5 nov gsma_eema
DESCRIPTION
Sharing presentation given at GSMA London offices, at the European Association for e-Identity and Security (EEMA) / Open Identity Exchange event. November 5, 2013
TRANSCRIPT
ATTRIBUTE QUALITY ASSURED AUTHENTICATION
Dr. Rachel O’Connell
GroovyFuture.com
WHO AM I?
PhD online criminal activity: implications for investigative strategies
Chief Security Officer Bebo, VP AOL
Research Consultant
Oxford Internet Institute: Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry
Ctrl_Shift A market analyst and consulting: changing personal data landscape.
Member of OIX and the GSMA’s UK Assured legal working group
Advisor to commercial organisations on both the policy requirements and business opportunities associated with digital and mobile ID
Co-founder of GroovyFuture.com.
KEY POINTS:
Traditional data sources for ID and age verification:
Artificial barriers
COPPA compliance
Increase in the number of data sources: Tipping point
Age is simply an attribute of identity: permissioned, quality assured attributes.
Age related attributes enable the following:
Improvements in customer acquisition and on-boarding processes
Uplift in, and/or generation of new revenue streams
Creation of new business development opportunities
Effective compliance with consumer protection and data protection regulation
Benefits to a number of business sectors including mobile operators, payment providers, retailers, platform providers, digital media producers and advertisers
TRADITIONAL ID AND AGE VERIFICATION
BELOW 18 YEARS
Guarantor model - leveraged traditional data sources
Burdensome compliance cost
Little or no elevation in assurance
Open to repudiation
Privacy concerns
No viable commercial or liability models
Not scalable, absence of standards
Not an effective means to mitigate risks
Barrier to innovation
View of a child online
EUROPEAN E-ID LANDSCAPE
Electronic ID cards exist in: Belgium, Estonia, Finland, Germany, Italy, Portugal and Spain.
Other forms of e-ID, like citizen cards and access tokens are used in: Austria, Czech Republic, Denmark, Lithuania, Luxembourg, The Netherlands, Slovakia, Slovenia and Sweden.
17 EU countries also participate in a project called STORK which has proven that e-IDs can be safely recognised across borders.
https://www.eid-stork.eu/index.php?option=com_processes&act=list_documents&s=1&Itemid=60&id=312
PRACTICAL APPLICATIONS
Austria and Iceland enable 'Safer Chat' for 14-18 year olds where users need their e-ID card to enter chat rooms for 14-18 year olds.
SaferChat has been tested as a platform for safer online communication across borders, providing useful eID services for e-learning.
The pilot can be taken as an illustration of attribute-based authentication with maximum data protection.
Businesses or governmental organizations can utilise this approach, adapting it for specific purposes.
Open Source.
Scalability/Flexibility
Various National Credentials
The SaferChat pilot has proven to be very flexible in terms of scalability: both smart cards and SIM cards are used to access pilot applications.
At the outset, Icelandic and Austrian credentials were supported.
During the pilot's lifetime, support for further cross-border electronic identities was added (Estonia, Spain, Italy, Latvia, Luxembourg, Portugal, Slovenia and Finland).
‘This could be done without any serious effort due to sufficiently flexible and scalable STORK project specifications’.
STORK 2.0: AQAA
Attribute Quality Authentication Assurance (AQAA) framework
Multiple Data Sources
Business Needs /business rules
Legal Framework
MINOR’S TRUST FRAMEWORK
DATA SOURCES
IDaaS platform e.g. Avoco Secure, provide a user centric approach (SFA)
Academic attribute providers: SAML International Student Card: Mobile ID (pilot project)
Banks – miicard
Payments infrastructure – Vocalink, Zapp
DATA SOURCES
Government issued ID docs – Secure key
OCR – ID Checker
Digital Life Data – Trulioo
Personal Data Empowerment Tools and Services
Biometrics
Traditional data bureaus and CRAs
BankID NORWAY
Age attributes accessible
Examples of when you can use BankID:
BankAxess (a new payment service for online shopping)
Log-in and payment via internet bank
Change of address with the postal service
Placing a bid when buying property
Login on municipal websites
Purchasing units in equities funds
BankID can be used as an electronic proof of identity, for example logging in at a BankID user site.
DOB data was originally included so students could avail of discounts.
ECONOMIC SOCIALISATION
BUSINESS NEEDS
COPPA 2.0 Email+ 20%-40% SPAM FOLDER
Permissioned attributes
Spending limits
Diversity of product offerings
Shared devices
4.4 m -
2.7m
4.8 m
AGE GATING AND ENGAGEMENT ADVERTISING
EVOLUTION OF PARAMETERS
AGE VERIFICATION: 2008 | ATTRIBUTE QUALITY ASSURED: 2013
Burdensome compliance cost | Business enabler / return on investment
Little or no elevation in assurance | Attribute Quality Authentication Assurance
Open to repudiation | Granular assurance / business rules
Privacy concerns | Privacy preserving, data minimisation principles
No viable commercial or liability models | Legal framework / scope for viable commercial models
Not scalable, absence of standards | Trust frameworks / interoperable standards
Not effective personal safety risk mitigation | Augments security / business risk
Barrier to innovation | Foster innovation, product diversity, virtuous cycle
View of children: passive, vulnerable | Active participant, economic socialisation
Data Protection Act: Free market | Proposed DP: Human rights, Consumer Protection Directive, Digital Agenda 2020
AQAA: VIRTUOUS CYCLE
Attribute assurance /token re-use within ecosystem
Consumer satisfaction
Improved service delivery
Regulatory compliance
Customer satisfaction
Customer loyalty
Higher sales, profit margins = Return on investment
BUSINESS ENABLER
A greater variety of data sources will be accessible and permissioned; these can be cross-checked and combined to meet specific business rules.
Higher levels of customer acquisition
Remote on-boarding
Seamless customer experience
Trust elevation – LOAs, as per business rules
Low integration costs
Modular, highly configurable
Scalable, viable low cost
Reusable tokens
UX
Reputation, foster brand loyalty
Challenges: Cross-sectoral consensus, time frames, information security, managing the processes of accreditation, oversight, redress
Thank You
Twitter: @racheloconnell
www.GroovyFuture.com