<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Colin, I can pitch in on some of these:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>What are the latest advances in ID Management technology?<br><br>How has it evolved over the years?<br><br></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>ID management has been largely about people in the past. How will the Internet of Things change that, if at all?<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>I can use UMA and IRM as an example and also bring in some of the things we have been talking about in the IDoT DG.</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> lc-bounces@kantarainitiative.org [mailto:lc-bounces@kantarainitiative.org] <b>On Behalf Of </b>Colin Wallis<br><b>Sent:</b> Monday, February 22, 2016 5:50 PM<br><b>To:</b> Mike Schwartz<br><b>Cc:</b> Kantara Leadership Council Kantara<br><b>Subject:</b> Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016 17:30:00<o:p></o:p></span></p></div></div><p 
class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>OK, thanks for that offer Mike.<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>But the thing is, the guy asked Kantara, so he is expecting a response from experts on behalf of Kantara.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Taking him to Gluu is kind of one step removed.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>I'm happy for responses to contain links to Gluu and elsewhere, but I think we are setting ourselves up for some copyright concerns if we point folks away, straight out of the gate.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Cheers<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Calibri","sans-serif"'>Colin<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>> Date: Mon, 22 Feb 2016 15:11:16 -0600<br>> From: <a href="mailto:mike@gluu.org">mike@gluu.org</a><br>> To: <a href="mailto:colin_wallis@hotmail.com">colin_wallis@hotmail.com</a><br>> CC: <a href="mailto:lc@kantarainitiative.org">lc@kantarainitiative.org</a><br>> Subject: Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016 17:30:00<br>> <br>> <br>> Colin,<br>> <br>> I can offer to take a stab at responding to these questions by the <br>> date requested on a Gluu blog.<br>> <br>> thx,<br>> <br>> Mike<br>> <br>> On 2016-02-22 11:13, Colin Wallis wrote:<br>> > Thanks Ken<br>> > We'll consider this question dealt to.<br>> > Anyone else want to take on one of the others?<br>> > Cheers<br>> > Colin<br>> > .....................................<br>> >> At airports around the world, travelers' identities are routinely<br>> > verified using biometric identification. 
Recently in India, a new<br>> > facility for pension distribution adapted an iris authentication<br>> > scanner to validate citizens. New generations of fully integrated,<br>> > end-to-end cloud identity management platforms offer clients secure<br>> > and flexible means to pick and choose which services they need. For<br>> > this latest ebook from SC Magazine, we speak to a number of experts<br>> > with hands-on experience about how these advances in technologies are<br>> > changing the face of identity management and opening up new<br>> > opportunities for the enterprise to become more secure—and we’ll<br>> > throw in a few caveats (for one, what happens to privacy when<br>> > biometrics are added to the mix?) that any organization should heed<br>> > when revamping its identity management strategy.<br>> >> <br>> >> Here are the questions he's exploring:<br>> >> <br>> >> What are the latest advances in ID Management technology?<br>> >> <br>> >> How has it evolved over the years?<br>> >> <br>> >> What happens to privacy when biometrics are thrown into the mix?<br>> > GONE GONE....<br>> >> <br>> >> How are ID management systems and access management/roles-based<br>> > management converging?<br>> >> <br>> >> ID management has been largely about people in the past. How will<br>> > the Internet of Things change that, if at all?<br>> >> <br>> >> Is authentication keeping up with trends in ID management?<br>> >> <br>> >> My identity as my wife sees it may be different to my identity as my<br>> > bank sees it, which may be different again to my identity as my<br>> > employer sees it. 
How do we cope with multiple attributes in ID<br>> > management?<br>> >> <br>> >> How do we maintain and preserve identity in the long term, as a<br>> > person's life and circumstances change?<br>> >> <br>> >> Are there standards for ID management?<br>> >> <br>> >> What are the biggest challenges facing companies that want to design<br>> > and deploy their own ID management systems?<br>> > <br>> > -------------------------<br>> > Date: Mon, 22 Feb 2016 06:58:22 -0500<br>> > Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline<br>> > 2/26/2016 17:30:00<br>> > From: <a href="mailto:kendaggtbs@gmail.com">kendaggtbs@gmail.com</a><br>> > To: <a href="mailto:colin_wallis@hotmail.com">colin_wallis@hotmail.com</a><br>> > CC: <a href="mailto:lc@kantarainitiative.org">lc@kantarainitiative.org</a><br>> > <br>> > Colin,<br>> > <br>> > I agree fully that the first two paragraphs address the scope of his<br>> > question regarding biometrics and privacy.<br>> > <br>> > However, your comment, "sense of direction of travel for SC Magazine<br>> > being towards Data Protection" prompts me to include the rest of the<br>> > material regarding Privacy. In my opinion, a focus solely on data<br>> > protection misses the boat on respecting privacy and probably does it<br>> > a disservice. As you are aware, having the best data protection<br>> > practices in the world while using an individual's PII for unstated<br>> > purposes or disclosing it inappropriately, still means the<br>> > organization is not respecting an individual's privacy.<br>> > <br>> > I agree with your concern regarding "a compromise in the sample or the<br>> > templates database" being a major issue with respect to an individual<br>> > having to re-establish and re-bind their identity. However, I would<br>> > argue that the same holds true for any piece of an individual's PII<br>> > that is used by an organization. 
Biometric data, because it is viewed<br>> > as unique to an individual, is in some organizations' minds, viewed as<br>> > a silver bullet with respect to Identification. However, in my opinion,<br>> > it is just another piece of data that can be used to mitigate the risk<br>> > of misidentification. If the consequences of misidentification are<br>> > severe it should still be corroborated with other PII. In other words,<br>> > it is not a silver bullet.<br>> > <br>> > This being said, I restructured the answer to address the "silver<br>> > bullet" concept as well as the out-of-scope text. I would recommend<br>> > including the background in the response as I believe that it is<br>> > important to raise the "technology neutral" idea with respect to<br>> > privacy policy/legislation. I would like to start the process of<br>> > changing the perception held by many people that current policy is<br>> > outdated or has been overtaken by advances in technology. (My soapbox<br>> > rant for the day)<br>> > <br>> > While we probably aren't going to be killed for not answering all the<br>> > questions I hope that others can address some of them.<br>> > <br>> > Ken<br>> > <br>> > ==============<br>> > <br>> > The perception that something should happen to privacy because<br>> > biometrics enter the mix is erroneous.<br>> > <br>> > Privacy is a state that is respected when an individual understands<br>> > and consents to how their personally identifiable information (PII) is<br>> > collected, maintained, used, disclosed and disposed. Biometric<br>> > information, given its uniqueness to each individual, should be<br>> > considered to be PII.<br>> > <br>> > Regardless of its apparent uniqueness, an organization that wishes to<br>> > mitigate the risk of misidentification of an individual should not<br>> > look at biometric data as a "silver bullet". 
If the consequences of<br>> > misidentification are high they should still corroborate the biometric<br>> > data with other PII during their authentication. The process, whether<br>> > in the digital or real world, still requires an organization to<br>> > identify the consequences of misidentification before it puts in place<br>> > procedures and techniques (such as the use of biometric data) to<br>> > mitigate that risk.<br>> > <br>> > Background on Privacy<br>> > <br>> > It should be noted that jurisdictions around the world have identified<br>> > that respect of an individual's privacy is technology neutral.<br>> > <br>> > For the US Government NIST Special Publication 800-122 defines PII as<br>> > "any information about an individual maintained by an agency,<br>> > including (1) any information that can be used to distinguish or trace<br>> > an individual’s identity, such as name, social security number, date<br>> > and place of birth, mother’s maiden name, or biometric records; and<br>> > (2) any other information that is linked or linkable to an individual,<br>> > such as medical, educational, financial, and employment information."<br>> > <br>> > In other countries with privacy protection laws derived from the OECD<br>> > privacy principles, the term used is more often "personal<br>> > information". This term, in general, is broader than PII. For example,<br>> > there are two pieces of legislation that cover privacy at the federal<br>> > level in Canada: the Privacy Act and the Personal Information<br>> > Protection and Electronic Documents Act (PIPEDA). The Privacy Act<br>> > relates to an individual’s right to access and correct personal<br>> > information the Government of Canada holds about them or the<br>> > Government’s collection, use and disclosure of their personal<br>> > information in the course of providing services (e.g., old age<br>> > pensions or employment insurance). 
PIPEDA sets out the ground rules<br>> > for how private-sector organizations collect, use or disclose personal<br>> > information in the course of commercial activities across Canada.<br>> > <br>> > Both acts in essence define personal information to be any factual or<br>> > subjective information, recorded or not, about an identifiable<br>> > individual. This includes information in any form, such as:<br>> > * age, name, ID numbers, income, ethnic origin, or blood type;<br>> > * opinions, evaluations, comments, social status, or disciplinary<br>> > actions; and<br>> > * employee files, credit records, loan records, medical records,<br>> > existence of a dispute between a consumer and a merchant, intentions<br>> > (for example, to acquire goods or services, or change jobs).<br>> > <br>> > Excluded is information concerning the name, title, business address<br>> > or telephone number of an employee of an organization.<br>> > <br>> > Both acts identify how personal information should be collected,<br>> > maintained, used, disclosed and disposed. Of interest is the<br>> > requirement to identify a retention period for the personal<br>> > information that is collected about an individual and how that<br>> > information is expunged from an organization's records.<br>> > <br>> > Also of interest is how the power and versatility of re-identification<br>> > algorithms have significantly increased the ability of identifying an<br>> > individual without the use of PII. 
As such, Big Data is becoming an<br>> > issue in privacy circles.<br>> > <br>> > <snip><br>> > <br>> > <br>> > _______________________________________________<br>> > LC mailing list<br>> > <a href="mailto:LC@kantarainitiative.org">LC@kantarainitiative.org</a><br>> > <a href="http://kantarainitiative.org/mailman/listinfo/lc">http://kantarainitiative.org/mailman/listinfo/lc</a><br>> <br>> -- <br>> -------------------------------------<br>> Michael Schwartz<br>> Gluu<br>> Founder / CEO<br>> <a href="mailto:mike@gluu.org">mike@gluu.org</a><o:p></o:p></span></p></div></div></div></div></body></html>