Australians! Who are you, and who has the right to know?

W3C & ANU Future of the Web: Who is managing your privacy and identity on the Web

This may be biggest question yet facing our wealthy, Western democracies in their passionate embrace of digital services, digital consumerism and digital personas.  To quote from the Australian Consumer Policy Research Centre (CPRC), “87% of Australians were active internet users in 2017, more than 17 million use social networking sites, and 84% are buying products online.” Yet the CPRC also tells us that 95% of people want companies to give us ways to opt out of personal information collection. Most Australians do not want their phone numbers, messages, or device identities shared with others.  When asked, they are painfully aware of the unfair trade-off in access to digital services versus their own right to privacy and how their data can be used. Paradoxically, people still use Facebook and other platforms despite privacy fears. People seem very willing to sacrifice privacy for a service they want, or perhaps they do it opportunistically without full awareness of the price they pay.

In stark contrast to what Australians want, suddenly George Orwell’s fictitious 1984 is very, very possible.  Some would say that China is already there with its Social Credit  and mass surveillance systems, now being rolled out. 7 million “untrustworthy” people have already been denied access to state-owned transport services, and others denied schools, home purchase and access to their own financial assets under the system.  Shortly, playing too many video games or spending money frivolously may be punished.

In the press, the theme seems to be emerging that computer scientists in the tech industry are somehow the blind evil-doers,  and that it is the job of the social scientists and government to control their actions to bring some sense to protect the rights of civilians. Indeed, the very welcome EU GDPR and the proposed Australian Consumer Data Right head in this direction.  But while the tech industry may be set up as the bad guy, actually socially-conscious tech experts are working towards technological solutions.

For example, mathematician Cathy O’Neil brought our attention to the ethical risks of data analysis and machine learning in her very readable  2016 book  “Weapons of Math Destruction”.  In response, computing researchers like Roger Clarke design governance processes to ensure checks and balances are applied judiciously.  Here, we highlight research for people with disabilities, research for people in particularly sensitive situations, and W3C activity for people who want to manage their own identity.

While a lot of the concern about privacy relates, quite reasonably, to the potential applications of private information to harm individuals, what may be less well recognised is the fundamental role of identity in relation to privacy. Identity is simply who you are, or at least who the network thinks you are.   Identity is what makes it possible to link independent pieces of information about a person, thereby greatly improving the richness of detail and inference about the person, and also to link a digital persona to a physical, natural person.  It’s why German regulators ordered Facebook to desist from combining Facebook, WhatsApp and Instagram data only last week (ABC Radio News 8/2/2018).

Once, identity assurance was solely the function of churches, the only bodies keeping population records, but later it became a function of government as birth certificates, marriage certificates, passports and drivers’ licences rapidly become the government-assured identity credentials.  In 1985-6 the Australian government attempted to introduce a streamlined national identity system known as the Australia Card, aimed at government interactions, but it would have  become  the identity assurance  for commercial Australia too. The huge public backlash in the name of “privacy” mothballed the Australia Card, probably forever.  But in a more modern form, the concept remains very much alive. Was that the first time we really thought about privacy in national terms?

Nowadays the Australian Commonwealth, through the DTA, is building a Trusted Digital Identity Framework that aims to “achieve something no other trust framework in the world has achieved to date — to support the establishment and reuse of a digital identity across many different contexts, systems and environments.” Mandatorily, identity comprises a family name, given names and date of birth, with optional contact details like email address.  Some privacy of these core attributes is admitted by  computed (derived) attributes in place of core attributes (e.g. “age over 21”).  This would be a government-run system, that looks a lot like variations on the existing “100 points” system currently required by banks for identity assurance, together with a network of trusted identity providers and reliant service providers, all overseen by the government.   Although it is a digital approach, and offers a scale of assurance levels, is it fundamentally different to the Australia Card?

We also see, in practice, the dominance of large US IT corporations as digital identity providers (have you ever logged in to a new service via your Google or Facebook credentials?). Mobile telco companies , too, are very keen to become authoritative identity providers, for displaced persons at least. After all, they are equipped with built-in biometric services and follow you everywhere.

The battle for your identity has begun.

The W3C is spearheading an alternative model for “self-sovereign” identity. The idea behind self-sovereign identity is to place many details of a person’s online identity in their own hands. A W3C workshop on Strong Authentication and Identity in December last year, brought  together Web standards developers, Government, various industry reps, academics, lawyers and others.  The self-sovereign approach, using blockchain-driven verifiable credentials, can be used to verifiably attach claims about you (such as ”age over 21” ) to various parties that attest to the truth of the claims. This is like an unfakeable way of having you transmit an academic transcript from a University to your employer.  It relies on decentralised identifiers that are both sound and administered in a decentralised way by multiple independent authorities, so there is no need for your university to know whether you drive a car, or have travelled to Botswana, ever.  A citizen who privately uses Ashley Madison services, for example,  can separate that digital identity from the one used for their University and employment.

So, who is managing your privacy and identity on the Web?

The W3C Australia Office and the Australian National University are presenting a morning workshop on the topic in Melbourne, Canberra and Sydney in February as part of their Future of the Web roadshow series.  Chaired by W3C evangelist Vivienne Conway,  we have Marcos Caceres from Mozilla speaking on privacy protection in browsers like Firefox, and James Bligh from Redcrew on the consumer-controlled privacy protection in the new Consumer Data Rights.  Kylie Watson from Delloite will ask what else government can do for its citizens.  David Cook from Edith Cowan University speaks up for vulnerable citizens, looking particularly at the trade-offs uniquely required of people with a disability. From the Australian National University we have speakers Lesley Seebeck, Alex Antic, and Alwen Tiu presenting new research on technology in cybersecurity and the privacy it needs to protect for particularly sensitive matters. Grant Noble and David Hyland-Wood of ConsenSys present the emerging notion of self-sovereign identity and the exciting W3C activity making it happen.  We round up with a discussion panel chaired by Richard Schutte of startup coLab4, in which we invite your active participation.

For more information and registration, visit https://cecs.anu.edu.au/events/w3c-anu-future-web-who-managing-your-privacy-and-identity-web