A Windfall for Identity Assurance
On behalf of Frank Villavicencio, chair of the Identity Assurance WG. Also published at Frank Villavicencio’s blog page.
First off, I would like to express my sympathy to those affected by the terrible earthquake that hit Chile this past weekend.
I send my words of encouragement and optimism to the Chilean people. I have very good Chilean friends and I wish them all the best in view of these circumstances, as well as their families and everyone affected… God's ways are without any doubt inscrutable.
In this blog post, I would like to share with you some recent developments in the world of identity assurance, which as you know from my recent blog posts: “Identity Assurance, an everyday life issue” part 1 and part 2, is a top of mind issue for me and for us here at Identropy. Quite frankly, I could not hope for better timing for these blogs to come about.
On Friday February 26th, 2010 the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) reviewed Kantara Initiative‘s latest submission and granted it Provisional Approval as a Trust Framework Provider at Levels 1, 2 & non-crypto Level 3 under the Open Identity Solutions for Open Government program. The removal of the provisional status will hinge on the release by TFET of additional guidance for assessors concerning privacy and Kantara’s adoption of this guidance.
This is for me an extraordinary milestone, not only in my role as Chair of the Identity Assurance Work Group, but as an identity assurance activist altogether. Kantara submitted its application for the US Federal Government adoption of the Identity Assurance Framework (IAF) in November of 2009. Prior to that date, the IAWG had been working very hard, collaborating with Kantara and the Assurance Review Board (which oversees the Kantara Initiative Identity Assurance Certification Program) to achieve this important goal (albeit still under provisional status).
The significance of this milestone is that it represents an important step towards fostering the adoption of identity-enabled Government services at known levels of assurance, relying on identity credentials issued and managed by non-Government parties (referred to as Credential Service Providers in the IAF). It will create the right conditions for the certification program to be adopted in real-life scenarios and for the industry to benefit from a proven, best-of-breed certification program that effectively enables interoperability and trust. This means that the IAF will not be just a “paper” standard, incarnated in a compendium of documents, but an actual technology-agnostic program that organizations can certify against.
With the adoption of risk-based models, identity federation can achieve Internet scale, and facilitate public access to online information at specific levels of assurance. With adoption will also come economies of scale and further collaboration and interoperability across industries and Governments.
As someone who has been involved in identity management and identity assurance for quite some time, I cannot help but feel excited about the times I live in, and optimistic about what is to come.
I do anticipate and hope for more endorsements of the IAF in the near future by other organizations, and more importantly, the start of a paradigm shift in the way we all think about identity, both within the Enterprise and in a federated environment. Ultimately, this path will allow the identerati to focus on the real end goal: delivering identity-enabled solutions and services with the level of trust and confidence that is appropriate for the transactions being performed.
But this is just a first step…
Frank
Where is EU Data Protection policy headed?
In Jose Manuel Barroso’s recent reshuffle of the European Commission, there were a couple of moves which bear some further inspection, from a privacy/identity perspective.
The former Commissioner for Information Society, Viviane Reding, is promoted to one of the Vice Presidents of the Commission, and given a new portfolio as Commissioner for Justice, Fundamental Rights and Citizenship. She has also been given the task of overhauling the Data Protection Directive (now 15 years old…).
Her former role passes to Neelie Kroes, who was previously Competition Commissioner (and oversaw, for instance, some of the Commission’s fiercest battles with Microsoft – on media player bundling, IE/Windows bundling, publication of technical interoperability documentation, Microsoft Office “Open” XML, and so on, and so forth…).
She has a reputation for being able to dive into the detailed technicalities of a brief, and for being extremely tenacious in pushing towards her intended goal.
There’s no doubt in my mind that, had the task of reviewing and revising the Data Protection Directive been left on the Commissioner’s desk at DG InfoSoc, Dr Kroes could have taken it on with competence and determination… which leads me to wonder what the implications are of Commissioner Reding taking it with her to her new role.
With the background of her four years heading DG InfoSoc, Commissioner Reding should have all the subject-matter expertise needed to make a proficient job of revising the Directive. However, what is perhaps more significant is the departmental context in which she will now undertake that work.
Instead of doing it from within DG InfoSoc, she will now do it in the same DG as is responsible for programmes such as this; the development of a framework for a European society based on notions of fundamental rights and rights derived from EU citizenship.
That suggests to me that, if anything, the revised DP Directive will be founded on even stronger links to notions of fundamental human rights and the social/citizenship context.
I foresee some lively discussions of principle between the EU and its partners, particularly where those partners either take a different view of what are fundamental rights, or of how great a role they should play in determining policy on the processing of personal data.
If Commissioner Reding wished to live in interesting times, I think her wish may have been granted.
Notes from Malmo 2009 e-Gov conference
Back in late November I Twittered from the Ministerial eGovernment Conference in Malmø (#egov2009), expressing the hope that the press release would contain a bit more substance than the keynote announcement of the Ministerial Declaration. I am delighted to say that when I got my hands on a copy of the full text, it did. (PDF of the Declaration available online here.)
First, though, here were the policy priorities announced by Mats Odell, Sweden’s Minister for Local Government and Financial Markets:
- Use eGovernment services to empower citizens and businesses;
- Improve mobility in the single market;
- Improve efficiency and effectiveness in eGovernment.
On that basis, you can probably see why the initial announcement left me somewhat underwhelmed. Was this, I wondered, really the culmination of four years’ policy and implementation work since the Manchester Declaration (which, at the time, I had actually thought was quite good…)?
Second, I have to say there is also still quite a lot in the full text which mostly prompts the reaction: “Oh…. well, weren’t you either doing, or supposed to be doing that anyway?”. For instance, Article 13 promises to involve stakeholders in public policy processes. Well, good.
Incidentally, while we’re on page 3 of the document, Article 12 will raise more than a few hollow laughs:
“We will explore how we can make our administrative processes more transparent. Transparency promotes accountability and trust in government”.
Not 10 days ago, the Court of Auditors declined to sign off the accounts of the European Commission for the 15th year in a row. Is it facile to suggest that as a starting point?
That good old standby “reduction of the administrative burden for citizens and business” still gets an airing (Article 17) – and rather disappointingly, “respect for privacy and data protection” gets buried under that heading, whereas I would have thought it deserves to headline in an article of its own.
Article 18 is a bit “meh” as well: policymakers should “consider how organisational processes could be improved”. Laudable, but it doesn’t exactly make me want to run out and have it printed on a t-shirt.
OK, so having got some of the gripes off my chest, what did I pick out as being positive aspects of the Declaration?
Well, actually, the opening Background statement is pretty good. It notes that the economic, social and environmental landscape is grim, and that despite (or perhaps even because of) that, citizens’ expectations for open, flexible and collaborative government are high.
It goes on to acknowledge that eGovernment extends beyond national boundaries, and across the divide between the public and commercial sectors.
It also suggests – which I think is fair – that some of the progress to date in e-government, and in collaboration between different member states, has happened because of the political will expressed through the precursors of this year’s Declaration.
Other positive signs:
- The tone of the Declaration is one which acknowledges that the eGovernment services of the future will be co-produced by citizens and third parties. That might not be going far enough, of course: there’s already evidence that citizens and third parties are creating public services without the direction or collaboration of government – so the latter might find that it needs to re-calibrate its notion of “open and collaborative” quite radically.
- There’s an explicit call, in Article 19, for public administrations to exploit IT in their efforts to reduce carbon footprint.
- Article 21 is explicit about the benefits of using open specifications – not least, to stimulate effective and open competition in the market. If the political will persists to enforce that effectively over time, the potential benefits are huge.
There’s more (if you count the nested lists, there are about 40 paragraphs in total), and in essence the full text does a lot more than the keynote suggested. I compared it rather unfavourably with the Manchester Declaration earlier; in retrospect that’s probably not giving a fair picture.
The current Declaration treats some of the key Manchester themes almost as “solved problems”: for instance, “trustworthy electronic identifiers” for citizens pops up only in Article 26 (d) – in the final recommendations – with a note that “activity should be intensified” and “gaps closed in cross-border interoperability and mutual recognition”.
The way I see it is this: there are definitely eGovernment problems to solve today, which only present themselves because of the increased sophistication of some current implementations (and those implementations, of course, are based on previous progress). In other words, solving one set of problems usually just raises you within reach of the next set. To extend that analogy a little: previous work has built a ladder which means we can reach out towards the next set of goals. My worry is that some of the rungs below us (and, if we’re unlucky, bits of the ladder itself) are either missing or not very well put together.
However, we are where we are – and the heartening thing about this year’s exhibition area was the sophistication and practicality of many of the systems being shown. To me, they suggest that there is good practice out there in abundance, if the rest of us are only prepared to look and learn.
Kooky Policy (sorry, I meant cookie..)
In my previous post on cookies and privacy in the new EU Directive, I mentioned, in passing, the question of user consent. I think it’s time to return to that for a closer look. First, a couple of references to set context:
- Ralf Bendrath’s comment, here, on the recently-adopted Stockholm Programme. This, he notes, includes an amendment in which the European Parliament
“… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective”.
This is a clear indication of the way the Parliament thinks that balance ought to tilt.
- This analysis from Pinsent Masons’ Out-Law blog, in which they compare the text of the new cookie law with the interpretation of the same by some online advertising bodies. The advertisers point to a clause in the preamble of the telecom package, which says:
“Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”
According to the advertisers, this lets them off the hook – because a user’s consent can be inferred from the fact that their browser is set to allow cookies or block them.
However, there are several rather fatal flaws in that argument. A couple are pointed out by Struan Robertson (whose previous analysis I quoted in my other post):
“Most browsers don’t default to blocking all cookies and most people don’t change their browser settings, so it’s hard to say that effective consent is conveyed by browser settings,” said Robertson. “Also, browsers can’t tell you the purpose of a cookie.”
On a strict interpretation, the point about “purpose” ought to be fatal in itself: it would generally mean that relying on the browser setting to imply consent would fail the test of compliance with the Data Protection Directive (purpose of collection == purpose of use); if the user has no indication of purpose of collection, how can they meaningfully consent (and how can inappropriate use be detected)?
Next – given the number of people who pay little or no attention to the default cookie settings of their browsers (assuming they are even aware of them in every browser or internet terminal they use), it would be tough for a website owner to prove that the setting in effect on a given visit was chosen by the user, as opposed to merely being a default setting. What’s more, the new law repeatedly mentions the need for the user to be clearly informed before access is effected to their device – so this law isn’t just calling for implied consent, it’s calling for informed and explicit consent. (Note the clear qualification in the preamble: “Where it is technically possible and effective…”).
Now, it’s fair to argue that explicit consent is an unreasonable expectation unless and until there is a general change in people’s awareness of cookies… and advertisers will doubtless maintain that it’s not their fault we like to ignore or dispense with cookie warnings in the interests of convenience. But that argument can also reasonably be countered by saying that poor consent-seeking practice up to now can hardly be used to excuse it in future.
Finally, the Pinsent Masons article makes one other extremely valuable contribution to the debate, in quoting Commissioner Reding’s clarificatory comments on the question. I use the word clarificatory in its loosest possible sense.
According to the Commissioner, there are two kinds of cookie: “technical cookies”, without which the internet would cease to function (and which, therefore, we are presumably to allow without question), and “spy cookies”, which are the ones this law is clearly intended to regulate.
This reminds me of that Not The Nine O’Clock News sketch in which a disgruntled aide induces his president to include phrases like “cupcakes” and “big, floppy, dangly bits” in a public address.
Quite apart from the glaring absurdity of browser manufacturers now having to enhance their products to include a Privacy Settings option which allows users to turn “spy cookies” off while leaving “technical cookies” in place, there’s also the minor (though not entirely unexpected) problem that the law itself does not, of course, make any mention of these mythical creatures.
We all understand the difficulties which can arise when a legislator tries to express technical concepts in terms which are meant to be accessible either to other legislators or to the general public – but the perfectly-coiffured Commissioner has been in post now for almost exactly five years. Surely that – and her professional career as a journalist – must have taught her the danger of such ill-conceived dumbing-down?
EU to legislate on cookies
UK readers will probably remember one of those legal wrangles which make for such easy satire – the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course…)
It looks as though the European Commission is heading towards a similar argument about cookies – though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamp or two.
This is about amendments to 2002/58/EC; the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised here, by Struan Robertson of law firm Pinsent Masons. I recommend a read of his blog post; it isn’t often you see a lawyer describe proposed legislation as “breathtakingly stupid”… but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.
The amendments in question are apparently intended to regulate the storing and use of cookies on end users’ devices. I say “apparently”, because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.
I’ve no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter – several of them probably fatal.
The way the amendment is phrased (it’s a replacement of Article 5.3, for those who like to read that kind of thing – see Struan’s post, or read p.77 of the document here if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user’s machine. In other words, if you want to put something on my PC, or read something you put there earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:
- What if I’m using my PC outside the EU?
- What if I’m inside the EU, but accessing a cookie-setting site which is outside the EU?
- What about non-EU citizens, in the EU, accessing EU sites?
- Or non-EU citizens accessing EU sites from elsewhere?
- Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?
- … and so on and so on…
There are many other aspects one could dive into similarly – such as “what counts as consent?”, or “how on earth will users cope with all those pop-ups” – but we haven’t got all week.
Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:
- the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the “up-link”, the “down-link”, or some combination of both;
- internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.
On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.
All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn’t follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty’s Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale… whereas a biscuit, they found, starts off hard and goes soft as it gets stale. The majesty of the law leaves me awe-struck sometimes, it really does.
P3WG and Levels of Assurance
As you may know, I’ve recently set up the Privacy and Public Policy Work Group (P3WG) for the Kantara Initiative, and as we start mapping out the areas in which the Group wants to exercise an influence, one topic has generated more discussion than anything else on the mailing list. It goes by the rather uninformative name of “LOA”, or Level of Assurance. Even if you’ve never heard of LOAs, they have played a major part in your life online and off.
I’ve blogged before about what I call the “Chain of Trust” – namely, the sequence of events all of which need to be working if a credential is to work properly when you present it. In other words, for instance, if you apply for a passport in the name of Michael Mouse and the passport office doesn’t bother to check whether there’s any evidence that that is your name, the resulting passport won’t be that reliable as an indicator of your identity (even though people may assume that it is). Similarly, driving licences would not be much use as an indicator of which vehicles you’re entitled to drive, if it was possible for you to alter what the licence says… and if you tell someone the PIN of your ATM card, it is no longer effective as a way to ensure that only you can take money out of your account (in fact, the bank is likely to take it as de facto evidence that you must have been responsible for the transaction, even if it wasn’t you who actually used the card and PIN…).
These are just three examples of the many ways in which the Chain of Trust can fail, at the Registration/Verification phase, over the life of the credential, and at the authentication step, respectively. There are many other points at which the Chain can be compromised and the reliability of the credential (or the assertions made using it) undermined.
LOA is about protecting the first of these – the point at which someone decides whether or not to issue a credential which represents you in some way. In other words, if you can present a relying party with not just a credential, but a ‘score’ which indicates how reliably that credential was issued to you, they can judge whether it’s more likely that you are actually Michael Mouse, or that whoever gave you a passport saying so was not doing their job very well.
That, in turn, will give them useful information about what decisions to make next, particularly if they decide that the answer to your authentication question is “yes”.
The UK and US governments both have relatively simple 4-level LOA models (though, inconveniently, one runs from 0-3 and the other from 1-4…). Omitting the ‘index value’ for a moment, the four levels look remarkably similar. In fact, if I adopt a slightly different scale, just to paper over that difference, we might get something like this:
- Rare – UK: no authentication of identity; US: little or no confidence in the asserted identity.
- Medium rare – UK: basic authentication; US: some confidence in the asserted identity.
- Medium – UK: greater level of assurance (e.g. credentials based on proof of identity to a third party); US: high confidence in the asserted identity.
- Well done – UK: identification beyond reasonable doubt; US: very high confidence in the asserted identity.
So far so good. However, when it comes to putting this simple model into practice, and because we’re talking about assurance here (and therefore judgement), a couple of different approaches emerge.
One is to give a technical specification of the kinds of authentication technology which should or must correspond to an implementation claiming to be at a given LOA level.
Another is to relate the LOA levels to levels of risk, and allow the implementer to work out how they think that risk is best mitigated.
You might think that a third, better solution would be to combine the two… define organisational risks in a way which allows them to be assessed against the four-level model, and then have a technical specification list which says: “if you face this level of risk and you want this level of assurance, you need technology such as ‘x’, implemented with the following governance measures”.
Actually, I have a better idea… if you have opinions on this question (better still, if you have a good answer), come and sign up to the Kantara P3WG and join the discussion. We’d love to hear from you.
An accurate (non-biometric) picture
Posted on 10th July 2009
At last, there’s an article which thoroughly exposes some of the nonsense which has been talked about ICAO (International Civil Aviation Organisation) ‘requirements’ and biometric passports. It’s by John Lettice, writing in The Register, and was rightly tagged as “UK ID article of the week” by the folks at Privacy International.
While John’s primary purpose was to compare the stated policies of the 3 main UK political parties on ID cards and the National Identity Register, in doing so he offers a lucid and compelling analysis of the difference between what ICAO requirements for travel documents are intended to achieve, what they actually mean for the UK, and what we have been being told about them.
The reason this is worth drawing attention to (and the reason it exercises me so much) is that for several years now, UK policy statements have been made which go roughly like this:
“We understand (but don’t necessarily care) that proposals for the capture and storage of citizen biometrics excite distrust and concern, but our hands are tied… we’re just doing what ICAO requires”.
Rather than try to re-hash John’s excellent analysis, I will simply recommend that you read the article.
UK policy and cyber-warfare
A few years ago I was given a very good piece of advice about technologists expressing a view on matters of policy: don’t.
“Think of three layers”, was the suggestion of my older and wiser colleague: “a bottom layer of technology, a ‘good practice’ middle layer, and a policy top-layer. Be aware that decisions at the policy layer are driven by all kinds of factors over which you will never have control… and however tempting it may seem to do otherwise, restrict yourself to opinions on the other two layers”. I took this advice to heart, and while I have had the occasional lapse, it has not let me down when I have stuck to it.
So, then, what to say about the UK government’s announcement, last week, of its plans to establish a cyber-security operations centre?
Well, I think there are three questions to ask (even as a technologist…):
1 – is there a pressing need for a cyber-security capability? I suspect the answer to that one is a clear ‘yes’. There’s no doubt that cyberspace represents an element of the Critical National Infrastructure (CNI), just like the transport, water, power, communications, financial and sewage networks on which our country depends. And just like all those other elements, the UK’s cyberspace presence is inextricably linked into the global network. (“Sewage?”, I hear you mutter… “How is the sewage system cross-border?” Ask the Dutch… I read a report that, if the Netherlands couldn’t export the excrement by-product of its bacon industry, the whole country would be ankle deep in pig-poo before the year was out. And with all those greenhouses, they use a lot of fertiliser…).
2 – is the government justified in maintaining/using an offensive cyber-security capability? This one is tricky to answer at the policy layer.
- At the technical layer, I have no reservation in saying that I want the security services to know how cyber-attacks work, and even in maintaining significant expertise: after all, they can’t mount passive defences if they don’t thoroughly understand the attacks.
- At the ‘good practice’ layer, offensive cyber-security capabilities tend to be restricted to getting malicious sites/services taken off the internet – and that only after going through ‘due process’ with the telcos, service providers, hosting companies and so on. Clearly, the latest policy announcement is based on the assumption that there may be cases where the security services expect to need to go further than that.
- At the policy layer, then, I think it boils down to this: what confidence can we have that those responsible for exercising such a capability are doing so proportionately, justifiably and accountably? In other words, it raises all the governance and oversight issues which have been so much in the political searchlight in recent months. There are established structures (such as the Intelligence and Security Committee – ISC) which are intended to make it possible for those ‘on the outside’ to be confident that those ‘on the inside’ have to at least tell a cleared and trusted few what they are up to. It is quite possible that those structures, though, are effective at providing policy oversight, but not effective at building and reinforcing public trust. For instance, Tory MP Michael Mates, a long-standing ISC member, has recently said that policy-forming documents he saw in the run-up to the Iraq War would “make people’s eyes water” if and when they are made public through the proposed enquiry… and yet, the Iraq War went ahead.
3 – Can the cyber-security team meet the security policy objective, while simultaneously protecting the UK against repercussions from the policy, safeguarding citizens’ use of the internet, and providing sufficient evidence of accountability to maintain the public trust?
In policy terms, the cyber-security announcement does include a statement about the appointment of an ‘ethics advisory group’ to complement whatever other governance measures are put in place. This group is apparently to monitor the ‘proportionality’ of actions taken under the policy. But the ethical issues don’t stop there.
Supposing the cyber-security folks pre-emptively take down a malicious server outside the UK… presumably they would want to do that in a way which leaves no evidence of the attack having originated in the UK (for fear of reprisals…); perhaps they might consider launching the attack from elsewhere, in the hope that any blame (and retaliation) would fall on someone else.
I think the ethics advisory group is going to have a busy time.