Verified Identity Claims 1

Issue/Topic: VERIFIED IDENTITY CLAIMS – Scenarios and Business Models

Sessions: Tuesday, Session 1-2, Space G

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Ariel Gordon (Microsoft)

Notes-taker(s): Ariel Gordon (Microsoft)

Tags: Verified Claims; Identity Attributes; Privacy; Privacy Enhancing Technology; Cryptography; user-centric technology: user control.

Participants:
 * Thomas Hardjono	MIT-RC
 * Fan Xia	Google
 * Nishant Kaushik	Oracle
 * Guibin Kong	Google
 * Mike Mon	Booz
 * Jeff Hodges	PayPal
 * Eve Maler	PayPal
 * Ben Goodman	Novell
 * Stuart Proffitt	Novell
 * Rooly Eliezerov	Gigya
 * Emily Soelberg	AT&T
 * Henrik Biering	Peer Craft
 * Brian McGinnis	Janrain
 * Jeff Stollman	Secure Identity
 * Bret Tobey	Assa Abloy
 * Pat Mangiacotti	Equifax
 * Charles Andres	PBB
 * Dean Landsman
 * Markku Mehtala
 * Jon Webb	Sony PlayStation Network
 * Greg Turner	Sierra Systems
 * Kimberly Little	Lexis Nexis
 * Ariel Gordon	Microsoft

Discussion notes:

(Context) Microsoft's Verified Claims Team is working with customers and partners on Privacy Enhancing technology for identity information sharing. These sessions were about sharing perspectives on higher value transactions that are hindered by the lack of trust online. What are businesses doing now for identity proofing? (out-of-band bootstrapping solutions, accepting low levels of identity verification and the higher fraud level? Etc.) Can we figure out ways to raise the trust bar in a privacy enhancing way and without introducing too much friction for the user? Canonical examples: age verification for online gambling, purchasing wine online; verified car ownership and information for participation in an online auction.

John Bradley--

Trust frameworks are key--certification for identity proofing, privacy and more (e.g. certifying identity providers to US Government standards). Pseudonymous Level 3 scenario? E.g. prove that the user is a doctor without disclosing the real identity. This isn't a scenario that the government supports.

Greg from Sierra Systems (?) in British Columbia--

Setting up "next gen" identity services for individual services and businesses. They care about Legal Name, DOB, Residential Address, Birth Location (jurisdiction, how supporting documents are verified).

Kim Little from Lexis Nexis--

Helping customers with Identity Proofing needs. Determine if a person can receive a regulated good: right age? Right location? Have occupancy or ownership of the house they're receiving a service for.

Other folks in the room: we care about the following verified claims
 * Employer
 * Administrative role (in enterprise scenarios)
 * Credit Score / Has a credit card (and can actually buy something) / Has Credit History
 * Verified claims of relationship (parents, spouse, kids)

Lexis Nexis provides these kinds of services? (by aggregating data from different sources and offering these services).

Note: one claim is "I'm employed", another claim is "I'm employed by Company X".

Is Employed: typically useful for establishing ability to buy some financial services.

Important to distinguish professional identity (am I employed somewhere/by company X) and personal identity.

Sending a document to a new address (not associated to my credit card). How do I prove my relationship to this address?

Emily Soelberg from AT&T--

They do In-person Verification, credit check, etc. Almost 100 million customers. Wanting to understand how they can leverage that.

Valuable verified attribute: Geolocation. Cellphone location can be used to verify that the user is in the same location that the transaction is taking place, and reduce fraud.

Not only B2C but also C2C--peer to peer transactions: interesting to increase trust between strangers so that they can get in business together (e.g. selling a used car).

Jon Webb from PlayStation Network--

One of their biggest problems: users don't value their identity, create multiple accounts, are sources of fraud and other problems. Don't have many fraud problems wrt credit card in the US but they are operating in 70 countries with cellphone payment methods or pre-paid, not as trustworthy as credit-card in the US or Europe. They're looking for ways to increase the verification while keeping friction low.

COPA regulation in the US: companies are restricted by law about what information they can collect.

TSA use case -- Can this individual carry a gun (don't care who this person is)

Lloyd Burch from Novell--

Medical use case. Blue Cross providing a pseudonym identity + claim that this person is an auditor

Data minimization principles: banks understand it. Very different from the Web 2.0 crowd that are trying to maximize the information they collect. Hard for businesses to find a balance between minimizing data and monetizing the data they have: e.g. banks already have the liability associated with collecting users' high value information (SSN…), so they might as well try to monetize it.

Google is working on verified email addresses.

Pamela Dingle from Ping--

Too much friction: I'm not going to set up the list of addresses for my family if I ever want to ship a package to them. Protecting revenue stream: cost vs. risk.

Pat Mangiacotti from Equifax--

Equifax is validating identities for Governments and private corporations. Validating 1.5 million identities every day!

Also investigating: reversing the business model whereby consumers will effectively verify their identity on online social networks and be able to prove that they are who they say they are.

Employer information: one of Equifax's subsidiaries has one of the largest employment information (validating employment information and income). Used for large purchases.

Using Trust Frameworks?

UX: for the low value, high volume transactions, the friction needs to be close to zero. Many businesses accept the fraud risk to keep the user friction low. Can we as an industry enable identity verification with minimal friction? Group agrees to have a follow-up session on Wednesday to specifically discuss UX.

Bret Tobey from Assa Abloy--

Biggest manufacturer of locks/solutions for a range of customers from hotels to rack space to corporate offices to locker rentals in ski resorts. Can they leverage federated identity solutions to simplify their problem? They don't want my full identity, but a minimal set of PII, e.g. do I work for this company or did I pay to get access to this locker/rack space/filing cabinet? They're interested in reducing friction and data minimization (i.e. minimal disclosure).

Ben Goodman from Novell--

Universities and corporations should be able to assert the information that's on my LinkedIn profile.