Get Mind Smart
see the bigger picture
Overstand the Corporate Plan
Predictive programming is part of a spell,
Drawing us in to the corporate vision.
But we see through the veil and the spell cannot touch us,
For we think and feel and know for ourselves.
Empowered by truth we rise like lions
And shake off the chains that did bind us.
I am not a dog
Part One: IDENTITY CRISIS
Tsze-lu said, “The ruler of Wei has been waiting for you, in order with you to administer the government. What will you consider the first thing to be done?” The Master replied, “What is necessary is to rectify names.”
(Confucius, Analects XIII, 3, tr. Legge)
Cybersecurity has become the dominant concern for geeks and elites around the world, as governments and corporations attempt to exert control over the internet to protect their interests. News is hot with updates on the TPP and the like, but there is little coverage of the push to control identity.
For many years, the anonymity afforded by the internet has prompted discussions about the problem of not knowing who exactly you’re interacting with online, i.e. how can you tell it’s a real person, and not a dog? More to the point, how do you know who to trust?
Most of the technical aspects of resolving this issue have been successfully tried and tested for many years now, as those with the most to lose have implemented Identity and Access Management (IAM) systems which offer secure solutions for digital transactions. This has created a powerful industry, especially for military applications; in fact, the market for IAM is expected to grow to $12.3 billion by 2014, from just $2.6 billion in 2006.
This industry is now eager to expand into the civilian market, to provide each one of us with a unique global identification number, together with databases of all the personal information that makes us what we are. This is the age of e-governance, where just about everything is going online: relationships, government and business services, banking, and even law – increasingly these transactions can be done with a mobile device, bringing a whole new set of factors into play when it comes to identification.
Online and on the move, smartphone use is creating a multitude of e-IDs (electronic identities), as well as facilitating a massive rise in the use of RFID (radio frequency identification), such as contactless payments. Cybersecurity is achieved by using encryption protocols online as well as identity verification systems which employ RFID, or NFC (near field communication), i.e. scanners reading microchipped devices. With the introduction of IPv6, things are about to go wild. It’s a global market, after all... and every element will be itemised and accounted for.
The World e-ID conference has been held each year since 2004, and is now held together with the NFC World Congress. Delegates come from all over the world, and include business and government representatives. This year’s conference will have a specific focus on emerging countries, with the support of the World Bank. Experts will discuss key themes which relate to identity, such as e-driving licences, new national e-services, e-ID in emerging countries, the future of mobile e-ID, the EU Digital Agenda, and e-ID for healthcare. Administration of these services relies on knowing that users are who they say they are; they will ask you to prove you are not a dog.
When the Obama administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC) in 2010, there was heavy criticism from those opposed to national ID cards and loss of privacy. There has been scant mention of the scheme in either the mainstream or alternative press since then, yet NSTIC is flourishing, alongside similar schemes around the world. The plan is to make each national system standardized, and able to communicate with systems in other countries; leading to interoperability on a global scale, where all citizens have a single, virtual, global ID. This ID will be smart: using an identity device which proves your credentials, which employs microchips, RFID, and biometrics to grant or deny access and other privileges.
At first the system will be voluntary, but eventually a tipping point will be reached where it becomes impossible to participate in society without submitting your personal details to an Identity Provider. Although most of our lives are already online, the push towards e-government and virtual finance represents the completion of this trend. Identity management for all looks set to be implemented by the end of the decade, by which time the few who have not joined up to the Trust Network will look very suspicious indeed – conspicuously so. All bureaucratic transactions will be done online: getting a driving licence, applying for a job, or a social security benefit. Banking and shopping are becoming increasingly mobile and virtual too, necessitating identity verification even further.
You’ll have to keep updating your attributes with your Identity/Attribute provider: things like change of address and health details, pregnancy, photos – anything at all related to ‘who you are and what you do and what you look/sound like’. Chances are that if you don’t, the employer who insisted you keep your ID up-to-date will sack you, or that your health insurance/driving licence/mobile banking, etc, will be invalidated. We are expected always to be responsible citizens, in the name of ‘security’ and ‘protection’.
All web transactions will be time-and-date stamped, to provide legal proofs and facilitate official investigations. There will be various ‘levels of authentication’ which you will have to provide online, with the highest level pertaining to banking and governmental bureaucracy, and the lowest to the use of social media. The ‘trust network’ will govern the rules of the identity ecosystem, and all members must agree to abide by the terms and conditions; failure to do so could result in your credentials being revoked. The police will also be interested in your details, to ‘help them in their inquiries’ should a crime be committed. More than this, analytics could be performed on the identity data to predict when crime is likely to occur.
There may even be a communitarian element to all this, where we are called on to sacrifice some of our rights to privacy, and join the identity ecosystem to realise global cybersecurity:
"Identity assurance schemes of necessity involve some intrusion into personal privacy. An identity governance framework must, therefore, recognise that different people will, at different times, require a different balance between their individual rights and the rights they cede for the greater good. It must recognise that too little privacy is just as damaging to society and security (by enabling more criminality or chilling the democratic process) as is too much privacy (by hampering law enforcement or enabling abuse of power). And it must ensure that the benefits the internet can bring are not stifled by an over-strict control on who can connect."
1. (i) Global Situation
Countries around the world have been establishing national identification systems, most of which include biometrics and the issuance of smart ID cards. Identity management (IdM) involves numerous bodies in continually updating all identity attributes and credentials, and working towards a standardised, federated system. Since most of the world is implementing IdM, and since travel, migration, and international trade all require ID verification, it seems possible that global interoperability may one day be achieved. Some of the countries currently involved include:
USA – much progress has been made on the National Strategy for Trusted Identities in Cyberspace (NSTIC). Multi-factor biometric identification systems are being rolled out to ports, as part of the SAFE Port Act, and some airports.
Canada - has issued a strategy.
Brazil – fingerprint readers installed in many ATMs. Rolling out unique-ID cards with biometrics.
Mexico – biometric authentication for voter registration.
Kenya - National ID Card, biometric Resident Alien Card
Ethiopia – Biometric passport project
Namibia - Biometric driving license
Ghana - Biometric Voter Registration
Morocco - National ID with smart card
Cote D’Ivoire - Smart card project in the pipeline
Nigeria is moving towards a cashless society for which it feels identity management is crucial. This is being overseen by the National Identity Management Commission (NIMC).
South Africa has implemented biometric smart payment cards, which incorporate social security payments as part of MasterCard’s vision to create “a world beyond cash”. IdM in South Africa is being used for a population register, immigration and refugees.
Germany - biometric residence permits for third country nationals
France – compulsory biometric passports with option for second chip for ID verification.
Albania – citizens may only vote if they can authenticate their identity with biometric passport or ID card.
United Kingdom – preparing to introduce IdM
Numerous European projects to achieve federated identity management are underway, e.g. Sweden, Germany, Belgium, Austria, Greece and Finland have taken part in the Global Identity Networking of Individuals (see below).
Iraq – biometric ID cards, data held by U.S. Central Command.
Afghanistan – strategy for IdM; huge biometric database, controlled by US military, the FBI and the Department of Homeland Security.
Israel – voluntary biometric ID cards being developed.
The Gulf Cooperation Council, namely, Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates all operate biometric smart ID cards and are seeking to establish interoperability for e-ID management.
Malaysia – integrated ID card with biometrics
2. (ii) Cybersecurity and the International Telecommunications Union (ITU)
From helping to settle patent disputes involving mobile device manufacturers such as Samsung, Microsoft and Apple to suggesting a kind of ‘web tax’ which could change the internet as we know it, the International Telecommunications Union (ITU) has also been a key proponent of IdM. They have formed a number of ‘study groups’ to research and report back on various aspects of this, and Study Group 17, which began work in 2006, has done a lot of the groundwork for establishing a global IdM infrastructure.
The International Telecommunications Union was founded in 1865 to regulate telegraph communications, and is now an executive arm of the U.N. In December, the ITU will be holding a major conference in Dubai - the World Conference on International Telecommunications (WCIT) where the 193 U.N. member countries, each of which has a single vote, will meet to review the International Telecommunications Regulations (ITRs) which form a global, binding treaty between nations with regard to communications, whether by phone or computer, with voice, video or data, worldwide. This, of course, includes the internet. There is currently a furore about the potential meddling of countries like Russia and China with the freedom of the internet, with many fearing an end to the openness of the internet (the proposal to levy charges for internet traffic may lead to a ‘balkanised’ internet, according to a number of commentators).
However, there are several debunkers, who don’t believe the ITRs will change enough to have such a drastic impact. The ITU are dismissed by many writers as ineffectual – as they typically lack consensus and are slow to get things done. The group is also criticised for not being a multi-stakeholder model, lacking transparency, and for excluding private interests. A detailed and highly topical paper by Patrick Ryan (The ITU and the Internet's Titanic Moment), published in July (2012), argues that neither international law, nor treaties formed by the ITU, are totally binding. The influence of large corporations may, however, be significant, as the ITU have been continually involved with the private sector throughout much of their research, such as e-ID and online child protection.
One of the best analyses, however, comes from Dwayne Winseck's Media Blog:
Even if the most repressive aspects of proposed changes and additions to the ITRs were approved, this would not bind the whole world to implementing a single internet model. It would, however, bless the national Web 3.0 spaces that are already being built on the basis of three layers of control: (1) the systematic use of filtering and blocking to deny access to restricted websites and the recognition of such measures in national law; (2) dominance of national internet-media spaces by national champions (Baidu, Tencent, Yandex, Vkontakte, Facebook, Google, Apple, etc.) and (3) the active use of government-driven internet-media-communication campaigns (propaganda) to shape the total information environment (See Deibert & Rohozinski, ch. 2). The changes to the ITRs being sought by some countries, notably Russia and China, would add a fourth layer – international norms steeped in 19th century models of state security – that would further entrench the web 3.0 model and further lay waste to more important international norms associated with the right to communicate and free press.
ITU Telecom World 2012 provides an arena for government officials and industry leaders to debate the global ICT agenda, focusing on the effects of the rapid advance of disruptive technologies, noting,
Last year’s conference attracted 237 companies from 41 countries – some of the big names from IdM attended.
“trusted identities and consumer control of personal information are essential to the effectiveness of transactions on the Internet. Trusted frameworks that provide identity assurance are a critical factor in the success of the digital identity ecosystem.”
It called for the development of standards-based operational models and common global protocol platforms for the trusted exchange of information. It also called for measures to safeguard both the security of biometric ID systems, and the privacy of personal data handled by Identity Providers (IdPs) and Accreditation Authorities.
The ITU have also formed another body which is worth noting: the International Multilateral Partnership Against Cyber Threats (IMPACT) is attempting to address global cyberthreats by forming a public-private alliance with companies which include Microsoft and Symantec. IMPACT is part of the ITU’s Global Cybersecurity Agenda (GCA), with the backing of 193 Member States as well as Interpol, academics, and other industry experts. Datuk Mohd Noor Amin, Chairman of IMPACT, is reported to have said “It is really only a matter of time until there is a new global framework to deal with cybercrime”. The main focus of IMPACT has been on ensuring online child protection. The partners from IMPACT held several meetings during the WSIS Forum this year; these were private meetings unavailable to other attendees, as all of them were closed. Each year IMPACT hosts the Global Cyberlympics, for which ITU Secretary-General, Dr. Hamadoun Touré, is the patron. The competition involves “ethical hacking” in an effort to understand how to “protect and secure critical information and assets”, and enhance online child protection through education.
The ITU hosted the World Summit on the Information Society (WSIS) earlier this year. Stakeholders in the WSIS include the Internet Society; UNESCO; Intel; OECD; OISTE; GPII; the Global Knowledge Partnership; the Commonwealth Telecommunications Partnership; Coverity; the World Economic Forum, and many others. Iran's Science and Technology University won the WSIS Award at the Forum.
The chief Managed Security Service Providers (MSSPs), including AT&T, Cybertrust, Getronics, IBM, Sprint, Symantec, VeriSign and Verizon, have been the industry leaders for many years now. Amidst a series of mergers and acquisitions, these companies have come to play a key role in the identity ecosystem, alongside internet giants Oracle, Google and Microsoft, and a host of other multi-nationals.
The Center for Identity, at the University of Texas at Austin, aims to be at the forefront of research and education in identity management.
The member partners of the centre are: CSID; Deloitte & Touche; Federal Bureau of Investigation; IBM; Indiana University; Intersections; LexisNexis; VISA; United States Department of Defense; United States Marshals Service; United States Secret Service; Texas Comptroller of Public Accounts; Texas Department of Public Safety; and TransUnion. The Center for Identity also hosts an annual conference and this year the managing director of Verizon spoke in connection with the NSTIC program.
There are already a number of well-established Trust Providers who have tried-and-tested the architecture of the accreditation and verification systems involved in identity management. The leaders in the field remain so in this transition period to global implementation. They include Accenture, ID/DataWeb, and Trulioo, which is working in the area of social identity verification.
The Kantara Initiative have approved several companies to be Identity Providers (IdPs) for the US ID ecosystem: evalid8, Deloitte & Touche LLP and Electrosoft received the first approvals; then on 26 July, 2012, it was announced that Experian has been approved as an Identity/Credential Provider at the highest levels of assurance (levels 2 and 3) certified by Kantara for the NSTIC program. Verizon has also recently been accredited as a level 3 Identity Provider by ICAM; Verizon claims it is “…leading an identity-management revolution with a simple premise: to let in the right people and keep out the wrong people”. Europoint has also been approved.
Other companies, such as the US Postal Service, are also getting involved in the establishment of a world where you constantly have to prove who you say you are. There are, of course, countless other organisations and corporations financially involved with establishing global digital IDs, and these will become apparent from the information presented below.
2. (iv) The ID Management Industry
Virginia, which last year received more than $1 trillion in contracts from the federal government, boasts that the top cybersecurity firms have headquarters there, including Verizon, Verisign, Lockheed Martin, Boeing, Raytheon, L-3 Communications, BAE Systems, Northrop Grumman, SAIC, General Dynamics, Booz Allen Hamilton, Computer Sciences Corporation (CSC), Apple, Cisco, Google, HP, IBM, McAfee, Microsoft, Oracle/Sun, and Symantec. These companies are the main players in the IdM industry.
The proponents and developers of the identity ecosystem claim the service will be a user-centric model, whereby the individual can control the types of credentials which are seen by the relying parties. The individual (‘user’) can have a variety of personas, and will have the illusion of choice, the sense of ‘control’, and even of hiding behind a persona (using a pseudonym), confident that they will be ‘protected’ by their Trust Provider. Maybe so, but still the data on the matrix which comprises their identity will have been aggregated to central hubs of information – these are the Attribute Providers, and the Identity Providers, and, ultimately, the Governance Authority for the ecosystem. Control is hierarchical, with each stage of governance and control representing the gatekeepers of the knowledge. You will only have one entry in the identity ecosystem – one account for each natural person. By signing up to the Trust Framework, you must agree to abide by all terms and conditions, because ‘without trust, the system cannot work’.
You will have one password to access the ecosystem and validate your identity for online transactions, and to gain access to documents, buildings, etc. Each transaction on the internet will involve you (the user), the person or organisation you are dealing with (the relying party), and the ‘go-between’ (Identity Provider), who validates your identities to each other, to verify that you can each be ‘trusted’.
Attributes are what make up an identity; the little bits of information about you that say who you are. They fall into three categories:
1) Immutable attributes - these are facts which cannot change, i.e. your biological parents, your gender at birth, and your date and place of birth, as well as certain biometrics such as iris colour and pattern.
2) Assigned attributes – this is recorded biographical information, i.e. name(s), titles, personas, gender, health, signature, nationality, reference numbers, links, recorded date of birth, and ‘assigned’ (e.g. adoptive) parents. Assigned attributes are the ones used for official purposes, like government services.
3) Related attributes – these are the details which are deemed to comprise your “wider identity”, and result from your interaction with the world. They need to be kept updated because these types of attributes can be changeable. They include your address, your work details, your government/ social/financial interactions, skills and qualifications, the personas you use, memberships, and even your religion, your relationship details, your ‘history’, and the context of each attribute. Together these details are said to comprise your biographical footprint.
Attribute Providers validate these aspects of an individual’s identity; for instance, banks and credit agencies can validate your financial attributes, and governments can confirm your recorded and biometric details. Identity Providers (IdPs) must be certified by the Registration Authority – they can then collect and assess the attributes for an individual, in order to issue a credential, which is stored on an identity device (e.g., USB/smartcard/phone). A parent company, e.g. the owner of an IdP, retains a legal right to access information, unless expressly prohibited by law. However, the whole point of identity management is to combat crime, and for all the protection we are promised, it is clear that our data will be made available to law enforcement agencies in the name of protection and security. It’s for our own good.
When it comes to privacy and anonymity, it is said that we need to balance this with the need for national cybersecurity, for what is in the best interests of the nation.
BCS Identity Assurance Working Group have produced a paper which examines various aspects of IdM as it now stands:
"One of the key success factors of getting public confidence in any identity assurance scheme is to ensure that the information is only available to legitimate agencies for specific authorised purposes and that the data subject is in control of its dissemination. However, to ensure the security of the state it is sometimes desirable for security agencies to have access to information about individuals. At times, for reasons of national security, it may be necessary for the state to do this without the individual’s knowledge. The issue is: how can this be achieved in a reasonable and proportionate way without losing trust in the system or transgressing personal liberties? State security certainly includes counter-terrorism, but what else? Are money laundering and tax evasion, for example, included? Article 19 is not definitive on this issue and different countries interpret the Article in very different ways." (my italics)
The paper goes on to pose a series of unanswered questions, as to the specifics of just who would be allowed access to identity information, how much of the information they would be allowed to check, and who would have the power to authorise access in the first place. There are also questions over whether people should be allowed to know if their details have been checked.
So just how much can they find out? The data you produce each day, as you form your ‘biographical footprint’, already feeds a lucrative market for datamining companies and advertisers. But with IdM in place, all transactions on the web are recorded, as blogger Aaron Titus notes:
"Transaction Information is a record of the benefit provided to the User from the Relying Party, and is analogous to a receipt. Transaction Information may include the name of a product purchased, a log of network access and User activity, or services provided."
For all the encryption and other ‘protections’ offered to you, the whole point of IdM is fighting crime, terrorism, etc. When the law wants to check out your credentials, and your biographical footprint, it will be granted access; ‘re-identification’ is easily achieved, and will be said to be necessary to ensure national, or even global, security. If your credentials are revoked, the Revocation Authority would also need to gain access to records during their investigations.
2. (v) The National Strategy for Trusted Identities in Cyberspace (NSTIC)
Citizen identity management in the US was kick-started in 2004, when federal employees were required to carry a smart ID card. Other initiatives followed, such as the Identity, Credential and Access Management (ICAM) committee, and led to the release of the NSTIC and the plan for an ‘identity ecosystem’ by the White House. The NSTIC, which was signed by President Obama in April 2011, called for the establishment of a private sector-led steering group to administer the development and adoption of the Identity Ecosystem Framework.
According to the document, signing up with an Identity Provider (IdP) will facilitate:
In response to the release of the NSTIC document, there were 186 proposals to design a standards-based ID infrastructure, each competing for a share of over $16.5 million of funding committed by the US government. There were 27 finalists picked in April, including the Transglobal Secure Collaboration Program (TSCP), which is a consortium whose members include the US Department of Defence, the UK Ministry of Defence, Boeing, and Wave Systems. The TSCP uses the standards of Open ID Exchange, the Center for Democracy and Technology, and the Trusted Computing Group.
The full list of players involved in setting up the identity ecosystem in the US can be found at the new website for the NSTIC Steering Group. The Secretariat is Trusted Federal Systems.
The group responsible for implementing the NSTIC consists of a Management Council, a Steering Group, a Plenary, a Usability and Accessibility Working Group, a Security Working Group, and an International Coordination Working Group.
The US government acts as an identity provider, attribute provider, and relying party.
An NSTIC blog reports that credentials within the identity ecosystem are issued according to the specified criteria for verifying the identity of individuals and devices. They must be resistant to theft, tampering, counterfeiting, and exploitation, and can only be issued by certified providers. It would appear, then, that identification is about more than just itemizing people, it’s also about verifying (tracking) the digital tools we use. Any fraud or f**k-up within the system would need to be quickly dealt with:
"Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.
…. there will be standardized, reliable credentials and identity media in widespread use in both the public and private sectors; and if an individual, device, or system presents a valid and appropriate credential, any qualified relying party is capable of accepting and verifying the credential as proof of identity and attributes." (my italics)
2. (vi) Progress in Europe
Like America’s IdM strategy, the project underway in Europe claims to be ‘user-centric’ and privacy enhancing. Known as GINI-SA (Global Identity Networking of Individuals - Support Action), the project is developing the infrastructure for federated European identity management: the architectural, legal, and regulatory requirements. Citizens are to be given an ‘Individual Digital Identity’ (INDI) which will link them to approved national data registries.
It is claimed the new market space created for handling and storing ID data will enhance privacy, because the proportionality and minimization principles will apply. However,
“… situations when identity retrieval is required by law, for fraud detection or conflict resolution, will require special consideration.”
The GINI agenda was presented at a special session on identity management organised by ITU/OISTE at the World Summit on the Information Society (WSIS) in May. GINI-SA also participated in the WSIS Forum this year, as well as the EEMA eID Interoperability, Concepts and Compliance Conference; the Cyber Security & Privacy EU Forum (CSP-EU); and the Global Forum.
Nokia, Microsoft, IBM and Deloitte are represented on the Board of Directors of EEMA (the European Association for e-Identity and Security), which is an industry-led non-profit, formed in 1987. It is a members-only network for the IdM industry, working with governments and standards organisations to effect interoperability between systems, and legislation which advances IdM.
STORK is an IdM project involving industry, government, academics and research organisations, and is part funded by the European Union. The aim is to achieve interoperability of online identities, in part to strengthen the European digital single market.
STORK constitutes a pilot of IdM for citizens, which is attempting to achieve interoperability of e-ID systems across Europe and beyond, by trialling cross-border management of digital identities. These projects include a chat portal called ‘SaferChat’, verifying ID between young students and their teachers; secure online delivery of documents across borders; and the establishment of the European Commission Authentication Service, among others.
The UK government is now inviting tenders for the establishment of Identity Providers, which it intends to use with the new Universal Credit system. The Cabinet Office have published guidance on the issue and protection of credentials, highlighting the security breaches that a user can cause, such as leaving their password written down in view of others, or problems with using their mobile phone.
2. (vii) IdM Framework
The architecture of the identity ecosystem has been built and trialled successfully over the last decade in particular. There are already numerous frameworks in place, and a huge industry has built up around them. Those who stand to lose the most, i.e. the DoD, corporations, banks, and governments, are already using the Identrust trust framework. Like other trust frameworks (e.g. reputation) it establishes a set of principles and rules which all who sign up to the framework must abide by. OpenID, Google, and Shibboleth (ID management for higher education) use trust frameworks which are already operating successfully. Social identity management is provided by connect.me (“It’s all about who you know”).
The key internet identity protocols are OpenID Connect, OAuth 2.0 and Account Chooser.
A group set up to bring IdM to the wider market, the Open Identity Exchange Corporation (OIX) was established as a Washington State Non-Profit Corporation in February 2010 as per the wishes of the Directors of the Information Card Foundation (ICF) and the Open ID Foundation (OIF). The founding Board of Directors of OIX includes representatives from the OpenID Foundation; Equifax; Google; PayPal; Verisign; and Verizon.
The OpenID Foundation Board of Directors represent JanRain; NRI; Google; Facebook; Yahoo!; New York Times; NPR; and Sears.
The OIDF Sustaining Members are Booz Allen Hamilton; Facebook; Google; IBM; LexisNexis; Microsoft; PayPal; Ping Identity; Verisign; and Yahoo!
The Information Card Foundation, another non-profit, was founded in 2008, “… for the purpose of advancing the adoption of Information Cards as a universal user experience metaphor for digital identity transactions based on an underlying identity metasystem that incorporates different technologies and token formats.” Most of its Board of Directors are elected by the OpenID community and include Azigo; Burtonian; Microsoft; Ping Identity; Google; Deutsche Telekom; and Meristic.
The OIDF Steering Members are Booz Allen Hamilton; Equifax; Deutsche Telekom; Google; Microsoft; Oracle; PayPal; and Verizon.
The Open Identity Foundation (OIDF) is collaborating with the Kantara Initiative on the NSTIC.
In the UK, it has just been announced that miicard is joining the OIX.
OASIS (Organization for the Advancement of Structured Information Standards) whose founding sponsors include IBM and Microsoft, is involved in the standardization of various aspects of internet management, including the smart grid, and identity federation. Members of the Technical committee include Microsoft, IBM, Cisco Systems, SAP, EBay, Ping Identity, Symantec, Boeing Corp, US Department of Defense, Verisign, Google, and Rackspace.
The International Organisation for Standardisation (ISO) has produced international standards for certain aspects of digital identity management and internet security.
The Global Trust Center was formed in 2003 by “a small group of individuals”, and aims to develop and communicate what it deems to be best practice and guidance on issues of digital identity and trust. Since 2006, the group has participated in several events and discussion processes arranged by IKED, the OECD, the Global Forum, UN, EU, ETSI, and ASEM. It has also been involved in setting up biometric e-IDs.
The Global Trust Council deals with rights and liabilities in digital interactions. There may also be a strong element of behaviour control from the outset – it is being made clear that there are strict global terms of compliance in the trust ecosystem, and that failure to comply will result in exclusion from the system. Your data will be shared with the criminal justice system if deemed necessary. There will be nowhere to hide.
VeriSign (and Symantec, which has now incorporated VeriSign) is a company that has been involved in designing and implementing the identity ecosystem for many years, working with the ITU and also on the NSTIC. Verisign was created in 1995 to act as a ‘notary public’ for the internet.
The company uses encryption software to secure online transactions with branded digital certificates and manages the internet's root directory service for the .com and .net domains, as well as providing the ONS (Object Naming Service) for RFID tags. As such, VeriSign serves as a steward of critical components of the internet's global infrastructure and is a key provider of cybersecurity mechanisms. VeriSign shares its technology and software-monitoring tools with the Department of Homeland Security, and has just been approved to run ICANN for another six years.
In 2005, the ITU criticised VeriSign’s monopoly over digital content, a result of their role in managing the core Domain Name Service (DNS) directory and maintaining the system of electronic product codes for RFID tags, which “could eventually identify billions of products (and even people). …. It is of the utmost importance that the current monopoly over the DNS system is not transferred to the future “Internet of Things”.”
However, the ITU are now suggesting that they wish to work in partnership with ICANN. Dr Hamadoun Toure, the ITU’s Secretary-General, told the BBC that some countries were unhappy with the way ICANN had looked after the DNS, pointing out that there has not been enough consultation with governments around the world. He dismissed claims that the ITU want to take control away from ICANN, saying, “I truly believe there is a complementarity involved between our work – we can work together.”
Verisign continue to exert dominance in the field of internet governance, and last year hosted a symposium called ‘Building a Better Internet’, and, through Verisign Labs, has sponsored numerous university research programs this year, in addition to the infrastructure grants.
In 2011, President Barack Obama appointed Mark McLaughlin, president and CEO of Verisign, Inc. to serve on the President’s National Security Telecommunications Advisory Committee (NSTAC).
Neustar is a massive telecommunications company which was founded in 1998 as part of Lockheed Martin, and is said to have information on every cell phone in the US. In fact, many companies turn to Neustar to handle surveillance requests. It claims to provide cybersecurity, and the US government is one of its biggest partners. Last month it was announced that Neustar and Swisscom, another telecommunications provider, are to be the founding members of the global Trust Network. Neustar have been heavily involved with the NSTIC through the Kantara Initiative, alongside PayPal, NTT, Danish National IT, Deutsche Telekom, and the government of Canada.
There is a core group of identity security companies who also stand to profit enormously from the ID ecosystem; they are not household names but their influence is considerable. Ping Identity, for example, “provides cloud identity security solutions to more than 800 of the world's largest companies, government organizations and cloud businesses. With a 99% customer satisfaction rating, Ping Identity empowers 45 of the Fortune 100 to secure hundreds of millions of employees, customers, consumers and partners using secure, open standards like SAML, OpenID and OAuth. Businesses that depend on the Cloud rely on Ping Identity to deliver simple, proven and secure cloud identity management through single sign-on, federated identity management, mobile identity security, API security, social media integration, and centralized access control.”
Just how bad is it?
The OECD published a global survey last year of national strategies and policies being followed in OECD countries across Europe, America, Canada, Chile, Australia, Japan, Korea, and New Zealand. This was followed with the release of “Digital Identity Management for Natural Persons: Enabling Innovation and Trust in the Internet Economy - Guidance for Government Policy Makers”, which is based on the premise that digital identity management is ‘fundamental’ for innovation, trust, and security on the web, and necessary for the continued development of the internet economy. It calls for governments to work together to enable verification of digital identities across borders. As has been shown, this is now coming to fruition, and now that the architecture, technology, industry capacity, and legal frameworks are in place, the next step is to get the masses on board. This area has been, understandably, a sticking point for NSTIC: how to get small businesses and consumers involved with the ID ecosystem, and how to bring all the ID authentication technologies to the market. One possible solution is Facedeals, which encourages consumers to register their facial biometrics with Facebook, so that they can then check in to venues that use the recognition software. By ‘liking’ businesses on Facebook, they would stand to be offered discounts by them when they check in online, or are scanned by facial recognition software as they enter the premises.
Symantec (now incorporating Verisign and the Norton Secured Seal) has also released a Personal Identity Portal (PIP) using OpenID, thereby expanding ID verification to the wider (non-technical) market. This is an update on a product which came out a few years ago, which now has a Facebook app, so you can share your identity with your friends. The PIP is still in beta mode, supporting just 70 popular websites (look out for the green address bar), so they are hoping to get positive feedback to make the project really take off.
Verisign has been working with the ITU on IdM for years. In 2009, for instance, Verisign proposed that individual end-users are more concerned with “social networking, convenience, identity services (esp. location based services) and portability, controlling unwanted intrusions and mitigating identity theft”, so it can be expected that these factors will be part of any promotion of products like the PIP. It was also suggested that global verification specifications for IdM and website verification be implemented.
Social media is really starting to take off – reputation graphs are being used to decide who can ‘vouch’ for someone, to say they are who they say they are. The Respect Network Corporation is providing the Respect Network via Connect.me. It provides a way for people to manage their social identity online, as well as the personal data they are sharing, helping them to be more private. It is a peer-to-peer network, where people can build their reputation, and even become a ‘Trust Anchor’. Currently in beta mode, Connect.me is trialling a method which links an individual’s social graphs from Facebook, Twitter, and LinkedIn.
The best round up of the status-quo in the US was published by Zack Martin, at digitalidnews.com. He looks ahead to the next phase of the development of IdM, and notes that Don Thibeau, whose name figures prominently throughout IdM negotiations, and who is representing Google for the NSTIC, believes retailers can be brought on board by giving them a “value proposition”:
“When someone goes to Best Buy, be it brick and mortar or Web site, wouldn’t it be useful to know the individual walking in the door?” he asks. “If you knew who they were you could make them a special offer and give them a better shopping experience.”
Martin’s article goes on to note:
"There also needs to be a governance structure before relying parties will participate, says Keith Ward, president and CEO at the Transglobal Secure Collaboration Program. Until corporations know what rules they need to abide by they will remain on the sidelines. “Relying parties don’t care about technology, they are focused on the legal and privacy issues,” he stresses.
Thibeau says that the Open Identity Exchange is in a perfect position as its membership is really a team of rivals each having a function in the identity ecosystem. Telecommunications, data aggregators and payment companies all are members of Open Identity Exchange and all have a place in the ecosystem. “The common denominator among all these rivals is that they need to figure out how to work with government,” he says.
Whether working with the government or the myriad of other players who make up the puzzle that is the identity ecosystem, progress is occurring. As pilots roll out later this year, trust frameworks and governance models are adopted and the steering committee is put in place, a year from now the identity ecosystem puzzle should have far fewer missing pieces."
The Transglobal Secure Collaboration Program (TSCP) is trying to address the problem of how to get more relying parties on board, i.e. those who only require low-level ID assurance. Currently there exist no incentives for the small fry to join a trust network, but the TSCP are looking into ways to extend the use of federal PIV cards into other areas, i.e. using the credentials in the PIV card for other government services.
Jeremy Grant, Senior Executive Advisor for IdM at the National Institute of Standards and Technology (NIST) is predicting that the ID ecosystem will be fully implemented by January 2016. He also advocates government take-up to stimulate demand – this was instigated at the end of May, when the White House hosted a ‘colloquium’, where top companies were invited in an effort to get them involved with the ID ecosystem, by volunteering to become relying parties – some of these companies included Amtrak, Dell, Mastercard, and Amazon.
However, the ‘one password for everything’ part of ID management proposed by NSTIC has been criticised as unworkable – blogger Francisco Corella points out that other ID authentication regimes have so far not managed to avoid the password issue, which could be used by someone else. He also points out,
“anonymous credentials, have inherent drawbacks….. The difficulty of revoking credentials based on privacy-enhancing cryptography has led ABC4Trust, which can be viewed as the European counterpart of NSTIC, to propose arresting users for the purpose of revoking their credentials! See page 23, end of last paragraph, of the ABC4Trust document Architecture for Attribute-based Credential Technologies.”
The Governor of Virginia, where all of the top names in IdM and biometrics are based, recently promoted a special ‘CITER Day’ in Virginia, as he believes verification technologies are “critical to the continued safety of the citizens of the nation.” He received official letters of recognition from U.S. Senators Jay Rockefeller and Joe Manchin of West Virginia and U.S. Rep. David McKinley representing the 1st Congressional District of West Virginia.
As will be shown in Part 2, IdM will boost datamining, ID profiling and surveillance, and it is clear that many stand to gain financially from the aggregation of personal data. In fact, the World Economic Forum describes identity as a “new asset class”. But could it be that IdM will create yet another type of asset; identity as a product, to be bought and sold for profit? Blogger Aaron Titus thinks so:
"While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity.
…. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital."
Titus goes on to say that FIPPS are required, but not mandated, by the ecosystem:
" …. the Identity Ecosystem Marketplace enables Participants to more easily commoditize identity as an additional source of revenue. NSTIC recognizes that Participants should not be allowed to buy and sell identity information within the Ecosystem, but does not yet identify a credible mechanism to enforce this requirement."
(Throughout all of my research for this article, I have found no other reference to the need to safeguard personally identifiable information from datamining organizations.)
This comment from a Portuguese resident gives just a few hints about how far biometric ID has spread, and what it’s like to have one:
"Portugal has (sic) Biometric ID's for a few years now and before that, we already had ID's that displayed our picture and fingerprints. As soon as you're born, you need one. Actually, that ID came and took the place of 5 different documents and, within the European Union countries, it is used to travel instead of a passport. As such, I see no big deal in it. Germany has ID's with biometric pictures and they're adopting the full digital ones …. Italy and Spain have them, Belgium also has them just to name a few.
….. We're used to ID's and the fact that now they're Biometric is just another detail. The biggest moaning was over the work needed to get the new ID's (it's mandatory) and how it would be interesting if you lost something that is: your ID, your tax card, your social card, your health card and voter's card.
I for one, like not having to wait 10 years at a queue just for them to check my info. Read the chip and we're off. Same with not having to carry a stupid amount of different cards. One of the ways to prevent your ID being used if robbed is to not activate the digital signature it contains but of course, nowadays, exactly what technology is hack proof? There are downsides though... the new ID's rendered birth certificates useless to prove your identity in Portugal. If you lose the ID, you have to get 2 witnesses who will sign a responsibility contract stating that you are who you say you are. If you're posing as someone you're not and it's found out, all 3 will land in jail."
The Obamacare solution?
The Senate Healthcare bill HR3200, often cynically called ‘Obamacare’, has attracted a lot of controversy, especially as regards the mention of an implant. What has not been discussed, however, is the connection between this healthcare plan and identity management: e-health providers play a big part in the booming IdM industry and stand to gain handsomely from their involvement with all aspects of digital health and patient management.
The Kantara Initiative is involved with implementing many aspects of the NSTIC, of which the Healthcare Identity Assurance Workgroup plays a big part. The workgroup is developing a model for the voluntary initiative, which uses the internet to exchange health information across states, using Nationwide Health Information Network technologies (which provide federal agency connectivity). The project is called PIDS (Patient Identity Service) and is led by the eCitizen Foundation (a member group of ID Commons) and the Kantara Initiative’s Healthcare Identity Assurance Workgroup. There are also a number of other organizations and individuals involved. PIDS incorporates an e-ID for the healthcare system with the Health Information Exchange, and registers patients with an OpenID that serves as their unique global ID. It is attempting to establish a digital patient verification system in alignment with the National Strategy.
Other key participants include ApeniMed, an industry-leader in health information exchange; the Nationwide Health Information Network; Surescripts, which offers e-prescriptions and links with the Microsoft Health Vault; eHealth Ohio; Global Patient Identifiers, Inc.; SAFEBiopharma; and over 20 other organizations.
At the end of July, Thomas E. Sullivan, M.D., testified in favour of electronic prescription services in a hearing on “Sharing Trusted Identities in Cyberspace.” Dr. Sullivan, who for the past eight years has been working for a small electronic prescribing company in Rockville, Maryland, called DrFirst, was called as an expert witness, although he said he had been “unaware of NSTIC” until that point. However, he has been on the board of Global Patient Identifiers, Inc. (GPII) since 2008 – so it would be surprising if, in all that time, Barry Hieb, who left his post at Gartner to set up the non-profit GPII, had never mentioned his heavy involvement with NSTIC and the Kantara Initiative to the rest of the board. In fact, it would seem highly improbable that Sullivan could be “unaware of NSTIC” – so why did he say that? (See – ‘Office of the National Coordinator Hearing on Trusted Identity of Physicians in Cyberspace; July 11, 2012; Prepared Remarks of Surescripts, LLC.’)
Patients are said to be in control of their own credentials, and the same arguments used years ago by the Verichip Corporation are now being used to implement the system, such as safer and more efficient medical care, and reducing medical errors related to the mis-identification of patients, especially in emergency situations.
As documented in Part 2 of this article, Scott R. Silverman has seen the Verichip through a number of business incarnations. Silverman has also succeeded in finding alternative markets for the technology. In 2006, for instance, it was announced the iChip Corporation had acquired the distribution rights for all VeriChip radio frequency identification (RFID) products in South Africa, including the VeriMed Patient Identification System, which had received a positive response at the 11th International Convention of Telemedicine. The President of iChip had faith the products would be welcomed by the population, especially in the field of health care. Currently, iChip’s website is still promoting the Verichip as a solution to patient identification, along with various biometric solutions.
The patented iChip is now featuring as part of the “Individually Controlled Health Information Platform”™ provided by LifeNexus. The LifeNexus Personal Health Card is being marketed as crucial kit for everyone to carry at all times. It will enable people to provide their digitised health and insurance information to doctors and hospitals who employ the ‘Rapid Admission System’. Last year, LifeNexus enlisted VeriFone Systems, Inc. to provide payment facilities on the card (i.e. to add funds to the card, enabling it to be presented as payment for healthcare). The company has also partnered with the Center for Health Transformation (CHT), a think-tank founded by Newt Gingrich, and Gemalto, who will enhance the security of the card.
Silverman (see Part 2) is now heading VeriTeQ, which has recently increased its power and coverage in the ‘implants for health and safety’ movement: earlier this year, the company merged with Connectyx Technologies, the maker of MedFlash®, an “electronic Personal Health Manager (ePHM)” which connects all health records to the internet. The merger helps pave the way for the Verichip to be used as a Universal Patient Identifier (UPI) – each chip has a 16-digit number which can be scanned to instantly provide all health information for the implantee. Not only can the Verichip ‘save your life’, you can’t lose it. Silverman has even lined up an alternative, for those who just can’t bring themselves to get the chip: Medflash provides the same service, but with a USB flash drive and a smartphone application instead of the chip.
Earlier this year, Experian and Symantec announced they had jointly developed a two-factor credentialing solution, which has been selected to provide Enterprise Remote Identity Proofing (ERIP) and Multi-Factor Authentication (MFA) Credential Services by the Centers for Medicare & Medicaid Services (CMS) in support of the Affordable Health Care Act (ACA). This is to enable SAIC (Science Applications International Corporation), one of the biggest US defence contractors, with a $78 million contract with the CMS, to deliver secure credentialing for online access to the State and Federal Health Insurance Exchange, for more than 35 million U.S. citizens.
In his book, ‘Mass Mind Control’ (published by Adventures Unlimited Press, 1999 and 2003), Jim Keith noted,
SAIC is the parent company to a group called Network Solutions, which in turn owns a company called InterNIC. That group is in charge of all the website addresses on the Internet. The board of directors of SAIC includes NSA Director Bobby Ray Inman, as well as retired U.S. Army General W.A. Downing. Other alum of SAIC include William Casey, former head of the CIA [until], former CIA director John Deutch, former Defense Secretary Melvin Laird, Donald Kerr, former director of Los Alamos National Laboratory, and William Perry, the head of the Department of Defense. SAIC has been involved in remote viewing experimentation with American intelligence agencies, for which medical oversight, according to researcher Jim Schnabel, was provided by Louis Jolyon West.
Several mergers have taken place, which are consolidating the power of various e-health providers.
In May it was announced that “IBM's predictive analytics software enabled North Carolina to detect $6.2 million in potentially fraudulent Medicaid payments”.
IMPRINTS – SOCIAL ENGINEERING
An ambitious research project into the wider aspects of identity, and how it relates to cybersecurity, is currently underway. It involves several universities in the UK, working in partnership with American academics, including experts in Visual Analytics at Purdue University in the US. A large part of the work appears to be an attempt to understand public perception of identity control, and even metaphysical concepts which arise in attempts to define identity – what does it mean to be ‘me’?
The project was kickstarted in 2010, when the EPSRC (the Engineering and Physical Sciences Research Council) hosted a ‘sandpit event’, which matches industry and government needs with academic funding needs. The event centred on a research proposal sponsored by the EPSRC, funders of the Home Office INSTINCT Programme and the US Department of Homeland Security. (The EPSRC has funded a plethora of projects, e.g. “UBhave: ubiquitous and social computing for positive behaviour change”.) The proposal requested research programs related to specific aspects of establishing the identity of someone. In particular, the research would need to focus on how someone’s online persona relates to their ‘real’ identity, and how confidence is established and maintained. The aim is to develop scientific methods for assessing these, so the researchers would need to devise means to measure levels/types of confidence.
The project is now in full swing, and includes funding from RCUK Global Uncertainties, and the Department of Homeland Security. Global Uncertainties is part funded by the Department of Homeland Security, the UK Ministry of Defence, and several Research Councils.
The project has been split up into three separate research groups, each with their own defined areas of interest. IMPRINTS, for instance, is examining what is considered to be socially acceptable in revealing elements of an identity, and involves testing public opinion as reflected in art and popular culture, as well as common reactions to issues which touch upon ID management. The paper also notes the effect of 9/11: the new norm when it comes to risk is the precautionary principle, rather than prudence. Grusin argues this is due to “pre-mediation” – filling the public imagination with images of what could happen, from pre-emptive war games, to media coverage, to box office hits such as ‘Minority Report’ and other films. Others would call this predictive programming.
The IMPRINTS team fail to point out that manipulative pre-mediation is a form of social control: if films, art, TV, and newspapers start including future scenarios of identity management, for instance, if a film were to portray ID implants in a positive light, people would ‘get used to the idea’, and be more ready to accept its implementation in the future. In fact, this research into pre-mediation is the ideal way to find out how to begin programming citizens to secure e-ID for all, especially as the burgeoning ID industry is ripe for expansion, governments around the world are implementing biometrical e-IDs, and IdM is considered essential to protect the national interest. The IMPRINTS team also fail to acknowledge the effects of their own input: by laying the groundwork for the military and large corporations, they are helping to shape society into accepting the type of ID management already planned, and just waiting to be implemented on a global scale.
The team have envisioned various ‘future scenarios’, from which they predict:
“…. digitisation will further extend to all sectors of society, with the health sector being in the forefront of new procedures for authenticating patients and their records, but education and leisure quickly following. Hence, the individual – organisation context for authentication has expanded from the traditional types of interactions, such as border control, crime prevention and online shopping, to school access, online voting, access to popular events (such as music or sport festivals), plus access to leisure and cultural facilities including gyms, clubs, theatres and museums.”
Wearable technologies are also being extensively examined, as this will be the first level of widespread acceptability, though the team also include implants and ingestibles in their ambit, such as Proteus ‘Mindfulness pills’ (microchipped tablets, where stomach fluid acts as the electrolyte for the circuitry) to aid health monitoring.
The IMPRINTS team note, as I have discovered in my research for this article, that there is very little coverage of the topic in the press. They conducted a search for the phrase “identity management” in the Nexis newspaper data base, for all UK broadsheets (Daily Telegraph, Guardian, Independent, Observer, Times), and found only 92 articles from the last ten years of coverage, “five of which concerned the management of corporate identity. On average this means about nine articles a year, spread over five newspapers.”
The SuperIdentity project is examining the connections between real and cyber identities, and purports to be “a fusion of data, with the promise of supporting robust identification decisions, guiding intelligence and surveillance efforts, and revealing previously hidden information.”
The final project is called ‘Uncertainty of Identity’ and includes researchers from Arizona State University and experts in Visual Analytics at Purdue University. One of their aims is “to identify the geography of online behaviour, and to supplement conventional geodemographic measures of neighbourhood characteristics with indicators of online participation and behaviour”.