The document discusses challenges facing the public sector in establishing digital identity systems. It argues that public sectors should demand a 21st century approach that places citizens in control of their personal information, enables minimal disclosure of data for transactions, and decentralizes identity governance across sectors. The goal is to establish trust in digital identities while protecting privacy, security, and democratic values like freedom of expression.

1. re-thinking identity – meeting public sector challenges
what should the public sector
demand?
Jerry Fishenden
National Technology Officer
Microsoft
blog – http://ntouk.com
twitter – http://twitter.com/ntouk

2. realities of the threat landscape
• hackers
• crackers
• script kiddies …
• … and governments ….?

3. we need trust in our digital lives
• any systems – private or public sector –
need to:
– recognise the importance of the rule of
law, security, and privacy and other core
democratic freedoms in contributing to
trustworthiness
– honour European values such as privacy,
freedom of expression, protection of
minorities, freedom of association, and
freedom of belief
• the public sector has a key role in
overall governance and compliance in
support of these important values

4. … not this …

5. … or this …

6. not a great model either …
your name, bank account
number, sort code number
… (conveniently embossed
for easy skimming)
… your signature, 234
“security code” and
“automated hacking
magnetic strip”

7. improvements

8. so how about this?
paper world digital world
no need for this
vulnerability
useful data … in the
wrong hands

9. and this?
• enables users to
use multiple
identity systems
• based on Web
services
• usable by any
application

10. • strong 2-way
authentication
• enhanced privacy
– at user’s discretion,
store personal
information on
PC/Phone/Device
or in “the cloud”
– fully informed
disclosure
– multiple personas,
a mirror of the real
world

11. so what should the public sector
demand …?
• not a 1940s-50s system based
around identity cards
• or a 1960s idea of computers
sitting at the centre and seeing
and knowing everything
– (psst. government is no better at
the centre of our lives than
Microsoft Passport was …)

12. the public sector should demand …
• a 21st century approach to identity
with clear value and incentives for
citizens, businesses and the public
sector
• proof of entitlement and authorisation
to use a service, without necessarily
identifying the user
– that is, the disclosure of only the bare
minimum of information necessary for a
transaction:
• for example, providing a proof that a person
is over or under a certain age threshold,
without disclosing their actual date of birth
or their age

13. • a choice of devices that makes sense
not only to government, but also to
us as citizens and to the commercial
sector
• the effective management of
electronic credentials throughout
the lifecycle between issuance and
revocation, in a privacy-friendly way
• decentralised governance of identity
infrastructure across the private and
public sectors, without the need or
desire for anyone to sit in the
middle and log and monitor
everything we do in our daily lives

14. minimal disclosure tokens / U-Prove

15. minimal disclosure tokens: basics
Name: Alice Smith DOB: 03-25-1976
Name: Alice Smith
Address:
Address: 1234 Crypto, Seattle, WA
1234 Crypto, Seattle, Reputation: high
Status: gold customer
Status: gold customer Gender: female

16. minimal disclosure tokens: basics
Which adult
Prove that from WA is
you are from this?
WA and over
21
? ?
Name: Alice Smith
Address: 1234 Crypto, Seattle, WA
DOB: 03-25-1976 proof
Over-21
Status: gold customer
Reputation: high
Gender: female

17. authenticated anonymity
Prove that
you are a
gold
customer
Name: Alice Smith
Address: 1234 Crypto, Seattle, WA
Status: gold customer

18. unlinkable data sharing
Name: Alice Smith
Address: 1234 Crypto, Seattle, WA
Status: gold customer
? UserID:
City:
Alice S.
Seattle, WA
?
No unwanted linkages
Name: Alice Smith
UserID: Alice S.
Address: 1234 Crypto, Seattle, WA
Status: gold customer

20. … and at the macro level
• fundamental reform of the
policymaking process:
– ensure technological and scientific
evidence is gathered and understood
prior to legislation being brought
forward
• eg avoid ‘the Identity Cards Act’ model,
where the mechanism/solution (cards) is
fused with the objective and policy
outcome
• don’t plan based on what you can
see in the rear-view mirror

21. conclusion
• the public sector can help raise the game for
everyone:
– placing the citizen at the centre and in control (not at
the centre under permanent and routine surveillance)
– empowering the citizen with additional safeguards
and protections well beyond those that the current
plastic cards in our wallets and purses provide
– acting as a catalyst to encourage the adoption of user-
centric, not provider-centric, models

22. • hence helping ensure that a twenty-first
identity framework …
– underpins the rule of law, security, and privacy
and other core democratic freedoms in
contributing to trustworthiness
– honours European values such as privacy, freedom
of expression, protection of minorities, freedom of
association, and freedom of belief

23. some links
• Kim Cameron’s blog
http://www.identityblog.com/
• Stefan Brands’ work
http://www.credentica.com/
• CardSpace http://msdn.microsoft.com/en-
us/library/aa480189.aspx
• Trust in Digital Life http://trustindigitallife.eu

24. re-thinking identity – meeting public sector challenges
thank you …
Jerry Fishenden
National Technology Officer
Microsoft
blog – http://ntouk.com
twitter – http://twitter.com/ntouk