[KI-LC] Media query from SC Magazine - deadline 2/26/2016 17:30:00

Colin Wallis colin_wallis at hotmail.com
Mon Feb 22 16:49:56 CST 2016


OK, thanks for that offer Mike. But the thing is, the guy asked Kantara, so he is expecting a response from experts on behalf of Kantara. Taking him to Gluu is kind of one step removed. I'm happy for responses to contain links to Gluu and elsewhere, but I think we are setting ourselves up for some copyright concerns if we point folks away, straight out of the gate.

Cheers
Colin

> Date: Mon, 22 Feb 2016 15:11:16 -0600
> From: mike at gluu.org
> To: colin_wallis at hotmail.com
> CC: lc at kantarainitiative.org
> Subject: Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016 17:30:00
> 
> 
> Colin,
> 
> I can offer to take a stab at responding to these questions by the 
> date requested on a Gluu blog.
> 
> thx,
> 
> Mike
> 
> On 2016-02-22 11:13, Colin Wallis wrote:
> > Thanks Ken
> > We'll consider this question dealt to.
> > Anyone else want to take on one of the others?
> > Cheers
> > Colin
> > .....................................
> >> At airports around the world, travelers' identities are routinely
> > verified using biometric identification. Recently in India, a new
> > facility for pension distribution adapted an iris authentication
> > scanner to validate citizens. New generations of fully integrated,
> > end-to-end cloud identity management platforms offer clients secure
> > and flexible means to pick and choose which services they need. For
> > this latest ebook from SC Magazine, we speak to a number of experts
> > with hands-on experience about how these advances in technologies are
> > changing the face of identity management and opening up new
> > opportunities for the enterprise to become more secure—and we’ll
> > throw in a few caveats (for one, what happens to privacy when
> > biometrics are added to the mix?) that any organization should heed
> > when revamping its identity management strategy.
> >> 
> >> Here are the questions he's exploring:
> >> 
> >> What are the latest advances in ID Management technology?
> >> 
> >> How has it evolved over the years?
> >> 
> >> What happens to privacy when biometrics are thrown into the mix?
> > GONE GONE....
> >> 
> >> How are ID management systems and access management/roles-based
> > management converging?
> >> 
> >> ID management has been largely about people in the past. How will
> > the Internet of Things change that, if at all?
> >> 
> >> Is authentication keeping up with trends in ID management?
> >> 
> >> My identity as my wife sees it may be different to my identity as my
> > bank sees it, which may be different again to my identity as my
> > employer sees it. How do we cope with multiple attributes in ID
> > management?
> >> 
> >> How do we maintain and preserve identity in the long term, as a
> > person's life and circumstances change?
> >> 
> >> Are there standards for ID management?
> >> 
> >> What are the biggest challenges facing companies that want to design
> > and deploy their own ID management systems?
> > 
> > -------------------------
> > Date: Mon, 22 Feb 2016 06:58:22 -0500
> > Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline
> > 2/26/2016 17:30:00
> > From: kendaggtbs at gmail.com
> > To: colin_wallis at hotmail.com
> > CC: lc at kantarainitiative.org
> > 
> > Colin,
> > 
> > I agree fully that the first two paragraphs address the scope of his
> > question regarding biometrics and privacy.
> > 
> > However, your comment, "sense of direction of travel for SC Magazine
> > being towards Data Protection" prompts me to include the rest of the
> > material regarding Privacy. In my opinion, a focus solely on data
> > protection misses the boat on respecting privacy and probably does it
> > a disservice. As you are aware, having the best data protection
> > practices in the world while using an individual's PII for unstated
> > purposes or disclosing it inappropriately, still means the
> > organization is not respecting an individual's privacy.
> > 
> > I agree with your concern regarding "a compromise in the sample or the
> > templates database" being a major issue with respect to an individual
> > having to re-establish and re-bind their identity. However, I would
> > argue that the same holds true for any piece of an individual's PII
> > that is used by an organization. Biometric data, because it is viewed
> > as unique to an individual, is, in some organizations' minds, viewed as
> > a silver bullet with respect to Identification. However, in my opinion,
> > it is just another piece of data that can be used to mitigate the risk
> > of misidentification. If the consequences of misidentification are
> > severe it should still be corroborated with other PII. In other words,
> > it is not a silver bullet.
> > 
> > This being said, I restructured the answer to address the "silver
> > bullet" concept as well as the out-of-scope text. I would recommend
> > including the background in the response as I believe that it is
> > important to raise the "technology neutral" idea with respect to
> > privacy policy/legislation. I would like to start the process of
> > changing the perception held by many people that current policy is
> > outdated or has been overtaken by advances in technology. (My soapbox
> > rant for the day)
> > 
> > While we probably aren't going to be killed for not answering all the
> > questions I hope that others can address some of them.
> > 
> > Ken
> > 
> > ==============
> > 
> > The perception that something should happen to privacy because
> > biometrics enter the mix is erroneous.
> > 
> > Privacy is a state that is respected when an individual understands
> > and consents to how their personally identifiable information (PII) is
> > collected, maintained, used, disclosed and disposed. Biometric
> > information, given its uniqueness to each individual, should be
> > considered to be PII.
> > 
> > Regardless of its apparent uniqueness, an organization that wishes to
> > mitigate the risk of misidentification of an individual should not
> > look at biometric data as a "silver bullet". If the consequences of
> > misidentification are high they should still corroborate the biometric
> > data with other PII during their authentication. The process, whether
> > in the digital or real world, still requires an organization to
> > identify the consequences of misidentification before it puts in place
> > procedures and techniques (such as the use of biometric data) to
> > mitigate that risk.
> > 
> > Background on Privacy
> > 
> > It should be noted that jurisdictions around the world have identified
> > that respect of an individual's privacy is technology neutral.
> > 
> > For the US Government NIST Special Publication 800-122 defines PII as
> > "any information about an individual maintained by an agency,
> > including (1) any information that can be used to distinguish or trace
> > an individual's identity, such as name, social security number, date
> > and place of birth, mother's maiden name, or biometric records; and
> > (2) any other information that is linked or linkable to an individual,
> > such as medical, educational, financial, and employment information."
> > 
> > In other countries with privacy protection laws derived from the OECD
> > privacy principles, the term used is more often "personal
> > information". This term, in general, is broader than PII. For example,
> > there are two pieces of legislation that cover privacy at the federal
> > level in Canada: the Privacy Act and the Personal Information
> > Protection and Electronic Documents Act (PIPEDA). The Privacy Act
> > relates to an individual’s right to access and correct personal
> > information the Government of Canada holds about them or the
> > Government’s collection, use and disclosure of their personal
> > information in the course of providing services (e.g., old age
> > pensions or employment insurance). PIPEDA sets out the ground rules
> > for how private-sector organizations collect, use or disclose personal
> > information in the course of commercial activities across Canada.
> > 
> > Both acts in essence define personal information to be any factual or
> > subjective information, recorded or not, about an identifiable
> > individual. This includes information in any form, such as:
> > * age, name, ID numbers, income, ethnic origin, or blood type;
> > * opinions, evaluations, comments, social status, or disciplinary
> > actions; and
> > * employee files, credit records, loan records, medical records,
> > existence of a dispute between a consumer and a merchant, intentions
> > (for example, to acquire goods or services, or change jobs).
> > 
> > Excluded is information concerning the name, title, business address
> > or telephone number of an employee of an organization.
> > 
> > Both acts identify how personal information should be collected,
> > maintained, used, disclosed and disposed. Of interest is the
> > requirement to identify a retention period for the personal
> > information that is collected about an individual and how that
> > information is expunged from an organization's records.
> > 
> > Also of interest is how the power and versatility of re-identification
> > algorithms have significantly increased the ability of identifying an
> > individual without the use of PII. As such, Big Data is becoming an
> > issue in privacy circles.
> > 
> > <snip>
> > 
> > 
> 
> -- 
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> mike at gluu.org
 		 	   		  