Marouen Bloggin' his Life

In this session organised by the Oxford Internet Institute (among others), many speakers presented their experience/views (or the one of their organisations/companies/Countries) in the field of the management of security. More focus was dedicated to the transaction level and identity (ID) management architectures used on the online work nowadays.

Caspar Bowden, Chief Privacy Advisor EMEA Microsoft, started his speech by presenting the evolution of solutions used to check IDs online. He presented later the identity relationships in the real world where somebody shows an ID token and he is offered another one (the example of the hotel where a room key is given after presenting a passport in the reception). He presented after that a general abstraction of this model in the online world and linked it to the work of Microsoft in this area by confirming the identity of the person of the organisation in the real world and translating it into an encrypted data encapsulated in the set of ID tokens. Answering to the question of a German chap concerning the privacy, he explained the actual technical ability of interaction between several ID management web services. However, the issue of the right to use it or not remains a policy question which is a decision not only limited to the private sector. This said, Microsoft is always working on new designs for a safe transactional model in terms of privacy and liability.

According to the second panellist, Tulika Pandey, additional director in the department of Information Technology of India, many efforts were made in order to make internet banking transactions safer for end users like pushing the banks to provide softwares for customers to limit the impact of phishing with the new customers. He confirmed then that this is not enough and a lot remains to do but the costs of ID management are usually very high.

Simon Davies, founder of Privacy International presented few examples in Europe and the US of online services guaranteeing that the final services host only hashs of passwords and not the original ones. He continued by explaining that new systems are taking over slowly and electronic tokens are not the unique solution for the ID management issue. Solutions like biometrics are good if people agree with especially when they have other possibilities too. Concerning phishing, as one of the examples of ID theft, he reckon that the effort and investments spent at the policy level should be redirected to education purposes and to find technical solutions for the issue without threatening the final consumer like what some countries does. He also suggested at the end of the session a root identity system as a ‘gate keeper’ which should be set up and administrated by the governments.