Trust Who You Are Online With

Big Data identity platforms and social media have gone some way to improving online identity, but is the internet forever catching up with its users? Wendy M. Grossman looks at the successes and stories.

When Jamie Bartlett, a researcher at the Demos think tank, was writing his 2013 book, The Dark Net, one of his biggest surprises was discovering that the best customer service in the world was to be found on the Silk Road site. Despite - or perhaps because of - the questionable legality of many of the site's offerings, the reputation and ratings system kept the site's sellers competing to please and provide meticulous information about the quality of their offerings.

Until the Feds came along and shut the thing down, these sellers were, in Bartlett's account, more trusted by their customers than many big brands are. The site arguably proves what many have contended since the dawn of the internet: reputation can be established without binding it to a real-world identity.

To explain the trust at Silk Road, "Directories automate discovery," Don Thibeau, the founder of the Open Identity Exchange (OIX), said at the early December 2015 Personal Information Economy conference (PIE 2015), run by the specialist consultancy Ctrl-Shift.

"Registries build trust through transparency." His prime example was Lloyd's, which operated an underwriting register anyone could use as long as they agreed to the terms and conditions. But, "There is no global registry for trusted identity systems." It's this that OIX, a cross-sector, technology-agnostic non-profit, is trying to build. "We have to look at every tool to increase trust."

The basic problem is that the internet was built, famously, without an identity layer. That is, its design includes no way for anyone to know with certainty what or whom they are connecting to. For applications such as publishing it doesn't really matter. But the lack of that identity layer is a crucial problem in digitizing government and financial services, and it's the cause of many of today's security problems.

As Kim Cameron, the identity architect for Microsoft, wrote in his widely cited 2005 paper, "Seven Laws of Identity", the systems we all use today are workarounds, a result he called "pernicious". The result: the internet is a vector for criminals because we have no way to evaluate when a site can be trusted or when we're sending personal information to the wrong people.

Cameron's ideas were implemented in Vista and Windows 7 as Cardspace, an effort Cameron now calls "disastrous", though "a technical triumph". Since 2005, large companies like Facebook and Google have geared up to offer the identities consumers have built up on those services as a federated identity for everything. But would you want to use your Facebook account as your login to pay your income tax?

That approach - a centralized identity provider who ultimately gets to know everything about you - has been the dominant model for the last 20 years. The structure optimises the amount of data organizations can collect about their customers, thereby maximizing both the risk to customers when there are data breaches and the potential for privacy intrusion by the organizations themselves.

As David Evans, the BCS membership director, put it at PIE: “We're creating a world where moral, well-intentioned people can't achieve their business objectives without doing things they're uncomfortable with.”

Ideas for alternatives are as old as the commercial internet; even in the early 1990s cryptography experts like Carl Ellison were suggesting using encryption techniques to separate roles and provide only the minimum information necessary to validate a transaction.

A bar owner, for example, doesn't really need to know the identity of the young-looking person who just ordered a beer, just to verify they're over legal drinking age. Today's standard approach, however, has you showing ID that gives your name, address and birth date, with little recourse if the bar insists on scanning the ID and keeping a copy.

Alan Mitchell, co-founder and strategy director of Ctrl-Shift, points out how much extra risk this structure creates for all concerned. "One of the key points we're saying," he says of his company, which aims to help companies navigate a digital economy in which the audience is in control, "is that the problem with the current way that data collection is structured is that it creates honeypots of data which encourage hackers because the data is in large, centralized databases. On top of that, there's been a culture of not really seeing data security as being important."

The fact that until recently so many companies (Ashley Madison may be an exception - and a turning point) survived data breaches with little apparent damage has fed a certain complacency. Even Target, which in March agreed to pay the victims of its 2013 hack $10 million, and replaced its CEO, still fills its stores with shoppers.

The result, Mitchell suggests, has been to breed a culture of arrogance, in which many companies focus their efforts on grudging, minimal compliance with the law. But, "when a brand or company's entire reputation is on the line they make sure they get it right," he says. "So, for example, flying a plane from here to NYC is far more difficult than keeping data secure - and yet they manage to get that right virtually all the time. And the reason that they get it right there is because it's a number one priority to make sure it's safe."

Cameron's "laws" were not so much rules as observations of the successes and failures of attempts at digital identity systems. More recent data breaches such as Sony and Target have proven his contention in explaining law number two, "minimal disclosure for a constrained use", that "we should build systems that employ identifying information on the basis that a breach is always possible.

"Storing just a flag that says a user is 'over-18' instead of a birth date, for example, is much less helpful to identity fraudsters." Ten years on, he believes the laws he outlined were all correct but incomplete: they failed to incorporate power dynamics.

"What I learned was wrong with the laws of identity," Cameron says now, "was that they didn't take into account the privileged position of the service provider, the relying party." Going forward with what the industry has begun to call "me2c" will require an identity solution that both relying parties and consumers are willing to embrace.

"You can have as many as you want - it doesn't matter what the movement is coming up with unless service providers adopt it." There are, Cameron says, a number of consequences for how the necessary technologies should be built, but he sums up the most important lesson this way: "We have to build technology for the relying parties in which we simply enable privacy, security, me2b [me to business], and so on."

Newer identity systems being implemented now such as the UK Government's Verify, a product of the Government Digital Service, have three elements: a consumer; an identity provider; and a relying party.

The element that needs to be verified, whether it's an address, an age group, or the existence of a license to drive, is an attribute. So, say an individual is applying for a free pass for public transport that has two requirements: 1) applicants must be over 60; 2) they must live in a specific catchment area. Both of these are "attributes" to be checked; the relying party in this case is the issuer of the free pass.

In that scenario, the identity provider acts as an intermediary: checking the proofs that the individual has the claimed attributes and passing on verification that they exist - but not the proofs themselves. Trust is key all along this chain: both consumers and relying parties must be able to trust that the identity provider has done its job correctly.

But it limits any one party's visibility: an identity provider knows only which services it has helped a given consumer access, not what they've done with them or what they've accessed via another identity provider, and consumers' personal data is exposed only to the identity provider.
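The transport-pass scenario above, and Cameron's "minimal disclosure" law from earlier in the article, can be made concrete in code. The following is an added example, not code from Verify, GDS or any identity provider named here: a hypothetical identity provider checks a constructed proof record against the two requirements (over 60, lives in the catchment area) and hands the pass issuer only the resulting flags under an integrity tag, so the relying party can trust who produced the assertion without ever seeing the date of birth or postcode. The shared key, the subject identifier and the catchment postcodes are all constructed assumptions; a real deployment would use signed assertions rather than a pre-shared HMAC key.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed proof record held by the identity provider (hypothetical data,
# standing in for the documents a real provider would check).
PROOF_RECORD = {
    "subject": "user-123",          # pseudonymous id; the relying party sees only this
    "date_of_birth": "1950-04-12",
    "postcode": "AB1 2CD",
}

# Constructed catchment area for the transport pass.
CATCHMENT_POSTCODES = {"AB1 2CD", "AB1 3EF"}

# Assumed: the provider and the pass issuer share a key out of band. A real
# deployment would use an asymmetric signature on the assertion instead.
ASSERTION_KEY = b"constructed-shared-secret-between-idp-and-issuer"


def is_at_least(dob_iso, years, today_iso):
    """True if the person born on dob_iso is at least `years` old on today_iso."""
    dob = date.fromisoformat(dob_iso)
    today = date.fromisoformat(today_iso)
    try:
        birthday_this_year = dob.replace(year=today.year)
    except ValueError:  # born 29 Feb; treat 28 Feb as the birthday in common years
        birthday_this_year = dob.replace(year=today.year, day=28)
    age = today.year - dob.year - (1 if today < birthday_this_year else 0)
    return age >= years


def issue_assertion(record, today_iso, key=ASSERTION_KEY):
    """Identity provider step: check the proofs, emit only derived attribute flags.

    The date of birth and postcode never leave this function; the relying party
    receives booleans plus an integrity tag so it can trust who produced them.
    """
    claims = {
        "subject": record["subject"],
        "over_60": is_at_least(record["date_of_birth"], 60, today_iso),
        "in_catchment": record["postcode"] in CATCHMENT_POSTCODES,
        "issued": today_iso,
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def relying_party_decision(assertion, key=ASSERTION_KEY):
    """Pass issuer step: verify the assertion came from the trusted provider, then decide."""
    payload = assertion["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        # Forged or altered in transit: refuse without looking at the claims.
        return {"eligible": False, "reason": "assertion not from a trusted identity provider"}
    claims = json.loads(payload)
    eligible = bool(claims["over_60"] and claims["in_catchment"])
    return {
        "eligible": eligible,
        "reason": "ok" if eligible else "attribute requirements not met",
        "subject": claims["subject"],
    }


def payload_discloses(assertion, *fields):
    """Check what the relying party can actually see: are any of `fields` present?"""
    claims = json.loads(assertion["payload"])
    return any(f in claims for f in fields)


if __name__ == "__main__":
    assertion = issue_assertion(PROOF_RECORD, "2015-12-01")
    print("relying party receives:", assertion["payload"])
    print("sees date of birth or postcode?", payload_discloses(assertion, "date_of_birth", "postcode"))
    print("decision:", relying_party_decision(assertion))

    # An assertion altered on the wire (attribute flipped) fails the tag check.
    tampered = dict(assertion, payload=assertion["payload"].replace('"in_catchment":true', '"in_catchment":false'))
    print("tampered:", relying_party_decision(tampered))
```

The point of the split is visible in the payload the issuer receives: it carries `over_60` and `in_catchment` as booleans and nothing else, so a breach of the pass issuer's records leaks far less than a breach of a system that stored everyone's birth date and address, while the tag check is what lets the issuer trust the provider's work.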

One of the early implementations of these ideas is the UK government's Verify, now in public beta and created under the aegis of the Government Digital Service, formed in 2011 to transform the provision of public services. Verify aims to create a marketplace of multiple identity providers, offering people the option of using different providers for different uses.

The system should both avoid creating huge honeypots of data for criminals to target, or vulnerabilities to expose, and give consumers more genuine control over how and where they give consent for the use of their data.

The key to making this structure succeed, says Tom Loosemore, GDS's founder and the leader of Gov.UK for its first five years, is relentless focus on the user. At GDS, Loosemore's goal was to create Government as a platform, an effort to build a new public infrastructure that he compares to the 1850s effort to build a sewage system to improve sanitation and public health.

"In our time," he said at PIE 2015, "that public infrastructure is made of data." The reinvented infrastructure should mean that someone wanting to start a business could do it in three minutes rather than months spent chasing paperwork, while simultaneously protecting citizens from "themselves, others, and Governments".

Sequestered inside a company - or, perhaps even more so, a Government department - it's easy to lose touch with who users actually are. On an in-house corkboard, GDS staff have a photo with a Post-It note saying "our users". It points to a picture of people in an ordinary street scene, meant to serve as a constant reminder of who government services are meant to be designed for and who has to navigate the jargon and the complex, opaque infrastructure that seem obvious to insiders.

Says Loosemore, "The most important generator of trust is speaking human."
