This lively and sometimes controversial seminar focused on practical guidance from key representatives of government, suppliers and users who are looking to take advantage of secure and accredited identity, and included an open forum.
Chairman – David Rennie, Cabinet Office, Identity Assurance Programme
The government is now on the verge of starting to implement its Identity Assurance Programme and hopes to make rapid progress over the next 12 months. Government is a relying party offering a number of services, under a Digital by Default policy led by the Government Digital Service (GDS). Each public service will access the hub, a live component that connects to a number of identity providers (IDPs). The user chooses a provider, which verifies that their information is trustworthy, and then uses that identity for government services; the hope is that the private sector will take it up too.
DVLA and HMRC are starting as a private beta in January and February 2014. The government has contracted with five identity providers: Mydex, The Post Office, Digidentity, Experian and Verizon. These suppliers are likely to deploy two-factor authentication. Relying parties are responsible for matching the digital identity to their own customer account details, and may require a further piece of matching information, such as a driving licence number, on the first transaction. There are no live users at the moment, but there will be in 2014, with the aim of millions of users by March 2015.
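The hub-mediated flow summarised above, as an added illustration rather than code from the programme or any of its suppliers: an IDP hands the hub a verified matching dataset, the hub derives a different opaque identifier for each relying party (an assumption about the hub's behaviour, made here so that IDPs and relying parties cannot correlate a user across services), and the relying party matches the dataset against its own customer records, asking for one extra attribute (a driving licence number) only when the match is ambiguous on the first transaction. The hub key, the field names and the customer records are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

HUB_KEY = b"constructed-hub-secret"   # assumption: a hub-held secret, not a real value


@dataclass(frozen=True)
class Assertion:
    """Verified matching dataset as the IDP hands it to the hub (assumed fields)."""
    idp: str
    idp_subject: str   # the IDP's own persistent identifier for the user
    name: str
    dob: str           # ISO date string
    postcode: str


def hub_forward(assertion: Assertion, rp_entity_id: str):
    """Hub step: derive a pairwise pseudonym for this RP and drop the IDP subject,
    so no RP learns the IDP's identifier and no two RPs share one."""
    msg = f"{assertion.idp}|{assertion.idp_subject}|{rp_entity_id}".encode()
    pairwise_id = hmac.new(HUB_KEY, msg, hashlib.sha256).hexdigest()
    return pairwise_id, (assertion.name, assertion.dob, assertion.postcode)


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


class RelyingParty:
    def __init__(self, entity_id: str, customers: list):
        self.entity_id = entity_id
        self.customers = customers   # the RP's own account records (constructed below)
        self.links = {}              # pairwise id -> local customer id, once matched

    def match(self, pairwise_id: str, matching_set: tuple, extra: str = None):
        """Returns (status, customer_id). First transaction: match on the dataset;
        if more than one record fits, require an extra attribute before linking."""
        name, dob, postcode = matching_set
        if pairwise_id in self.links:            # returning user, already linked
            return "known", self.links[pairwise_id]
        candidates = [c for c in self.customers
                      if _norm(c["name"]) == _norm(name)
                      and c["dob"] == dob
                      and _norm(c["postcode"]) == _norm(postcode)]
        if not candidates:
            return "no_match", None
        if len(candidates) > 1:
            if extra is None:
                return "need_more", None      # ask for e.g. a licence number
            candidates = [c for c in candidates if c.get("licence") == extra]
            if len(candidates) != 1:
                return "no_match", None
        self.links[pairwise_id] = candidates[0]["id"]
        return "matched", candidates[0]["id"]


# Constructed DVLA-style customer records; the two Jane Smith rows are a
# deliberate duplicate to show the "need more evidence" path.
CUSTOMERS = [
    {"id": "A1", "name": "Jane Smith", "dob": "1980-01-02", "postcode": "SW1A 1AA", "licence": "LIC-A"},
    {"id": "A2", "name": "Jane Smith", "dob": "1980-01-02", "postcode": "SW1A 1AA", "licence": "LIC-B"},
    {"id": "B7", "name": "Tom Jones", "dob": "1975-05-05", "postcode": "M1 1AE"},
]


def demo():
    jane = Assertion("idp-x", "subj-1", "Jane  Smith", "1980-01-02", "sw1a 1aa")
    rp = RelyingParty("dvla", CUSTOMERS)
    pid, ms = hub_forward(jane, rp.entity_id)
    first = rp.match(pid, ms)                   # ambiguous -> ("need_more", None)
    second = rp.match(pid, ms, extra="LIC-B")   # -> ("matched", "A2")
    third = rp.match(pid, ms)                   # -> ("known", "A2")
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The pairwise identifier is what lets the relying party recognise a returning user without ever seeing the IDP's own subject identifier, and the first-transaction matching is deliberately conservative: an ambiguous match never links an account on name, date of birth and postcode alone.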
Adam Thilthorpe, BCS Executive Director, Policy and Public Affairs
BCS, The Chartered Institute for IT, is a not-for-profit organisation with 75,000 individual members. BCS also represents group memberships and has, for instance, 1,200 members at HMRC.
BCS continues to work with GDS, a government platform focused on exploring what the user needs when interacting with government, corporates and others. Mydex has changed thinking on "my assurance, my identity and my information", giving citizens more choice.
Dr Mike Westmacott represented BCS at the two main party conferences, speaking on cybercrime and security.
The BCS Google Campus project brings together corporates and innovators: corporates bring their business problems to innovators, who supply creative ideas and learn to pitch to corporates.
Roger Dean, Executive Director, EEMA
EEMA was formed 27 years ago and is always evolving to ensure its activities bring benefits and relevance to all of its members.
• Members include multinationals, corporates and financial institutions;
• Members network and collaborate with a range of companies which technically may be competitors but come together and discover mutual advantages;
• EEMA partners with over 30 industry and governmental bodies throughout Europe and globally to avoid duplication of effort and produce improved deliverables.
Cyber security is now on everyone's agenda and EEMA is involved in this area together with organisations like Trust in the Digital Life (TDL), where the Commission has asked them to partner in its NIS Platform on cyber security. Activities include the successful annual ISSE Conference, which attracts high-level speakers and participants. The projects EEMA is currently working on are SSEDIC, STORK 2.0, Future eID and Cloud for Europe.
In summary, the SSEDIC recommendations to the EU are: encouraging mobile eID and eGov services, harmonising attribute management and exchange, rationalising the choice of authentication assurance, liability, and accelerating digital Europe.
Keynote – Lord Errol, Independent Crossbench Peer, Chair of Digital Policy Alliance
Is there a role for government to engage with industry to provide trusted identities?
Yes, there is a role for government, but how dangerous is it when they interfere?
Is it our role to stop people doing what they want? Banks still do not talk to each other.
We want to enable, not be restrictive.
• The effective use of trust has to be based on people, tokens and context;
• ID and privacy: it's my data, and an individual needs to have control of their data;
• Separate the identifiers and the attributes;
• Jericho Forum, now taken forward by the Security Forum: how to protect an individual's identity;
• Which jurisdiction? Who carries the can?
• What level of assurance do we NEED - civil or criminal?
• Government issued ROOT ID;
• Government and the private sector need to be involved with leading-edge secure technology;
• Need to provide frameworks and principles to work with.
We need to be careful we don't risk our privacy by having too centralised a database, for example Tesco telling the health service how much chocolate or salt I use, or telling the insurance company that my tyres are worn, which could invalidate my insurance halfway through a long journey. I'm me and I want to be free.
He does not believe we need a government single ID system.
Q What worries me is reciprocal information. There seems to me to be a need, when I make a phone call to an insurance company or a bank and they say they are recording information and need all my security details: what safeguards do I have?
A Lord E: It is far too one-way; we should belong to citizen groups and not give information that is not strictly required.
Q Do we have to answer our date of birth as identification?
A Lord E: Only give the information you need to, and invent your own security codes, except if it's something like financial services or banks; not necessarily genuine ones.
Panel – Public and Private Sector Focus – Industry initiatives fuelling business growth
David Dinsdale, e-Government Product Director, ATOS
• GDS is now set up;
• Fixed publishing: GOV.UK;
• Fixed transactions, gradually rolling out and working across government;
• Vision of wholesale services.
Is the government the right eID provider or should it be wrapped up in other places?
• For example, could the RAC or an MOT garage send you a tax disc?
• Social care: the government is beginning to outsource services and put the individual in control, able to choose their health provision.
How does eID play out? Government has a vision of wholesale services and how industry can be a partner.
• The purpose of eID is meeting the needs of users, allowing me to interact with government and allowing the user to choose;
• Entitlement granted by government;
• Government identifying me, stopping fraud and ensuring security.
Most commercial organisations already deal with fraud and security and have processes in place; credit card fraud, for example, is well understood.
It may be that the government eID scheme can provide a better way by encouraging organisations, in the wholesale context, to interact with users by blending all these services together into a package that makes more sense to the user.
Sandy Porter, Strategy and Business Development Director, Avoco Secure
Identity is everywhere, but how are we able to use it, and how is it being harnessed in data ecosystems?
The trust platform
• Usability, flexibility, elastic scalability, security and dynamism;
• A trust level in the commercial world; federated authentication creates a persistent identity;
• Consent to permissions;
• Basics of a trust platform: flexible, plug and play, easily configurable, relying-party-directed registration, user-centric control, interactive;
• Enhanced user data service: Data is key to identity;
• Federated trust platform model;
• Multiple verification options;
• Elastic scalability and flexibility.
It could be pure IDA, but really it is validation in multiple forms. The ecosystem is mixed and we have to maintain this dynamic.
Ian Imeson, independent Identity Consultant, Architect of the Cabinet Office PSN Identity Solution
Government Gateway lead team and authentication service; DWP; Public Sector Internal Identity Framework.
Internal identity services: how are they going to be delivered?
• The public sector must be able to know who did what, where and when; employees should not have access to data not required for their role;
• Public organisations have to trust each other and therefore trust how identity is verified and authenticated;
• Internally the same standards, GPG 45 and GPG 44, will be implemented; for all users this means Level 3 right of access to information.
Currently most people have multiple identities when accessing government services. PSN was tasked with implementing single sign-on alongside increased use of shared and cloud services. IDPs are currently predominantly inside organisations; going forward there will be more shared identity providers, meaning lower cost with a higher level of security.
Health and social services in local authorities are a huge challenge for identity.
Who is the person accessing the data? Identities must be asserted securely for the level of access; this may include using a citizen identity assertion linked to a company or organisation, leading to a healthy framework and more choice.
David Alexander, Chief Executive & Co-Founder, Mydex CIC, a private company that reinvests 65 per cent in social purpose, empowering individuals.
The presentation illustrated the transformative nature of attributes in motion/attribute exchange and how proofs of claim and entitlement can remove manual, paper and web browser forms from the economy through secure two way API connections between people and organisations that provide services.
• Identity evidence from one source is not good enough; Mydex believes in a blended evidence set;
• We want trust, proof and participation, and to save time and money;
• Individuals want to be in control and be able to stop sharing or limit what someone can do with their data.
An organisation-centric approach is open to abuse and individuals would lose control; individuals need to manage their own data.
The interoperability problem can be solved by equipping individuals to receive evidence and information from multiple data sets and multiple standards, re-purpose it and send it out with a new certificate so that they can share aggregated data. David believes:
• The individual is the logical point of integration;
• Identity becomes a by-product of verified attribute exchange between individuals and organisations;
• A federated identity assurance scheme is vital to move to the secure API economy and channels;
• An open personal data attribute exchange is essential for economic growth, citizen empowerment and the transformation of all services.
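The "individual as the point of integration" idea in the bullets above and the blended-evidence and re-certification points before them, as an added example that is not Mydex's code or a description of its platform: two attested records arrive in different source schemas, the individual's software verifies each attestation, normalises them onto common attributes, refuses to assert anything if the sources disagree, and sends the relying party only the attributes it asked for, re-certified under the citizen's own key with the list of contributing issuers. The issuer and citizen keys, the record schemas and the records themselves are constructed, and the attestations are HMAC tags over canonical JSON standing in for real digital signatures.

```python
import hashlib
import hmac
import json
from datetime import date


def canonical(obj) -> bytes:
    """Deterministic JSON so that an attestation covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def attest(key: bytes, payload) -> str:
    # Assumption: HMAC-SHA256 stands in for an issuer's digital signature.
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(key: bytes, payload, tag: str) -> bool:
    return hmac.compare_digest(attest(key, payload), tag)


# Constructed keys: the two issuers and the citizen's own re-certification key.
KEYS = {"council": b"constructed-council-key",
        "bank": b"constructed-bank-key",
        "citizen": b"constructed-citizen-key"}

# Constructed evidence received by the individual, each in the issuer's own schema.
COUNCIL_RECORD = {"issuer": "council", "schema": "ctax/v1",
                  "resident": {"fullName": "Jane Smith", "post_code": "SW1A 1AA"},
                  "dob": "1980-01-02"}
BANK_RECORD = {"issuer": "bank", "schema": "kyc/v2",
               "customer": {"name": "JANE SMITH", "date_of_birth": "02/01/1980",
                            "address": {"postcode": "sw1a1aa"}}}
EVIDENCE = [(r, attest(KEYS[r["issuer"]], r)) for r in (COUNCIL_RECORD, BANK_RECORD)]


def normalise(record: dict) -> dict:
    """Map one source schema onto common attributes; each new schema gets a branch here."""
    s = record["schema"]
    if s == "ctax/v1":
        name = record["resident"]["fullName"]
        pc, dob = record["resident"]["post_code"], record["dob"]
    elif s == "kyc/v2":
        c = record["customer"]
        d, m, y = c["date_of_birth"].split("/")
        name, pc, dob = c["name"], c["address"]["postcode"], f"{y}-{m}-{d}"
    else:
        raise ValueError(f"unknown schema {s}")
    return {"issuer": record["issuer"], "name": " ".join(name.lower().split()),
            "postcode": pc.replace(" ", "").upper(), "dob": dob}


def derive_claim(evidence, requested, as_of: str):
    """Individual side: verify every attestation, require the sources to agree,
    then emit only the requested attributes, certified by the citizen.
    Returns (claim, tag), or None when the evidence conflicts."""
    facts = []
    for record, tag in evidence:
        if not verify(KEYS[record["issuer"]], record, tag):
            raise ValueError(f"bad attestation from {record['issuer']}")
        facts.append(normalise(record))
    core = {(f["name"], f["postcode"], f["dob"]) for f in facts}
    if len(core) != 1:
        return None                      # blended evidence must agree before anything is asserted
    name, postcode, dob = core.pop()
    today, born = date.fromisoformat(as_of), date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    available = {"over_18": age >= 18, "postcode": postcode, "name": name}
    claim = {"as_of": as_of,
             "attributes": {k: available[k] for k in requested},   # data minimisation
             "sources": sorted(f["issuer"] for f in facts)}
    return claim, attest(KEYS["citizen"], claim)


def rp_accept(claim: dict, tag: str, min_sources: int = 2) -> bool:
    """Relying party: check the citizen's certificate and insist on blended evidence."""
    return verify(KEYS["citizen"], claim, tag) and len(set(claim["sources"])) >= min_sources


if __name__ == "__main__":
    claim, tag = derive_claim(EVIDENCE, ["over_18", "postcode"], "2013-11-01")
    print(claim, rp_accept(claim, tag))
```

The relying party never sees the bank or council records, only a claim carrying the attributes it requested and the names of the issuers that contributed; with real signatures in place of the HMAC stand-in, the same shape lets the citizen's key, rather than any one organisation, be the thing the relying party trusts.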
Q DR: We in government think we are the centre of the world, but government interactions are a pretty small part of citizens' services. Besides IDAP and other countries' programmes, what do the panel think the big initiative will be? What can we look to in industry?
A DD: Government document authentication for ID; as Sandy says, there is no single solution, there is an ecosystem, a divided trust platform. Commercially there is value in personal data and in how you use it, but government is an important back end to who we are.
Q Can third party products access this market?
A DA: There will be APIs for citizens to interface with them. Mydex believes in interoperability and convenience, using different providers such as G-Cloud to simplify connections; people want identity services which are easy to access.
RD said citizens haven't got a clue, e.g. with Tesco Clubcard points. Lord McLaren is introducing e-receipts to encourage people to sign up with all their data; they will then get benefits. Convenience and incentives are everything to the citizen.
Q We are encouraging citizens to put all their eggs in one basket and go for one single solution, which makes the citizen very vulnerable.
A II: It is better to highly secure one system than to go for lots of insecure providers.
Q DA: Should there be organisations involved that are not involved at the moment?
A SP: Everyone has attributes about the individual and has a role to play and individuals should be able to pick and choose the information they release.
Panel – International Governance of Identity on the Internet
David Birch, Global Ambassador, Consult Hyperion
David made an impassioned plea to make progress in all areas and address the issues now, since everyone had been talking round these issues for many years.
Mark King, Consultant, Broadsail, UK
Two drafts are going through the EU processes:
the Data Protection Regulation and the eID and Trust Services Regulation. The latter is in two parts and includes:
• eID and trust services: national confidence, interoperability;
• European competence: signatures, seals, who is on the web?
• IDAP architecture: not yet published;
• Discussion on big data is good, big brother is bad;
• Privacy principles, draft.
Many of the missing items have international aspects:
1. Establish and fund an ombudsman;
2. Determine what audit trails are needed and for how long;
3. UK parliamentary discussion on the exception principle;
4. Sound commercial models for the IDPs signed up to the scheme, with clarity on liability;
5. Explain data matching not sharing;
6. Publish architecture.
STORK mapping: assurance levels across member states are not compatible.
• Self-asserted, so no value added by any 'provider';
• Civil: balance of probability;
• Criminal (fraud; most interactions with government involving money): beyond reasonable doubt.
John Bullard, Global Ambassador, IdenTrust: Why haven't trusted identities moved on?
John’s presentation suggested solutions to the following questions:
• What do we mean by trusted e-Identity?
• Solutions bounded by national borders, which cannot operate outside them;
• Why is trust such a significant interest to business, governments and banks?
• A trust network solution to e-signatures;
• Contract based legal framework;
• Bank issued trust network identities – end users bring the applications;
• Multi-use identity and validation layer and true interoperability.
Applications such as IdenTrust's can provide identity, validation, liability management, global interoperability and legal enforceability.
Q DB: There has been a huge rise in fraud; why aren't they doing anything about it?
A RD: Perhaps the banks cover it up, as it is not in their interest to share that information.
Dr Louise Bennett, Chair of BCS Security Community of Expertise
Feedback and recommendations from UN IGF Conference – 31 October 2013
During the conference, issues relating to the Edward Snowden revelations and American domination of the internet, which could cause an erosion of trust in the US government and industry, dominated proceedings.
• The global commons must not become a gated commons;
• Right to anonymity, but traceability in case of criminality;
• Ethics issues associated with big data need attention;
• W3C web consortium work on identity and payment is potentially disruptive;
• Child online protection is an area of global agreement;
• Education about safe Internet use is essential;
• Global governance of intangibles is more than copyright.
Q It seems rather strange that we used Estonia as a model.
A MK: Estonia has a different political environment and essentially different problems, and is primarily using mobile phone technology.
Q Are lawyers involved in the ID projects?
A MK: They are not involved in the solutions at the moment but have been involved in consultations with SSEDIC and STORK.
JB: Lawyers are brought in at the end of some processes.
LB: The Law Society has been involved in the projects she has been working on.
Q There are different attitudes to electronic signatures; perhaps lawyers could give us the correct usage of words?
A RD: This suggestion that lawyers be involved will be discussed at the next BCS meeting.
Panel – New Directions, Commercial Opportunities and managing the risks
Nigel Taylor, UK e-Invoicing
Why electronic invoicing: the benefits
• Saves money: takes away paper processing and substitutes an electronic process, producing 40 per cent savings;
• Automates processes: prompt payment, 30 days for the public sector to pay;
• Gains strategic value: optimises working capital, improves customer experience, CSR;
• Regulatory requirement.
Why are these invoices important?
• VAT and other payments are a large part of tax for companies worldwide, and this helps companies, individuals and governments;
• Business connections in the cloud are now an economic necessity;
• Proving authenticity is very important and has vast potential;
• Has to be adopted by 2020, but is interpreted differently in every country.
Q DB: By what date does government have to comply?
A NT: By 2016 electronic invoices will have to be accepted by the UK government.
Steve Pannifer, Head of Delivery, Consult Hyperion, UK
How can we improve user experience and security in card-not-present (CNP) transactions?
How can we engage better with customers on the mobile device or in a multi-channel environment?
How can we market to consumers in more relevant ways that build trust?
Digital wallets may be part of the solution, but identity also has a key role to play.
• Payments: CNP is still not great. The improvements in 3-D Secure help, but:
Card PAN entry is cumbersome, especially on mobile (mobile is so important);
Card-on-file helps, but then you are reliant on the security of the merchant;
Not all merchants employ all fraud measures (CVV), which are in any case still relatively low security.
• Advertising and marketing are still crude, relying on cookies and tags and producing a scatter-gun approach.
The current approach to some of these problems is wallets:
MasterPass, V.me, PayPal etc. provide better ways to manage my payment cards, with increased security and reduced friction, but still use passwords. MNO wallets (Weve, Isis) have a strong element of targeting, but who owns the data?
There is a need to separate identity and authentication from the service and from the wallet.
We need to take some baby steps:
• We need to replace passwords: wallets use passwords, IDAP IDPs use passwords ...
• We hear about the data economy. There's a desire for richer data sharing, or at least the monetisation of data;
• Data ownership is a real issue. As consumers and identity professionals I think we all agree on the principles, but that doesn't translate into conventional business cases. We need to develop and clearly spell out the business case for putting the consumer at the centre and making it their data: PDS, Assure UK.
Does government eID solve these things? I think it may help, but the range and needs of commercial services require a wider spectrum of choices. eID may help for those higher-assurance interactions. But we need to start somewhere...
Paul Rodgers, Chairman and Founder, Vendorcom (Cards and Payments)
Retail and Payments issues:
• Individuals want to choose their own credentials;
• Governments do not give great value;
• Vast sections of the public do not want to give their credentials to the government;
• If the NHS accepts Facebook authentication it is taking information, like age, that may be inaccurate.
Focusing on making the citizen take control of their own information, perhaps there needs to be mutual liability.
Q DB: Is there some way to work together? The banks are not even working together.
A PR: There are lots of good payment solutions like PayPal which are already established and ready to use, whereas new solutions are very expensive and take time.
Q Should corporate payments and individual payments be treated differently?
A PR: Bank-to-bank will be very important, but will they deal with transactions in real time?
Closing discussion and audience participation
Q The merchant has to keep to various standards, but when there is fraud, what is best practice?
A PR: We need to radically rethink security authentication that has been built on old processes; you need to use more than one identification credential.
DB: I think we want identities that are more controlled. We need to do something active now to make this happen. Operator mobile ID may be the way forward.
Next year’s seminar should include legal aspects, financial institutions reactions and examples of PPP from other administrations.