Identity & Privacy: It’s Canada’s Game!

From IIW

Wednesday 3D Convener: Joni Brennan

Notes-taker(s): Joni Brennan & Mei Lin Fund

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Founded 2012 ~ Made-for-Canada Trust Framework, bringing people together to accelerate development of trusted identity services solutions for use in Canada and globally

Identity critical for ecommerce and payments

DIACC – membership – Federal representatives and industry participants (Innovation Science and Economics), province of BC, Ontario, SME’s

Fed, Provincial, private working together

Proof of concept pilots to solve real world challenges via commercially viable services

What problems need to be solved

E.g. confirm age prior to alcohol purchase; fill critical prescription online

DIACC principles

Workgroups and meetings

Pan Canadian Identity Trust Framework

Joni Brennan worked in US and international space

Wanted to stay away from many iterations of trust frameworks, different approaches – wanted 1 scalable model, public or private that allows for lots of innovation

US does not have a trusted attribute authority – US laws prohibit agencies from talking about identity information

Canada does have one and wants to be privacy respecting

There is a layer of trust in Canada – to assert attributes for digital identity

Allows Pan Canadian Trust initiative vs Kantara (US entity) / At gov level there is a clear distinction between identity and credential in US. In US, there is a credential service provider category – it's much more than 1 big idea

What is a trust framework?

A set of rules and tools that a community uses for its digital identity transactions to government – used to govern a particular community – rules for participating in a particular federation

Trust Framework Pillars

Standards and protocols and Business Legal Operational Policies (business, legal and technical processes)

Could be at a federation level, or national level, territorial or private sector

Challenge in the US – every state has its own way of doing caucuses – federation of 50 states with turnover with CIO, under federal umbrella

Canada has 10 provinces and 3 territories – Vision – citizens and businesses enjoy simple convenient and secure access to services in a manner they choose and manage

  • Enable a whole of gov approach for seamless e-service delivery
  • Improves client experience and user convenience by supporting a “tell us once” approach
  • Enables jurisdictions to trust and leverage each other’s identity

Kantara initiative worked closely with GSA – had a trust framework for criteria for assessment – identity services, token manager services – worked hard to meet criteria set by NIST

Made contributions into ISO – so could not put in “check your state drivers license”

By having the trust framework specify how to create a solution – painted innovation into a corner

Found edge cases that didn’t meet criteria – it's a big challenge to have flexible frameworks that allow innovation and prescriptive enough that you can verify trust

Do I need to check if 3rd parties have been verified? Eg checking weather is low risk to your reputation – no. If more risk to your reputation, need verification

Need service agreement to know if 3rd party is in breach.

What is right level that verifies trust and does not over burden

Identity cuts across everything – tent keeps expanding. Special snowflakes, but at the end of the day, all water

Need to have a CORE and then profile off of that

Example – working for financial institution, PCI compliance, ISP 2700, KYC, outside money laundering… already doing all this – if financial institution has already jumped through these barriers

How do you recognize trust – if we can trust that you have a valid compliance eg PCI, ISO 27000 – identify same ones specific to identity

These are the challenge spaces

US trust frameworks – enforcement becomes less clear – FTC enforces breaches of trust frameworks

FTC is regulatory, but trust framework (rules and tools) supports the policies.

Violations not clear who enforces

Multi party relationships – agree to same set of rules and tools – in the US – for gov agencies delivering citizen services – instead of one off contracts with each contractor – US recognizes a set of trust frameworks as ok – so provider of service contracts to comply

In Canada – these are eco systems with many parts and components – to have trust, governments have to trust certifying bodies to carry out certifying on behalf of governments

Primary mission of govs is delivery of service assistance – Trust Turtles all the way down – build up that trust so as not to re-invent each time

Anil John – US has transitive trust relationship with entity they certify – assess the assessor – it's not true in other jurisdictions

Canada is evolving – does body have mutual governance, are they transparent?

Don’t want each gov agency to do the identity proofing every other time. At a higher level of abstraction – started from the top – define objectives, what are the outcomes we are trying to get out of this trust eco system

Personal data is private and secure

Based on Kim Cameron’s 7 Identity laws and a few more

  1. Roles within an identity eco system
  2. Objectives – what outcomes which each of the actors must meet

DIACC principles of a digital identity ecosystem for Canada

  1. Robust secure scalable
  2. Implement, protect and enhance privacy by design
  3. Inclusive open and meets broad stakeholder needs
  4. Transparent in governance and operation
  5. Provide Canadians choice control and convenience
  6. Built on open standards-based protocols
  7. Interoperable with international standards
  8. Cost effective and open to competitive market forces
  9. Able to be independently assessed, audited and subject to enforcement
  10. Minimize data transfer between authoritative sources and will not create new identity databases

Andrew Hughes – Registration for service

Someone signs up for service, organization and partners decide on the rules of what constitutes evidence of identity – how much they depend on drivers license

That's a profile

Framework says responsibilities are to verify against known sources and store reliably

Anil – US and Canadian difference – Canada said they are the authoritative source of information for their citizens

In the US, going to data brokers to assert identity

In Canada while not issuing credentials – will be vouched for by government – it's regulated, vital stats dept, passport, citizenship collect – they don’t tell others

Andrew - Canada has an authority – rules for access and modify are not providing access to other Canadian entities (even gov)

Anil – a Canadian citizen trying to get Canadian services, it is a Gov entity that approves you. The agency program delivering the service does the proofing.

The Gov agency in the US doing this is using commercial services to do proofing

Andrew – in certain profiles, high assurance requirement – only gov service providers will be allowed to do the work. In more commercial usage, someone will do those services probably private sector

In future state – gov will have some assurances about what they do, because they subscribe to the framework

Getting a trust framework is difficult – herding cats

Canada 2 pillars

  1. Modernization of Government Service Delivery (inside gov)
  2. Full participation in the digital economy (outside Canadian gov – including global)

Changing government with Trudeau administration – PM writes mandate letters for which Ministers are accountable

His thing is Open Govt – published all the ministerial letters – they call for central hubs to deliver gov services – leveraging Key Concierge to private sector

DIACC delivers Pan Canadian Trust Framework. Done 2 proofs of concept:

  1. Remote opening of bank account
  2. Proving provincial residency – user centric model to allow a citizen to leverage other records opt in – privacy by design up front – did you use your ATM card in the province

Looking for 3rd proof of concept

DIACC is doing research and offering commercially viable service that would benefit citizens

Drafting Pan Canadian Trust Framework – will publish in June and people will adopt and test and give feedback to make sure it provides value and meets the needs.

Cross border use cases

BC Gov – driver's license and Care Card are now on 1 card – Services Card – to allow it to be leveraged for multiple services. Each walled off in trusted module technology. Already deployed

Jbrennan@DIACC.ca | www.www.DIACC.ca | @mydiacc

There are rounds of public consultation – to get regular people to share concerns, diverse focus groups, lots of public outreach.

At start, were lots of concerns about privacy – people are supportive.

In British Columbia – CARE card is health insurance card, and they had 9 million cards for 4 million people – huge fraud issue.

Until 2012, cards didn’t expire. Now will be 5 years.

Canada has strong privacy regulations – all outside businesses must meet Canadian regulations and must comply.