Rachel O'Connell is a research consultant who has studied effective age verification techniques. Her presentation discusses how age verification and identity management are reaching a tipping point due to emerging technologies and data sources. These include electronic IDs, mobile IDs, trust frameworks, and personal data empowerment tools. In the future, a variety of data sources could be accessed and permissioned to verify attributes like age for business purposes. This would allow underserved groups like minors to participate more in the digital economy while protecting privacy and enabling new social contracts and regulatory systems.
2. BACKGROUND
• Research Consultant
• Oxford Internet Institute:
– Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry
• Ctrl_Shift
– A market analyst and consulting business
• Member of OIX and the GSMA’s UK Assured legal working group
• Led the UK Council for Child Internet Safety (UKCCIS) project group on age
verification and report back to ministers on an annual basis.
• Advisor to commercial organisations on both the policy requirements and
business opportunities associated with identity management and age
verification
• Co-founder of GroovyFuture.com.
3. AREAS COVERED
• The 2008 perspective and the artificial divide
• Catalysts and Tipping Points: Pit stop in 2013 and a 2020 horizon scan
• Emergence of a data driven economy:
– Trust Frameworks
– Electronic ID – NSTIC – Minors Trust Framework ($1.6m)
– Mobile ID – alpha projects, introduction of age verification into payment protocols
– Digital economy – disruption in the payments sector, sub-accounts
– Internet of Things
– Personal Data Empowerment Tools and Services – Quantified self
• E-ID ecosystem, IDAAS, IDPs, Attribute Exchanges
– Business use cases: ROI
– Sources of attributes
– Opportunities and challenges
4. 2008 View of Age Verification
• Burdensome compliance cost
• Little or no elevation in assurance
• Open to repudiation
• Privacy concerns
• No viable commercial or liability models
• Not scalable, absence of standards
• Not an effective means to mitigate
risks
• Barrier to innovation
5. Artificial Divide
• ID and age verification – lessons from the evolution of data bureaus and
CRA’s to meet specific business sector needs
• Lack of access to datasets not only about children and young people but
also the unbanked – thin files.
• Assumption that under 18’s had limited purchasing power
• Data sources: Government, schools, banks
• COPPA requirements: Permissioned access – sites excluded young people
aged 12 and below (the "too difficult" box)
• Struggle to identify business cases with a clear ROI – not seen as a
business enabler
9. ELECTRONIC ID
• Electronic identity ecosystems are a key enabler of the “digital economy”
• NSTIC aims to enable “Individuals and organizations [to] utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.”
• Provide scalable, privacy preserving, commercially viable, permissioned use of attributes.
• STORK
• Proposed regulation
• Alpha project – retailers
• Reducing the barriers to permissioned use of age attributes
11. MOBILE ID
• Mobile ID – GSMA/OIX Commercial Trust Framework
• SIM-based digital authentication solution
• Embedded SIM/MIM – Machine Identification Modules
• With the huge market potential and demand stimulated by immense traffic from trillions of connected devices, the Internet of Things provides operators with the means to expand their service portfolios and increase revenues.
12. ASSURED UK
Assured UK is a collaborative forum established to develop a
personal data and identity attribute exchange marketplace
It encompasses the whole ecosystem:
• Banking
• Retailers
• Mobile Network Operators
• Identity experts
• Government
13. VISION
Establish a secure and trusted marketplace that enables consumers to
control, share and benefit from their digital identities and personal
information
PRINCIPLES
1. The consumer's interests are uppermost and at all times the individual controls
storage and exchange of data
2. We will seek to reuse existing standards work wherever possible and align with
the work of UK government.
3. We will seek to enable the maximum product and business model diversity,
consistent with inter-working between participants.
14. OBJECTIVES
Define an end-2-end framework and pilot use case by
year end
a) Architect standards for identity attribute verification and
authentication
b) Define a permissions system for the exchange of those attributes
c) Develop a legal framework that will facilitate the interoperability
between different players in the ecosystem, while ensuring users’
data protection and privacy, encompassing:
i. Risk & Liability flows
ii. Auditing framework
iii. Privacy
iv. Regulatory compliance
d) Establish and prove a commercial model for identity attribute
exchange
e) Pilot and demonstrate efficient marketplace for digital identity and
attributes
15. TRUST FRAMEWORKS
• Trust is central to the operation of a data driven economy.
• Trust is crucial in the context of delivery and consumption of electronic
interactions between parties including consumers, governments and the
private sector.
• In order to both provide and benefit from digital services, companies,
public administrations and consumers need to distinguish between
trusted and non-trusted counterparts online; they also need to be
recognised as trusted parties themselves.
• A trust framework can reduce the need to negotiate a multitude of
individual commercial contracts.
17. INTERNET OF THINGS
• Education
• Assert trusted credentials (LoA)
• Recognise trusted intermediaries
(accreditation)
• Quantified self - Databetes
• Convenience, security
• Active participants
18. IoT INFOSEC AND TRUST
• Infosec properties of the IoT are often
difficult to understand for its users, because
they are hidden in pervasive systems and
small devices manufactured by a large
number of vendors.
• Trustworthiness, security functions and
privacy implications are vast, and must be
assessable to users and consumers.
• uTRUSTit enables system manufacturers and
system integrators to express the underlying
security concepts to users in a
comprehensible way, allowing them to make
valid judgments on the trustworthiness of
such systems.
19. PDETS TRUST FRAMEWORKS
• Forging new social contracts
• The Respect Trust Framework is designed to give
individuals control over the sharing of their
personal data on the Internet.
• Mydex, the personal data store and trusted
identity provider, has also had its “Mydex Trust
Framework” listed by the Open Identity Exchange.
• Connect.me has had its Trust Model and Business
Model for Personal Data listed by OIX
• The Personal Network: A New Trust Model and
Business Model for Personal Data
• Access to data that companies make available and
authoritative personal data sources – university
exam results
20. GOVERNANCE AS A SOFTWARE SERVICE
• ID³ believes governance principles should be expressed as software that is
then able to evolve to incorporate advances in technology and to support
changing market and societal requirements.
• Using these tools, people will be able to ensure the privacy of their
personal information, leverage the power of networked data, and create
new forms of online coordination, exchange and self-governance.
• They will be able to forge new “social contracts” and participate in new
types of legal and regulatory systems for managing organizations, markets
and their social and civic lives. These systems will conform to both
international legal standards and to the specific social norms and priorities
of its members.
22. DATA SOURCES:
Permissioned Attributes
Pit stop 2014-2015
• E-ID e.g. Spain, NEM ID
• WAYF, SAML
• Mobile operators - International student card
• Banks
• Government issued ID docs – Secure key
• Digital Life Data – Trulioo
• Personal Data Empowerment Tools and Services
• Biometrics
• OCR
• Traditional data bureaus and CRA’s
23. BUSINESS NEEDS:
• COPPA 2.0 – email Plus
• 20-40% of email+ emails end up in
Spam folders
• Freemium model
• Permission dashboard – set spending
limits –
• Enable self-regulatory measures –
• ROI
• Omni-channel retailers
• Payment providers
• Alcohol
• Advertising industry - broadcast versus engagement
24. BENEFITS
• Permissioned use of attributes (including age)
– Higher levels of customer acquisition
– Trust elevation – LOA’s
• Remote on-boarding
– Differing levels of assurance
• Tailored to meet business rules
– Low integration costs
– Modular, highly configurable
– Scalable, viable low cost
– Reusable tokens
– UX
– Reputation, foster brand loyalty
25. LOOKING TO THE FUTURE
• A greater variety of data sources will be accessible and permissioned; these can be cross checked and an assurance level/risk profile calculated to meet specific business rules.
• Granularity with respect to permissions (e.g. time stamped - miicard) and user centric controls
• Artificial barriers removed – young people will be enabled to become active participants in the digital economy and the internet of things, and to manage their personal data
• New social contracts will be forged
• Business development and ROI opportunities
• Many other benefits...
• Challenges
• Information security
• Threat vectors – bad actors, untrustworthy intermediaries
• Scale of potential unintended consequences
• Roles and responsibilities of regulators
• Managing the processes of accreditation, oversight, redress
26. THANK YOU FOR LISTENING
HAPPY TO ANSWER ANY QUESTIONS?
rachel@technologist.com
Twitter: @racheloconnell
www.GroovyFuture.com
Editor's Notes
Trulioo Internet Life Verification utilizes “digital life data” - social network interactions, crowd sourcing, Internet information repositories and behavioral data – to perform identity vetting and information verification.