Identity, Privacy, and the Edge

June 10, 2019 / [email protected] @ArgesRic  https://mastodon.social/@ricardojmendez/ Identity, Privacy, and
the Edge Ricardo J. Méndez

@argesric @samsungnext • Give a small taxonomy of useful labels
and categories; • Walk you through what a layered conceptual model for identity could be like; • Talk about the privacy implications for how we go about implementing things; • Hopefully convince you that the closer to the edge we process things, the better it is for the user… • … but that the edge does not guarantee privacy. Goals!

@argesric @samsungnext •Justine Humenansky •Ricardo J. Méndez •Gus Warren •David
Crocker (BBW) •Wesley Dunnington (Ping Identity) •Jacoby Thwaites (OnFido) •PG, DJ, AL (*) Work in progress… Samsung NEXT Internet Identity Workshop XXVIII * Didn’t hear back about naming them.   Privacy and GDPR, y’all!

Definitions

@argesric @samsungnext Identity is everything that defines you.

@argesric @samsungnext Digital identity is what emerges from your online
life.

@argesric @samsungnext Facts and Characteristics

@argesric @samsungnext • Specific details about an individual. • Personally-identifying
information, such as: • Your name… • Username/password pairs… • Shipping addresses… • Phone and passport numbers. • Facts are involved in verification and authentication. Facts

@argesric @samsungnext •Mailing address •Username/password •Phone number •E-mail address •Legal
name •Driver’s license •Passport •Income statements Two types of Facts Self-asserted Externally Validated Credentials Identifiers

@argesric @samsungnext Which one depends on context.

@argesric @samsungnext I am not a bundle of Facts.

@argesric @samsungnext • Characteristics emerge from your daily activities, can
be scried from the data exhaust: • Personal interests, tastes, habits; • What you avoid; • How you react to things; • Can change through the years; Characteristics are unstructured

@argesric @samsungnext Characteristics can have value even divorced from Identifiers.
That relates them to behavioral patterns and monetization.

A conceptual model

@argesric @samsungnext OSI Model https://en.wikipedia.org/wiki/OSI_model

@argesric @samsungnext Helps you answer: where does a new piece
fit?

@argesric @samsungnext Layer Name Description Examples 7 Application User- or
system-level flows that involve identities and other systems Sign-in account recovery, payment, wallet app on smartphone 6 Workflow Protocol flows between connected identities only (external choreography) DID routing (cf. Sam's talk), REST over TCP/IP, SMS & associated data formats/ encryption 5 Transaction How runtime capabilities of an identity are defined and invoked (internal orchestration) Retrieval of attributes including PII, derived PII and their computation, attestations, plug-in capabilities 4 Connection How identities accept connections from other identities and systems Evernym wallet connection with verifier, REST endpoint, DNS janedoe.me 3 Reference How an identity is referenced externally [email protected], did:foo:bar, +1650112332, Evernym connection, QR Code 2 Validation What trust system validates an identity ICANN, Bitcoin, PKI, self-signed certs 1 Storage The de minimis form of an identity that means it exists A blockchain entry, disk connected to a virtual server, a database record on the cloud or a smartphone, a DID record * WIP. Created during two sessions at the MV Internet Identity Workshop, May 2019 7-Layer Conceptual Model of Identity*

@argesric @samsungnext Layer Name Description Examples 7 Application User- or
system-level flows that involve identities and other systems Sign-in account recovery, payment, wallet app on smartphone 6 Workflow Protocol flows between connected identities only (external choreography) DID routing (cf. Sam's talk), REST over TCP/IP, SMS & associated data formats/ encryption 5 Transaction How runtime capabilities of an identity are defined and invoked (internal orchestration) Retrieval of attributes including PII, derived PII and their computation, attestations, plug-in capabilities 4 Connection How identities accept connections from other identities and systems Evernym wallet connection with verifier, REST endpoint, DNS janedoe.me 3 Reference How an identity is referenced externally [email protected], did:foo:bar, +1650112332, Evernym connection, QR Code 2 Validation What trust system validates an identity ICANN, Bitcoin, PKI, self-signed certs 1 Storage The de minimis form of an identity that means it exists A blockchain entry, disk connected to a virtual server, a database record on the cloud or a smartphone, a DID record 7-Layer Conceptual Model of Identity* * WIP. Created during two sessions at the MV Internet Identity Workshop, May 2019

@argesric @samsungnext Vocabulary helps you communicate. Communication is fundamental.

System design and its impact on privacy

@argesric @samsungnext https://www.nytimes.com/2019/05/07/opinion/google-sundar-pichai-privacy.html “We'll take all your data and just
not sell it directly.” (Paraphrasing)

@argesric @samsungnext https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/ “We’re going to be private because we’ll
be encrypted.” (Paraphrasing)

@argesric @samsungnext

@argesric @samsungnext • If you trust… • Their pinky-swear promise
of not being evil; • They will properly implement controls so that no employees can abuse their power; • They are infallible engineers whose data will never leak; • Not like, say, people who keep passwords in cleartext… • … for over 14 years. * • Then that’s fine, I guess. Pinky-swear privacy involves trust * https://www.businessinsider.com/google-g-suite-passwords-stored-plaintext-2019-5

@argesric @samsungnext Edge processing can be privacy-enhancing. It is not
privacy-guaranteeing.

@argesric @samsungnext • I am online usually in a specific
time zone, • Which IP addresses my connections come from, • That I got served ads that skew towards movies and anime, • That I click on ads about cat food every 3-4 weeks, • That I never click on ads about nearby KFCs. Encryption != Privacy Five data points…

@argesric @samsungnext You don’t even need someone’s identity facts, if
you know all their characteristics.

Make it better

@argesric @samsungnext Facebook announced a $3-5Bn fine. Their valuation shot
up by $40Bn. https://www.washingtonpost.com/technology/2019/04/24/facebook-sets-aside-billions-dollars-potential-ftc-fine/

@argesric @samsungnext • Regulation and fines aren't going to get
us out of this mess; • People won't leave because of scandals or screw-ups (or they'd have done it already); • People won't switch because your solution is more ethical - we already have those, and people don't use them. If you’re working on identity

@argesric @samsungnext Give them a good reason. Enable them to
do something they couldn’t do before.

@argesric @samsungnext Identity is sticky. There’s a fear of impermanence.

@argesric @samsungnext “Government must come to be the place where
the most basic online identity will be grounded in the long term.” Jaron Lanier, Who Owns the Future?

@argesric @samsungnext Users’ identity will always be subordinate to whomever
controls the root.

@argesric @samsungnext Online identity must be self- sovereign. Christopher Allen,
The Path to Self-sovereign Identity https://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

@argesric @samsungnext This is not only a moral necessity. Self-sovereign
identity will enable new interactions.

@argesric @samsungnext Users must be in control of their data.
We need to move it to the edge.

The Edge needs a humanistic focus

@argesric @samsungnext Think not only about where we process the
data, but about who controls that node and its output.

@argesric @samsungnext We are not talking about edge devices. We
are talking about people. Control must lie with them.

@argesric @samsungnext Let’s talk. Contact: [email protected] 

Identity, Privacy, and the Edge

Identity, Privacy, and the Edge

More Decks by Ricardo J. Méndez

Other Decks in Technology

Featured

Transcript