Looking back at 2011: what was new, and what could have been (IDentity.Next newsletter)

2011/12/21

I wrote an article for the IDentity.Next newsletter that came out today (21 December 2011). It is here, and for convenience, also copied below.

Looking back at 2011: what was new, and what could have been

18-12-2011

With 2011 almost over, the question IDentity.News had for me was to look back at 2011 and say what the new developments were in the area of digital identity. Since I’m in the business of innovation, looking forward is more in my DNA than looking back. And so, a little out of my comfort zone, below are three major new developments of 2011, and also three developments that did not happen in 2011.

1. Trust frameworks – in the US (e.g. NSTIC, OIX), in the Netherlands (e.g. eHerkenning) and elsewhere, trust frameworks are catching on as a way to ensure a fair and trusted ecosystem for providing identity-related services. Experience with large-scale deployment is still limited though. I guess we just have to do and learn. And the alternative to trust frameworks (i.e. government-issued identities) also remains popular (e.g., the new German ID card, the Dutch DigiD/eNIK).

2. Cloud and identity-as-a-service – it seems impossible for a self-respecting event in the area of identity not to spend significant time on the combination of cloud and identity. And something similar seems to apply to identity experts. There is also progress here; especially commercial offerings of identity-as-a-service have been progressing. On making the cloud identity-enabled, things have developed more slowly than I would have expected a year ago. Although I guess everyone (?) agrees that companies want centralized authentication, authorization and provisioning (efficiency, control etc.), adoption of standards is still too limited, which is at least part of the reason this is going slowly.

3. DigiNotar (and other security fiascos in the identity area) – while a disaster for DigiNotar and potentially a huge disaster for an unknown number of Iranians, there is actually a bright side. It resulted in more attention at ‘higher levels in organizations’ for information security and identity. And I’m sure many security consultants had sufficient work in the second half of 2011. The downside of this attention is that I would rather have digital identity associated with ‘enabling online services’ than with security risks.

There are also three developments that did not happen, but could have. I stay close to home for these.

What first comes to mind is that there is still no clarity on the introduction of a Dutch electronic identity card (eNIK), although the responsible Minister of the Interior promised parliament a proposal before the end of the year (still two weeks to go!).

What also did not happen in the Netherlands is the Dutch national electronic health record; instead the Dutch senate seems to prefer faxes, or maybe smoke signals. Not that the proposed law they stopped did not have its flaws from a privacy and authorization perspective. But the proposal could have been improved upon, and current practice is much worse in my opinion. Hopefully the Dutch national health record will continue in another form; there are signs it might.

The third development that did not happen is a breakthrough in a re-usable consumer identity solution on Dutch national or, even better, European or worldwide scale: we still have the same long list of username/passwords for every website that offers personalization.

Maarten Wegdam (principal consultant Novay – IDentity.Next member panel)


Do’s and don’ts for DigiD

2011/12/20

(Image: the new DigiD logo)

DigiD is the Dutch national digital identity solution for citizen-2-government. Although not the most secure solution around, it is one of the more successful ones with respect to actual usage. DigiD is actually not only for e-government services, but also for online services in healthcare and pensions (since those sectors are allowed to use the Dutch social security number). For such a ‘lucky’ company, which is going to use DigiD next to its own identity solution for consumers, we did a series of interviews to determine the do’s and don’ts of implementing DigiD. My colleague Wouter Bokhove was in the lead for this, and published a blog post summarizing some of the main findings. It is in Dutch, and can be found here or, for your convenience, translated below. Amongst others we advised on whether to use the new SAMLv2 interface or the ‘old’ A-Select interface, and on how to use the Levels of Assurance concept.

 

DigiD: good preparation is half the work!

Suppose you are an organisation in the pensions or healthcare sector with a ‘Mijn’ (My) environment where customers can arrange their affairs online. Part of your users have an account for this environment based on a username and password (with all the drawbacks and limitations that brings), but you are looking for a cheaper, more secure and/or more user-friendly alternative.

Is DigiD then the answer? When is it useful to implement DigiD? Why would I still offer my own username/password combination? What is important when implementing a DigiD connection? DigiD has several interfaces; which one should I choose? What will change with DigiD 4.0, which other developments are relevant, and what impact could these changes and developments have on the choices I make now? How do I ensure a future-proof identity architecture that can cope with this?

Novay formulated a number of recommendations for a large Dutch financial services provider that answer these questions. For this we looked not only at the client’s current situation and the publicly available information about DigiD, but also spoke extensively with practitioners from the healthcare sector, system integrators and Logius. In this blog post I briefly describe a few of the recommendations that are of interest to a wider audience:

  • There can be several reasons to want to use DigiD:
    • it becomes possible to offer services that require a higher level of assurance (compared to your own username and password);
    • using DigiD lowers the threshold for customers to use the ‘Mijn’ environment, so more customers will use this (typically cheaper) channel;
    • your own authentication means will be used less, so fewer new identities have to be issued and there will be less load on the helpdesk (e.g. for resetting forgotten passwords);
    • it may no longer be necessary to offer your own authentication means at all (this depends, among other things, on whether all customers are able to obtain a DigiD).
  • A choice must be made between connecting via the ‘old’ A-Select interface or the ‘new’ SAML v2 interface. Using SAML v2 is recommended because it is more future-proof (SAML v2 is an OASIS standard). SAML v2 is supported from DigiD 4.0 onwards (SAML v2 is already available today for DigiD Eenmalig Inloggen, the single sign-on variant). The release of DigiD 4.0 has however been postponed from 1 October 2011 to after 1 April 2012.
  • Although using DigiD, and Logius’s support during the implementation, is currently still free of charge, it is wise to take into account that this will change in due course. At present it is not possible to predict how expensive it will be, or whether the price will differ per level of assurance.
  • Perform a risk inventory of the current and planned services of the ‘Mijn’ environment and determine which levels of assurance they require. For future-proofing it is wise to use the levels of assurance as defined in the European STORK project (deliverable D2.3, written by Novay on behalf of the Ministry of the Interior, BZK).
  • Logius is very strict about its communication requirements, and it turns out that Logius frequently rejects (pre-)production environments that do not meet them. This means a connecting party cannot afford any freedom with respect to the prescribed texts and the use of the DigiD logo.

The above recommendations were drawn up in the period before ‘Lektober’ (the Dutch ‘leak October’ of 2011, in which website security leaks were published daily). Following the recent DigiD-related security problems at, among others, municipalities that came to light as a result, one more piece of advice can be added:

 


Internet banking fraud in the Netherlands: three times more incidents, twice the damage

2011/11/15

The Dutch Banking Association (NVB) publishes internet banking fraud figures, I think twice a year (see also my earlier post on this). Yesterday they announced new numbers, together with a new awareness campaign for the public. The numbers announced yesterday, for the first half of 2011: 2,400 incidents and €11.2M in damage.

I extrapolated these numbers to the whole of 2011 by simply multiplying them by two (which is probably optimistic) and compared them to the 2009 and 2010 numbers. The bottom line is that internet banking fraud is still increasing a lot, with more than twice the damage in 2011 compared to 2010. The relative increase is however less dramatic than from 2009 to 2010, when it increased by a factor of five. The number of incidents increased by a factor of about 3.5, and so there is also good news: the damage per incident decreased (to an average of ~€4,500 per incident). I guess this is because the Dutch banks improved their detection of internet fraud, and are more effective in quickly stopping money mules.

Non-technical countermeasures such as continuing awareness campaigns and the Electronic Crimes Taskforce (which hunts cybercriminals) are needed, but really preventing internet banking fraud also depends on better authentication means and other, more technical measures. What I found somewhat remarkable is that the NVB press release, and also e.g. the article in the Volkskrant (a Dutch national newspaper), talked about ‘old-fashioned’ phishing emails as being a big part of the problem, while I’m personally more worried about malware on consumers’ devices (laptop, smartphone, tablet etc.). An anecdote: a colleague of mine was very recently the subject of an attack involving advanced malware that infected his PC despite up-to-date patches and virus scanners. The malware then waited until my colleague made a transfer, and added a transfer to empty his account to a money mule in Portugal. Such malware is undetectable for ‘normal people’; the browser even indicates a valid website certificate. He however noticed this right after the transfer because the browser was acting strangely, and was able to stop the transfer by calling his bank. I’m however sure that for someone less ‘nerdy’ the browser’s strange behavior would have been too subtle to notice.

The below graphs show the fraud numbers for 2009, 2010 and (extrapolated for) 2011.


Edentiti wins Novay Digital Identity Award!

2011/11/10

Yesterday was the second edition of the IDentity.Next (un)conference, and also the second time Novay put an innovation in the area of digital identity in the spotlight by awarding it the Novay Digital Identity Award. Congratulations to Edentiti, and its founder Kevin Cox!!!

Edentiti is an Australian start-up that does online identity verification. What I personally like most about Edentiti is that they have a very pragmatic approach to identity verification which exploits a range of existing online databases and previously established identities. They provide increasing levels of trustworthiness of the identity verification, where an increase in trust means more hassle for the user (and probably more cost for the service provider), but for many online services a lower level of trustworthiness is already good enough. And in all cases, the service provider doesn’t have to do the identity verification himself, and the user is in control of how his identity is verified. A ‘trick’ they use is that users can verify their identity by proving that they have existing relationships with organizations. For more details, check out this webpage from the greenID verification service that they provide together with a partner.

The photo with this blog post is the award itself. The artist is Alexandra Veneman (from Ommen in NL, the same as for the 2010 award). The wave pattern symbolizes that identity is of all times and all areas. The I and the D of course stand for identity. She used the colour purple from the Novay logo.

I copied the official announcement of the award below.

Edentiti wins Novay Digital Identity Award!

The Hague, November 9, 2011 – At the Identity.Next’11 conference today, the Australian Edentiti has won the Novay Digital Identity Award for the best new concept or product in the field of digital identity. Edentiti provides online identity verification by checking information from various online data sources, and does so under the control of the end user.

Identity verification is the process of verifying if someone is who he or she claims to be. It can be used to prevent identity theft, for age verification where the purchase of alcohol or gambling is concerned and for several other reasons. What the jury found particularly appealing about Edentiti is the efficient and innovative manner in which they rely on existing online identities that a user has, and use these as a basis for identity proofing for new online services. In the system Edentiti offers, individuals can verify their identity by proving they have existing relationships with organizations. Proof is obtained by the individual using the Privacy Principle that says that individuals can ask any organization that might hold personal information on them “Do you have any information about me? Yes or No?”. The number and quality of the “Yes” relationships determine the trust in the verification. Edentiti is also provided through Deloitte Digital under the brand name greenID, addressing Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) legislation.

Herman van der Lugt, director of research institute Novay and chairman of the jury: “It is easier for end-users and less expensive for online businesses than traditional face-to-face identity verification approaches. Additionally, Edentiti lets the individual control the whole process of identity verification, which is a big plus, considering the privacy sensitivity.”

Edentiti has an approach and business model that allows for incremental growth: in number of users, in number of customers and in the level of trustworthiness of the identity verification. The jury believes that their approach has the potential to be expanded to other countries through partnerships. Organizations which use the system include Australia Post, the Australian Superannuation Fund and the National Australia Bank. More on Edentiti’s approach can be found at www.edentiti.com.

Apart from Edentiti, three more organizations were nominated for the award. Qiy (www.qiy.com) is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (www.wayf.dk), a Danish identity federation, connects over 90 service providers with over 130 identity providers in education, libraries, health care and government (including the NewLog-in national authentication system). WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR (www.tiqr.org) is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.

The award is part of the IDentity.Next’11 conference in The Hague, organized by the IDentity.Next foundation that focuses on developments in digital identity. With the award, IDentity.Next and research based ICT consultancy Novay want to recognize and support new developments and innovations that are shaping the future of digital identity. Co-organizer of the conference is EEMA, Europe’s leading independent, non-profit e-Identity & Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the jury is available at www.identitynext.eu.


Nominees Novay Digital Identity Award announced

2011/10/26

The submissions were quite diverse, and from more different countries than last year. Since it was difficult to narrow it down to the intended maximum of three nominees, the jury decided to select four :) My congratulations to edentiti, Qiy, WAYF and tiQR!! The jury is not done though, the winner still has to be selected among the nominees.

Below is the ‘official’ press release, copied from the Novay website.

On November 9, one of four nominees will be granted the Novay Digital Identity Award at IDentity.Next’11. The nominees for the best new concept or product in the field of digital identity are: the Australian edentiti, the Danish WAYF and the Dutch Qiy and tiQR.

Edentiti (http://www.edentiti.com) is an Australian identity proofing system that provides online identity verification by checking information from various online data sources, and does so under control of the user. Qiy (http://www.qiy.com) is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (http://www.wayf.dk), a Danish identity federation, connects over 90 service providers with over 130 identity providers in education. WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR (http://tiqr.org) is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.

Most people have one or more digital identities. As we use more online services, this number increases and the question of who knows what about whom becomes increasingly complex. And then there’s the digital keychain, which yields more annoyance than convenience. With this award, IDentity.Next and ICT research institute Novay recognize and support new developments that will shape the future of digital identities. The jury is chaired by Herman van der Lugt, Director of Novay. The jury also includes Ziggur, last year’s winner. Ziggur provides a service that gives users control over what happens to their online identity after their death.

The award is part of the IDentity.Next conference in The Hague, organized by the Identity.Next foundation that focuses on developments in digital identity. Co-organizer is EEMA, Europe’s leading independent, non-profit e-Identity & Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the program is available at www.identitynext.eu.

 


SIM augmented authentication as alternative for SIM based?

2011/10/20

We recently did an assessment of a so-called SIM augmented authentication token, or VASCO’s new DigiPass Nano product to be more specific. We did this for SURFnet, for which we previously also did an assessment of Mobile PKI. We liked Mobile PKI, but it has a big disadvantage: you depend on your mobile network operator to be able to use it (and in the Netherlands they are not deploying this any time soon). This disadvantage is the main motivation to look at SIM augmented tokens. These are, as the term suggests, added to the SIM card instead of being ‘inside’ it.

So what is a SIM augmented authentication token? Physically it is a sticker with an embedded chip that you stick on your SIM card, so that it sits between the SIM card and the mobile phone. The chip stores a secret used for authentication, which is more secure than storing the secret in a ‘normal’ mobile app. This secret is used by an authentication application that also runs from this chip. This application, from the perspective of the mobile phone, appears to be a normal SIM application, and can work on basically any phone (smart or dumb). The only SIM augmented authentication token that I’m aware of is the above-mentioned DigiPass Nano from VASCO (let me know if you know of others?). The DigiPass Nano implements event-based one-time-password functionality, i.e., it generates a new code every time the user asks for it.
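To make the event-based OTP mechanism concrete, below is an added example (not VASCO’s code, and not from the SURFnet report) of the standard event-based algorithm, HOTP from RFC 4226: a counter on the token advances on every button press, and the server has to cope with presses that never reach it. Whether the DigiPass Nano uses exactly HOTP is not stated on this page, so that is an assumption; the class names, the look-ahead window of 10 and the demo secret (the RFC 4226 test-vector key) are mine.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 reference test-vector key (ASCII "12345678901234567890").
# A real token would carry a per-token random secret provisioned at issuance.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class EventToken:
    """Token side: the counter advances every time the user asks for a code,
    whether or not that code is ever submitted. This is the source of counter drift."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpVerifier:
    """Server side: tracks the next expected counter per token and tolerates a bounded
    number of unused presses via a look-ahead window (RFC 4226 section 7.2)."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.expected = 0          # next counter value the server will accept
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for candidate in range(self.expected, self.expected + self.look_ahead):
            # constant-time comparison so timing does not reveal which digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                # Accepting counter N burns every counter up to and including N:
                # a replay of the same code, or any older unused code, is rejected from now on.
                self.expected = candidate + 1
                return True
        return False


def demo() -> dict:
    """Walk through the drift and replay scenarios; returns the outcomes for inspection."""
    token = EventToken(DEMO_SECRET)
    server = HotpVerifier(DEMO_SECRET, look_ahead=10)

    # The user presses the token three times while hunting through the SIM toolkit menu
    # and submits only the last code. Counters 0 and 1 are skipped; 2 is inside the window.
    unused_1, unused_2, submitted = token.press(), token.press(), token.press()
    first_login = server.verify(submitted)
    replay = server.verify(submitted)       # same code again: rejected
    stale = server.verify(unused_2)         # older never-used code: rejected, counter already burned

    # Drift beyond the window: 15 more presses with nothing submitted, then one submission.
    for _ in range(15):
        token.press()
    drifted = server.verify(token.press())  # counter 18; window covers 3..12, so rejected
    return {
        "first_login": first_login,
        "replay": replay,
        "stale": stale,
        "drifted": drifted,
        "server_expected": server.expected,
    }


if __name__ == "__main__":
    print(demo())
```

The last scenario is the usability point the assessment raises in code form: a user who repeatedly generates codes while searching for the SIM application eventually drifts past the server’s window, and the token then needs an explicit resynchronisation step (typically submitting two consecutive codes) before it works again.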

We did an assessment of the usability, security and business model aspects. Below I copied the conclusions, but the bottom line is that we believe from a security perspective this is a good alternative to other one-time-password solutions, and it is more secure than solutions implemented as a mobile app. The main benefit is that it works on basically any phone (also non-smartphones), and you can deploy it without needing help (and investments) from your mobile operator. The main disadvantage is the user experience. We did some limited testing with putting the sticker on, which was ok, but the user experience of getting a one-time-password can be troublesome. It requires the user to find SIM applications on their mobile phone, which are often hidden somewhere deep in the menus. My estimate is that this usability limitation will need to be addressed for this technology to get acceptance beyond specific enterprise use-cases. Or to put it differently, I’d do very careful usability optimizations/testing before deploying this to millions of consumers.

This assessment was joint work with my colleague Martijn Oostdijk, see his blog for more details on especially the security aspect. The full report of our assessment is available via the SURFnet website. If you’re looking for a wider perspective on the combination of mobile and digital identity, see this previous blog post on our mobile-centric identity vision.

6 Conclusions

The Digipass Nano uses a form factor that is relatively unique in the authentication token market. It is a SIM augmented token, a thin patch/sticker including an embedded chip that sits between the SIM and the user’s mobile phone. The key advantages of this form factor are:

  • secure storage of credentials under a “security domain” that is distinct from the other stakeholders (e.g. mobile operators, handset vendors),
  • while at the same time the ability to use the user-interface of the user’s existing GSM handset,
  • and, potentially, the use of the mobile phone’s GSM or 3G network.

As most users will always carry their mobile phone with them, this means that the token will be present during transactions in many different contexts.

The technology underlying SIM augmentation is based on standards that have existed for a long time, are present in billions of GSM handsets around the world, and have proven to be relatively secure given the threat landscape thus far. The DP Nano does not use all features offered by this technology (it only uses the user interface features, not, e.g., the network features present in GSM 11.14). However, a number of variations of the DP Nano exist (see [10], apparently targeting different markets) which do utilise the networking capabilities of the GSM SIM, and which appear to more strongly bind the token to either handset (“IMEI lock”) or SIM (“IMSI lock”).

On paper, from a technological and security perspective, SIM augmented tokens compare well to other mobile and possession based tokens such as SMS OTP, OTP tokens, mobile soft tokens, and smart cards. As to the security, threats from malware on the handset are minimal as long as the SIM toolkit API interface is properly implemented on the handset.

The user experience may cause some problems for certain groups of users, depending on the issuance and installation process (e.g. whether users are required to install the token themselves). The DP Nano requires the user to navigate through unfamiliar text-based menus in order to start up the application when asked by the SP to provide an OTP. This is the most prominent drawback when compared to e.g. the Mobile PKI experience (as described in [8]), where the authentication application on the handset is triggered over the air.

From a business model perspective SIM augmented tokens are interesting as they separate the role of SIM based authentication provider from the role of MNO. Obviously, being the first of its kind and relying on a server side licensing model and proprietary implementation, whether a choice for the DP Nano provides a positive business case when compared to MNO provided SIM based authentication remains to be seen.

Interesting features to add could be:

  • Lock the token to IMSI or IMEI (possible, according to [10])
  • Use the network to initiate authentication transactions (drawback: implies sending service SMS messages to the token, which may mean cooperation of a MNO or at least per-transaction costs)
  • Use the network as an OOB channel during an authentication session (e.g. to display transaction details, similar drawback as above)
  • Use the network to “blacklist” a token when a token is reported stolen
  • Combine SIM augmented solution with a handset resident application to provide a better user experience (may be dependent on operating system and handset to provide installed apps with an API for communication with SIM)

The latter option is particularly attractive as a way to enhance the security of SURFnet’s tiqr solution (see [11]) and other mobile app solutions.

Since a one-size-fits-all solution to authentication does not exist, in the end SIM augmented solutions will likely find a market alongside authentication tokens with different form factors.


Digital identity in the Netherlands: DigiD for consumer-2-business?

2011/10/05

On Tuesday 4 October we organised a Novay networking event called Tuesday Update, with digital identities as the subject. The main subject of discussion was the need for re-usable identities, and especially who should be the identity provider: government or private parties. This is a hot subject in the Netherlands, also because of the recent security incidents (DigiNotar). Hein Aanstoot, director at SIVI, argued very well that the insurance sector increasingly needs a consumer-2-business identity solution, and if they were allowed to use the national citizen-2-government solution DigiD then this would help insurance companies a lot. This is however not allowed in the Netherlands, and Kees Keuzenkamp from the Ministry of the Interior explained the policy developments in this area (NL and EU), including the planned Dutch eID smartcard (called eNIK, elektronische Nederlandse Identiteits Kaart). Bottom line (in my wording) is that the decision on eNIK will be taken at the end of this year (after which it goes to parliament) and that it is very unlikely that DigiD/eNIK can be used as a generic consumer-2-business identity solution. Hein Aanstoot also gave some insight into a new initiative with several large insurance companies to create a breakthrough in a re-usable identity for the insurance sector; I think it is good for these insurance companies that they do not make themselves (too) dependent on the government or others (banks). I also presented, and gave my perspectives on consumer-2-business identities, why this is so difficult (privacy, trust etc.), the outcomes of our cidSafe project, my views on DigiD (and eHerkenning) and what the role of government should be (especially: solve it, or be very clear you’re not going to do so). I also presented three innovations we are working on that we believe will increasingly become important: user control over their data, mobile-centric identity and context-enhanced authentication/authorization.
My presentation is on slideshare (Dutch!).

 


Hacks will happen, but the damage can be less (DigiNotar)

2011/09/06

Below is a blog post in Dutch (translated here) on the DigiNotar certificate authority hack, and two lessons we can learn from it. The bottom line of the post is that DigiNotar wasn’t the first and won’t be the last certificate authority to be hacked. Although I agree that the PKI system needs to be changed, this will take a long time. In the meantime, since hacks are IMHO unavoidable, we should make sure we do better damage control. Lesson 1 is to make sure there is a very serious obligation for certificate authorities to report hacks (e.g., with prison as the penalty for not doing so). Lesson 2 is that companies should make sure they can switch to new certificates more quickly (so that the now untrusted certificates can be revoked immediately without loss of business continuity, contrary to what is happening now).

Hacks cannot be prevented, dramas can (DigiNotar)

The media are full of the cyber attack by Iranian hackers on the Dutch digital certificate supplier DigiNotar and its far-reaching consequences. Electronic services are paralysed, or at least take a serious hit when it comes to trust. DigiNotar is not the first, and undoubtedly not the last, digital certificate supplier to be hacked. The DigiNotar drama has taught us two things that limit the damage: make sure such hacks are reported immediately, and make sure that companies and government can quickly switch to alternative certificates.

DigiNotar, hacked in July, is in the news every day. Hackers created digital certificates that allow them to impersonate, for example, Google’s email service Gmail, or DigiD (see the Fox-IT report of 5 September 2011). This has major consequences for privacy and trust, because we no longer know which website we are communicating with. DigiNotar, which issues security certificates, is being heavily criticised for reporting the break-in too late. Now, some six weeks after the fact, all certificates issued by the company are being invalidated. The problem is that bona fide users of those certificates, such as DigiD, then have trouble continuing their services. So the hack causes not only security problems (e.g. eavesdropping on internet traffic), but also business continuity problems.

DigiNotar was an audited and certified supplier of digital certificates (see for example this PwC certificate of 1 November 2010), and was known as trustworthy. DigiNotar was hacked despite this certification and these audits, and the Fox-IT report shows that this was because quite a lot was wrong with security at DigiNotar (and not, for example, bribery or ‘bad luck’). It is not the first time a certificate supplier has been hacked; earlier this year the same happened to Comodo. It also looks very much like the same hacker is behind both. There are more than 500 suppliers of digital certificates, and it is only a matter of time before this happens again. There has been, and will be, much discussion about why the DigiNotar hack succeeded, and possibly other certificate suppliers will become more careful. This changes nothing, however, about the fact that 100% security is impossible in the digital world; that applies to certificate suppliers too, and it certainly applies to 500+ of them. I join the many who call for a new system for certificates, see for example Moxie Marlinspike, but at the same time I am sceptical whether this will provide a solution quickly enough and truly structurally.

We can, however, learn two lessons from the DigiNotar drama that help limit the damage after a hack at a certificate supplier. Lesson one is a serious reporting obligation for certificate suppliers. We must change the rules so that a certificate supplier discloses immediately that it has been hacked. Measures can then be taken immediately (read: stop trusting that supplier’s certificates). A reporting obligation is easier said than done, though. A hack becoming known leads to major reputational damage and can easily lead to the supplier’s bankruptcy. A simple reporting obligation will therefore not work. The alternative of not reporting must be made ‘worse’ than this damage. This can be done, as PvdA member of parliament Martijn van Dam also advocates, through criminal prosecution. The problem here is that there are certificate providers all over the world. Dutch legislation alone thus has rather limited influence; at the very least this should be done at the European level.

The second lesson is more about business continuity. Users of certificates must be able to switch to another supplier immediately, so that certificates that are no longer trusted also no longer need to be used, without endangering the continuity of the services. After the DigiNotar hack became known, the PKI Overheid certificates were simply used for a while longer, and minister Donner even got Microsoft to postpone an update that would have told users that these certificates are no longer trusted. This was because the Dutch government and others were apparently unable to switch quickly to other certificates. That is a bad state of affairs. Besides technical measures, the lead time of the registration process is part of the problem: after all, the certificate provider has to verify that the applicant is who he says he is, often through a face-to-face check. This lead time can be avoided, for example, by requesting a certificate from a different certificate provider in advance for critical services.
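The two continuity questions in this lesson, whether an active certificate chain still passes through a CA that has been distrusted and whether a standby certificate from another CA is ready to take over, can be checked automatically for every service. The following is an added example written for this post, not code from DigiNotar, the Dutch government or the Fox-IT report; the CA names, hostnames, dates and the 30-day runway are constructed for illustration.

```python
"""Check the two DigiNotar continuity lessons for a set of services:
stop trusting any chain that passes through a distrusted CA, and confirm a
standby certificate from a different CA is ready so the switch is immediate.

Added example for this post; CA names, hostnames, dates and the runway are
constructed for illustration and are not taken from the Fox-IT report."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# A chain is ordered leaf first; the last element is the self-signed root.
def chain_anchored_in(chain: List[Cert], distrusted: Set[str]) -> Optional[Cert]:
    """Return the first certificate whose subject or issuer is a distrusted CA,
    or None. Every link is examined, not just the leaf: the compromised CA may
    sit above an intermediate whose own name looks harmless."""
    for cert in chain:
        if cert.subject in distrusted or cert.issuer in distrusted:
            return cert
    return None


@dataclass
class ServiceConfig:
    name: str
    active_chain: List[Cert]
    standby_chains: List[List[Cert]]  # chains already obtained from other CAs


def continuity_plan(svc: ServiceConfig, distrusted: Set[str], today: date,
                    min_runway_days: int = 30) -> Tuple[str, str]:
    """Decide what an operator must do for one service.
    'ok'      - active chain involves no distrusted CA
    'switch'  - active chain is distrusted and a usable standby exists
    'exposed' - active chain is distrusted and nothing can replace it"""
    bad = chain_anchored_in(svc.active_chain, distrusted)
    if bad is None:
        return "ok", f"{svc.name}: active chain trusted"
    usable = []
    for chain in svc.standby_chains:
        if chain_anchored_in(chain, distrusted) is not None:
            continue  # a standby from the same compromised CA is worthless
        leaf = chain[0]
        # The standby must outlive the registration lead time of a fresh
        # certificate (face-to-face identity checks); otherwise it only
        # postpones the outage.
        if leaf.not_after - today < timedelta(days=min_runway_days):
            continue
        usable.append(leaf)
    if usable:
        best = max(usable, key=lambda c: c.not_after)
        return "switch", (f"{svc.name}: replace chain via {bad.issuer!r} "
                          f"with standby issued by {best.issuer!r}")
    return "exposed", f"{svc.name}: chain via {bad.issuer!r} distrusted, no usable standby"


# Constructed sample data: one compromised CA, one other CA, three services.
DISTRUSTED = {"CN=Example Compromised CA Root"}  # would come from the CA's disclosure
TODAY = date(2011, 9, 3)                          # constructed reference date


def sample_services() -> List[ServiceConfig]:
    bad_root = Cert("CN=Example Compromised CA Root", "CN=Example Compromised CA Root", date(2020, 1, 1))
    bad_int = Cert("CN=Example Compromised CA Services", bad_root.subject, date(2015, 1, 1))
    other_root = Cert("CN=Example Other CA Root", "CN=Example Other CA Root", date(2025, 1, 1))
    return [
        # Active chain through the compromised CA; standby from another CA with months left.
        ServiceConfig("login.example.nl",
                      [Cert("CN=login.example.nl", bad_int.subject, date(2013, 1, 1)), bad_int, bad_root],
                      [[Cert("CN=login.example.nl", other_root.subject, date(2012, 6, 1)), other_root]]),
        # Same problem, but the only standby expires in a week.
        ServiceConfig("portal.example.nl",
                      [Cert("CN=portal.example.nl", bad_int.subject, date(2013, 1, 1)), bad_int, bad_root],
                      [[Cert("CN=portal.example.nl", other_root.subject, date(2011, 9, 10)), other_root]]),
        # Never depended on the compromised CA.
        ServiceConfig("www.example.nl",
                      [Cert("CN=www.example.nl", other_root.subject, date(2013, 1, 1)), other_root],
                      []),
    ]


def run_report(services=None, distrusted=DISTRUSTED, today=TODAY) -> dict:
    """Map each service name to its continuity status."""
    services = sample_services() if services is None else services
    return {svc.name: continuity_plan(svc, distrusted, today)[0] for svc in services}


if __name__ == "__main__":
    for svc in sample_services():
        print(continuity_plan(svc, DISTRUSTED, TODAY)[1])
```

The point of the runway check is the lead time the post mentions: a standby that expires before a replacement can be registered only moves the outage, so it is not counted as a way out.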

Meanwhile there are also voices calling for a larger role for the government in this. That is a lesson that, in my view, cannot be drawn from this drama. What should and can be done by the government and what by business is a nuanced trade-off, and security incidents also occur, and will keep occurring, at the government itself.

Another lesson we cannot draw is that e-services cannot be made secure enough. The risk assessments and measures do require more attention from both politicians and the higher management layers of business. The positive side of this DigiNotar break-in, but also of, for example, the recent break-in at the Sony PlayStation Network, is that they are so public that this attention is finally coming.


Submissions for Novay Digital Identity Award 2011?

2011/08/09

If you are working on an innovation in the area of Digital Identity: my employer (Novay), in collaboration with the IDentity.Next (un)conference, will grant the Novay Digital Identity Award for the second year now. Last year’s winner was Ziggur, a company that innovates our digital death… I’m organizing this award (but I am not in the jury, so influencing me will not help you get the award :) ).

The deadline is October 11. For more information, see http://www.identitynext.eu/award.php or below.

Submissions wanted for Novay Digital Identity Award 2011

On November 9, the Novay Digital Identity Award will be granted to the best new concept or product concerning digital identity. The award is part of the conference Identity.Next’11 in The Hague. With the award, Identity.Next and ICT research institute Novay want to recognize and support new developments that are shaping the future of digital identity. Submissions are welcome until October 11.

The conference on November 9, 2011 is organized by the IDentity.Next association, a non-profit organization on Digital Identity, in cooperation with EEMA, Europe’s leading independent, non-profit e-Identity & Security association. Identity.Next will bring a program with top experts, professionals and industry stakeholders to discuss the world around Digital Identity and best practice. The (un)conference will consist of debates, workshops, and presentations in four tracks: ‘Social consumer’, ‘Mobile-me’, ‘Private Eye’ and ‘eCitizen’. The award-winning concept the organization is looking for should relate to one of these themes.

Innovative concepts, projects and products on digital identity can be submitted for the award until October 11, 2011. Submissions will be judged by a jury, chaired by Hermen van der Lugt, CEO of Novay. Criteria include innovativeness (technological as well as business model); success & impact; how the privacy aspect is dealt with and added value for users and for stakeholders.

For more information, including jury members, factsheet and submission form, see http://www.identitynext.eu/award.php.


Consent from the EU legal perspective

2011/07/27

The Article 29 Data Protection Working Party wrote an opinion on the definition of consent. Not everything this Working Party produces is of interest to me, or even understandable (‘too’ legal for mere mortals). I did however find this opinion interesting, since it describes when consent is needed from a legal perspective (based on the Data Protection and e-Privacy Directives), and it has examples that make it relatively easy to interpret. In my work in this area I usually take the user’s perspective on consent (e.g., on consent for the SURFfederatie) and how to enforce it (architectural/technical perspective), but a legal perspective is of course also needed.

The statement in the summary that especially got my attention was that if consent is used incorrectly, the data subject’s control becomes illusory. I couldn’t agree more: consent cannot be used as an excuse, in some cases a different legal ground is needed, and consent should be informed, freely given, etc. I do however want to make the point that even in cases where privacy law requires a different legal ground for data exchange than consent, it does not forbid additionally asking for consent. I therefore argue that the decision whether and how to offer consent should be primarily based on whether users want it.

Below I quote and interpret parts of the opinion that I found most interesting, and further motivate my position on doing consent-even-when-not-legally-needed.

… obtaining consent does not negate the controller’s obligations under Article 6 with regard to fairness, necessity and proportionality, as well as data quality. For instance, even if the processing of personal data is based on the consent of the user, this would not legitimise the collection of data which is excessive in relation to a particular purpose.

Consent is related to the concept of informational self-determination. The autonomy of the data subject is both a pre-condition and a consequence of consent: it gives the data subject influence over the processing of data. However, as explored in the next chapter, this principle has limits, and there are cases where the data subject is not in a position to take a real decision. The data controller may want to use the data subject’s consent as a means of transferring his liability to the individual. For instance, by consenting to the publication of personal data on the Internet, or to a transfer to a dubious entity in a third country, he may suffer damage and the controller may argue that this is only what the data subject has agreed to. It is therefore important to recall that a fully valid consent does not relieve the data controller of his obligations, and it does not legitimise processing that would otherwise be unfair according to Article 6 of the Directive.

Or in my wording: if a data processor has obtained consent, this does not mean the data processor can do whatever he wants with the data. The usage of the privacy-sensitive data still has to be reasonable, the data processor still has a liability, and, last but not least, the person has to be in a position to really make a decision.

Transparency is a condition of being in control and for rendering the consent.

Or in my wording: without insight there is no actual control.

There are in principle no limits as to the form consent can take. However, for consent to be valid, in accordance with the Directive, it should be an indication.

The form of the indication (i.e. the way in which the wish is signified) is not defined in the Directive. For flexibility reasons, “written” consent has been kept out of the final text. It should be stressed that the Directive includes “any” indication of a wish. This opens the possibility of a wide understanding of the scope of such an indication. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller. The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).

Or in my wording: consent can be implicit in an action, but not implicit in doing nothing.

Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.

In several opinions, the Working Party has explored the limits of consent in situations where it cannot be freely given. This was notably the case in its opinions on electronic health records (WP131), on the processing of data in the employment context (WP48), and on processing of data by the World Anti-Doping Agency (WP162).

Or in my wording: consent given in a situation where the person did not really have a choice is basically no consent, and another basis for processing the data is needed. I guess the consent could be considered a form of confirmation that the person was at least informed, but the opinion does not state that explicitly.

To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.

To be specific, consent must be intelligible: it should refer clearly and precisely to the scope and the consequences of the data processing. It cannot apply to an open-ended set of processing activities. This means in other words that the context in which consent applies is limited.

Consent must be given in relation to the different aspects of the processing, clearly identified. It includes notably which data are processed and for which purposes. This understanding should be based on the reasonable expectations of the parties. “Specific consent” is therefore intrinsically linked to the fact that consent must be informed. There is a requirement of granularity of the consent with regard to the different elements that constitute the data processing: it can not be held to cover “all the legitimate purposes” followed by the data controller. Consent should refer to the processing that is reasonable and necessary in relation to the purpose.

The need for granularity in the obtaining of consent should be assessed on a case-by-case basis, depending on the purpose(s) or the recipients of data.

Actually, this one does not help me much. Completely open-ended consent is of course not valid, but there are many gray zones here. I guess doing a user survey on what users expect the consent would reasonably include would be an approach, but I don’t know if that would hold up in court.

“consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action. The individual concerned must be given, in a clear and understandable manner, accurate and full information of all relevant issues, in particular those specified in Articles 10 and 11 of the Directive, such as the nature of the data processed, purposes of the processing, the recipients of possible transfers, and the rights of the data subject. This includes also an awareness of the consequences of not consenting to the processing in question”

Two sorts of requirements can be identified in order to ensure appropriate information:

• Quality of the information – The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is “informed”. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.

• Accessibility and visibility of information – information must be given directly to individuals. It is not enough for information to be “available” somewhere.

I do not understand the difference with transparency, but it certainly makes sense that consent needs to be informed. This is in my opinion also very difficult in reality, since users will often not be willing to spend time and attention on being informed. There are trade-offs here. I think that in current practice the quality-of-information requirement is violated by long legal texts that no one wants to read or is able to understand.

As time goes by, doubts may arise as to whether consent that was originally based on valid, sufficient information remains valid. For a variety of reasons, people often change their views, because their initial choices were poorly made, or because of a change in circumstances, such as a child becoming more mature. This is why, as a matter of good practice, data controllers should endeavor to review, after a certain time, an individual’s choices, for example, by informing them of their current choice and offering the possibility to either confirm or withdraw. The relevant period would of course depend on the context and the circumstances of the case.

This is what we call “timed consent”. I didn’t realize this was a good practice from a legal perspective :) Our primary motivation for introducing timed consent is also different: we did it because people will forget what they consented to, not because they changed their mind or their circumstances changed.
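Several of the quoted requirements, consent as an explicit action rather than something inferred from inaction, consent specific to a declared purpose rather than blanket, and the timed review described just above, translate directly into how a consent function has to store and evaluate a user’s choice. The following added example, which is not the SURFfederatie pilot’s code, shows a minimal consent store that enforces these rules; the purposes, subject identifiers, accepted signal names and the one-year review period are constructed assumptions.

```python
"""Minimal consent store enforcing three rules from the opinion: consent is an
explicit action (inaction is not consent), it is specific to one declared
purpose (no blanket consent), and it is timed (due for re-confirmation after
a review period, which the post calls timed consent).

Added example for this post, not the SURFfederatie pilot's code; purposes,
subject ids, accepted signal names and the review period are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


class ConsentError(ValueError):
    """Raised when a request cannot produce valid consent."""


@dataclass(frozen=True)
class Purpose:
    id: str
    description: str             # plain-language text shown to the user
    attributes: Tuple[str, ...]  # the data items this purpose covers


@dataclass
class ConsentRecord:
    purpose_id: str
    given_on: date
    withdrawn_on: Optional[date] = None


# Only these count as "an indication of a wish"; dismissing a dialog without
# answering is deliberately absent (assumed signal names).
AFFIRMATIVE_SIGNALS = {"checkbox_ticked", "button_clicked"}


class ConsentStore:
    def __init__(self, purposes: Iterable[Purpose], review_after_days: int = 365):
        self.purposes: Dict[str, Purpose] = {p.id: p for p in purposes}
        self.review_after = timedelta(days=review_after_days)
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record(self, subject: str, purpose_id: str, signal: str, today: date) -> None:
        """Store consent for exactly one declared purpose."""
        if signal not in AFFIRMATIVE_SIGNALS:
            raise ConsentError(f"{signal!r} is not an affirmative indication")
        if purpose_id not in self.purposes:
            # Rejects blanket purposes such as "*" as well as unknown ones.
            raise ConsentError(f"undeclared purpose {purpose_id!r}; consent must be specific")
        self._records[(subject, purpose_id)] = ConsentRecord(purpose_id, today)

    def withdraw(self, subject: str, purpose_id: str, today: date) -> None:
        rec = self._records.get((subject, purpose_id))
        if rec is not None and rec.withdrawn_on is None:
            rec.withdrawn_on = today

    def status(self, subject: str, purpose_id: str, today: date) -> str:
        """'none', 'withdrawn', 'review_due' or 'valid'."""
        rec = self._records.get((subject, purpose_id))
        if rec is None:
            return "none"
        if rec.withdrawn_on is not None:
            return "withdrawn"
        if today - rec.given_on >= self.review_after:
            return "review_due"  # timed consent: ask to confirm or withdraw
        return "valid"

    def may_release(self, subject: str, purpose_id: str, today: date) -> bool:
        """Release data for a purpose only on current, specific consent."""
        return self.status(subject, purpose_id, today) == "valid"

    def due_for_review(self, today: date) -> List[Tuple[str, str]]:
        """Subject/purpose pairs whose consent should be re-presented."""
        return [key for key, rec in self._records.items()
                if rec.withdrawn_on is None and today - rec.given_on >= self.review_after]


# Constructed purposes in the style of a federated login.
PURPOSES = [
    Purpose("course_lms", "Send your name and student number to the course learning system",
            ("name", "student_number")),
    Purpose("library_sso", "Send your e-mail address to the library portal", ("email",)),
]


def demo() -> dict:
    """Walk one subject through the rules and return the observed outcomes."""
    store = ConsentStore(PURPOSES, review_after_days=365)
    t0 = date(2011, 9, 1)
    out = {}
    store.record("s123", "course_lms", "checkbox_ticked", t0)
    out["valid_next_day"] = store.may_release("s123", "course_lms", t0 + timedelta(days=1))
    out["status_after_400_days"] = store.status("s123", "course_lms", t0 + timedelta(days=400))
    out["due_count_after_400_days"] = len(store.due_for_review(t0 + timedelta(days=400)))
    for purpose, signal in (("library_sso", "dialog_dismissed"), ("*", "checkbox_ticked")):
        try:
            store.record("s123", purpose, signal, t0)
            out[f"accepted_{purpose}"] = True
        except ConsentError:
            out[f"accepted_{purpose}"] = False
    store.withdraw("s123", "course_lms", t0 + timedelta(days=10))
    out["release_after_withdraw"] = store.may_release("s123", "course_lms", t0 + timedelta(days=11))
    return out


if __name__ == "__main__":
    print(demo())
```

The store keys consent by (subject, purpose) rather than by subject alone, which is what makes the granularity requirement enforceable: a release for one purpose can never ride on consent given for another.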

What becomes clear in the opinion is that simply asking for consent is often not enough. There has to be an actual choice, and the data processor has to provide a different legal ground if this choice is not there. This is also argued in this blog post by Andrew Cormack (JANET). Although I, of course, agree with this, I do not think this means that a consent functionality is not beneficial in cases where a different legal ground is needed.

To make this more specific, take the consent-from-a-user-perspective pilot we did as an example. In this case, in the SURFfederatie, personal information is exchanged between universities and service providers. Some of the provided services a student simply has to use to be able to complete a course. In that case there is little choice, and a different legal ground for the data exchange is needed (and I think there is one). However, I believe there is added value in still offering a consent question during the login user experience because:

  1. The users are informed that this exchange takes place, which in my opinion is a goal in itself.
  2. There are also services for which the user does have a choice, where consent is needed as the legal ground to exchange data, and we need a consistent user experience across all services.
  3. Last but not least: users appreciate the consent question, as our research showed (85% in our pilot).

Or to make it as simple as I can (repeating my earlier statement): even in cases where privacy law requires a different legal ground for data exchange than consent, it does not forbid additionally asking for consent. I therefore argue that the decision whether and how to offer consent should be primarily based on whether users want it.

