Sharing presentation given at GSMA London offices, at the European Association for e-Identity and Security (EEMA) / Open Identity Exchange event. November 5, 2013
2. 2
WHO AM I?
PhD online criminal activity: implications for investigative strategies
Chief Security Officer Bebo, VP AOL
Research Consultant
Oxford Internet Institute:
Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry
Ctrl_Shift
A market analyst and consultancy: changing personal data landscape.
Member of OIX and the GSMA’s UK Assured legal working group
Advisor to commercial organisations on both the policy requirements and business opportunities associated with digital and mobile ID
Co-founder of GroovyFuture.com.
3. 3
KEY POINTS:
Traditional data sources for ID and age verification:
Increase in the number of data sources: Tipping point
Age is simply an attribute of identity: permissioned, quality assured attributes.
Age related attributes enable the following:
Artificial barriers
COPPA compliance
Improvements in customer acquisition and on-boarding processes
Uplift in, and/or generation of new revenue streams
Creation of new business development opportunities
Effective compliance with consumer protection and data protection regulation
Benefits to a number of business sectors including mobile operators, payment providers, retailers, platform providers, digital media producers and advertisers
5. 5
BELOW 18 YEARS
Guarantor model - leveraged traditional data sources
Burdensome compliance cost
Little or no elevation in assurance
Open to repudiation
Privacy concerns
No viable commercial or liability models
Not scalable, absence of standards
Not an effective means to mitigate risks
Barrier to innovation
View of a child online
6. 6
EUROPEAN E-ID LANDSCAPE
Electronic ID cards exist in: Belgium, Estonia, Finland, Germany, Italy, Portugal and Spain.
Other forms of e-ID, like citizen cards and access tokens, are used in: Austria, Czech Republic, Denmark, Lithuania, Luxembourg, The Netherlands, Slovakia, Slovenia and Sweden.
17 EU countries also participate in a project called STORK which has proven that e-IDs can be safely recognised across borders.
https://www.eid-stork.eu/index.php?option=com_processes&act=list_documents&s=1&Itemid=60&id=312
7. 7
PRACTICAL APPLICATIONS
Austria and Iceland enable 'Safer Chat' for 14-18 year olds, where users need their e-ID card to enter chat rooms for 14-18 year olds.
SaferChat has been tested as a platform for safer online communication across borders, providing useful eID services for e-learning.
The pilot can be taken as an illustration of attribute-based authentication with maximum data protection.
Businesses or governmental organizations can utilise this approach, adapting it for specific purposes.
Open Source.
8. 8
Scalability/Flexibility Various National Credentials
The SaferChat pilot has proven to be very flexible in terms of scalability; both smart cards and SIM cards are used to access pilot applications.
At the outset, Icelandic and Austrian credentials were supported.
During the pilot lifetime, support for further cross-border electronic identities was added (Estonia, Spain, Italy, Latvia, Luxembourg, Portugal, Slovenia and Finland).
‘This could be done without any serious effort due to sufficiently flexible and scalable STORK project specifications’.
11. 11
DATA SOURCES
IDaaS platform, e.g. Avoco Secure: provides a user-centric approach (SFA)
Academic attribute providers: SAML
International Student Card: Mobile ID (pilot project)
Banks – miicard
Payments infrastructure – Vocalink, Zapp
12. 12
DATA SOURCES
Government issued ID docs – Secure key
OCR – ID Checker
Digital Life Data – Trulioo
Personal Data Empowerment Tools and Services
Biometrics
Traditional data bureaus and CRAs
13. 13
BankID NORWAY
Age attributes accessible
Examples of when you can use BankID:
BankAxess (a new payment service for online shopping)
Log-in and payment via internet bank
Change of address with the postal service
Placing a bid when buying property
Login on municipal websites
Purchasing units in equities funds
BankID can be used as an electronic proof of identity, for example logging in at a BankID user site.
DOB data was originally included so students could avail of discounts.
18. 18
EVOLUTION OF PARAMETERS
AGE VERIFICATION: 2008
Burdensome compliance cost
Little or no elevation in assurance
Open to repudiation
Privacy concerns
No viable commercial or liability models
Not scalable, absence of standards
Not effective personal safety risk mitigation
Barrier to innovation
View of children: passive, vulnerable
Data Protection Act: Free market

ATTRIBUTE QUALITY ASSURED: 2013
Business enabler / return on investment
Attribute Quality Authentication Assurance
Granular assurance / business rules
Privacy preserving, data minimisation principles
Legal framework / scope for viable commercial models
Trust frameworks / interoperable standards
Augments security / business risk
Active participant, economic socialisation
Proposed DP: Human rights, Consumer Protection Directive, Digital Agenda 2020
Foster innovation, product diversity, virtuous cycle
19. 19
AQAA:VIRTUOUS CYCLE
Attribute assurance / token reuse within ecosystem
Higher sales, profit margins = Return on investment
Consumer satisfaction
Improved service delivery
Customer loyalty
Customer satisfaction
Regulatory compliance
20. 20
BUSINESS ENABLER
A greater variety of data sources will be accessible and permissioned; these can be cross-checked and combined to meet specific business rules.
Higher levels of customer acquisition
Remote on-boarding
Seamless customer experience
Trust elevation – LOAs, as per business rules
Low integration costs
Modular, highly configurable
Scalable, viable low cost
Reusable tokens
UX
Reputation, foster brand loyalty
Challenges: cross-sectoral consensus, time frames, information security, managing the processes of accreditation, oversight, redress
The Avoco IDP is both user-centric and privacy enabled. Underpinning the capability to scale and handle large volumes of transactions is an architecture that incorporates much of what has been learnt from social networking systems that have the ability to handle a billion identities. This avoids the limiting factors that are prevalent in enterprise identity systems, which have been adapted to try and deliver consumer mass market identity.

Avoco offer several variants of Identity Provider Platforms. Each enables you to issue and manage online digital identities which are user centric, privacy enabled, simple to deploy in the cloud or a local network, totally customisable and scalable to millions of users. Information Card (WS-Trust), SAML and OpenID digital identities are all supported by Avoco identity services. These services are based on an attribute/claims based architecture. The issued identities can be used with many types of credential including social network federated login, digital certificates, mobile phone SMS text, username and password, etc. A service to issue and manage online digital identities that can then be used to access online services, secure documents and sign HTML web forms.

Avoco Secure is an innovation company whose areas of focus are solutions for cloud identity, security, and privacy. Using an Avoco identity, you can access online services from iPads, mobile phones, PCs etc. in a simple, secure and easy to use way. Users can seamlessly log in and send data to online services. This is done in a secure manner that both mirrors and extends their everyday experience with social networks and webmail. Avoco solutions are user centric, enhanced by security and incorporate privacy by design.

Vocalink study: Younger adults are especially likely to be mobile payment users (41% of 16 to 24 year olds), and around half of those who are not already using the service are interested in doing so.