Federated Identities, Circles of Trust & Decentred Regulation in M-commerce

Transcription

1 Federated Identities, Circles of Trust & Decentred Regulation in M-commerce Project Outline Adapting data protection law to fit mobile commerce: the roles of federated identity management and decentred regulation Researchers Andrew Charlesworth Dr Sean Smith November 2005

2 The Project What will be the impact on data privacy regulation of the advent of new mobile commerce technologies? Will new regulatory strategies for achieving data privacy be required, and, if so, how might an effective balance be reached between the need to demonstrate an appropriate level of privacy protection, and the need to encourage technical and commercial innovation? This ESRC - funded project, which was launched in July 2005 and runs for 18 months, aims to identify how the development of new mobile e-commerce business models will both affect, and be influenced by, data protection regulation, as new frameworks for mobile technology develop which permit commercial/consumer transactions to take place in circumstances to which existing regulatory practices cannot be readily applied. The Researchers ANDREW CHARLESWORTH is Senior Research Fellow in IT & Law, and Director of the Centre for IT & Law, a joint research venture between the Law School and Department of Computer Science at the University of Bristol. Dr SEAN SMITH is a Research Fellow at the Centre for IT & Law. Previously he was Research Associate on the 3-year, Intel Research-funded, RIS:OME project at the University of Surrey, investigating privacy and mobile phone use in the United Kingdom. The Centre for IT & Law The Centre for IT and Law is a pioneering centre at the University of Bristol dedicated to tackling the new legal challenges associated with the fast-moving world of information technology. It is a cross-disciplinary venture, building on existing strengths in the School of Law and Department of Computer Science. The Centre is sponsored by Vodafone Group Services Ltd, Barclaycard, Herbert Smith, Hewlett Packard Laboratories and the Law Society Charitable Trust. The Centre's main areas of research are in the fields of privacy, digital rights management, cybercrime and e- commerce. The Centre is currently conducting research funded by the Joint Information Systems Committee of the UK Higher Education Funding Council, and by the UK Economic and Social Research Council.

3 Introduction Most mobile e-commerce (m-commerce) currently functions on a walled garden model where mobile telephone operators give consumers access only to services within their limited network. The advantage of the walled garden for operators is control of revenue flow and the prevention of consumer/ revenue leakage. The disadvantage of the walled garden is the restriction of consumer choice with the concomitant restriction on revenue streams the necessity for operators to employ large numbers of service developers, and the need to purchase external service developers, rather than lease their ideas. Additionally, consumers may wish to access services outside the walled garden; although consumer desires will always be the least important consideration given they are the most transitory, appearing and disappearing as consumers adopt and discard different types of technologies and services. Current European Union data protection regimes are based primarily upon a command and control methodology, in which a regulatory agency, usually an Information Commissioner, requires data controllers to have and to be able to show they have certain processes in place to protect consumer data. EU data privacy regulation operates through the rights it provides to data subjects and consequent obligations it places on data controllers, a key premise of which is that data subjects are sufficiently empowered to ensure data controller compliance. Should this rights/obligations framework be rendered ineffective, accidentally or deliberately, it becomes difficult to realistically map existing regulatory techniques to actual commercial practices. Within a walled garden model, the data protection regulatory regime creates certain obligations for mobile telecoms operators. These obligations may be seen as a hindrance by the operators; however, within a walled garden model, they are broadly achievable and acceptable levels of operator compliance can implemented technically and administratively at reasonable levels of cost. As operators see the advantages of the open network model smaller start-up costs, lower staffing and IP costs, greater diversity of service provision as increasingly outweighing the disadvantages - increased revenue and consumer leakage then the efficacy of these data protection regimes may be called into question. As a result, as the walled garden model with its clearly identifiable data protection relationship between consumer and operator begins to break down, the rights and obligations framework of current data protection regimes risks becoming ineffective. The project s contention is thus that the commercial imperatives of mobile commerce are likely to result in the development of m-commerce models that exceed the capabilities of current data protection regimes, resulting in regulatory failure..overt failure of the existing regulatory process is likely to damage public confidence in the ability of government to adequately regulate to protect the public interest in a key area of the Information Society, hinder innovative commercial strategies as unnecessary or unwieldy regulatory processes obstruct the effective roll-out of new forms of mobile e- commerce; and damage public confidence that their privacy requirements can be adequately met in the m-commerce environment. One possible solution to this scenario of regulatory failure is to adopt a decentred regulatory approach which is hybrid (combining governmental and non-governmental actors), multi-faceted (using a number of different strategies simultaneously or sequentially), and operates indirectly rather than via a command and control structure, in order to co-ordinate, steer, influence and balance interactions between the actors/systems involved in the data protection regulatory process.

4 M-commerce and Regulatory Failure It is claimed by the open standard organisation, the Liberty Alliance, that federated identity management (FIM) systems will be a key element in the development of this architecture/business model. It is also suggested that FIM systems may permit users to exercise greater control over the use and transfer of their personal data. Whether the latter claim is the case remains to be tested, but what is increasingly apparent is that the design of federated identity management systems, as currently envisaged, means that they will not lend themselves readily to existing methods of data protection regulation. The Liberty Alliance Project s model of m-commerce is based around the concepts of Circles of Trust and Federated Circles of Trust. A Circle of Trust is said to exist when: the user and service providers rely on Identity Providers as trusted sources for authenticated user information. There is an agreed upon identity sharing protocol that separates control of the identity from its usage. This fosters a relationship in which the members in the Circle of Trust can reduce identity theft, minimize intrusion of privacy and simplify the task of identification and authentication. Sun Microsystems. Strategic Implications of Network Identity, This provides the consumer the choice of supplying their identity details either directly to the merchant, or via the Identity Provider who managed their identity profile on their behalf. Where a consumer wishes to conduct a business transaction with a merchant, the merchant can authenticate the consumer s identity via the Identity Provider. This is the basic Circle of Trust model. For example, I might set up an identity profile with a mobile telecommunications provider (MTP), which supplies my mobile phone. Because of their position in the mobile services supply chain, the MTP might act as an Identity Provider for a circle of merchants whom I access through my mobile phone. Thus I might deal with a merchant via the MTP, or directly, and if I deal with the merchant directly, the merchant has the option to verify my identity via the MTP. Neither the MTP nor the merchant need disclose any other information about me than is required for the verification process. A Federated Circle of Trust sees the federation, or linking, of Circles of Trust into networks. Here, an Identity Provider may provide identity profile services not just within its own Circle of Trust, but link with other Identity Providers to permit identity profile sharing with merchants in other Circles of Trust allowing consumers to seamlessly move between them, without constant need for reauthentication. For example, my identity profile with the MTP, which is acting as an Identity Provider, may allow me to access not just the merchants within the Circle of Trust for which my MTP is Identity Provider, but also the merchants within Circles of Trust for which other mobile telecommunications providers are acting as Identity Providers. In an FIM system, both Identity Providers and merchants must trust their partners to vouch for their users. Equally, users must trust that Identity Providers and merchants are exchanging only the data needed to facilitate the authentication and provision of services processes. Both the Circle of Trust and Federated Circles of Trust models of m-commerce map poorly to the EU framework of data privacy regulation, as they involve: distributing personal data across a range of data controllers in order to allow seamless service provision i.e. without asking explicit prior and limited consent; allowing cross-border transactions as necessary, again without explicit consent; limit consent practices to a single sign-on facility; and

5 processing personal detail in great detail and for an indefinite number of reasons, in order to facilitate the seamless consumer experience. The disjuncture between the actions and goals of the m-commerce industry and the data protection regulators thus runs the obvious risk of regulatory failure. Julia Black, in her article "Decentring Regulation: Understanding the Role of Regulation and Self Regulation in a "Post-regulatory" World" outlines three elements of regulatory failure: instrument failure (the use of inappropriate regulatory techniques); information failure (lack of expertise or understanding on the part of the regulator); implementation failure (ineffective processes and/or compliance monitoring). Where these elements combine, there is a high likelihood of compliance failure with the regulatory process and/or the stifling of innovation. Neither widespread non-compliance nor the stifling of m-commerce innovation are aims that data protection regulators are pursuing, and so structured research into existing data protection regulatory regimes, and the development of strategic planning based on the research outcomes, is required in order to avoid negative outcomes. On past history, regulators are likely to be justifiably sceptical of self-regulatory claims made by industry, given the obvious conflict between protecting the interests of consumers and pursuing the interests of industry. This scepticism is likely to result in resistance amongst regulators to the idea of devolving regulatory powers to m- commerce operators or their sectoral representatives. That resistance that is unlikely to be overcome unless it can be demonstrated that regulatory goals can still be adequately achieved via the transformation of the current command and control style of data protection regulation into a more nuanced decentred regulatory instrument mix (the use of a range of regulatory elements, e.g. command and control, co-regulation, and selfregulation). Developing a decentred style of data protection regulation may provide a different set of problems, not least concerns about the possibility of capture of the regulatory process by either the m-commerce industry, or wider commercial interests - resulting in a regulatory process that addresses commercial goals and not public interests. Thus any consideration of proposals to alter the current regulatory structure needs to assess the probability of such capture and the likely degree of harm, and consider suitable mechanisms to counter any undesirable effects. The Research Questions Can data protection regimes function in a distributed m-commerce world? How would this occur? What are the risks, for operators, regulators and users? What transformations are required by the various actors within the network of mobile data protection regulation in order to achieve effective distributed m-commerce regulation? And what would effective data regulation for distributed m-commerce look like? Hence: five specific research questions: A: Do current regulations work? B: What variable factors influence regulators decision-making processes?

6 C: How do m-commerce operators regard and implement data protection practices within their business processes? D: What is the relationship between m-commerce operators and regulators, and how does this impact regulation? E: What are the risks of alternative data regulation regimes, particularly decentred regimes, advocated by m-commerce operators? The project s initial contention is that neither the current regulatory regime, nor a fully self-regulated data protection environment, are desirable or likely long-term solutions; rather, that solution will, we contend, be found in a combination of regulatory techniques. Thus, the project will assess possible regulatory instrument mixes in terms of efficacy (of outcome), efficiency (of process) and acceptability (to actors). Methodology The fieldwork for this research project will involve the study of European Information Commissioners perceptions of the flexibility of the EU data protection regulatory framework, and in particular, their perception of the discretion afforded to national regulators in their choice of the use of particular regulatory techniques when faced with new business practices or technologies the nature of the regulatory conversations between Information Commissioners and data controllers, which take place after formal legal rules have been defined and established, how data privacy requirements, and in particular their relationship to technical concepts and innovations, are explained and understood in regulatory-oriented conversations between organisational units within companies e.g. technical implementers, legal departments, top-level management, how data privacy requirements, and in particular their relationship to technical concepts and innovations, are explained and understood in regulatory-oriented conversations between sectoral groups of companies wishing to co-operate in federated identity management systems, e.g. members of the Liberty Alliance. This research will be pursued using qualitative research techniques, principally semistructured interviews, focus groups and participant observation. The advantages of these approaches are that they allow the researcher to approach the research topic from the point of view of the participants, and allow the researcher to follow the research narrative through the inevitable twists and turns of product and policy formulation without prejudicing either the outcome of these formulations, or the researcher s view of these outcomes. Semi-structured interviews allow the respondent to answer questions in the terms they prefer, and allow the researcher to follow up on whichever points they require, thus allowing data to arise which otherwise might not have been observed. Participant observation circumvents observational bias : by following participants as they go about their everyday work practices, and observing how they incorporate points of research interest into their processes, the researcher gains data about these questions free from concern that the respondent is simply answering as they think the researcher may want them to. Similarly, focus groups allow the researcher to test various contentions in a group discussion with concerned parties, without the parties

7 feeling beholden to the researcher, and free to adjust or confront the terms of the contentions as laid out by the researcher. The usual problems of qualitative research need to be confronted in this project: indepth participant observation runs the risk of the other sort of observer bias a research capture analogous to the regulatory capture we are investigating. Further, qualitative research is wholly dependent upon the quality of access to respondents it can achieve if suitable respondents cannot be found, or will not participate, then the value of the research decreases significantly. This is a perennial problem in qualitative research, and consequently is the area that qualitative researchers spend their most time working on. Research commitment and a refusal to under-estimate the scale of the problem are usually effective remedies to this risk. Finally, qualitative research suffers the problem of metric-deficiency that is, unlike quantitative research, qualitative research can rarely point to statistical measures of success such as response rates or sample representation. However, qualitative research of this kind does not aspire to either representation or sampling measures: the benefit of this sort of research is that it provides a detailed examination of one part of a problem which is in itself representative of the larger problem as a means of shedding light on possible solutions. Thus, our detailed casestudies of mobile operators stand as templates for other such m-commerce operators, and the interviews with data protection regulators if conducted professionally will be expected to address the relevant concerns of data protection regulators across the EU regarding data protection in m-commerce, even though the constraints of project financing mean that not all regulators will necessarily be interviewed. As the project concludes, presentations will be made to representative bodies of interested actors, allowing for wider feedback on our results as well as providing material benefit to the actors participating in the research, which, in tandem with standard processes of peer-review in academic and professional publications, allows suitable scope for evaluating the success of the project. Aims and Objectives The key objective is to formulate a model data protection regulatory instrument mix for the m-commerce environment. Given the cross jurisdictional nature of m-commerce the project aims to ensure that this proposed instrument mix is of potential international application. It will be based on qualitative analysis of the empirical work undertaken, and aim to address both the broad policy goals expressed by the national regulators, and the practical requirements of public and private sector organisations wishing to engage in m-commerce. In order to do this, the proposed instrument mix will, on the one hand, have to address the public interest in data privacy, and avoid or minimise the harmful effects of industry capture, whilst on the other will need to provide public and private organisations with an environment in which technological innovation is encouraged, and in which they can clearly assess their regulatory and trading risks and make provision for rational investments and insurance strategies. This technical and legal assessment will be of importance to legislators, regulators, commercial associations and organisations when formulating their approaches to data privacy regulatory needs over the long term.

8 The Centre for IT & Law Department of Computer Science School of Law Andrew Charlesworth, Senior Research Fellow, Centre for IT & Law and Principal Investigator Dr Sean Smith, Research Fellow, Centre for IT & Law The School of Law The University of Bristol Wills Memorial Building, Queens Road, Bristol, BS8 1RJ, UK Tel: +44 (0) Fax: +44 (0) Acknowledgments This research is funded by an Economic and Social Research Council grant (RES ) as part of the e-society Programme. We would like to thank the Centre for IT & Law s sponsors, Vodafone Group Services Ltd, Barclaycard, Herbert Smith, Hewlett Packard Laboratories and the Law Society Charitable Trust for their support. In particular we would like to thank Stephen Deadman, senior solicitor at Vodafone, for his input into the original project proposal, and his continuing support and guidance during the fieldwork process.