AGE VERIFICATION: REACHING A TIPPING POINT

SSSSSDr. RACHEL O’CONNELLISSE CONFERENCE, 2013.

BACKGROUND• Research Consultant • Oxford Internet Institute:

– Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry

• Ctrl_Shift– A market analyst and consulting business

• Member of OIX and the GSMA’s UK Assured legal working group• Led the UK Council for Child Internet Safety (UKCCIS) project group on age

verification and report back to minsters on an annual basis. • Advisor to commercial organisations on both the policy requirements and

business opportunities associated with identity management and age verification

• Co-founder of GroovyFuture.com.

AREAS COVERED• The 2008 perspective and the artificial divide• Catalysts and Tipping Points: Pit stop in 2013 and a 2020 horizon scan • Emergence of a data driven economy:

– Trust Frameworks– Electronic ID – NSTIC – Minors Trust Framework ($1.6m)– Mobile ID – alpha projects, introduction of age verification into payment protocols– Digital economy – disruption in the payments sector, sub-accounts– Internet of Things – – Personal Data Empowerment Tools and Services – Quantified self

• E-ID ecosystem, IDAAS, IDPs, Attribute Exchanges– Business use cases: ROI– Sources of attributes– Opportunities and challenges

2008 View of Age Verification• Burdensome compliance cost• Little or no elevation in assurance• Open to repudiation• Privacy concerns• No viable commercial or liability

models• Not scalable, absence of standards• Not an effective means to mitigate

risks• Barrier to innovation

Artificial Divide• ID and age verification – lessons from the evolution of data bureaus and

CRA’s to meet specific business sector needs• Lack of access to datasets not only about children and young people but

also the unbanked – thin files.• Assumption that under 18’s had limited purchasing power• Data sources: Government, schools, banks• COPPA requirements: Permissioned access – sites excluded young people

aged 12 and below (to difficult box)• Struggle to identify business cases with a clear ROI – not seen as a

business enabler

CATALYSTS AND TIPPING POINTS

IINTERNET OF THINGS

E-COMMERCEDATA DRIVEN ECONOMY

DIGITAL IDMOBILE ID

PDETS

NASCENT INTEROPERABLE ECOSYSTEMS

• Electronic identity ecosystems are a key enabler of the “digital economy”

• NSTIC aims to enable “Individuals and organizations [to] utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.”

• Provide scalable, privacy preserving, commercially viable, privacy preserving permissioned use of attributes.

• STORK

• Proposed regulation

• Alpha project – retailers

• Reducing the barriers to permissioned use of age attributes

ELECTRONIC ID

MINOR’S TRUST FRAMEWORK

MOBILE ID• Mobile ID – GSMA/ OIX Commercial Trust Framework• SIM-based digital authentication solution • Embedded SIM/MIM – Machine Identification Modules• With the huge market potential and demand stimulated by immense

traffic from trillions of connected devices, the Internet of Things provides operators with the means to expand their service portfolios and increase revenues.

12

ASSURED UK

Assured UK is a collaborative forum established to develop a personal data and identity attribute exchange marketplace

It encompasses the whole ecosystem

Banking

Retailers

Mobile Network Operators

Identity experts

Government

VISION

Establish a secure and trusted marketplace that enables consumers to control, share and benefit from their digital identities and personal information

1. The consumers interests are uppermost and at all times the individual controls storage and exchange of data

2. We will seek to reuse existing standards work where ever possible and align with the work of UK government.

3. We will seek to enable the maximum product and business model diversity, consistent with inter-working between participants.

PRINCIPLES

OBJECTIVES

Define an end-2-end framework and pilot use case by year end

a) Architect standards for identity attribute verification and authentication

b) Define a permissions system for the exchange of those attributes c) Develop a legal framework that will facilitate the interoperability

between different players in the ecosystem, while ensuring users’ data protection and privacy, encompassing:

i. Risk & Liability flowsii. Auditing framework iii. Privacyiv. Regulatory compliance

d) Establish and prove a commercial model for identity attribute exchange

e) Pilot and demonstrate efficient marketplace for digital identity and attributes

• Trust is central to the operation of a data driven economy.

• Trust is crucial in the context of delivery and consumption of electronic interactions between parties including consumers, governments and the private sector.

• In order to both provide and benefit from digital services, companies, public administrations and consumers need to distinguish between trusted and non-trusted counterparts online; they also need to be recognised as trusted parties themselves.

• A trust framework can reduce the need to negotiate a multitude of individual commercial contracts.

TRUST FRAMEWORKS

TRUST FRAMEWORKS: E-ID, COMMERICIAL (MOBILE ID),INTERNET of THINGS, PDETS

INTERNET OF THINGS• Education • Assert trusted credentials (LoA)• Recognise trusted intermediaries

(accreditation)• Quantified self - Databetes• Convenience, security• Active participants

IoT INFORSEC AND TRUST• Inofsec properties of the IoT are often

difficult to understand for its users, because they are hidden in pervasive systems and small devices manufactured by a large number of vendors.

• Trustworthiness, security functions and privacy implications are vast, and must be assessable to users and consumers.

• uTRUSTit enables system manufacturers and system integrators to express the underlying security concepts to users in a comprehensible way, allowing them to make valid judgments on the trustworthiness of such systems.

PDETS TRUST FRAMEWORKS

• Forging new social contracts• The Respect Trust Framework is designed to give

individuals control over the sharing of their personal data on the Internet.

• Mydex, the personal data store and trusted identity provider, has also had its “Mydex Trust Framework” listed by the Open Identity Exchange.

• Connet.me has had its Trust Model and Business Model for Personal Data listed by OIX

• The Personal Network: A New Trust Model and Business Model for Personal Data

• Access to data that companies make available and authoritative personal data sources – university exam results

GOVERNANCE AS A SOFTWARE SERVICE

• ID³ believes, governance principles should be expressed as software that is then able to evolve to incorporate advances in technology and to support changing market and societal requirements.

• Using these tools, people will be able to ensure the privacy of their personal information, leverage the power of networked data, and create new forms of online coordination, exchange and self-governance.

• They will be able to forge new “social contracts” and participate in new types of legal and regulatory systems for managing organizations, markets and their social and civic lives. These systems will conform to both international legal standards and to the specific social norms and priorities of its members.

IINTERNET OF THINGS

E-COMMERCEDATA DRIVEN ECONOMY

DIGITAL IDMOBILE ID

PDETS

NASCENT ECOSYSTEMS: Sources and Consumers of Verified and Permissioned Identities and Attributes

• E-ID e.g. Spain, NEM ID• WAYF, SAML• Mobile operators - International student card• Banks• Government issued ID docs – Secure key• Digital Life Data – Trulioo• Personal Data Empowerment Tools and Services• Biometrics • OCR• Traditional data bureaus and CRA’s

DATA SOURCES: Permissioned AttributesPit stop 2014 -2015

BUSINESS NEEDS: • COPPA 2.0 – email Plus• 20-40% of email+ emails end up in

Spam folders• Freemium model• Permission dashboard – set spending

limits – • Enable self-regulatory measures –• ROI

• Omni-channel retailers• Payment providers• Alcohol• Advertising industry - broadcast

versus engagement

BENEFITS• Permissioned use of attributes (includ. age)

– Higher levels of customer acquisition – Trust elevation – LOA’s

• Remote on-boarding

– Differing levels of assurance

• Tailored to meet business rules – Low integration costs – Modular, highly configurable– Scalable, viable low cost– Reusable tokens– UX– Reputation, foster brand loyalty

LOOKING TO THE FUTURE• A greater variety of data sources will be accessible and permissioned, these can be cross

checked and an assurance level/ risk profile calculated to meet specific business rules. • Granularity with respect to permissions (e.g. time stamped - miicard) and user centric

controls• Artificial barriers removed – young people will be enabled to become active participants

in the digital economy, internet of things, manage their personal data• New social contracts will be forged• Business development and ROI opportunities• Many other benefits..• Challenges • Information security• Threat vectors – bad actors, untrustworthy intermediaries• Scale of potential unintended consequences• Roles and responsibilities of regulators• Managing the processes of accreditation, oversight, redress

THANK YOU FOR LISTENING

rachel@technologist.comTwitter: @racheloconnellwww.GroovyFuture.com

HAPPY TO ANSWER ANY QUESTIONS?