The Challenges of Online Identity Assurance

in a Judicial Setting

Alison Knight, Supervisors: Prof. Steve Saxby (Law) & Dr. Mark Weal (ECS)LawILAWS

dog judge!

Welcome User 39 …

Who are you today? …

Our life in data…from cradle to grave

• The potential to chronicle individual lives exceeds anything previous in human history

• The ‘datafication’ of our lives involves a large ecosystem of participants, including identity intermediaries

Identity assurance is characterised by identification and authentication processesAuthentication is the process of associating

attributes with a known entity

1-factor authentication

2-factor authentication

3-factor authentication

Self-assertion

Third party verification

Direct verification

Detailed direct verification

The user makes a self-assertion of identity and there are no checks

Verification of identity is direct and detailed (e.g. for passport)

Verification of identity is direct (e.g. background check of clients)

Verification is left to third party (e.g. phone number)

Identification is the process that makes known an entity in a given domain

1) ISO/IEC 24760

Strong Digital Identities are characterised by a process of identification and authentication that is able to ensure the verification of the data provided by the individual and the secure authentication to its user profile

Soft Digital Identities, although sometimes they are used for commercial transactions (i.e. Amazon), do not require identification and authentication processes with high security levels (e.g. Social Networking Sites). These soft identities normally consist of a user name

and a password plus several attributes needed to use the specific services

+

-

Level of trust

The authentication is done through something that you know, or you have (i.e. password)

The authentication is done through something that you know and you have (i.e. token and PIN)

The authentication is done through something that you know, you are and you have (i.e. token, PIN, biometric)

What is the problem for the courts?

Research scope: example – how do the courts authenticate

authorship of a piece of social media text?

Direct evidence

Circumstantial evidence

Court

Individual A? Presented by

Individual B impersonating Individual A?

Technical challenges of authenticating authorship

of online text

How do courts establish who is behind the keyboard?

O Basic traceability issues

• Who is behind an IP address?

• Can you fake ‘metadata’ (machine-generated data about data)?

O The ‘account owner’ gap

• Who uses an account?

• Passwords are poor identifiers

Research value – trending now…“Social media (criminal law, evidence and procedure): The criminal law and

criminal rules of evidence and procedure may not have kept pace with the technological and social developments flowing from the rapid and widespread take-up of social media, such as Twitter and Facebook. …There are evidential challenges, for example in proving authorship and in relation to the technology used to generate and communicate messages through these media.”

Law Commission 2013, consultation for 12th programme of law reform, c. 2016 start?

“In relation to the problem of matching internet protocol addresses [to particular internet users], my Government will bring forward proposals to enable the … investigation of crime in cyberspace.“ (Background briefing note: “…need to know who used a certain IP address at a given point in time”)

Queen’s Speech to Parliament in 2013

Thank you for listeningComments & Questions?

More information at: http://www.southampton.ac.uk/superidentity/