Event Recording

The Identity R/Evolution

The identity r/evolution is ongoing. For a while it seemed that not much had changed since Kim Cameron spearheaded the discussion about “The Laws of Identity”. New technologies like Privacy-ABC based on ZKP were ready to give users control over how much personal data they want to disclose, but, while promising, commercial solutions were neither accepted by the market nor did they exhaustively solve the problem of reliability of transactions. Today, the new decentralized digital identity model of Self-Sovereign Identity, utilizing verifiable credentials and Decentralized Identifiers, is giving new hope of finding sustainable solutions. This session will map out the main questions around privacy within this context:

  • What are the privacy pros and cons of a blockchain-based identity management system based on a “European Digital Identity Wallet”?
  • What are the key pain points in the compatibility of the emerging "European Autonomous Identity Framework" (ESSIF) with GDPR? Is there “enough privacy” in eIDAS 2.0?
  • How can one trust that the entity issuing the credentials is in fact the entity that it claims to be?

Thank you. So it's great to be here. Apologies I couldn't be there in person. I really wanted to, but had some other commitments which made it impossible. So I'm gonna go through today and just talk a little around privacy and the decentralized space, but I wanna kind of start with some foundational stuff, just walking back a few steps to talk about privacy and identity and how we've come to where we are today. And if you look around kind of 15 years ago, the digital identity thought leader Kim Cameron shed light on the missing identity layer of the internet. And since he laid out the unified identity metasystem and his evergreen Laws of Identity, research and maturing technology have aimed at fusing identities and digital personas together. It's often argued that identity and access management has spearheaded the space, with a long history of developing security and fine-grained access controls, and the growing field of consumer/customer identity, which includes single sign-on, multifactor authentication, personalized interactions, consent and preference management activities, to name a few.
But digital identity is a fundamental issue for trust, safety and privacy in our digital age. And it's also against a backdrop of massive privacy change that's occurred over the last decades. And you'd argue that in 2022, privacy's really never been higher up the organizational and political agenda. Countries have picked up privacy legislation probably faster than any other type of regulation on a global scale. And if I would've put myself back 10 years ago, I'd never have believed that in 2022 over 50% of the world's population would now be covered by a privacy law. And actually, if you include China and India in that, it's about 80% plus of the world's GDP that will be subject to privacy laws. So very, very significant change over the last 10 years.
Now, when you look at identity, a huge number of technologies have been developed to address these identity challenges, but also trying to evolve and seek to address some of the privacy challenges that have been raised by individuals, as well as the new regulatory changes and the landscape as it's evolved. And the new developments in consumer identity aiming to fulfil user expectations are giving more and more control to individuals over their personal data, pushing for that next wave of decentralized, user-centric and portable solutions based on solutions like mobile wallets. The increasing relevance of privacy is clear when you're driving towards digital identity solutions that are decentralized, and you can see citizen digital identity schemes, allowing citizens to access online public services like education, banking, medical, are also really kind of driving the field. But how do we get to the position where privacy was becoming such an issue in digital identity, and particularly becoming a key component of the decentralized digital identity agenda?
Well, if you look back to the 1960s, when Fernando Corbató first introduced the computer password, it's been the kind of staple for access for a long period of time, but it's primarily the user who is put in charge of creating and managing the dozens of accounts and passwords for all the services the internet offers. This brings several disadvantages and challenges from a privacy perspective. Firstly, despite good password management practices, the problems of reused passwords and weak passwords persist. Some argue that passwords are leading to ongoing security incidents and are a root cause for privacy breaches, which understandably cause significant privacy issues for the individuals and the organizations. And with ever-increasing regulatory fines and complicated privacy laws, including the breach notice requirements, is that really sustainable from a privacy perspective? Secondly, the data itself that is used to validate the individual is generally personal information.
It includes user names, passwords, and other personal information elements to help identify an individual. And this is repeatedly being stored in the databases of a huge number of different service providers, multiplying individual privacy risks. I have a digital password manager. I have over 500 different accounts with different organizations, which, when I looked at it, is a mind-blowing number. All at some point I had a use for, but you can go back to the ones you've not used for years and, frankly, no surprise, my own password's still active, and I can still log in, and my personal information is still being processed. How much of a burden is it on the individual to manage and address this, versus the organization to apply data deletion principles in an appropriate manner? Thirdly, managing such a big variety of passwords is time-consuming and tiring, and costly for a business.
From the perspective of an organization, the user only exists because they have an account in the system; that is, a user is allowed to link to a website, service or application because the provider lends them some credentials to represent them. In the end, these credentials are kind of owned and controlled by the organization. And this leads me onto my fourth point: if an individual deletes or requests deletion of the account, often their account will cease to exist, but the data will still reside in the organization for a period of time. This is really interesting because, as an individual, the way you interact with that organization is primarily through that account. If that account is no longer there, it becomes increasingly challenging for that individual to have sufficient control of the data, to whom the data belongs. Sure, they can look at leveraging the data subject rights under applicable laws and regulations like the GDPR, but it's not an easy route.
Often it's time-consuming. It doesn't lead to the same results and desires as having an account and being able to interact with the organization on a kind of real-time basis. Some of these issues could be argued to have led to some of the single sign-on user authentication methods, enabling users to sign on with just one set of credentials to multiple applications. But this in itself does carry significant privacy issues. Internet-based single sign-on services have actually created quite a lot of privacy concerns due to the amount of data that's being collected and given back to the provider of the login service. And this is often a two-way exchange of data. This could be a simple exchange, such as just the credentials itself, or it could be actually quite a significant exchange, looking at account parameters as well as the behavior of individuals.
Even at the most basic level, you can learn a great deal about a user's behavior, in particular which sites they access, when they access them and the periods in time they access them, as well as the geographic location of the individuals accessing different sites at different times. Clearly not desirable if you're an individual who is privacy-conscious and wants to kind of hide their behavior from the providers they're having services with, but also from third-party organizations. And if you are a provider, how do you ensure that you manage your consent obligations, ensuring that it's freely given and the user is really informed about what data is being passed between and gathered between the different services? Some of these issues have continued in other models, such as federated identity solutions. And there are new methods that are looking to try and minimize that.
So some of the Identity Commons, some of the Internet Identity Workshop, have been looking at research to try to mitigate a lot of this. But an identity question that I'm seeing we often keep coming back to is: how much data do you need to process for identification of an individual? And this is a really, really challenging question a lot of the time, because what is appropriate for identification, and how long should that information be stored, and how long should it be processed? So to give you a purely privacy perspective: according to the data minimization principle within the GDPR, and you'll see equivalents within other legislation globally, you should only get the information necessary to perform the service which you're providing. From a user perspective, in many cases there is no need to learn about the identity of other users. On the other hand, there may be cases where you need to understand who the other users are.
And actually there may need to be a specific case where you are going to a higher level of authentication because of the need to authenticate an individual to enable them to undertake particular processing activities. But how far you go for authentication and identification of an individual is a particular challenge for a lot of organizations, especially when you start gathering more data; there's an increased risk from a privacy perspective. But I'm just gonna give a use case around age verification. And you can see that regulators are increasingly tracking if websites and mobile applications that offer adult content, such as online betting, alcohol, pornography, are adequately protecting minors from their services. In the EU, there are a number of regulations that have been spun up, designed to protect individuals from harmful content, one being the EU Audiovisual Media Services Directive.
Another, obviously, is the GDPR, which is a highly prevalent and relevant piece of privacy regulation, implicitly establishing the need to verify individuals in Article 8, stipulating that online service providers have an obligation to check the age and, where necessary, gather parental consent, in addition to making reasonable efforts to do so, taking into account the technologies available. Recent regulatory efforts underline this, and they talk about building state-of-the-art technology. In the guidelines on consent, which were issued in May 2020, the European Data Protection Board emphasized that any measures for age verification should be proportionate to the nature of the risks of the processing activities. They go on to say it's implicitly required by the GDPR: if a child gives consent while not being old enough, it will render the processing of data unlawful. Real, real challenge, how you do this at scale. But the GDPR doesn't specify practical ways to gather the parental consent or establish that someone is entitled to perform this action.
And the EDPB argues for a proportionate approach, focusing on a limited amount of data which is relevant to undertake activities. Again, what's reasonable, what does that really mean? It would depend on the risks as well as the processing and the available technology. Third-party verification solutions may offer ways to administer this, but it is a real challenge. If you look on an EU level, there is obviously the Commission-funded euCONSENT, which is working on an EU-wide computer network for completing online age verification and securing parental consent. But if I give you a couple of just country examples, and I'll talk about France and the UK, just a couple in the interest of time.
In France, there's an opinion by the premiere, which echo the ed reg review, which emphasized the relevance of the principle of data minimization in the context of age verification; collecting information about age solely for verification practices increases the risk of linkability and identification of individual users. They talk about the need, when doing age verification, to be proportionate, minimized, have robust processes, be simplistic, standardized, and minimize the risk of third-party intervention. It suggests that proof-of-age systems incorporate double identity mechanisms. In a similar context, the UK published an opinion on age assurance in the Children's Code last year, which expanded on the idea of third-party suppliers and how they can contribute to data protection compliance. And then also in the UK's proposal for the new Online Safety Bill, just a couple of months back, it proposes a new procedure where web applications offering kind of use end to end content will need to validate people to ensure they are over 18. There are a lot of technical specifications that are kind of not laid out in detail, but it is clear that if this moves ahead in the way it is looking like it will, companies will need to implement some form of robust measures for age verification to really ensure children can't access such services.
So I've gone through quite a lot. And the answer to this question really is: it depends. And I think that's okay, because like many other areas of privacy, it requires organizations to really think about digital identity and the data which they're collecting, establishing what is enough given the specific services that are there. What are the risks posed to the personal information that is processed, and more broadly by the organization, in the context of that specific interaction? But how are technologies looking to solve some of these privacy challenges? Well, about a decade ago, new technologies were looking at addressing privacy concerns, and the concepts of privacy by design in the digital identity world kind of intensified. At the same time, we were embarking on a kind of, some would say, revolutionary change in zero knowledge and zero trust.
All of these sorts of topics were starting to really emerge, and privacy-enhancing technologies such as zero-knowledge proofs were starting to mature. So zero-knowledge proofs, to keep it simple, are cryptographic protocols that allow the end user to send proofs of some properties of data to a service provider, not actually the data itself. Per my example, when we're talking about age verification, this could be, for example, transmitting information to be an adult without transmitting the exact date of birth. Zero-knowledge proofs were realized in privacy-preserving attribute-based credentials, which introduced a real shift in identity solutions. We saw a number of big providers, such as IBM and Microsoft, developing solutions, as well as the EU-financed research project ABC4Trust. In the most basic sense, these are allowing users to collect credentials from various identity providers and allow the providers to vouch for their correctness.
And this information is stored in a digital wallet. Users can decide themselves how much information they want to disclose. This is achieved by hiding some of the attributes of the received credentials. At the same time, the digital signature of the issuer remains verifiable, confirming the partial information that was sent to the verifier. This introduced a completely new concept and opportunity for digital identity from a privacy perspective, really enabling data minimization at a completely different scale. However, when we talk about the user-centric stage, there was a problem of trust and reliability of the transaction which remained open, and there's still a central authority responsible for that validation. So we still run into the challenges of the data residing in a kind of central location, and the privacy issues that reside with that. This gap can be kind of helped to be filled by blockchain technology, which essentially functions as a ledger and applies different, enabling the electronic identification elements to be kind of distributed.
The fundamental difference from what basically currently exists is that this enables it to be decentralized in so-called nodes. The nodes will then reach a consensus, and that's considered as their correctness for entry into the register. Another innovation was the Verifiable Credentials Data Model described in the W3C standard. This parallels physical credentials in that the user holds the cards and can present them to anyone at any time without informing or requiring the permission of the card issuer. Verifiable credentials can digitally represent the same information as a physical credential. This includes identifying an individual, for example a photo, a name, an identification number; it can be used to identify the relevant issuing authority, for example a public authority, an insurance company, a healthcare provider; it can be used to identify the type of credential, for example a passport, a driving license, or an educational degree or certification.
And it could be used to identify specific attributes, for example nationality, classes of vehicle, date of birth, et cetera, in addition to information about the credential itself, for example the expiration date, terms of use, et cetera. Like in the physical world, the information is usually first generated by some sort of authority. This issuer could be, for example, a university; for example, one could be used to validate the certification in a digital wallet of the data subjects confirmed. It also can be used to enable verifiable digital identity across a broad range of organizations and technologies. But there are still a lot of privacy questions which remain around this, and kind of transparency, given the complexity of use at scale, but they do show significant promise for the future. Gonna jump a little bit into some of the legislative developments now. European countries have been spearheading the implementation of self-sovereign identity concepts for a while. In 2019, Germany and Spain announced a cooperation agreement on building an ecosystem of user-centric digitalized identities.
The federal German government stated that it recognizes that digital identities are a fundamental building block for successful digitalization, and it's therefore pursuing development of an infrastructure which allows secure exchange of attributes. And it wants it to be for Europe-wide use, and it functions equally for identities of people, institutions and things on the basis of self-sovereign identity technology. And in 2021 Germany signed a similar declaration with Finland to drive the development of solutions based on self-sovereign identity and promote eIDAS 2.0. There's also a French digital identity app, which is based on kind of self-sovereign identity. The end of 22, last, end of last year, sorry, end of April, for months back, France announced an update to ALICEM, which is their national digital identity system. The European Commission has also been looking at the eIDAS regulation, and followed the limited uptake which resulted as a result of that.
They introduced a new proposal, eIDAS 2, which included the concept of the European Digital Identity Wallet. The concept of this wallet is to provide EU citizens, residents and businesses with the ability to prove their identity throughout Europe, users to still be able to store credentials and features relating to their identity and display them online or offline at request. And this could be a significant turning point for digital identity at scale, at a European or continent-based level. However, the proposal still lacks clarity on some of the privacy measures. So there'll surely be some challenges, and there are a lot of elements that need to be considered from a privacy perspective as we move forward. But gonna jump into considerations for the privacy pros now. And privacy for identity, identity is an area which privacy pros often leave to the cyber teams, often 'cause it's quite complicated, often because they don't necessarily understand all the ways in which identification is taking place and the data which is used to support it.
But some of the absolute key considerations are really, really important from a privacy perspective and for all organizations. And the first is accountability. This is a key feature of the GDPR, and it really requires organizations to actively demonstrate their compliance with and commitment to data protection legislation. Ensuring accountability throughout the digital identity system provides a great opportunity and demonstration for how organizations manage privacy and comply with applicable laws and regulations to develop and sustain people's trust. And if you look at the GDPR, it talks about undertaking data protection impact assessments, and some of the guidelines, Working Paper 248 from the European Data Protection Board, established a low threshold to trigger the requirement for a data protection impact assessment. So it's quite likely that, given the nature and volume involved in identity solutions, these sorts of digital identity solutions that are being talked about, and self identify, these things are going to need some form of data protection impact assessment.
Next thing I'm gonna jump onto is governance. And it's critical to have the right governance frameworks, well-defined roles and responsibilities as well as rules, and this won't be anything new for identity professionals, but it's really around the ecosystem that resides there and the system with independent oversight and how you effectively manage the privacy elements as part of this. And whatever the digital identity model is, there are likely to be a number of parties in the process, from the oversight that will provide some form of oversight to the digital identity systems, and the different players will have very different roles, and there's a need for very clear governance about all the different stages so that things are appropriately joined up. This will help ensure there's no duplication of effort, as well as guaranteeing a clear pathway for individuals in respect to their right to redress as well as the regulatory chain, and for service providers in the ecosystem to make sure it's clear where the liability sits and where the need to fulfill the different privacy obligations at each stage would be.
The next one is around really putting the user at the center of a solution. The users need to trust the solution and make sure that the approach that's undertaken has the right controls and provides the right controls over data. Those, the control to utilize the data, but also choice and agency about the disclosure of the personal data, are really, really important. And a lot of the time, from a privacy perspective, those needs, expectations and desires of those individuals are not necessarily fully understood in how they vary market by market. The next one is around the management of privacy risks, and the risks posed by digital identity solutions are very significant and, as we touched on earlier, can lead to some significant consequences. A simple personal data breach on its own could lead to financial harm.
It could lead to emotional distress, distrust. You can help with a misuse of personal information and, understandably, loss of trust. But moving beyond the breach, there are a lot of other risks, such as the potential for correlation of individuals' activities across multiple service providers. How do you manage the processing on device versus off device? How do you ensure that personal information is used in line with the purposes for which it was collected? What do you do in respect of a loss of trust or an unwarranted intrusion? You've got the concepts of fair, lawful and transparent processing. It's one of the core principles of data protection legislation, and organizations need to process the personal data lawfully, fairly and in a transparent manner. But given the complexity of some of the systems, what is their extent and ability to explain this in a user-friendly way, truly addressing all the different legal and regulatory requirements which exist across different jurisdictions, and in a way that somebody's gonna really understand? Accuracy.
And when we talk about accuracy, we're talking about ensuring that robust engagements are in place to ensure that the underlying data in systems within the framework is accurate, up to date and relevant. Incorrect, out-of-date information could lead to members of the project being unfairly refused services or being disadvantaged in some way, or actually having marketing materials which are no longer relevant to them kind of, not say bombarded, but significantly intruding on their day-to-day lives. One of the things you'll hear a lot about in closely world is around the risk of AI, automated processing, machine learning and everything else. And you're increasingly seeing in the digital identity space that automated processing is becoming much more a part of, and AI's part of, the identity ecosystem. And you can include algorithms and artificial intelligence and whatever else you want to throw in the bucket, but regulation's quite clear.
Well, some of the post records started to be quite clear on the impact of AI, and the GDPR talks about, in Article 22, restricting automated decision-making that has legally or similarly significant consequences on an individual. When you talk about this, it's quite important, because to what extent does a denial of access to something that you should have access to become a significant effect on an individual? And even where automated processing is not covered by Article 22, there's often a need to consider the data protection rights and obligations that will be part of an ecosystem. We talked a little bit earlier around children's privacy, and where there's an increased likelihood of a denial of service, which may be intentional proof age verification systems, but actually it may be unintentional.
And you have to think about the consequences of a minor being refused access to a service which they may actually need for providing them with education or something more prevalent, and how that could potentially disadvantage individuals based on demographics and so on and so forth. We talk about data minimization quite a lot, and I don't wanna do that on this point too much, but it's really important that digital identity solutions do not collect excessive data for identification and there's no function creep, so that we don't have multiple organizations holding increasing amounts of information. Against this backdrop of data minimization, we do run into a challenge that, as more and more breaches occur, it's much more difficult for organizations to rely on the data sets which were previously relied on, so looking to go above and beyond that to ensure you're getting appropriate protection for the organization and security. Storage limitation: quite simply, making sure that you're not storing the data for longer than it's needed to fulfil the purpose for which it was collected.
And this is a challenge in an account space, particularly in a digital world: how long is relevant enough? If I've got an account, for example a kind of token which enables me to travel around and move on to buses or tubes or whatever it may be, what's an appropriate time to retain that monetary value on that account and keep that account live? If there's no monetary value, what is the realistic timeline for that account to stay live? And this is something that organizations really, really struggle with. And from a privacy perspective, again, it's not a black and white answer.
So just gonna quickly jump onto the challenges and the outlook. Watching the dynamic growth of identity proofing, identity resolution and mobile identity, and the platforms that are moving forward around decentralized identity and the integrated identity solutions, there are a lot of concepts that are really starting to balance the way privacy and security and identity can come together to really add a differentiated experience to the user. So verifiable credentials enhance privacy by enabling entities to express any of those aspects of their persona that are appropriate given a situation. We talked a little bit about W3C early on, and there's a huge number of use cases that can benefit from selective disclosure, including education, retail, finance, professional credentials, healthcare and legal identification, as well as device management. And for businesses, distributed credential environments could allow them automation or semi-automation of business processes where individuals can verify kind of things that choose their age.
They can support employee or customer onboarding and eCommerce transactions to really help reduce those operational costs. There's also a more sort of social aspect to it. And if you look at the World Bank's Identity for Development database, there are about a billion people globally that lacked proof of legal identity in 2018. And lots of initiatives have looked at trying to address this gap. And there's really an opportunity here for: how can we help people get some form of identity in these spaces, really helping to fill the gap? Often it's a challenge: how do you deliver cash aid to refugees where you can't validate identity and can't validate attributes about them, from really wherever they come from, and so forth? And we're gonna see, hopefully, privacy-enhancing technology solutions becoming a kind of standard in some way, shape or form.
And that supporting technologies continue to evolve. There's a lot of work still to do from a regulatory perspective and getting the frameworks right. But there are quite a few initiatives going on that are trying to look at what's the best way to work through some of these challenges. So there's strong potential for the realization of these solutions and the EU digital wallets. It will, however, need support from both the private sector as well as the regulators to really work together to make sure that it all comes together in an ecosystem. And hopefully at some point we'll get to a truly privacy-enabled identity ecosystem, but there's still quite a long way to go from a privacy perspective. On that note, any questions?
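
The selective disclosure described in the talk (hiding some attributes of a credential while the issuer's signature stays verifiable, as in proving adulthood without the date of birth) can be shown with salted hashes. This is an added example, not part of the talk or of any product it names: it uses salted digests rather than zero-knowledge proofs, a Lamport one-time signature as a stand-in for the issuer's signature scheme, and constructed attribute values.

```python
import hashlib
import hmac
import json
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature: stand-in for the issuer's real scheme ---
# One key pair may sign exactly ONE message (here: one credential).
def lamport_keygen():
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = [[H(s) for s in row] for row in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[b][i] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[b][i])
        for (i, b), s in zip(enumerate(_bits(msg)), sig)
    )


# --- Credential with one salted digest per attribute ---
def attr_digest(name, value, salt: bytes) -> str:
    # The random salt stops a verifier from guessing low-entropy values
    # (a date of birth has few possibilities) and testing them against digests.
    return H(json.dumps([salt.hex(), name, value]).encode()).hex()


def issue(sk, attributes: dict):
    """Issuer: sign only the digests; attributes and salts go to the holder."""
    salts = {k: secrets.token_bytes(16) for k in attributes}
    digests = sorted(attr_digest(k, v, salts[k]) for k, v in attributes.items())
    payload = json.dumps({"type": "ProofOfAge", "digests": digests}).encode()
    return {"payload": payload, "signature": lamport_sign(sk, payload)}, salts


def present(credential, attributes, salts, reveal):
    """Holder (wallet): disclose only the attributes named in `reveal`."""
    return {
        "payload": credential["payload"],
        "signature": credential["signature"],
        "disclosed": [
            {"name": k, "value": attributes[k], "salt": salts[k].hex()}
            for k in reveal
        ],
    }


def verify(pk, presentation):
    """Verifier: return the disclosed attributes, or None if anything fails."""
    if not lamport_verify(pk, presentation["payload"], presentation["signature"]):
        return None
    signed = set(json.loads(presentation["payload"])["digests"])
    result = {}
    for d in presentation["disclosed"]:
        digest = attr_digest(d["name"], d["value"], bytes.fromhex(d["salt"]))
        if digest not in signed:  # value or salt was altered
            return None
        result[d["name"]] = d["value"]
    return result


if __name__ == "__main__":
    issuer_sk, issuer_pk = lamport_keygen()
    # Constructed sample attributes.
    attrs = {"name": "Alex Example", "date_of_birth": "1990-04-12",
             "age_over_18": True}
    cred, salts = issue(issuer_sk, attrs)
    shown = present(cred, attrs, salts, reveal=["age_over_18"])
    print(verify(issuer_pk, shown))
```

Unlike zero-knowledge attribute-based credentials, every presentation here carries the same signature and digest list, so verifiers that compare notes can link them, which is the correlation risk the talk raises.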
