Tuesday, 30 June 2009

Privacy paradox & personal data – do people really care?

Added: see the excellent summary of this and other WEIS sessions by Ross Anderson.

There’s been some focus lately on the inconsistencies between what people say and what they actually do online, in terms of:

  • how much personal information they’re prepared to give away, and
  • what precautions they take in practice to safeguard their privacy or the security of their personal data on the internet.

The Policy Maker's Anguish: regulating personal data behaviour between paradoxes and dilemmas (full paper) is an interesting paper by Ramón Compañó and Wainer Lusoli of the European Commission - Directorate General Joint Research Centre, from The Eighth Workshop on the Economics of Information Security (WEIS 2009), London 24-25 June 2009.

It defines this (much studied) “privacy paradox” as:

users are concerned about privacy but they disclose a significant amount of personal data and take no action to protect themselves.

The paper confirmed the privacy paradox is still alive and kicking, based on an August 2008 survey of over 5000 young people from 4 EU countries (France, Germany, Spain, UK), and outlined existing research on the paradox, including in the US.

(On the position in the USA, see also the 2007 Pew Internet research Digital Footprints: Online Identity Management and Search in the Age of Transparency.)

The privacy paradox

“In general, the public is primarily concerned about loss of privacy that lead to security problems but few everyday activities are considered extremely or very private. Our results confirm as much, as disclosure of 'basic' biographic information is unrelated to privacy concern; on the other hand, there is a very weak negative correlation (Pearson's R2 -.04) between these and disclosure of potentially more sensitive data (medical history, etc). The survey confirms that social networkers, particularly younger users, may well be ill informed about the detail they are making publicly available, as it is often unrelated to their privacy concerns. But the need to appear seems to justify disclosure in young people's eyes. Online social networking, for instance, is more about enhanced and increased personal disclosure than about the maintenance of wider social networks (Cachia, 2008; The Economist, 2009).”

See part 4 of the paper for discussion about:

  • the “control paradox” (”People desire full control on their personal data, but avoid the hassle to keep it up to date. People know that there are technology tools to protect them and think they may be efficient, but they do not use them”)
  • the “responsibility paradox” (“While most people believe that it is either their own responsibility, they seem to admit that many users do not have the knowledge to do this effectively”), and
  • the “awareness paradox” (“Data protection (DP) legislation is unknown and unloved… “personal experience may matter more than understanding of the legal system. It is not surprising that young people should ask for 'hands-on' regulation. Young people desire reassurance, via practical tools more than via awareness raising. Tools such as guarantees (labels and logos) appeal to young people, while they also appreciate tools that may assist control of personal data provided to public or private authorities.”).

Overall the paper takes the view, which will surprise no one, that policy makers need to take into account that citizens do not always behave rationally, and that a multi-disciplinary approach is needed:

“trust in rules (fair play by service providers) emerged as an important factor in addition to traditional understandings of trust. Indeed, there are multiple enablers of identity disclosure. Guarantees, assurance of data protection law respect and precise information on systems are likely to encourage the adoption of services based on personal data disclosure. Solutions based on these principles need implementing, regulating and enforcing…

An obvious approach to increase trust is to reinforce safety concerning privacy and personal data online through technical improvements of personal data management systems. In parallel to technical improvements, there is a need to monitor usage patterns regarding such systems and to understand perceptions in order to identify ways to enhance the take up. Young users place great value on privacy, data control, and free services, but not at the expense of security of procedural fairness. The traditional security / privacy paradigm still prevalent in policy circles needs revising to include a wider variety of parameters. Guarantees, assurances that data protection law will be protected, and precise information, all of which should encourage the use of eID systems, should be promoted. Finally, there is a need to harness young people's current practices.”

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 29 June 2009

Safeguarding Identity - UK government strategy launched

A cross departmental initiative led by the UK Home Office's Identity & Passport Service, involving over 12 UK government departments & agencies, has resulted in a new UK government strategy on identity (in relation to individuals) being launched today.

Safeguarding Identity strategy, HM Government, June 2009:
"aims to deliver a common framework for the use and handling of individuals' identity information."
Via Philip Virgo - who says it's:
"an excellent summary of good practice in Federated Identity Management and showed a refreshing recognition of the realities of working across the silos of Central Government."

Haven't had a chance to read it properly yet but a layered approach to identity and seemingly recognising the benefits of minimal disclosure have to be good things.

Philip also notes that implementing this strategy:
"does, however, require mindset transplants on the part of those who persist in ignoring political, economic and technical reality, let alone professional good practice."

For all our sakes, let's hope those transplants happen PDQ!

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Digital identity management primer for policy makers & others


Diagram 1: Individuals (Data Subjects [smileyface]) and Providers of Services, Claims, and Identifiers: Who Holds the Personal Data and What are the Links between These Parties?
(Click diagram to enlarge)

A very good concise introductory non-technical guide /summary of the main issues.
To quote from its foreword, it:
"aims to provide policy makers a broad-brush understanding of the various dimensions of digital identity management (IdM). Consistent with the Seoul Ministerial Declaration [for the future of the internet economy], it also aims to support efforts to address public policy issues for securely managing and protecting digital identities, with a view to strengthening confidence in the online activities crucial to the growth of the Internet Economy."
On IdM for individuals only, not non-natural persons; but has an excellent overview of:
  • key concepts / processes
  • how (very broadly) idM may be used in government, business and socially, and
  • technical / organisational / public policy issues.

Table 1: Features of Technology Models for IdM systems


Siloed Centralised Federated User-Centric
Method
of Authentication
The user authenticates to each account
when he wishes to use it.
The user authenticates to one main account.
The user authenticates to an identity
provider, with this one authentication serving for the federation.
The user authenticates to identity providers,
and service providers have to rely on that authentication.
Location
of Identity Information
Identity information is stored in separate
service provider accounts.
Identity information is stored in the
one main account, a super account.
Service providers in the federation
keep separate accounts in different locations. They may have agreements
for sharing information.
Identity information is stored by identity
providers chosen by the user. The user can help prevent the build-up
of profiles that others hold about him.
Method
of linking accounts/ learning if they belong to the same person

There is no linking between accounts
and no information flow between them.
Linking between accounts is not applicable.
(A user’s full profile resides in that single place.)
The identity provider can indicate what
identifiers for accounts with federation members correspond to the same
person.
Uses of cryptography can prevent linkages
between a user’s different digital identities, leaving the user in
control.
Trust
Characteristics (who is dependent on whom, for what)
The user is reliant on the service provider
to protect their information, even if limited. The absence of information
sharing has privacy advantages.
The user is reliant on the service provider
to maintain the privacy and security of all of his or her data.
Users have rights from contracts, but
they may be unfamiliar with options. The federation has leverage as
it is in possession of the user’s information.
Users can keep accounts separate and
still allow information to flow, but bear greater responsibility.
Convenience
Siloed accounts are inconvenient for
users and service providers due to multiple authentications, redundant
entry of information, and lack of data flow.
This arrangement is easy for the user
since he or she only has to deal with one credential to call up the
account and since he or she has to authenticate just once.
Other members of the federation avoid
the burden of credential management. Organisations that provide services
to a user can coordinate service delivery.
Users may be ill-equipped to manage
their own data (also a vulnerability) and may need training and awareness-raising.
Vulnerabilities
Siloed systems offer the advantage of
having limited data on hand, thus creating less of an incentive for
attack. They also have a better defined and stronger security boundary
to keep attackers out and limit exposure from failures.
The central party controls the person’s
entire profile; other entities have little to check that profile against,
and an insider could impersonate the person or alter data. Currently
there is no way to safeguard data after it has been shared.
Users have little input into the business-partner
agreements. Some service providers will set up federation systems to
exploit users. Currently there is no way to safeguard data after it
has been shared.
Concentration in the market for identity
providers could leave them with much power. Currently there is no way
to safeguard data after it has been shared.

Note: The diagram and table above are excerpts from the above OECD paper (pp. 18 and 19) and are © OECD 2009.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Sunday, 28 June 2009

Kim Cameron - Market Overview: eIdentity Comes of Age - European e-Identity Management 2009 conference, 25-26 June 2009

Some highlights from an interesting keynote at the European e-Identity Management 2009 conference by Kim Cameron (of Laws of Identity fame, who is Chief Architect of Identity at Microsoft).

Note: Not verbatim or in exact order; any errors are mine alone.

Identity management

We’re at the tipping point. But can we withstand success?

Identity = claims based access to resources / services, personalisation etc. (Added note: see this paper for a helpful summary of claims based access etc.)

The emphasis must be on claims because it’s necessary to contemplate that aspects of a system may be suspect, corrupt, untrustworthy.

Goal: reusable identities which can cross boundaries.

Enterprise perimeters are under pressure, becoming permeable, as cloud computing, outsourcing etc reduce the costs of IT.

How to make applications available across boundaries, allow people into resources from the outside, take identity from one context and use it in another?

Identity federation

Identity federation components:

  1. Federation server – allow exchange of claims using SAML etc
  2. Framework – ubiquitous, consistent way to build apps that are claims-aware
  3. Infocard selectors – federation clients that put users in control. Home realm discovery, missing browser protocols.

Example – Microsoft’s Geneva, coming out in H2 2009, supports WS-Federation, WS-Trust, SAML 2.0, IMI standards, infocards; works with any federation software / service that supports these standards. No marginal cost with Active Directory which is widely adopted and deployed.

Cloud providers are adopting the same technology to exchange info – cloud identity federation gateways.

Platforms will have claims as built in feature; products will increasingly accept this infrastructure.

(Current standards are more enterprise focused. We may need more lightweight http / REST standards to emerge.)

(Added note: see the Information Card Foundation’s white paper “The Information Card Ecosystem: The Fundamental Leap from Cookies and Passwords to Cards and Selector” (abstract) for a good overview of the joint industry initiative to “advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet”. Launch FAQ.)

Non-technical obstacles

The framework is in place but there are non-technical hurdles such as untested business models, and governance & legal frameworks – a real barrier; we must try to get templates / mechanisms so it’s not so expensive to set up digital relationships.

Consumer standards are in flux: OpenID, OAuth, Infocards.

User acceptance will gate success. End user acceptance is king. They must use it and want to use it – know and understand the paradigm, that the technology is safe and will survive adoption (e.g. scale as the numbers of ID providers and relying parties increase). User acceptance has to include acceptance of developers to work in the area.

Application developers are only beginning to understand how claims can benefit them. It’s important to get developers to make supporting products – they won’t if things are silo’d. There are opportunities for related products – tokens etc.

Privacy and security

Importance of privacy & security – impact of personalised marketing, breaches if technological choices are not right.

Multilateral security – the 3 biggest threats are:

  1. insider attacks
  2. social engineering
  3. organised crime.

Connecting systems is good, sharing vulnerabilities is bad.

Systems should fundamentally distrust systems with which they interact – build systems on the assumption that there will be breaches, and figure out how to limit the damage.

“Need to know” internet – minimal disclosure is fundamental in a federated world. Release as little as possible.

The military is the primary adopter of such technologies – learn from them.

It should be the minimum needed for the process at hand – notion of proportionality.

Example: go to site, prove your age; use the same ID token and card, but only release gender and the fact that you’re over 21 (not exact age). But it’s verifiable, not anonymous.

“Common sense” is not good enough. We need to debug self evident fallacies, and go forward on the basis that:

  1. Privacy is not opposed to security – it is a precondition of multilateral security.
  2. Identifying the masses is not likely to identify professional criminals, who already know how to get around it. Identification will be most useful for non-criminals and is not a panacea.
  3. We can prove we are not on (or on?) a list without revealing who we are.
  4. We can audit without creating privacy and security vulnerabilities.

We need a framework for raising understanding of what is achievable – see the paper proposing a common identity framework: a user centric identity metasystem coauthored by Kim Cameron, Dr. Kai Rannenberg and Dr. Reinhard Posch.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.