On Tuesday 4 October we organised a Novay networking event called Tuesday Update, with digital identities as the subject. The main topic of discussion was the need for re-usable identities, and especially who should be the identity provider: government or private parties. This is a hot subject in the Netherlands, also because of the recent security incidents (DigiNotar). Hein Aanstoot, director at SIVI, argued very well that the insurance sector increasingly needs a consumer-2-business identity solution, and that if they were allowed to use the national citizen-2-government solution DigiD, this would help insurance companies a lot. This is however not allowed in the Netherlands, and Kees Keuzenkamp from the Ministry of Internal Affairs explained the policy developments in this area (NL and EU), including the planned Dutch eID smartcard (called eNIK, elektronische Nederlandse Identiteits Kaart). The bottom line (in my wording) is that the decision on eNIK will be taken at the end of this year (after which it goes to parliament) and that it is very unlikely that DigiD/eNIK can be used as a generic consumer-2-business identity solution. Hein Aanstoot also gave some insight into a new initiative with several large insurance companies to create a breakthrough in a re-usable identity for the insurance sector; I think it is good for these insurance companies that they do not make themselves (too) dependent on the government or others (banks). I also presented, and gave my perspectives on consumer-2-business identities, why this is so difficult (privacy, trust etc.), the outcomes of our cidSafe project, my views on DigiD (and eHerkenning) and what the role of government should be (especially: solve it or be very clear you're not going to do so). I also presented three innovations we are working on that we believe will increasingly become important: user control over their data, mobile-centric identity and context-enhanced authentication/authorization.
My presentation is on slideshare (in Dutch!).
Last week the Dutch online retail association Thuiswinkel.org published a press release and position paper (in Dutch) on online identity services. The press release contains five recommendations aimed at 'parties in the online identity services area'. I think it is good that Thuiswinkel.org apparently considers this an important subject, and I agree with most of what they state in the recommendations. I do however have some comments on the specific recommendations. I translated each recommendation below and give my comments on each of them.
- Re-use of existing consumer identities, such as login data, bank cards and phones
My comment: yes! This is/was also a key element in our vision for a trustworthy consumer identity in the cidSafe project (see whitepaper and authentication overview). Especially the "existing" in this recommendation is important because of the business case and user convenience implications.
- Choice for online retailers between several providers that each provide universal access to identities, also internationally
My comment: this seemed a bit naive, that there will be several providers that can provide universal access. But checking the explanation in the position paper itself made it clear that they refer to intermediate brokers between the online retailers and the identity providers. These may make life easier, see a previous post on 3 vs 3.5 vs 4 party models.
- The user determines which parts of his identity he reveals, the online retailers determine the desired trust level
My comment: good! Where in many cases revealing "nothing" should be an option …
- Good communication about online identities for users
My comment: absolutely, the question is more the ‘how’, and where the trade-offs are between keeping the solutions simple enough so we do not need to explain too much, and having an open and flexible solution.
- Government should start with a pilot with verified attributes that online retailers can use, including age
My comment: no 😦 see below
The press release, and following press articles such as this one, focus on the online age verification recommendation. This is a hot subject in the Netherlands, also because of legislation on what you cannot sell to minors, e.g., porn, violent video games or gambling to 16 years or younger. In the offline world this can be (but is not always …) checked by the cashier; in the online world there is currently no way to do so. I however disagree with the fifth recommendation for two reasons. The first is that it is more general on the verified attributes than age, and with minimal data disclosure in mind I do not see why this needs to be so general (with post-payment as a possible exception, but more creative things can be done there). Secondly, it assumes a government solution. Why exclude a private market solution? Actually, Novay (in the person of my colleague Bob Hulsebosch) did an impact & feasibility study on using iDEAL for online age verification for online retailers. Our client was a public-private working group from the Ministry of Security and Justice and NICAM. iDEAL is the Dutch online payment service provider for retailers and is used by 81% of Dutch web shoppers. Online retailers would in this case rely on the banks behind iDEAL for age verification. See also this recent article in emerce with an interview with working group lead Willem van Teeseling from Buro 240a. Of course, a private market solution may also benefit from 'encouragement' from the government, but that's not what the fifth recommendation states (contrary to section 6.5 of the actual position paper, which is more in line with my position on this).
Only somewhat related to the above, in the position paper a few sentences discuss combining identity with payment, which would streamline the user experience. We all know: fewer clicks, more convergence, thus this is IMHO a good point: payment providers have an edge as identity providers, especially when it comes to online retail. The point they also make, that the mobile channel needs a user-friendlier identity solution (with less user input), is also very true I think.
I spent most of this week in Munich, at Kuppinger Cole's European Identity Conference. This again had a full program with presentations and panels on digital identity, GRC and, of course, cloud. Some personal highlights were presentations and panels on:
- externalization of authorization (XACML 3.0 won an identity award)
- privacy (including personal clouds/datastores, Qiy won an identity award)
- consumer identity/trust frameworks/OpenID (including an interesting presentation by Andrew Nash from PayPal).
- and mostly the off-sessions discussions with leading people in the digital identity area
I also gave a presentation myself on consumer identity, and participated in a panel. I presented my ideas on government-issued consumer/citizen identities versus doing this through the market via an identity trust framework.
While catching up on reading my favorite blogs, I read Bruce Schneier's blog post on IT security in 2010 (already a couple of weeks old …). Worth the read, especially these quotes:
One old trend: deperimeterization. Two current trends: consumerization and decentralization. Three future trends: deconcentration, decustomerization, and depersonization.
IT security in 2020 will be less about protecting you from traditional bad guys, and more about protecting corporate business models from you.
With decustomerization Bruce refers to the trend that we get IT services for free, but then become the product rather than the customer, e.g., Google or Facebook. Eve Maler also has some blog posts on this, for example "The price of free service".
Together with my colleagues Ruud Janssen and Dirk-Jan van Dijk I have been working for SURFnet to help them decide if, and if so how, they should add a user consent feature to their SURFfederatie identity federation service. See also this previous post on user-centric SAML that describes what we did last year. We continued this year, doing additional user studies, deciding on architectural issues, developing a prototype and doing a pilot. This pilot started two weeks ago, see also a SURFnet news item (Dutch) on this. The pilot is with three of the bigger Dutch universities, and students/employees that go to the selected service providers will be asked to participate in the pilot. They go through the consent pages, and we bother them with two online surveys to get their feedback. It's too early to predict the outcome, but the pilot itself seems to be going well.
At ISSE 2010 I gave a presentation on the current status of this work, the presentation is on slideshare. In December we’ll finalize a report with the outcome of the pilot, after which it’s up to SURFnet to decide if they’ll add this feature to the SURFfederatie.