Mission statement idplatform.eu

1. How to prevent the World Wild Web Identity Crisis By idplatform.eu a non-profit organization in the process of foundation Presented by Helmer Wieringa Contact details: [email_address]

4. Privacy?!... I don’t care; I have nothing to hide…

5. WANTED: YOUR IDENTITY BY Criminals Government Employers Business Relations Service Providers Family & Friends TO CONTROL YOU

6. But first some definitions… Identity Personal information Privacy

7. There are two sides of the identity coin…

8. idem identity, meaning an identity based on an arrangement; the purpose is persistent identification Idem identity Individual

9. ipse identity meaning the way you are identified and categorized by your self and others; the purpose is the construction of the self See summary of Future of Identity In the information Society FDIS The concept identity Ricoeur ; Beller ; Leerssen Ipse identity Individual

10. What includes personal information ?

12. Many definitions of privacy here follows just one…

13. An individual's privacy is their ability to control the flow , boundary , and persistence of their personal information*) *) Privacy in the Clouds A. Cavoukian

14. So, do you want still to be identified without knowing this and why and to be constructed by others?

15. I still don’t care That’s fine but stop listening to or reading of this presentation

16. We return now to the daily problems...

17. Users hate to register for services and are frustrated by lengthy enquiries and often back off

18. Users can’t remember user names and passwords

19. … and have on average hundreds of those user/name password combinations

20. Users are exposed to the risk of identity theft The number of US adult victims of identity fraud 8.4 million in 2007. Total one year fraud $49.3 billion in 2007 The mean fraud amount per fraud victim $5,720 in 2007.

21. Users don’t read privacy policies and don’t trust service providers anyway…

22. … and they are right… service providers change privacy policies without notification

23. Individuals have no idea what others think to know about them and why

24. It is often impossible to unsubscribe from e-newsletters

25. Often impossible to correct personal information in databases Kowsoleea is een Nederlandse ondernemer van Surinaamse afkomst die ten onrechte bij veel overheids- instanties te boek stond als een harddrugscrimineel . De reden hiervan was identiteitsfraude: een verslaafde aan verdovende middelen gaf zich met regelmaat voor hem uit. De overheid slaagde er niet in om de negatieve en zeer belastende registraties op naam van meneer Kowsoleea op de juiste naam, namelijk die van de echte dader te zetten .

26. Spam is distributed by the use of your own email address

27. Service providers - even with “good” reputation - track your behavior across websites by use of super cookies ...

28. ... only to be removed by special browser add-ons like Better Privacy for Firefox

29. Privacy legislation is too complex and is an obstacle for business and innovation; projects with insufficient privacy are rolled back.

30. Most organizations are not able to protect confidential data; information breaches are daily news

31. April 30, 2009 State officials are notifying more than a half-million Virginians that their Social Security numbers may have been contained in a prescription drug database that was targeted by a computer hacker April 30 . The hacker gained access to the Prescription Monitoring Program computer system, which is designed to deter prescription drug abuse, and demanded a $10 million ransom . The hacker has not been identified Virginia patients warned about hacking of state drug Web site http://hamptonroads.com/2009/06/officials-hacker-may-have-stolen-social-security-numbers

32. “ Almost one in five businesses in the UK has unwittingly breached the Data Protection Act meaning illegal data transfer to third party” according to research of the British Standards institute

33. Enforcement of privacy legislation is practically impossible

34. IN SHORT: IT IS A MESS

35. We need fundamental change…

36. To summarize: we should reduce the cost and effort for…

37. … user enrollment and participation in a community, by improving usability and transparency about what is agreed on

38. … users to cancel a service and give them assurance that they can….

39. … leave without a trace and fear of stalking, r esulting in more trust and openness

40. users to correct their personal information, by offering read/write access on their data

41. … service providers to effectively engage prospects and increase # of registrations , by rigorous standardization of procedures

42. … users to receive relevant and effective service and information by giving them control to define their needs in a consistent way.

43. … service providers to distribute targeted and effective information

44. … service providers to comply to data protection legislation

45. … service providers to design innovative personalized services by removing privacy headaches out of development projects

46. … service providers to regain trust by their users by embedding privacy enhanced technology

47. … providing transparency for users regarding service providers behavior by easy to understand standard notifications PRIVACY HIGH PRIVACY MEDIUM PRIVACY LOW PRIVACY ASSURED

48. … governments to enforce data protection and privacy legislation by embedding real-time auditability

49. All these improvements are necessary for two-way trust and effective communication

52. The problems have been predicted by writers, philosophers but have been actually addressed since 1970 in the information technology domain.

53. Explosion of activities to solve the problem…

55. And no surprise: no consensus yet

58. … which is a critical success factor for any digital identity system to be built

59. … ignoring this lesson will result in projects doomed to fail

61. … so compliance to legislation should be embedded in the technology without losing the freedom of the current Internet practice

64. … service providers should adopt the just-enough-data-to-do-the job principle and work with partial identity

66. … and develop a practical and feasible approach for semantically interoperability (shared profile)

68. Introduce the concept Certified Open Identity Provider which…

69. … acts on behalf of the individual

70. … is a trusted custodian of a part of individuals personal information

71. … can be compared to a financial bank : protecting personal information instead of money

72. … is intermediary for all personal data transactions

73. … should also be able to assure anonymity of users

74. … should provide personal information to third parties only with explicit consent of the user

75. … should store the history of personal information transactions, only to show the user who knows what about me

76. … notify me when a service provider is changing a privacy policy

77. … should - if desired - send legal request to delete information about me, as part of a service cancellation

78. Service providers can outsource a lot of data protection and privacy compliance headaches to an Identity Provider

79. … and focus on their core services

80. Some rules and principles for identity providers

81. Everybody is allowed to act as an Identity Provider…

82. … but there should be some rules…

83. … IDPs should be certified by an organization which is installed by government but independent of it (like the legal power)

85. Users can choose a Identity Provider they trust and should be able to switch/migrate data to another Identity Provider if they wish

86. Expectation: individuals will use 5-10 Identity Providers for special domains like travel.id; volunteers.id; financial.id; care.id, ngo.id, governement.id

87. Still a lot to remember but better than hundreds of passwords

90. Alice stumbles upon an access controlled site schools4africa.com which is member of i2c.com federation

91. Alice enters only i2c.com in a login field on the site school4africa.com and clicks on the let me in button I2C.com Let me in Schools4africa is member of i2c learn more>>>

92. … .meaning: hey schools4africa.com, you don’t know me yet, but let me in quickly the guys at i2c.com know some information about me

93. School4africa.com notices some knocking on the door, it is a stranger which is claiming to be member of i2c.com

94. Schools4Africa.com goes to i2c.com verify the identity of the stranger and requests do you know this person?

95. Two possibilities A. Alice is already logged on at i2c.com B. Alice is not yet logged on at i2c.com

96. If Alice is not logged on at i2c.com, 12c.com just requests to log on in traditional way user name/password

97. I2C.com does knows Alice’s identifying personal information

99. By the way: Alice does trust I2C because they assure privacy PRIVACY ASSURED

100. I2C.com confirms to Schools4Africa: we know the stranger knocking at your door, what do you want to know about this person?

101. Schools4africa to i2c.com: that is great, we need only information about the profession and nationality and the right to contact Alice. Can you ask this on our behalf to Alice?

102. I2C.com to Alice: For getting access to Schools4Africa this site would like to know the following information: Profession = “ school director ” Nationality = “ Gambia ” and they would like also the right to contact you Alice is that ok with you? … just click OK

103. I2C.Com to Alice …and by the way we don’t provide any further information to schools4africa other than an unique, dedicated reference number only known to you and schools4africa an us…

104. Assume this number to be an unique number representing your relationship with schools4africa; by the way you don’t have to remember this number : i2c does this for you Your relation number at school4Africa.com is http://i2c.com/re6tgw787w9hdh78wggfew555hh6hhh333656

105. Alice thinks that’s cool fasttrack registration! I like those smart guys at Schools4Africa now already. Of course are they allowed to know my nationality and profession.

106. So Alice is ok with School4Africa’s requests and confirms with one-click Profession = Schoolteacher Nationality = Gambia Right to contact = yes OK Alice if you click ok, this information is sent to schools4africa.com

107. Schools4Africa receives just partial information and redirects Alice to the special area about school projects in Gambia

108. In future sessions between Schools4Africa and Alice, more information can be requested; But future personal transactions will all be logged by i2c.com

109. Schools4Africa does not have Alice’s email address but they have the right to contact…

110. … this means that schools4africa can only send messages via the identity provider: [email_address]

111. Alice can cancel the account at Schools4Africa and request to delete every data stored about her at Schools4Africa

112. It is a pity for Schools4Africa but they can easily fulfill this delete request, because every piece of data is stored under the relation number.

113. School4Africa can’t contact Alice anymore the relation number is canceled, but if would illegally an email, they would get caught by I2C.com and receive a warning or a fine. The message will not be forwarded to Alice.

115. Facebook connect a transparent user interface…

116. Showing the user what is happening

117. Vidoop smart password management

118. Only three categories to remember Keys, Castles, Beverages Q Y P Every day a different password!

119. Confirmation of Vidoop registration

121. Establish an really independent organization to become the Certified Open Identity Provider as described

122. 1 standard agreement instead of 36 approaches negotiations & contracts 2 1 3 5 6 4 IDP independent neutral governance 

123. … and assure interoperability

124. Sharing partial identity across service providers 2 1 3 5 6 4 IDP independent neutral governance  Individual: Yes provider 2 and 3 sharing information about me is fine

125. One interoperability example

126. Interoperability: User attribute verification I2C.ID GAMBIA.GOV.ID CARE.ID Schools4Africa re6tgw787 Nationality = Gambia Federated Services providers I2C.ID has requested us to confirm your nationality for an unknown service provider logged on gambia.gov.id Yes, confirm my nationality I2C can you confirm nationality of the individual with # re6tgw787…. 1 2 Gambia.Gov.id can you confirm nationality ? 3 4 5 6 Nationality = Gambia Heath4Africa f45dlnqs9 logged on Government departments

127. Start simple and implement incremental improvements against a roadmap

129. An overview of inspiration, relationships and activities of the IdPlatform.eu Initiative IdPlatform.eu Developing awareness Political parties Public Governments Companies Non-Profit Funding Gouvernement Commercial Private Standards Protocols Semantics Interoperability Security Legal Obligations Enforcement Liability Portability Certification Idcommons.org (mainly focused on developments in the usa) Development Open source Usability Accessibility Project: European Digital Identity Innovation Virtual relation management Privacy enhancement e-Democracy includes activities : inspired by seeks collaboration with (?) Idealism Human digital rights organizations Knowledge Virtual communities Universities Innovation institutes Government programmes Standard organizations Commercial innovation inspired by: Knowledge management Conferences wiki.idplatform.eu Workshops DevCamps includes: Potential Identity Providers & Software vendors can support Potential Relying Service Providers invited to contribute

131. Roadmap [draft] Shared Rules & terminology E-Citizen Rights Shared approach Enrollment & password management device independent Shared user attribute profile schema approach Shared rules & terminology privacy policy & privacy assurance Shared Rules & terminology identifiers Select one of more code sets as starting point European Privacy Data Protection Directives 7-Laws of Identity XDI OpenID/OAuth PRIME Privacy and identity management for Europe Collect usability and accessibility guidelines Usability review Usability review Usability review Usability review Shared general architecture & terminology Shared approach User Data Exchange Federation rules European Digital Identity month location? Thursday Nov 5 Identity debate Weekend Nov 6-8 Devcamp Nov 9-21 Documentation Evaluation Weekend 23-25 Devcamp Aug Sept Oct 09 preparation phase