Making Identity Use Predictable
UNCITRAL Colloquium on Identity Management and Trust Services, 21 April 2016
Why Am I Here
- CertiPath: a high assurance identity trust framework supporting aerospace and defense product makers
- Attempting to make online identities easier and safer to use everywhere
- While I am not a lawyer:
  - There is a legal problem in digital identity
  - First-hand experience with the problem
  - There is a legal solution (or solutions)
  - Co-wrote a digital identity law, enacted in the Commonwealth of Virginia in the USA
Cyber Security Today
- Without the identity problem solved, we can only hope for honest people to be honest
- The Internet was not created with identity in mind
- Virtually every attack in cyberspace leverages an identity exploit:
  1. Password compromise
  2. Spear phishing
The Devolution of Identity: Anonymity Breeds Crime
- 5 July 1993
- Every day since (or at least just this week), headlines such as:
  - "Half a billion identities were stolen or exposed online in 2015"
  - "It's cheaper than ever to buy someone's stolen identity off the internet"
  - "Online dating fraudsters: Why are we still falling for them?"
  - "Fraudulent Tax Return Total could soar to $21B this year" [US]
What Makes an Identity Valuable?
1. How strongly does it represent me?
2. What can I do with it?
   - Number of relying parties
   - Number and diversity of applications
- Everything else is a derivative of 1, 2 or both
- A US DoD badge is more valuable than a corporate badge, mostly because of 1 and somewhat because of 2
- The UID/PWD (username and password) to Warren Buffett's bank account is more valuable than a US DoD badge
Where Are We with Identity Today?
- Identity transactions online are overwhelmingly commercial; governments represent <1% worldwide
- Governments do not make the technology
- Governments do not take liability, BUT they are often a key breeder document provider
- Most people want eID based on government-issued ID
- Gets confusing when looking at requirements for B2B, B2C, G2B, G2C
- There is not likely to be a one-size-fits-all identity approach
- What does this mean for legal mechanisms supporting eID?
- Physical identity has been refined for literally centuries
Federation
- As a verb: to share identity information across system and organizational boundaries
  - Essentially attributes about employees, suppliers and customers
  - Security and privacy are critical to this capability
- Users perceive this as Single Sign-On
- Leverages authoritative identity data across all systems
- Vast security improvement and vast cost savings, yet this is RARE
- There are legal ramifications:
  - My company (A) is relying on another company's (B) personnel records and hiring processes
  - Or on a commercial process from a third-party (C) identity provider under contract to (B)
Federation Hallmarks
- Virtually all federations have:
  - Common operating rule sets
  - Technical interoperability requirements
  - Legal frameworks
  - A commercial model that sustains it
  - Minimally one or more use cases (often business cost reduction is cited)
- Larger and/or more mature federations utilize service providers
  - Operational service levels
  - Security
Why We Need Identity Laws
- In effect, with respect to liability, we don't know what we don't know
  - You will not win the hearts and minds of CFOs with this
  - We have 10 years of slow, random adoption as a result
- The Virginia law intends to make the distribution of liability predictable
  - It is mostly analogous to the distribution of liability in the credit card model
  - Identities, like credit cards, are not used solely in one geo-politically defined area
- If the incentives line up with the behavior you want, you get compliance; ideally we reward good behavior
Why Are Federations Central to Digital Identity?
- Scale: the number of bilateral relationships among n entities is n(n-1)/2 (equivalently, n choose 2), where n is the number of entities in the federation
  - For n = 5, 10, 50, 100 that is 10, 45, 1225, 4950 contractual bilateral agreements respectively
- We should aim to minimize the proliferation of bilateral agreements
  - The Virginia law uses federations as an aggregation which can be evaluated
  - The Virginia law does not contemplate the agreements a federation may require with its members or with those who rely upon it
- Watch this space carefully
What Are the Major Issues?
- Risk transference enables business
  - Insurance underwriters
- Bilateral contracts are not a given
  - Ubiquitous usage likely means a lack of underpinning bilateral agreement
  - The credential itself can be a means to put some limited obligations on the relying party
- What is a wrong in identity, and where does it take place?
  - The individual transaction with a mis-issued credential?
  - The original credential issuance?
Timeline of the Virginia Law
- A&D (aerospace and defense) companies have their own corporate identity credentials
- 2006: offer identity credentials to their supply chains for a fee, and offset their own costs
- 2007: all companies, save Airbus, dropped those plans over legal concerns
- TSCP opened a work stream to research these issues
  - Open vs. closed model
  - Law Review article
- Contacted by Virginia's Attorney General's office
  - Virginia is known for passing forward-looking internet-centric legislation
  - In the US, liability cases are first brought at the State level
- 3.5 years of lobbying for the law
  - Legislative answers to technology market failures are not for the faint of heart
- Law enacted mid-2015 as SB 814
SB 814
- Reduces the legal ambiguity of third parties relying on identity credentials
- Outlines specific liability across a number of scenarios
- Prohibits shotgun lawsuits
  - These plague the medical community in the US
- Specifically:
  - Issuers who follow the rules of their federation are not liable
  - Issuers who did not follow them are
- Seeks to enforce FO (federation operator)/IdP (identity provider) contracts that describe specific liability per their community rules
- Provides a gross negligence backstop failing all else