What is the impact of a device as an entry point into an online ecosystem / data platform? (W2C)

Session Topic: Impact of Devices as an Entry Point into Online Ecosystems/Data Platforms (W2C)

Convener: Vicki Milton

Notes-taker(s): Dave Hebert

Tags for the session - technology discussed/ideas considered: 

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Introduction How will this work? What role will the device have in this? How does the devices itself add value to this process now that identity is being tied to the device? Responses: 1.      There is a human factor once you get to the device itself.
 * Devices are increasingly building in the ability to incorporate digital identity into a device so that access to various services and the associated data can move across devices.
 * Online identity is being brought into the devices as an entry point into online services and potentially the data platforms associated with them.
 * Data platforms can tie devices together in the cloud.
 * Most discussions at this forum have focused on the protocols and services, but little attention has been given to the devices themselves used to access these services and platforms.
 * The device is actually a participant in this process.

2.      Devices could provide a better level of trust in the data  à “the device is something I have and that can be more closely identified with me.”

3.      A device adds an array of sensors that could be used to compliment à NFC, gps, camera, etc

4.      It is a huge jump to say the device “knows” about the identity. Just because I authenticate to a cloud platform from a device doesn’t necessarily provide identity to the device. I must have unique identifiers that are stored on or are part of the device (serial #, phone #, etc).

5.      Is this different if a device has multiple IDs? Depends on how the device is being used.

a.      Example of my address book àI could put all my personal addresses in an address book on a device that is unique to me making the device and the data stored more closely associated with me.

b.     A device can aggregate information in a way that cannot be done just in the cloud.

6.      What role does device play in protecting your privacy?

a.      Device could have a personal data store.

b.     A device may already store credentials that are not protected. I may store my credit card number on a device, but it 1) may only be marginally protected or 2) may not be connected to me in a claim-based way.

c.      Tokenization is one way to solve this on the device.

d.     The device could provide greater control over privacy concerns or issues. “I am better protected because the device is with me all the time. Other sensors on the device can indicate when I am away from the device and can protect me by securing the device, etc”

e.     Device security characteristics can provide compliant security systems

f.       Devices could provide cryptographic functions

7.      Challenges:

a.      Existing industry structures that require collaboration across many entities and the government àISPs will need to collaborate with mobile carriers, etc.

b.     Regulatory requirements in certain industries will place demands on the overall solutions (examples: Financial Services, Healthcare)

c.      Consumers are fundamentally naïve about both identification and privacy. Devices will need to perform identity and privacy events on behalf of users à make sure device is secure, let end user know what is going on and what risks they are taking. “Protect the naïve.”

d.     Data aggregation in the cloud: helpful tool, but very powerful. Without a secure device, I could 1) be compromised or 2) allow ISPs to use my data in a way I don’t want. How do you drag all this data into the light-of-day?

e.     Existing data platforms (examples: NOAA, Facebook, Google, PayPal, eBay, Twitter, Mint, etc) are fundamentally at odds with best interest of consumers/end users?

8.      How does the role of the Data Platform change when in a Wall Garden? As an Ecosystem?

a.      Doesn’t matter if the data can protect itself. Cryptographically protected blobs of data. Can the data protect itself

b.     There will be issues around management of keys

c.      Still would need a resource that vouches for user’s identity and/or related keys

9.      Things MSFT is thinking about (announced already for Windows 8):

a.      Support for using Windows Live ID in Windows 8 for device logon

b.     Use of additional components on the device like TPM to provide secure boot

c.      Ability to set up isolated accounts on the device (already present in Windows, but enhanced)

d.     Management of multiple online account credentials to provide single sign-on.

e.     Virtual Smartcard infrastructure

f.       Still early. More to be announced TBD