If you work in digital identity, it’s likely you’ve heard of Colin Wallis, Executive Director of the Kantara Initiative, the international industry association globally acknowledged for its ethos of no barriers to participation and most recognised as a Trust Framework Operator of conformity assessment and Trust Marked schemes for digital Identity, Credential and Consent Management Service Providers. Kantara is the only organisation operating a 3rd party assessment and assurance scheme for digital identity solutions seeking conformance with the US NIST SP 800-63-3 standard. Kantara actually comprises three entities: the Estonian-incorporated Kantara Initiative Europe, the Kantara Educational Foundation and the original entity, established over 10 years ago, Kantara Initiative Inc.
Colin develops and executes the Kantara Initiative’s strategic plan in concert with the Board and Leadership Council, driving the organisation forward on a broad front with the financial support of private, public sector and individual members from every region of the world and the assistance of a dedicated band of expert volunteers. Colin’s work has been recognised by his being named one of the Top 100 Influencers in Identity by independent research company One World Identity. I grabbed him from his busy schedule to ask him what the latest is from the Kantara Initiative and his thoughts on the digital identity space in this period of rapid change.
How are Kantara and its members experiencing and reacting to the current global situation?
With our members and participants spread across the world, there’s great comfort in sharing and contrasting experiences in our global community. Whatever our individual case in our country, we are united in our goal towards effective, secure and privacy respecting digital identity solutions whether it be in contact tracing, evidence of testing or eligibility for emergency assistance.
Members digi/me, ID.me, Identos, Folio ID, MIT Trust:Data Consortium’s Safepath and Transmute Industries amongst others, all reworked their solutions and re-focussed their expertise to respond to the crisis and Kantara is proud of them and other efforts in the wider international community.
How do you see the effects of the pandemic impacting digital identity beyond 2020?
I think it has been a fundamental wake-up call and a game-changer for digital identity but also privacy of (and agency over) personal data. This pandemic and the ones that follow will sharpen the debate about the contexts under which anonymous, pseudonymous or veronymous identification should take place, just as it will sharpen the debate about the context under which personal data attributes, including COVID-related attributes are stored and released.
I see that as a good thing – perhaps one of the very few positives that might result from this truly awful period in our history. These are difficult conversations to have and often made harder because to date, relatively few people have cared. It’s unfortunate that it has taken the magnitude of a global pandemic for statistically significant numbers of people to take personal, risk-based decisions for themselves and in so doing, become more sensitised to the risk-based decisions authorities are making on their behalf in a range of contexts. And that’s fine in developed nations where the choice is possible, but not at all fine in under-developed nations and in authoritarian nation states where choice is not possible.
Global crises are perfect environments for exploitation, exampled through identity fraud and identity extremism, attacking good people going about their business and organisations doing good work. As a result I do foresee extra impetus (should more be needed) towards self-issued credentials in certain contexts.
What’s high on Kantara’s agenda right now?
Having the broad scope that we do, that ‘high’ list is substantial! Nevertheless, Trust Marked conformity assessment and certification through our Assurance Trust Framework continues to top the list. It is driven by both new policy and the practical realities of the current situation, where the demand for evidence of legitimacy of digital identity solutions from reputable globally acknowledged organisations like ours has never been greater in our 10 years of Trust Framework operations.
Recent demand for higher levels of identity and authentication assurance and for federation assurance in 800-63-3 has seen our Identity Assurance Work Group very busy with developing the assessment criteria for those. Not surprisingly given current circumstances, Healthcare and Financial Services have joined the US public sector in driving that demand. As more digital identity and privacy Trust Frameworks around the world exit their development phase and enter an early operational phase, there’s greater interest in Kantara potentially white-labelling those operations.
It doesn’t stop there either. As the ISO standards to support the mobile Driving Licence get closer to fruition, so does the potential to use them as a mobile identity, outside of their core purpose. Conformity assessment and assurance is necessary in that context also, to give the relying party confidence in them appropriate to the identity related risk in the use case, and Kantara is receiving expressions of interest for its community to develop and offer services in that space too.
Beyond its assurance related Trust Framework operations, high on Kantara’s agenda right now are further developments on its Consent Receipt specification (both upstream towards a broader framework and downstream towards jurisdiction-specific profiles) and its User Managed Access specification standardised extensions for new permissioning and delegation flows to reflect current practice in Healthcare and Financial Services.
Could you tell our readers a little more about Kantara’s Consent Receipt project?
I figured you’d ask me that because it was one of the projects that attracted Ubisecure to Kantara some years ago!
The provenance of the work goes back many years but its beginnings in Kantara were around 2012 – a year or so after Kantara’s formal liaison with ISO SC27 Working Group (identity and privacy technologies). As the community became more aware of the likely shape and form of the GDPR and people’s need for both data portability and interoperability to manage the ever more interwoven online relationships over time, the complexities relating to consent as one of the six purposes for processing of personal data became clear.
On a blank canvas since nothing existed, the form fields of the Consent Receipt were drawn. A simple example of the Consent Receipt can be found in Annex B of ISO/IEC 29184 Online privacy notices and consent. To this day the liaison with ISO continues to inform the direction and selection of work to support international standardisation efforts, ISO TS 27560 Consent record information structure in very early draft form, being a case in point.
Today, multiple Kantara project streams, from high level frameworks through refined receipts to ontology and taxonomy, all aim to provide a suite of supporting artifacts for input to these and other standards & specifications, not only in ISO but also in other industry consortia and SDOs. Brian Behlendorf at the Linux Foundation recently remarked that aspiration does not always stop at the exit of the work from the group that developed it – it can and should carry forward into the execution and operation of the artifact in the field too. I think Kantara’s mantra ‘nurture, develop, operate – that’s what we do’ goes a long way to achieving that virtuous circle’s synergy.
Find out more
Colin was the very first guest on Ubisecure’s Let’s Talk About Digital Identity podcast. Listen to the episode here.
Oscar Santolalla, Sales Engineer at Ubisecure, demoes the Kantara Consent Receipt on YouTube. Watch the video here.
Follow Colin on Twitter @KantaraColin.
Follow Kantara on Twitter @KantaraNews.