Canada Post is willing to do something few Canadian retailers do: Federate an identity service with other firms. It’s something more organizations here are going to have to do, an identity conference was warned Wednesday, or they’ll be crushed by online competitors.
“There’s a freight train coming” in ecommerce led by Google, Apple and others, said Graeme Gordon, the post office’s vice-president of digital channels, “and if we don’t get ahead of it it’s going to run us over.”
That was one of the messages that came out from the annual IdentityNorth conference in Toronto, which drew about 150 retailers, government officials, software developers, service providers and researchers to talk about problems and solutions in digital identity and authorization.
It’s more than doing away with passwords. The number of public and private sector online transactions expands every year and will continue to do so, with the public demanding easier ways of doing things besides going to stores and government offices to pay for goods or to prove their identities, age or residency.
So, the conference heard, people might want to open a bank account online by using a cellphone without going to a branch, or a province might want to hold an online public consultation on a controversial issue but wants to digitally verify participants actually live in the community without exposing their full address.
But what is still needed, conference experts said, are ways governments, banks, telcos, utilities and others can securely share customer personal information – and, ideally, give customers the ability to approve the use of their information from various sources at various times to limit exposure of their personal data.
For example, one speaker asked, when trying to get into a bar why should a person show their driver’s licence, which includes a home address, when all that is needed is proof of age? Why can’t a digital piece of information be pulled from a government database along with a photo on the person’s cellphone to show proof of age?
Many are hoping work being done by the Digital ID and Authorization Council of Canada (DIACC), a public-private partnership building on the work of the federal Pan-Canadian Trust Framework, a digital identity and authentication management architecture, will point the way for organizations to create platforms to expand opportunities in the global digital economy.
On Monday DIACC released its second proof of concept white paper, showing how an online service that would verify an individual’s place of residence would work. It was a follow-up to the release last year of a strategy paper.
DIACC chair Dave Nikolejsin, who is also deputy minister of B.C.’s ministry of natural gas development, told one panel that the industry needs to move to live demonstrations to show the concepts work. “Historically Canada [is] bad at moving ahead before it’s totally safe,” he said. “Let’s not start with health care, the stakes are too high.” But, he said, there must be some “safe areas” where an organization could “push the boundaries…. It’s time to get on with some things.”
Canada Post, for one, is ready to integrate its FlexDelivery service, which sends third party customers’ purchases to the nearest post office for pickup and saves a buyer from going to a retail store, Gordon told the conference. But customers have to register for the service. They can do it on the Canada Post Web site, but it would be better to register on the retailer’s Web site through a link, trusting the retailer’s customer identification process. Through federation this would be done behind the scenes, linking to the post office. The key is that the customer doesn’t leave the retailer’s site, giving the treasured seamless experience.
“So in the end I end up with more revenue, more knowledge of my customers,” Gordon said in an interview. “Customers end up with a better experience and the retailers benefit because they’ve been able to offer a service delivering [products] to other places easily.”
But, he warned, big service providers like Google are already working hard on federation. In this country “federation is in its infancy and we’re falling behind,” he said.
Telus is another company hoping to take the plunge. Lloyd Switzer, the carrier’s senior vice-president for network transformation, told the conference it has developed an identity validation system allowing a subscriber to create a bank account through a mobile device, with the bank trusting the carrier to identify the person through an identity score (Switzer didn’t detail, but it would be easy to infer that, for example, the person has had the same phone number and same address for X years and paid their bills for Y years, therefore has a high identity score). The score – not personal information – is transmitted to the bank. For every bank transaction the account’s identity is approved the same way.
This guarding of privacy is crucial to the future of e-business, Ann Cavoukian, head of Ryerson University’s privacy and big data institute, told the conference. Privacy isn’t a barrier; it should be a positive that works for organizations and gains them a competitive advantage. It will not stand in the way of business goals and objectives.
However, Canadian Kim Cameron, a Microsoft identity architect who created the seven laws of identity, warned CIOs there’s an urgent need to professionalize application identity management.
Too many firms try to create their own identity regimes rather than use well-built systems, including cloud-based ones. These home-built systems are often the ones that are most vulnerable to hackers, he said.
Attackers are “fully professionalized,” often having more PhDs working for them than big software companies. “We need ways to fight back,” he said. “We have ways, because if we put together all the knowledge of these attackers we can understand what they’re doing, the patterns.”
For some the golden ideal is to somehow link the many trusted parties with pieces of identity – such as banks, telcos, governments, credit scoring firms – into one ecosystem. Greg Wolfond, CEO of Toronto’s SecureKey Technologies, said his company is working on a solution where users can pull and mix attributes for identification and authorization as needed from their smartphones – approving one bundle of ID for getting into a bar, another for approving your child’s participation in a minor league hockey team, another for logging into your financial advisor’s Web site, another for approving a donation to a charity.
The concept would be built on the blockchain technology behind digital currencies that includes security, privacy and usability.
Every use of ID is done with user approval – or, as Wolfond says, “we’ve Uberized the experience.”
Today, he said, too much relies on paper. For example, a school emails a permission form for a parent to fill out and mail in with a cheque so their child can go on a field trip. “This is ridiculous. It’s 2016. Why can’t I say ‘I agree to the terms and conditions,’ my bank app digitally signs it [to verify] and then go to the bank app and digitally move the money to the school account?”
The model wouldn’t have a broker in the middle handling transactions.
He didn’t give a timeline on when it might be realized.
(An earlier version of this story incorrectly identified Canada Post’s vice-president of digital channels. His name is Graeme Gordon. We regret this mistake.)