Spotlight on Mark Lizar

Mark Lizar is the Secretary of the Privacy and Public Policy Work Group (P3WG). Mark has been active with the group since June 2009 and is an important part of the team and the ongoing development of privacy and trust frameworks.

Hailing from Canada, Mark now lives in London, England. Mark has an interesting educational background, having studied computer science, network engineering, law and sociology. Mark worked in technical security, testing token authentication and RADIUS servers. He also worked at Entrust, which was an enterprise PKI (encryption) organization. Since then, Mark’s efforts and interests have been in the trust side of identity.

In Mark’s spare time he enjoys family & friends, playing the drums, and traveling. Learn more about Mark here

Find out about Kantara’s P3WG and how to become involved here

Kantara Initiative’s association sponsorship at pii2010

Registration is open for pii2010. Taking place August 17-19 in Seattle during Seattle Geek Week, pii2010 will explore the future of digital privacy, identity and innovation, and how to strike a balance between protecting sensitive information and enabling new technologies and business models.

It’s an all-hands-on-deck conference where industry executives, technologists, consumer advocates, policy experts and other stakeholders will come together as a group to examine critical issues like:

  • How emerging technologies & business models are impacting the way data is created, shared and aggregated
  • Effective approaches for building online trust with users
  • Ways in which user preferences and social norms are shifting
  • Changes in the regulatory landscape, in the U.S. and internationally
  • The role of anonymity and the future of reputation management on the Web
  • The latest developments in user-centric identity management

In addition, pii2010 will serve as the official launch pad for pii Labs, an open forum for brainstorming and collaborating where you will have an opportunity to share your ideas and projects with other participants.

Contact Dervla O’Reilly, dervla[at]kantarainitiative[dot]org for the discount code (for Kantara Initiative’s members) to save 20% off of pii2010 registration.

Review the 3-day schedule online.

Where is EU Data Protection policy headed?

In Jose Manuel Barroso’s recent reshuffle of the European Commission, there were a couple of moves which bear some further inspection, from a privacy/identity perspective.

The former Commissioner for Information Society, Viviane Reding, is promoted to one of the Vice Presidents of the Commission, and given a new portfolio as Commissioner for Justice, Fundamental Rights and Citizenship. She has also been given the task of overhauling the Data Protection Directive (now 15 years old…).

Her former role passes to Neelie Kroes, who was previously Competition Commissioner (and oversaw, for instance, some of the Commission’s fiercest battles with Microsoft – on media player bundling, IE/Windows bundling, publication of technical interoperability documentation, Microsoft Office “Open” XML, and so on, and so forth…).

She has a reputation for being able to dive into the detailed technicalities of a brief, and for being extremely tenacious in pushing towards her intended goal.

There’s no doubt in my mind that, had the task of reviewing and revising the Data Protection Directive been left on the Commissioner’s desk at DG InfoSoc, Dr Kroes could have taken it on with competence and determination… which leads me to wonder what the implications are of Commissioner Reding taking it with her to her new role.

With the background of her four years heading DG InfoSoc, Commissioner Reding should have all the subject-matter expertise needed to make a proficient job of revising the Directive. However, what is perhaps more significant is the departmental context in which she will now undertake that work.

Instead of doing it from within DG InfoSoc, she will now do it in the same DG as is responsible for programmes such as this; the development of a framework for a European society based on notions of fundamental rights and rights derived from EU citizenship.

That suggests to me that, if anything, the revised DP Directive will be founded on even stronger links to notions of fundamental human rights and the social/citizenship context.

I foresee some lively discussions of principle between the EU and its partners, particularly where those partners either take a different view of what are fundamental rights, or of how great a role they should play in determining policy on the processing of personal data.

If Commissioner Reding wished to live in interesting times, I think her wish may have been granted.

UK DNA policy (still) fails proportionality test

It is now a year since the European Court of Human Rights’ (ECHR) ruling on UK vs. S and Marper. The court’s ruling in that case was clear: the UK government’s policy of systematic and indiscriminate retention of DNA samples, DNA profiles and fingerprints of those acquitted of any offence is disproportionate. The government had, it says,

“overstepped any acceptable margin of appreciation in this regard”.

Grudgingly and slowly, the government is considering amending its policy – but only to the extent of conceding on indefinite retention. [Editorial update: as of December 9th, the Council of Europe expressed its concern that the new proposals probably still fail the proportionality tests required by the ECHR. They are keeping the dossier open, and will review the UK position again in March 2010].

Under the Home Secretary’s current proposals, the data and samples of the innocent are now only to be held for 6 years (there’s an excellent summary paper here, on the House of Commons Library website). The ruling in full is accessible online here. It’s well worth a read; almost every paragraph contains something to back up the view that the policy on DNA retention is intrusive and obnoxious. For instance, how about this section on the Police and Criminal Justice Act 2001 (my emphasis):

27. As to the retention of such fingerprints and samples (and the records thereof), section 64 (1A) of the PACE was substituted by Section 82 of the Criminal Justice and Police Act 2001. It provides as follows:

“Where – (a) fingerprints or samples are taken from a person in connection with the investigation of an offence, and (b) subsection (3) below does not require them to be destroyed, the fingerprints or samples may be retained after they have fulfilled the purposes for which they were taken but shall not be used by any person except for purposes related to the prevention or detection of crime, the investigation of an offence, or the conduct of a prosecution. …

(3) If – (a) fingerprints or samples are taken from a person in connection with the investigation of an offence; and (b) that person is not suspected of having committed the offence, they must except as provided in the following provisions of this Section be destroyed as soon as they have fulfilled the purpose for which they were taken.

(3AA) Samples and fingerprints are not required to be destroyed under subsection (3) above if (a) they were taken for the purposes of the investigation of an offence of which a person has been convicted; and (b) a sample or, as the case may be, fingerprint was also taken from the convicted person for the purposes of that investigation.”

Even the ECHR judges somewhat understate the case against retention – for instance, in this paragraph:

“78. It is common ground that fingerprints do not contain as much information as either cellular samples or DNA profiles. “

Unfortunately, that is not accurate. The fingerprints themselves (as opposed to any scanned or photographic record of them) consist of natural oils and skin cells – which of course contain the subject’s DNA. There is plenty of published material on the practicalities of small-sample DNA analysis, and the technique has been used by UK law enforcement agencies. In other words, fingerprints not only contain the same information as cellular samples, they contain cellular samples in a very individual layout – the fingerprint itself.

But I digress…

What I really wanted to do was point to three excellent blog posts on the “justification” for DNA collection and retention in the UK system.

The first is this one from Privacy law specialists Amberhawk – correlating the government’s own re-offending statistics with their assertions about the benefits of 6-year retention.

The Tech and Law blog has further analysis of the Amberhawk piece, here, including a link to a trenchant letter questioning both the practicality and the proportionality of the current policy.

And finally, Toby Stevens adds his excellent analysis here, setting out (among other things) four fundamental flaws with the current approach. In passing, he notes that the UK’s national DNA database is (perhaps thankfully) unique; no other country has one like it, or uses DNA in the same way.

Which brings us back to the ECHR’s judgement in UK vs S and Marper. Sections 47 and 48 of that judgement bear repeating in full (my emphasis):

“47. The United Kingdom is the only member State expressly to permit the systematic and indefinite retention of DNA profiles and cellular samples of persons who have been acquitted or in respect of whom criminal proceedings have been discontinued. Five States (Belgium, Hungary, Ireland, Italy and Sweden) require such information to be destroyed ex officio upon acquittal or the discontinuance of the criminal proceedings. Ten other States apply the same general rule with certain very limited exceptions: Germany, Luxembourg and the Netherlands allow such information to be retained where suspicions remain about the person or if further investigations are needed in a separate case; Austria permits its retention where there is a risk that the suspect will commit a dangerous offence and Poland does likewise in relation to certain serious crimes; Norway and Spain allow the retention of profiles if the defendant is acquitted for lack of criminal accountability; Finland and Denmark allow retention for 1 and 10 years respectively in the event of an acquittal and Switzerland for 1 year when proceedings have been discontinued. In France DNA profiles can be retained for 25 years after an acquittal or discharge; during this period the public prosecutor may order their earlier deletion, either on his or her own motion or upon request, if their retention has ceased to be required for the purposes of identification in connection with a criminal investigation. Estonia and Latvia also appear to allow the retention of DNA profiles of suspects for certain periods after acquittal.

48. The retention of DNA profiles of convicted persons is allowed, as a general rule, for limited periods of time after the conviction or after the convicted person’s death. The United Kingdom thus also appears to be the only member State expressly to allow the systematic and indefinite retention of both profiles and samples of convicted persons.”

Notes from Malmo 2009 e-Gov conference

Back in late November I Twittered from the Ministerial eGovernment Conference in Malmø (#egov2009), expressing the hope that the press release would contain a bit more substance than the keynote announcement of the Ministerial Declaration. I am delighted to say that when I got my hands on a copy of the full text, it did. (PDF of the Declaration available online here.)

First, though, here were the policy priorities announced by Mats Odell, Sweden’s Minister for Local Government and Financial Markets:

  • Use eGovernment services to empower citizens and businesses;
  • Improve mobility in the single market;
  • Improve efficiency and effectiveness in eGovernment.

On that basis, you can probably see why the initial announcement left me somewhat underwhelmed. Was this, I wondered, really the culmination of four years’ policy and implementation work since the Manchester Declaration (which, at the time, I had actually thought was quite good…)?

Second, I have to say there is also still quite a lot in the full text which mostly prompts the reaction: “Oh…. well, weren’t you either doing, or supposed to be doing that anyway?”. For instance, Article 13 promises to involve stakeholders in public policy processes. Well, good.

Incidentally, while we’re on page 3 of the document, Article 12 will raise more than a few hollow laughs:

“We will explore how we can make our administrative processes more transparent. Transparency promotes accountability and trust in government”.

Not 10 days ago, the Court of Auditors declined to sign off the accounts of the European Commission for the 15th year in a row. Is it facile to suggest that as a starting point?

That good old standby “reduction of the administrative burden for citizens and business” still gets an airing (Article 17) – and rather disappointingly, “respect for privacy and data protection” gets buried under that heading, whereas I would have thought it deserves to headline in an article of its own.

Article 18 is a bit “meh” as well: policymakers should “consider how organisational processes could be improved”. Laudable, but it doesn’t exactly make me want to run out and have it printed on a t-shirt.

OK, so having got some of the gripes off my chest, what did I pick out as being positive aspects of the Declaration?

Well, actually, the opening Background statement is pretty good. It notes that the economic, social and environmental landscape is grim, and that despite (or perhaps even because of) that, citizens’ expectations for open, flexible and collaborative government are high.

It goes on to acknowledge that eGovernment extends beyond national boundaries, and across the divide between the public and commercial sectors.

It also suggests – which I think is fair – that some of the progress to date in e-government, and in collaboration between different member states, has happened because of the political will expressed through the precursors of this year’s Declaration.

Other positive signs:

  • The tone of the Declaration is one which acknowledges that the eGovernment services of the future will be co-produced by citizens and third parties. That might not be going far enough, of course: there’s already evidence that citizens and third parties are creating public services without the direction or collaboration of government – so the latter might find that it needs to re-calibrate its notion of “open and collaborative” quite radically.
  • There’s an explicit call, in Article 19, for public administrations to exploit IT in their efforts to reduce carbon footprint.
  • Article 21 is explicit about the benefits of using open specifications – not least, to stimulate effective and open competition in the market. If the political will persists to enforce that effectively over time, the potential benefits are huge.

There’s more (if you count the nested lists, there are about 40 paragraphs in total), and in essence the full text does a lot more than the keynote suggested. I compared it rather unfavourably with the Manchester Declaration earlier; in retrospect that’s probably not giving a fair picture.

The current Declaration treats some of the key Manchester themes almost as “solved problems”: for instance, “trustworthy electronic identifiers” for citizens pops up only in Article 26 (d) – in the final recommendations – with a note that “activity should be intensified” and “gaps closed in cross-border interoperability and mutual recognition”.

The way I see it is this: there are definitely eGovernment problems to solve today, which only present themselves because of the increased sophistication of some current implementations (and those implementations, of course, are based on previous progress). In other words, solving one set of problems usually just raises you within reach of the next set. To extend that analogy a little: previous work has built a ladder which means we can reach out towards the next set of goals. My worry is that some of the rungs below us (and, if we’re unlucky, bits of the ladder itself) are either missing or not very well put together.

However, we are where we are – and the heartening thing about this year’s exhibition area was the sophistication and practicality of many of the systems being shown. To me, they suggest that there is good practice out there in abundance, if the rest of us are only prepared to look and learn.

Kooky Policy (sorry, I meant cookie..)

In my previous post on cookies and privacy in the new EU Directive, I mentioned, in passing, the question of user consent. I think it’s time to return to that for a closer look. First, a couple of references to set context:

  • Ralf Bendrath’s comment, here, on the recently-adopted Stockholm Programme. This, he notes, includes an amendment in which the European Parliament

“… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective”.

This is a clear indication of the way the Parliament thinks that balance ought to tilt.

  • This analysis from Pinsent Masons’ Out-Law blog, in which they compare the text of the new cookie law with the interpretation of the same by some online advertising bodies. The advertisers point to a clause in the preamble of the telecom package, which says:

“Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”

According to the advertisers, this lets them off the hook – because a user’s consent can be inferred from the fact that their browser is set to allow cookies or block them.

However, there are several rather fatal flaws in that argument. A couple are pointed out by Struan Robertson (whose previous analysis I quoted in my other post):

“Most browsers don’t default to blocking all cookies and most people don’t change their browser settings, so it’s hard to say that effective consent is conveyed by browser settings,” said Robertson. “Also, browsers can’t tell you the purpose of a cookie.”

On a strict interpretation, the point about “purpose” ought to be fatal in itself: it would generally mean that relying on the browser setting to imply consent would fail the test of compliance with the Data Protection Directive (purpose of collection == purpose of use); if the user has no indication of purpose of collection, how can they meaningfully consent (and how can inappropriate use be detected)?

Next – given the number of people who pay little or no attention to the default cookie settings of their browsers (assuming they are even aware of them in every browser or internet terminal they use), it would be tough for a website owner to prove that the setting in effect on a given visit was chosen by the user, as opposed to merely being a default setting. What’s more, the new law repeatedly mentions the need for the user to be clearly informed before access is effected to their device – so this law isn’t just calling for implied consent, it’s calling for informed and explicit consent. (Note the clear qualification in the preamble: “Where it is technically possible and effective…”).

Now, it’s fair to argue that explicit consent is an unreasonable expectation unless and until there is a general change in people’s awareness of cookies… and advertisers will doubtless maintain that it’s not their fault we like to ignore or dispense with cookie warnings in the interests of convenience. But that argument can also reasonably be countered by saying that poor consent-seeking practice up to now can hardly be used to excuse it in future.

Finally, the Pinsent Masons article makes one other extremely valuable contribution to the debate, in quoting Commissioner Reding’s clarificatory comments on the question. I use the word clarificatory in its loosest possible sense.

According to the Commissioner, there are two kinds of cookie: “technical cookies”, without which the internet would cease to function (and which, therefore, we are presumably to allow without question), and “spy cookies”, which are the ones this law is clearly intended to regulate.

This reminds me of that Not The Nine O’Clock News sketch in which a disgruntled aide induces his president to include phrases like “cupcakes” and “big, floppy, dangly bits” in a public address.

Quite apart from the glaring absurdity of browser manufacturers now having to enhance their products to include a Privacy Settings option which allows users to turn “spy cookies” off while leaving “technical cookies” in place, there’s also the minor (though not entirely unexpected) problem that the law itself does not, of course, make any mention of these mythical creatures.

We all understand the difficulties which can arise when a legislator tries to express technical concepts in terms which are meant to be accessible either to other legislators or to the general public – but the perfectly-coiffured Commissioner has been in post now for almost exactly five years. Surely that – and her professional career as a journalist – must have taught her the danger of such ill-conceived dumbing-down?

Kaspersky on Internet Anonymity

Noted anti-virus vendor Eugene Kaspersky has weighed extravagantly into the larger security problem, arguing that “anonymity causes security headaches and should be outlawed” (http://blogs.computerworld.com/14940/eugene_kaspersky_wants_no_net_anonymity). So he wants an Internet Passport.

This is surely madness.  The social repercussions are obvious, while it’s not at all clear what problem it might solve.

Most cybercrime is actually associated with an *excess* of arbitrary identification, with inadequate safeguards.  For the average user, anonymity in reality has become a luxury.  The simplest credit card purchase requires an inordinate amount of identifying information to be divulged, to total strangers, who then pass it all onto third party processors no one has ever heard of.

Mainstream authentication is so difficult to use that most users choose the same password for all services.  The Federated Identity and Single Sign On movements, typified by OpenID, amount to the same thing.  Everything gets linked to everything else.  This is hardly the “anonymity” that Kaspersky so dreads.

It’s also likely that, like many before him, he’s underestimated the legal complexity and cost associated with general purpose Internet identities. Who will issue and warrant an Internet passport, vouchsafing the bearer in all contexts? This is what’s stopped authentication broker schemes to date. Some of my own analysis of these issues is presented in brief at http://lockstep.com.au/library/babysteps/babyste13-identity-silos and http://lockstep.com.au/library/babysteps/babystep-15-introducing-ident.

Of course, what would happen is that any real world Internet passport would come with risk-managed warranty limitations. It wouldn’t be good for all conceivable transactions, only ones that the issuer has been able to analyse and circumscribe. For other uses, the holder would need to supplement their passport with other credentials suited to the context … and we’d be back where we started.

Advocates of Internet passports should re-visit how a conventional passport works, and reconsider their metaphor. A passport is not a universal key to cross all borders; many countries require you to obtain a visa, to make sure you meet their security, cultural and political norms. That is, risk profile, appetite and management strategies vary from one country to another (just as they vary in e-business from one segment to another) and there really is no universal passport.

So I say to Kaspersky, an Internet passport is utopian, and proper anonymity would be a blessing!  To solve cybercrime, we don’t need any new passport, rather we need to protect the plurality of identities we already have against online theft and abuse.

Posted on behalf of:

Stephen Wilson
Lockstep Group
http://www.lockstep.com.au

EU to legislate on cookies

UK readers will probably remember one of those legal wrangles which make for such easy satire – the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course…)

It looks as though the European Commission is heading towards a similar argument about cookies – though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamp or two.

This is about amendments to 2002/58/EC; the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised here, by Struan Robertson of law firm Pinsent Mason. I recommend a read of his blog post; it isn’t often you see a lawyer describe proposed legislation as “breathtakingly stupid”… but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.

The amendments in question are apparently intended to regulate the storing and use of cookies on end users’ devices. I say “apparently”, because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.

I’ve no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter – several of them probably fatal.

The way the amendment is phrased (it’s a replacement of Article 5.3, for those who like to read that kind of thing – see Struan’s post, or read p.77 of the document here if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user’s machine. In other words, if you want to put something on my PC, or read something you put there earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:

  • What if I’m using my PC outside the EU?
  • What if I’m inside the EU, but accessing a cookie-setting site which is outside the EU?
  • What about non-EU citizens, in the EU, accessing EU sites?
  • Or non-EU citizens accessing EU sites from elsewhere?
  • Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?
  • … and so on and so on…

There are many other aspects one could dive into similarly – such as “what counts as consent?”, or “how on earth will users cope with all those pop-ups” – but we haven’t got all week.

Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:

  • the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the “up-link”, the “down-link”, or some combination of both;
  • internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.

On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.

All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn’t follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty’s Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale… whereas a biscuit, they found, starts off hard and goes soft as it gets stale. The majesty of the law leaves me awe-struck sometimes, it really does.

This one’s for the Prof…

I recently attended a very engaging lecture at the London School of Economics (LSE) by Prof David Lyon – who spoke about “Identity as Surveillance – Security, Surveillance and Citizenship”.

I do hope he subsequently saw this article from the BBC, on the opening day of the Labour Party Conference: “Lord Mandelson denied entry to conference“, because I’m sure it would give him a good laugh.

Apparently, the Noble Lord, First Secretary of State, Secretary of State for Business, Innovation and Skills, President of the Board of Trade and Lord President of the Council could not, initially, get into the conference because there was a problem with his pass. Maybe they couldn’t fit his title onto it. The press were naturally quick to savour the irony that Peter Mandelson, the man perhaps most identified with New Labour, should be unable to identify himself to the satisfaction of the party’s gatekeepers.

What this has to do with Prof Lyon’s talk is this: one of his themes was the way in which identity systems (particularly national ones) permit, enable and encourage judgements to be made about individuals on the basis of “actuarial criteria”, even if other methods would be more reliable (and more respectful of personal privacy).

An example Prof Lyon gave was this: research work by John Taylor and Miriam Lips (full text of paper available online here) investigated the use of online identity data by the DVLA ([UK] Driver and Vehicle Licensing Agency) when someone applies online for a driving licence. The researchers noted that the DVLA submits the applicant’s details to the credit reference company Experian, which attempts to corroborate the applicant’s identity assertions by matching them against databases of Credit Applications and Addresses. Experian then applies a weighting which assigns a ‘trust score’ to the applicant’s assertions, based on the apparent quality of the applicant’s digital footprint (as revealed by the database enquiries). These actuarial measurements are then used by the DVLA to govern the subsequent processing of the application transaction.

Prof Lyon’s point was that this ‘trust score’ mechanism goes beyond a simple assessment of whether or not the applicant’s address can be corroborated. The score is enhanced more, for instance, if the applicant’s records indicate that they have had a lot of interactions with clearing banks, than if the indication is that the applicant has had a lot of interactions with mail-order companies.

The implication of this is that subsequent processing of the DVLA application is determined not just by past records, but by inferences based on supposed future behaviours of the applicant – whether or not those inferences are in fact accurate.

Basically, this is what starts to happen, the more you architect systems on the basis of actuarial criteria in support of the categorisation of individuals, and the more you remove notions of human judgement and discretion from the process. Admittedly, that’s not always a bad thing – after all, humans are fallible too. But if you design humans into the process rather than out of it, you get fewer embarrassing incidents such as the sight of Labour’s “eminence grise” being locked out of his own conference…


P3WG and Levels of Assurance

As you may know, I’ve recently set up the Privacy and Public Policy Work Group (P3WG) for the Kantara Initiative, and as we start mapping out the areas in which the Group wants to exercise an influence, one topic has generated more discussion than anything else on the mailing list. It goes by the rather uninformative name of “LOA”, or Level of Assurance. Even if you’ve never heard of LOAs, they have played a major part in your life online and off.

I’ve blogged before about what I call the “Chain of Trust”, namely the sequence of events all of which need to be working if a credential is to work properly when you present it. For instance, if you apply for a passport in the name of Michael Mouse and the passport office doesn’t bother to check whether there’s any evidence that that is your name, the resulting passport won’t be very reliable as an indicator of your identity (even though people may assume that it is). Similarly, driving licences would not be much use as an indicator of which vehicles you’re entitled to drive if it were possible for you to alter what the licence says… and if you tell someone the PIN of your ATM card, it is no longer effective as a way to ensure that only you can take money out of your account (in fact, the bank is likely to take it as de facto evidence that you must have been responsible for the transaction, even if it wasn’t you who actually used the card and PIN…).

These are just three examples of the many ways in which the Chain of Trust can fail, at the Registration/Verification phase, over the life of the credential, and at the authentication step, respectively. There are many other points at which the Chain can be compromised and the reliability of the credential (or the assertions made using it) undermined.

LOA is about protecting the first of these: the point at which someone decides whether or not to issue a credential which represents you in some way. In other words, if you can present a relying party with not just a credential but a ‘score’ which indicates how reliably that credential was issued to you, they can judge whether it’s more likely that you are actually Michael Mouse, or that whoever gave you a passport saying so was not doing their job very well.

That, in turn, will give them useful information about what decisions to make next, particularly if they decide that the answer to your authentication question is “yes”.

The UK and US governments both have relatively simple four-level LOA models (though, inconveniently, one runs from 0-3 and the other from 1-4…). Omitting the ‘index value’ for a moment, the four levels look remarkably similar. In fact, if I adopt a slightly different scale, just to paper over that difference, we might get something like this:

Rare
  UK: no authentication of identity
  US: little or no confidence in the asserted identity

Medium rare
  UK: basic authentication
  US: some confidence in the asserted identity

Medium
  UK: greater level of assurance (e.g. credentials based on proof of identity to a third party)
  US: high confidence in the asserted identity

Well done
  UK: identification beyond reasonable doubt
  US: very high confidence in the asserted identity

So far so good. However, when it comes to putting this simple model into practice, and because we’re talking about assurance here (and therefore judgement), a couple of different approaches emerge.

One is to give a technical specification of the kinds of authentication technology which should or must correspond to an implementation claiming to be at a given LOA level.

Another is to relate the LOA levels to levels of risk, and allow the implementer to work out how they think that risk is best mitigated.

You might think that a third, better solution would be to combine the two: define organisational risks in a way which allows them to be assessed against the four-level model, and then have a technical specification list which says: “if you face this level of risk and you want this level of assurance, you need technology such as ‘x’, implemented with the following governance measures.”
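As an added illustration (this is not Kantara’s code, nor any government scheme’s), here is how a relying party might consume an LOA claim along the lines of that combined approach: normalise the asserted level across the two index schemes, fail closed on any scheme or index it does not recognise, and then check the authentication mechanism separately, because the LOA speaks only to the registration link of the chain of trust and says nothing about how the credential was used just now. The scheme tags “uk” and “us”, the mapping of the 0-3 and 1-4 indices onto one common scale, and the minimum-mechanism-per-level table are simplifying assumptions for the example, not the published definitions of either scheme.

```python
"""Relying-party policy that consumes a Level of Assurance (LOA) claim.

Illustrative code added to this post, not Kantara's or any government
scheme's. The scheme tags "uk" and "us", the mapping of the UK 0-3 and
US 1-4 indices onto one common scale, and the weakest authentication
mechanism accepted at each rung are simplifying assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Common ordinal scale: the four rungs from the post, in the same order."""
    RARE = 0         # UK: no authentication / US: little or no confidence
    MEDIUM_RARE = 1  # UK: basic authentication / US: some confidence
    MEDIUM = 2       # UK: proof of identity to a third party / US: high confidence
    WELL_DONE = 3    # UK: beyond reasonable doubt / US: very high confidence


# The UK scheme numbers its four levels 0-3, the US scheme 1-4; the rungs
# line up once the index offset is removed (assumed mapping for the example).
SCHEME_OFFSET = {"uk": 0, "us": 1}

# Weakest authentication mechanism the relying party accepts at each rung
# (assumption standing in for a per-level "technical specification").
MECHANISM_STRENGTH = {
    "none": Assurance.RARE,
    "password": Assurance.MEDIUM_RARE,
    "otp": Assurance.MEDIUM,
    "hardware_token": Assurance.WELL_DONE,
}


def normalise_loa(scheme: str, level: int) -> Assurance:
    """Map a scheme-specific LOA index onto the common scale, failing closed.

    An unknown scheme or an out-of-range index raises instead of being
    guessed: a bare integer without its scheme is not a usable score.
    """
    if scheme not in SCHEME_OFFSET:
        raise ValueError(f"unknown LOA scheme {scheme!r}")
    rung = level - SCHEME_OFFSET[scheme]
    try:
        return Assurance(rung)
    except ValueError:
        raise ValueError(f"level {level} is not valid in scheme {scheme!r}") from None


@dataclass(frozen=True)
class Transaction:
    description: str
    required: Assurance  # assurance the relying party demands for this risk


@dataclass(frozen=True)
class Presentation:
    scheme: str      # which LOA scheme issued the credential
    level: int       # LOA index in that scheme's own numbering
    mechanism: str   # how the holder authenticated with the credential just now


def authorise(tx: Transaction, p: Presentation) -> tuple[bool, str]:
    """Decide a transaction from both ends of the chain of trust.

    The LOA covers only the registration/verification link; the mechanism
    check covers the authentication link, which the LOA says nothing about.
    """
    try:
        asserted = normalise_loa(p.scheme, p.level)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if asserted < tx.required:
        return False, f"rejected: issued at {asserted.name}, {tx.required.name} required"
    strength = MECHANISM_STRENGTH.get(p.mechanism)
    if strength is None or strength < tx.required:
        return False, f"rejected: {p.mechanism!r} too weak for {tx.required.name}"
    return True, f"accepted at {asserted.name}"


def demo() -> list[tuple[str, bool, str]]:
    """Constructed sample presentations against one MEDIUM-risk transaction."""
    tx = Transaction("renew a driving licence online", Assurance.MEDIUM)
    samples = [
        ("US level 3, one-time password", Presentation("us", 3, "otp")),
        ("UK level 3, password only", Presentation("uk", 3, "password")),
        ("UK level 1, hardware token", Presentation("uk", 1, "hardware_token")),
        ("unknown scheme", Presentation("ca", 3, "otp")),
    ]
    return [(label, *authorise(tx, p)) for label, p in samples]


if __name__ == "__main__":
    for label, ok, why in demo():
        print(f"{label:32} {'ALLOW' if ok else 'DENY '} {why}")
```

Note the two independent refusals in the sample: a credential issued beyond reasonable doubt but presented with only a password fails on the authentication link, while a strong token wrapped around a barely-checked registration fails on the LOA. Either check alone would let one of them through.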

Actually, I have a better idea… if you have opinions on this question (better still, if you have a good answer), come and sign up to the Kantara P3WG and join the discussion. We’d love to hear from you.

© Copyright 2009 - Kantara Initiative. All Rights Reserved