Aspects of Identity British Computer Society
30 September 2011 - A Workshop on in Nairobi, Kenya
September 30, 2011 - 11:00AM
The following is the output of the real-time captioning taken during the Sixth Meeting of the IGF, in Nairobi, Kenya. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> LOUISE BENNETT: Good morning. This is the workshop on aspects of identity in the security openness and privacy theme. I am just saying that because every workshop has been moved somewhere else and interestingly the accessibility workshop has been moved downstairs for accessibility reasons. If you wanted to go to that you need to go downstairs again.
And in room 13 which is where we thought we were there is the young people in safeguarding and if that's where you wanted to you are in the wrong room as well. I hope that you are all in the correct room.
My name is Louise Bennett. And I am moderating this session. The workshop has been organized by the British Computer Society because our membership which is we are a 70,000 people membership organization. Every year they say the main things that they want us to do on their behalf and this year they said that they wanted us to bring the questions of identity assurance on the Internet to the attention of our Government and international institutions.
Consequently myself, Andy Smith and Ian Fish who are all volunteers in the BCS and do day jobs at other times but I chair the security community expertise. Ian Fish chairs the security special interest group and the privacy panel. And Andy is a member of both of those and they will say more about themselves later. Ian is doing the remote moderation. So he won't be speaking on the panel but he will be answering questions but will try to ensure that we have a good dialogue with our remote participants.
The other member of our panel is Alun Michael MP. He is the MP for South Cardiff and Penarth, Wales and we have been working with him for many years. He has been involved in the IGF from its inception. And we have been working with him through EURIM on many things including identity governance on the Internet.
The three topics that we want to cover are very briefly privacy and security, the balance between those. Identity governance on the Internet and trust in remote identities. Now when phones fixed and then mobile were first used they were used for one to one conversations. You decided who you wanted to call and you usually recognized the voice of the person you were talking to.
You knew who they were and you knew that you trusted them. If you rang your mother, you knew it was your mother answering the phone because you recognized the biometric of her voice. In just the same way when the Internet was used over 20 years ago was used by a limited group of people in organizations and it was trusted between each other.
It was an extension of what people have been doing for years. Now the Internet can link everyone and everything. In 2010 there were an estimated 35 billion IP‑based devices on the Internet. The estimate for 2013 is over 1 trillion including linking over half of the population of the world. Now you cannot know, let alone trust all of these people. The greatest vulnerability now is really from mobile access. You may think you know whose phone you are communicating with but if you just think of a few statistics that we have in the UK, last year over 20% of the people lost their mobile phones or had them stolen. And I am sure that kind of statistic probably holds for other countries. But more importantly over 60% of those people didn't even have a pin on their phone let alone any more sophisticated security.
So it is an inescapable truth that you can neither know who you are communicating with on the Internet nor who owns let alone who is using the device or the IP address that you are communicating with. However you do need to know both of these things. You need to know who is at the other end and who they legitimately represent, be it a Government or a business. If you want to benefit from Internet services and transactions, and that's why the management of identity on the Internet is really so important.
We have discussed this topic in the UK at Infosec with our own membership of 70,000 at EuroDIG in Serbia and now here in the IGF. It is a very complex issue. And we want to speak for a short time and really hope that we will have a good dialogue with you.
I would now like to hand over to Andy Smith.
>> ANDY SMITH: Good morning. I am actually going to do something slightly interesting here. One of the things that we noticed at Infosec more so at EuroDIG but also here is there is a tendency to get the balance between privacy and security skewed more towards the privacy side.
So I am going to try and address that and talk a little bit about the national security implications and the other aspects of this balance. Because it is not just the Human Rights, the rights to privacy and the data protection of all of the individuals that are on the Internet. It is also the right to privacy and the Human Rights of all of the victims of cybercrime. And you ‑‑ people really do not understand the sheer volumes, the statistics behind the victims of cybercrime. Every year millions of people have their lives disrupted, life savings stolen. They have organized crime, abusing children. We have a number of aspects of crime on the Internet and very poor ways of actually being able to deal with these. So looking at the national security side, terrorists acts happen in the physical world, but more and more we are seeing these being organized, coordinated through the Internet through communications over the Internet. It is a great way for terrorist organizations to hide what they are doing. It is a lot harder to listen in and gather information from encrypted communications going over the Internet than it is from mobile phones or more traditional forms of communication.
So we need privacy. We need to protect people's rights but we also need to be able to track down, stop wherever possible and wherever we can't stop we need to be able to prosecute those that commit heinous crimes either on the Internet or using the Internet as a communications media.
But we have still got this other aspect. We have got this balance. And the balance is there and it is fundamentally important. So if you look at some of the things that have happened in the past, when the Nazis went in to the Netherlands they just pulled all the records that the Dutch authorities had and it allowed them to identify every single Jew. It made it easy to run up the Jews and stick them on trains. We need to protect people's privacy and rights. We need to get the balance right. Looking at identity management and looking at how identities are used on the Internet. In the old days you had a trusted registration process. So someone would go and apply for a passport. They turn up in person. Feeling that they ‑‑ they would have their forms filled in and do the background checks, collaborate the information and a trusted organization, usually the Government would issue them credential, a passport, driving license or if it was a bank they would issue them with a credit card, a bank account, et cetera, and then they can use this set of trusted credentials in the case of a bank a credit card with a pin number to do transactions over trusted infrastructure like the ATM and e‑pause networks and usually in a supervised environment like a shop or a bank or some other trusted location. So this is all nice. This is pretty simple. You have got some level of trust because you have supervised the environment and its trusted infrastructure.
But on the Internet we have got a completely different scenario. There is a lot of bad people out there. And organized crime are more and more working out, that they have got a large target market on the Internet. And they can make a lot of money both because of human error, but through social engineering, psychological manipulation, all sorts of tactics and techniques. They can make a lot of money from people on the Internet. And they can do it from countries or places where they stand very little chance ‑‑
(Lost audio.)
>> ANDY SMITH: We have got other examples of people stealing identities on the Internet and it is very easy to get in to someone else's computer and on their computer is their whole life. And when you are using things like Facebook or Google you don't realize it often but you are paying them for their services with your personal information. Your personal information is valuable. And that's what they are using as currency, your personal information. So you need to be very careful about how you use it.
So with that I am going to pass on to the right Honorable Alun Michael to look at Internet Governance.
>> RT. HON. ALUN MICHAEL MP: Hi everyone. I think the reason that this is quite important from a parliamentarian's point of view and it is great that it has been brought up as an important issue by the British Computer Society there is an issue of confidence. More and more public services are going on. It is the things that you need in everyday life and basic services that are dealt with online and that's increasingly happening at a time when the money is short. And you can do it more cheaply by putting things online. That's fine. But there is considerable evidence that a very significant proportion of the public in the UK at least would not go online even if you gave them a free high level broadband service and a computer for nothing.
And that is to some extent a question of fear. And an old friend of mine ran a club for elderly people called Computers for the Terrified because it is quite nice because it admitted that it wasn't stupid to be fearful and unusual. You can look at how to be secure online. But when it comes to the question of identity, I love this picture. I don't know if you can see it because it is a slightly washed out picture, but it is the annual event when the Queen comes to parliament and you can just see to the left of her Prince Philip. There is the Queen and she is giving the Queen's speech. Actually it is not the Queen's speech. It is written by the Prime Minister and says what the government thinks. Whether the Queen thinks those things or not it is a total secret. And she reads it out in the most dull monotone but the thing is everyone knows who it is really. And we also know who wrote the speech. There are other inconsistencies in the British constitution but I won't bore you with them.
>> No look‑alikes to (Off microphone).
>> RT. HON. ALUN MICHAEL MP: Oh, I wouldn't know about that. It would take an American to think of such a substitution. There are also issues about print ‑‑ how you deal with legislation in this area. As a legislator I am very reluctant for us to legislate unless I know what the impact is. The impact to Internet issues is highly unpredictable. Things are changing and moving too fast. One example a few years ago when we had the bombings in London the telephone network collapsed under the weight of use. This year during the riots in a number of our cities that didn't happen. The Smartphones, the change in technology had moved on very, very rapidly. So if we had been legislating on how to deal with these issues, for instance, one suggestion was you close down the public network in order to let the emergency services have, we would be completely out of date by the present time. At the same time during events this summer police saw Twitter and Facebook being used a lot. Members of gangs were directing to where the next break in would be. Did they think of closing it down? No more positive engagements. The police went on the scene and said that's where you are going, we are going, too. I think that makes it all the more important that what we are doing is making clear what principles and responsibilities are rather than trying to put in place regulations and legislation that is technology specific or specific to a particular point of the development of these ways of using communications.
Going on to the next slide, of course, part of the problem but also part of the strengths and part of the reason why the IGF is so important is the fact there is no central control of the Internet. There are many organizations who have a finger in the pie, the UN, the ITU and so on and so forth. But ‑‑ and there are drivers of identity if we go to the next slide, which again are evermore complex. And in day‑to‑day life people are making choices which are based on the assumption of knowing who they are engaging with. So that raises the questions for identity governance within the wider issues of Internet Governance that we have been debating all this week.
So who would be appropriate? United Nations? I don't think so. Topdown bureaucratic summons response is the one that we have avoided through the creation of the IGF process. Who could have the remitting authority? Is it a question of control or a question of standards? I put the Co‑op in there as a suggestion because Cooperative Governments is a lot more sophisticated than most other forms of human governance and in a way the IGF model is a cooperative model. It is also a problem I think that many of the issues are discussed in silos. I have a number of occasions I have been asked to chair or participate in events which brings people together to talk about the issue of privacy and then a week later you are with a different group of people talking about how to exploit the potential of the technology or different forms of software.
>> RT. HON. ALUN MICHAEL MP: Of different problems. Sometimes in different countries, sometimes different content, sometimes within an individual country. So the question is how can we balance privacy and security. They are both important. If we have a conversation that's purely about privacy or purely about security ‑‑
>> WILLIAM SMITH: When I was at Sun my ‑‑ and we developed a set of standards around online identity and it did so in a federated manner. If I could I just around the balance topic, things that we considered important then and Paypal considers important now are anonymity, pseudonymity and attribution. And we believe in using attribution in various levels as and when necessary. There are interactions on the Internet that require no attribution and anonymity should be preserved. In the United States that was a very important part of the founding of our country, the ability to speak anonymously and it is embedded in our constitution.
In order to also balance one of the things to look at when you are looking at attribution is what is the context in which you are operating in. What is the purpose. What is the environment you are in. And what are your risk or threat models that you are operating under. At Paypal, we, basically every transaction we are looking at risk and making decisions based on risks in the moment based on a variety of factors that I won't describe because I am not allowed to.
But it is because that's a security thing for us. But you can look at credit card companies and things that they might do and I am sure you ‑‑ everyone here or likely people here have had this happen where you attempt to purchase something and the merchant says well, the credit card wants to talk to you. And what they are trying to do is they are saying well, your behavior is a little unusual. How we are seeing this card used seems unusual for you. You have never been to some place or you never travel and all of a sudden you are some place. We will do the same types of things. See you coming in from a strange IP address.
It is important to remember there are stages for identity. It was discussed earlier around authentication but there is also authorization and then finally audit. Authentication is around do you have a credential. I am a U.S. citizen and I have a passport. It is a credential. What it does is it is federated. This is acceptable in any country on the planet I believe as a form of identification. And it can be used to authenticate who I am by looking at my picture and does it match.
The vetting that is necessary for this for the production of this credential is federated. Each of the countries on the planet is allowed to issue passports. It is their responsibility to make sure that the identities are, in fact, correct. That it is a valid document and it ties to a true person. And there are problems with this as was pointed out. The problems in the real world and problems in the virtual world. Other thing is trust. That is done by agreements. In the business world if you are going to a federated system you have to have trust on the party side.
Another thing for businesses where and when does the liability move. What is the flow of liability. If you think in the credit card industry, you have merchant banks, the issuing bank for the card and the liability flows from one transaction to another and it is always known where the liability rests. That's why at times you have to enter additional information to engage in a transaction. This should be true and we think should be true online. You blog post anonymous. The site might want to know well, this is the same person coming back but we don't need to know who they are. I am certain I am going to want attribution when we are engaging in commercial transactions. Paypal certainly wants to know who we are dealing with. Our merchants want to know either who they are dealing with or that there is someone who is standing by. And backing in this case Paypal a payment.
And so I think, you know, to ‑‑ how do you ‑‑ how can you get trust in identities? Well, one way is through some model of federation. And possibly governance model would be multilateral template treaties. Whether through businesses, Governments or some other mechanism and we should look in the real world for solutions in the virtual world. My passport again is a credential. Am I authorized to enter Kenya? I have a Visa. It specifies my passport number and other things. And that allows me entry in here. I am authorized. It is separate from the credential that says who I am. Okay?
And we need to do things ‑‑ we need to look at those types of things as well and those decisions get made in the moment. Okay? If I am coming in from Kenya attempting to transfer, you know, all of my life's savings, my bank should ask me for additional information. Right? They should not just say oh, great, you enter and used a password and it is a weak password and we are going to transfer your life savings to ‑‑ I won't pick a country. But, you know, some less than reputable country and not in Africa.
I would want them to ask for additional information. Right? And they should. And it should be because of the context of the ‑‑ of the transaction. Am I authorized to do it? What's the risk? Okay? And too often in computer systems we have ‑‑ we have not implemented our systems that way. We do user name and password to a system and once you are in, you can do anything. Whatever it is that you are authorized to do you can do it. There are no checks made after the fact. And that is something we certainly don't agree with and that we evaluate risk on each and every transaction. And so I think that's an important part of identity. There are significant issues with security. We have issues with security, national security. But we think it is important to protect anonymity, protect privacy but also give us the actuals and law enforcement to mitigate crime and to go after the bad guys and prosecute when we can. Thanks.
>> LOUISE BENNETT: Thank you very much, Bill. I would like to open the dialogue to everyone now. And in order to keep a good flow if you want to say something that is a real follow‑on or a clarification from the previous person, if you put your hand up with one finger. If you want to start a new topic can you put your hand up. Okay? Because we are having a bit of trouble with remote participation, could I bring in a remote participant first?
>> IAN FISH: Thank you. Yes. We have Dee Williams in St. Lucia who has observed, an observation and might deserve some comment from the panel that there appears to be a clash which I notice in the Caribbean between privacy which is a European basic principle and openness which is a U.S. basic principle. And they say it can get quite uncomfortable because at least here in St. Lucia we have a tendency to rest on privacy, i.e., the European principle. I wonder what the panel might think about that.
>> LOUISE BENNETT: Who would like to answer that?
>> RT. HON. ALUN MICHAEL MP: I think this is why an international debate is necessary apart from the business of negotiations between Governments and so on. Because that comes out and has come out in the debates during this week. Sometimes one person's absolutely iron principle is open to question by others and you have to actually go behind that and discuss it through before you can understand how to apply principles in relation to the Internet. I think it is an important point that is made.
>> WILLIAM SMITH: Recognizing there are very strong differences between the U.S., how the U.S. views privacy and how it is viewed potentially in the rest of the world, certainly in Europe. At the same time the two systems can interoperate and we do interoperate or operate in parallel. In terms of is there a conflict between privacy and openness I actually don't think so. You know, we respect individual's right to privacy. We should I think generally in the United States at least respect it more.
But at the same time openness, I have made this comment in another session, if I am engaging in a transaction or some communication on the Internet, I kind of ‑‑ I have a right or should be able to know who I am transacting with or communicating with if I choose to. If I want to know who I am communicating with, should be able to ask and should be able to get a reasonable answer back. Certainly if I am engaged in a commercial transaction I want to know who I am dealing with that should the transaction fall through I have some way to readdress. And in addition I have to typically when engaging in those types of transactions I have to hand over personally identifiable information and I want to know who I am handing it to. So the openness for entities engaged in commercial transactions is important. And this is in EU law that, you know, at least in certain countries on a Website if you are engaged in transactions you must publish who you are. It has to be on the Website.
So I think there is a balance. And there is a difference between an individual or an EU terminology natural person not engaged in commercial activities. They have a right in EU to privacy and that right even if true in the U.S. that right is not absolute. For example, in the United States if I am involved in a traffic accident, I have an obligation to disclose who I am, my driver's license, my car registration, my proof of insurance. Considerable amount of information that I have to turn over. In the U.S. there aren't many, if any, restrictions on what I can do with that when I hand it over. But the other party as this was pointed out earlier, the other party has a right to that information as well because it is not a criminal activity but I have been engaged in something where there is potential conflict and both parties have a right to the information at that point. And privacy is in a sense trumped at that point.
>> LOUISE BENNETT: I think you wanted to follow on on this point.
>> PATRICE LYONS: Yes, I would like to take up on that because class ‑‑
>> LOUISE BENNETT: Give your name.
>> PATRICE LYONS: I am an Attorney in Washington D.C. and my name is Patrice Lyons. In recent years it has become more focused about the information about your identity in digital form and how to manage that. That there are different kinds of privacy contexts and most of them right now that I see that are terribly important have root in the law and we have been working on new apps in the medical care area and health and human resources home have very specific privacy requirements. Some of them you can debate whether they are required or not. But it all depends on what information it is represented in digital form that you are supposed to maintain in privacy. I have written lots of nondisclosure agreements where you have to say that you can't take this information and put it out in the Internet but can use that Internet capability to actually convey the information. Perhaps encrypt it, whatever.
>> LOUISE BENNETT: Okay.
>> MARIAM MEMARSADEGHI: Thank you. My name is Mariam Memarsadeghi. I am here as part of a Freedom House delegation. I am originally from Iran and I run an NGO project called Tavaana E‑learning Institute for Iranian Civil Society. I just wanted to suggest also for the discussion that just as though there are different standards between Europe and the United States perhaps, there is a very big difference between how repressive regimes operate and how free Governments operate. And while Human Rights are universal the way that corporations and technologies function in these two very different contexts are very different. And so what is a good technology or a good Internet Governance approach for the free world or even the partly free world has very different uses and effects in a country like Iran where we operate. We have to take many protocols and steps technologically and in terms of our human resources to ensure the anonymity of the students that come and take classes on our online institute. Having said that Iran is a country. People who are familiar with Iran are very conscious about the national security threats about terrorism and how the Internet and its openness are used and manipulated by terrorists and Governments to spread terror.
>> LOUISE BENNETT: Thank you very much. If you would like to ‑‑ Andy?
>> ANDY SMITH: This is something that I actually have quite a bit of experience with. I spent a couple of years working in Saudi Arabia, Dubai, Bahrain and it is very interesting there. You get the Government, even the GSM network doesn't have encryption turned on. Basically so the Government can listen in to every single telephone call all in the name of national security.
So they have gone to the other extreme. And you don't have privacy which is a shame. And it is because of those sorts of countries that go to that extreme. Yeah, China is one that everyone picks up on. The countries in the West go to the other extreme and go to the, you know, we want pure anonymity and privacy and we don't want to share information.
And I think we need on a more global basis to try and find how we can get this balance right so that people in Iran have their right to privacy but it doesn't affect how much the state worries about national security and denigration of culture and people in the West don't go over the top of privacy and prevent law enforcement from doing their jobs properly. It is a real conversation that needs to be had around this.
>> LOUISE BENNETT: Yes.
>> MARIAM MEMARSADEGHI: What I meant is more that Iranian‑‑ it is not a concern for their interest in national security. It is that as activists we are concerned about how they repress citizens using the Internet.
>> ANDY SMITH: Yes. This is the other part of it. It is ‑‑ they are not just ‑‑ and in Saudi it is very obvious. It is not so much about looking for criminal activity. It is looking for anyone who wants to denigrate the culture. They have fixed views on what the culture should be and if they see anything that goes against that, if they see people wanting to have their freedom and I mean if you tried sort of walking down the road in Riyadh with the bible you basically wouldn't last very long.
But you should have the right to do that. If you want to read the bible in Riyadh you should have the right to do that. But it is again on the online stuff, they are looking for people in Saudi who are trying to look at the bible online or trying to look at things that are not a part of their culture. And because they are doing that and doing it for the wrong reasons, it actually makes it very hard to justify the national security aspects in other countries.
>> LOUISE BENNETT: Yes. Bill, you wanted to say something?
>> WILLIAM SMITH: Yes, I think in response this is for me, this is one of the reasons why it is important to be able to be anonymous, pseudonymous and to rely on attribution. And they are used at appropriate times. In a repressive regime anonymity is going to be far more important. And extra measures will need to be taken. But if the ‑‑ if there is an identity architecture, as long as it supports these things it will be possible. If it doesn't support these things it will be impossible.
In my country people still ‑‑ people want to be anonymous at times. I understand the need in a repressive regime to be extra careful. I think it is important that the architecture support it and we shouldn't ignore repressive regimes. Nor should we in my opinion design everything around that.
We need to be aware of it and hopefully the world will move away from repressive regimes to more open.
>> LOUISE BENNETT: I am going to take one follow‑up on that and go to Bob who has been trying to get in since the beginning. That's right. Yes.
>> I am Tapani from Electronic Frontier Finland. I have lived in Riyadh and I know people who hide their bibles there. The key point here some measurement mechanisms that work in democratic societies and some that don't work in repressive regimes is an important point and regimes can change from democratic to repressive. We should try to develop such systems that actually work only in democratic societies. At least to the extent that they are not too effective for repressive regimes. We look at ‑‑ consider if I am a government, now democratic Government, what kind of measures shall I set up that will not be useful if I turn bad? And basically the police should not be too efficient, it should not be too efficient that it keeps the majority of the population under control.
>> LOUISE BENNETT: I am going to go to Bob now.
>> Bob: That was one of the points that you made about the Nazis going in to the Netherlands. The Netherlands had a very open democratic society and a repressive regime came in and used information they had to their advantage. Any model we put up on the Internet if the regime changes they suddenly can't make use of that for the wrong reasons.
>> LOUISE BENNETT: Okay.
>> I am inclined to almost talk about encrypted bibles but don't let me go down that path. I think any discussion identifiers really has to bring in to play the policy aspects and the technology that would support it. They don't exist independent of each other. I have had a long history of dealing with identifiers and I am currently involved in identity management stuff in a very serious way having to deal with discovery of authenticated information. Let me just say that in the history of identifiers on the Internet for the most part they have all been very technology dependent and I think that's a big mistake. And in the future I think what we need to do is look for identifier systems that don't depend on the technology that implements them. I think it is possible to get to. If you look at the history of computer networking the very first network I was involved with was ARPANET. That was the very first Internet of things because it is about machines and every machine was identified by the wire to which it was connected to the net. That would not stand the test of time especially since that net no longer exists.
When we got in to the Internet environment we created the IP addresses and even that you could argue is somewhat technology dependent because we could move from IPv4 to 6 and the old address could not be valid in the future. Whether it be the DNS or file conventions and machines and the like and that could all change. So the approach that we have taken is to simply say that let us deal with the technology independent identifier approach and for the things that we want to identify, if you think about it at large, most people start thinking about identity management in terms of actual users but in fact, we need to broaden that out to talk about all the resources that are out there on the net, whether they be applications, computational services, whether it is that is being dealt with as well as the information that's produced along the way. It could be a person wrote something and you want to get the thing that they wrote and may want to identify that separately as the publishers have been doing for more than a decade in a very technology independent way or you may want to identify things that came out of a service that were produced at a given point in time.
If you are going to go down that path, then you are going to have undoubtedly over time different identifier systems. So we have to deal with some of the issues of interoperability. And I want to pop up a level and let's assume we can agree on a mechanism today and when you could have one kind of identifier which is a binary string that exists in a net, but another way of identifying people is by virtue of the credential that they keep and for me the most effective credential is the private key. Now when you use a private key to authenticate yourself to someone else, or you use someone else's private key to authenticate them to you, all you are really doing is basically saying that the party that I am dealing with is the party that currently holds the private key. So you get one other layer of mapping that has to now take place and that who is this private key supposedly assigned to and who had the trust to make that mapping.
And so if it is Alun, and he has a private key, who is it that basically understood that he is who he purports to be or that Queen Elizabeth is who she purports to be. Somebody has to make an assertion with authenticity. You trust that they made the right judgment but more generally, you know, it is probably going to be an organization that's going to do a little more in‑depth analysis. Most Governments, for example, when they credential their employees they do background checks and they talk to members of their family, friends and relatives and they might do DNA testing. There is various levels of penetration they can get in to to make sure that the party that they are saying maps to this identifier is, in fact, the party that would appear to be. So given that the very first question for me that comes up is, you know, to what extent can information about this identifier be made known publicly and to what extent most information about the identifier keep private, it is a very fundamental question. And along with that comes the question of the extent to which anonymous identity can be sustained in the environment and for what purposes.
There are some activities in life where you cannot easily do them anonymously, like travel around the world. You need a passport and it has to be credentialed usually by a Government entity. They can be forged and you are looking for the proper representation of that credential. Anonymity in the Internet is around and should be around for a long time but on the other hand not for everything. How do you validate an identity? Somebody gives you or you get it by discovery. How do you know that it is the right one? You want to look for Bill's e‑mail and somebody says we run that service and here it is. Now you are trying to have a private discussion. Maybe he can validate himself and you don't care whether they have given you the right e‑mail address, and the first exchange with him remember the thing that we talked about at the last meeting we had and he said what, you are probably wondering whether he has a bad memory or it is not the right person.
Another way to deal with this, normally these identities are given out by organizations. Just generally label as just frameworks or many different terms that are used for. But how do you know that this is a trust framework that you want to depend on to do that mapping. Well, one way to do it is for places that you trust and maintain lists of trusted organizations. If they say this is an organization you can trust, maybe you trust it because you trust that organization. That leads to the next question about how the trusted organizations find out about each other. What do they do to make those determinations. Have they done the in‑depth analysis that you would have expected a given trusted organization to do about somebody they were identifying.
And then the final comment I wanted to make is about interoperability. I think we have to assume we are going to have different ways of identifying things. And there may be different ways to disambiguate one from the other. It will save us a huge amount of grief in the future. And if we put our focus on these metalevel aspects it will serve us very well going forward. People have often asked me why is it that the Internet has been around for so long. I mean if you look at most technologies in the world they come and a few years later they are obsoleted by something else. And the Internet has been here for 40 years and in some way, shape or form will continue into the foreseeable future. It was not about specific technology. I mean the Internet was not about a specific network. It was not about an ATM. It was not about Ethernet. It was not about fiber rings. It was a general mechanism whereby different components could all work together and at that level it is above all the technology. It is what I call a metalevel architecture. But by being at this metalevel you ensure whatever you invest could sustain over time as technology changes and evolves and I think that's a real challenge.
Good metalevel structure for dealing with not only identity but all the mechanisms that assure that identity is valid is what we should be shooting for. Thank you for letting me expound like that. I think that's a good basis for thinking about these problems.
>> LOUISE BENNETT: I think that is an essential basis. Have we got any other remote questions?
>> IAN FISH: This is a comment again from Dee which says that really following on from this particular discussion which was just that she can speak and expect that people to listen to my words without jumping to conclusions by looking at me. So ‑‑ and she also said the bit about which we were originally going to include in our presentation about on the Internet nobody knows you are a dog and I have gone back and said yes, but somebody probably has a profile on that you have a particular type of dog with a specific coloring and that you really love a particular dog food and she said that's why I don't belong to Facebook.
>> LOUISE BENNETT: Okay. And there was another ‑‑
>> RAFID FATANI: Hello. Hi Rafid Fatani, Saudi Arabia strategic consultancy. What was discussed earlier was broader than the Saudi context. We can't take away the importance and the genuine terrorism concerns that come with it. So yes, the privacy is quite important and what I might say now is very controversial. I would take away the right of someone to bring a bible in the country over the death of people in another country. Within a global context terrorism still exists and the quiet of anonymity is important but the right of people's lives if saved via that is crucial.
>> LOUISE BENNETT: I think you are absolutely right. I think in Human Rights it is important that we emphasize the right of the victim or the potential victim.
>> Can I make a comment? I thought that somebody made a good point yesterday in looking at the UN charter of Human Rights. We should be looking at all rights listed in that and making sure that we understood the need for checks and balances, otherwise no point in having a whole charter. You could have a single right.
>> WILLIAM SMITH: If I could follow up on that, the ‑‑ I absolutely agree. At Paypal we want to be able to mitigate crime. That's the group I am in. There are analogies to terrorism and we prefer to keep them separate. It causes people to basically become very heightened emotionally. So we say let's just look at the crime aspects and for us actually it is hard money crime, not even Intellectual Property theft. Let's look at this and see what we can do. Even in that context though we still believe strongly in the right to anonymity and privacy, but we can even without some information make ‑‑ track down and go back on some criminal activity. And I would argue that that can be done as well with terrorism. It is a balance. We have to respect the right of people to be anonymous and we have to be cautious about what that may bring. Those responsible for tracking down crime or terrorism what are the tools available to us and make sure there is a balance there. I think it is possible to do both.
>> LOUISE BENNETT: I think indicating someone, I wasn't seeing who was. Yes. Right.
>> Hi. My name is Alexander. I am an IT consultant. I would like to boil down in shorter form those concerns that were raised by Mariam and the comment from the Paypal representative. For us it is kind of a nightmare. The idea when there will be introduced global authority for identities on the Internet where every person will be required to have one identity because it will make us (inaudible) on the Internet because we need to be anonymous but almost all services will be oriented only on citizens with one identity.
So we will be kind of pushed away from global network. So I would like to ask what Paypal business's identity, it would think about the idea which partly was covered here when our identity would be based on a cryptographic piece when I am as a ‑‑ I as a citizen would be able to generate different keys, identity keys, my sign‑in keys to use for different things. One for Paypal, one for Google, one for my Government.
>> WILLIAM SMITH: So Paypal does not subscribe to the belief of a single identity. So to answer that question I don't think it is a good idea to have a single identity for everything online. When you are dealing with Paypal, though we expect you to be using an identity that we recognize which is a Paypal identity. Stepping aside from ‑‑ with Paypal hat off there are ways to do federated mechanisms where you have certain identities. When you are engaged in certain transactions it is important for people who you are doing transactions to know who you are or to know where your identity came from. The assertion from there there is trust there and the transactions that follow from that or authorized as a result, that the liability flows in the right direction at the right time. So no, we do not subscribe to a single ‑‑ the belief in a single identity. I think that's a mistake. And, you know, with respect to the specific suggestion around different cryptographic, I don't think we have a position on that.
>> LOUISE BENNETT: Thanks. You wanted to pick up on that.
>> Just a quick point. Multiple identities is very good but even Paypal does not really need to know who you really are. All you need to know is that you can pay what you say you can pay. Just like when you are buying something with cash you don't need to prove who you are as long as you can prove your money is good.
>> WILLIAM SMITH: So actually there are times when we do need to know. We are a regulated money transfer agent and we have requirements, reporting requirements when we see certain types of activity. So it is important for us to know. Yes, we can do things more anonymously.
>> PATRICE LYONS: There's also a commercial requirement and legal requirement.
>> WILLIAM SMITH: Legal requirement and commercial requirements as well as a money transfer agent. We have limits on how much we can allow identity, business to engage in before we have to cut it off.
>> PATRICE LYONS: Just very quickly, that legal requirements are one thing. We are discussing what they should be. You need to have that type of requirements, that's the key point.
>> WILLIAM SMITH: Yes. We do. These laws are around money laundering, terrorism and I believe very strongly that yes, we do need to maintain those laws.
>> ANDY SMITH: This is actually quite an important point. There is often only one organization that needs to know your root identity and needs to know who you really are. And that's the Government. And quite often that's not even for criminal prosecution. If you commit a crime, what the law enforcement and judicial process needs to know is that the person that committed the crime is the person they have put in prison. They don't even know you are who you claim to be. They don't care what you are called, but they care the person who committed the crime is the person who is punished. When it comes to online transactions, quite often it is the case that you need to be able to prove that the person performing the transaction is able to accept the liability and is able to pay. There are a lot of laws around money laundering, around criminal fraud, et cetera, which require a level of knowledge of the identity.
But quite often that can be used as long as the organization that's actually performing the financial transactions has access to that information should they need it. The transactions themselves you can use zero knowledge, proof of knowledge, one way trust actually in the transactions. So the identities themselves can be pseudonymous or linked to a root identity. Picking up on one point you made one of the things that we are trying to do, that the British Government is trying to do is look at how you can put authentication systems in place with identity protocol conversion. So rather than trying to get everyone to use the same credentials or the same authentication mechanisms, actually putting in protocol converters so someone can use PKI, someone can use SAML and you have got devices that can accept the trust from one authentication system and pass it on to another authentication system and this will hopefully allow different systems to interact with each other and actually try and get some of these commercial models more stable.
>> I wanted to follow up on Bill's comment what you described is one possible way to proceed. There will be other ways of doing it as well. And we will have to sort them all out. But the example you gave, Bill, about two parties interacting that rely on Paypal, and Paypal identifiers come in to play, it works well when there is a trusted third party that both parties rely on. You are trying to pay somebody and they are trying to accept the money and they accept Paypal as an intermediary. And that's what you see in the mobile telephone world. You go out with a phone. You are registered with, I don't know Verizon, in the U.S. and you show up in Italy and get on Italian Net with a chip that's been backed by Vodafone and it has an agreement with Vodafone and your identity is validated between agreements between other parties. They were essential parties as opposed to ones that you relied on for authentication. Two parties, one has an identity and the other has an identity and they don't necessarily have an intermediate or a set of intermediate parties that are relevant to this particular transaction.
You can push it back in to the mode where they are forced to rely on those but from the research and policy perspective be very interesting to see if two parties can have these transactions directly and be able to authenticate when there is no central party that is guaranteeing identity.
>> LOUISE BENNETT: Have I got any recants?
>> WILLIAM SMITH: To follow up on Bob's point, I agree with you on the research question. I think some things that would be useful potentially are reputation based on identities. And that I could look at your reputation, you could look at mine and decide in some ways, decide whether we will trust each other.
>> Bob: I am willing to trust you directly.
>> WILLIAM SMITH: On the telephone, mobile phones they really do all subscribe to a more or less common agreement though. And in fact, stuff comes through the ITU around payment systems. So the fact that they are a phone company is ‑‑ they agree to exchange information and to make the ‑‑ they are contractually obligated to honor the other.
>> LOUISE BENNETT: Thank you.
>> PATRICE LYONS: There is a nuance on that that I noticed when we came to Kenya. Where you have the identifier associated with the chip and that identifier is used ‑‑ it is registered on the registry of that system. You can pay all sorts of bills and that identifier is essentially the identifier for the individual that they are using for other purposes. But the actual agreements, I never got all the agreements to see how that works but it wouldn't be through the ITU and mobile phone to mobile phone, but they have to have agreements with the electric company and grocery store. It would be a whole complex of things that you would have to work out as far as I am aware. I would have to look in to it further.
>> LOUISE BENNETT: Is there anyone from the Kenyan mobile payment system here that could tell us how it really works?
>> (Off microphone).
>> LOUISE BENNETT: Yes.
>> My understanding on that is that it is the local carrier is the one who is on the hook for the phones. Because having a bank account here is a rarity. But having a mobile phone account is very common.
>> But also, for example, putting given money to a rural area. So they are actually playing banker in some ways, but in doing that there has to be some way to have identification of the actual other party and that's I guess through this registry system.
>> Sophie from the Council of Europe. The point I would like to highlight is this link and this balance with privacy and anonymity. There are different levels in terms of service of Governments. We have seen Mr. Lehu calling for anonymity in e‑Government service. Commercial purposes we just mentioned reputation and take the example of eBay where it is a community that is trusting the other on the fact that users have granted support and trust to someone. Maybe what I like to say is that at a European level we are now revising the legal frameworks both EU and Council of Europe and the question of biometric data is a very sensitive data. It is not yet defined by sensitive data. And I think the whole context of the use of the data has to be studied. And finally I would like to raise the issue of the reliability of the system and of the identity assurance. Thank you very much.
>> LOUISE BENNETT: Thank you. You want to ‑‑ yes.
>> BRIAN HUSEMAN: Hi. I am Brian Huseman from Intel Corporation. There are a lot of technological developments going on with facial recognition technology. But there is also potential benefit of being used in a pro-identity way and pro-privacy. There is technology that is under development that would use facial recognition as a way of encrypting or decrypting files on your computer. Unless your face is in front of the computer then the file would not be decrypted.
>> LOUISE BENNETT: I think that's a very good point. There was a system that started to be used in hospitals in the UK that won an award last year which is facial recognition of doctors and other people who have access to sensitive data. And so they can all be logged on to the same machine. As soon as they walk away and their face is not there no one can see that data and it is closed down and it saves a lot of time and gives privacy to medical records. I think it is a very exciting way of doing it. I use my biometric to log on to my machine. It seems much safer than anything else and it is much quicker. And I think that people often say that biometrics is bad but in privacy it can protect your privacy very well.
>> I am ‑‑ I have done quite a lot of work in biometrics mainly around identification of people traveling across borders. And in Europe a lot of countries have now started implementing automated gates which use facial recognition. And this is actually a really good system. It does improve privacy but also significantly improves security. Because what you have is the facial image stored as a digital image on the chip which is electronically signed using a PKI and you have an automated gate which checks the signature on the facial image. So can be sure that the facial image was put there by the passport authority issuing the passport and does a biometric check of that face against the one that's printed on the page and against the individual standing in front of the gate. Does a three‑way comparison before it lets you through but only comparing the facial images and the information stored on the chip. There is nobody looking at your personal data. You get the benefit of both and more and more you are seeing fingerprints used in recognition systems.
And if you can tie a person's identity to the individual using mutable credentials like biometrics it does make things a lot better because it prevents people stealing the identities or makes it a lot harder to steal the identities because you have to replicate whichever biometrics you use. If you see EHC is being implemented on European passports. With that you got a choice of fingerprints that you use. So if you want to get across the border and they have got fingerprints implemented, you haven't just got to replicate fingerprints of one hand, you have to have both hands to achieve it, which makes things a hell of a lot more secure.
>> I want to point out that these are all mechanisms that can be used, but ultimately you are dependent on a trusted party that can validate the information. The fact that somebody has your image doesn't mean that they are going to necessarily maintain the database that's separate that matches your image with the person you are. And the same somebody could have a DNA reading right from yourself and somebody could have a false DNA database and map it to something else. So even if you can contain it on your own machine, then you become your own authority. You have to say what I am putting in there I am going to vouch for and then rely on it. But ultimately these are mechanisms and they do depend on trusted third parties in order to make them work.
>> LOUISE BENNETT: Anyone who hasn't caught my eye who wants to say something because there is another remote person?
>> IAN FISH: Thank you. Just so you don't think that I am only talking to St. Lucia I am also talking to Brendan Querbas from Syracuse, New York and he wonders ‑‑ he said he missed some of the information. He is curious if U.S. and NSTC came up and how it might be shaping global governance.
>> LOUISE BENNETT: It hasn't come up but Bill is ‑‑
>> WILLIAM SMITH: NSTC has not come up and I am familiar with it. We will see where it goes. It is the U.S. Government making I think a good effort at bringing private industry together with Government. So I don't know that it applies here.
>> LOUISE BENNETT: Right. Is there anyone else who hasn't spoken who would ‑‑
>> ALAN BURR: Hi. My name is Alan Burr. I am an independent consultant. I have listened patiently to all the statements that have been made. I am sad with ‑‑ I am hearing about the ease with the way we are putting our biometric data to make it available and store it online even though we are so aware of the quite serious concerns that exist. Any computer system in the world can be secure against attacks or theft. I raise my question if the comments in some of the ‑‑ sorry, some of the principles upheld here by some of the panelists whether there is indeed support for such a thing as a right to privacy. Thank you.
>> One of the points that you really need to take into account if you are doing biometrics properly, if you are taking fingerprints you don't store the raw fingerprints on the credential. You store the template. That means that someone can't recreate the template. They can steal but they can only steal that template. Templating, digitally signing the biometrics so they can't be used unless they are signed by the correct authority also prevents biometrics being misused. And we were looking at a system where you digitally sign the biometrics as they come off the right reader. Only those with the right keys can decrypt the biometrics. It is a case of putting the protection mechanisms and the more it is used and the more easily they are available on the Internet and the harder it is going to be to regain control of that. But I think the mechanisms that certainly European Governments are putting in with BAC, EAC are addressing these problems.
>> WILLIAM SMITH: So to respond to the comment or question again Paypal believes very strongly in right to privacy. And the other thing I would say is that, and I believe I addressed this in my opening comments, is that when information is required, attribution information is required it should depend or the amount of information that is asked for should be kept to a minimum and what is appropriate for the transaction given the context in which it is happening. So there are times when a simple user name and password is enough. And there are other times that I am going to say no, I need to really know who you are. And as a consumer that's actually going to enhance my privacy even though I am being asked for additional information in my opinion. It is going to enhance my not losing money and potentially lots of other information. For example, access to an information system is being granted to someone who just came in with a simple user name and password, but if instead no, you have to swipe your fingerprint at this point because you want to get your medical record, that enhances my privacy even though I had to use a biometric to get it.
>> RT. HON. ALUN MICHAEL MP: Your point that you are disappointed that you haven't heard something about the conversation and perhaps you should have come in earlier in the case. I wanted to pick up on the question do we believe in the right to privacy. You can't answer that question in general terms. It has to be specific. Privacy for what purpose? What aspect of privacy do you have to compromise in order to be recognized as the person who can undertake certain things where assistance or in commercial transactions? So I think that would take us right back to the beginning of the discussion. There are certain rights that should be universal in terms of privacy, but it is not an absolute right taken on its own as against the rest of the issues that come up. The rights of others as well as the rights of yourself and that takes us back to the point that was made earlier that was raised yesterday about the need to look at the whole of the Human Rights agenda rather than looking simply in silos of individual rights as if any single right can be absolutely absolute whatever the context.
>> LOUISE BENNETT: I think that's absolutely right. Looking at the time I need to wrap up now. And I would like to wrap up by asking a couple of questions and just have a show of hands on a couple of issues. We had quite a lot of talk about whether people should have one I.D. or many I.D.s. Could everyone who thinks people on the Internet should have one I.D., put up their hand? Should be allowed to have many I.D.s.? That's pretty conclusive which is quite helpful. Consensus, yes.
The second point that I'd just like to ask you is do people think looking at our second question that the way to deal with remote I.D.s is through trusted third parties? Do they think that is a route that is worth pursuing? And again those who think that is a route that's worth pursuing in this area could you put up your hands? Little bit less consensus there. It depends. Okay. And those who don't think that ‑‑ well, so I think it is ‑‑
>> (Off microphone).
>> LOUISE BENNETT: No. It is ‑‑
>> Third party should be part of this ‑‑ (Off microphone).
>> LOUISE BENNETT: I think we have consensus on that. Is that a remote ‑‑
>> IAN FISH: Can I have a final word? Dee Williams in St. Lucia wants to thank everyone in this room for an excellent workshop.
>> LOUISE BENNETT: I think I would like to thank the panel who I think have done a very good job. Thank you.