A Decentralised Digital Identity Architecture

Current architectures to validate, certify, and manage identity are based on centralised, top-down approaches that rely on trusted authorities and third-party operators. We approach the problem of digital identity starting from a human rights perspective, with a primary focus on identity systems in the developed world. We assert that individual persons must be allowed to manage their personal information in a multitude of different ways in different contexts and that to do so, each individual must be able to create multiple unrelated identities. Therefore, we first define a set of fundamental constraints that digital identity systems must satisfy to preserve and promote privacy as required for individual autonomy. With these constraints in mind, we then propose a decentralised, standards-based approach, using a combination of distributed ledger technology and thoughtful regulation, to facilitate many-to-many relationships among providers of key services. Our proposal for digital identity differs from others in its approach to trust in that we do not seek to bind credentials to each other or to a mutually trusted authority to achieve strong non-transferability. Because the system does not implicitly encourage its users to maintain a single aggregated identity that can potentially be constrained or reconstructed against their interests, individuals and organisations are free to embrace the system and share in its benefits.Comment: 30 pages, 10 figures, 3 table

Identity in research infrastructure and scientific communication: Report from the 1st IRISC workshop, Helsinki Sep 12-13, 2011

Motivation for the IRISC workshop came from the observation that identity and digital identification are increasingly important factors in modern scientific research, especially with the now near-ubiquitous use of the Internet as a global medium for dissemination and debate of scientific knowledge and data, and as a platform for scientific collaborations and large-scale e-science activities.

The 1 1/2 day IRISC2011 workshop sought to explore a series of interrelated topics under two main themes: i) unambiguously identifying authors/creators & attributing their scholarly works, and ii) individual identification and access management in the context of identity federations. Specific aims of the workshop included:

• Raising overall awareness of key technical and non-technical challenges, opportunities and developments.
• Facilitating a dialogue, cross-pollination of ideas, collaboration and coordination between diverse – and largely unconnected – communities.
• Identifying & discussing existing/emerging technologies, best practices and requirements for researcher identification.

This report provides background information on key identification-related concepts & projects, describes workshop proceedings and summarizes key workshop findings

Face Off: An Examination of State Biometric Privacy Statutes & Data Harm Remedies

As biometric authentication becomes an increasingly popular method of security among consumers, only three states currently have statutes detailing how such data may be collected, used, retained, and released. The Illinois Biometric Information Privacy Act is the only statute of the three that enshrines a private right of action for those who fail to properly handle biometric data. Both the Texas Capture or Use Biometric Identifier Act Information Act and the Washington Biometric Privacy Act allow for state Attorneys General to bring suit on behalf of aggrieved consumers. This Note examines these three statutes in the context of data security and potential remedies for victims of data breaches or mishandled data. Ultimately, this Note makes policy proposals for future biometric privacy statutes, particularly recommending a private right of action as the most effective remedy for victims of biometric data breaches

Web Tracking: Mechanisms, Implications, and Defenses

This articles surveys the existing literature on the methods currently used by web services to track the user online as well as their purposes, implications, and possible user's defenses. A significant majority of reviewed articles and web resources are from years 2012-2014. Privacy seems to be the Achilles' heel of today's web. Web services make continuous efforts to obtain as much information as they can about the things we search, the sites we visit, the people with who we contact, and the products we buy. Tracking is usually performed for commercial purposes. We present 5 main groups of methods used for user tracking, which are based on sessions, client storage, client cache, fingerprinting, or yet other approaches. A special focus is placed on mechanisms that use web caches, operational caches, and fingerprinting, as they are usually very rich in terms of using various creative methodologies. We also show how the users can be identified on the web and associated with their real names, e-mail addresses, phone numbers, or even street addresses. We show why tracking is being used and its possible implications for the users (price discrimination, assessing financial credibility, determining insurance coverage, government surveillance, and identity theft). For each of the tracking methods, we present possible defenses. Apart from describing the methods and tools used for keeping the personal data away from being tracked, we also present several tools that were used for research purposes - their main goal is to discover how and by which entity the users are being tracked on their desktop computers or smartphones, provide this information to the users, and visualize it in an accessible and easy to follow way. Finally, we present the currently proposed future approaches to track the user and show that they can potentially pose significant threats to the users' privacy.Comment: 29 pages, 212 reference

Options for Securing RTP Sessions

The Real-time Transport Protocol (RTP) is used in a large number of different application domains and environments. This heterogeneity implies that different security mechanisms are needed to provide services such as confidentiality, integrity, and source authentication of RTP and RTP Control Protocol (RTCP) packets suitable for the various environments. The range of solutions makes it difficult for RTP-based application developers to pick the most suitable mechanism. This document provides an overview of a number of security solutions for RTP and gives guidance for developers on how to choose the appropriate security mechanism

Research identifiers: national approaches to ORCID and ISNI implementation

More and more countries are making collected efforts to provide ORCID identifiers for their researchers and encouraging implementation of ORCID iDs into the national and local research information infrastructure. In June 2015, Knowledge Exchange brought together representatives from its five member countries for a Knowledge Exchange Workshop on National approaches to ORCID and ISNI implementation. The aim of the workshop was to share national perspectives on ORCID and ISNI, including the challenges, solutions and lessons learned with regards to implementation of ORCID and ISNI on a national scale. Issues discussed included legal and regulatory challenges, authentication and integration and also outstanding issues of functionality, interoperability, policy and sustainability. This report gives an account of the meeting and presents some outstanding challenges, some possible solutions and begins to take stock and look ahead; what lessons have we learned that should we take into account when moving on to organisational and other identifiers