
Digital Identity and Privacy

Week 2

Dr Peter White
• Digital Identity
• Privacy and Identity

© P White 2017 2
• What is a Digital Identity?
• Sullivan defines it as:
“Digital identity is all the information digitally recorded about an individual, i.e. a natural person, that is accessible under the particular scheme”
• What is the purpose of a digital identity?
• What do you use a digital identity for?
• When do you create one?

• Digital identity is now emerging as an important concept for government
◦ Services for citizens are being moved online to provide:
  • Better transactional efficiency
  • Reduction in operating costs
  • 24x7 access to a range of different services
• But the move online has created challenges:
◦ Legislative issues & requirements
◦ Identity assurance issues
  • People have more than one identity
◦ Fraud issues, including identity theft
• Government identity systems require uniqueness & exclusivity:
◦ one person = one identity

• Sullivan sees a digital identity as having two components:
1. A set of defined, static information that is presented for a transaction, such as name, address, DoB, and other identifying information, such as a numerical identifier, signature, etc.
◦ What other information do you think should be included here to ensure proper identification?
  • For a private use digital identity?
  • For a government use digital identity?
◦ Should it include biometric information?
Sullivan, C. (2015). Protecting digital identity in the cloud. In Ko, R., & Choo, K. (Eds.), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress.

2. Transactional data.
◦ This is a larger collection of “other” information that is tied to the transaction identity.
  • Note her use of terminology here – transaction identity.
  • What do you think this means?
◦ Transactional data is dynamic & augmented on an on-going basis
◦ This data is generally considered personal information & not available in the public domain
◦ This data is often protected by privacy laws and regulations

• Digital identification has two phases:
1. Authentication of identity
2. Verification of identity
• This process is based on the integrity of transaction identity

• Authentication
◦ An identity claim is authenticated by the claimant providing identifying information, such as:
  • User name and password
  • Identity number and password
  • Biometrics and password
◦ Identifying information is regarded as being associated inseparably with the individual

• Verification
◦ The authenticated digital identity can now be used to verify transactions, such as renew licences, claim Medicare rebates, complete tax returns, etc.

• Note that a human is not absolutely essential to the identification process.
• Identification can be on a computer-to-computer basis using previously stored and verified identity claims
◦ Think about Medicare rebates – the Doctor’s surgery handles the complete claim for you, including identifying the patient to Medicare

• Identity Management has been defined as “the administration of an entity’s digital identity so as to provide secure and controlled access to the resources that the entity is entitled to use” (White, 2009, p. 5)
◦ The ‘administration of an entity’s digital identity’ implies that all aspects of that administration, including identification of the entity and the issuing of credentials, are part of the identity management process.
◦ It also implies the continued maintenance of the identity and its credentials throughout their life-cycles.
◦ The need to provide ‘secure and controlled access’ entails not only the use of a system of authentication to ensure that only the correct identities are allowed access, but also access control of the enterprise’s resources. This ensures that the authenticated identity only has access to those resources that it is entitled to use.
◦ The use of the phrase ‘entitled to use’ further implies that there must be a system of provisioning to ensure that an identity is granted access only to the resources that it is entitled to access.
◦ This leads to the implication that a system of governance must be in place to monitor the entire process of identity management.

• The process of authentication takes a user to an authentication module
• There the user’s credentials are compared with the stored set
• If the credentials match, authentication then occurs
• The user is then passed to an authorisation module
• Authorisation is the process of granting the user access to resources that they are entitled to access
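The following is an added example, not code from the slides or from White's paper, that puts the authentication and authorisation flow described above into working form and, at the same time, covers the elements of the identity management definition on the earlier slide: enrolment (identification, issuing a credential, provisioning entitlements), authentication of a claim against the stored credential set, authorisation against entitlements, revocation at the end of the life-cycle, and an audit trail that a governance function could monitor. The `IdentityStore` class, its methods, the user names, resource names and passwords are all constructed for illustration; the PBKDF2 work factor is an assumption to be tuned to the deployment.

```python
# Added example (not from the slides): a minimal identity management cycle in the
# sense of the White (2009) definition -- enrolment (identification, issuing a
# credential, provisioning entitlements), authentication of a claim against the
# stored credential, authorisation against entitlements, revocation at end of life,
# and an audit trail for governance. Class, function and sample names are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: PBKDF2-HMAC-SHA256 with a fixed work factor; tune to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass
class StoredCredential:
    """What the authentication module keeps: never the password, only a salted hash."""
    salt: bytes
    digest: bytes
    active: bool = True


@dataclass
class IdentityStore:
    credentials: dict[str, StoredCredential] = field(default_factory=dict)
    entitlements: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[tuple] = field(default_factory=list)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    # --- identification, credential issuing and provisioning (enrolment) ---
    def enrol(self, user: str, password: str, resources: set[str]) -> None:
        salt = os.urandom(SALT_BYTES)
        self.credentials[user] = StoredCredential(salt, self._derive(password, salt))
        self.entitlements[user] = set(resources)
        self.audit_log.append(("enrol", user, tuple(sorted(resources))))

    # --- life-cycle end: the record is kept, but the identity can no longer authenticate ---
    def revoke(self, user: str) -> None:
        if user in self.credentials:
            self.credentials[user].active = False
            self.entitlements[user] = set()
            self.audit_log.append(("revoke", user))

    # --- authentication module: compare the presented credential with the stored set ---
    def authenticate(self, user: str, password: str) -> bool:
        cred = self.credentials.get(user)
        if cred is None:
            # Unknown user: still run the derivation so the response time does not
            # reveal which user names exist.
            self._derive(password, os.urandom(SALT_BYTES))
            self.audit_log.append(("auth_fail", user, "unknown"))
            return False
        if not cred.active:
            self.audit_log.append(("auth_fail", user, "revoked"))
            return False
        ok = hmac.compare_digest(self._derive(password, cred.salt), cred.digest)
        self.audit_log.append(("auth_ok" if ok else "auth_fail", user, "password"))
        return ok

    # --- authorisation module: grant only what the identity is entitled to ---
    def authorise(self, user: str, resource: str) -> bool:
        allowed = resource in self.entitlements.get(user, set())
        self.audit_log.append(("authz_ok" if allowed else "authz_deny", user, resource))
        return allowed

    def access(self, user: str, password: str, resource: str) -> str:
        """The flow on the slide: authenticate first, then authorise."""
        if not self.authenticate(user, password):
            return "denied: authentication failed"
        if not self.authorise(user, resource):
            return "denied: not entitled"
        return f"granted: {resource}"


def demo() -> tuple[dict[str, str], list[tuple]]:
    """Constructed scenario; returns the access decisions and the audit trail."""
    store = IdentityStore()
    store.enrol("alice", "correct horse battery staple", {"renew_licence", "tax_return"})
    results = {
        "good": store.access("alice", "correct horse battery staple", "renew_licence"),
        "bad_password": store.access("alice", "wrong password", "renew_licence"),
        "not_entitled": store.access("alice", "correct horse battery staple", "medicare_rebate"),
        "unknown_user": store.access("mallory", "anything", "renew_licence"),
    }
    store.revoke("alice")
    results["after_revoke"] = store.access("alice", "correct horse battery staple", "renew_licence")
    return results, store.audit_log


if __name__ == "__main__":
    decisions, trail = demo()
    for name, decision in decisions.items():
        print(f"{name:>13}: {decision}")
    for entry in trail:
        print("audit:", entry)
```

Two design points are worth noting against the slides. Authentication and authorisation are deliberately separate methods with separate audit events, so a valid identity asking for a resource it is not entitled to is logged as an authorisation denial, not an authentication failure. Revocation leaves the record in place but makes it unable to authenticate, which is what "continued maintenance of the identity and its credentials throughout their life-cycles" requires in practice.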

• Question:
◦ Is having less data about an individual equal to better privacy?
• Answer:
◦ It depends.
  • A single fingerprint stored may be more invasive than a full credit history
  • A small amount of identity information that is shared with numerous parties may be more invasive
  • A small amount of identity information that is not secured may be catastrophic for the individual
  • A small amount of identity information may be used to profile an individual, which can have consequences ranging from reputational damage to criminal charges

• Privacy guidelines
◦ Openness.
  • The existence of systems containing personal data should be publicly known, along with a description of the system's main purposes and uses of the personal data in the system.
◦ Individual participation.
  • Individuals should have a right to view all information that's collected about them. They should also be able to correct or remove data that isn't timely, accurate, relevant, or complete.
◦ Collection limitation.
  • Limits to the collection of personal data should exist. Personal data should be collected by lawful and fair means and, where appropriate, with the individual's knowledge or consent.
◦ Data quality.
  • Personal data should be relevant to the purposes for which it's collected and used. It should be accurate, complete, and timely.
◦ Finality.
  • The use and disclosure of personal data should be limited. Personal data should be used only for the purposes specified at the time of collection and shouldn't be otherwise disclosed without the consent of the individual or other legal authority.
◦ Security.
  • Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, and disclosure.
◦ Accountability.
  • The keepers of personal data should be accountable for complying with fair information practices.

• Additional principles:
• Diversity and decentralization.
◦ Enrolment and authentication options should let individuals choose the appropriate key for a specific need. Designers should resist centralising identity information or using a single credential for multiple purposes.
• Proportionality.
◦ The amount, type, and sensitivity of identity information collected and stored should be consistent with and proportional to the system's purpose.
• Privacy by design.
◦ Privacy considerations should be incorporated into the identity management system from the outset of the design process. Considerations include safeguards for the physical system components as well as policies and procedures that guide the system's implementation.

• Privacy considerations:
◦ Lack of user control
◦ Unauthorised secondary use
◦ Data proliferation and cross-border data flows
◦ Dynamic provisioning

• Security considerations:
◦ Access – legal right to access data held
◦ Control over the data lifecycle
◦ Availability & backup
◦ Lack of interoperability standards
◦ Multi-tenancy
◦ Audit

• Trust issues:
◦ Trust boundaries
◦ Shared responsibility boundaries
◦ Non-transitive trust issues with use of subcontractors or other cloud providers
◦ Customer trust issues – usually from lack of visibility or control
◦ Legal issues between jurisdictions

• Data handling mechanisms
◦ Classifying data
◦ Data location policies
• Data security mitigation
◦ Encryption?
◦ Data classifications
• Privacy design
• Standardisation
• Accountability
◦ Auditing & reviews
• Increase trust
◦ Governance frameworks, privacy rules, etc.

• Read:
◦ Sullivan, C. (2015). Protecting digital identity in the cloud. In Ko, R., & Choo, K. (Eds.), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress.

◦ White, P. (2008). Identity Management Architecture: A New Direction. Paper presented at the 8th International Conference on Computer and Information Technology (CIT 2008), Sydney. http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/4594710/

◦ Hansen, M., Schwartz, A., & Cooper, A. (2008). Privacy and Identity Management. IEEE Security & Privacy, (2), 38-45. http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/4489848/

◦ Pearson, S., & Benameur, A. (2010). Privacy, Security and Trust Issues Arising from Cloud Computing. Paper presented at the IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom), 2010. http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/5708519/

• Watch
◦ Digital Identity videos on Interact

