Robin Wilton's esoterica

       
 

DTI/Kable event yesterday


I went to a very interesting event yesterday; a workshop hosted by the DTI Department for Business, Enterprise and Regulatory Reform, and jointly run by the hugely capable team from Kable.

Among other things, it reinforced the fact that there is a healthy, well-informed and experienced UK community of interest around identity and privacy; at the risk of offending someone (whether by inclusion or omission!), my list of the 'usual suspects' would include Dave Birch, Caspar Bowden, Stephen Crane, Conn Crawford, John Harrison, William Heath, Mark Lizar, John Madelin, Luke Razzell and Toby Stevens.


There was also a lot of participation from the academic community, which I found very encouraging; Royal Holloway was represented by Fred Piper, and I also met people from UCL and the Universities of Reading, Edinburgh, Hertfordshire, Newcastle and elsewhere (apologies if I have left you off the list!).


The purpose of the workshop was to help the DBERR's Technical Strategy Board (TSB) air its plans for the Network Security Innovation Platform's programme of work - and as such it represented an extremely welcome opportunity for open and constructive dialogue between stakeholders such as the TSB itself, the Identity and Passport Service, the Information Commissioner's Office, and the academic and vendor communities. Specifically, we were looking at the issues of Privacy and Consent in Identity Management Infrastructures, which is a topic close to my heart.

We also had a series of breakout sessions to consider a list of 17 challenges (only 17, I hear you cry... what lightweights!). I'll cut 'n' paste them here (so apologies if the formatting is crummy - I'll try and tidy it up if so). Answers, naturally, on a postcard, please...

Challenge 1 - Do the public care about Privacy? How do they define Privacy and Identity Information and measure the value or loss? Are people too trusting, ill informed or just complacent?
Challenge 2 - Can technology help to replicate the risk based decision making seen between two parties in a face to face scenario, in remote online scenarios and what privacy enhancing technologies are available ‘before the fact’ versus ‘after the fact’?
Challenge 3 - Can technology and process really reduce harm (and risk) to an acceptable level and what inconvenience would individuals be prepared to bear to re-gain control and trust?
Challenge 4 - What human interface options could assist the individual to understand the difference between being informed versus participative consent?
Challenge 5 - What consent and technology models exist to allow an individual to consent and understand how his data is collected, stored and disseminated?
Challenge 6 - How can technology aid an individual to revoke his consent such that he has confidence and assurance that no further use or dissemination can occur?
Challenge 7 - If the advance of technology has been a catalyst for the privacy debate, which technologies when combined can answer the range of privacy concerns? (Privacy of what, from whom and at what cost)
Challenge 8 - What harms (risks) exist to an individual’s privacy in the differing identity management approaches and what technology options might mitigate such harms?
Challenge 9 - How can privacy enhancing technologies applied to one identity management architecture be inter-operable with another? (i.e. Centralised non shared translated to Federated)
Challenge 10 - What technologies are privacy protecting, and what ones can detect and respond to breaches in policy including alerting the individual to a breach?
Challenge 11 - If the individual has corroborating evidence of their identity or entitlement how can technology support exposure of only that information specifically required to complete the transaction?
Challenge 12 - If trust and consent models are technically possible, what is the market failure in developing commercial applications, or are there other influencing criteria? (What are the barriers to practical implementation?)
Challenge 13 - What are the limits of technology in privacy and consent schemes being discussed? Beyond those limitations what else would be required to bring realisable solutions? (Can you design technologies which are non discriminatory?)
Challenge 14 - How can technical functionality be supported by legislation to meet the range of privacy needs now and in the next 5 years?
Challenge 15 - Can we and how do we come together to provide more technology enabled services which people want to use because they feel their privacy and consent is foremost?
Challenge 16 - What extra measures/role for the Information Commissioner Office and what required governance would engender and build trust by the public in any scheme and why?
Challenge 17 - How can privacy policies be both realised and inter-operable across the range of Identity Management approaches and national boundaries?

 
 
 
 

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton
© racingsnake