In our Live 5 for 2021, we said that governance would be a major topic for digital identity this year. Nowhere has this been more true than in the UK, where the government has been diligently working with a wide set of stakeholders to develop its digital identity and attribute trust framework – the rules of road for digital identity in the UK. The work continues but with the publication of the second iteration of the framework I thought it would be helpful to focus on one particular aspect – how might the framework apply to decentralised identity, given that is the direction of travel in the industry.
I was delighted to be asked to present a keynote at the FIDO Authenticate Summit and chose to focus on digital identity governance, which is something of a hot topic at the moment. Little did I know that the day before my session was recorded the European Commission would propose a monumental change to eIDAS, the Europe Union’s digital identity framework – one of the main examples I was planning to refer to. I hastily skimmed the proposed new regulation before the recording but have since had the time to take a more detailed look.
In the new digital economy, digital identity is a key component to ensuring security, privacy, and convenience for people and businesses.
When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it is from an app-store, what social media says, and whether they have seen any reviews. But what if once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight.
This is what happened to approximately 300,000 active users of Chrome ad blocking extension Nano Adblocker. You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may have also been uploading session cookies.
Here at Consult Hyperion we tend to go on about the lack of a joined up thinking around government policy on digital identity and source authentication but mostly it doesn’t really affect us personally. I mean, we get this stuff, we can spot a scam a mile off. But sometimes it does get a bit close to home…
I discovered today that my frail but still mentally competent parents have been quarantining for the past week, and a bit, because they received an NHS Test and Trace text warning that they’d been in the proximity to someone diagnosed with COVID-19. As they’re in the very high risk category, you can imagine how worried they were. But here’s the thing – they never give their mobile number to anyone and they wouldn’t know how to download an app even if I spent a year explaining it to them. It was a scam – in fact the text deleted itself, but almost certainly it will have contained “more information” link, which would have downloaded malware onto their phone.
Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.
Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:
Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.
In one sentence I was trying to capture several points:
- Digital identity is a means to an end not an end in itself
- It’s bi-directional – in any transaction both parties need to have confidence in the other party
- It’s about the information you need to share, which will vary considerably between contexts.
- It protects privacy by only sharing the information (or claims) necessary.
[Dave Birch] It’s pretty obvious that RFID is going to transform a variety of retail supply chains, adding value to the services delivered to the end customers.
Izzy’s Ice Cream Café in St. Paul, Minnesota is putting to use RFID technology for giving real time updated on flavors available in its dipping cabinet. It offers more than 100 flavors but serves only 32 in its dipping cabinet at any point of time. The cabinet comes equipped with readers capturing every flavour’s corresponding labels embedded with an RFID tag. The reader captures information 22 times every second and is sent to a system which updates website of the parlour so that customers get to know what is available even before they enter the store. Coloured dots are projected on the wall of the store or TV behind the counter so that the customers get to know the flavours available.
Now this is a great use of the technology and I’m sure it’s only one of the ways in which retailers will find that RFID provides a platform for better management, better service and entirely new services. Nevertheless,iIt’s a step from this kind of use of RFID to the idea of an “Internet of things” has been around for a while.
The “Internet of things” (can’t we think of a better name? the everynet? the allnet? — what about “skynet”, or has that been used somewhere before?) has two essential components: the concept that everything is connected to everything else, and the concept that everything can distinguished from everything else. Universal connection and universal identification. If we take the former for granted and take the Electronic Product Code (EPC) as an example of the latter, we can immediately see that this will create as many problems as it solves (which is not a reason for not doing it, since it also creates many opportunities). It’s easy to see why. Suppose that your phone reads the EPC from my underpants. So what? Now your phone knows that I am wearing either Gucci underpants or a pair of Primark underpants with a Gucci chip in them to impress the ladies. If such phones and such tags were to exist, what would actually happen? What would be the impact on society of knowing what everything is and where everything is all the time.
[Dave Birch] Here at Consult Hyperion we’ve recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there’s another less tangible reason for being interested in it: because once the US government has chosen something as a “standard”, then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I”m not the only one who has been reflecting on just how significant the US government’s support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.
But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.
I was involved in some discussions with a government department a few months ago — long before the US government announcement — during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with “soft” OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook “Identity”, then I’m sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to “hard” OpenIDs (by which I mean 2FA OpenIDs).
The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of “private” digital identities. I think that, as Burton note, the US government’s decision signals a genuine paradigm shift in this direction, a genuine change in the mental model are identity.
after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities
Personally, I think that the government ought to be a “gold standard” identity provider as well as an identity oonsumer, but that’s another issue.
[Dave Birch] I re-read an excellent post over at Emergent Chaos. It reflected an important discussion between two people, both of whom I take very seriously. To paraphrase and simplify horribly, Bob thinks that the social structures maintain privacy, Adam thinks that technological structures maintain privacy.
In a world where some people say “I’ve got nothing to hide” and others pay for post office boxes, I don’t know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of “Online Data Present a Privacy Minefield” on All Things Considered… — I’m not sure the social frame will save us.
The lack of a “norm” is a good point here, and I have to say it made me think. We should be developing tools that allow people to construct their norms (within boundaries, obviously) but not setting out a norm so that the tools can only implement one model. For this reason, amongst others, I tend to come down on the more technological side of this argument, which is why I’m so keen to see privacy as part of customer propositions and privacy-enhancing technologies as part of the systems being built in both public and private sectors.
[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn’t the only person who thought this, by the way.
In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.
I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what’s out there on the basis that it’s much, much better than nothing?