The 5th IDESG Plenary Meeting
Due to the news coverage of other major security-related conferences like DEFCON and BlackHat at the end of July, many people may not have noticed that the Identity Ecosystem Steering Group (IDESG) held its fifth plenary meeting at the MIT Media Laboratory on July 24-26. Since the decisions of the IDESG would likely impact CryoKey's development in some way, I decided to attend and hopefully catch a glimpse of their vision of an "identity ecosystem."
Now, if you've never heard of the IDESG before, don't worry; it's a relatively new organization that likely doesn't affect you directly. The IDESG was born out of the National Strategy for Trusted Identities in Cyberspace (NSTIC), signed by the president in 2011 to help pave the way for a new generation of online identification technologies. The NSTIC is the plan, while the IDESG is one of the bodies executing on the plan.
From what I can tell, the IDESG is basically an advisory body made up of public and private organizations that are involved in standards and technologies related to online identification. The group does not seek to directly draft specifications, protocols, procedures, or other formal standards. Instead, it advises on relevant standards to make sure they can work together to create a consistent user experience (which is what I consider the "identity ecosystem"). While it's mainly an advisory body, the IDESG will ultimately establish an accreditation process that sort of gives a "works within the identity ecosystem" stamp of approval to compatible technologies.
At the moment, the IDESG is in a very formative state, so ironically, they are still grappling with their own identity. This was the fifth plenary meeting after all, and the first meeting was only in August of 2012! Therefore, most of the plenary activity revolved around administrative and organizational topics. Yet you could see the potential of the IDESG by looking at the minds and ideas assembled at the meet. I was certainly surprised to encounter so many concerned individuals from such unexpected fields as real estate. Secure identification truly affects everyone!
One of the highlights of the plenary meeting was the "Unique in a Crowd" talk by Alex 'Sandy' Pentland, who spoke on the value of information as an asset and how that information can be used for all sorts of beneficial purposes. Just by using anonymous, aggregate data, you can make detailed projections of things like poverty, crime risk, and even pandemics. In fact, personal information collected from everyday activity can uniquely identify an individual and even predict things like health and disease better than genes.
Apparently, a fingerprint typically needs 12 sample points to uniquely identify an individual, but only four points of human mobility data could assure the same level of identification. To drive home the point of mobility-based identification, Dr. Pentland's research team issued Android devices installed with tracking software to volunteers at the start of the plenary meeting. The volunteers didn't know anything about the research or the information being collected, but carried the devices for the 24 hours before his talk as they went about their business. When Dr. Pentland finally revealed the purpose of the devices during his talk, all but three of the devices were able to uniquely distinguish the volunteers - based solely on periodic scans of nearby Wi-Fi stations! (And of the remaining 3 that couldn't uniquely distinguish a user, 2 of them failed due to technical problems.)
While the results were impressive, identification based on personal tracking data still faces many significant issues. For example, users will still need a way to identify themselves when they break out of their baseline behavior patterns. Also, user-controlled data is at least subject to manipulation, as demonstrated by some mischief during the happy hour event. While musing over the point of the Android devices and the kind of information they were gathering, Andre Boysen of SecureKey and I traded our tracking devices just to see what would happen. At worst, I figured that we would invalidate our results and irritate a few researchers. But in a real-world scenario, such data manipulation would surely carry greater consequences!
In addition, the implications of personal data are pretty profound, and certainly raise a lot of concerns about abuse and privacy. People are even more sensitive to privacy these days due to the recent backlash over government monitoring. So part of the research involves the proper sharing of such data under the openPDS project. But even with user-authorized sharing, information is still vulnerable to theft or misuse, and the consequences are not clear yet. Therefore, the proper use of personal data is still an open debate, one that will hopefully be resolved if this technology is to ever see widespread adoption.
During his talk, Bob Blakley, the plenary chairman, mentioned that he hoped the dialogue would be productive and "fun" - to the extent possible in the world of security, I suppose. After all, I don't think most people consider the grim world of security as their idea of a fun time. But hey, I can say that I had a good time observing the wheels in motion as I met many fascinating people and listened to thoughtful conversations. The happy hour was certainly fun, and I was able to meet the good folks at TraitWare, a unique identification/authentication technology based on dynamic QR codes.
In any case, the IDESG is definitely an interesting group, one that has a very worthy goal (to foster an identity ecosystem). Security and identification is a complicated beast, and heaven knows that the current state of online identification could use some direction! The IDESG is still trying to hammer out a common definition of the identity ecosystem and their own place within this ecosystem. But I'd love to see how the IDESG looks after they've had another year to organize themselves and start making more functional (rather than organizational) decisions.