IdentityNORTH Annual Summit 2018
CONFERENCE REPORT
June 19th & 20th, 2018 Mattamy Athletic Centre Toronto, Ontario
Brought to you by: Annual Summit 2018 Conference Report Letter from 2Keys
IdentityNORTH Annual 2018 Summit was significant and organized to add new value to digital economy in many ways - from new attendees, sponsors and participants. This year we learned about the progress speakers, to increased attendance, and to the learning of blockchain, how the public sector is focusing of new and important initiatives, technologies and on citizen-centric digital services, and advances in aspects to consider. biometrics.
The conference continues to expand in influence, Lastly, we also learned a bit about the coming impact scope and even conference locations. With an of quantum computers and what that will mean for industry and Canadian economy that is awakening the technologies that exist to protect our data, our to the importance and value of digital identity, and enterprises and our digital identities. The lead time with an interconnected digital operating environment that is required to begin this work should start now! that must keep pace with today’s risk and concerns, there was much to learn and much to discuss amongst attendees.
To keep the momentum going this report provides attendees with summaries of each of the sessions. We hope that you find them useful.
When you review these summaries, you will be struck by how broad a topic and how deep the issues can be when it comes to the opportunities and challenges of digital identity. Education, awareness and dialogue are the main goals of the conference and with increased John Scott participation from more and more industries, speakers CEO, 2Keys and sponsors, IdentityNORTH is well positioned to remain the best conference in Canada.
Of note this year was the clear sense that ‘it takes a village’ to define, sustain, and evolve the foundations for strong, safe, secure, and privacy enhancing digital identities. This must be a ‘community’ effort ifwe are to be successful in helping to grow the Canadian digital economy.
Also of note is that much is happening that is relevant and informative in other jurisdictions outside of Canada. This year we learned about how GDPR is being thought about and how it is likely to affect data and identities in the European Union. We continue to have much to learn as to what is working well (and why) and what didn’t or isn’t working so well (and why) in other places.
In addition, a long-standing theme at IdentityNORTH has been the discovery, evolution, and maturity of new technologies and how they can be adapted
identitynorth.ca @IdentityNORTH Brought to you by: Annual Summit 2018 Conference Report Index
Round Up
Summit Report 39 Session - NAFTA Threat Landscape 3 Preparing for a Canadian revolution in digital identity 41 Session - Cross Border Interoperability
Round Up - Day1 43 Session - Fast 15 4 Collaboration, inclusion could be competitive advantages for Canadian solutions
Round Up - Day2 6 Digital identity systems of the future must Unconference Notes transcend borders to appeal to global citizens Unconference 1 46 - Informed Consent From Uninformed Users Sessions 48 Unconference 2 - Customer Experience 8 Session - Keynote 50 Unconference 3 - Trust Framework 10 Session - DIACC Leadership Panel 52 Unconference 4 - Liability Models 12 Session - GDPR 54 Unconference 5 - Business Models 14 Session - Citizen First
16 Session - Convergence Of Payments
18 Session - Quantum Threat
21 Session - Economic Story
23 Session - Blockchain
25 Session - The Future Is Now
27 Session - Leadership & Ingenuity
29 Session - Women In Technology
Session - Evolution Of Identity 31 Supported Experiences
Session - Higher Education Meets 33 Higher Standards
35 Session - Start Up Panel
37 Session - Canada’s New Digital Strategy
identitynorth.ca @IdentityNORTH Brought to you by: 2 Annual Summit 2018 Conference Report Preparing for a Canadian Revolution in Digital Identity
PREPARING FOR A CANADIAN REVOLUTION IN DIGITAL IDENTITY IdentityNORTH summit reveals how the country is poised to become a global leader in solving identity problems
Collaboration is key “It’s a win-win,” said Franklin Garrigues, vice-president of digital channels at TD. “The public sector brings No one player can solve everyone’s needs, no single strong digital identity, and the private sector brings solution will work for every business, country, or innovation.” individual. Likely each solution will require contributions from many suppliers. Organizations from across all Canada can be a supplier to the world sectors must, therefore, work together to create interoperable solutions. Canadian technologies and solutions providers should be given preferential opportunities on Canadian “People are starting to come together to solve (digital projects. They will naturally embody the key design identity), which is a really big change,” said Hamilton principles we want to see in the future, said Hamilton, following the summit. “This year we saw demonstrated naming privacy by design, data minimization, and user- several collaborations between solutions providers, centric-design as areas where Canadian organizations and there was a lot of excitement around the more excel. complete solutions they were stitching together.” The country’s very structure and values define its “The risk of not collaborating is significant”, said Asif solutions, said Andre Boysen, chief information officer Savvas, senior vice-president and partner, Canada and at SecureKey and a speaker at IdentityNORTH. “But Middle East, Simeio Solutions, and a director on the Canadian solutions could work for other countries. DIACC board. “The opportunity is to create a global standard,” he “The risk is that everyone goes out and creates said. “We can simplify working across borders.” their own standards,” he said, “and there is no cross- pollination of ideas.” “Canada could be an international leader,” said Janice Wagner, managing director, national digital lead, public Hamilton noted that next year’s IdentityNORTH summit sector, PricewaterhouseCooper LLP, and an outgoing will likely highlight more demonstrations of projects director on DIACC’s board. that bring at least three parties together because they represent more complete solutions. Consider the unimaginable Canada is uniquely positioned IdentityNORTH is a place to stop leaning on the people In Canada, the private sector and public sector are and influencers that you’re comfortable with. already successfully collaborating on digital identity, said DIACC President Joni Brennan as she introduced “We ask you to stop thinking linearly. Break out a panel featuring directors of the non-profit coalition. of routines and habits,” said Hamilton in summary. “Consider the unimaginable even though that means “The diversity of our membership is one of our risking failure.” strengths,” said Brennan of the council. “It’s our North Star, because it’s unlocking interoperability,” “It’s only by getting comfortable with using your said Brennan. “Each one of these organizations have imagination and getting comfortable with possible different puzzle pieces that can come together to solve failure that we can truly create a culture prepared for the problems of digital identity.” the digital economy of the future.” identitynorth.ca @IdentityNORTH Brought to you by: 3 Annual Summit 2018 Conference Report Collaboration, inclusion could be competitive advantages for Canadian solutions
COLLABORATION, INCLUSION COULD BE COMPETITIVE ADVANTAGES FOR CANADIAN SOLUTIONS To become a global leader in digital identity, Canada must build on foundation of trust between public and private sector, develop inclusive industry
“Help each other consider the unimaginable,” said Identity norms need transformation Aran Hamilton, chair of IdentityNORTH, when he kicked off the 2018 summit about digital identity and Keynote speaker Pamela Dingle identified pervasive authentication on Tuesday. trends in identity management that are driving the need for change. As director of identity standards at Speaking to more than 300 participants on the first of Microsoft, she has an up-close view of the challenges. a two-day gathering at the former Maple Leaf Gardens in Toronto, Hamilton challenged attendees to advance Predictable passwords and ritualized consent are progress by thinking creatively. specific areas that need work, she said. People tend to reuse and change their favourite passwords in “Linear change will never happen,” he said, describing unsurprising ways, which makes them vulnerable to how transformational change happens exponentially, attack. pointing to the example of how digital technology has transformed how Canadians use photographs in the They also click to give consent without reading or 21st century. understanding the request for consent, which can have disastrous effects if they provide consent to nefarious “When I think about how many photos I have from the actors, such as in 2017 phishing scam in which a bogus first 33 years of my life, and then I look at how many email from what looked to be Google Office asked photos I have of the past 14 years of my life — that’s users to providing access to their email. exponential change.” identitynorth.ca @IdentityNORTH Brought to you by: 4 Annual Summit 2018 Conference Report Collaboration, inclusion could be competitive advantages for Canadian solutions
Dingle charged her colleagues to address these and laws, code becomes the social norm. Sure, be challenges of human behaviour in their organizations, agile, iterate. But be inclusive. Interrogate from that and to share knowledge in the blogosphere and on perspective, because what might be right for some social media with everyday people. may not be right for others.”
Women in technology can make it safer for everyone, Working together to create change said Brennan, who was also a panelist. “It’s important that we’re welcoming empowering for women, but also Government has an undeniably important role to play for all types of diversity.” in moving the needle on digital ID, enterprise is equally important, noted DIACC leaders who took part in a It actually goes deeper than diversity, said panelist Ria panel discussion on how the public and private sectors Lupton, head of marketing at GrowthGenius. “Diversity can work together. is inviting someone to the dance. Inclusion is asking them to dance with you.” The relationship between the public and private sectors is unique in Canada, noted Janice Wagner, digital lead at PricewaterhouseCoopers and a director on DIACC’s board.
“What Canada is trying to do is different because What Canada is trying to do is it’s bringing private and public together to create scalable, trustworthy, interoperable platforms with “different because it’s bringing guiding principles and a set of criteria through the trust private and public together to framework,” said Wagner. create scalable, trustworthy, Defining how Canada will take part in the global interoperable platforms with economy, The Pan-Canadian Trust Framework, a set guiding principles and a set of guidelines created by DIACC in 2016, has helped to of criteria through the trust create a unique environment of collaboration. framework. “Around the world, we have the strongest collaboration that I’ve seen,” said Joni Brennan, DIACC president, - Janice Wagner ” adding that banks in the United States have not been as open as those in Canada. “It takes time and cooperation to work together and to find value together, but we’ve excelled in that way.”
Inclusion leads to change
One of Canada’s challenges in transforming digital identity lies in attracting talent. But inclusion can help solve the problem, said panelists who took part in a discussion about women in technology and digital identity.
“Technology entrenches existing power dynamics,” said Bianca Wylie, head of the Open Data Institute.
“When you’re building stuff, in the absence of policies
identitynorth.ca @IdentityNORTH Brought to you by: 5 Annual Summit 2018 Conference Report Digital identity systems of the future must transcend borders to appeal to global citizens
DIGITAL IDENTITY SYSTEMS OF THE FUTURE MUST TRANSCEND BORDERS TO APPEAL TO GLOBAL CITIZENS As Canada’s public and private sectors work together to create a trustworthy digital identity framework, interoperability is a key goal
Interoperability emerged as a universal goal for both “The level of trust that we have in Canada between the public- and private-sector participants at this week’s public and private sectors is not comparable around IdentityNORTH, an annual summit dedicated to the world.” contemporary identity topics in Canada.
“One of the key themes that’s coming up is … the A shifting global landscape importance of Canadian solutions that also think outside of our borders,” said Aran Hamilton, chair of Several IdentityNORTH sessions were designed to IdentityNORTH, as he introduced a panel about cross- help Canadian organizations understand how recent border interoperability on the second day of the two- changes to global privacy and trade laws could change day event in Toronto. cross-border business.
Moderated by Dave Nikolejsin, deputy minister of “GDPR is actually an incredible opportunity right now, natural gas development in the province of British especially with NAFTA and what’s happening south Columbia and board chair of DIACC, the panel explored of the border,” said David Broad, information security how Canada has the potential to become a global lead at Echoworx, which offers email encryption to leader in the identity field. customers around the world.
“We’re are getting interest internationally … from Recent challenges to the EU-US Privacy Shield mean other countries on franchising our model,” said John that some European businesses won’t be able to do Sharpe, vice-president at CGI and a director of DIACC. business in the U.S. as easily as they have in the past, identitynorth.ca @IdentityNORTH Brought to you by: 6 Annual Summit 2018 Conference Report Digital identity systems of the future must transcend borders to appeal to global citizens said Broad. That presents opportunities for Canadian at the Treasury Board of Canada Secretariat when he businesses. introduced a pilot project called SignIn Canada.
There is also opportunity in European countries, The project is a universal login service that will allow provided you do privacy right, Broad said. “In the citizens to use provincially issued identification to U.S., some companies have blocked European access access federal services online. just because they’re afraid of GDPR. But if you take a step back and aren’t afraid, it’s actually a roadmap to There is still work to be done successfully do business in every country in the world.” Such success stories can help attract more organizations, Collaboration is a competitive said Hamilton in his closing remarks. advantage “There is a huge opportunity to get the other guys here,” he said, noting he’d like to see some of Canada’s Around the world, approaches to digital identity tend major municipalities at the table. to be insular, said Andre Boysen, chief information officer at SecureKey. Everyone is creating their own There is still more work to do, but Hamilton pointed to approach, but fragmentation represents an opportunity an increased number of students and startups at the for Canadians to create a global standard and export it conference as a sign that things are moving in the right around the world. direction.
“There’s a uniqueness to our approach and it’s married “Having more people at the table and being active is with Canadian values and systems,” said Boysen. going to be really important.”
There’s a uniqueness to our “approach and it’s married with Canadian values and systems, - Andre Boysen ”
Learning from Canadian success stories
Canadian success stories demonstrate interoperability. Speakers and panelists from government bodies in New Brunswick, British Columbia, Ontario, and the federal government shared news about new projects that reveal how it could look.
Government organizations and businesses will one day be able to securely share data amongst themselves, said Ken McMillan, acting director of digital identity identitynorth.ca @IdentityNORTH Brought to you by: 7 Annual Summit 2018 Conference Report Session - Keynote 2018: The Year the World Paid Attention
2018: THE YEAR THE WORLD PAID ATTENTION
Pamela Dingle, Director of Identity Standards at Microsoft
It’s time for a change. The internet Predictable passwords are creating a significant was created upside down and the security risk, she said. effects are here. Facebook and election “We have spent 10 years working on eliminating impersonation,” she said, describing how those efforts results, blockchain super-valuations, have been frustrated by human behaviour. ransomware and fraud, etc. How do we Showing a slide of 50 most popular passwords, Dingle invest now for tomorrow? explained that people change their favourite passwords in highly predictable ways to fit complexity guidelines, “Who thinks people will start reading terms of and when faced with an expiring password. That can service?” asked Dingle at the start of her keynote at lead to security breaches. IdentityNORTH2018. The question elicited sighs and head shakes among the audience. Equally troublesome is the fact that many people give consent to requests without reading or understanding The digital identity industry must design for the way them. people actually use technology, she said. “Once it’s really hard to steal a password and Dingle described two pervasive trends that are impersonate a person, the next best thing is to trick negatively affecting identity management today and them into doing what you want.” called on attendees of IdentityNORTH to start working on solutions in their own organizations. identitynorth.ca @IdentityNORTH Brought to you by: 8 Annual Summit 2018 Conference Report Session - Keynote 2018: The Year the World Paid Attention
Describing one scam in 2017 in which a bogus email that seemed to come from Google Office asked people to give consent for access to their email.
“People said yes,” she said. “Lots said no, but enough people said yes … You just gave an application an ability to read and use your email, to send phishing emails to Consent is not just that one every single one of your contacts! “question. It’s not just, in the “Consent is not just that one question. It’s not just, in moment, is it okay to do the moment, is it okay to do something? It’s starting something? It’s starting with with their preferences on the lowest level... Who can see your camera, the devices you use, the apps you their preferences on the lowest connect to, the third parties who get shared data.” level... Who can see your
Dingle advised attendees to bring multi-factor camera, the devices you use, the authentication and end-to-end proof of possession apps you connect to, the third into their organizations. parties who get shared data. Talking about digital ID will help educate Canadians, - Pamela Dingle she said. “Make sure you’re talking about it. Push it onto Twitter and the blogosphere.” ”
identitynorth.ca @IdentityNORTH Brought to you by: 9 Annual Summit 2018 Conference Report Session - DIACC Leadership Panel: How Canada’s Private and Public Sectors Are Collaborating and Learning From Each Other
DIACC Leadership Panel: How Canada’s Private and Public Sectors Are Collaborating and Learning From Each Other
Joni Brennan, President of DIACC (moderator) Janice Wagner, Managing Director, National Digital Lead, Public Sector, PriceWaterhouseCooper LLP, Director on DIACC’s board Franklin Garrigues, Vice President of Digital Channels, TD, Director on DIACC’s board Asif Savvas, Senior Vice President and Partner, Canada and Middle East, Simeio Solutions, Director on DIACC’s board
“Thank you for prioritizing digital identity,” said DIACC bring something important to the table, said Franklin President Joni Brennan to attendees as she kicked Garrigues, Vice President of Digital Channels at off the first panel on the agenda at IdentityNORTH TD Bank. “The public sector brings strong identity 2018. “It’s one of the most overlooked topics that is documents, and the private sector brings innovation.” foundational to advancing digital culture.” The risk of not collaborating is significant, said Asif DIACC was founded in 2008 as a way to collaborate, Savvas, Senior Vice President and Partner, Canada noted Brennan, who became president of the council and Middle East, Simeio Solutions. “The risk is that in 2016. “We’re working off the federation of Canada,” everyone goes out and creates their own standards she said. “It’s in our DNA to collaborate, and that’s been and there is no cross-pollination of ideas.” a foundational element in the work we’re doing and in our strategy.” Banks are interested because they want to be where their customers are, said Garrigues. Additionally, he “DIACC has allowed us to bring public and private said, banks see digital identity as a way to lower the sectors together, said Janice Wagner, a Managing cost of acquiring new customers, since the process of Director at PricewaterhouseCoopers and a director onboarding is streamlined. on the DIACC board. “We can see the problems and opportunities, and solve the problem in a way that is Brennan asked the DIACC leaders to share calls to consent-driven and will allow for interoperability.” action to drive forward digital identity.
Public and private sector members of DIACC each Wagner and Garrigues both called for more small and identitynorth.ca @IdentityNORTH Brought to you by: 10 Annual Summit 2018 Conference Report Session - DIACC Leadership Panel: How Canada’s Private and Public Sectors Are Collaborating and Learning From Each Other mid-sized businesses to get involved in DIACC and digital identity issues.
“When you look at where growth is going to come from, We can see the problems much is coming from small and mid-sized businesses… If you don’t see yourself represented at DIACC, join. It “and opportunities, and solve is a diverse group, and we don’t yet have everyone at the problem in a way that is the table.” consent-driven and will allow for interoperability. - Janice Wagner ”
identitynorth.ca @IdentityNORTH Brought to you by: 11 Annual Summit 2018 Conference Report Session - GDPR: What Canadians Need To Know
GDPR: What Canadians Need To Know
Beth Dewitt, Partner, National Leader for Data Protection and Privacy Services, Deloitte Irene Reverte, EU Privacy Lawyer, Cyber Risk Services, Deloitte
The accounting and professional services firm The GDPR is a risk-based regulation, she explained. Not Deloitte has been helping Canadian organizations all organizations are expected to comply in the same with operations in the EU to protect personal data as way. The measures each organization puts in place will mandated under Europe’s new privacy law, the General depend on the level of risk attached to their business. Data Protection Regulation (GDPR), for the past two years, says Beth Dewitt, Senior Manager of Cyber Risk Working with organizations of different sizes on GDPR Services at Deloitte. has provided insight, said Irene Reverte, an expert on GDPR. The regulation came into effect on May 25, 2018 and it responds to the European Commission’s strategy of harmonizing separate data protection laws for 28 European countries. There is now one single set of regulations instead of many. What most organizations know “about GDPR is that it comes The rules were designed to create trust between individuals and organizations in the digital economy, with heavy fines, and they don’t said Dewitt. “Individuals weren’t sure how their want to see those fines, information was to be used and protected.” - Beth Dewitt “What most organizations know about GDPR is that it comes with heavy fines, and they don’t want to see ” those fines,” she said. identitynorth.ca @IdentityNORTH Brought to you by: 12 Annual Summit 2018 Conference Report Session - GDPR: What Canadians Need To Know
Responding to an audience question about fines, Dewitt shared that it’s not clear yet how fines will play Reverte identified the top five out. But, she said, we do know that internationally, challenges of GDPR: regulators will work together on investigations. Reverte noted that other countries around the world 1. Obtaining and managing informed consent are creating privacy laws similar to GDPR. “Some countries are trying to adopt the same requirements to 2. Operationalizing the right to erasure across the make it easier for companies who do business around enterprise the world.” On the path to an integrated and interoperable digital 3. Developing a record of personal data processing identity system, GDPR can be viewed as a global activities that can be kept up to date step toward privacy by design and a reaffirmation of Canadian values of trust and integrity. 4. Keeping records to demonstrate compliance
5. Allowing for data portability in certain situations
Reverte also shared five key lessons:
1. We’re not starting from scratch. We have a strong privacy legislative system in Canada that organizations already work with. Even though GDPR comes with new regulations, some systems are already in place.
2. Record of Data Processing Activities (RDPA) is a key strategy piece. Develop and maintain a register of personal data processing to add value to your GDPR compliance strategy.
3. GDPR is a risk-based piece of legislation. Assess the risk that your processing activities pose on individuals before allocating resources to mitigate them.
Train your teams. Everyone should know what 4. their privacy and security responsibilities are as
part of their job duties, and what to do if there
is a breach.
5. GDPR is enabled by all business functions. It is no longer owned just by the privacy, legal and compliance functions. It is a team sport.
identitynorth.ca @IdentityNORTH Brought to you by: 13 Annual Summit 2018 Conference Report Session - The Burning Platform
The Burning Platform
Aran Hamilton, Chair, IdentityNORTH (Moderator) Sophia Howse, Executive Director, B.C. Identity Management Program Jeff Borsato, Program Manager Ministry of Environment and Climate Change Ontario Colleen Boldon, Director, Digital Lab and Digital Identity, Service New Brunswick Balraj Dhillon, Director, EHealth Ontario
How to think “citizen first.” In a world And in British Columbia, the government has issued a services card containing a chip that acts as both a where data is the most valuable drivers’ licence and a health card. The province is also currency, how do we create a data working on allowing citizens to identify themselves framework that works for citizens, using a mobile phone and biometrics. businesses and government Howse said the B.C. government is responding to citizens and considering future opportunities for Bringing together four leaders from provincial creating a centralized place to access information. governments in Canada, this panel looked at innovative Citizens have asked for better access to health and projects across the country and how all service prescription information, as well as transcripts, providers can prioritize the user experience. vaccines, criminal records, and forms for public schools and universities. In Ontario, the Ministry of Environment and Climate Change collects data that tracks and monitors how The principles of service design are key, agreed human activity is impacting climate, said Jeff Borsato, Borsato. Transparency is also a factor. “(People) need program manager for the ministry. to have a clear understanding of our process, the way we regulate our climate.” Also in Ontario, EHealth makes medical information available securely to healthcare providers. In healthcare, the challenge now is around issuing credentials to providers, said Balraj Dhillon, director identitynorth.ca @IdentityNORTH Brought to you by: 14 Annual Summit 2018 Conference Report Session - The Burning Platform
of EHealth Ontario. The organization is seeking a streamlined process and building in multi-factor authentication.
Among the future developments these provincial leaders said they’d like to see:
• a single digital ID that would work across all (People) need to have a clear sectors and jurisdictions “understanding of our process, • a proof of concept about how provinces share the way we regulate our climate. data - Jeff Borsato • an app that would allow patients to access their own medical records ” With cross-province and territory conversations and increased collaboration across the country, these developments can be realized and Canadians will enjoy even more leading, service-driven solutions to government initiatives and public services.
identitynorth.ca @IdentityNORTH Brought to you by: 15 Annual Summit 2018 Conference Report Session - Exploring the Convergence of Digital Identity and Payments
Exploring the Convergence of Digital Identity and Payments
Suzan Denoncourt, Managing Director, Ingenico Group Canada Pierre Roberge, Chief Technology Officer and Senior Vice-president Solutions and Innovation, Prodigy Ventures Andre Boysen, Chief Information Officer, SecureKey
With the Internet of Things (IoT) “Are they going to give me yet another password? It has to be simple enough that I can do it, and trustworthy increasingly becoming an integral part enough that I can share my personal information.” of Canadians’ lives, enabling secure That’s especially so when it comes to donations, a type payments and trustworthy identity of transaction that is often abandoned if the consumer verification on IoT devices is a step experiences friction in the process of giving. forward in providing a seamless Suzan Denoncourt, Managing Director of Ingenico customer experience. This demo Group and Pierre Roberge, Chief Technology Officer at will show an integrated customer Prodigy Ventures, and Andre Boysen, Chief Information Officer of SecureKey, talked about a stand-alone experience for charity donation. donations kiosk that helped raise money for SickKids.
Introducing a joint presentation from representatives The large-screen kiosk was installed in a mall, where of Ingenico Group, Prodigy Ventures and SecureKey, passersby could use a mobile phone to make a IdentityNORTH chair Aran Hamilton explained how the donation using Verified.Me technology. The technology Internet of Things has increased the need for easy and allowed users to verify their identities to receive a tax secure interaction with the many devices connected to receipt quickly and easily, without displaying personal the internet. information on the large screen.
identitynorth.ca @IdentityNORTH Brought to you by: 16 Annual Summit 2018 Conference Report Session - Exploring the Convergence of Digital Identity and Payments
It’s one approach to the challenge of allowing in-person donations in a public setting.
We’re building on the idea of tap to pay, said Boysen. Now we’re tapping for identity. “So many people give up a donation when asked to type a name and address, so it really eliminates friction.”
Users must register to use the soon-to-be-launched Verified.Me service, but once they’ve registered, they can use it across many different organizations.
“It’s backed by banks,” said Roberge. And when banks adopt a technology, people trust it, added Denoncourt.
Use cases such as this, that demonstrate the value and integral nature of digital identity are critical as we continue to expand notions of what’s possible and what’s necessary when people consider digital identity. Bringing attention to new approaches like tap for identity offers a user-friendly approach that maintains privacy and drives home the foundational, cross-sector solutions that digital identity can provide.
identitynorth.ca @IdentityNORTH Brought to you by: 17 Annual Summit 2018 Conference Report Session - What does the quantum threat mean for digital identity and what do we need to do about it?
What does the quantum threat mean for digital identity and what do we need to do about it?
John Scott, Chief Executive Officer, 2Keys (Moderator) Bridget Walshe, Director, Cryptographic Security and Systems Development at Communications Security Establishment, Government of Canada Bruno Couillard, Co-founder, President and Chief Technology Officer, Crypto4A Jennifer Fernick, Director, Customer Protection and Cryptographic Services, Scotiabank
As digital capabilities look to drive Scott asked panelists and audience to consider the amount of lead time and other activities that should be our digital economy, what should going on now to prepare for the eventuality of quantum stakeholders be aware of now to computers. better prepare for coming policy, “Why should we be worrying about this now?” Scott process, operations and technology asked Bridget Walshe, Director of Cryptographic Security at Communications Security Establishment in choices? the Government of Canada.
“We should be thinking ahead to prepare for a time “Cryptography (and the digital assets and information when quantum computing is here. they protect) that we’re holding today could be attacked by a quantum computer of the future. Adversaries could And what we need to be doing about it.” Aran Hamilton, take it from the internet today and when a quantum chair of IdentityNORTH said when he kicked off a late- computer exists in the future, they could decrypt it. morning session about the quantum threat. So information that is long lived - like individual “Digital identity drives the digital economy, and digital identities - that is exposed today, even with stakeholders, frankly, may be blind to the ways we need encryption, should be considered data at risk. Data to be better preparing for it,” Hamilton said, introducing protection strategies should be considered now. This moderator John Scott, Chief Executive Officer of 2Keys. consideration should involve looking at long-term data, identitynorth.ca @IdentityNORTH Brought to you by: 18 Annual Summit 2018 Conference Report Session - What does the quantum threat mean for digital identity and what do we need to do about it? medium-term data and short-term data. that you’ve encrypted and handed to a third-party once the algorithms used to protect it are no longer secure.” It’s a two-part risk. The first part is to do with confidentiality, protecting the secrecy of information that we’re holding,” she said.
“So we’re looking at replacing cryptography that is at risk,” she said, explaining that assessing what you need Quantum computers will be to replace comes as a first activity. “able to break most of the “There are interim things we can do for protection. cryptography used in protocols Offline keys are a mitigation to ensure it can’t be underlying HTTPS connections, decrypted in the future.” encrypted email, mobile devices, “The second risk is the way cryptography protects secure communications, IoT, from a cyber-attacker,” said Walshe. “That risk isn’t internet key exchanges and most materialized until quantum computers exist.” blockchains, Update systems where there is the most risk. We need to building new systems that can be protected, she - Jennifer Fernick said, adding that advice and guidance is out there for ” assessing risk, pointing to the Communications Security Establishment as a resource that is available to help. Scott then asked Bruno Couillard, Co-founder, “To put a time frame on it, the current estimate is that President and Chief Technology Officer at Crypto4A, in 2030, $1 billion dollars will produce a quantum how the technology industry is preparing for this risk. computer,” said Walshe. “We have to promote a worldwide effort to create the Scott noted that it took the industry around a decade replacement of at-risk algorithms,” said Couillard. to migrate from DES to AES. “We also need to build the ability to sustain with “So how extensive is this risk inside today’s modern cryptography through software updates, and that enterprise?” Scott asked Jennifer Fernick, Director of means starting at the connection that the manufacturer Customer Protection and Cryptographic Services at builds into its devices,” said Couillard. “It’s the machine Scotiabank. protection angle that we need to start thinking about.” “Quantum computers will be able to break most of “We must engage with academia and work with industry the cryptography used in protocols underlying HTTPS to understand their need to protect themselves from connections, encrypted email, mobile devices, secure the quantum threat,” said Walshe. communications, IoT, internet key exchanges and most blockchains,” she said. “It is important for people to “What can we do right now?” Scott asked Fernick. understand – particularly in this age of analytics – that data that is protected with quantum-vulnerable ciphers “Start by understanding where your enterprise’s most will soon enough not be protected at all.” high-value and or long-lived information assets are, and how cryptography is used to protect them,” she Fernick rhetorically asked, “What isn’t at risk?” – in the answered. enterprise or in the extended supply chain, given the extensive use of algorithms which are known to be at “You need to understand only the basics of post- risk to quantum computing. quantum cryptography. You don’t need to understand the math, but you really do need to understand “You must also ask yourself what will happen to data identitynorth.ca @IdentityNORTH Brought to you by: 19 Annual Summit 2018 Conference Report Session - What does the quantum threat mean for digital identity and what do we need to do about it? how cryptography is used across your enterprise, particularly in places where algorithm performance could be constrained or where substantial retooling of codebases or even architectures may be necessary.”
“Undertaking a large cryptographic migration takes substantial time and resources. It is important to socialize your expectations with both your existing technology vendors, who need to transition toward quantum-safe solutions, as well as the senior executives who are ultimately responsible for risk, finances, and the protection of your enterprise’s data.
“This risk is real and the board level needs to understand it now. A focus on safety is on the horizon,” said Couillard. “Our belief is that in the foreseeable future, we’re going to need to see the internet as the protector of our digitized and interconnected world.
“Everything will be part of an ecosystem that will keep you safer. Start thinking about safety rather than security. With security, you’re trying to protect machines from attack by people, but safety is about protecting humans from device attack.”
Start by understanding “where your enterprise’s most high-value and or long-lived information assets are, and how cryptography is used to protect them, - Bridget Walshe ”
identitynorth.ca @IdentityNORTH Brought to you by: 20 Annual Summit 2018 Conference Report Session - Cause and effect: The economic story shaping Canada’s Digital ID industry
CAUSE AND EFFECT: THE ECONOMIC STORY SHAPING CANADA’S DIGITAL ID INDUSTRY
Neil Butters, Director, Payment Technology, Interac Corp.
“Interac has been working on a low-cost way for peer- 30 percent of Canada’s GDP, but their processes are to-peer payments, and we’re excited by the prospects of cumbersome, said Butters. what is to come,” Aran Hamilton said when introducing speaker Neil Butters, Director of Payment Technology “At Interac, we think about end-to-end. So, instead of at Interac. being penalized for not renewing your drivers licence plate, how about the police officer just asks you to pay “Digital ID is a complex and a daunting concept,” said for it maybe with a bit of a surcharge?” Butters. The identity ecosystem looks like this today: Digital natives expect digital service, and it can’t be Foundational elements are used to gain health cards, too difficult, he said. It has to make the digital lives of drivers licence, birth certificates. Then there are Canadians easier. extended pieces, such as bank accounts and credit cards. To a certain extent, you need the foundational The economic impact to Canada of solving the digital pieces to the get the extended pieces, said Butters. identity problem is estimated to be close to $15 billion. That’s about 1% of the GDP of Canada. “Interac operates in the outer ring, which prevents us from combating fraud. Digital commerce is estimated to grow from 21 billion to 28 billion in 2018, and identity is key to that growth. “The foundational pieces are being used for secondary reasons that allow you access to restricted services. Small and mid-sized businesses account for roughly identitynorth.ca @IdentityNORTH Brought to you by: 21 Annual Summit 2018 Conference Report Session - Cause and effect: The economic story shaping Canada’s Digital ID industry
“Secure printing technology is becoming out of date, it’s a zero-liability model for the end user. As a result, and it’s becoming commercially available. So personally people aren’t afraid to use the system. identifiable information is available all over the place, but it’s all we have for doing certain things like buying Interac has created a developer centre and intends to a house. use it to spur innovation and integration. By working with other parties and keeping the user at the core, “Which card do you use most often? A payment card? Interac demonstrates privacy by design values and how Drivers licence? Health card? collaboration is key to success for Canada’s digital ID ecosystem. Think of a use case that doesn’t involve an exchange of money or value.... We believe if you solve for one, you solve for both.”
Zero-knowledge proof has been creating buzz in the digital identity industry as of late. Interac has been in Security means fraudsters the zero-knowledge business for 30 years. “migrate to the U.S. The ability Interac debit cards use cryptography to provide a zero- for fraudsters to get money knowledge exchange. They have the ability to abstract out of the system becomes so your identity and build trust so two parties can transact small that they just give up, and together. that’s the kind of paradigm we “Security means fraudsters migrate to the U.S. The need to adopt in Canada, ability for fraudsters to get money out of the system becomes so small that they just give up, and that’s the - Neil Butters, kind of paradigm we need to adopt in Canada,” said Butters. ”
Forensic traceability back to the root keeps the fraudsters at bay. What’s the liability model? At Interac,
identitynorth.ca @IdentityNORTH Brought to you by: 22 Annual Summit 2018 Conference Report Session - Staying Ahead of the Curve with Blockchain
SESSION - STAYING AHEAD OF THE CURVE WITH BLOCKCHAIN
Jim Skipper, Assistant Vice-president and Chief Architect, Sun Life Financial Andre Boysen, Chief Executive Officer, SecureKey
What is blockchain and why should the digital “It’s all built on crypto, rock-solid ledger. It’s immutable identification industry care? so you can’t erase what’s already out there.”
Jim Skipper explained it all at IdentityNORTH2018. One of the areas that digital identity security is important is for Know Your Customer (KYC) processes. “Recently, my son needed to rent a townhouse ... I It’s a regulator-intensive process of making sure you was livid at what I needed to show so my son could are known enough that you are not going to be put in rent a townhouse: payment statements, passport too much risk. information, financial statements. “You might think we’re doing something deceitful at “I know it’s sitting at the super’s office now, and I would first to get your information, but it’s really driven by love to be able to provide that information on a secure regulation. network.” With blockchain, now people are going to have the Blockchain is one possible solution to that problem. option to do it from their phones. “It’s like saying, I don’t really want to tell you about my financial holdings, but But what is it? I’m okay with you getting it from SecureKey. “Sometimes we associate Bitcoin and blockchain. “Why is that important to us? It cuts a two-week process Blockchain is plumbing, and Bitcoin is an application, down to two minutes. It allows us to not intimidate you built on the plumbing.” on first contact. identitynorth.ca @IdentityNORTH Brought to you by: 23 Annual Summit 2018 Conference Report Session - Staying Ahead of the Curve with Blockchain
“We offer the option: Would you like to provide your information about your holdings? Or would you like us to get it from the SecureKey environment?”
It could help in the future with the complex and high- value coordination of benefits, an area that is open to fraud. People sometimes file the same claim with two different companies, said Skipper. Sometimes we associate “The ideal would be to form a consortium such that “Bitcoin and blockchain. we could use a digital ID framework and network to Blockchain is plumbing, and say: ‘Have you submitted this to anyone else?’” It would Bitcoin is an application, built lower operating costs for both benefits providers and on the plumbing. for employers, said Skipper.
Increased user choice, reliable data, and secure - Jim Skipper documentation are all available through blockchain ” technology. The technology represents a significant leap forward for many industry professionals who face more and more threats in the hyperconnected online environment.
identitynorth.ca @IdentityNORTH Brought to you by: 24 Annual Summit 2018 Conference Report Session - The Future Is Now
THE FUTURE IS NOW
Sajith Nair, Partner, Cybersecurity and Privacy, PricewaterhouseCoopers LLP (moderator) Rolf Lindemann, Chief Technology Officer, Nok Nok Labs Ravi Bijlani, Chief Partnership Officer, Payfone Kristen Palmer, Fraud Prevention and Strategy, Canadian Tire Bank Robert Blumenthal, Chief Identity Officer, EnStream
Next-generation identity solutions here “Recognizing people and authenticating them are two different pieces,” said Rolf Lindemann, Chief Technology and abroad, including mobile identity Officer at Nok Nok Labs. “It has to be secure, butit verification, Fast Identity Online (FIDO) also has to be convenient. Finally, we see companies and Mobile Connect. recognizing that.” “We’ve been doing instant credit,” said Kristen Palmer, Moderator Sajith Nair of PricewaterhouseCooper Chief Partnership Officer, Canadian Tire Bank. “If you asked participants on this IdentityNORTH 2018 panel engage with a representative in-store you can apply to describe trends they see on the digital identity for credit, you can get instantly approved, and shop in landscape. store same day… We want to make it low effort for the “Your smartphone is your proxy for everything you do,” consumer.” said Ravi Biljani, Chief Partnership Officer at Payfone, “There’s a separation between authentication and a company that is a digital authentication network for identification,” said Robert Blumenthal, Chief Identity mobile. Officer at EnStream. “Authentication needs tobe “The key message is that it has be more secure,” he scaled and global, whereas identity tends to be a more said, but Payfone’s service has major success stories local matter.” in the healthcare and finance industries, where it has “It’s an important distinction between those two ideas, removed friction for consumers. identitynorth.ca @IdentityNORTH Brought to you by: 25 Annual Summit 2018 Conference Report Session - The Future Is Now
and it’s important to understand which technologies out there will do both components.”
There is no silver bullet to digital identity, said Blumenthal. He challenged the audience to think about it this way: In the future, will we still have hundreds of passwords or worse, hundreds of apps on our phones to do the things we need to do?
Or will digital identity go the way of credit card companies, with two or three companies that provide proof of payment? He asked the audience to consider how, in the future, we’ll have to trust IDs from third parties.
As the industry continues to evolve and change, with higher consumer expectations and increasing flexibility granted by new technologies, it is important that organisations stay up-to-date. Community conversations, an eye on new technologies, and an ongoing emphasis on user experience will help teams maintain relevance and security.
There’s a separation “between authentication and identification. Authentication needs to be scaled and global, whereas identity tends to be a more local matter. - Robert Blumenthal ”
identitynorth.ca @IdentityNORTH Brought to you by: 26 Annual Summit 2018 Conference Report Session - Leadership and ingenuity: TCS and Toronto District School Board work together in public-private partnerships to prepare Canadian youth with the latest technology skills
LEADERSHIP AND INGENUITY: TCS AND TORONTO DISTRICT SCHOOL BOARD WORK TOGETHER IN PUBLIC-PRIVATE PARTNERSHIPS TO PREPARE CANADIAN YOUTH WITH THE LATEST TECHNOLOGY SKILLS
Antoinette Ellis, Corporate Social Responsibility Program Specialist, Tata Consultancy Services
Antoinette Ellis, CSR program specialist, came to can’t afford an after-school program.” IdentityNORTH to share how Tata Consulting helps spur technology education in Canada. In Canada, 6000 students have benefitted from the program. “There is a problem with STEM,” said Ellis, explaining why science education is a priority for Tata. “A lot of kids TDSB, Skills Ontario and others to deliver a program are not choosing enough STEM (science, technology, called GoIT. Grade 8 and 9 students are asked to take engineering and math) courses. A million jobs will be on robotics and app-building projects. available, but there will not be enough people to fill Students in the app-building stream competed against them. each other. The winning group was a team of young “Twenty years from now, who is going to be sitting in women who created an app designed to streamline your seat?” she asked the audience. record-keeping around vaccinations. With the intention of saving patients time and money, the team set out to They had to take a new approach to get kids excited digitize the current yellow vaccination card. about learning. “We asked ourselves: How can we demystify computer science. They think it’s hard, The approach reinforces the importance of digital difficult.” identity for healthcare and reveals the sophisticated expectations and ideas for digital services in the next “Our computer technology program is free. Because generations. not all schools can afford a robotics program and they Tata volunteers help facilitators from the schools deliver identitynorth.ca @IdentityNORTH Brought to you by: 27 Annual Summit 2018 Conference Report Session - Leadership and ingenuity: TCS and Toronto District School Board work together in public-private partnerships to prepare Canadian youth with the latest technology skills a program that encourages kids to have fun with STEM and try ambitious projects. They also create awareness about computer science careers.
“How can we use digital identity for social good?” asked Ellis. “How can you share what you know with students?”
A lot of kids are not choosing “enough STEM (science, technology, engineering and math) courses. A million jobs will be available, but there will not be enough people to fill them. - Antoinette Ellis ”
identitynorth.ca @IdentityNORTH Brought to you by: 28 Annual Summit 2018 Conference Report Session - Women in Technology and Digital Identity
WOMEN IN TECHNOLOGY AND DIGITAL IDENTITY
Krista Pawley, Principal, Imperative Impact Ria Lupton, Head of Marketing, GrowthGenius Bianca Wylie, Head of Open Data Institute Joni Brennan, President, DIACC
“I’m looking forward to the day where we no longer a parent to young children. need to call out this conversation,” said Krista Pawley, moderator of an IdentityNORTH panel about women “We’ve heard about discrimination in firms around in technology and digital identity, as she introduced a someone getting pregnant. But there is a lot of upside panel of three women. for people who raise children,” she said, describing how she became more efficient to manage the new At a time when recruiting talent is a challenge, being demands on her time. a woman in technology can sometimes mean you feel defined by a single identity, said Pawley, asking “What about forging relationships with men?” asked panelists to explain how they cope with that challenge. Pawley. “How, in the age of #metoo, do men enter into mentorship relationships? … I’ve heard people say: People should understand that “part of managing ‘I’m feeling less inclined to have those conversations different identities means sometimes you’re not because I worry.” privileged enough for people to accept all of those identities,” said Ria Lupton, Head of Marketing at “It’s about being respectful when you want to be GrowthGenius who came to Canada eight years ago. involved in the conversation,” said Lupton. “You have to educate yourself.” The panel emphasized that challenging mindsets in the workplace is essential. “Maybe some of the things “White women are as much the problem as men,” said people think about people with children aren’t true,” Wylie. “But there has to be an opportunity to do it said Bianca Wylie, Head of the Open Data Institute and wrong... White women can lead by example, they can identitynorth.ca @IdentityNORTH Brought to you by: 29 Annual Summit 2018 Conference Report Session - Women in Technology and Digital Identity
say ‘I don’t know what to say here.’ When you own the ‘I don’t know what to do,’ then you get into learning better.
“We might want to think about a universal set of things to do when you work with people,” said Wylie. “Let’s think about gender in a less binary way.” When you’re building stuff, “Be vulnerable,” said Lupton. “Just showing up is not enough. You have to make yourself heard.” “in the absence of policies and laws, code becomes “Technology entrenches existing power dynamics,” said social norms. Sure, be Wylie. “When you’re building stuff, in the absence of policies and laws, code becomes social norms. Sure, agile and iterate, but be be agile and iterate, but be inclusive. Interrogate from inclusive. Interrogate from that perspective, because what might be right for one that perspective, because person may not be right for someone else.” what might be right for one “Diversity is not inclusion,” explained Lupton. “Diversity person may not be right for is inviting someone to the dance. Inclusion is asking someone else.. them to dance with you.” - Bianca Wylie “Have empathy,” advised Brennan. “When you’re ” meeting people and working with them, think about what they may be going through. Ask, ‘How can I be an ally to them?’”
With more women driving progress in digital identity from all areas of the field, there are no excuses for exclusionary practices, policies, teams or panels.
identitynorth.ca @IdentityNORTH Brought to you by: 30 Annual Summit 2018 Conference Report Session - Having it all: The evolution of our expectations of identity-supported experiences
HAVING IT ALL: THE EVOLUTION OF OUR EXPECTATIONS OF IDENTITY-SUPPORTED EXPERIENCES
Shri Kalyanasundaram, Head of Digital Identity Services, TELUS Andrew Johnston, Principal Technology Architect, TELUS
Shri Kalyanasundaram, Head of Digital Identity Services he said, naming Airbnb as an example of this model. at TELUS led a session at IdentityNORTH 2018 about Users sign up with verified ID, but over time, trust is how consumer expectations have changed over the established through behaviour. Someone with two years when it comes to identity-supported online reviews is seen differently than someone with 80 experiences. reviews, he explained.
At one time, when digital services were first being Then there’s the Amazon experience, known as a step- provided, the customer experience was not good. up authentication. “Without any interaction with the user, they’re using background information — cookies Then, user experience started becoming a differentiator. for example — to know me and say ‘Hi Shri’ when I go But there was a tension between convenience and to the website. They only ask me to confirm my identity privacy. once I’m ready to make a purchase.”
Federation started to look like the answer and social Now the industry is moving down a path of blockchain, logins began. But in this model, Kalyanasundaram said continued Andrew Johnston, Principal Technology an organisation could be passing on information an Architect at TELUS. individual actually thinks should be private, but they consented to its being shared because they didn’t read “How can we blind people to details they don’t need the terms of service. to know, while still allowing them to trust and make a transaction?” he asked. Now there’s a concept of progressive enrollment, identitynorth.ca @IdentityNORTH Brought to you by: 31 Annual Summit 2018 Conference Report Session - Having it all: The evolution of our expectations of identity-supported experiences
Showing a slide that pictured his own health card partially covered in masking tape to conceal everything but his picture and his first name, Johnston said a digital equivalent of masking could be useful, but still poses significant challenges.
“The digital equivalent of (the masked card) is a model we could aspire to,” said Johnston.
With new solutions to empower user control over personal information, there are countless possibilities and use cases with massive transformational potential. Keeping ease of use and strong security at the forefront of design considerations will ensure competitiveness and longevity as the industry grows and changes.
identitynorth.ca @IdentityNORTH Brought to you by: 32 Annual Summit 2018 Conference Report Session - Higher education meets higher standards for security and efficiency
HIGHER EDUCATION MEETS HIGHER STANDARDS FOR SECURITY AND EFFICIENCY
Peter Wilenius, Vice President of Business Development, Canarie
Exploring how digital identity and Canada’s educational and research institutions to each collaboration will benefit schools and other and to organisations around the world. students, and how it can help them With the Eduroam network, students and faculty can walk into any university and easily access high-speed realize the great potential of a truly wifi. interconnected research and education “Students can access it with one credential, no matter system where they are,” said Wilenius, explaining that students expect such seamless service in a modern digital Peter Wilenius, Vice President of Business economy. Development for the non-profit Canarie, described in an IdentityNORTH session how his organization “It’s a trust fabric formed by federated management provides access to a digital infrastructure for students, of identities and services,” he said. “Trust is the most faculty and researchers. important part of identity.”
Canarie gets funding from the federal government Canarie is looking at embarking on new projects with promote the advancement of information and SecureKey, a leading authentication provider that communications technology, Wilenius explained. simplifies access to online services.
Together with 12 of the 13 provinces and territories, “We’ve talked to research and education institutions ... Canarie delivers digital infrastructure that connects We started asking them what problems we could help identitynorth.ca @IdentityNORTH Brought to you by: 33 Annual Summit 2018 Conference Report Session - Higher education meets higher standards for security and efficiency
them solve … and (now) we’re getting ready to show them some ideas.”
The work Wilenius and team are doing demonstrates how digital identity can benefit users from all demographics and industries, and support research and development. With the right tools and access protocols, more collaborative learning and support can be provided for the next generation of innovators and leaders.
We’ve talked to research “and education institutions ... We started asking them what problems we could help them solve … and (now) we’re getting ready to show them some ideas. - Peter Wilenius ”
identitynorth.ca @IdentityNORTH Brought to you by: 34 Annual Summit 2018 Conference Report Session - Startup panel: What’s on deck for 2018
STARTUP PANEL: WHAT’S ON DECK FOR 2018
Peter Wilenius, Vice President of Business Development, Canarie Douglas Soltys, Editor-in-Chief, BetaKit Rohan Pinto, Founder, 1Kosmos BlockID Patrick Drolet, Vice President of Operations and Product Strategy, Notarius Steve Borza, President, BluInk Don Waugh, Co-Chief Executive Officer and Chairman of the Board, Applied Recognition
An IdentityNORTH panel discussion moderated by on a user’s smartphone. Douglas Soltys, Editor-in-Chief of BetaKit, explored what’s on the horizon for startups in the digital identity Applied Recognition is an authentication system that space. allows people to sign in using facial recognition rather than a password, said Don Waugh, the company’s Co- “We intersect identification with blockchain,” said Chief Executive Officer. Rohan Pinto, Founder of 1Kosmos, explaining his startup’s vision. “We think it’s time to change the way “Eighty-one percent of data breaches are caused identities are managed by giving complete control to by passwords,” said Waugh, explaining the need for the user. What is collected. How it is shared. How it is biometric technology. used. Those are the things that matter to users.” When asked what has helped them in the field of Notarius makes legally reliable documents, said Patrick digital identification, panelists offered a wide range of Drolet, Vice President of the company. “It’s not sexy, experience. but it’s essential,” he said. “You rely on system integrators and their perception Steve Borza, President of BluInk, said his company matters,” said Drolet. “So, if you’re a startup, don’t works with phone authentication and has a contract forget a system integrator.” with the province of Ontario to develop an identity “It’s been incredibly valuable to be associated with platform that would store electronic versions of driver’s the Government of Ontario, said Borza. “That gave us licences, health cards and other government-issued ID credibility.” identitynorth.ca @IdentityNORTH Brought to you by: 35 Annual Summit 2018 Conference Report Session - Startup panel: What’s on deck for 2018
“As a small company we’re nimble,” said Waugh. “We are the risk takers.”
Waugh went on to say that startups benefit from working with a bank or a government, but they work on a different scale and at a different pace. Identifying and respecting these differences can create more successful projects. “We bring these innovations to Eighty-one percent of data you, then we have to do (proofs of concept) for free … “breaches are caused by Don’t make us do it for free.” passwords, Session moderator Douglas Soltys of BetaKit, the Canadian startup news publication, asked if there will - Don Waugh be one winner in the identity space or if opportunities ” exist for startups to work together.
“By using open standards, you can interoperate properly,” said Waugh. “Many can exist. We want to support the industry and we design ourselves to integrate with it.”
identitynorth.ca @IdentityNORTH Brought to you by: 36 Annual Summit 2018 Conference Report Session - Canada’s new data strategy: SignIn Canada and the vision for the ecosystem surrounding it
CANADA’S NEW DATA STRATEGY: SIGNIN CANADA AND THE VISION FOR THE ECOSYSTEM SURROUNDING IT
Ken McMIllan, Acting Director of Digital Identity, Treasury Board of Canada Secretariat, Government of Canada
Exploring how digital identity and the holder of that (digital) identity. Everything else is a collaboration will benefit schools and derivative. students, and how it can help them “Because we’re not Estonia, we have to do it differently. But how do we look at their user experience and adapt realize the great potential of a truly it for our country?” said McMillan. interconnected research and education system The government must look at three factors: • Is it the same person? Ken McMillan, Acting Director of Digital Identity at the Treasury Board of Canada Secretariat, appeared • Is it a real person? on stage IdentityNORTH 2018 to share news about Canada’s new data strategy, SignIn Canada, and the • Has this person given consent for a transaction? vision for the eventual ecosystem around it. SignIn should work for: The federal government is working on a universal • Any service SignIn strategy, said McMillan. It’s now in procurement. • Any device The Canadian government is working on adopting open standards and interoperability. A government is • Any partner identitynorth.ca @IdentityNORTH Brought to you by: 37 Annual Summit 2018 Conference Report Session - Canada’s new data strategy: SignIn Canada and the vision for the ecosystem surrounding it
Right now we have a panoply of services in Canada. It’s a patchwork of mechanisms and data sharing is spotty.
“The idea is that we create an ecosystem where we can have different applications, and you can use a provincially issued ID to interact with federal services,” said McMillan.
“The value of this is we’re taking friction out of the system.”
McMillan went on to describe how it could be useful to everyday citizens by using an example from his own life.
I had all my family’s benefits taken away because there was another Ken McMillan in the system,” he said. “I had to convince them that I had a wife and kids.
“We need to have that role that brokers the relationship, but protects my information.”
The idea is that we create an “ecosystem where we can have different applications, and you can use a provincially issued ID to interact with federal services, - Ken McMIllan ”
identitynorth.ca @IdentityNORTH Brought to you by: 38 Annual Summit 2018 Conference Report Session - How Bad is Bad? NAFTA’s Threat Landscape
HOW BAD IS BAD? NAFTA’S THREAT LANDSCAPE
David Broad, information and security audit lead, Echoworx
“There’s been a lot of discussion around GDPR, and “People say we should probably avoid Europe. In the the impact of that,” said David Broad, Information and U.S., lots of companies are blocking European access Security Lead at Echoworx at the start of a talk about just because they’re afraid of GDPR. It’s not that easy.” the NAFTA threat to Canadian organisations. In the U.S., all 50 states have unique laws. Europe “There’s a lot of fear, so I’ll try to dispel those myths and implemented GDPR. Canada has PIPEDA. Mexico has show that GDPR is actually an incredible opportunity embedded privacy and protecting information in its right now, especially with NAFTA and what’s happening constitution. south of the border.”
Echoworx does encryption for email, offers capabilities, and operates in North America, Ireland and the UK, with customers in more than 30 countries around the world. People say we should probably “avoid Europe. In the U.S., lots of Broad has more than 20 years of experience in security, but noted: “I’m not a lawyer, and this isn’t legal advice.” companies are blocking European access just because they’re afraid Recent studies show that breaches are continuing, he of GDPR. It’s not that easy said, and any cybersecurity or information security professionals know that. With GDPR there are a lot of - David Broad risks, and that scares people. ” identitynorth.ca @IdentityNORTH Brought to you by: 39 Annual Summit 2018 Conference Report Session - How Bad is Bad? NAFTA’s Threat Landscape
They’re all based on common principles and practices. How do we grow Canadian business? How do we grow If you break it down to those key elements, it becomes in different markets and take advantage of the current a lot easier to understand. administration in the United States?
Key concepts: “Encryption services can help you do business in different environments, and the legal environment can • Collect only what you need provide an advantage for Canadian businesses over American businesses.” • Tell people what you’re doing with it Leveraging the regulations as an opportunity to • Get rid of what you don’t need compete and excel, rather than a barrier, can create • Protect what you’ve collected a competitive advantage and reinforce Canadian businesses’ commitment to privacy. • Manage your vendors and contractors
• Prepare for problems and be ready
• Tell people quickly if you have a problem
• Privacy should be incorporated as default and by design
“How do you meet requirements of 50 different states for personally identifiable information?” asked Broad. “Just treat everything as personal information. It makes all subsequent problems easier.”
Doing privacy well has benefits from a global business standpoint and internally. It creates better standardization across the board and makes interoperability, security, and trust much easier to manage.
Isolate the data, anonymize it, and encrypt it… If you’ve isolated your data correctly, it’s not lying around on multiple platforms. It makes good business sense to avoid duplication and it protects privacy.
The U.S. is about to lose the E.U.-U.S. Privacy Shield. The structure they’ve been offering it under means a lot of European businesses won’t be able to do business in the U.S. as easily.
“Canada should be able to maintain those relationships and continue doing business.”
If you do privacy right and follow the guidelines then you’ll be able to do business and have more opportunities.
identitynorth.ca @IdentityNORTH Brought to you by: 40 Annual Summit 2018 Conference Report Session - Preparing for cross-border interoperability
PREPARING FOR CROSS-BORDER INTEROPERABILITY
Dave Nikolejsin, Deputy Minister of Natural Gas Development, Province of British Columbia, DIACC Board Chair (Moderator) Andre Boysen, Chief Identity Officer, SecureKey John Sharpe, Vice President, CGI Allan Foster, Vice President of Global Partner Success, ForgeRock
“One of the key themes that’s coming up is … the thinking,” said Andre Boysen, Chief Identity Officer importance of Canadian solutions that also think at SecureKey, a leading digital ID and authentication outside of our borders,” said Aran Hamilton, Chair of provider. “From a Canadian perspective, we can create IdentityNORTH, as he introduced a panel about cross- an export opportunity to take these technologies border interoperability. around the world.
“We’re are getting interest internationally … from “Banks around the world are using same standards in other countries on franchising our model,” said John payments,” said Boysen. “We can do that with identity, Sharpe, Vice President at CGI and a director of DIACC. too… There’s a uniqueness to our approach. It’s married “The level of trust that we have in Canada between the with Canadian values and systems.” public and private sectors is not comparable around the world.” “We’re not too big and not too small,” said Foster, explaining that the country is big enough that the Allan Foster, Vice President of Global Partner Success at problems are real, but small enough that they are ForgeRock explained how, in other countries, it’s either achievable to solve. the government “putting its foot down” to impose regulation without consultation, as in Singapore, for Whereas a small country like Estonia could use an example. In other countries, the private sector are enterprise solution, it wouldn’t work in a country as doing things despite inaction from their governments. large as the U.S., where the armed forces alone is larger than a small country. “In identity around the world, most of it is insular identitynorth.ca @IdentityNORTH Brought to you by: 41 Annual Summit 2018 Conference Report Session - Preparing for cross-border interoperability
Compared to other countries, Canada is putting attention on this issue, said Sharpe. “I think we’re moving at light speed,” he said. “It’s high on our priorities list.”
“We’ve solved digital identity in enterprise,” said Foster. “The real problem is interoperability. That’s our interest. That’s why we’re involved.”
In wrapping up the session, Hamilton took a moment to explain the twin purposes of DIACC and IdentityNORTH Banks around the world are to summit participants. “using same standards in • IdentityNORTH aims to educate Canadians and payments. We can do that raise the level of literacy around identity and with identity, too… There’s a future of the economy uniqueness to our approach. • DIACC aims drive action by finding great It’s married with Canadian Canadian technology solutions for digital values and systems. identity and help them find opportunities in Canada and around the world - Andre Boysen Anyone can come to IdentityNORTH, said Hamilton, ” whereas organisations must be invited to join the DIACC.
“If you want to make change, if you have limited resources of time and money, if you have to choose between IdentityNORTH and DIACC, do DIACC,” said Hamilton.
identitynorth.ca @IdentityNORTH Brought to you by: 42 Annual Summit 2018 Conference Report Session - Fast 15
FAST 15
Shawn Heeley, Vice President, Customer Solutions, 2Keys Jonathan Drover, Senior Manager, Customer Solutions, 2Keys
“Organisations need to deploy a platform that is and private. agnostic and standards based,” said Shawn Heeley, Vice President of Customer Solutions at 2Keys, a Canadian “You have to give proof of age, but you don’t want to company that designs, deploys, and operates digital give them all the information, you just want them to security systems for governments, financial institutions know you’re 19.” and businesses. Jonathan Drover, Senior Manager of Customer “You need to be able to add and remove identity Solutions at 2Keys, gave a demo of a prototype 2Keys providers,” he said, explaining that there will always be is working on, revealing how biometrics could be used a need for both public and private sources of identity for identification. validation. Registrants would create an identity profile using a “It depends on what is needed, but you need the ability passport photo. to mix and match and plug and play.” Then, using a phone, Drover showed how the user can There is a need for biometrics, he said, but “we need to take a photo of their face to prove their identity. The wait for the tech to catch up” in that area. photo is compared to the photo of record.
Canadians need a digital asset that can be used online “It ensures that the person holding the phone is who as well as in person, said Heeley. Buying alcohol is an they say they are,” said Drover. “Verify yourself and example where such digital ID could be both convenient then you’d be able to perform a number of services.” identitynorth.ca @IdentityNORTH Brought to you by: 43 Annual Summit 2018 Conference Report Session - Fast 15
In concluding the session, Aran Hamilton, Chair of IdentityNORTH, pointed out how important such technologies are for the digital economy.
“We need to find solutions now that close the gap and help organisations move those higher value services online.”
identitynorth.ca @IdentityNORTH Brought to you by: 44 Annual Summit 2018 Conference Report Select Unconference Notes
Select Unconference Notes
identitynorth.ca @IdentityNORTH Brought to you by: 45 Annual Summit 2018 Conference Report Unconference Session 1 - Informed consent from uninformed users
INFORMED CONSENT FROM UNINFORMED USERS
Led by Andrew Marshall, Senior Consultant at CGI, and Bill Pezoulas, CTO of Valid8ID
“Everyone skips the past licensing agreement,” said Another participant hopes to see step-up authorization. session leader Andrew Marshall, Senior Consultant at An example is where Amazon spots the cookie on your CGI. “People don’t read it. How are we going to train browser and recognizes you, but doesn’t make you people to pay attention to that? What do you know? login until you buy something. “You should have ability Is there something you can bring that can help us to inform the user as they go.” understand this?” Another participant noted that: “The thing about “In the past, consent was a long document,” said one informed consent is that it’s an education activity. participant. But it’s moving toward layered consent. It’s not a click activity. Layered gathering of data and The user gets more detail as they click on links, but the consent is becoming more possible now.” upfront page is very short. “Removing consent has to be part of the design,” said Some of consent is about defining the laws. Do we Marshall. know if the laws actually work for the user? Marshall asked. “At the community level we could have representatives thinking about consent, rather than having to think Involving lawyers in consent language complicates it, about the fact that they will click unless I make a clear said one participant. “The legal documents become so negative impact,” said one participant. broad and general that you can’t understand what they do with data.” Marshall asked the participant if he had an idea of who would form the communities. He replied that identitynorth.ca @IdentityNORTH Brought to you by: 46 Annual Summit 2018 Conference Report Unconference Session 1 - Informed consent from uninformed users
he had recently come to Canada from the U.K. The communities should come from local culture and he asked for input from other participants.
In British Columbia, the government consults its community through surveys administered in 62 bricks- and-mortar locations. That results in valuable feedback about digital issues, said Sophia Howse, Executive Director at B.C.’s Identity Information Management program.
“We are talking about consent from a regulatory and legal perspective, but how many people remember what they’ve consented to?” asked Robert Blumenthal, Chief Identity Officer at EnStream.
“Consent is a one-way direction,” said Blumenthal. “There is no ability for the user to go and look at what they consented to, and when. Is there a model where users have an ability to ask what did I consent to in the past?”
Privacy dashboards are being developed, said one participant.
“It’s a privacy by design question,” said Marshall. “Someone has to be in the team at design time to build the architecture. And not a lot of people are asking the right questions at design time.”
identitynorth.ca @IdentityNORTH Brought to you by: 47 Annual Summit 2018 Conference Report Unconference Session 2 - Customer experience
CUSTOMER EXPERIENCE
Led by Stacy from Canada Post
Unconference session leader Stacy started this session verification” said Robert Blumenthal, Chief Identity by explaining her interest in the challenge of customer Officer for the company, which is piloting a program experience. It’s always a trade-off: Security and privacy called Mobile Connect. vs. customer experience. It’s a mobile authentication service, Blumenthal “I’m a business-side product manager” said Stacy. “I’m explained, adding that it’s the first such service based concerned with making sure I don’t have fraud in a on emerging global standards. service called mail forwarding. We need to ensure that people purchasing mail forwarding are really who they Blumenthal noted it’s important to distinguish say they are. But if we make it too onerous, they think between the two basic processes: identification and we’re invading their privacy, and they abandon their authentication. purchase.” “Verified.me is identity first,” he said. “But then on an What does consumer experience look like in omni- ongoing basis, interacting with a service that requires channel interactions?” she asked. “You can buy a fake authentication, Mobile Connect is solving that problem. ID for $60 and it looks really good. So if we’re going to I can authenticate easily, whichever channel I’m trying replace that with digital ID, how does that look?” to access.”
It’s moving to mobile phones, said one participant. Robert noted that there is no technology that uses EnStream offers “real-time access with device biometrics for identity. Such technology is only used for authentication of a verified user. identitynorth.ca @IdentityNORTH Brought to you by: 48 Annual Summit 2018 Conference Report Unconference Session 2 - Customer experience
“How do you get Canadians to use these apps on their phone?” asked one participant. “Should we expect a consumer awareness campaign from Verified.Me? How do I find out about verified.me in a way that makes me want to enroll?”
“Awareness is next,” said Matt Jaksik from SecureKey, which will launch its Verfied.Me program this fall. Canadians can expect a mass media campaign for education and awareness.
Trust is backed by Verified.Me’s bank partners, added Jaksik.
Adoption is better when an identification or authentication service works with many different organisations, noted one participant.
From the user perspective, it would be great to have a single provider of ID, said another participant. “But are we not introducing one single point of failure? Does it mean my entire online presence will be compromised if there is a breach?”
Diversified identifiers solve that problem, explained Blumenthal. “If your service provider has a breach, the breach is only for that service provider.”
One participant questioned whether using mobile phones for authentication would work for everyone. “If you don’t have a phone, you can’t use that service?”
But phones are ubiquitous, participants seemed to agree.
“I would challenge you to find someone who doesn’t have a phone,” said Blumenthal. “In Canada, it’s virtually 100 percent.”
identitynorth.ca @IdentityNORTH Brought to you by: 49 Annual Summit 2018 Conference Report Unconference Session 3 - The Pan-Canadian Trust Framework
THE PAN-CANADIAN TRUST FRAMEWORK Rob Clark, CGI, Vice Chair of Trust Framework Committee in DIACC Joni Brennan, President of DIACC
“The Pan-Canadian Trust Framework is a set of Ideas The identity layer cuts across all sectors, said Brennan. and processes to create a trust fabric,” said Rob Clark, DIACC isn’t here to say how payments should work, or Vice Chair of the Trust Framework Committee on the how academia should work, or how health care should DIACC. He led an unconference session on the subject work. alongside Joni Brennan, President of the DIACC. “But there is a horizontal layer about identification,” It’s a set of industry standards that is contributed to she said. collaboratively by public and private and members of DIACC, who may or not may be Canadian, said Brennan. She gave an example of how digital solutions could create more trustworthy processes. “There should be a The framework is designed for interoperability in a digital way to show that you actually work somewhere, global digital economy, said Brennan. say at the CRA” she said. “You can tell LinkedIn that you work there, yes, but there should be a way that the The digital economy is important for government, CRA can say you work there.” business and Canadians, and it’s about unlocking the digital economy, reducing fraud, and improving Brennan said people going back to their organizations efficiencies. should talk about how digital identity is linked to the digital economy. People sometimes ask if there is a framework from around the world that we could adopt. There isn’t, said The DIACC’s white paper estimates $15 billion (CDN) Brennan. can go back into the Canadian economy because of identitynorth.ca @IdentityNORTH Brought to you by: 50 Annual Summit 2018 Conference Report Unconference Session 3 - The Pan-Canadian Trust Framework
lost potential by solving digital identity. Brennan noted that’s a conservative estimate.
“I think the value is more like $40 billion.”
“The communication piece has turned into a big component,” said Clark. “It’s incumbent on us to make it clear what we’re doing. Our challenge is to educate and popularize this concept.”
identitynorth.ca @IdentityNORTH Brought to you by: 51 Annual Summit 2018 Conference Report Unconference Session 4 - Liability Models
LIABILITY MODELS
Andre Boysen, Chief Identity Officer, SecureKey
“Everybody starts getting nervous about holding the participant. Just enough to get you in the door, just liability bag,” said Andre Boysen in a conversational enough to get you to buy a product, said one participant. unconference session at IdentityNORTH about how Is that bare minimum of trust going to cause a massive liability models might look in a world of digital identity amount of liability when something goes wrong? where third parties provide ID and authentication. “Businesses are competitive,” said Boysen. “You don’t “The pragmatic point of view on how it should work,” want a high hurdle if the other guy has a low hurdle. said Andre Boysen, Chief Identity Officer of SecureKey. It’s not about zero risk, but it has to be acceptable risk.” “It’s the model we have in real-world identity. Every destination self-insures. When I use my TD bank “Every destination is careful because their business is at statement to prove my identity, TD doesn’t know that risk if they’re not. We want to keep that model. I think I’m using it….Nobody is going to buy your liability from we should copy that. If people have additional risk they you. can go to the insurance market and complement that.
“Wrapping liability into the model drives the cost into “The industry is at a breaking point now,” said Boysen. the roof,” said Boysen, whose company will soon launch “Users have 100 IDs and passwords. Verified.Me, a service that allows users to prove their “What GDPR changes is the consequence of getting identity using a mobile phone. it wrong. Fines are much higher and it changes the Businesses work on a bare minimum of trust, said one dynamic. CEOs are getting fired when they don’t manage the data well.” identitynorth.ca @IdentityNORTH Brought to you by: 52 Annual Summit 2018 Conference Report Unconference Session 4 - Liability Models
Boysen envisions a future where there are several identity providers, as there are in the credit card space.
“Do you find there are outstanding liability issues that are stalling the process of adoption?” asked Patrick from Notarius, a company that provides legally reliable documents.
“Everyone is doing what they’re doing already. We’re trying to create something new. So there’s awareness, and overcoming status quo.”
“Banks do not want anyone in between,” Boysen added. “But it’s necessary. Amazon could not exist without Visa.”
identitynorth.ca @IdentityNORTH Brought to you by: 53 Annual Summit 2018 Conference Report Unconference Session 5 - Business models
BUSINESS MODELS
Carlos Dominguez, AltoAzul Consulting Inc. Don Cameron, Mwameme
“Data is the new oil,” said Carlos Dominguez of AltoAzul “You can’t charge the bank for giving them your Consulting, at a lively session at IdentityNORTH about address,” said Dominguez. “They won’t allow that.” the future marketplace for data. “Some even say data is the new soil.” “The way to exert control,” he said, “is, you can make something scarce.” “It’s about giving (people) control so they can monetize it,” said Dominguez. IdentityNORTH Chair Aran Hamilton noted that “Facebook profiles on users cannot be managed…. But Dominguez led a discussion about how everyday it’s not about the data that I’m handing over. It’s the people might someday make a profit by selling their data they’re amalgamating and stitching around it that data to entities that want it very badly. is valuable.”
So how will it look? Dominguez replied: “It’s what they’re making out of it, the derived data.” “The way we talk about identity is a set of attributes. I could have a very complete record of my health data. The social media model won’t work, said Dominguez. What’s relevant is whether I’m healthy or sick.” “Facebook is monetizing my data. Generally the owner of the asset is the one who gets paid.” How might people go about selling the layers of their data? He asked participants to consider, “Do you want to sell or do you want to rent? Because once you sell identitynorth.ca @IdentityNORTH Brought to you by: 54 Annual Summit 2018 Conference Report Unconference Session 5 - Business models
something it’s gone. But when you rent something it’s passive income.”
When imagining the future of monetization, Dominguez said he’s looking at smart cities for ideas. Opportunity may lie in selling data to companies who make decentralized artificial intelligence (AI) systems. They can use the data people create on their phones to train AI and then sell that technology.
“Decentralized AI is a data hub that’s five or 10 years down the road,” said Dominguez.
Don Cameron, an entrepreneur at Mwameme, talked about the idea behind his business: That users could choose to operate on the internet using an online avatar rather than as themselves.
The data could then be sold to companies who would use it to create personas.
Companies want less fragmentation and more profile. If we want privacy, we are dependent on companies willfully blinding themselves.
The way we reconcile that is user-owned data and company-owned data.
Value creation is not that data exists but what that data means. Your basic attributes have no value, such as how tall you are. But there is a potential market for the generation and exchange of personas.
Monetization of data “becomes a revenue stream, renting your data to data-hungry companies,” said Dominguez. “I want to give that to people who have nothing.”
identitynorth.ca @IdentityNORTH Brought to you by: 55 [email protected] @IdentityNORTH identitynorth.ca