Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy and the Edge

June 10, 2019 / ricardo@samsungnext.com
@ArgesRic
https://mastodon.social/@ricardojmendez/
Identity, Privacy and
the Edge
Ricardo J. Méndez

@argesric @samsungnext
• Give a small taxonomy of useful labels and categories;
• Walk you through what a layered conceptual model for identity could be like;
• Talk about the privacy implications for how we go about implementing things;
• Hopefully convince you that the closer to the edge we process things, the better
it is for the user…
• … but that the edge does not guarantee privacy.
Goals!

●Justine Humenansky
●Ricardo J. Méndez
●Gus Warren
●David Crocker(BBW)
●WesleyDunnington (Ping Identity)
●JacobyThwaites (OnFido)
●PG, DJ, AL (*)
Work in progress…
Samsung NEXT Internet Identity Workshop XXVIII
* Didn’t hear back about naming them.
Privacy and GDPR, y’all!

Identity is everything that
defines you.

Digital identity is what emerges
from your online life.

Facts and Characteristics

• Specific details about an individual.
• Personally-identifying information, such as:
• Your name…
• Username/password pairs…
• Shipping addresses…
• Phone and passport numbers.
• Facts are involved in verification and authentication.
Facts

●Mailing address
●Username/password
●Phone number
●E-mail address
●Legal name
●Driver’s license
●Passport
●Income statements
Two types of Facts
Self-asserted Externally Validated
CredentialsIdentifiers

Which one depends on context.

I am not a bundle of Facts.

• Characteristics emerge from your daily activities, can be scried from the data
exhaust:
• Personal interests, tastes, habits;
• What you avoid;
• How you react to things;
• Can change through the years;
Characteristics are unstructured

Characteristics can have value
even divorced from Identifiers.
That relates them to behavioral
patterns and monetization.

OSI Model
https://en.w ikipedia.org/wiki/OSI_model

Helps you answer: where does a
new piece fit?

Layer Name Description Examples
7 Application
User- or system-levelflow sthat involve identities and other
systems
Sign-in account recovery, payment, w allet app on smartphone
6 Workflow
Protocol flow s between connected identities only (external
choreography)
DID routing (cf. Sam's talk), REST over TCP/IP, SMS & associated data
formats/ encryption
5 Transaction
How runtime capabilities of an identity are defined and
invoked (internal orchestration)
Retrieval of attributes including PII, derived PII and their computation,
attestations, plug-in capabilities
4 Connection
How identities accept connections fromother identities and
systems
Evernym w allet connection w ith verifier, REST endpoint, DNS janedoe.me
3 Reference How an identity is referenced externally foo@bar.com, did:foo:bar, +1650112332, Evernym connection, QR Code
2 Validation What trust systemvalidates an identity ICANN, Bitcoin, PKI, self-signed certs
* WIP. Created during two sessions at the MV Internet Identity Workshop, May2019
7-Layer Conceptual Model of Identity*

Layer Name Description Examples
7 Application
User- or system-levelflow sthat involve identities and other
systems
Sign-in account recovery, payment, w allet app on smartphone
6 Workflow
Protocol flow s between connected identities only (external
choreography)
DID routing (cf. Sam's talk), REST over TCP/IP, SMS & associated data
formats/ encryption
5 Transaction
How runtime capabilities of an identity are defined and
invoked (internal orchestration)
Retrieval of attributes including PII, derived PII and their computation,
attestations, plug-in capabilities
4 Connection
How identities accept connections fromother identities and
systems
Evernym w allet connection w ith verifier, REST endpoint, DNS janedoe.me
3 Reference How an identity is referenced externally foo@bar.com, did:foo:bar, +1650112332, Evernym connection, QR Code
2 Validation What trust systemvalidates an identity ICANN, Bitcoin, PKI, self-signed certs
7-Layer Conceptual Model of Identity*
* WIP. Created during two sessions at the MV Internet Identity Workshop, May2019

Vocabulary helps you communicate.
Communication is fundamental.

System design and its
impact on privacy

https://www.nytimes.com/2019/05/07/opinion/google-sundar-pichai-privacy.html
“We'll take all your data and just
not sell it directly.”
(Paraphrasing)

https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/
“We’re going to be private
because we’ll be encrypted.”
(Paraphrasing)

• If you trust…
• Their pinky-swear promise of not being evil;
• They will properly implement controls so that no employees can abuse their
power;
• They are infallible engineers whose data will never leak;
• Not like, say, people who keep passwords in cleartext…
• … for over 14 years. *
• Then that’s fine, I guess.
Pinky-swear privacy involves trust
* https://www.businessinsider.com/google-g-suite-passwords-stored-plaintext-2019-5

Edge processing can be
privacy-enhancing.
It is not privacy-guaranteeing.

• I am online usually in a specific time zone,
• Which IP addresses my connections come from,
• That I got served ads that skew towards movies and anime,
• That I click on ads about cat food every 3-4 weeks,
• That I never click on ads about nearby KFCs.
Encryption != Privacy
Five data points…

You don’t even need
someone’s identity facts, if
you know all their
characteristics.

Facebook announced a $3-5Bn fine.
Their valuation shot up by $40Bn.
https://www.washingtonpost.com/technology/2019/04/24/facebook-sets-aside-billions-dollars-potential-ftc-fine/

• Regulation and fines aren't going to get us out of this mess;
• People won't leave because of scandals or screw-ups (or they'd have done it
already);
• People won't switch because your solution is more ethical - we already have
those, and people don't use them.
If you’re working on identity

Give them a good reason.
Enable them to do something
they couldn’t do before.

Identity is sticky.
There’s a fear of impermanence.

“Government must come to be
the place where the most basic
online identity will be grounded
in the long term.”
Jaron Lanier, Who Owns the Future?

Users’ identity will always be
subordinate to whomever
controls the root.

Online identity must be self-
sovereign.
Christopher Allen, The Path to Self-sovereign Identity
https://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

This is not only a moral necessity.
Self-sovereign identity will enable
new interactions.

Users must be in control of their data.
We need to move it to the edge.

The Edge needs a
humanistic focus

Think not only about where we
process the data, but about who
controls that node and its output.

We are not talking about edge devices.
We are talking about people.
Control must lie with them.

Let’s talk.
Contact: ricardo@samsungnext.com

Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy and the Edge

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy and the Edge

Ähnlich wie Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy and the Edge (20)

Mehr von Techsylvania

Mehr von Techsylvania (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy and the Edge