Enterprises increasingly require credentials with a higher level of assurance for authentication. How do enterprises inspire trust in users? How do they convey that identity management solutions value and uphold privacy best practices and regulations? Jenn will highlight how the application of a user-experience discipline intersects both legal and trust issues surrounding cloud-based applications. Discussion will underscore legal advantages of user-centric identity management as an authentication compliance strategy. The industry goal of improving trust of a solution by focusing on user control will also be linked to consumer and relying party adoption as a market-differentiating privacy risk mitigation strategy.
3. Agenda
› Abstract
› Background
› Strategic privacy
› How to start?
› UX & UC
› Privacy toolbox
› Making the link
› Legal Implications/Advantages
4. Background
LDSS/VDSS experiences
• Working with vulnerable but savvy populations
• Providing all sorts of PII to all sorts of people
• Dependent upon a trust relationship
IRB (Institutional Review Board)
• Ethics training (academic/professional) in collecting and handling of human data
• “ensure(s) that human research involving VDSS clients does not violate a client’s right to privacy and protects them from harm or risk. The board reviews research proposals and data requests to determine how federal and state human research subject regulations apply to proposed research activities” (www.dss.virginia.gov/about/irb.cgi)
NSTIC (National Strategy for Trusted Identities in Cyberspace)
• CSDII (Cross-Sector Digital Identity Initiative)
• PEM
• IDESG Privacy Coordination Committee
• CIPP/US, CIPM, CHPSE
5. Strategic Privacy?
› Holistic approach
› Get out of the silo and compliance tunnel
› Incorporate multiple disciplines into privacy, including
security measures and user-experience methodology
› Consider cross-sector/industry standards and innovations
› Don’t overcomplicate matters
› Tell the truth (don’t lie)
› Meet the business needs
› Comply with regulations
› Leave the control of the information to the rightful owner
› Think like a user
6. What’s the problem?
› Historical context: Businesses are realizing the breadth of
scope of privacy relevancy to industry collection, handling
and disposal of personal information.
› Current landscape: With a combination of increasing investigative
efforts, administrative promulgations, and the public’s
heightening sense of awareness and expectancy of certain
privacy controls, businesses are evolving their ad hoc
approach to a more advanced and robust privacy
protocol.
› Need: Organizations are starting to recognize the need for
comprehensive privacy programs and integrated privacy
and security policies and practices. Policies are maturing
into strategic approaches to applying privacy
principles through a graduated series of steps ranging from
remediation to compliance to commitment. What does
this look like?
7. Proposed Solution:
› Let’s start a discourse around strategic
application of particular practices industry
and agencies may employ to earn, retain
and resolve the public’s trust issues
› Focus on the maturation of a consent
process to a strategy of user-authorization
as incorporated by Cloud services
› Interweaves user-centric design as key to a
sound authorization practice
› Identifies legal consideration and
implications
8. So how do I start?
› Remember the goal – have people want
to use your service or product which
means keep them coming back which
means earning their trust – these days that
means being up front and fair about
privacy policies and practices
› How do I do that?
› Let’s explore some of the common
privacy practices interwoven with UX
methodology and see where that gets us…
9. User What?
› User Experience (UX) is a data-driven strategy for making
interactive products that meet the needs of the people
who use them. It results in greater user adoption and use,
increased revenues, reduced costs, and if applied early
and consistently in the end-to-end product development
cycle it results in shorter time to market.
› User-Centric Design (UCD) is the operational and tactical
approach to implementing a UX strategy. UCD has dozens
of techniques, best-practices, and principles that can be
applied to the concept-development, user research,
product design, and evaluation of existing products and
products under development.
10. UX Principles for Identity
Management Products
› Truth – Don’t lie to users!
› Who – Let users know who they are interacting with at any given
moment
› Visible – Make as much of the interaction as possible visible to the
user
› Predictable – Ensure that the interactions are predictable to users
› Trustworthy – Design interactions with product/company to support
trust
› Valuable – Give users a reason to believe sufficiently enough to
adopt and use the product ecosystem
› Efficient Data Requests – Design systems to request information from
users once
› Language – Use the user’s language, not techno-lingo or
legalese or privacy-geek-babble
› Remedy – Fix the product, not the user
› Perspective – Remember: the user’s goal is not your goal
11. Privacy Toolbox
› Practitioners of any discipline know that
there are particular tools that are better
suited for certain works than others to
accomplish specific jobs
› Several well-vetted privacy risk mitigation
tools are used by businesses and government
agencies today:
› Transparency
› Authority
› Auditing & Security
› Consent (the old stand-by!)
12. Consent – Get out of jail free
card?
› Consent is “permission, approval, or agreement; compliance;
acquiescence.” (www.dictionary.com; noun; #3)
› Privacy risks are thought to be mitigated or lessened when consent is invoked in
an identity management solution.
› What is consent supposed to do for users of Cloud systems?
› Usually invoked once at the front page or first visit
› Usually a compound action
› Mostly all or nothing, with absolute consequences
› Complicated with legalese
› Related to the user’s interaction with the website or service, but not the activity of
the data or information between organizations
› So, with that, does consent really meet the privacy principles of transparency,
individual participation or individual control?
› Contemporary research into what consent accomplishes points to the need to
provide an opportunity for authorization for transactions in addition to the consent
process.
13. Authorization is different than
consent?
› Authorization is the more granular process of
granting or denying specific requests for
access to resources. (IDESG Core
Operations).
› Why is this differentiation between consent
and authorization important?
› How does the incorporation of
authorization into the consent process
realize strategic privacy risk mitigation?
› How does this increase user trust and satisfy
legal implications of digital identity?
14. Authorization as a privacy
tool?
› Achieve transparency, adequate notice,
individual participation and individual control
› Mitigated risks
› breach of trust
› distortion
› exclusion
› induced disclosure
› loss of liberty
› power imbalance
16. How does a trusting user satisfy
my company’s legal risk?
17. Legal Considerations
› Enabling each identity owner to exercise
control over the use and usage of her identity
reflects and establishes minimum criteria for
issuing, validating, and securing interoperable
digital identities.
› This ensures that communications, digital
identities, and records are reliable and resistant
to fraud and manipulation
› Legal controls considered include
› Reliable identities
› Independently verified digital signatures and
records
› Authoritative Source Record
18. Legal Advantages
› Enables compliance with LoA3 credential
assurance level requirements
› Enables user-centric control of digital
identity
› Enables custodians of records in the cloud
to fulfill legal control obligations
› Enables compliance with signing
requirements
19. Legal Advantages to User-
Centric Identity Management
› The strategic management of digital identity and privacy risk in the networked
Cloud environment must be based on evidentiary requirements for and user-
controlled methods of identification and authentication.
› For a digital identity to be deemed legally interoperable over time
› Must be standards-based
› Capable of enabling strong two-factor authentication for access
› Capable of logging of all uses
› Capable of detecting alterations
› Ensures relying party compliance with applicable confidentiality and
evidentiary requirements
› Network economics depend on clear legal rights in the form of access and
use rights to systems and records.
› Interoperable digital identity gives users the capability of exerting legal control to
prevent unauthorized collection, use, and dissemination of personal information
in the acts of identification (i.e. linking a specific person to data) and
authentication (proving that the person is who she claims to be) and for
detecting content-level changes to records stored in the Cloud.
21. Contributors
› Jenn Behrens specializes in privacy, governance, and identity
management solutions. She was the Commonwealth of Virginia’s "Data
Maven" for her expertise in information management for departments of
social services. Jennifer was recently the Director of Privacy and
Compliance with ID.me; she currently leads privacy compliance for
multiple NSTIC pilots, and is the IDESG Privacy Coordination Committee
Chair. She may be reached at jenniferbehrens1977@yahoo.com.
› Tim Reiniger is an attorney currently serving as Special Advisor on Digital
Identity for the Commonwealth of Virginia. As Director of the Digital
Services Group of FutureLaw, LLC, in Richmond, Virginia, he specializes in
digital identity strategy and policy development and information
assurance protocols. He is a member of the ABA’s E-Discovery and
Digital Evidence Committee and is licensed to practice in California,
New Hampshire, and the District of Columbia. He can be reached at
treiniger@futurelaw.net.
› Darren Kall manages SecurityUX, a division of KALL Consulting, which
works with technology and technology-enabled companies. SecurityUX
designs or improves the user experience of security, privacy, and identity
management in products or enterprise implementations. By making
products more usable and more secure for all types of users, user-centric
design increases user adoption, productivity, and corporate revenues.
To discuss your products, Darren can be reached
at darrenkall@kallconsulting.com or darrenkall@secux.com.