(No.50) Aspects of Identity

This workshop is intended to enable the exchange of ideas around various Aspects of Identity on the Internet, allowing the panel of identity experts from the Middle East, Asia and Western Europe, to interact with the participants with the aim of achieving some consensus on key aspects of identity use. Importantly this needs to cover the global or “borderless” perspectives of identity over the Internet.
 
The workshop is titled Aspects of Identity as it was at the IGF 2011 in Nairobi as it covers a number of different closely related topics. There are three objectives for this workshop:
1. To look at the governance of identity on the Internet and its impacts on security and privacy.
2. Look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development.
3. To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services.
 
This workshop focuses on registration of people onto Internet sites (and the protection of their personal data), either for obtaining identity credentials or for getting access to services. It does not cover access control, user authentication or any subsequent use for ongoing logon or authorisation systems.
 
It addresses aspects of three of the main theme questions and follows on from the workshop presented at IGF 2011, including the report (Aspects of Identity Yearbook 2011-12) and the presentations at the UK IGF, InfoSec 2012 and EEMA Identity Governance 2012 (links to these are provided below).
 
Identity Governance on the Internet – This topic follows on from the output of the workshop at IGF11. The discussion is about who should have control of personal identity and what legislative or standards framework would be practical for such a vast range of applications. The panel have some ideas and would like to solicit input as to their international practicality. The registration process for identity credentials can reveal vast amounts of personal information. These are not only at risk from malicious code (Trojans, keyboard loggers) and criminal elements (e.g. credit card thieves), but from misuse by organisations and in some cases governments that collect the data. How can a governance framework reduce the likelihood of misuse and allow safer registration for users? How will such a framework help Internet development especially in developing countries where online services may be much more practical than physical services in some cases, but where data protection is not enshrined in law?
 
Commercialisation of Identity – There are a lot of people who do not realise identity information has value and is often used as a currency on the Internet. Identity is used not only for buying access to information and resources, but also linking people together in social networks and in ways they may not want. It allows targeted marketing and is responsible for some of the value of many big organisations on the Internet. However, it also allows for targeted attacks and identity theft. This topic will generate discussion on how to make people aware that their personal information has value, to them, to organisations and to criminals and to look at how identity is used as a currency on the Internet. This will cross-pollinate with various other workshops around commercialisation of the Internet and privacy. Identity registration is one of the primary ways that personal information gets on to the Internet in the first place. Internet services such as using a mobile phone for both micro payments and online banking may be much more practical in some countries than traditional bricks and mortar banks. But how does a bank know the person registering is who they claim to be and how does the person know the bank will not misuse their information?
 
Identity theft and the misuse of online identity is a growing concern and identity data is becoming much more valuable to organised crime. This topic covers the balance between privacy, security and openness with aspects from registration of users to minimising the privacy impacts of registration. How do you protect the naïve from themselves? How do you get people to understand that what they put on the Internet stays there forever and can be seen in future interactions, such as when applying for a job or starting a new relationship? How do you make online registration safe and minimise the amount of information required and protect people’s privacy, but still allow that information to be corroborated to meet business risk management requirements? This topic is one of the fundamental issues facing the development of the Internet and its use. How can the internet be made safer for everyone by ensuring that anonymous activity is possible where it is not used for illegal purposes?
 
There are significant information resources on the Internet, for learning and development, but should identity be used as a currency to buy access to this information? These aspects are critically important for children accessing the Internet who do not realise the risks of revealing personal information in online registration or social networks. Should there be laws enabling redaction or real deletion of information from social networks? Can consent be revoked?
 
The workshop last year proved very effective in providing an international context and deriving useful answers to a number of key questions. This year the aim is to build on that work and try to address some of the areas that are becoming critically important, due to the widespread use of identity online and the cyber security risks now posed by organised crime and other threats targeting Internet commerce and government presence on the Internet.
 
The format is a number of short presentations (about ¼ of the time) followed by a panel based question and answer session, giving members of the audience the chance to contribute and provide both answers to the questions posed but also allow the audience to raise further questions and help develop a way forward.
 
This workshop is a feeder workshop to the main Security, Openness and Privacy workshop. The findings from this workshop will be presented by our rapporteur at the main session.
 
We produced a booklet following the IGF in Nairobi, which is freely available on the Internet and to all IGF participants. We commit to producing a similar booklet following this year’s IGF, taking in to account input from InfoSec 2012, IGF UK Nominet workshop 2012, EEMA workshops in 2012 and IGF 2012.
 
We intend to form a Dynamic Coalition following IGF 2012 and intend to seek input and membership in Baku. This will be managed by the BCS, which is a worldwide membership organisation with 70,000 members (www.bcs.org) but will be open to anyone on the Internet.
 
The panel is international with members from UK, Saudi Arabia and Sri Lanka. Those from the UK having spent decades working in many other countries, including various developing countries and the Middle East. All panel members are confirmed to attend and present.
 
The primary background papers for this workshop are the output from last year’s work including the workshop at IGF11 (see previous workshops) and the write up for the UK event earlier this year (see Background paper).
 
We are willing to merge this workshop with workshops that have the same discussion threads and outcomes, to support both our report and the formation of a Dynamic Coalition.
 
Remote hub was used last year successfully and will be integrated in to the workshop more fully based on the experience last year with the same moderator.
 
Workshop Agenda:
The workshop will consist of a short presentation (5 min) from each panel member on their specific areas of interest. The panel will then be opened up to questions and discussion from those present and remote participants. The aim is to try and address and discuss the 3 key themes:

• Governance of Identity on the Internet - how it impacts security and privacy
• The use of Identity in commercialisation of the Internet - personal information as currency
• The balance between privacy and openness including protecting the naive from themselves