Pre-Conference Workshop | Standards Matter. Trustworthy use of Identity and Personal Data

People trying to get in, but also people are waiting online. So we decided just to start, we have plenty of time. We can,
We can do whatever we do. So first of all, what the topic for this year's workshop is the transfer to use of identity and personal data. And we would like to shed some light into how to build that trust elements on building trust based on standards as that's the second title of the workshop standards matter. The next thing I have to apologize for again, is I was, or we were planned to be joined by KK, unfortunately, due to personal reasons, she's not able to attend this year in person, but I think the, she might be online already. Who knows?
Additionally to that, I do have here Andrew, huge, who will support me and do all the Contrera internal stuff, because he's far more experienced with that. Then we do have John John Munk over here and Stephen Amar joining us for different sessions on our agenda. So what we do today is first talk about our, our mission, what we do, what can terror is able to provide you to help you building trust markets or the participate in the trust markets? What this matters. What's the value proposition we do have from Canera side Canara and summary and missing one slide here later on the overall agenda. After that Canara summary will go into the work groups and see, okay, what happened during the last 12 month or more in the work groups and the discussion groups. And in the end, roughly 10 o'clock no 11 o'clock. Maybe we do have a panel talking about what do we talk about? Third party assessments for privacy data. So, Andrew, I think it's your stage.
Okay. Thanks arson. I will grab the controller from you. So hi everyone. I'm Andrew Hughes, director of identity standards of paying identity started there in September, 2021. And it's an exciting place to work if you want to come and join me, come talk to me afterwards. So as Thon mentioned, I'm gonna start with a, an overview of Cantera initiative at Cantera. We find that nobody knows who we are. Nobody knows what we do, but you, you see that in the work that we do at the board level, the assurance program level, and at the community work groups level, we have an incredibly passionate and focused group of experts who are getting very high value from their participation in Cantera. So today we'd like to tell you about what's going on. I know that usually with pre-conference workshops, especially at EIC, we get a lot of friends and family who wanna catch up and see where Cantera has been this year.
So we'll give you a three year overview since it's been three years, since we've been in person and tell you what's going on at the board level, some strategic initiatives and areas you might be in, interested in participating or following. Okay. So the first thing, our mission, actually, the first thing is I'm on the Cantera board of directors. I have a seat there and I'm also chair of the leadership council of Cantera, which is all the chairs of all the work groups. And we set the work program for Cantera. So the board sets the strategic direction and handles the financials in running the business. And the work groups are where the work is actually done. And don't tell the other board members, I said that, please. Okay. So in 2020, we did a, a refocusing effort to take a look at what we were telling the market that Cantera does and what, what our business is because Canter's business, it's a nonprofit not-for-profit business based in the us, and now the UK. And also we've got an office head office for the EU version in Estonia, for many reasons, which I will not tell you. It's very complex.
And we arrived at a revised mission statement. So the idea with the mission statement is when you participate in Cantera, what is the one thing you're trying to accomplish for everything you do around the Cantera work? What is the one thing that north star that keeps you focused on the path ahead? And this is what we arrived at it's to grow and fulfill the market for the trustworthy use of identity and personal data. Okay. We understand there's a trust deficit. We all know that. And there's a need for institutions that people and organizations and governments can look at to see what's good and bad. That's really what it comes down to in the marketplace for identity and personal data. Okay.
And you know why this mission right now, we used to have a mission that was about identity assurance, which outside of this room is completely meaningless. But as we've, as we've, as we've heard over the last four or five years with all the revelations about, you know, the big tech companies and personal data abuses, and I increased in fraud and identity theft, there is this need for new institutions to, to arise and get together to help shape that north star for the industry. And that's what Ken Tara has been and is growing stronger at being as we go forward. So here are some of the, some of the issues in today's internet and online world. Everything's very confusing, you know, do I use my phone? Do I not use my phone? What about these passwords? Why is everyone starting to say don't use passwords? I thought we were supposed to security is becoming very big concern. We see governments starting to actually care about protecting the data that people have, gov sorry, governments outside the EU begin to care more about the, the data that people have and that they have. And this whole thing about surveillance and misuse of data is becoming a top line concern with governance and industry. It all amounts to a lack of trust.
Okay.
Cantera believes that trust in the systems that manage personal data and identity interoperability between those systems as well can be achieved by discovering setting the standards for appropriate use, correct use secure use of the data and accrediting and testing systems and organizations for conformance to those standards. If you think about the rest of your life standards. So I assume everyone here, it's probably a bad assumption, but I assume everyone here understands that our modern world has standards throughout the basis. Everything we do is standardized, even though you don't see it, most of the time, the reason I can plug in my north American electric toothbrush into the power system here is because of standards. There's safety, compatibility interoperability. The same thing applies to, to data and identity systems. The same thing should apply to data and identity systems. It doesn't yet. So the standards are being developed and as they're developed, Cantera establishes formed assessment programs and certification programs to allow consumers and vendors to declare that they meet the standard and that they are practicing as they should, that they're fit for purpose. And you can see a, you know, a fairly typical diagram here where, you know, the relying party that relies on the information and decisions based at the solution providers and they work together to give trust and reliability to the consumers and citizens. Okay.
I love this diagram, but that's just me. It's a diagram that we it's, it's a, you know, a value creation diagram that we created while talking about the mission and, and vision for Canara. So you can see relying party, solution providers and consumers. They want different things out of trustworthy identity and personal data systems. So consumers want peace of mind, right? As they become aware of certification programs because vendors and governments and other industry players are advertising and marketing for that, they can see the value in that. They can see that, you know, the companies with the trust mark have put their brand on the line to stand in front of that trust mark. And then through the, you know, through participation and industry examination, transparency increases because you can look at the criteria and how those things are assessed solution providers, identity providers in, in other slides, the accreditation basically gives confidence that those solutions are doing what they're supposed to be doing, whatever that is, whatever standard we're talking about, that they're doing that right. And relying parties, which purchase services from the solution providers, the identity providers can avoid vendor lock in. So we know that relying parties have to sign up to all the different trust frameworks and all the different frameworks. And they have to put a foot in every place to, to address their whole market. Because there isn't really a lot of interoperability between between trust frameworks. Yet other organizations are working on harmonizing and creating those crossover points between trust frameworks, which is great. Canera is doing its part as well to advance that, that work.
Now I I've gotta say that. I can't remember what slides are in front of me. So if I look surprised when I see a slide, that's why, and, and also you and the audience online, and in person, you have the choice to make this a lecture or discussion. We have microphones for people in the audience. We'll run them around. If you have a question, comment, just raise your hand and we'll do that. We've got, we've got people online as well, so we'll make sure they can hear the questions and they'll bring us questions from the chat as well. If someone can wrangle this magical piece of equipment that will communicate messages from the ether to us in the room. Okay. So what does, Cantera do? Collaboration and accreditation. That's what we do. So we participate in industry through workshops and conferences. We partner in with many other like-minded organizations.
We are doing work. We started doing more work in associations that are not identity related associations because it's lovely to talk to all the people that we all know, but it's better to talk to people with, with real businesses in the real world that need the services of our identity community and, and industry. So we're trying to do that kind of outreach as well. And as, as I mentioned before, we run assures program right now, we're focused on the us N 863 version three set of guidelines and standards for identity, identity, proofing, authentication, assurance, and Federation assurance. We're expanding out into the UK right now, as we'll hear later on in the slide deck. And we're looking for opportunities in, in other markets as well, and then working groups again, we tackle issues and opportunities in the markets.
So the membership structure of Cantera as both companies and individuals there's, as, as I will mention, many times, there's a lot of expertise in the canter Cantera work groups, the programs and the board. So here are some of the reasons that corporate members join up. We are the only organization right now that certifies against 863 version three. So if you do business with the us federal government, and if they tell the vendor that you must have this certification, we provide the only independent third party assessed or tested statement of conformity to these, to this guideline. There are others that, that do it as a, not as an established formal program, but we have, we have a formal program of assessment and conformity, conforming assessment and certification with accredited accredited auditors.
If you're a business brand Def brand differentiation is great. The Ken trust Mars allow you to make claims about the quality of your services that your competitors may not be able to. We're deeply embedded in other global private global centers, organizations, for example, ISO I'm on far too many ISO committees as are many others in our, in our community. It's a mechanism to take the industry discussions and informal and semiformal discussions within Cantera and encode those themes and concepts into international standards that are referenced by countries, right? So that's a very, it, it's a hidden part. It's a very crucial part of, of the Cantera proposition. As we'll hear from John later on, we're doing work on requirements on criteria for privacy enhancing systems to protect personal information, of course, and you'll benefit from interoperability in that last bullet. There, it's all about, you know, the, the level playing field and transparency through assessment and conformity individuals, the reasons are similar.
It's, it's a very good vehicle for individuals to discuss with other experts that are outside of their company group. For example, it's, it's a, it's, it's an interesting career boosting environment because you have access to international standards, organizations and other associations that are related to identity that as individuals, they're hard to get to, but if you go through Canera, the organization maintains the overall relationship so that individuals can take part and be part of the, the overall industry standardization effort. Okay. I find, I found that Cantera is very good for career ladders. So if you need to tell your boss that you're doing important international work, this is a way to do it.
Okay. So what's new. This, this slide, basically, this is new stuff that's happened in the last 18 months or so. Okay. You know, as a boards, we've reinvigorated, we've shifted more from a discussion group to more of an action oriented board. So, you know, more work to do, but that's, that's good. It's all, it's all good. We've created three major, three major subcommittees of the board. Each is led by a board's director and we are including participants from across the organization to, to make progress. First one is the diversity equity and inclusion committee, basically to do what it says, right?
With identity information systems. Clearly there's lots of opportunity to do bad and be unequitable and exclusive. So through this committee, we are actively working to be inclusive and diverse and equitable. Our anticipation is that as we participate and partner up with other organizations on this topic, we can start to influence the standards and conformity programs that I was talking about previously. It, it has been a blind spot in industry. So we're doing our part to, to shine a light and improve. Second one there modernization of the nest 863 guidelines Canera is held in high esteem across industry in identity assurance topics. So we have, we have the ability to discuss and access some of the authors, some of the governed agencies that are using nest 863, a lot of our corporate members service that community. So we can bring usable and pragmatic advice back to N for consideration as the improved the 863 standard for identity assurance and authentication assurance, you know, and, and, and they know as well that it's a place that they can ask questions in a smaller group so that, you know, they don't have to get a thousand responses.
They can get 500 responses if they, if they wish one of the observations that we've had with 863. And it's common observation is that it's really rooted in document based identity verification, and not in sort of the more dynamic methods of identity proofing and verification. So for example, dynamic evaluation of devices currently in 863, that's not a factor. It's not a consideration in determining if you should trust the authentication coming from advice. Many in industry, including at Cantera are looking for a way to include that sort of topic because it's time, the industry is becoming more mature around dynamic risk and device evaluation, and it's time for, to start bringing that in. They realize it too. And we're trying to provide insight onto how that might happen. We're doing work on evaluation of biases in biometric systems as well. Cuz that's a major concern from the us Congress.
They've given instructions to this, to reevaluate 863 in that light. They're doing studies and tests right now. And we're, we're finding our way into that discussion international expansion. So we are actually a global organization, even though we might talk in north American accents. A lot of the time we've just started a certification program in the UK, more slides later on that to assist the UK government in evaluating identity verification companies for UK programs. Right? So we're just in the pilot phase of that with several other companies that do certification and assessment. And there's a long lineup of verification providers that need to get their accreditation before they can solve their services. So we're, we're developing that and in the broader EU, we're looking for other opportunities to do similar things.
Okay. That's the general now the last general, any comments, questions, anything online coming in? Okay. No, one's left. This is great. Okay. So no, no it's not a low bar. It's the best measurement of, of, of speaker. I, I think at least the identity assurance framework. So this is gonna be a, a quick overview of what's in the program today and where we hope to take it over the next year, two years, five years. Okay. So the identity assurance framework has been around since 2010. It was developed in conjunction with the us federal government really enhancing and codifying the state hundred 63. So if you look at the time, the detailed timeline, which is very complex, the Cantera framework and the N work grew up together in the early days. So this, it was a way for N to get industry feedback and assessors and service providers at that time to actually produce products that were fit for purpose.
This purpose, we use independent third party assessors, which is critical because companies don't always, they're not always fully open with all available information about the quality and performance of their services. I think I said that correctly, having an independent third party auditor who is trained in identity and security topics gives a higher level of confidence that by both the company being assessed and consumers of their services, that things are following the standard appropriately, right? And you can see certain trust marks that we offer. It's a fairly complex matrix. So I hope I don't have to go through each one, but the idea is that there's a standards document. That is the basis for a trust mark and the assessors determine conformance to that standard. And if successful, the Cantera board provides a trust mark for that underlying standard. Okay. That's why you see so many different ones.
So what's the difference between the regular and the technical.
So question from the, from the audience, what's the difference between the technical and the, the regular trust marks? The technical trust mark is for strict conformance to the NS guidelines themselves. It does not include operational factors of the business, operating a system for identity proofing and authentication. So we have assessment criteria for, for the company itself, the organization itself, its ability to do business and back up its claims as an organization. And that's, that's why they're, they're distinct. I don't think we've ever granted a technical yet because the company's realized that it's of limited use in the marketplace because people ask the question, why didn't you claim that you are a viable company and they have no answer. So we, we find most people go through the, through the center trust mark.
So here's a process diagram from the documentation of the, of the assurance framework, visually setting out the governance structure and the controlling documents and which part of Cantera manages them quick show of hands who wants a detailed description of what this diagram is. Oh no, put your hands down. Okay. Let's do a medium dive into this. So inside the blue box, we have the identity assurance work group. I a w G these are members of the industry, community volunteers, contributors, and I'm, I actually, I'm actually the chair of the identity assurance work group as it happens. So I just started last week on that we managed the documents that the criteria that companies are assessed against. So we translate standards, the requirements from standards into assessment criteria that assessors use to evaluate companies, processes, practices, and systems. And as you can see in the bottom there, the, we, we basically manage the documents of the certification scheme. Okay.
We have the Canterra assurance review board at the top, which accepts reports from auditors on conformance of a company to the certification scheme requirements. Anything that's needs to be remediated, any future work, any, any gaps that sort of thing are presented. And the assurance review boards does a quality check on the report. So they investigate anomalies. They, they do due diligence on the auditor's report about the company. And if it's, and that's sort of in the review team. So the review team, a subset of the review board assesses each individual conformance letter for each company. And then the overall board decides on granting a trust mark or not how many seats
On the Kenter
Question from the audience, how many seats on the ARB? I don't know. I forgot to look that up. It's about it's around seven or eight right now. One of the interesting things about the review board is that it's actual work. It's not, it's not just rubber stamp. So as our volume of applicants grow and our volume of assessments grow, we are expanding the board and we're discussing perhaps segmenting the board into specific topic areas. We're, it's, it's under discussion right now. How will, how we deal with the extra workload. Okay. On the, I'm not gonna shine the laser pointer at my monitor. I'm gonna shine it up here. Here you go. So the CSPs credential service provider is a term from the N standards. They're basically the proofing service or the authentication service, and they, they design their services and build controls to meet the criteria that we define. And on the other side, we have accredited assessors who are the independent auditors that use the criteria to assess the CSPs. Okay. Okay. Did I say all of this already? I might have
Through your cycle?
Yeah. So the new information on this slide is that as with other conformity assessment programs, we've adopted a three year cycle. So the trust mark is valid for three years with UN under the condition that if there are major changes or, or once a year, a partial assessment is done to catch up on any changes and any non-conformance in the service provider. But after three years, the, the service provider has to undergo a full assessment again, just to make sure that they're keeping up to date with the criteria, which are keeping up to date with the, with the underlining standards requirements from the audience, you asked the right question at the wrong time. So here's the difference between the two trust marks. Technical is strictly conformance to the 863 specs. And the normal trust mark is including the organizational requirements.
So this is an outline of the, the approval process it's in the it's, it's in all the packaging around the program. So if you wanna become an assessor or a CSP, you can download the, the guidebook, talk with the director of the assurance program and walk through all the details of this. There's no surprises in this process. It's pretty, pretty straightforward. The idea here is that the assessor and or, and service provider coordinate the assessment activities with the assurance review board and the director of the assurance program, to make sure that we have capacity on the Canera side to process the, the package as it goes through the, the Canera board works closely with all of the assessors, making sure that the criteria are understood and are assessed in common ways. The last thing we need is for two different assessors to interpret criteria differently that doesn't help anyone. And if necessary findings and discussions from those discussions with assessors and service providers make their way back into the identity assurance work group, if necessary to update the, the underlying documents. I'll let you look at the slides on the download afterwards. Okay, exciting.
So the UK department of culture, media and science, the DCMS, I don't like acronyms either. They launched a pilot program earlier this year to accredit organizations like Cantera to be a certification assessment body for providers of identity, identity verification services for these two government programs, the right to work right to rent, and also the disclosure and borrowing service. So these are trust frameworks or assessment schemes, or sets of criteria and requirements that the UK government has published. Now they're looking for conformance assessment against those schemes. So Cantera is one of, I think it's, it's a number fewer than 10 companies that are being selected to go through the pilot, demonstrate our assessments against these criteria and help the help the DCMS improve their program and establish known vendors of conformance assessment through independent auditors and overall evaluation. So we're quite excited to be doing this because it might be possible that people in Cantera believe that this is a fundamental part of trust in the online ecosystem possibly. So it's exciting to see that other countries, other jurisdictions are putting serious time and effort into establishing conforming assessment and not just writing guidelines and criteria. You'll, you'll find around, around the world. There's lots of frameworks. There's lots of guidance. There's lots of standards, but there's very few conformance schemes that put the companies on the spot to demonstrate that their products are fit for purpose and doing what they're supposed to do. And that's why this is a very important breakthrough in the overall industry for conformity assessment to the identity standards,
A flow chart. So interest in identity assurance is growing, oh, you want the flow chart. It is a flow chart. I'm not gonna go through it.
So we're finding a very significant uptake uptick in interest, in, in identity assurance specifically for nest 863, because over the years, the us federal government has been instructing their agencies to, to use 863 for identity proofing and authentication and Federation. And now internally in the us federal government, they're starting to require more proof that the agencies are doing what they're supposed to do. And using companies that are, that conforms the standards, because for those of you that work for public sector, you know, that the policy set by the center is almost never executed at the edges, but due to recent breaches and problems and uncertainty in identification systems, the us federal government is now insisting that the agencies address this, this gap. So recently over the last, maybe two years, the social services administration and also the internal rev revenue service have required their vendors to be missed IAL, two approved. And now word has gotten out all the identity verification providers are lining up to, to get their approval. The standards are mature enough, and now there's a market for the trust marks, not just the services. So we, we find that very encouraging on the Cantera website. We have a trust status list, which is the current listing of the, of the approved entities.
Okay. And for anyone that's joining our crowds, now we encourage you to come forward so that we can address the local audience here anyways. So here's a quick overview of numbers for Cantera. We're holding steady in terms of numbers of members, which is very good. Our, the, these numbers don't account for the numbers of certified service providers. These are just the active members supporting and building the work inside of Cantera. And with the degree of expertise we have around the table and the relevance of the work we're working on our membership tends to stay fairly steady. We do get peaks as we address current topics. As John will talk about the, one of the initiatives in the work group for privacy enhancing mobile credentials, that's garnering some interesting interest, but the organization is healthy and growing and expanding internationally, which is a, a good sign. A good sign, lots of growth. Potential ahead. I think I put this slide in this morning, by the way. You're welcome. So let's have a 30 minute break. Does that sound right? Toson yep. Okay. Grab coffee, grab a snack. We'll resume at the top of the hour. Okay.
Speaker 11 01:07:27 Dad graduation trip. Yes.
Just waiting. So we're, we're gonna get started in a couple minutes again after the break. So please come in and we're gonna talk about the Kenter work groups and the community working groups that we're working on. I encourage you to move to a concentrated part. Thank you for moving forward. Okay. Yes. Thank you. Thank you for that. So we're gonna resume in a couple of minutes, so please come on in, take your seats.
Speaker 11 01:08:02 Thank you.
You're welcome, John.
Speaker 11 01:08:06 Just testing my microphone.
Okay. You're gonna start, start up again in a couple minutes. So please come on in.
Speaker 11 01:08:25 Whenever I say that whoever's standing door. So person I, well, cause only the people in the room knew that we were having a break to the top.
Yeah, I do think I just have to want that one slide to show and then give back. Yeah, we would, there is a slide between the break and the next one, which is great. Have you been working on that today? In the morning? I was doing this morning.
Speaker 11 01:09:44 The spacer.
Yeah. I was still sleeping seven.
So can we start? Are we online? Okay. Thumbs up. Okay. Welcome back to cartel workshop, European identity conference in Berlin this year and yeah. Business as usual. Maybe we do have this part every year on news from the, from the work groups and discussion groups, the community groups, something that is very important to Contrera participation, just yeah. Working on new standards as standards matter. And we have a couple of work groups currently running. I think we are eight, eight work groups, something like that. We have selected a few of them, which are most active right now. And that's in, in names, the humor, work groups, acronyms privacy enhancing mobile credentials. Is that correct? Yeah. From John, then we have the advanced notice constant receipt. Got it. And the identity assurance working group, which you already covered?
No. Pardon? Not yet. There's more to cover. Oh,
Sure. Sorry. So we'll start with the,
So I'll just do a quick intro as the leadership council. Oh yeah. And thank you to appreciate it. I'll grab the many apps. Do you? You clicker. Thank you. Okay. So hi everyone. Welcome back from the break. Andrew Hughes from ping identity, for those of the you that were here earlier, I was here representing the organization. Now I'm here as the leadership council chair, could someone grab the door? It's getting a little noisy up front here. Thank you. The leadership council is all of the chairs and vice chairs of the work groups and discussion groups. That form the working part of Cantera. This is an essential part of Cantera without the working groups, we would have the accreditation program certification program, which is great. But half of Cantera is about innovation and finding the hot topics that need to be covered in personal identity, personal identity data, and sorry, it's late at night for me right now, personal identity data. So what you see on the screen here? Thank you. Thorson was the, the four work groups that we have represented in Berlin right now, the other four couldn't attend. So we're leaving them off this iteration of the workshop. What we do with these conference workshops is we, we gather Cantera members to talk about Cantera for everyone else in the crowd. So it varies every time.
So with that, I will call Steve and we'll grab microphone. Now I will be running around with another microphone. If there's questions for you. And we'll figure out how to case the exec director is actually online, helping to handle the online chat questions as well. So user manage access off you go,
Speaker 13 01:13:36 All right, that's forward. That's back. Okay. Well, good morning here. And good day, anywhere else. I'm Steven Vema from Ford rock fairly recently joined the user managed access for those of, you know, mailer. I actually report to her and I've been taking over some of the duties in Canera. So user manage access work group, why we call Uma or some people say Yuma, but there we go. They're just gonna quickly go through why and how it does it and some of the capabilities. And then I'll talk about our some recent work and future work. Hopefully getting people, other people interested in it as well. So why this is something that's actually from a personal level. Very interesting, even to me, and might be very interesting to you. And that is the problem of how do I control, who can see my data. This is sort of the usual approach that, that we see where we any given.
Speaker 13 01:14:47 This is me times 120 different what we call walled gardens, different identity systems at different companies. And a key question is how can I share access to my data and services with others without sharing it all? How do I, how do I control it? And this is, this is actually a difficult problem. And so what if we could create a, an ecosystem where users can, can actually control that for these different wall gardens. We, we're not proposing getting rid of the wall gardens because that's probably more than we want to take on right now. And there may be some good reasons to have them particularly around data sharing and privacy within the gardens. But what if we could make it really simple for us to share for, and I can come up with an example of, I want to share certain financial records with my financial planner. There there's some ways to do that today, but they're all very different. How could we make it consistent?
Speaker 13 01:16:04 So how do first of all, how do we do it? And basically if you think about the box, the, the left two thirds of this large box, this is basically oat two there's four, four roles. If you will, the resource owner, the authorization server, the resource server, which is where the actual data lives and the client. But in oat two, we have really, the resource owner is, is granting delegated authority to a client to access particular resources. What we're doing with Uma is adding this, this other role, which is a requesting party, unfortunately, acronym wise, that's RP, but that also is relying party. So we'll often use the abbreviation R QP lowercase Q for a requesting party. So this would be the, the organization or that the person or organization that wants to access your resources in actually in an asynchronous fashion. You shouldn't need to be online right when they want to access it as the resource owner.
Speaker 13 01:17:20 So the idea is then rather than sort of a me Alice to Alice sharing, it's Alice to Bob data sharing. And, and how do you control that? Of course is, is where things get interesting. So a, the idea is a make it asynchronous so that the resource owner doesn't have to be online when the requesting party that should have said R QP, sorry about that is requesting access to a given resource. Also, the ability to federate is, is a pretty interesting capability so that you don't have to have the authorization server and the resource server in the same, let's say wall gardens. It's what we're doing in, in the Uma work group is aligned with O IDC at so open ID connect. If you try to spell out our acronyms here, we could also do verifiable credentials. When if, and when that becomes a big thing, there's nothing wrong with, with doing that. This is more of the, the underlying mechanism to share the data. So I'll pause there for questions just on. This is the, how, how it works. I've got going into detail of protocol flows and all that here, but yeah. So there's one question, and Andrew's gonna bring the mic.
Speaker 13 01:18:57 There you go.
Speaker 14 01:18:59 Michael Adams here, apologies for my ignorance, but is this working group specific to, or Orth and open ID connect and VCs, or is it, would it work across, you know, a variety of technologies so that you can focus on the business functionality of the user managed access rather than the technology, you
Speaker 13 01:19:31 Know? Well, it does, it does build on OAU two in terms of not wanting to reinvent the wheel. There it is a technical specification, more than a say, a business process, the business processes leverage that, but the idea is to allow those businesses to enable their users. And I'll go into some more complex use cases in a moment, but yeah, we don't wanna reinvent the wheel and, and oat two is really kind of foundational for most everything we do with authorization these days. So I guess I, I haven't heard of use cases that would drive towards other underlying capabilities, but I, I agree that user manage access is a, is a big problem overall. And this is one way to approach it. Be interesting to hear use cases from you if you have any
Speaker 14 01:20:32 Well, well, I suppose the, the thing that comes to mind is kind of the offline use cases where you're not, you know, the two parties that communicating via proximity connection, neither of them online, and they want to,
Speaker 13 01:20:48 So it's like my phone to your phone type of thing. When we're standing next to each other,
Speaker 14 01:20:54 You have a, for example, if you have an IBAN attribute a bank account, and you want to give somebody, for example, corporate users with permissions account based permissions, kind of want to have that described in a way that can work with O or, and work with VCs, but also can work offline as well.
Speaker 13 01:21:25 Yes. So I need to think about that one a little bit. Okay. So let's try to come back to it. Thanks. Depends on the access token. Yeah. Yeah. There's a bunch of depends in, in this, so, alright, well, I'm just gonna move on with this. So what, what are we really enabling here? We have a resource owner is able to define rules for requesting parties to access the resource owners resources. We have the requesting parties, may a synchronously request and gain access to the resource owners resources. So the, the idea is that the online presence of the resource owner is not required. You can redefine the policies about who can access what and examples include, say medical records. I mentioned final financial transactions earlier government services. I'll, I'll get into a few in another slide. Some of the use cases that are in use architecturally, the idea is that from an authorization server perspective, you could protect mini resource servers and vice versa. You could have one resource server actually trust many authorization servers for different requesting parties. Again, also I mentioned earlier that the authorization server and the resource server can be decoupled. So that, I mean, they aren't the same physical machine and they are using the standard protocols to communicate.
Speaker 13 01:23:12 Yeah. So that just touched on the third bullet. Also we're agnostic to the actual data types of the resources. So it's all, you know, think restful interface type of assumptions there, although it could really be anything. So what kind of, what, what do we really get out of this? We have, we have that the, the, you know, we have one authorization server that can protect many data actual resources. The, the idea is that the services are, don't have to know about the authorization details. That's kind of part of what OA two does as well. The, a person requesting access from a different data owner and subject is, is able to do that. If the user can also create a fine grade authorization policy. So for example, I could give you access, but not you access, but your access could be only for one day or one time.
Speaker 13 01:24:23 It could also be like, oh, you can access it twice. And then you're done. So there's lots of variations on those themes. And what you get out of this is, is a kind of interoperability that I personally think that we really need in sort of this personal data in identity ecosystem and it's user centric, which is really where we want to be in terms of user friendliness. I think, I don't know. I I'm sure all of you are from, you know, the us and you and so on. Have there's different ways to share, say your medical data, but there's no consistent way to do it today. There are some things going on that build on some of these capabilities in terms of other work groups. I think we're not touching on those today. So let's see. So the effects of using this, why do ecosystems loosely coupled identity agnostic?
Speaker 13 01:25:28 Because it'll work with any IM system out there, ERs existing standards, like about two and ODC and user-centric experience. So there's a lot of implementations of this on the left. There's some interesting work going on or already completed that have listed a few on the right. The UK pensions dashboard is one that's using it. That's in process. Now Ontario trusted account that's for the province Canadian province of Ontario. There's a hospital that's using it. These are just example deployments. There are others that aren't sort of publicly referencable, let's say so recent and future work. This I is a report that is in the draft work state. As of about a month ago, this is a fairly extensive report around using a patient named Julia and her parent and how data gets shared between different parts of the medical establishment.
Speaker 13 01:26:44 You can see the roles here. We have a, we have Julia's mother acting on behalf of Julia. We have, you know, the authorization server. We have one specialist, we have a, a physician's Porwal that the specialist can use. We have the electronic health record system. And part of what the report details is, how as Julia ages up, she gains more control over her own data. And how does, how does that whole process happen as well? That's actually kind of where things get really interesting for managing access to private data. And, you know, the reverse can happen over time. Maybe Julie has gotten elderly and one of her children is going to be helping out manage her, her health interactions. So that's another sort of evolution in this space, but what the report actually goes into is how Julia is basically when she turns and, and the age is different in different countries. But let's say when she gets to be age 13, for example, which is true in some of the us states, she has control over how some particularly say reproductive health data is shared that in those states, the parents can be excluded from that data. And then, you know, when she turns 18, there's a whole nother stage of things that happen, right?
Speaker 13 01:28:23 Again, that's in the us, it'll vary by jurisdiction, but so there's a lot of complicated flows that happen with this. And there's lots of details in the draft spec I'll or not. It's not really spec, sorry, it's a report, but it's based on the Uma spec. I won't go into all the details of this, and it's actually just a piece of the puzzle. I think that's all I'm gonna go into on that one. So future work, we wanna do another report that is really focused on the financial industry and particularly open banking. There's a lot of interesting work that intersects partially with what is doing. So there's sort of this comparison and alignment exercise that we plan to start off on this year. And then of course, just helping with adoption in terms of example, implementations and whatever other re reports or use cases that could help others adopt it. So this is the last slide for those of you online. And, and I believe we're making the slides available in person as well. These are probably the most important links. This is, there's a, a, a kind of a how video, and there's some specs that you can dig up here on the Canara Wiki confluence pages. And this is our work group home. If you're interested in joining in, we encourage that. So I'll stop for how are we doing time wise? Are we okay?
Or, yeah, you're doing good. Lots of time for questions. Any,
Speaker 13 01:30:12 Yeah. Any questions remote? Let's see. I'm not sure. I see a tablet here. I don't have my glasses on.
We, we haven't figured out the technology to look at.
Speaker 13 01:30:23 Torso's gonna take a look here. I have no idea, but
At least I see a lot of zero questions, so. Okay.
Speaker 13 01:30:32 All right.
I expect that means no question.
Speaker 13 01:30:36 All right. So with that, then I guess we'll move on to this one. Who's who's
Handling this. Thanks very much, Steve. Yeah. Next up. It's John Wonderlich. I'll walk into the camera frame here. So John is the chair of the privacy enhancing mobile correct work group with a wonderful name and
Speaker 15 01:31:05 Testing. Am I live? Okay, good. Excellent. 15 minutes. Excellent. Thanks.
Okay. Take it away, John. Thanks.
Speaker 15 01:31:14 So from Uma, which has had multiple reports and multiple variations, and is now on version two and a release spec, I want to take you back in virtual time. So something that's very early in its development, which is privacy enhancing mobile credentials. So the way Cantera works is there's discussion groups and work groups, discussion groups, produce reports, and there tend to be terminal that's the, the end of it. And last year we finished the discussion group with the awkward acronym of PIM deal, privacy and identity production, and mobile driving license ecosystems. And we published the report last year, and that was really based around, and I apologize in advance for the number and, and acronym soup, ISO 18 0 13 5, which is the MDL specification. That's been published by the O for mobile driving licenses. And they're specifically because dash five in person presentation, right? So how do you protect privacy when you're using a mobile driving license?
Speaker 15 01:32:30 So that reports on the Cantera Cantera initiative.org. If you go to reports, you can, you can, you can find a copy of the report out of that report. We launched later last year, a new work group work group, not a discussion group called privacy enhancing mobile credentials. And the charter approved is approved in November. And the current state of work is that we're working on a early draft, an implementer's draft report. This isn't the report. That's gonna be the specification. It's a report for companies or individuals that are working in the space of mobile credentials, like driving license, deserving, presented in person on how you can do privacy in that space. And this is my, my day job. My John wonderlook and associates is in enterprise privacy consultancy. So I provide advice to corporations and governments and, and organizations that want to here in Europe, you call it data protection in Canada, where I'm from, we call it privacy, but it's much of a muchness.
Speaker 15 01:33:50 And, and how do you, how do you provide that? And to the point that Andrew made earlier, it's the difference between the identity assurance technical report and the, the full certification on identity assurances. It's the organization as a whole. And privacy's very much the same thing, especially when you use the word trust, right? Cuz if I talk to a cybersecurity person or somebody who's versed in crypto, they have a very different definition of the word trust than I do when I'm talking to my friend at a bar and I lean over and whisper in his ear, something that I want kept private, right? Because I trust my friend that there's an implicit rules talk to sociologists, but I'm trusting him. The technical trust that we talk about is that whisper in his ear. Cuz now Alice is talking to Bob and you know that the, the channel is reasonably secure.
Speaker 15 01:34:54 It's going just from me, from my mouth to his ear or Alice to Bob. And that's the technical trust. But for me to trust an institution with my information, that's the smallest component of trust. That's the smallest component of I trust my personal information with that organization, right? So the charter for the work group here, I'll I'll quote, the purpose of the proposed work group is to create a set of requirements and conformance required criteria to protect the privacy of individuals holding or using mobile credentials, such as mobile driving licenses. And then I go, we go on to talk about existing standards, provide technical and transactional assurance, which is true, but failing to respect the consent of mobile credential holders or the legal authority of the verifier to collect identity and could violate the privacy of the mobile credential holder. So what does that mean when it's at home, if you think of the standard trust triangle.
Speaker 15 01:36:02 So I assume if we're in this room, you've seen that, that, that trust triangle, whether it's self-sovereign identity or identity credentials or mobile driving licenses, where you've got an identity provider and individual in a relying party, we've all seen that diagram. Many anybody not familiar with that diagram in the room, right? The, the three parts of, of the trust triangle in the, the ISO MDL world, those three parties are called the issuing authorities like a, a motor vehicle branch or a ministry of transport or that issues, the credentials, the MDL holder, the person holding the driving license on their phone and the MDL verifier, right? It's the same trust angle differently labeled. And the question then becomes, well, if you look at ISO 18 0 13 dash five, it talks about the interfaces between those three parts and making sure that they're secure. And it has some fundamental privacy assurances. For example, the consent you, you don't have to present. You always, you always have a choice now, whether the choice is free and informed when you're pulled over by a police officer and requested to show your driver's license, you don't have a choice. You have a choice of, of whether you, you show the mobile one or the physical one, but you're gonna be, have to pull over.
Speaker 15 01:37:27 But nonetheless built into that standard is that, is that implied consent? So what do we do? What are we working towards in, in this report? Not just, not just mobile driving license, but any kind of mobile credential. So because behind the three corners of that, of that triangle are the entities that we have to invest the trust in. So if you think your Alice or Alexei coming to John's bar on grill, so I'm Bob in this scenario, how, and I've, I, you want to, you want to present your ID to my bouncer or doorman to, to make sure that you're okay. Right. So right now you present your driving license. And if my doorman or bouncer's not trustworthy, not only does he see your picture and validate the age to let you in, but he can also harvest. If he's quick with his eyes, he can also harvest your address and a stalking situation evolves. If that's done digitally and in a privacy enhancing manner, all he sees on his screen is a, a picture that he doesn't retain to make sure it's actually you holding the proof of presence and a green check mark that says your and nothing else is retained. I have a question in the audience.
Speaker 15 01:39:01 So while the mic is running over and the sort of standing joke in the, in, in, in our work group is that driving licenses are used much. The actual use case for driving licenses being implemented are used much more for drinking than they are for driving, but that's a separate one. Go ahead.
Speaker 14 01:39:19 How can you be sure that they won't retain it?
Speaker 15 01:39:24 That's the point of the work group? The question is, how do we, how do we ensure there won't retain it because that's an assurance that's done in the, in the protocol for MDLs and for other ones, but what we're working towards. And you'll, I can talk about this more later is exactly that a privacy enhancing mobile credential is a trust mark, that a verifying organization, not the technology or an issuing authority or the manufacturer of the wallet or whatever it is or the app that's on your phone is actually doing what they say they're going to be doing. That's the whole point of the trust mark.
Speaker 14 01:39:58 So is your objective to stop transmitting biometric data to the relying party? No. Which you then trust them to throw away when they're done.
Speaker 15 01:40:08 We, we, we can't specify what can be transmitted. There's use cases where a biometric data should be transmitted right in high security. Like I, in a prior existence, I was an air traffic controller. Believe me getting into a control tower is a high security environment. And another question,
More of a comments, sort of an answer. So in the context of ISO mobile driver's license standard, the ISO work group is actively working on mechanisms to prove that the presenter is who they're supposed to be without sending the biometrics. Good. There's good. There's no good technology answer yet, but we're working on it trying to figure it out. So not a, not an answer from the work group, but from the ISO specification itself for driving, driving licenses,
Speaker 14 01:41:03 Is it because you don't trust the person on their, let's say on their smartphone, being the person that is touching the fingerprint center, you can't be sure that it is that person that's doing face ID or touching the fingerprint center. If I may is not the problem,
Speaker 15 01:41:26 This is what I said about the difference between trust. If I'm Alice and I trust his organization, I really don't care that much about the technical elements about what I'm giving him, because I trust him that he'll, he'll, he'll do the right thing, but none of that's built into the technical specification. So how do I build that trust between me as the, as the, as, as the holder and him as the fine organization. It Andrew's right. And so are you, it's a wicked hard technical problem. But part of the way of avoiding wicked hard is being a trustworthy entity that I can trust. Well, they may or may not get it right, but I can trust them to do the right thing. How, how much time have I got Andrew?
Speaker 15 01:42:12 So what we're and there's been delays, COVID travel at that time of the year. We're trying to get this report out eight to 10 page report, just guidance for verifiers and providers and issuers on where we're skating towards, sorry, hockey analogy. Well, very famous quote in Canada. You wanna skate to where the puck is, is going to be not where the puck is now. So we want to give that kind of guidance to organizations that wanna produce or be part part of the system. So if you go to the report, the, the discussion group report you'll find sample requirements. And this is where we're trying to go just to, to end with this. So in our report, the we're going on, the guidance for issuers, how do we enhance holder privacy? So we wanna provide guidance related to the provisioning process. So if I'm issuing a mobile credential, how do I issue that in a privacy enhancing method, guidance related to the app or the wallet, functionality and guidance related to credential maintenance?
Speaker 15 01:43:20 So a sample requirement for issuers might be the issuer must ensure the existence of functionality, allowing selective data release. So I've got all this information on my, I've got my address, my date of birth, all that kind of stuff on my mobile driving license, but in the context of whatever transaction, maybe I only need the check mark. This is I'm above the age of majority and I can buy cannabis in this store or, or not. Right. And then the ephemeral picture to make sure presence for providers, similarly, guidance for providers to enhance holder privacy, guidance, to entities that produce applications or software APIs used by developers of mobile credential applications or wallets. And you can look at the list of participants in the work group, and you'll see that some of the major players in this space are part of the work group guidance related to the operation of an application or wallet on a user's device, including presentation, data transfer logging. So that's where we're gonna get into the weeds of the kind of thing that you brought up and guidance related to application or wallet maintenance. So an example of a requirement for a provider here is somebody's just asking to share my wifi pass is Joanie entered in the room, Joanie.
Speaker 15 01:44:46 So exactly. See what Joanie and I are you doing our, I, I guess we got our contact list on, we are both using apple devices. So apple says, oh, do you wanna share the wifi password to Jodi in the room? Okay,
Speaker 15 01:45:08 Couldn't have come at a better time. Right? So sample requirement for providers, transparency to hold at mobile credential presentment. So if I'm presenting a, my credential, is it transparent? What's being asked for why all that kind of thing, whether this might intersect with some of the work that the anchor work room around consent receipts and, and then finally information for verifiers, similar set of guidance and the sample requirement here is, and this one is a requirement that actually applies to verifiers issuers and providers, all identifying data shall be transacted through encrypted channels, right? That's kind of built into things like DICOM. That's kind of built into ISO. It is built into ISO 18 to 13 five. Although the encryption on Bluetooth or NFC, there, there may be technical issues. So that's, that's what we're working on. First the report. And then if your company or you are interested. This is early days, you get to, you get to shape what that, what that set of requirements looks like. And if, if we get where I'm hoping we will, we'll end up with a similar space with as with the identity assessment work group, where there's an actual assessment and trust mark, so that organizations can start to reclaim their customers or consumers trust. Thank you. I got about a minute left for any questions, anything online? Jonie. Did you get online? Okay.
Speaker 17 01:46:46 Question for you afterwards, but
Yeah, I got online. Thank you
Speaker 15 01:46:52 Question now for the group or for later
Later.
Speaker 15 01:46:55 Okay. Well, I think my time's up, so thank you very much. And I'll hand it back to Andrew.
Okay. Thanks John. Okay. Andrew Hughes again with my, was it how many hats are we up to for now? Like three, four, no
Library.
Okay. We had a presenter for the, for one of the other work groups who is unable to attend and isn't quite online. So we're gonna skip over that one. Once again, the slides are available afterwards for download, and of course we invite you to the Cantera initiative website for the work group work itself and the various reports that are coming out.
So the last work we're gonna cover before our break. So wait, before you go on a break as the identity assurance work group, I've just got one slide, but how many hours do we have to speak on this one? Three? No. Okay. I'll give you a quick overview of the work at, at the IA WG. As I mentioned earlier in the, in the session IWG is one of the cornerstone work groups. We manage the identity assurance framework criteria, which involves analyzing the standards that we want to check conformity against determining what assessors must do to determine conformance with the requirements in that specification, and then writing them out, getting community consensus, testing them out, figuring out if they're clear enough, if they can be used by both the companies being assessed and the assessors doing the assessing to come up with reasonably consistent answers. And then we fine tune them and revise them and take into account new developments in technology process. And generally in the industry,
Be thankful that I'm not showing you the spreadsheets that comprise the IAF there's do you know how many criteria there are? I'm pointing at an assessor in the audience, hundreds. Hundreds. Yeah, basically it's every aspect of your identity proofing practices, every aspect of your authentication authenticator deployment. So lots of detail. Welcome to go to the site, to, to take a look at that. Another role of the identity assurance work group is that we react to industry developments and try to come to a, an industry consensus, an informed consensus on a reaction, a position on those developments. So as you heard from John with the privacy enhancing mobile credential work group, that began as a discussion group, just another kind of group, which was addressing the fact that the ISO standard for mobile driver's license only covered technology and a very limited set of technology at that.
And the ISO work, the ISO work report specifically only addresses the technology because that's all it's supposed to do at Cantera. We recognized it would be a hot topic that needed more work around the practices, policies, and procedures of implementers, of issuers, of verifiers. And that's where the, the work arrived for the P C. And I realized that I strayed completely off topic, but with, with the identity assurance work group, the kinds of topics that were, that were discussing and gonna produce reports on are things like N 863 and modernization, I mentioned earlier today, things like dynamic risk assessment of devices, you know, the instant teleportation problem, that sort of thing. It's not really covered in the N standard, but it should be. So we're hoping to get together, write reports, develop a position to provide to N as input into the next revisions. That's the sort of work we do there. There we go. We produce reports. Another thing with identity insurance work group is that we do have a deep pool of expertise in the insurance programs. And I see a question in the audience, give that man, a microphone
Speaker 15 01:51:47 Since the delayed question from your prior presentation, the diversity equity and inclusion work group. And then I see that the UK assurance is for access to social benefits, which my original university training was a social scientist. And there's all kinds of stuff in privacy about how means tested or otherwise tested social benefits are not good for the privacy of marginalized populations. So I know it's not in the identity assurance work group yet, but is, is that one of the things that's on your roadmap to look at how you can protect marginalized, pop population's privacy and still provide identity assurance
Not directly yet. We're we're in the early days of the DEI diversity equity inclusion board subcommittee, and haven't begun the integration out to the work groups yet, but as we go forward, we'll be working closely with them. For sure. Now we do know that, you know, authorities like nest producing the standards are very concerned about that topic and it it's clearly in our future very soon. We just haven't done any concrete planning around it yet.
Okay.
Thanks for that. Okay.
So one of the things that the identity assurance work group does to help out other bodies in the industry is basically act as a pool of expert resources and a place to consult between frameworks, between programs. So we, you know, we keep our eyes out for publications, from other other organizations and provide comment and provide input as, as appropriate and as needed. And, you know, we, we've got a, a fairly regular cadence of those. I think we do about four and five a year. That's about the time we have allocated to that. And of course, we come out here and talk to people about the assurance program and how it applies to different different use cases and hopefully different industries as we go forward.
Okay.
That's my super fast version question
Speaker 18 01:54:22 Is the diversity equity inclusion work group. And I'm sorry if you said this and I missed it, is it focused mostly on how that gets integrated to the framework or is it broader than that?
It's actually broader than that. So it's, it's a board subcommittee as opposed to a regular working group with our board subcommittee structure, we have the ability to basically hand work over to a, a formal working group to work on. But right now the DEI initiative is for Canera as a whole and all of the work within Cantera and our expectation once the once that work group progresses is to start driving down into specific bodies of work within Cantera and hopefully out to, out to the rest of the industry.
So
Any other questions for the assessors in the room he asks leadingly. So once again, we've got lots of material on the website, which we're not going to Wade through in this, in this session. I think we're ready for a break,
I think as well. Yeah. We're a little bit early just cuz we missed one run GUP, so we'll do 20 minutes break.
Okay. So we'll resume at five minutes past the hour, we're having a panel on data protection and privacy impact assessment. So five minutes past the hour, we'll resume. Thank you to, we're going to start in a couple of minutes. We're going to start in a couple of minutes,
Speaker 11 02:16:47 Right?
Okay. Thanks for closing the door. We are back with the final panel on data protection and privacy impact assessments and the value of independence. Third party assessments and the current state. We do have our panel lacking one person who's unfortunately, remotely only, but we have still a great panel. I think I would just ask them to introduce themselves. Maybe they don't need to do it at all, but you have a phone.
So I'll, I'll start. Hello everyone. I'm back again. Hughes director of identity standards at ping and several roles at Cantera and that's my introduction, unless you wanted to hear more.
John,
Speaker 15 02:18:03 John Wonderlich I some Berlin I should pronounce it wonder, but in my day job, I'm an enterprise privacy consulting, providing advice and support to large enterprises to make sure that they do data protection, Europe, privacy, Canada, north America in, in a, in a way that meets reasonable customer expectations in Cantera. I share the privacy enhancing mobile credentials work group. I used to be part of the Uma work group and I think it was one of the co-authors one of the contributing editors to the blockchain and smart contracts group.
Speaker 18 02:18:46 Hi, I'm Joni Brennan. I'm president of the digital ID and authentication council of Canada. I'm based in Vancouver, British Columbia. We are an organization that's working to that has developed and delivered a Pan-Canadian trust framework. We are launching a program around this framework now, and we're also an adoption accelerator. So we're helping organizations to reduce uncertainty around adoption for digital ID in a prior life. I was ed for Canara initiative and in a prior life before that I was, I wore many hats in a old organization called the Liberty
Alliance. So I might have dated myself.
Speaker 15 02:19:29 I was in, I was in one of the expert groups in the Liberty Alliance. Yay. By the way, three Canadians
Front we're taking over the we're not taking, not supposed to say that. Thanks for little balance. I would try to introduce myself as what I'm Charles CEO and founder. Videocon here in Germany. So not only Canada now, but I do haves in visits. We're friends for qera working in different work groups, discussion groups, and currently on the board. Yeah, that's it. So let's dive in, I've prepared a few slides as an intro, as a current situation. Some, some details on what we currently do or try to do in, in, in Europe on that. So first of all, what is this all around? We talk about assessments and certifications. And the first thing to ask is what can you certify or assess? We do have different touches, which might be organizations, people, processes, devices, short entities, not strengths, thanks entities. Something that can be certified. The next question to ask is how do we do the assessment on that? We could do it eternally, or we could do it by a third party. I do not think there's anything else you can do.
The next thing is how do we confirm or assess the confirmative to something, to some, to, to what? And we will have a in interesting view from a poll that was conducted in Europe two years ago related to this here. So we do have technical standards legislation or let's call it normative framework, whatever that means. So some common rules people have agreed on that would be good to do. And in the end we have the question, what is it about this certification? Is it a mandatory certification? I do need to do something your questionnaire and or is it voluntary or is it just beneficial? It's good to have that. It's good to have the logo on the screen, the famous general data protection regulation, which came into effect a few years ago to have two articles, which do deal with the topic of certification or certification schemes, and that defies a more or less aims to do to your certification scheme, to voluntarily demonstrate compliance via a third party assessment.
That's the goal in article 43, we will find or can find the requirements for certification and supervisor bodies in that respect. So what is the current status to that? It still aims to do that. Those two areas are commonly known as the EU data protection seal, and it's still work in process. So it's not there yet. We are still discussing that, which is not uncommon in Europe. We do have plenty of member states where we need to put them all together and agree on something that takes time. It's normal. In 2009 90, we had to study on the data protection certification mechanisms and we'll have, or see a few reports or results from that in a, in a few minutes. And the other interesting part available right now is a certification criteria that was established or, or is available from Luxembourg, the GDPR CAPA, which is as far as I know, the most major one currently for that.
So that's a study data protection certification mechanism. You have the ISBN number can be downloaded 300 pages or something like that without the annexes. And it has surveys against certification bodies, assessors industries, economics, whole lot of surveys questions. And there was a short overview on the current certifications available. So what are the certifications that are available related to privacy assessments, privacy certifications. And we do see most of them two third, somewhere in the EU EU or former EU European union, Switzerland, UK. We have 32 in America region and a few in Asia Pacific and South Africa, Africa region. So there are already certifications available on the market.
Do we trust them? That's a big question. Is it trustable? Is it a trustable certification? Most often it's just a certification from some company which has some certification scheme, no one checks this study. The first part of the questions were around data protection authorities and national accreditation bodies, the blue one, the red one. And the question was, what are the factors relevant to access the expertise of an auditor conducting a certification process? And if we concentrate on those, let's say about 40%, we have the education background relevant to data protection experience in private sector, data protection or public sector, data protection, audit experience, and so on. And lot of other, we could check the survey list. Now, as I said, 300 pages, it's not important. You would see later where this will bring us to the next question or area of question they had were okay, what does the stakeholders, so what are those who would like to achieve that certification or take part of that? We had small and medium enterprises. They ask industry association, certification bodies, standardization, bodies, and large enterprises. In the end, they send out roughly 900 questions, question sheets to 900 different associations companies, whatever. And that got back 82. Okay.
Lot of answers. I have chosen here, those with more than 60%. So the question is what would be a good reason for you to participate in that certification effort? The question is it effective? Doesn't make sense at all the level of endorsement of such certification by data protection authority. So kind of cover your a whatever style business partner do they value that certification and the rest of, and that is always very visible and, and important for the EU, especially for the digital digital European digital market. Is it recognized the rest of the EU? So those are the most important things for enterprise cap. So big companies, big companies here means up to two more than 250 employees, which is not really big, but okay. Then the same question for certification bodies. What is the most important factor here? The question do they see it effective the customer level of enforcement in the European union recognition of certification within other EU sta states a legal, protective effect of certifications for the GDPR. Again, cover a area. And those are the, the, the most important factors that they do identify. I I'm sorry. I have to resort a little bit. Come later. This is one of the things when I read the study, that was for me, the driver to initiate this panel.
If you check this question, so is your certification mechanism? So that's a question to a certification book. Is your mechanism based on certain technical standards and 44% said, no. Interesting. Another question has your organization developed privacy data protection related standards? 85% said no. So maybe that's a good market for Canaro. How could that be? I mean, how do they certify? What, what, how can we reach not a European, a global agreement on privacy certifications, trust marks, certification marks, however we call it, how can we solve that problem? And with that question, I think we can try to, to get back to our panelists.
Speaker 15 02:30:10 Let me pick up on that last point. I remember
Speaker 15 02:30:15 Probably 12 years ago now I was doing a working for a, a ministry in Ontario related to a health initiative, a health data initiative. And I was doing the assessment on a provider. And one of the questions I asked as part of that assessment is what training, because even then you could do training on secure software development, life cycle, other kinds of training or certifications do your staff have with respect to developing this software. And they essentially said, we've been doing this for 10 years, leave us alone. We know what we're doing. The, this sort of culture of we're good at what we do. The tech bro culture almost trust me. Yeah, trust me. I know what I'm doing. We've been doing this for years, right? That was just gimme a break.
So as I, as I'm quickly looking for standards numbers in the ISO SC 27 program,
Mr. ISO,
Mr. ISO, yes. As it happens within the ISO standardization environment. So ISO standards, specify requirements, which needs to be fulfilled by organizations generally in subcommittee 27, working group five, which is dealing with identity management and privacy technologies. There's a few standards that have been written around requirements for privacy information management systems. That's not obviously not the same as GDPR, but for privacy information management systems, we have the set of requirements. And there's a second document for requirements for assessors of conformance to privacy in information management systems. That's the critical document. So not only are the required technical standards developed and exist, there's a companion assessment, one for conformity and the qualifications of people doing the assessments without that anybody can claim to do what they want to do.
Okay. So that question, how do I certify the, the, the assessor or assess the assessor that is already in the ISO standards? ISO working groups discussed over there
In, in many ISO work groups. Yeah. In, in, in the body of work of ISO, they talk about conforming assessment and certification. And for any of the certification schemes like ISO 2 7, 20 7,000 series for information security management, for example, there are specific standards on the qualifications needed to do the assessments and bodies doing, doing certifications against the ISO standards, the same thing as possible with regulations like GDPR. I haven't done a lot of research in that area. So I can't point at any specifically, but that those, the rules of doing assessments and certification schemes is, is required. Otherwise you get random results as, as you can see in the survey,
Tony, how does it work in the, in, in Canada, have you do a Canadian data pro privacy certification scheme planned?
Speaker 18 02:34:05 Yeah. So we're probably in a similar landscape in the sense of
Speaker 18 02:34:12 A good program and programs in Canada should be leveraging the requirements set out by the cert certification conformity assessment that are in ISO. We do have a national body that also is the body that provides that, that explicit accreditation underneath the umbrella of ISO. So I'd say within Canada, we have both organizations that are specifically under that national international accreditation umbrella, as well as those that have developed to be aligned with that way forward from the work that we're doing within the DIAC. We have built to align with the ISO certification body and conformity assessment requirements with a plan to go through that program and actually piloting in our current status as how we've we've been developed. And so we've been developed in that, in that way forward. So certainly the ISO baseline is, is one that should be worked toward for an ecosystem, whether that's very close alignment or, or direct accreditation through that ecosystem for any organization, who's going to do third party conformity assessments on standards, normative frameworks, and any of those artifacts that are in the space. So we're moving in that direction also.
Okay, thanks. I've I've put back that slide here for, we do have a twofold in two articles in GDPR 42, just trying to define a certification scheme, voluntarily demonstrating compliance. And the other one is really that area requirements for certification supervisor bodies to really, and, and we see it as important when we got those. Do you have a technical standards for your certification? No, it will not work with that. So a very good view or the best view so far, I have seen that's phrases that way is from the Luxem Luxembourg area, where they have put the current requirements into three sections, accountability criteria with policies, procedures, DPO, data breaches reduces of processing activities. And so on. So more or less the, the general discussion around GDPR, we have to remember, there's no way to certify some technical detail in GDPR it's or process related.
So it's the whole, you can't certify against single point of that, but they try to do that. The reason for that, I don't know if they think, okay, we will do a threefold or a three part certification where you can certify for one and two, but not three. I don't know, more likely it's something where you have to, or can certify against section one accountability that needs to be done by everyone. And then we have the two areas of data controller and data processor joined responsibility between them two define GDPR, but you might be a processor, but not the controller. So we could switch and distinguish between those two with my here, with different areas specific for the data controller or owner of the data, not the owner controller propose, accurate storage limit outsourcing and so on. So the whole process worked for the controller and on the other side, the process world for the processor related to security, subcontracting, and so on, that is one of the best I've seen so far, every two or three month, we get a new request for comment, let's call it that way. I forgot the correct word for that against the European data protection board, but that is discussed. And it's quite interesting so far. I think we have 12 of those documents. We're still missing four or six, four of them. And I think before we get this, the certification agreement, how could the certification look like? It will take another four years.
So what is the result? What is the outcome? What is, what is, what is our next step? What should we do? Where can we as an identity industry, standards, idea, body, whatever help. And do
I found the number
You found the number great. I was not sure about that anymore.
That's tracking my social stats, sorry. It's not changed. So the, in the, the ISO specification is 2 7 0 6 privacy information management systems.
You have an acronym for that
Pins, not the drink for the, the standard and part two of that is requirements for bodies providing audit and certification of privacy information management systems. So I see a question back there in the audience, don't
Speaker 15 02:40:01 Forget 2 7 7 0 1 2 7 7 2 applied to PIs.
Yes.
Speaker 21 02:40:08 He needs no microphone.
It's it's for the online crowd. Yeah. Yeah.
Speaker 23 02:40:18 Okay. So I'm gonna ask sort of the elephant in the room. My, from my perspective, the thing that makes certification adoptable is a requirement and some way to make it beneficial to organizations to adopt that certification. If, if it, if there's no value to the organization, as the CFO cannot say, we spent this on the certification and this is what we get for it. It's hard to do that. And so in, on sort of the question that you just brought up, what are we doing that gives a benefit to organizations to have the certification, something that is, that is real and tangible to the organization to spend the money.
Speaker 15 02:41:02 So if the CFO's asking the question, the CFO's probably gonna want a SOC two type two attestation. That's an accounting attestation has to be done by an accountant statement of controls. That's what's SOC two type two has five sub-themes. One of which is privacy, which is the one that I know, and like an ISO 27,000 certification. It's all in the statement of work, that when you engage the accountant to look at a particular part of the business, one of the ways that it, and I've done this with some enterprises, that it makes it easier for a CFO. And by easier, the CFO means cheaper to get an attestation from an accountant. Cuz those are all as expensive is if internally they use standards like this to develop their internal processes, whether that's a PIs with 27,006, or whether it's an information security isms with 27,002, they may or may not seek the certification cuz certification's expensive.
Speaker 15 02:42:07 But a lot of information security, it's almost a standard now in enterprises to use the isms 27,000 in two set of controls, they may not seek certification, but when they go for the atha station, which is what they need often, when they're looking for a contract with another enterprise, we need something to provide assurances for contract in the procurement process. So that's a long way around to get to what it is, but a CFO's gonna want to something from an accountant, your technical and policy team don't work necessarily very well with accounting standards. But if they do a standard like this, then it becomes a lot easier for the accountants to do the attestation. I don't know. Does that answer your question?
Speaker 22 02:42:54 Kind of? Yeah.
So
Speaker 24 02:42:56 It lowers the cost of risk management. Yeah.
Speaker 15 02:42:59 Yeah. That's the short version, but I never go with a short version
And I have a, a, a different take when you're talking about products, products and services in, in that, in that environment, certifications are requirements from the purchaser side. So it's all wonderful to do an internal assessment and so on. But if a purchaser says the minimum requirement is you shall be certified for this, that and the other it's done. There's no question about it. There's no real debate. So for example, if you're providing cloud services to the us, federal government, you and you're handling personal data or PII personally identify information of federal agencies themselves, you get your FedRAMP certification. It's really expensive, really extensive, but without it, you can't do business with the us federal government. So you go and get it. So that's one, one way to motivate it is if your line of business requires it in order to sell the discussion is not, should we do it? But how soon can we get it done?
Any other questions? I do have questions noted. Huh? I forgot that.
So, so one question I have for my fellow panelists perhaps is when there's a requirement like GDPR, which is a regulatory requirement, do you think there's the same kind of dynamic in play where instead of a monetary or business benefit to satisfying a purchase requirement, you're lowering the risk of a regulatory action against your company, which could keep you in business. So is it, it could be viewed in part as a defensive mechanism. Is that strong enough motivation in your, in your experience?
Speaker 15 02:45:07 I think there's, there's two branches to the decision tree that enterprises go down. One is a compliance. I have a regulatory requirements. How do I hit the check boxes to make sure that on, on the journey to sale, I, I'm not gonna have any encumbrances.
You, you don't go outta business before you get to sell the stock.
Speaker 15 02:45:25 Exactly the, and depending on the industry and the enterprise, the other element is if your core competence or your core offering to the customer is related to trust or privacy, then you go beyond compliance and start talking about building trust and those certifications and those processes can, can help in that manner.
And it's product differentiation capability differentiation
Speaker 15 02:45:52 At that point. Yeah. I, I know that when Cisco said that their privacy engineering and privacy compliance efforts improved their time to sales cut six weeks off their procurement, their, their average procurement, if, because they had certifications and, and, and trust marks, I forget the exact details. You can go, go look at, look it up, but it improved their procurement throughput significantly.
Speaker 18 02:46:29 Yeah. I think it's a multi-pronged ecosystem. And so, you know, the carrots and the sticks, you talked about lowering the cost. You talked about risk reduction from
Speaker 18 02:46:42 Again in the stick side, from regulatory coming, coming down on you for something that you haven't prepared. I think in addition to market differentiation, there's also the opportunity to define a product that may have the opportunity to integrate with another product and so easier partnerships that can come in and, and, and fulfill more end to end scenarios. So, so market recognition also of other partners to, to be able to work in a space together. I think different clients in the ecosystem have different motivators. And it will also depend on if you're an organization that is primarily a selling services to the public sector, or if you're an organization that is one that is concerned with selling services to public and private sector, you may have different combinations, thereof and different priorities around those drivers. And particularly if you're doing both, you, you might wanna cover all of those bases possible. So yeah,
Speaker 15 02:47:48 One of my pet peeves though, is when organizations claim their GDPR compliant, that's not the same thing as these, an article 45 certification, right? That's like GM claiming we're producing a car that makes you highway traffic compliant. No, you can still speed. You can still crash the car, right? They, so there's a, there's a lot of marketing what's that curve marketing
Speaker 18 02:48:16 Implementation would be GDPR compliant. Not necessarily
Speaker 15 02:48:19 You, well, not even then you, you can't claim compliance to operations. That's why the GDPR talks about is focused on processes and because you still, and one of the things you need to certify is your breach response mechanism. Cause exactly. Yeah. You know, the, you know, you, you can't ID 10 proof operations and write that out. If you want to see what I'm talking about.
So are all the, the marks, the certification marks that are on the market right now, are they useless
Speaker 18 02:48:51 Now? No.
Why?
Speaker 18 02:48:54 So
Speaker 18 02:48:58 To, to achieve full, full interoperability or full assurance alignment across an entire digital economy is a, is a massive undertaking. And that's going to take some time. And we know that services that are at the intersection of digital identity do have that intersectionality of local governance and local culture in terms of what type of solution would be more appropriate for one ecosystem versus another, and the type of regulatory schemes and, and, and foundational governance that that regional ecosystem is going to have. And so there is a challenge with trust scaling at massive global digital economy scale. And so one of the best ways to, to make trust operate is bringing it to the level of the locality solving for what you can in the locality. And then these, the frameworks such as the ones that we're talking about today, the regional frameworks, like the Pan-Canadian trust framework, for example, that has actually written for Canada and for the digital economy, working together with these frameworks in terms of the mappings, where they overlap, where they don't, where the deltas are.
Speaker 18 02:50:06 These are giving us real assurance tools to start to put together a landscape that looks maybe less like a melting pot, but more like an assurance mosaic of how different organizations can move from jurisdiction to jurisdiction and still have that compliance. And, and on the positive side, many of these organizations that are working in this assurance framework space are also working together in terms of mappings and where our line are and where they are not. So I think that it's, there is, I know there's value in going steps at a time in our localities, and then bringing together into the global ecosystem, through mappings and other other tools and mechanisms.
So there's still help and fear.
Speaker 18 02:50:48 There must be
Good. Christians are always great.
Speaker 25 02:51:02 So the three of you for Canada, so maybe you can speak that way, but as an accredited assessor, not an accountant, I wouldn't wanna do your taxes, but someone that is trying to expand my services to the EU and to the UK, typical, the localities are very restrictive in the ability for assessors to operate into jurisdictions. How do we stop that? Because that is limiting the quality of the assessors that operate in, in the jurisdictions that are there to reduce risk as part of the scheme.
I hope you're not looking at me.
Speaker 18 02:51:44 Okay. You wanted us to, to answer as Canadian. So I'll try my best
Also representing
Speaker 25 02:51:51 Challenges. You're also representing challenges as representatives of Cantera that also wants to get into jurisdictions.
Speaker 18 02:51:58 Yeah. Yeah. It's, it's, it's unfortunate that we don't have Ruth Punte from my team here because she's in all, all the, I think we all know Ruth Puente, if you don't, you should, she's amazing. She's in all the nuts and bolts of these details, but some, some of the things that we looked at is that it, it does come down to having the right coverage from a risk management perspective of the organizations. It does come down to it's possible for an assessor who's based in one jurisdiction to provide an assessment in another jurisdiction, but they need the right levels of insurance coverage to be able to do this. So, so largely what it comes down to in with assessors, being able to perform assessments. If I understand the question correctly in more than one jurisdiction is that they do have the right contractual obligations. They do have the right insurance coverage and, and, and with those pieces in place, this is, this is something that can absolutely be done
From my side. What I think at least in Europe, we try to harmonize that so that if you are certified for one country, you're certified for other countries, well, one of the most important things, even from a survey to integrated scale, we need to have this digital ID digital market in Europe. And that means a common framework, common regulatory settings,
Speaker 18 02:53:27 And the assessor requirements are built after the ISO. I can't remember if it's 17 0 20, but the assessor requirements are that are, are being leveraged in our program are the same modeled after ISO as well. So, so it shouldn't be too much Delta
Speaker 15 02:53:40 One hopes. I mean, Europe is lucky because of the GDPR and the unification of assessment across that. But I know you're not an accountant, but personal information, privacy identity is becoming increasing like tax law, right? Every jurisdiction is, is gonna wanna put its own yellow mark in the snow. And so you have to do jurisdiction by jurisdiction, conformance and capability testing just because that's the way it is. Right? So I, I sympathize and the GDPR, us federal tax code, Canadian federal tax code. But in Canada we have 10 provinces. So you have to file federal and provincial taxes. We have last time I counted 27 different privacy data protection laws in Canada also to provincial and federal jurisdiction. So if you're certifying, because you've got jurisdictional requirements, it's always gonna be a fur ball. The, the fact that we have things like ISO Cantera, these overarching provides a basis for getting into that, but you may always have to have some jurisdictional layering on top of that.
Speaker 18 02:54:59 I think also we have, you know, in that metaphor, we do have have tax treaties, right? We do have so, so, so that's a place that we'd wanna get to similarly in, in, in this ecosystem. And then I think back to the first question around, is there value in the work that's being done? One of the massive values is that we're seeing where do we align and where do we not align? Because ideally we wanna say, well, if we've got five jurisdictions doing something and the sixth is not behaving like the other five Quebec, maybe we can go back Quebec. Maybe we can go back to the six and, and see what's happening there and bring that to a harmonization. And so that, that alone has massive value and actually seeing documenting what's happening and trying to bring that, that alignment together
Speaker 15 02:55:48 To be fair. Quebec's latest law, probably more aligned with GDPR
Speaker 18 02:55:51 There as, as close as can be with GDPR in Canada right now.
So we are heating for the least come on, denominator on that. Well,
Speaker 15 02:56:01 Check me if I'm wrong here, Andrew, but international standards where you have to get a hundred people from a hundred countries with 80 languages in a room to agree on something is the very definition of the lowest common dominator, right. Especially when at least 10 people in the room don't want the standard to go forward. Right.
Speaker 18 02:56:20 I think they have a term for that. It's called exhausted consensus.
Yeah.
Speaker 15 02:56:24 Sorry. Did you say exhausted consensus?
Okay. With that exhausted consensus, I think we can close the panel if there's no question anymore. Apparently not so many things to your great to have you here. And with that, I think we can close the whole Canera workshop as well. Do we have something left over
Speaker 15 02:56:48 Networking
Time? See you next year. Bye.
Speaker 15 02:56:52 Thank you everyone.