A couple of days ago, Christine Runnegar outlined all the conferences, events, and activities happening this month related to Internet security. Today, I’d like to share some perspective on the work happening within the identity and privacy communities. In the last 18 days, I’ve been lucky enough to take part in conferences which brought together some of the most interesting specialists in these areas – from the UN’s WSIS+10 forum in Geneva, to ForgeRock’s Identity Conference in the Bay Area, to Ping Identity’s Cloud Identity Summit in San Diego. Logistics aside, it was a valuable chance to hear about the state of the art, to experience the scope and breadth of this sector, and to reflect on how our thinking should adapt to the ever-changing circumstances of digital identity. I’ll be following up with some more detailed posts on specific topics, but in the meantime, here’s the high-level summary.
- Identity and privacy could not be more central to the work of the commercial and public sectors. We knew that already, of course, but as a foundational truth, it’s just getting stronger.
- In parallel, identity and privacy reach into our lives, as citizens and consumers, in ever-increasing depth and intimacy. Again, we know that, but the Internet of Things is about to introduce exponential growth in scale and detail.
- The online world is so immersive that we sometimes don’t notice the pace of incremental change… then we look up and find that everything has changed except our mental model of how things work.
At one level, I was reassured that the Internet Society’s work on identity and privacy, as key trust factors in the Internet, aligns so well with the technical direction of travel. We’re working on topics like:
- User consent and control, in the disclosure of personal data
- User choice in the selection of identity providers
- The ethics and user experience of privacy
- Integrity and security of the Internet infrastructure
And we’re engaging at several points in the life-cycle: in standardisation (with the IETF, the W3C, Kantara, OASIS and others); in policy-making (at the IGF, WSIS, the OECD, the European Commission, the Council of Europe and elsewhere); in awareness-raising, through our own regional bureaux and chapters; and in deployment, with projects like ToSback/2, UnitedID and Cryptech.
Our topics were reflected in so much of the technical and deployment work showcased over the last couple of weeks; here’s a fly-by of just some of what I saw:
- Breaking new ground on consent receipts, user-controlled data sharing, and identity relationship management, at Kantara, Gluu and elsewhere
- Evolving the infrastructure for stronger authentication, with Yubico, Feitian, FIDO/U2F, SecureKey, etc.
- Building assurance, through US and UK programs for identity assurance, and related work by NIST, Confyrm, national and regional governments
- Adapting identity and privacy to the Internet of Things, with all that it brings in terms of scale and pervasiveness
- … and much, much more.
At another level, though, it’s impossible not to be somewhat awed by the scale of work going on, the pace of change, and the work ahead of us. Here’s another foundational truth:
Our work is not about getting to “finished”; it’s about getting to “better”.
We find problems, we take a crack at them, and we succeed to some degree. But in doing so, we change the nature of the problem, the world around us moves on, and next time we look, our solution is no longer the best we could do. So we iterate again. Solving the privacy problem for browsers is not the same as solving it for mobile apps, or for embedded systems, or for smart objects. Each set of solutions opens up new possibilities, and exposes a new set of problems to fix.
That’s why I think it’s so important, occasionally, to have the opportunity to take stock and update our own preconceptions. After all, as Ferris Bueller so wisely observed:
“Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”