Going BIG: The Open Identity Exchange Blockchain, Identity & Governance Forum

I’ve resisted jumping on the blockchain bandwagon. No doubt blockchain and DLT continue to be hot topics. But the conversation is now maturing.

Technical collaboration is happening at a rapid pace in places like the Decentralized Identity Foundation (DIF), a consortium formed earlier this year in a bid to promote interoperability and standards for blockchain-based ID systems. Serious contributions are focusing on a key piece of consortium success: governance.

I recently joined OIX members in presenting at MIT’s Workshop on Blockchain, AI and the Law. That event, together with great research on taxonomies, self-sovereignty, etc. by Omidyar, signals that traction on the role of governance in blockchain and DLT-based identity systems is now in play. Most importantly, several new members brought blockchain issues to OIX.

The crash of 2018 is coming. I believe the resilience, transparency and trustworthiness, or the lack thereof, will contribute to the downfall of many bitcoin-based consortia in 2018. While bitcoin is out of scope, DLT may enable verification to be done without needing to contact the issuer of the digital identity.

The potential to elevate and extend country-specific identity schemes to become globally verifiable with minimal effort is relevant to many OIX members. Many are seeing benefits in the ability for people to accumulate identity data about themselves, such as university degrees, professional qualifications, sports club membership, visas, inoculation evidence, etc.

 

The OIX Blockchain, Identity & Governance (BIG) Forum 

Accordingly, the Open Identity Exchange (OIX) is launching the “Blockchain, Identity & Governance” (BIG) forum in response to member requests, and it will be a public part of the OIX Member Forum. New OIX members like Evernym and Swirlds, in collaboration with the Accord Project, will help focus the BIG Forum.

The OIX BIG forum is focused on the governance of identity systems that utilize blockchain/DLT in the context of trust frameworks. It will look to develop governance models and examine the role of smart contracts and trust frameworks in establishing the transparency and trust necessary for consortiums and systems to operate.

OIX is partnering with the Accord Project to develop a white paper focused on smart contracts that will be part of the OIX Trust Framework Series of papers. The OIX BIG forum will be informed by the Accord Project white paper to identify specific types of legal agreements that can benefit from smart contracts. This type of work starts gathering the legal and contract expertise where the technologists are playing a more navigational than a driver role.

OIX’s focus is on the governance of blockchain/DLT implementations within trusted global identity systems. The points below highlight OIX’s BIG initiative:

  1. OIX membership includes leading experts in identity systems that know why it’s so important not to dump private information (even hashed or encrypted) onto a permanent ledger.
  2. Considered professional analysis concludes that the time is now right to engage the broader community in developing governance models.
  3. The OIX members understand the role of trust frameworks in enabling public/private sector cooperation. The Forum will focus on designing the trust frameworks to sit on top of a decentralized set of identity protocols.
  4. OIX has shown the value of testing of use cases with real people, taking the focus away from the technorati and into the use cases that bedevil our members.

 

What’s Next?

Members are welcome to join the Forum’s development of governance models through upcoming white papers and workshops. Next steps:

  1. OIX to launch Blockchain, Identity & Governance (BIG) forum in 2018.
  2. OIX and Accord Project to publish the Smart Contracts white paper.
  3. OIX and the CodeX Stanford Center for Legal Informatics at the Stanford Law School are planning a workshop focused on Blockchain, Identity and Governance in Palo Alto in Q1 2018.

A Framework for the Future of Aviation and Trust

Aviation is changing drastically and a trust framework between airports, airlines and governments may be the hallmark of that change.

With the number of people traveling set to almost double from the expected 4 billion this year to 7.8 by 2036, the airport operations and passenger facilitation that we know today will cease to exist. To meet this demand, airports will have to double their capacity in size and make more efficient use of infrastructure. Passengers will move faster, without friction, through the airport to their flight. This seamless scenario starts with more of the travel preparation begun off airport. Checking in by registering your identity on your mobile device and having your bag collected at home will begin the improved user journey. Once at the airport, the passenger will be identified through matching their biometrics at required touch points like airside access, border control and boarding. The touch points at the airport will be passed at a walking pace, a seamless flow marked by an improved user experience with equally improved privacy and security protections.

The aviation industry is working to realize this picture of the passenger journey today. There is one precondition they have to address: trusted data sharing between the many stakeholders. Stakeholders with competing plans, priorities and processes will have to cooperate to meet the demands of this changing world of aviation. The global aviation ecosystem requires these “teams of rivals” to collaborate to enable the passenger to pass airport touch points in a fast and secure way. Stakeholders will need to agree on the “tools and rules,” the business, technical and legal standards for the sharing of data. Aviation leaders have begun to organize themselves in agile governance structures to manage shared business, legal and technical standards. Those agreed standards will be memorialized in trust frameworks.

IATA’s OneID Task force has begun working with airlines, airports, governments and vendors to agree on the next generation of business, legal and technical standards. Airports, big and small, are updating operations in full cooperation with all stakeholders.  Industry leaders understand that the interdependence of airports to meet the increased privacy and security requirements will drive the necessary interoperability between airports. They’ve engaged with the Open Identity Exchange to learn how other industries are developing similar global trust frameworks. The seamless flow of passengers in airports and between airports is enabled by an analogous flow of data among stakeholders. The OneID Task Force is leading these teams of rivals and is taking up the challenge of developing a new set of “tools and rules,” the standards that will enable airports to offer a more secure, privacy protecting and seamless passenger journey in the future.

 

Authors:

Annet Steenbergen
Annet Steenbergen is co-founder of the first seamless passenger facilitation, the Aruba Happy Flow, advises the Government of Aruba and is a consultant on seamless flow. She also chairs IATA’s Passenger Facilitation Working group.

Don Thibeau
Chairman – Open Identity Exchange
Executive Director – OpenID Foundation

International Identity Law & Policy Workshop

The Open Identity Exchange, along with the American Bar Association’s Identity Management Legal Taskforce and the World Bank, hosted a workshop on January 14, 2015 in Washington D.C. with the objective of discussing the main concerns surrounding the adoption of identity management law and policy, helping to develop a common language around internet identity.

Attendees included industry leaders in identity and relevant regulatory bodies. The key theme reiterated throughout the event was the importance of focusing on outcome-based legislation. Participants voiced concern that legislation prescribing a specific technical process to implement identity standards would hinder innovation and ultimately prevent the success of a new legal regime.

The group was briefed on three main efforts to develop identity management-specific policy:

  1. United Nations Commission on International Trade Law (United Nations);
  2. Uniform Law Commission (United States);
  3. Identity Management Standards Advisory Council (Virginia).

Experts involved in each effort shared their opinions on how attendees could utilize their expertise to aid these efforts. These projects are moving forward at a domestic and international level to set the groundwork for a broader discussion around the impact of standards-based versus risk-based approaches to achieve the outcomes-based model regarded so positively in the discussions. Anti-Money Laundering (AML) is an important proof point in this regard for international banking.

In addition to leaders in US identity related legislation, architects of the EU eIDAS regulation were present at the event and shared their expertise on the development and function of identity-management specific law. The eIDAS team was able to show how the law they developed spurs the rapid development of solutions to problems to cooperation. They emphasized how the outcome focused nature of the eIDAS regulation allows it to continually adapt to changing technology. In examining the use case of eIDAS, attendees were able to generate new ideas of how a similar system could be adapted to the United States.

Discussions were moderated throughout the day on the following topics relating to identity management-specific law:

  1. Trust, Interoperability, and Enforceability;
  2. Liability;
  3. Privacy and Security;
  4. Business and Technical Standards;
  5. Participant Obligations;
  6. Legislative Goals.

These wide-ranging issues gave attendees an update on the major critiques that potential legislation will face as it attempts to address the challenges of internet identity.

Ultimately, the group agreed on the need to develop a common set of issues that must be addressed in any identity management-specific law. Although there was disagreement over the standards surrounding privacy and security, attendees recognized the need to focus on developing law that allows industry to continue to innovate while protecting the interests of consumers throughout the identity management processes.

OIX encourages approaches in which identity management law is developed to serve in the cross-section of international law, identity management, and corporate policy. Follow-up events planned in both London and Amsterdam on March 24 will give attendees and members of OIX the ability to continue this important conversation while learning from experts from across the identity ecosystem and developing a common language of internet identity.

The Venn of Internet Identity Regulation

One of the take-aways from the Open Identity Exchange Economics of Identity Conference last week in London was the potential impact of regulatory and legislative changes driven by the European Union’s eIDAS program and the common digital market. Andrea Servida, Head of the EU’s Task Force on Identity, outlined the changes that will redefine digital markets and identity services in 2016 and beyond.

As a result, Open Identity Exchange is extending its core focus a bit to address international identity management legal and policy issues. Together with our co-sponsors we hope to obtain the views and recommendations of Open Identity Exchange members on the direction of soon-to-be-developed identity legislation. The meeting is co-sponsored by the Open Identity Exchange, the ABA Identity Management Legal Task Force, and The World Bank.   

The meeting will review several recent legal and policy developments that have important implications for identity transactions. In addition to identity management legislation recently enacted by the State of Virginia and the European Union, two key identity management legislative initiatives are in the works. First, the United Nations Commission on International Trade Law (UNCITRAL) has agreed to undertake a project to develop international legal rules for identity management. Second, in the U.S., the Uniform Law Commission is considering a proposal to establish a committee to draft uniform identity management legislation for enactment by the 50 U.S. states. 

The legal and policy choices made by these and other legislative processes will have a significant impact on everyone who issues or consumes online identity credentials. Thus, the meeting co-sponsors will be seeking your input and guidance regarding the appropriate direction of identity management law and policy, so as to inform the processes in both the U.S. and internationally. As with all Open Identity Exchange initiatives we’ll share the outcomes and hopefully help advance the conversations in the US, UK and Europe via OIX workshops, white papers and websites. 

The Authority of the Neutral Judge

Anyone who has been to a Yankee game in the Bronx knows that the umpire’s best day is when the fans forget he’s on the field. In his mind, he only gets recognized after having made a mistake. One can’t help but see the parallel to the United States Supreme Court in light of the past week’s rulings on issues from same-sex marriage to health care. Chief Justice John Roberts sees himself in a similar situation to the umpire in his role on the Supreme Court.

In the Chief Justice’s mind, “umpires don’t make the rules, they help apply them. While the rules are made elsewhere the role of an umpire is critical. They help everybody play by the rules, but it is a limited role. Nobody ever went to a ballgame to see the umpire.” [1]

In this way the role of the Supreme Court and the OIX registry are somewhat similar. The Open Identity Exchange registry is given multiple sets of rules and by publishing them for all to see makes enforcement possible. The Open Identity Exchange’s trust registry makes enforcement possible in three ways. First, it exposes an organization’s compliance to a set of rules (whitelists, trust frameworks, etc.) to the judgement of its peers. None has a keener interest in a company’s compliance than its competitors. The second enforcement dynamic is the powerful binding of an organization’s public self-attestation to a set of legal claims and technical tests. The brand risk alone ensures a company thinks carefully before publicly declaring compliance. Lastly, the OIXnet.org registry invites a crowdsourced scrutiny of claims of conformance. In this way Open Identity Exchange uses a minimal viable governance approach to support a diverse set of trust frameworks, whitelists, listing services, etc.

A general purpose registry like OIXnet, as a neutral third-party publisher of rule sets, is able to provide authoritative information to all stakeholders on behalf of a variety of registrants. It is as if the umpire has outlined the strike zone in neon tape for the entire stadium to see. It would be hard for batters to argue when all of the information is available for anyone to see. Each set of the business, legal and technical requirements of a trust framework registered at OIXnet.org will be the neon tape for all to see. Through a “transparency drives trust” value proposition, “anyone, at anytime, anywhere, can see everything registered in the OIXnet.org registry without charge.” [2]

Although Justice Roberts is right that “nobody ever went to a ballgame to see the umpire,” it would be hard to argue that it makes his role any less important. Although Open Identity Exchange will never develop its own trust frameworks, it would be hard to argue that the role of the OIXnet.org registry is any less important.

[1] Rosen, Jeffrey. “John Roberts, the Umpire in Chief.” The New York Times. The New York Times, 27 June 2015. Web. 29 June 2015.

[2] OIXnet.org

First of a Kind/One of a Kind

At the OIX pre-discovery event in May, senior representatives from leading private and public sector organizations, many of them OIX members, collaborated on the first step of analyzing how they wanted to define open identity services in the UK. A federated approach to internet identity as the engine of a cross-sector market model were favoured outcomes. The benefits of such an approach were seen in increased customer acquisition and revenue, reduced fraud and compliance costs, all together in an improved customer experience. The OIX White paper written by Innovate Identity expands the outcomes of that day.

UK Members have asked OIX to accelerate the discovery project during the next two months with the purpose of articulating actionable plans for overall UK identity market standards across sectors, and to share its findings in an OIX White paper that will inform discussions at OIX’s Economics of Identity II summit planned for November (date to be announced soon).

This increased pace and scope includes targeted industry engagement refined through a series of sector-specific workshops and surveys to capture industry feedback for analysis (see the white paper appendix for the survey questions). Innovate Identity, working closely with OIX, will drive the testing of user needs to anticipate stakeholder interests in federated identity ecosystems.

This project is the first of its kind and one of a kind in its scope, scale and ambition. It may prove to be a significant step to a UK market where the public and private sector work together to create an open and trustworthy digital identity market.

We hope you will participate, alongside our members – email oixuk@openidentityexchange.org to be involved in the project, attend the workshops and respond to the survey.

Don Thibeau

Using attribute exchange to gain customer trust and transform service delivery

The first principle of good on-line service design is to put the customer first. This can be quite straightforward when an organisation is in complete control of an online transaction. It becomes a lot more difficult when other organisations are involved. This is often the case in local government transactions where information about a customer’s entitlement or eligibility for a service is held by Government departments. The customer can then get lost in a difficult and time-consuming paper chase as they assemble the evidence they require to secure the service they need.

In those situations putting the customer first means finding a quick and efficient way of sharing eligibility and entitlement information on-line, in real time while the customer is filling out their on-line application form. And eliminating the paper chase isn’t only good for customers. It means local and central government can deliver services more efficiently and at lower cost.

The first challenge, then, is to develop effective, real-time data sharing mechanisms that allow eligibility and entitlement information to flow between organisations.

There is a problem, though. There have been a number of reports recently (see for example a recent report by the Digital Catapult) showing that the public do not trust organisations with their data and don’t know how that data is being used. This fear is fuelled by repeated stories of data breaches in both the private and public sectors.

So the second challenge is to share data in a way that customers understand, trust and are prepared to accept.

Warwickshire County Council has been working with The Government Digital Service and private sector partners (Verizon, Mydex and Northgate Public Services) to deliver a number of Open Identity Exchange (OIX) sponsored projects that address these challenges head on. Last year we demonstrated that putting the customer in control of the data that is being shared in an online transaction can build trust and acceptance. The customers understood what data was being shared and why it was being shared. They were also delighted with the way the data sharing improved service delivery.

In our latest OIX project we have demonstrated that it is possible to build a technical solution that allows this data sharing to happen for real. You can read about our findings in the white paper and technical paper on the OIXUK web site. We call the solution attribute exchange, and it has a number of key characteristics:

  • Data is shared online, in real-time so that complex transactions can be completed there and then
  • The customer is in control of the data that is shared and has to give consent before data is shared
  • We know it is the customer who has consented because they have used their highly assured UK Verify credentials to log in
  • Only the minimum data necessary to drive the transaction in hand is exchanged. In many cases the service provider only needs to get a yes/no answer back from the attribute provider. In our use case Warwickshire asked the DWP a simple yes/no question: “is this customer eligible for a Blue Badge?”
  • The solution meets the relevant privacy principles developed by the Privacy and Consumer Advisory Group for identity assurance
  • The solution is generic and standards based. It could be used for any service and any service provider/attribute provider pairing. It is applicable to the private and public sectors and could handle transactions that require a combination of private and public sector data

Attribute exchange can address the two challenges of providing online, real-time exchange of data in a way that customers trust, accept and welcome. The next challenge is to bring this solution to the market as a live service in order to deliver its transformative potential. This needs both the private and public sectors to participate. The private sector needs to provide the attribute exchange mechanisms. The public sector needs to embrace this opportunity to make life better for our customers while at the same time meeting demands for greater efficiency and lower costs.

There are signs that the private and public sectors are both prepared to step up to the mark. Watch this space.

Ian Litton. Warwickshire County Council

Open Identity Exchange Member Meeting Notes

OIX member meetings are “dog fooding” exercises. We walk our talk of transparency in the hope that members trust the organization to which they contribute their time and treasure. This is to share notes from our last meeting.

Survival, if not success, of organizations like Open Identity Exchange (OIX), requires a very clear, precise description of the value propositions from a number of member perspectives.

The value propositions of organizations like OIX, the OpenID Foundation and others are clearer now that the problem space has matured to the point that it can now recognize what Open Identity Exchange has to offer – e.g. a general purpose trust registry fits the needs of other organizations who need a trusted place to register trusted identity systems.  Organizational ears in the US, UK and Canada are tuning in.

The next set of needs for this emerging open market will be processes for terms/policy/rules standardization.  As the registry matures, it will expose more models available in the current landscape and enable Trust Framework Providers (TFPs) to be grouped and make it easier for the TFPs that follow. The OIXnet registry does not, by itself, fill in the gaps to help draw separate TFs together toward policy interoperability.  This interfederation won’t be extant in the early days, but as the network effect takes hold, it’s likely to be relevant.

OIXnet builds processes that are deliberately simple first to perform the enrollment function of informing with common information so separate processes can start to gravitate toward shared, broader interoperability requirements.  As the OIXnet registration data is made more transparent and markets react it can help strengthen federation and facilitate interoperability across TFP requirements.

OIX policy allows registrants to reduce risk by ensuring that other stakeholders are committed to the same set of (enforceable) terms and will, in turn, behave more predictably. This is what some call the “self-binding” issue, and it requires competitors to embrace the concept that some things are better done in groups. We have real examples in the UK and US with MNOs collaborating to build identity services available only when ubiquitous market coverage is available.

Each competitor, be they MNO or retailer, does an “outsourcing” calculus, weighing benefits and downsides of being dependent on a third-party platform they help build.  One doesn’t have to go far to reference similar outsourcing delegations to networks for shipping, payroll preparation, data processing, etc.  The latest “outsourcing” opportunity is identity services, and OIXnet could be seen as a market information platform to accelerate and govern these multiparty agreements.

OIX workshops, pilots and white papers assess and reflect progress on the pathway to date with the goal of pulling forward the futures members are impatient to manifest.  It’s OIX members that have got us to this place. A place where OIX is poised to make an even bigger positive impact to the many stakeholders it serves.