[KI-LC] Media query from SC Magazine - deadline 2/26/2016 17:30:00

Mike Schwartz mike at gluu.org
Mon Feb 22 15:11:16 CST 2016


I can offer to take a stab at responding to these questions by the 
date requested on a Gluu blog.



On 2016-02-22 11:13, Colin Wallis wrote:
> Thanks Ken
> We'll consider this question dealt to.
> Anyone else want to take on one of the others?
> Cheers
> Colin
> .....................................
>> At airports around the world, travelers' identities are routinely
> verified using biometric identification. Recently in India, a new
> facility for pension distribution adapted an iris authentication
> scanner to validate citizens. New generations of fully integrated,
> end-to-end cloud identity management platforms offer clients secure
> and flexible means to pick and choose which services they need. For
> this latest ebook from SC Magazine, we speak to a number of experts
> with hands-on experience about how these advances in technologies are
> changing the face of identity management and opening up new
> opportunities for the enterprise to become more secure—and we’ll
> throw in a few caveats (for one, what happens to privacy when
> biometrics are added to the mix?) that any organization should heed
> when revamping its identity management strategy.
>> Here are the questions he's exploring:
>> What are the latest advances in ID Management technology?
>> How has it evolved over the years?
>> What happens to privacy when biometrics are thrown into the mix?
>> How are ID management systems and access management/roles-based
> management converging?
>> ID management has been largely about people in the past. How will
> the Internet of Things change that, if at all?
>> Is authentication keeping up with trends in ID management?
>> My identity as my wife sees it may be different to my identity as my
> bank sees it, which may be different again to my identity as my
> employer sees it. How do we cope with multiple attributes in ID
> management?
>> How do we maintain and preserve identity in the long term, as a
> person's life and circumstances change?
>> Are there standards for ID management?
>> What are the biggest challenges facing companies that want to design
> and deploy their own ID management systems?
> -------------------------
> Date: Mon, 22 Feb 2016 06:58:22 -0500
> Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline
> 2/26/2016 17:30:00
> From: kendaggtbs at gmail.com
> To: colin_wallis at hotmail.com
> CC: lc at kantarainitiative.org
> Colin,
> I agree fully that the first two paragraphs address the scope of his
> question regarding biometrics and privacy.
> However, your comment, "sense of direction of travel for SC Magazine
> being towards Data Protection" prompts me to include the rest of the
> material regarding Privacy. In my opinion, a focus solely on data
> protection misses the boat on respecting privacy and probably does it
> a disservice. As you are aware, having the best data protection
> practices in the world while using an individual's PII for unstated
> purposes or disclosing it inappropriately, still means the
> organization is not respecting an individual's privacy.
> I agree with your concern regarding "a compromise in the sample or the
> templates database" being a major issue with respect to an individual
> having to re-establish and re-bind their identity. However, I would
> argue that the same holds true for any piece of an individual's PII
> that is used by an organization. Biometric data, because it is viewed
> as unique to an individual, is in some organizations' minds, viewed as
> a silver bullet with respect to Identification. However, in my opinion,
> it is just another piece of data that can be used to mitigate the risk
> of misidentification. If the consequences of misidentification are
> severe it should still be corroborated with other PII. In other words,
> it is not a silver bullet.
> This being said, I restructured the answer to address the "silver
> bullet" concept as well as the out-of-scope text. I would recommend
> including the background in the response as I believe that it is
> important to raise the "technology neutral" idea with respect to
> privacy policy/legislation. I would like to start the process of
> changing the perception held by many people that current policy is
> outdated or has been overtaken by advances in technology. (My soapbox
> rant for the day)
> While we probably aren't going to be killed for not answering all the
> questions I hope that others can address some of them.
> Ken
> ==============
> The perception that something should happen to privacy because
> biometrics enter the mix is erroneous.
> Privacy is a state that is respected when an individual understands
> and consents to how their personally identifiable information (PII) is
> collected, maintained, used, disclosed and disposed. Biometric
> information, given its uniqueness to each individual, should be
> considered to be PII.
> Regardless of its apparent uniqueness, an organization that wishes to
> mitigate the risk of misidentification of an individual should not
> look at biometric data as a "silver bullet". If the consequences of
> misidentification are high they should still corroborate the biometric
> data with other PII during their authentication. The process, whether
> in the digital or real world, still requires an organization to
> identify the consequences of misidentification before it puts in place
> procedures and techniques (such as the use of biometric data) to
> mitigate that risk.
> Background on Privacy
> It should be noted that jurisdictions around the world have identified
> that respect of an individual's privacy is technology neutral.
> For the US Government NIST Special Publication 800-122 defines PII as
> "any information about an individual maintained by an agency,
> including (1) any information that can be used to distinguish or trace
> an individual's identity, such as name, social security number, date
> and place of birth, mother's maiden name, or biometric records; and
> (2) any other information that is linked or linkable to an individual,
> such as medical, educational, financial, and employment information."
> In other countries with privacy protection laws derived from the OECD
> privacy principles, the term used is more often "personal
> information". This term, in general, is broader than PII. For example,
> there are two pieces of legislation that cover privacy at the federal
> level in Canada: the Privacy Act and the Personal Information
> Protection and Electronic Documents Act (PIPEDA). The Privacy Act
> relates to an individual’s right to access and correct personal
> information the Government of Canada holds about them or the
> Government’s collection, use and disclosure of their personal
> information in the course of providing services (e.g., old age
> pensions or employment insurance). PIPEDA sets out the ground rules
> for how private-sector organizations collect, use or disclose personal
> information in the course of commercial activities across Canada.
> Both acts in essence define personal information to be any factual or
> subjective information, recorded or not, about an identifiable
> individual. This includes information in any form, such as:
> * age, name, ID numbers, income, ethnic origin, or blood type;
> * opinions, evaluations, comments, social status, or disciplinary
> actions; and
> * employee files, credit records, loan records, medical records,
> existence of a dispute between a consumer and a merchant, intentions
> (for example, to acquire goods or services, or change jobs).
> Excluded is information concerning the name, title, business address
> or telephone number of an employee of an organization.
> Both acts identify how personal information should be collected,
> maintained, used, disclosed and disposed. Of interest is the
> requirement to identify a retention period for the personal
> information that is collected about an individual and how that
> information is expunged from an organization's records.
> Also of interest is how the power and versatility of re-identification
> algorithms have significantly increased the ability of identifying an
> individual without the use of PII. As such, Big Data is becoming an
> issue in privacy circles.
> <snip>

Michael Schwartz
Founder / CEO
mike at gluu.org
