As numerous headlines attest, digital identity is broken but a new not-for-profit thinks the situation can yet be retrieved from the unfolding chaos of criminal data theft, thoughtless commercial mining and never-ending security breaches.
Founded last June but launching officially this month and called the Global Identity Foundation (GIF), it is the work of several tech luminaries, including experienced former CISO Paul Simmonds, former CTO of UK security success Secerno (acquired in 2010 by Oracle) Dr Steve Moyle, and CipherCloud chief trust officer Bob West.
The contention of the GIF is that, as things stand, nobody with the power to reform the way identity works has much incentive to do so. What is needed is a vendor-neutral independent body to come up with an open source model that can be used to the benefit of everyone, including not only vendors, enterprises and governments but citizens too.
It’s a huge challenge – the creation of what its founders call ‘digital identity 3.0’ - but one whose time might have come.
The GIF builds on the foundations of the Jericho Forum – Simmonds was an important figure in that movement - founded a decade ago to expound the then radical notion that perimeter security was a doomed network security model.
These days, the collapsing perimeter seems like an obvious problem even if many organisations unconsciously stick with its notions of security for the lack of an easy-to-hand replacement. According to GIF CEO Paul Simmonds, at the heart of many of the security problems that have beset the digital world is the inadequacy and obsolescence of its accepted modes for identifying people, citizens, and workers when they enter the online world.
“Digital identity is broken. Online credit card fraud, phishing, and cybercrime all succeed by fraudulently using someone else’s identity and users are rightly concerned about access to their personal information,” said Simmonds.
“In 2014 alone, millions of user records were stolen through data breaches including at Sony, eBay, and JP Morgan. In a world where we shop and bank online, and share personal details on social media, we urgently need to move beyond passwords and basic web security.
“What people want is a simple solution that will put them back in control of who they trust in their digital lives. Identity 3.0 has the potential to stop much of the cybercrime going on today.”
GIF has set up working relationships with universities, including MIT in the US but wants to forge new links across academia, security experts, business and potential sponsors to develop a working framework for Digital Identity 3.0.
But what will this be? According to Simmonds nothing less than a reset of digital identity, currently badly fragmented across proprietary systems, incompatible technologies and conceptual fog.
In the world of Identity 3.0, a person will have control over their identity and all information associated with it, sharing only what is needed for a specific transaction or event, logging into a service for example. The same identity will also work across personal and professional world, another huge fracture in identity that nobody has yet tried to glue back together.
Organisations that authenticate users will make what Simmonds describes as “risk-based decisions” about whether to allow that identity to access their services or whether they need extra data. The whole process should be invisible to the end user.
Most important, the system will not belong to anyone or be at risk of being captured by national or commercial interests (as some have claimed Internet body ICANN has been to US interests to pick only one example).
“There are companies that don’t see it as a big enough problem to put some money into it,” Simmonds concedes while remaining confident that the situation is now so bad that the impetus for change is now strong enough.
He even suggests that some might even have a vested interest in maintaining the status quo, however that crazy that seems from a more objective point of view.
According to fellow GIF member, Dr Steve Moyle, neutrality will be the key.
”Collaboration in a vendor neutral environment is key to making this work globally. We need to be able to answer key questions such as ‘will the Chinese accept a US identity and vice versa’ and ‘can I verify that identity attributes are authoritative’.
“Solving these and other identity problems is of benefit to all companies and governments on the planet today.”