5 nov gsma_eema

ATTRIBUTE QUALITY ASSURED AUTHENTICATION, Dr. Rachel O’Connell, GroovyFuture.com

Upload: rachel-oconnell

Post on 02-Feb-2015


DESCRIPTION

Sharing presentation given at GSMA London offices, at the European Association for e-Identity and Security (EEMA) / Open Identity Exchange event, November 5, 2013.

TRANSCRIPT

Page 1: 5 nov gsma_eema

ATTRIBUTE QUALITY ASSURED AUTHENTICATION

Dr. Rachel O’Connell, GroovyFuture.com

Page 2: 5 nov gsma_eema

WHO AM I?

PhD, online criminal activity: implications for investigative strategies

Chief Security Officer Bebo, VP AOL

Research Consultant

Oxford Internet Institute: Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry

Ctrl_Shift: market analysis and consulting on the changing personal data landscape.

Member of OIX and the GSMA’s UK Assured legal working group

Advisor to commercial organisations on both the policy requirements and business opportunities associated with digital and mobile ID

Co-founder of GroovyFuture.com.

Page 3: 5 nov gsma_eema

KEY POINTS:

Traditional data sources for ID and age verification: artificial barriers; COPPA compliance

Increase in the number of data sources: tipping point

Age is simply an attribute of identity: permissioned, quality assured attributes.

Age related attributes enable the following:

Improvements in customer acquisition and on-boarding processes

Uplift in, and/or generation of, new revenue streams

Creation of new business development opportunities

Effective compliance with consumer protection and data protection regulation

Benefits to a number of business sectors including mobile operators, payment providers, retailers, platform providers, digital media producers and advertisers.

Page 4: 5 nov gsma_eema

TRADITIONAL ID AND AGE VERIFICATION

Page 5: 5 nov gsma_eema

BELOW 18 YEARS

Guarantor model - leveraged traditional data sources

Burdensome compliance cost

Little or no elevation in assurance

Open to repudiation

Privacy concerns

No viable commercial or liability models

Not scalable, absence of standards

Not an effective means to mitigate risks

Barrier to innovation

View of a child online

Page 6: 5 nov gsma_eema

EUROPEAN E-ID LANDSCAPE

Electronic ID cards exist in: Belgium, Estonia, Finland, Germany, Italy, Portugal and Spain.

Other forms of e-ID, like citizen cards and access tokens, are used in: Austria, Czech Republic, Denmark, Lithuania, Luxembourg, The Netherlands, Slovakia, Slovenia and Sweden.

17 EU countries also participate in a project called STORK which has proven that e-IDs can be safely recognised across borders.

https://www.eid-stork.eu/index.php?option=com_processes&act=list_documents&s=1&Itemid=60&id=312

Page 7: 5 nov gsma_eema

PRACTICAL APPLICATIONS

Austria and Iceland enable 'Safer Chat' for 14-18 year olds: users need their e-ID card to enter the chat rooms for this age group.

SaferChat has been tested as a platform for safer online communication across borders, providing useful eID services for e-learning.

The pilot can be taken as an illustration of attribute-based authentication with maximum data protection.

Businesses or governmental organizations can utilise this approach, adapting it for specific purposes.

Open Source.

Page 8: 5 nov gsma_eema

Scalability/Flexibility

Various National Credentials

The SaferChat pilot has proven to be very flexible in terms of scalability; both smart cards and SIM cards are used to access pilot applications.

At the outset, Icelandic and Austrian credentials were supported.

During the pilot's lifetime, support for further cross-border electronic identities was added (Estonia, Spain, Italy, Latvia, Luxembourg, Portugal, Slovenia and Finland).

‘This could be done without any serious effort due to sufficiently flexible and scalable STORK project specifications’.

Page 9: 5 nov gsma_eema

STORK 2.0: AQAA

Attribute Quality Authentication Assurance (AQAA) framework

Multiple Data Sources

Business Needs /business rules

Legal Framework

Page 10: 5 nov gsma_eema

MINOR’S TRUST FRAMEWORK

Page 11: 5 nov gsma_eema

DATA SOURCES

IDaaS platforms, e.g. Avoco Secure, provide a user centric approach (SFA)

Academic attribute providers: SAML

International Student Card: Mobile ID (pilot project)

Banks – miicard

Payments infrastructure – Vocalink, Zapp

Page 12: 5 nov gsma_eema

DATA SOURCES

Government issued ID docs – Secure key

OCR – ID Checker

Digital Life Data – Trulioo

Personal Data Empowerment Tools and Services

Biometrics

Traditional data bureaus and CRAs

Page 13: 5 nov gsma_eema

BankID NORWAY

Age attributes accessible

Examples of when you can use BankID:

BankAxess (a new payment service for online shopping)

Log-in and payment via internet bank

Change of address with the postal service

Placing a bid when buying property

Login on municipal websites

Purchasing units in equities funds

BankID can be used as an electronic proof of identity, for example logging in at a BankID user site.

DOB data was originally included so students could avail of discounts.

Page 14: 5 nov gsma_eema

ECONOMIC SOCIALISATION

Page 15: 5 nov gsma_eema

Page 16: 5 nov gsma_eema

BUSINESS NEEDS

COPPA 2.0 Email+ 20%-40% SPAM FOLDER

Permissioned attributes

Spending limits

Diversity of product offerings

Shared devices

4.4 m -

2.7m

4.8 m

Page 17: 5 nov gsma_eema

AGE GATING AND ENGAGEMENT ADVERTISING

Page 18: 5 nov gsma_eema

EVOLUTION OF PARAMETERS

| AGE VERIFICATION: 2008 | ATTRIBUTE QUALITY ASSURED: 2013 |
| --- | --- |
| Burdensome compliance cost | Business enabler / return on investment |
| Little or no elevation in assurance | Attribute Quality Authentication Assurance |
| Open to repudiation | Granular assurance / business rules |
| Privacy concerns | Privacy preserving, data minimisation principles |
| No viable commercial or liability models | Legal framework / scope for viable commercial models |
| Not scalable, absence of standards | Trust frameworks / interoperable standards |
| Not effective personal safety risk mitigation | Augments security / business risk |
| Barrier to innovation | Foster innovation, product diversity, virtuous cycle |
| View of children: passive, vulnerable | Active participant, economic socialisation |
| Data Protection Act: Free market | Proposed DP: Human rights, Consumer Protection Directive, Digital Agenda 2020 |

Page 19: 5 nov gsma_eema

AQAA: VIRTUOUS CYCLE

Attribute assurance / token re-use within ecosystem

Consumer satisfaction

Improved service delivery

Regulatory compliance

Customer satisfaction

Customer loyalty

Higher sales, profit margins = Return on investment

Page 20: 5 nov gsma_eema

BUSINESS ENABLER

A greater variety of data sources will be accessible and permissioned; these can be cross checked and combined to meet specific business rules.

Higher levels of customer acquisition

Remote on-boarding

Seamless customer experience

Trust elevation – LOAs, as per business rules

Low integration costs

Modular, highly configurable

Scalable, viable low cost

Reusable tokens

UX

Reputation, foster brand loyalty

Challenges: cross sectorial consensus, time frames, information security, managing the processes of accreditation, oversight, redress

Page 21: 5 nov gsma_eema

Thank You

Twitter: @racheloconnell

www.GroovyFuture.com

Page 22: 5 nov gsma_eema
