Trust in the Digital World 2016 - The round tables

Day 1 / 15 June 2016 / 14:00 – 15:30 / Plenary
Moderators: Jacoba Sieders, ABN Amro & Esther Makaay, SIDN

This was the part of the programme we handed over to the participants, to discuss any topic they missed in the programme, any subject they wanted to elaborate on and any issue they’d like to discuss with peers and professionals. And they took the cue! Seven tables filled up with anywhere between 5 and 20 participants per table and topic and got seriously engaged in discussions. When asked halfway through if they’d like to switch topics or venture out for coffee, they gave a clear response (“no, we’re working, this is interesting, please don’t interrupt”).
A lot of attendees indicated they would have enjoyed a prolongation of this part of the programme, but after an hour and a half the organisers had to end it to continue with the planned conference.

We received highly enthusiastic comments on the Round Tables. Participants stated they had found peers and interesting new acquaintances through shared discussions and viewpoints. They said it had felt like taking the coffee-break-talks into a session, only more focused and on a much more relevant level.

The seven topics discussed at the tables were:
  • Identity Federations: necessity or nuisance?
  • Privacy Legislation
  • Blockchain – hype or happening?
  • Internet of Things
  • Trust Collaborations: new ways to bind transactions
  • Artificial Intelligence for Trust
  • BioPin code
Being merely moderators, not part of most of the discussions and relying solely on the notes taken, we can offer only a short reflection of what went on at these tables. But in truth: you needed to be there.

Speaking for the organisation, we would love to bring this type of open sessions back on the programme next year and give participants the opportunity to gain value by discussing current and present issues that matter to them. We are however a bit hesitant to invite people to a conference programme that has a large blank in it, fearing this would entice them to skip a part or even a day of the conference. So we asked them: if we hand a part of our conference over to you next year, will you take it and show up?

Identity Federations: necessity or nuisance?
Table Chair: Jacoba Sieders
Questions discussed:
  • Is federation the standard way to go?
  • What are the risks and drawbacks? How to deal with them?
  • Is there a business case to become Identity Provider?
It was determined that there is a great need for mapping the diversity of Identity Federations, a kind of ‘bird watchers’ guide’ so to speak, because Identity Federations (or Trust Frameworks) are divergent ecosystems with many concepts and standards.

It makes a lot of difference whether you’re talking about Business-to-Consumer, Business-to-Business, Government-to-Business or Government-to-Citizen. This influences, for example, the auditability of transaction security. When looking at the internal aspects of a federation, a distinction should also be made between approaches such as identification/authentication and signing, and the legal context for these (US vs. EU). The identity is a special bird within this context: it is unique per person/user, and credentials are bound to this central entity.
With IoT, a further expansion of this diversity is expected, with many more ID-entologies, because IoT = federation, but with a much shorter life cycle for transactions.

Apart from the variation in federations, there’s also lots of different roles and parties involved, each with their own perspective.
For example, the role Microsoft plays with the Azure offering is ‘just’ as a broker. As Ronny Bjones demonstrated in the second day plenary, it’s a ‘bring your own Trust Framework and Agreement set’ proposition: MS built the platform to host what you bring, using standardised models. (See also OIX, the Open Identity eXchange).
From another viewpoint, the role of identity provider is debated, with some stating that the need for personal identities (such as a bankID) is blocking economic growth: they are only useful for persistent relations such as commodities and e-health. But the demand is there. Or is it?

It was agreed that standardisation is necessary for interoperability, and interoperability is needed both technically and legally. Governance is needed as well, because where does liability sit when a ‘weak’ credential has gained access in breach of existing agreements?

Privacy Legislation
Table Chair: Jeroen Lubbers
Will legislation ever be effective to protect data subjects?
Exploring this theme, these were some of the remarks and relevant aspects mentioned:

The key take-out of this session:
Legislation will not solve / stop cybercrime, but it can provide means to tackle it.

Blockchain – hype or happening?
Table Chair: Peter Hoogendoorn
Questions discussed:
  • Is there a business case for blockchain?
  • How to build incentives into other applications for blockchain?
  • Will public or private blockchains rule?
  • What industries will be disrupted?
This table had many more questions than time allowed for them to be discussed or answered. A lot of people are still looking for good information on blockchain and are not yet very knowledgeable. Luckily, the programme still had a full session and keynotes planned on this topic. And TDL offered a full blockchain day following the conference on Friday.

The notes reflect only a few of the emergent questions:
The most important question was formulated as: It’s a very new technology. Are different blockchains (with different business cases) really possible? (Or does it need to be a reflection of bitcoin to fly?)

Internet of Things
Table Chair: Harm Jan Arendshorst
Questions discussed:
  • Internet-of-Threats: how to apply security to smart-things-big-data
  • Internet-of-Bricks: whose ‘thing’ is this? The risk of failing support/functionality for smart things, turning them dumb

The group involved in this session set out to map all the various aspects involved in securing the Internet of Things and came up with a large matrix/relationship-model.

This probably deserves more credit than our report can give, but the notes get slightly lost in translation.

IoT concerns: Device, Data, OS, Network, Application, Integration, People
It involves Sharing, bringing along the notion of Ownership. Owners imply semantics

Applying security adds concepts of: Certification, Detection, Intelligence, Trust Level, Data Classification, Relationship, Privacy/consent, Crypto, Profiling, Risk (high/low), Scale Impact
Bringing along features such as Key management, Life Cycle management, Backup, Reset

Limitations apply for: Awareness, Cost, IT management, Age, Ease of use
User experience is very important

Standards are key. Reduce complexity, segmentation.

Trust Collaborations: new ways to bind transactions
Table Chair: Rieks Joosten

This topic was contributed by Rieks Joosten, who is working for TNO on a model and tooling for managing relational risk. This is helpful in collaborations (such as trust frameworks and identity federations) to provide a basis for fostering trust in transactions.

It allowed for a discussion that went deeper into the details of his presentation in the session ‘Universal Transactions & Identity Requirements for the Private Sector to Secure a Physical & Digital World’.

The basics of this model are multi-party business transactions. A transaction normally takes place between two parties, negotiating criteria regarding the request, delivery and acceptance of the transaction. In collaborations, more and different parties need to enter these negotiations and agree (commit) to the outcome.
Especially when small organisations are involved and no central authority is in place, it is virtually impossible for all stakeholders to oversee the consequences and truly understand all implications of a multi-party agreement. TNO offers a model where each stakeholder can participate in the transaction negotiations based solely on their own concerns, requirements and commitments. The negotiations take place in the form of a ‘group chat’ (a round table in itself) where each party and stakeholder can take a seat and put their needs and concerns (risks) on the table. They can also address or relieve the needs and concerns of other parties. This process is facilitated by tooling, aiding the participants in defining their concerns and the meaning of the variables involved.

This approach can help collaborations in the identity world work out successful framework or scheme agreements. There’s also another identity aspect to this model and tooling: asserting that the appropriate and qualified representatives are entering the various seats at the round table negotiations also needs some form of authentication and thus identification.

Artificial Intelligence for Trust
Table Chair: Huma Shah

The conversation at this table touched on:
  • The use of artificial intelligence in authentication
It’s difficult to summarise this exploratory discussion, but one of the general conclusions was that a human should always be in control of, or at least able to intervene in, intelligent systems.

BioPin code
Table Chair: Dr. J.J. Nietfeld
Questions discussed:
  • An e-ID based on a personal, provable biological PIN code?
  • Or an e-ID based on an impersonal, unprovable number code?

Dr. Nietfeld used the Round Table session to have a more thorough discussion of the usability of his work on Bio-PIN (as presented in the session ‘Privacy in a Digital World: Guiding the Future’) in other sectors than the biomedical field for which it is designed.

A Bio-PIN is a cryptographic code based on a person’s Distinguishing Biological Characteristics. For each person, different Bio-PINs can be created that are always unique. From a Bio-PIN it is not possible to retrace the underlying characteristics or person. 

The discussion touched upon:
BioPIN offers multiple codes for multiple purposes.
In practice, it could be a big step forward: private key based on biometrics.
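As an added illustration of the properties claimed above, and not Dr. Nietfeld's own construction (the report does not describe how Bio-PIN is built), the following Python sketch derives several purpose-bound codes from one stable feature encoding. The feature byte strings, the purpose labels and the choice of HMAC-SHA256 as the one-way derivation function are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample input: a canonical, already-stabilised encoding of one
# person's biological characteristics. The report does not say how Bio-PIN
# produces such an encoding; treating it as a fixed byte string is an
# assumption made for this example only.
SAMPLE_FEATURES = b"constructed-canonical-feature-vector-0001"
OTHER_FEATURES = b"constructed-canonical-feature-vector-0002"


def derive_bio_pin(features: bytes, purpose: str, length: int = 16) -> str:
    """Derive one purpose-bound code from a feature encoding.

    HMAC-SHA256 keyed with the feature encoding and fed the purpose label
    gives: a different code per purpose (so codes handed to different
    services cannot be linked to each other), the same code whenever the
    same features and purpose recur (so it can be re-derived rather than
    stored), and no practical way to run the function backwards to recover
    the features, provided the encoding has enough entropy to resist
    guessing.
    """
    if not purpose:
        raise ValueError("purpose label must be non-empty")
    if length < 1 or length > hashlib.sha256().digest_size:
        raise ValueError("length must be between 1 and 32 bytes")
    digest = hmac.new(features, purpose.encode("utf-8"), hashlib.sha256).digest()
    return digest[:length].hex()


def verify_bio_pin(features: bytes, purpose: str, presented: str) -> bool:
    """Check a presented code by re-deriving it from the features.

    The comparison is constant-time so a verifier does not leak how many
    leading characters of a wrong code matched.
    """
    expected = derive_bio_pin(features, purpose)
    return hmac.compare_digest(expected, presented)


def codes_are_pairwise_distinct(features: bytes, purposes) -> bool:
    """True when every purpose label yields a distinct code for this person."""
    codes = {derive_bio_pin(features, p) for p in purposes}
    return len(codes) == len(list(purposes))


if __name__ == "__main__":
    # Three codes for three purposes from the same person, none linkable.
    for p in ("banking", "ehealth", "tax-portal"):
        print(p, derive_bio_pin(SAMPLE_FEATURES, p))
```

Two practitioner caveats apply to any scheme with these properties. First, raw biometric measurements vary between captures, so a deterministic derivation like this one only works after a stabilisation step (a fuzzy extractor or similar error-correcting stage) has produced a repeatable encoding; that step is assumed, not shown. Second, the "cannot be retraced" property is only as strong as the entropy of the encoding: a low-entropy feature set could be recovered by offline guessing against a known code, so the encoding must be high-entropy or the derivation must be strengthened with a secret or slow hash.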