Event Recording

Ethics in Security Design - For Digital Identity

Name: Ethics in Security Design - For Digital Identity
Uploaded: 2023-05-11T12:00:00+02:00
Duration: 23 min

Posted on May 11, 2023

Digital Identity and Security solutions impact our environment, typically in a positive and securing manner. However research shows that increasingly digitization of identity services, for digital identity, also exclude and harm individuals.
In this presentation Henk will detail his research into the impact of digital identity solutions on nation state level and how to start involving ethics in the design and implementation of these solutions.
The findings also apply to designing and implementing security solutions for other purposes than digital identity.
The approach to engage with ethical conversations during design will be explained theoretically, linking to the background of Value Sensistive Design (https://en.wikipedia.org/wiki/Value_sensitive_design) and made practical by case studies of Ethics in Security Design.
Henk has been researching the ethics of digital identity at Leiden University, NL, in 2022.

Show description

Speaker

Principal Consultant
SonicBee

Drs. Henk Marsman

Henk Marsman is independent researcher on Digital Identity and Ethics as well as principal consultant with SonicBee, an IAM Advisory Organization. Before that Henk was Global Service Owner Identity and Access Management at Rabobank and prior to that senior advisor and lead of the Deloitte IAM...

View profile

Show Transcript

So my name is Hank Marshman. I have to rectify one thing right from the start. I do not have a PhD. So in that sense, I'm not a doctor, but the DRS that I have in front of my name is the Dutch way of saying you've done a master's. On the other hand, I did spend an a year and a half at university doing actual research. So I'm somewhat of a researcher, but I don't have the title yet. However, if there is any professor in the room with promoting rights do come talk to me afterwards.
And I actually wanted to start with saying that I'm very happy to be here because I get feedback this time. And I assume that most of you know what happens if you have a system with a broken feedback loop, that system will become unstable and will go off the road. So last year I was at this beautiful conference and I joined hybrid league and I was giving a presentation online and I found out what the effect is of not having a feedback loop. Then all of a sudden you get a very hard stop because you exceeded the time. So I'm glad to be here getting feedback, being able to look at the clock, which is not doing anything at the moment. So I still have 20 minutes and I'm gonna talk about ethics, insecurity, design for digital identity.
And before this, I'm gonna start with that. I see I left out a slide so the slides were not updated too bad. What I wanted to start with is that over the past couple of days I've been listening to a lot of presentations and there were a couple of quotes that that rang a bell with me. There was Emma Lindley in the, in the first day talking out of the women in identity research and you see, and she said, she made the statement, I have bias. You have bias. So let's get over the fact that we should not or would not like to have bias. We have bias and we need to deal with it. And then Vittorio came up with a presentation and somewhere along his great presentation there was this brief line of identification is a civil liberty. Now that's hardly a technological statement. Then we go into the realm of political science and they've connected to me with Ian with his boxer story saying we need to fill consistently. Well I'm gonna show you a failure that we don't want to make consistently, but we want to be able to address it consistently.
And the last quote I had was by Mike Kaiser saying somewhere in the q and a that yeah, should we give individuals this power? Should, should we give that to them? And he said, yeah, I think individuals will act in the interest of the group. Well, I don't know if I can find a lot of historic evidence for that, but that's not a technology claim. And I think with those observations, so kind of feedback from the conference, during the conference, you can already see that we're out of the technology domain with our topic. So what did I do?
I made a small puzzle mainly to make clear what I'm not gonna talk about. I want to talk about two things related to ethics and digital identity. And the first question that I want to answer is saying, why should we consider ethics as a topic of a deep cybersecurity technology domain of identity and access management? And then if we should do something with that, how can we do something with it? Cuz I can imagine that everybody, if I ask the question, is ethics important? We'll raise their hand. And then if you ask the follow up question, do you think ethic is difficult? Maybe also everybody will raise their hand. So that's where I want to help by, out of the research that I did, given demos or or show what the harm is that happens, then give a moral perspective on it, an ethical perspective that you can use and then make it really practical on how it's applied. And actually we're currently in the Netherlands doing that.
And to start off, this is the article that my research resulted in cuz three, three years ago I started at Lida University and I said, I want to prepare for a PhD, I want to investigate this digital identity because I read the claims by McKinsey, Accenture World Bankless, give everybody a digital identity and we'll solve a lot of problems. And on the other hand, I've read a couple of cases on where we see that these things go off real. So I started at university, I said I want to figure out what a good digital identity is. And they said, well that's interesting because good as a word, as a concept is coming out of moral philosophy. So we're gonna send you off that way and we are also gonna send you off in the digital identity track and how nations, how states are handling these type of solutions.
And one case that I came across and that I wanna highlight here is that of Uganda. Uganda in Africa is a country that is working on a digital digital identity solution. And their national national identification or digital identity solution is called Naga Muntu. And they've been rolling that out over the past couple of years. And you probably know of Ahart has been a lot of research in that area, but also in the, in the African countries there are a lot of initiatives in this area to see what they can do with biometrics, with digital identity. So in this case in Uganda, the national identity cart is a physical cart with a machine readable zone and it has stored your fingerprints and your facial biometrics. And that is connected to both access to physical services and online services. And by the time that the government thought it was a good idea to close down services like healthcare and make such a cart a rec, a prerequisite, not everybody had a cart yet.
And that led to, to a lot of problems. And the two two specific cases, the one on the left hand side is a young lady, 20 years old. And during the whole program where the government was rolling out this, this digital identity solution or national identity solution, she, she was not there during the registration. She was young, she was pregnant, she dropped out of school and then she realized that I need, I need to have this identification card because I need it. And she went to the local district to register kind of in a second, second attempt. And I told her, you can do that. It, it's gonna cost you a little bit of money. Of course the first time was free but now you need to pay. So there we have the first exclusionary factor.
And at the time she was still not 18 yet, so she couldn't register at the central office. And indeed I think a year later she needed medical treatment. She went to the hospital and she said, well if you have this N I C card, we will help you. She didn't have the card and and the literal description was they threw a book at me and said I should just go away because in order to be helped you needed to have that identity card. Luckily she did receive help and, and the researchers talked with a lot of these people and he says what they did is they tried to find the young nurses who had a little bit of compassion for the human, for the individual and kind of bypassed this weird requirement. And the other case is he was 88 years old and by the time that this program came along to register everybody, he couldn't prove his age.
So he didn't have a birth certificate. And what then happens is that they start asking questions like, okay, so who was the ruler when you were young? What historic events do you recollect? And then they tried to build this, this frame that and they said, well I we think you're 70. That also meant for this guy that he waited, had to wait another five years before he would get his senior citizen grant again because he was 88, he got his pension senior citizen grant. So now by the registration making him 10 years younger, he lost that he's frill traveling to that district office to correct it is difficult for him hearing stories about how cumbersome that process is makes it even more unattractive for him to do that. So here we see like two cases and there are a couple of more described in that research where see what the impact is of identification projects, digital identity as well if they've, if they negatively impact human life and individuals, I can of course wonder is this is this digital identity and and in the non-digital world also people are harmed should we really care about this case?
And it's true that also in the non-digital world people are left out and we have exclusion but we have a couple of hundred years of experience of correcting that and we have our ways for that. And the other aspect is like is this an isolated case or not? It is not an isolated case. So in the keynote on Tuesday, Emma shared with us the women in identity report. Kevin from the UK is one of the cases they have who is struggling to get registered for an identity in India. They have, and there is a situation in 2019 where they mixed it up with the citizen register and they said, well actually all these people that came across from the border are are not really citizens. They're like immigrants. And by connecting that citizen, non-citizen ship to aar, losing AAR means no identification means no bank account means no mobile phone subscription means no supports, no welfare.
And actually the US also got a, a notification here cuz that's where the state and the IRS outsourced the identification services to ID me. And they also found out that the registration there was very difficult. So early on this stage somebody said the most costly part of identity nexus management is the registration. It's also one of the most challenging ones. So I think as I am practitioners, the question is do we care or not? And I decided I care. So I started digging into this and and basically my question was how can we make it better? Because this quote Mr. Berg stuck with me, huh? Technology in itself is not good or bad, but it's also never neutral. You will use it in a certain way, take the biases that were mentioned earlier and that means that it will have impact. And if you do that in a system without a proper feedback loop, it can go on for a long time before it gets corrected.
And in the Netherlands we have our own experiences with poor artificial intelligence algorithm solutions. The other thing that I learned from this one, and that's a quote by Mark stain researcher at Taino. He said, we are technologists, we are engineers and actually engineering is a moral activity. I was like, what do you mean? He said, yeah, well if you're an engineer, you have a problem. You wanna make it better, better good is a moral philosophical concept. So actually as engineers we are also ethicists because we wanna make this world a little bit better. We're solving a lot of problems.
So then the question is how are we gonna do that? And for that my slides are a bit messed up so my storyline is also messed up. But for that I found out in my research that we need to have an idea of what, what mental model, what moral concept can we apply and then how can we apply it? And you already could have taken it from the title from my publication is that I came across the capabilities approach. So if you dive into the philosophical archives and the the world of Plato and Aristotle, you find a lot of lines of thought like utilitarianism. If the end is well then the means to that end are well virtue ethics duty at count. But it was one that stuck out and that was the capability approach. And the capability approach is developed by Amaren and further developed by Martin Nusbaum.
And Amaren is an development economics and a philosopher and he worked in India and there they said, well we see that the GDP growth of this province, GDP per capita has increased. So we're we're improving, we're getting better. Connecting that to welfare and wellbeing. And then they dug in deeper and they saw that actually the education was going back, it was not, it was not not getting better. So what happens that the DI division of the funds was not equal and they looked at possession in the sense of money but they didn't look what people could do with that. And that's when they came up with the capabilities approach because they said if we want to go from A to B and we give everybody a thousand euros, is that fair equal just, well it depends because if I'm in a wheelchair, I need to get a cap that can carry the wheelchair and me to this location and it's gonna cost me more money.
So we should not focus on like an equal distribution, which is kind of libertarian concept. We should look at what people can actually do. Do we have equal capabilities? Do we have agencies or can we choose freely? And then also they introduce another aspect and that is context or conversion because say for mobility we give everybody a bike, but I live in the desert then it's not really gonna help me. So you also need to look in what situation is this person with these capabilities. If I'm in a culture where it's not allowed as a female to drive a car or ride a bike, then these things won't help me. So that's a way of looking at are we improving things? Is this better for wellbeing and welfare by looking at the individual, the human, the capabilities he or she has and also how much effort they need to make to use and apply those capabilities, the conversion factors in their context.
So with that in mind, I started looking at digital identity solutions on a national scale. And that's a different presentation because what I wanted to do now is kind of give you some really practical ideas on then how do we do that? So I'm engaged in a project at a customer, at a government, how do I then make it practical and then out of academia there are a lot of models but I find kind of a common threat there. So I'm, I'm not picking on a specific one that is in the notes on the, on the agenda, you can look that up as well just tell you sensitive design. But I'm gonna focus on those three aspects. It's always about the context of technology and its use, it's about stakeholders and the users and then it's on impact and values. And there are many ways to do that.
There's one that I want to give out as an example and that is guidance ethics approach where they say ethics is not a judge but it's actually more like a coach. It will guide you and you should start off by describing the technology in its context cuz identity management in the Netherlands is different than in the UK and that's both in Europe, not completely anymore, Netherlands and Germany. But in Africa it's different. In Asia it's different. In the US it's different. So in technology operates in context, then you're gonna have a discussion with everybody involved about what are the effects of technology. And then also it's important to make space in those conversations for feelings. Cuz feelings are signals for values. Doesn't feel right, doesn't it feels yuck in privacy. We have that with the decree line when things exceed the Cree line, even though they're legally okay, what we had in the Netherlands with i n g and a large supermarket combining forces in a, in a loyalty cart, legally it was okay but the customer said it doesn't feel right.
Something is happening here with my privacy, with my autonomy. In those conversations you come up with improvements for your design and you should also incorporate them in the operation that can be in the solution itself. So you make a better identity management solution, it can be in the environment. So there is no privacy law. Well let's get a privacy law in place, get a policy in place and you can also do something towards the individual training, raising awareness. Now in my updated presentation, I had a very nice case, but there's not that much time. But the case was about the care robot in a senior citizen's home where they did this and they kind of found out that there were 18 actors there interest cuz it's not just the senior citizen and the nurse and the doctor, it are the parents and the children of the senior citizen.
It is the supplier of the care robot. And for example, things like this thing can read out your medication but the senior citizen is sending next to somebody else. So a privacy screen was one of the things that they come up with to incorporate this value of privacy. So there are two links there. The interesting thing is that I'm involved with the Dutch government activities around ADAS and the European digital identity wallet and they just kicked off with doing four of these workshops, four digital identity wallets in the Netherlands in the context of adas. So I'm really curious what will happen there and it's at least an an deliberate effort to discuss values in a quite technologically and and complex solution.
Also, there's already a lot of material available. You start digging into this. So this is more for you to have a look at in the plane back or in the train back at home if you think this is interesting. What I found especially interesting is that we can bridge and learn a lot from academics here who've been thinking about this for years already and apply that to our practice because the domain of identity and management is now really touching society as a whole. And that's where we see that it's like what they say with ai, we build a car and release it and we haven't really test driven it yet. So that is something to do perhaps a little bit slower and have those conversations about what is, what is the impact, what will happen when we do this digital identity thing. The other aspect that struck me today was that when design, we usually go for the happy flow and the majority and there are always those edge cases.
I think this is one of the change points, the inflection points where we, where we find out that our edge cases may be etched to the design but they're central to our humanity. So if we design for the edge cases, whatever solution we will get, we'll be able to handle those edge cases and it will also be able to handle the general audience. So with that thought, I'd like to conclude if you wanna know more, if you have questions, might be a little bit of space for questions now. Otherwise tap me on the shoulder later today or tomorrow. So thank you very much.
Yes, thank, thank you very much indeed. So there don't seem to be any questions online, but I I was reflecting as I listened to what you talked about, that the cases that you brought up were an intersection between law and technology and not always technology because for example, the problems in the UK about the so-called wind rush didn't involve any technology. It was simply that the paper records of what had happened to these people or where they'd come didn't exist. And so it it, it technology can be a convenience but if the law doesn't, if the law is wrong, then the law will cause the, the the problem. So is it that you are saying you have to always design the system in the wide, wider context or have I got something wrong there?
I think you've on the right track there. I think for these like, like if we do digital identity on a national level, we should expand that scope because then we're not just dealing with employees or third parties or customers, but then we're dealing with everybody in society. That's where we have governments who play a specific part where the jurisdiction and the legal framework does that as well. So you, you need to include that in thinking about how it will run and also on that level. So on the national scale, you cannot drop in digital identity and, and let it float there. There's another case where people did that, they focused on the use case of voting. So everybody from 16 and up got this digital identity and by doing that they neglected birth registration. So what happened 16 years later, people would come up for a voting idea but they didn't have the birth certificate. So that kind of breaks the change. So you really need to, as a, on a government level, you need to take one or two steps back to consider the whole. And yeah, in another occasion in Kenya the digital identity project was paused because of the lack of data protection, impact assessment, data privacy impact assessment. So yeah, it's, it's, it's a big thing that we have here.
Yes. And it, it is a major problem for the people. And the examples you gave are only a few. I think it's, it's sort of, there are many other cases that you can just be born in the wrong place or at the wrong time and it can be almost impossible to get an identity. So are there any further questions further? No. Okay. Well, so I think we've got to say thank you very much. Thank You're welcome. And thank you for your thoughtful presentation. Thank you. Yes, bye.

Playlist

European Identity and Cloud Conference 2023

Event Recording

Defining the Protocol for Internet-Scale Digital Trust

May 10, 2023

The Trust Over IP Foundation (ToIP) is focused on the centerpiece of the ToIP stack: the trust spanning protocol that will do for identity interchange what the Internet Protocol did for data interchange. This panel will explore how this will enable ubiquitous, trusted, interoperable identity exchange.

The internet was designed without a trusted identity layer to connect physical entities to the digital world. This layer is now emerging in the form of decentralized digital identity systems based on digital wallets and digital credentials. ToIP was founded by a pan-industry group of leading organizations with a mission to provide a robust, common set of standards forming a complete architecture for internet-scale digital trust. The ToIP Technical Architecture Specification V1 was completed earlier this year. Now ToIP is focusing on the keystone to ubiquitous identity, the ToIP Trust Spanning Protocol. This protocol will do for identity interchange what the Internet protocol did for data interchange.

This interactive panel, moderated by ToIP’s Executive Director, will explore the views of its member organizations for a lively and engaging debate on how we finally establish trust in the digital age. Come to this panel to understand the why, how, and when of this new protocol.

Watch

Event Recording

Access Management Trends in a Connect Anywhere World

May 11, 2023

The combined impact of the pandemic driven shift to remote work with a connect-anywhere paradigm and the ongoing digital business transformation has inspired a higher awareness of cybersecurity concerns, requiring a profound change in the way we define Access Management.

New contact-free onboarding experiences from the workforce to the customers; the need for managing human-to-device relationships; passwordless authentication as the new normal; decentralized identities as a new way for dealing with identities; the impact of policy based access; the convergence of IGA and Access Management: All these are just some of the trends we observe. In this session, we will talk about the Access Management trends and provide guidance on how to leverage and extend your existing Access Management towards a future-proof Access Management.

Watch

Event Recording

The Killer Credential - Spotting Verifiable Credentials That are Absolute Must-Haves for Every Party in an Ecosystem

May 10, 2023

Watch

Event Recording

Spicing up Authorization - A Zanzibar inspired approach

May 11, 2023

As a global OEM of highly critical and complex industrial devices, managing access to hundreds of millions of IIoT device resources spread across customer sites all around the globe is already a challenging task.
Use cases for providing a digital service platform need to address end customers accessing devices owned by themselves as well as priviledged access for in house and third party analytics applications and serice personnel. A combination of requirements for excelent user experience, authorization management and high performance for cross-tenant queries for endless scenarios can become a nightmare.
The task was to analyze the access requirements, abstract them and then deploy a “Zanzibar” inspired approach to manage access authorizations with a swift and reliable backend architecture, able to handle millions of information assets to be protected against unauthorized access.
Creating a mere access model does not do the full trick - it has to be cleverly designed into data storage structures and queries to achive the required performance goals!
The talk quickly introduces the problem set and then dives deeper into how to implement data storage optimization magic to get quick response times and swift adjustments of authorizations.

Watch

Event Recording

The Art of Creating a Framework for Responsible AI

May 11, 2023

Watch

Event Recording

The eID Threat Landscape – Stay Ahead of the Fraudsters

May 10, 2023

Cash grab-robberies are out, online fraud is in. When multinational hacker groups target senior and vulnerable citizens as a business model.

Learn how BankID is fighting fraud and helps you stay on top by identifying, preventing and notifying you of fraudulent usage in real time, while preserving top user experience.

The dream of tomorrows digitalized society is already a reality. Sweden is one of the world’s most digital and innovative societies. The fast and secure digital identification provided by BankID is a corner stone in this, to many, futuristic ecosystems. Many shops and stores do not accept cash and the amount of cash is low, something that inflicts digital threat. Studies shows a steep growth curve of digital fraud in several markets. In some places, fraud has surpassed drugs in turnover and profitability and fraud factories are popping up globally. Talented social engineering fraudsters and patterns with efficient crime-as-a service software, modus and tools. Fraud schemes including native and international fraud clusters targeting Swedish bank customers.

Learn more around the Risk and Anti-fraud toolset in the BankID Identity Platform. Digital identity is an area where the need for innovation is extensive. Whatever future eID scenario you discuss, security is always at the core.

Watch

Event Recording

Building a Secure Digital Experience Without Friction

May 10, 2023

As the number of digital touchpoints in the customer journey increases, IT teams rely on customer identity to optimize security and user experience. However, ensuring one doesn't overshadow the other often requires multiple integrations and custom development, creating internal friction and slowing innovation.

In this talk, Sadrick Widmann, CEO at cidaas, will explain how to remove barriers and improve cross-functional collaboration to bring seamless, secure customer experiences to market faster.

Watch

Event Recording

Market Overview: Identity Governance & Administration (IGA)

May 10, 2023

The Identity Governance and Administration (IGA) market is continuing to evolve through more integrated Identity Lifecycle Management and Access Governance solutions that are now increasingly aided by intelligent features. In this session, KuppingerCole´s Nitish Deshpande will share with you insights into the IGA market, providing you a compass to help you find the products that can meet the criteria necessary for successful IGA deployments.

Watch

Event Recording

A 4 Year Journey Towards a Smooth and Strong e-Signing Solution in a Multi-National Insurance Company

May 10, 2023

A journey of the multi-national insurance company to find and introduce a smooth corporate e-signing solution, both legally and technically well-justified. A story of considering and aligning different dimensions to find a tiny path between legal trust and protection, technical constraints, smooth user experience, global EU Regulation (eIDAS) and country-specific local habits.

It was a huge puzzle to identify and solve all the critical actual and future needs of the different business use cases for e-signing across the company to come up with a singe corporate solution and move gradually away from the very fragmented and mainly technically driven landscape of signing solutions.

Traditionally those have been introduced as the ad-hoc remedy to some local needs in isolation from other initiatives and without proper validation of both short and long term legal impact to the company.

Watch

Event Recording

Modern Authorization: The Next IAM Frontier

May 10, 2023

Identity and access have always been joined at the hip. In the age of LDAP, authenticated users were granted permissions based on group membership. But this mechanism hasn’t transferred into the federated identity landscape.

Instead, modern identity systems try to generalize permissions into scopes that are embedded into access tokens. But this doesn’t facilitate fine-grained authorization - a “read:document” scope doesn’t typically mean the user can access every document!

While identity has moved to the cloud, we still don’t have fine-grained, scalable mechanisms for generalizing authorization. So every application builds its own, and IT ends up administering every application differently.

Fixing this is arguably the most pressing challenge for the IAM industry. In this talk, we propose a set of principles, inspired by zero-trust and the latest work in cloud-native authorization, that should underlie the solutions we build:

Support for fine-grained authorization (both ABAC and ReBAC), delivering on the principle of least privilege. Google’s Zanzibar provides an important blueprint.
Managing authorization policy-as-code, enabling separation of duties and policy-based access management. Open Policy Agent is a good building block.
Performing real-time access checks for continuous verification. This function should be downstream from authentication.
Collecting fine-grained decision logs, providing the underpinning for comprehensive offline auditing and access analysis.

Watch

Event Recording

Market Overview CIAM: Customer Identity & Access Management

May 12, 2023

This session provides an overview of the CIAM solution market and provides you with a compass to help finding the solution that best meets your needs. In a recent Leadership Compass, KuppingerCole´s Senior Analyst John Tolbert examined the CIAM market segment, product/service functionality, relative market share, and innovative approaches to providing SOAR solutions.

Watch

Event Recording

The Human Factor & Access Governance

May 11, 2023

One of the fundamental problems of identity and access governance lies in very unclear relationships between real business needs, access policies and decision making about allowing certain action on the assets. For years we are trying to develop access policies which at the same time corresponds to business expectations, digital security rules and regulations, and people-centric to minimize deviations.
In this session, we will discuss human factor in IGA program and how to provide human factor analytics in access governance using new three-dimensional model called NPR (need, policy and resolution). We will show how NPR reports will help the organization to determine necessary adjustments of the policies and their implementation in Identity Governance workflows and processes to improve maturity, decrease risk of breaches, policy deviations by users and cost of managing and enforcing policies also known as Costidity. We will also show the sample reports based on data from higher education customer.

Watch