Identity & Privacy: It’s Canada’s Game!
Wednesday 3D Convener: Joni Brennan
Notes-taker(s): Joni Brennan & Mei Lin Fund
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Founded 2012 ~ Made for Canada Trust Framework bringing people together to accelerate development of trusted identity services solutions for use in Canada and globally
Identity critical for ecommerce and payments
DIACC – membership – Federal representatives and industry participants (Innovation Science and Economics), province of BC, Ontario, SMEs
Fed, Provincial, private working together
Proof of concept pilots to solve real world challenges via commercially viable services
What problems need to be solved
E.g., confirm age prior to alcohol purchase; fill critical prescription online
DIACC principles
Workgroups and meetings
Pan Canadian Identity Trust Framework
Joni Brennan worked in US and international space
Wanted to stay away from many iterations of trust frameworks, different approaches – wanted 1 scalable model, public or private that allows for lots of innovation
US does not have a trusted attribute authority – US laws prohibit agencies from talking about identity information
Canada does have one and wants to be privacy respecting
There is a layer of trust in Canada – to assert attributes for digital identity
Allows Pan Canadian Trust initiative vs Kantara (US entity) / At gov level there is a clear distinction between identity and credential in US. In US, there is a credential service provider category – it's much more than 1 big idea
What is a trust framework?
A set of rules and tools that a community uses for its digital identity transactions to government – used to govern a particular community – rules for participating in a particular federation
Trust Framework Pillars
Standards and protocols and Business Legal Operational Policies (business, legal and technical processes)
Could be at a federation level, or national level, territorial or private sector
Challenge in the US – every state has its own way of doing caucuses – federation of 50 states with turnover with CIO, under federal umbrella
Canada has 10 provinces and 3 territories – Vision – citizens and businesses enjoy simple convenient and secure access to services in a manner they choose and manage
- Enable a whole of gov approach for seamless e-service delivery
- Improves client experience and user convenience by supporting a “tell us once” approach
- Enables jurisdictions to trust and leverage each other’s identity
Kantara initiative worked closely with GSA – had a trust framework for criteria for assessment – identity services, token manager services – worked hard to meet criteria set by NIST
Made contributions into ISO – so could not put in “check your state drivers license”
By having the trust framework specify how to create a solution – painted innovation into a corner
Found edge cases that didn’t meet criteria – it's a big challenge to have flexible frameworks that allow innovation and prescriptive enough that you can verify trust
Do I need to check if 3rd parties have been verified? E.g., checking weather is low risk to your reputation – no. If more risk to your reputation, need verification
Need service agreement to know if 3rd party is in breach.
What is right level that verifies trust and does not over burden
Identity cuts across everything – tent keeps expanding
Special snowflakes but at the end of the day, all water
Need to have a CORE and then profile off of that
Example – working for financial institution, PCI compliance, ISO 27000, KYC, outside money laundering… already doing all this – if financial institution has already jumped thru these barriers
How do you recognize trust – if we can trust that you have a valid compliance, e.g., PCI, ISO 27000 – identify same ones specific to identity
These are the challenge spaces
US trust frameworks – enforcement becomes less clear – FTC enforces breaches of trust frameworks
FTC is regulatory, but trust framework (rules and tools) supports the policies.
Violations not clear who enforces
Multi party relationships – agree to same set of rules and tools – in the US – for gov agencies delivering citizen services – instead of one off contracts with each contractor – US recognizes a set of trust frameworks as ok – so provider of service contracts to comply
In Canada – these are eco systems with many parts and components – to have trust, governments have to trust certifying bodies to carry out certifying on behalf of governments
Primary mission of govs is delivery of service assistance – Trust Turtles all the way down – build up that trust so as not to re-invent each time
Anil John – US has transitive trust relationship with entity they certify – assess the assessor – it's not true in other jurisdictions
Canada is evolving – does body have mutual governance, are they transparent?
Don’t want each gov agency to do the identity proofing every other time
At a higher level of abstraction – started from the top – define objectives, what are the outcomes we are trying to get out of this trust eco system
Personal data is private Secure
Based on Kim Cameron’s 7 Identity laws and a few more
- Roles within an identity eco system
- Objectives – what outcomes which each of the actors must meet
DIACC principles of a digital identity ecosystem for Canada
- Robust secure scalable
- Implement, protect and enhance privacy by design
- Inclusive open and meets broad stakeholder needs
- Transparent in governance and operation
- Provide Canadians choice control and convenience
- Built on open standards-based protocols
- Interoperable with international standards
- Cost effective and open to competitive market forces
- Able to be independently assessed, audited and subject to enforcement
- Minimize data transfer between authoritative sources and will not create new identity databases
Andrew Hughes – Registration for service
Someone signs up for service, organization and partners decide on the rules of what constitutes evidence of identity – how much they depend on drivers license
That's a profile
Framework says responsibilities are to verify against known sources and store reliably
Anil – US and Canadian difference – Canada said they are the authoritative source of information for their citizens
In the US, going to data brokers to assert identity
In Canada while not issuing credentials – will be vouched for by government – it's regulated, vital stats dept, passport, citizenship collect – they don’t tell others
Andrew - Canada has an authority – rules for access and modify are not providing access to other Canadian entities (even gov)
Anil – a Canadian citizen trying to get canadian services, it is a Gov entity that approves you. The agency program delivering the service does the proofing.
The Gov agency in the US doing this is using commercial services to do proofing
Andrew – in certain profiles, high assurance requirement – only gov service providers will be allowed to do the work. In more commercial usage, someone will do those services probably private sector
In future state – gov will have some assurances about what they do, because they subscribe to the framework
Getting a trust framework is difficult – herding cats
Canada 2 pillars
- Modernization of Government Service Delivery (inside gov)
- Full participation in the digital economy (outside Canadian gov – including global)
Changing government with Trudeau administration – PM writes mandate letters for which Ministers are accountable
His thing is Open Govt – published all the ministerial letters – they call for central hubs to deliver gov services – leveraging Key Concierge to private sector
DIACC delivers Pan Canadian Trust Framework. Done 2 proofs of concept:
- Remote opening of bank account
- Proving provincial residency – user centric model to allow a citizen to leverage other records opt in – privacy by design up front – did you use your ATM card in the province
Looking for 3rd proof of concept
DIACC is doing research and offering commercially viable service that would benefit citizens
Drafting Pan Canadian Trust Framework – will publish in June and people will adopt and test and get feedback to make sure it provides value and meets the needs.
Cross border use cases
BC Gov – driver's license and Care Card are now on 1 card – Services Card – to allow it to be leveraged for multiple services. Each walled off in trusted module technology. Already deployed
Jbrennan@DIACC.ca | www.www.DIACC.ca | @mydiacc
There are rounds of public consultation – to get regular people to share concerns, diverse focus groups, lots of public outreach.
At the start, there were lots of concerns about privacy – people are supportive.
In British Columbia – CARE card is health insurance card – and they had 9 million cards for 4 million people – huge fraud issue.
Until 2012, cards didn’t expire. Now will be 5 years.
Canada has strong privacy regulations – all outside businesses must meet Canadian regulations and must comply.