymity. The IAWG has also had a similar response in all the workshops they have run over the last three years. OpenNet South Korea, who jointly sponsored the BCS UN IGF workshop this year, won their case against the South Korean Government’s 2007 regulatory regime requiring ‘mandatory verification of user identity’ in online services in the South Korean Constitutional Court in August 2012, when it was declared unconstitutional. UK legislators should defend this right to anonymity.

• Big data analysis over the internet is a growing activity raising concern. This is being carried out by both governments and the private sector. The IAWG has warned that identity discovery through data aggregation is something that internet users need to be aware of and they should be asked to give consent to the use of their personal data online. Ethical scrutiny of both the collection and analysis of massive open data online is needed so that it can be used for social good. Just because it is possible, it is not necessarily ethical, but it is important to control these risks and not forgo the opportunities to use such data for humanitarian reasons (such as to track victims of disaster as in Haiti, or use internet performance monitoring data to identify such things as patterns of censorship in repressive regimes). UK legislators should lead discussion on the ethical issues on the collection, anonymisation and analysis of big data online. There are problems deciding who is responsible for shared data in all contexts (including humanitarian relief): Governments? Telcos? NGOs? ISPs? App developers? Some key issues are data granularity and the retention of metadata.

• The World Wide Web Consortium (W3C) is currently developing an infrastructure for web identity and payment standards (Payswarm) (including automatic payment of taxation in online transactions) that has the potential to be a major disruptive force that could encourage many new business models and enable the unbanked and digitally excluded to benefit from online services. UK legislators should engage with this initiative to ensure it fits in with acceptable regulatory regimes embraced in the UK, especially in the London financial centre.

• When biometric data is compromised and gets into the wrong hands, it is much more difficult to reset than something like a password. Use of biometrics for identity can potentially cause more serious problems than those it solves. Storage and protection of biometric databases is really important. You should think of your biometric as your user name and not your password.

• Governments and regulators are not sufficiently involved with leading edge technology companies producing new secure technologies for assuring identity on the internet. Should companies build and deploy new products, or wait years while regulators in each country play catch up?

• Korean experience of using national identity numbers to access political discussion websites resulted in a ‘walled-off debate’ because foreigners and Korean speakers outside the country could not get access to the websites and add to the discussions.

• You should allow ambiguity and ‘messiness’ in assuring online identity, so that access can be nuanced, and different means of assuring your identity can be used in different circumstances. Online identity should be a diverse fluid concept that is interaction dependent.

• There are arguments, in the cases of many internet services, for not having any authoritative identities on the internet, but relying on identities being formed over time from the accumulation of interactions with many online providers. This prevents the strong, privileged and powerful from exerting undue influence. This identity could be different from your offline identity. This might be particularly useful for companies wanting to interact globally (like Facebook), but not wanting to rely on each and every national identity. They could determine age verification, for example, by the length of time a person had accessed various services.

• Facebook made a clear decision that they wanted a real-name culture and for people to interact as their authentic selves on Facebook. They wanted their users to feel comfortable and secure in the Facebook community with their online world mirroring their offline world. There are both challenges and benefits to such a real-name policy. For one thing Facebook comments have been shown in a University of Kent study to be twice as civil as Washington Post’s anonymous comments on the same issues. They found that 80 per cent of the time the person posting content that someone else found offensive would remove it when they received a social reporting notification request from the offended party. This is a result of real-name accountability.

• In China there is real name registration for any telco and any internet site. You must register with your photo ID. When it comes to content providers and microbloggers, there is also a real-name requirement, but it is much easier to get round. It can be just your account name. However, the service provider is liable if you have used a false name and they have not verified the account name properly and someone posts something that is not in line with the law.


• It is very important to educate people that they cannot really be anonymous on the internet where they are always being watched and monitored by governments and by industry.

• You do not need anonymity to have privacy. In the same way that you know the identity of the person in each bedroom in your home, they can still have privacy if your policy is to knock before you enter that room even if there is no lock. You observe the rules and retain privacy, and parents only exceptionally exert their power over their children. On the internet, both government and industry power needs to be sensibly controlled by house rules that are transparent. Control and transparency in the exercise of power are the keys to online privacy.

• There needs to be an ability to choose to exercise freedom of expression in both real-name and anonymous places, so that you can have accountability or experiment and gain confidence in an anonymous situation. People simply need to understand the risks and benefits and weigh them up.

• In the off-line world you would never know the offensive or complimentary comment of someone on the other side of the globe. On Twitter you do know it and it changes the dynamic of communication. This reachability is the great distinguishing factor of the internet.

• It’s incredibly difficult to verify remotely and register an identity. Many people have tried it. There have been various schemes on the internet, but unless there’s some way of verifying the attributes someone claims and corroborating the evidence they give you, it is really difficult to have any assurance either in the identity or in that identity belonging to the person who is claiming it (which is why so many schemes rely on government-issued identities like passports and ID cards). South Korea has been issuing PKI-protected identities for anyone doing online financial transactions for over 10 years, but people do not know how to keep those certificates secure, so there is a tremendous problem with stolen, leaked and fake identities.

• Being anonymous and being traceable are different things. You cannot remove your identity online. If you cannot be forgotten can you be forgiven? The internet reveals you, it does not protect you.

• The debate about social networks should be about intimacy rather than privacy. How intimate do you want to be with your ‘friends’? Do you understand the sensitivities among diverse users who do not share the same social frameworks? Anonymity falls between freedom of expression and privacy and needs to be conceptually sorted out.

• Thinking on identity, privacy and security needs to move away from notions of balance to one of mutual optimisation.

• Youth IGF said that when they were anonymous online, they felt safer – it protected their privacy, gave confidence, it was less judgemental, they could experiment, they could express their sexuality, they could get help on embarrassing issues, they could express themselves freely. However, they understood if someone really wanted to know who they were they could not remain anonymous. When they were anonymous they were less accountable, they and others were nastier when they were anonymous. It was good to have anonymous personas for different issues.

• The quality of services you get online is less good if you are anonymous.


Annex 6

Parliament and Internet Conference

Louise Bennett spoke in a session entitled ‘What are the key issues facing the governance of the internet and how will these affect the UK going forward?’ The points that she made to UK Parliamentarians are listed below and were endorsed by the Policy and Public Affairs Board of BCS:

• The Snowden revelations concerning US NSA surveillance on the internet have given further impetus to calls for the de-Americanisation of the internet that were already apparent at UN IGF 2012 from many political delegations (especially from Brazil and EU), human rights and privacy groups. This erosion of trust in both the US Government and companies is in danger of leading to calls for the ‘global commons’ of the internet to be turned into ‘gated commons’. UK legislators should do everything in their power to restore trust and prevent this from happening. The UK should try to ensure the internet is used to connect and liberate, and not to divide and conquer.

• There remain strong calls from the majority of stakeholders to ensure that anonymity on the internet is retained (defined as the ability to interact online without being compelled to reveal who you are). This was supported by 86 per cent of the young people who responded to the Youth IGF Project Global Perspectives on online anonymity. The IAWG has also had a similar response in all the workshops they have run over the last three years. OpenNet South Korea, who jointly sponsored the BCS UN IGF workshop this year, won their case against the South Korean Government’s 2007 regulatory regime requiring ‘mandatory verification of user identity’ in online services in the South Korean Constitutional Court in August 2012, when it was declared unconstitutional. UK legislators should defend this right to anonymity.

• Big data analysis over the internet is an activity raising concern. Big data analysis is being carried out by both governments and the private sector. BCS warned that identity discovery through data aggregation is something that internet users need to be aware of and they should be asked to provide consent to the use of their personal data online. Ethical scrutiny of both the collection and analysis of massive open data online is needed so that it can be used for social good. Just because it is possible, it is not necessarily ethical, but it is important to control these risks and not forgo the opportunities to use such data for humanitarian reasons (such as to track victims of disaster as in Haiti, or use internet performance monitoring data to identify such things as patterns of censorship in repressive regimes). UK legislators should lead discussion on the ethical issues on the collection, anonymisation and analysis of big data online.

• Many UK-based organisations have contributed to the ITU/UNICEF Guidelines for Child Online Protection. The consultation on the first of these (the business guidelines) was announced at the UN IGF. UK legislators should remain in the forefront of this work.

• Education about safe use of the internet for all groups is a key requirement for the internet to flourish and to ensure that the UK gets economic benefits from an increasingly online world. There were many good examples of short public service broadcasting videos from countries like Czechoslovakia and from the Internet Watch Foundation. The BBC should be encouraged to translate and broadcast such messages as part of its public service remit.

• The World Wide Web Consortium (W3C) is currently developing an infrastructure for web identity and payment standards (Payswarm) (including automatic payment of taxation in online transactions) that has the potential to be a major disruptive force that could encourage many new business models and enable the unbanked and digitally excluded to benefit from online services. UK legislators should engage with this initiative to ensure it fits in with acceptable regulatory regimes embraced in the London financial centre.

• Intangibles and virtual goods online cover much more than copyright of music, the written word and software, for example design, business processes and creative works at which the UK excels. UK legislators should ensure that the global governance of these intangibles is in the interests of UK business and fit for the digital world.


Annex 7

BCS EEMA Seminar: How is eID enabling business growth? The challenges and opportunities

Roger Dean, Louise Bennett and John Bullard from the IAWG were among the speakers at this workshop on ‘International governance of identity on the internet’. This lively and sometimes controversial seminar focused on practical guidance from key representatives from Government, suppliers and users who are looking to take advantage of secure and accredited identity and participate in an open forum.

The full transcript of all the talks and discussions can be found on the BCS Policy Hub website.


Annex 8

Some standards for consideration in identity management

Initial registration

This is the most critical part of any identity activity. If the initial enrolment and registration goes wrong, everything else goes wrong. The key aspect is to ensure someone is who they claim to be. The following standards are suggested reading:

GPG 45 – Identity proofing and verification of an individual

GPG 46 – Identity assurance: organisation identity

FIPS 201-2 – Personal identity verification (PIV) of federal employees and contractors

HMG Baseline Personnel Security Standard

ISO/IEC 29003 Identity Proofing and Verification

Background checks

Once it has been established who a person is, there is the need to corroborate other attributes before giving them access to information. This can be as simple as a right-to-work check or making sure that they are not a convicted fraudster. The following are freely available standards that can help with this:

Disclosure and barring service

BS 7858:2006+A2:2009 Security screening of individuals employed in a security environment. Code of practice

Identity and access management systems

One of the industry standard IDAM systems is still Microsoft Active Directory, but there are a number of other good IDAM systems to choose from that offer significant benefits in performing identity management. There are a large number of standards in this area covering everything from database formats to transfer of information and single sign-on. The following are worth a look:

GPG 43 – Requirements for secure delivery of online public services

ISO/IEC 24760-1 A framework for identity management – Part 1: Terminology and concepts


ISO/IEC CD 24760-2 A Framework for identity management – Part 2: Reference architecture and requirements

ISO/IEC WD 24760-3 A Framework for identity management – Part 3: Practice

ISO/IEC 29115 Entity Authentication Assurance

ISO/IEC WD 29146 A framework for access management


Auditing and accounting

The key thing here is to be able to hold someone accountable for their actions. This means non-repudiation of actions and logging information that is admissible as evidence should this be required. The following are the primary standards in this area:

BS 10008:2008 – Evidential weight and legal admissibility of electronic information – Specification

BIP 0008-1:2008 – Evidential weight and legal admissibility of information stored electronically – Code of Practice for the implementation of BS 10008

GPG 53 – Transaction monitoring for HMG online service providers

Identity assertion

This is becoming more important as more services move online and cloud services become more popular. The de facto standard here is the Security Assertion Markup Language (SAML), with version 2 being the most popular. Mutual authentication of devices and authentication of a device (browser) to a service can also be done with standards such as Transport Layer Security (TLS) using certificates. The following are worth a look:

Security Assertion Markup Language (SAML) v2.0

OAuth 2.0

Identity Assurance Hub Service

Credentials

Whether they are passwords, biometrics, tokens or some combination, credentials are one of the main things people use on a daily basis. Critical to ease of use and user satisfaction is the human–technology interface, coupled with the simplicity of managing the credential. There are various standards that are of use here, for example:

GPG 44 – Authentication credentials for online government services

FIPS 190 – Guideline for the use of advanced authentication technology alternatives

FIPS 196 – Entity authentication using public key cryptography

SP 800-116 (Nov 2008) – A recommendation for the use of PIV credentials in physical access control systems (PACS)

Compliance

Most identity information is personal. In the UK this means ensuring compliance with the Data Protection Act, Human Rights Act and other legislation. In other countries there are different legal and regulatory frameworks. The following standards are generally useful:

SP 800-122 – Guide to protecting the confidentiality of personally identifiable information (PII)

Data protection compliance


Strategy and other standards

There are also a number of standards related to identity management and strategy. Some useful references are:

The Open Group Identity Management Forum

Public Sector Internal Identity Federation
