Citizen Bill of Cyber Bill of Rights

Created in December of 2011 as I reflected on the emergence of the Cyber Risk

My identity is mine electronic or otherwise

I will be prudent in its use

I understand if I enter into an agreement that you can prove it was me
Then I am responsible

I will carry with me an object that can be kept safe from intrusion and can easily be remotely destroyed

You, those entities human and other that I enter into a relationship with
Can offer me anything I am willing to opt-in to

Using a defined set of cryptographic relationships
I agree that a digital contract can be signed and agreed and has the full force of the law behind it

You will recognize that I am your human equal and will,
Save for acts of God and Nature,

Endeavor to provide quality and service

 

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.

NSTIC and EMV should merge

October 03, 2011

Cyberspace trust: Proving you’re not a dog

A very real discomfort underlies the classic joke: “On the Internet, nobody knows you’re a dog.” How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate’s Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you’re reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

http://portalsandrails.frbatlanta.org/2011/10/cyberspace-trust-proving-youre-not-dog.html

Philip thinks:

  • The next step is to merge the identity sought by everyone and easily relegated to the Banks to manage.  Facebook and GMail offer an option if their KYC can be improved.  With face to face meeting it is possible to truly prove identity, requiring a branch network.
  • Transaction processing is legacy in the developed world while the emerging economies offer an opportunity to build new.  Existing standards and processes need to be respected as they transform to absorb the new information attachments and Internet offers we now need to cope with.
  • The Wallet forms the basic unit to create a trusted network employing smart cards, trusted computing, persistent computing and inteligence to enable the consumer experience.
  • Privacy and integrity of that trust is essential to the system
  • The individual is key
  • Respect rights and obligations

 

 

 

 

EMV is truly becoming the base for secure Card Authentication and Cardholder Verification

INCREASING EMV CARD AND TERMINAL DEPLOYMENTS CONFIRM EMV AS GLOBAL PAYMENT STANDARD
06 October 2010: As of 1 September 2010, over one billion EMV®* cards and 15.4 million EMV terminals were active globally. These are the latest EMV deployment figures reported by EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa.

http://www.emvco.com/download_agreement.aspx?id=561

e-ID – a public utility or a space of trusted third parties

In response to the article published by Consult Hyperion

Conference paper e-ID as a public utility Neil A. McEvoy

 

 

Universality

Interesting that as soon as you identify that I should be able to provide my identity to anyone anywhere you state that a national government can offer such a scheme.  That is counter intuitive and fraught with the issue of achieving global standards of identification, given the bureaucracy of most national governments. 

Yes, ICAO was able to agree on a template and specification for the e-passport.  Fortunately they had a template and various agreements and treaties to justify the work.  But when we start out with the basic premise that my identity is how I wish to project myself; we immediately move into a world of nuance with built in mechanisms to embrace and resist change.  That being said Homo sapiens’ have a perchance to employ tools we morph as society and our world evolves.

Picking the right band of stakeholders to assure universality requires that at some point people abandon the idea that there is Profit in defining how we will digitally represent a person’s identity.  Instead because the consumer/citizen wishes to project or required to provide their identity; we leave it to those seeking to receive the information to find the profit in knowing something about me. 

Having been raised in America I am drawn to the words in our declaration of independence that give us the right to life, liberty and the pursuit of happiness.  Behind these words I believe I also have the right to my privacy and do not want to learn that morphing my identity into a digital form puts my identity at risk.  The citizen/consumer must be able to decide when and what information someone is able to scan.

All of this tempers my thinking about who should be engaged in defining the global standard for digital identity.

The two-way street

I could not say it better myself.  Like my business card, a police persons badge or a company id card.  We present these to each other to create trust between various parties and provide a degree of certainty that:

·         I am who I say I am

·         This is how you can locate and communication with me

·         Here is proof that I have the following rights and capabilities

Quick transaction

Very well said the exchange of information about my identity must be as easy as handing you my business card.  Everything after that is about the context of the transaction and will parallel the discussion and negotiations between the parties.

The gadget

My only addition to the supposition that the phone is the right gadget is the reality that we are talking about something that the citizen must be able to carry most anywhere.  So it must be the one object we always carry.  Some would argue this is the mobile phone; I would suggest that we not forget the more primitive device the purse or wallet.  Maybe as we think of identity we must also think of ergonomists and think about merging the phone into the wallet not the wallet into the phone.  Leather is eco-friendly warm and comfortable to the touch.  Metal or plastic tends to be brittle and cold. 

The next thought in respect to the gadget is it becomes the device I trust and will protect at almost any cost.  Should I worry about how trustworthy your device is?  All I want from you is the information you wish to share and any certificates others provide you that allow me to authenticate your rights and capabilities.  My trusted gadget is what I use to share information and certificates and what helps me absorb and as appropriate verify information and certificates others offer to me.

Extensions

Yes my information is mine and what I offer to others is my choice.

Scheme considerations

I am not convinced of the need for a central register.  Yes there is a need for third parties to attest to the citizen’s identity that others can trust and in lies the complexity of introducing a digital solution.  In fact what the citizen needs is a device they trust.  A device we trust, carries the information and certificates that third parties, who the counterparty trusts, capable of exchanging the appropriate digital data electronically.  In order to achieve this goal we must develop and support a cascade of standards, regulations, contracts and relationships that enable global interoperability thus assuring a meaningful means of exchanging our digital identity.

Before we go about defining the techniques that should be employed, I think we must first establish base principles.  Key must be the idea that there is no centralized register.  Instead those parties we as consumers are willing to trust and wish to position themselves as trusted third parties can build registries, recording those individuals they are willing to authenticate.  The citizen may wish to contract with an entity to provide support for the trusted gadget and the various relationships it supports. 

The author’s position on protecting privacy and meeting the needs of law enforcement is laudable yet scary.  I’d rather the protection offered by a distributed environment that still is capable of responding to directed queries from law enforcement and not blanket access to everything I or others have collected about me.

Make my gadget the gate keeper; allow service providers and those parties wanting the security of digital identity the ability through standards to build affordable infrastructure to read, with my permission, data stored in my gadget.  Avoid the complexity of establishing a global resister.  What we need to define is the architecture for a gadget that is capable of carrying and supporting a myriad of digital relationships with their linked need to assure proper identification.  We then need to agree on a common set of information that all sectors share.  Maybe the v-card is the base.

For more information I offer the following background and a concept for consideration.

The Promise of multi-application Smart Cards, refined to consider the device as the media

A bit of research to prove the consumer will understand