Trust in the Digital World 2016 - The round tables
Day 1 / 15 June 2016 / 14:00 – 15:30 / Plenary
Moderators: Jacoba Sieders, ABN Amro & Esther Makaay, SIDN
This was the part of the programme we handed over to the participants, to discuss any topic they missed in the programme, any subject they wanted to elaborate on and any issue they’d like to discuss with peers and professionals. And they took the cue! Seven tables filled up with anywhere between 5 and 20 participants per table and topic and got seriously engaged in discussions. When asked halfway through if they’d like to switch topics or venture out for coffee, they gave a clear response (“no, we’re working, this is interesting, please don’t interrupt”).
A lot of attendees indicated they would have enjoyed a prolongation of this part of the programme, but after an hour and a half the organisers had to end it to continue with the planned conference.
We received highly enthusiastic comments on the Round Tables. Participants stated they had found peers and interesting new acquaintances through shared discussions and viewpoints. They said it had felt like taking the coffee-break-talks into a session, only more focused and on a much more relevant level.
The seven topics discussed at the tables were:
- Identity Federations: necessity or nuisance?
- Privacy Legislation: effective protection for data subjects?
- Blockchain: hype or happening?
- Internet of Things or Internet of Threats?
- Trust Collaborations: new ways to bind transactions
- Artificial Intelligence for Trust
- Bio-PIN Code: eID based on a personal, provable biological code?
Being merely moderators, not part of most of the discussions and relying solely on the notes taken, we provide a short reflection of what went on at these tables. But in truth: you needed to be there.
Speaking for the organisation, we would love to bring this type of open session back on the programme next year and give participants the opportunity to gain value by discussing current issues that matter to them. We are however a bit hesitant to invite people to a conference programme that has a large blank in it, fearing this would entice them to skip a part or even a day of the conference. So we asked them: if we hand a part of our conference over to you next year, will you take it and show up?
| Identity Federations: necessity or nuisance? |
Table Chair: Jacoba Sieders
- Is federation the standard way to go?
- What are the risks and drawbacks? How to deal with them?
- Is there a business case to become Identity Provider?
It was determined that there’s a great need for mapping the diversity of Identity Federations. Create a form of ‘bird watchers’ guide’ so to speak. Because Identity Federations (or Trust Frameworks) are divergent ecosystems with many concepts and standards.
It makes a lot of difference whether you’re talking about Business-to-Consumer, Business-to-Business, Government-to-Business or Government-to-Citizen. This influences, for example, the auditability of transaction security. When looking at the internal aspects of a federation, a distinction should be made between approaches such as identification/authentication and signing. The legal context (US vs. EU) also differs. The identity is a special bird within this context: it is unique per person/user and credentials are bound to this central entity.
With IoT, a further expansion of diversity is expected, with lots more ID-entologies, because IoT = federation, but with a much shorter life cycle for transactions.
Apart from the variation in federations, there’s also lots of different roles and parties involved, each with their own perspective.
For example, the role Microsoft plays with the Azure offering is ‘just’ as a broker. As Ronny Bjones demonstrated in the second day plenary, it’s a ‘bring your own Trust Framework and Agreement set’ proposition: MS built the platform to host what you bring, using standardised models. (See also OIX, the Open Identity eXchange).
From another viewpoint, the role of identity provider is debated: some state that the need for personal identities (such as a bankID) is blocking economic growth, and that they are only useful for persistent relations such as commodities and ehealth. But the demand is there. Or is it?
It’s agreed upon that standardisation is necessary for interoperability. And interoperability is needed both technically and legally. And governance, because where to put liability when a ‘weak’ credential has gained access against existing agreements?
| Privacy Legislation |
Table Chair: Jeroen Lubbers
Will legislation ever be effective to protect data subjects?
Exploring this theme, these were some of the remarks and relevant aspects mentioned:
- The context during authentication is important: based on user behaviour, certain assurance levels can be acquired.
- Identity theft is not happening inside companies, it’s happening outside!
- Privacy starts with consumer rights
- What about commercialising user profiles without consent? And profiling and behavioural advertising?
- General Data Protection Regulation: effective?
- Content in your mails -> behavioural advertising or phishing?
- Value based trade-off: Dutch insurance company -> customers give personal data, but then you can lower your insurance.
- What about control over your data?
- Data Protection legislation will never stop cybercrime! Analogy with traffic: for everything you do wrong, legislation will apply. On the Internet, it is not as clear how to interpret the provisions.
- And don’t forget the territorial scope. For example the right to be forgotten.
The key take-out of this session:
Legislation will not solve / stop cybercrime, but it can provide means to tackle it.
| Blockchain – hype or happening? |
Table Chair: Peter Hoogendoorn
- Is there a business case for blockchain?
- How to build incentives into other applications for blockchain?
- Will public or private blockchains rule?
- What industries will be disrupted?
This table had many more questions than time allowed for them to be discussed or answered. A lot of people are still looking for good information on blockchain and are not yet very knowledgeable. Luckily, the programme still had a full session and keynotes planned on this topic. And TDL offered a full blockchain day following the conference on Friday.
The notes reflect only a few of the emergent questions:
- Is blockchain the solution for digital identities? (Or does it need identity more than the other way round?)
- Is it related to know-your-customer? Can it be related?
- Can it be used for security and ID services?
- What are the possibilities for applications in eGovernment?
- Could we do PKI distributions for blockchain?
- Applications for blockchain are so hyped due to bitcoin.
- But contracts are an interesting feature. And you can build trust relationships through a blockchain?
The most important question was formulated as: It’s a very new technology. Are different blockchains (with different business cases) really possible? (Or does it need to be a reflection of bitcoin to fly?)
| Internet of Things |
Table Chair: Harm Jan Arendshorst
- Internet-of-Threats: how to apply security to smart-things-big-data
- Internet-of-Bricks: whose ‘thing’ is this? The risk of failing support/functionality for smart things, turning them dumb
The group involved in this session set out to map all the various aspects involved in securing the Internet of Things and came up with a large matrix/relationship-model.
This probably deserves more credit than our report can give, but the notes get slightly lost in translation.
IoT concerns: Device, Data, OS, Network, Application, Integration, People
It involves Sharing, bringing along the notion of Ownership. Owners imply semantics
Applying security adds concepts of: Certification, Detection, Intelligence, Trust Level, Data Classification, Relationship, Privacy/consent, Crypto, Profiling, Risk (high/low), Scale Impact
Bringing along features such as Key management, Life Cycle management, Backup, Reset
Limitations apply for: Awareness, Cost, IT management, Age, Ease of use
User experience is very important
Standards are key. Reduce complexity, segmentation.
| Trust Collaborations: new ways to bind transactions |
Table Chair: Rieks Joosten
This topic was contributed by Rieks Joosten, who is working for TNO on a model and tooling for managing relational risk. This is helpful in collaborations (such as trust frameworks and identity federations) to provide a basis for fostering trust in transactions.
It allowed for a discussion that went deeper into the details of his presentation in the session ‘Universal Transactions & Identity Requirements for the Private Sector to Secure a Physical & Digital World’.
The basics of this model are multi-party business transactions. A transaction normally takes place between 2 parties, negotiating criteria regarding the request, delivery and acceptance of the transaction. In collaborations, more and different parties need to enter these negotiations and agree (commit) to the outcome.
Especially when small organisations are involved and no central authority is in place, it is virtually impossible for all stakeholders to oversee the consequences and truly understand all implications of a multi-party agreement. TNO offers a model where each stakeholder can participate in the transaction negotiations based solely on their own concerns, requirements and commitments. The negotiations take place in the form of a ‘group chat’ (a round table in itself) where each party and stakeholder can take a seat and put their needs and concerns (risks) on the table. They can also address or relieve needs and concerns of other parties. This process is facilitated by tooling, aiding the participants in defining their concerns and the meaning of the variables involved.
This approach can help collaborations in the identity world work out successful framework or scheme agreements. There’s also another identity aspect to this model and tooling: asserting that the appropriate and qualified representatives are entering the various seats at the round table negotiations also needs some form of authentication and thus identification.
| Artificial Intelligence for Trust |
Table Chair: Huma Shah
The conversation at this table touched on:
- The use of artificial intelligence in authentication
- Connecting users and consumers with companies. A lot of questions were raised about the (in)effectiveness of AI in the context of user/consumer trust.
- Artificial intelligence can be guiding, augmenting human control. But a human decision maker is needed. Can AI (‘the computer’) overrule the outcome?
- There’s a false trade-off between security and privacy.
- Shared information in context.
- Artificial intelligence is not a bonus for trust.
It’s difficult to summarise this exploratory discussion, but one of the general conclusions was that a human should always be in control of, or at least able to intervene in, intelligent systems.
| Bio-PIN code |
Table Chair: Dr. J.J. Nietfeld
- An e-ID based on a personal, provable biological PIN code?
- Or an e-ID based on an impersonal, unprovable number code?
Dr. Nietfeld used the Round Table session to have a more thorough discussion of the usability of his work on Bio-PIN (as presented in the session ‘Privacy in a Digital World: Guiding the Future’) in other sectors than the biomedical field for which it is designed.
A Bio-PIN is a cryptographic code based on a person’s Distinguishing Biological Characteristics. For each person, different Bio-PINs can be created that are always unique. From a Bio-PIN it is not possible to retrace the underlying characteristics or person.
The discussion touched upon:
- A random number (identifier) versus biological attributes
- Not using a single number/identifier for multiple purposes
- Multiple codes possible based on distinguishing biological characteristics
- Transformation in Bio-PIN: bio material -> DBC -> BioPIN (128 -> 10.000) permutation
- An eID could consist of BSN + BioPIN (QR)
- Practical applications through an ID by phone & IDcard
- Transparency or obscurity? (replay attack)
- Voice recognition – Role-based access?
BioPIN offers multiple codes for multiple purposes.
In practice, it could be a big step forward: private key based on biometrics.
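As an added illustration of the bio material -> DBC -> Bio-PIN pipeline in the list above, here is a small Python model of how a set of distinguishing biological characteristics can yield several unlinkable, purpose-specific codes. It is not Dr. Nietfeld's construction (the page does not describe it in detail) and not code from the conference; the field names in the sample DBC record, the issuer secret, the purpose labels, the keyed SHA-256 derivation and the 10-digit code length are all assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed sample record of "distinguishing biological characteristics" (DBC).
# The page does not specify what a DBC contains; these field names and values are
# hypothetical placeholders, not real biological markers.
SAMPLE_DBC = {"marker_a": "AG", "marker_b": "CT", "marker_c": "GG", "marker_d": "TA"}

# Constructed issuer secret (assumption of this example). In a real deployment it
# would be kept in an HSM or similar, since holding it is what allows a code to be
# regenerated from the DBC.
DEMO_ISSUER_KEY = b"constructed-demo-issuer-key"


def canonicalise_dbc(dbc: dict) -> bytes:
    """Serialise the DBC record in a fixed, key-ordered form so that the same
    characteristics always produce the same input bytes, whatever order the
    fields were collected in."""
    return json.dumps(dbc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def derive_bio_pin(dbc: dict, purpose: str, issuer_key: bytes, digits: int = 10) -> str:
    """Derive a fixed-length decimal Bio-PIN for one purpose.

    The purpose label is mixed into the keyed hash (domain separation), so the
    same DBC yields a different, unlinkable code for every purpose. Without the
    issuer key the code can neither be regenerated nor traced back to the DBC.
    """
    if not purpose:
        raise ValueError("purpose label must not be empty")
    message = b"bio-pin-demo/v0|" + purpose.encode("utf-8") + b"|" + canonicalise_dbc(dbc)
    digest = hmac.new(issuer_key, message, hashlib.sha256).digest()
    # Reduce the 256-bit digest to `digits` decimal digits; the bias introduced
    # by the modulo reduction is negligible at this size.
    return str(int.from_bytes(digest, "big") % (10 ** digits)).zfill(digits)


def derive_for_purposes(dbc: dict, purposes: list, issuer_key: bytes) -> dict:
    """One DBC, many purposes: returns {purpose: bio_pin}, one code per purpose."""
    return {p: derive_bio_pin(dbc, p, issuer_key) for p in purposes}


def verify_bio_pin(dbc: dict, purpose: str, issuer_key: bytes, presented: str,
                   digits: int = 10) -> bool:
    """Recompute the code for the claimed purpose and compare it in constant time,
    so a mismatch leaks nothing about which digits differed."""
    if len(presented) != digits or not presented.isdigit():
        return False
    expected = derive_bio_pin(dbc, purpose, issuer_key, digits)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    codes = derive_for_purposes(SAMPLE_DBC, ["ehealth", "banking", "egov"], DEMO_ISSUER_KEY)
    for purpose, code in codes.items():
        print(f"{purpose:8s} -> {code}")
    print("all codes distinct:", len(set(codes.values())) == len(codes))
```

Two points from the discussion show up directly in this model. Because a biological characteristic can never be rotated the way a password can, the per-purpose derivation is what gives revocability: a compromised banking code is replaced by issuing under a new purpose label or key version without touching the other codes, and the codes stay unlinkable across sectors. And the one-way property rests on the issuer key, which therefore becomes the asset to protect; a static code presented over a channel can still be replayed, which is the concern behind the "replay attack" bullet above, so a real scheme would bind the presented code to a challenge or session rather than sending it bare.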