Identity, Privacy, and the Edge

What do we mean when we talk about identity, empowering individuals to take control of their data, and why the edge needs a humanistic focus.

Ricardo J. Méndez

June 10, 2019

Transcript

  1. @argesric @samsungnext
     Goals!
     • Give a small taxonomy of useful labels and categories;
     • Walk you through what a layered conceptual model for identity could be like;
     • Talk about the privacy implications for how we go about implementing things;
     • Hopefully convince you that the closer to the edge we process things, the better it is for the user…
     • … but that the edge does not guarantee privacy.
  2. Work in progress…
     • Justine Humenansky
     • Ricardo J. Méndez
     • Gus Warren
     • David Crocker (BBW)
     • Wesley Dunnington (Ping Identity)
     • Jacoby Thwaites (OnFido)
     • PG, DJ, AL (*)
     Samsung NEXT · Internet Identity Workshop XXVIII
     * Didn’t hear back about naming them. Privacy and GDPR, y’all!
  3. Facts
     • Specific details about an individual.
     • Personally-identifying information, such as:
       • Your name…
       • Username/password pairs…
       • Shipping addresses…
       • Phone and passport numbers.
     • Facts are involved in verification and authentication.
  4. Two types of Facts
     • Mailing address
     • Username/password
     • Phone number
     • E-mail address
     • Legal name
     • Driver’s license
     • Passport
     • Income statements
     Self-asserted · Externally Validated · Credentials · Identifiers
  5. Characteristics are unstructured
     • Characteristics emerge from your daily activities, can be scried from the data exhaust:
       • Personal interests, tastes, habits;
       • What you avoid;
       • How you react to things;
       • Can change through the years;
  6. Characteristics can have value even divorced from Identifiers. That relates them to behavioral patterns and monetization.
  7. 7-Layer Conceptual Model of Identity*

     | Layer | Name | Description | Examples |
     |---|---|---|---|
     | 7 | Application | User- or system-level flows that involve identities and other systems | Sign-in account recovery, payment, wallet app on smartphone |
     | 6 | Workflow | Protocol flows between connected identities only (external choreography) | DID routing (cf. Sam's talk), REST over TCP/IP, SMS & associated data formats/encryption |
     | 5 | Transaction | How runtime capabilities of an identity are defined and invoked (internal orchestration) | Retrieval of attributes including PII, derived PII and their computation, attestations, plug-in capabilities |
     | 4 | Connection | How identities accept connections from other identities and systems | Evernym wallet connection with verifier, REST endpoint, DNS janedoe.me |
     | 3 | Reference | How an identity is referenced externally | [email protected], did:foo:bar, +1650112332, Evernym connection, QR Code |
     | 2 | Validation | What trust system validates an identity | ICANN, Bitcoin, PKI, self-signed certs |
     | 1 | Storage | The de minimis form of an identity that means it exists | A blockchain entry, disk connected to a virtual server, a database record on the cloud or a smartphone, a DID record |

     * WIP. Created during two sessions at the MV Internet Identity Workshop, May 2019
  12. Pinky-swear privacy involves trust
     • If you trust…
       • Their pinky-swear promise of not being evil;
       • They will properly implement controls so that no employees can abuse their power;
       • They are infallible engineers whose data will never leak;
       • Not like, say, people who keep passwords in cleartext…
       • … for over 14 years. *
     • Then that’s fine, I guess.
     * https://www.businessinsider.com/google-g-suite-passwords-stored-plaintext-2019-5
  13. Encryption != Privacy
     Five data points…
     • I am online usually in a specific time zone,
     • Which IP addresses my connections come from,
     • That I got served ads that skew towards movies and anime,
     • That I click on ads about cat food every 3-4 weeks,
     • That I never click on ads about nearby KFCs.
  14. Facebook announced a $3-5Bn fine. Their valuation shot up by $40Bn.
     https://www.washingtonpost.com/technology/2019/04/24/facebook-sets-aside-billions-dollars-potential-ftc-fine/
  15. If you’re working on identity
     • Regulation and fines aren't going to get us out of this mess;
     • People won't leave because of scandals or screw-ups (or they'd have done it already);
     • People won't switch because your solution is more ethical - we already have those, and people don't use them.
  16. Give them a good reason. Enable them to do something they couldn’t do before.
  17. “Government must come to be the place where the most basic online identity will be grounded in the long term.”
     Jaron Lanier, Who Owns the Future?
  18. Online identity must be self-sovereign.
     Christopher Allen, The Path to Self-sovereign Identity
     https://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
  19. Think not only about where we process the data, but about who controls that node and its output.
  20. We are not talking about edge devices. We are talking about people. Control must lie with them.