Let’s talk about digital identity with Colin Wallis, Executive Director of Kantara Initiative.

Welcome to the very first episode of Let’s Talk About Digital Identity! Today we’re keeping up with the Kantarians, as they celebrate Kantara’s 10th anniversary.

Join Oscar as he chats with Colin Wallis, Executive Director, about the Kantara Initiative, how they’re different to other associations, their consent receipt project, and the main challenges in digital identity – present & future.


“You can’t really have good privacy without good identity, which relies on good security.”

Watch a short demo of the Kantara Consent Receipt on YouTube – www.youtube.com/watch?v=BW578dJRNCI&t=1s

Colin leads the Kantara Initiative Inc., a globally acknowledged ethics-based, mission-led Trust Framework Operator of conformity assessment and Trust Marked schemes for Identity, Credential and Consent Management Service Providers, and the only 3rd party assessor of services seeking conformance with NIST 800-63-3 IAL2/AAL2. Kantara’s open and inclusive philosophy to community development attracts the leading edge of identity and privacy innovation in its Working Groups that in turn attract R&D and sponsored funding. Colin develops and executes the strategic plan in concert with the Board and Leadership Council, driving the organisation forward with the help of a dedicated band of expert volunteers. Colin’s combined public and private sector background in online identity and privacy continues to ensure that the Kantara Initiative program is aligned with multiple eGovernment strategies in Australia, Canada, New Zealand, Sweden and the US while influencing others in Europe and around the world.

Building on 15 years of contribution to international standards and consortia, Colin maintains other leadership positions across the consortium space in Information Security, Privacy and Trusted Identity. He represents Kantara on the OECD’s ITAC (Internet Technical Advisory Committee) and is a Board Director of the US NSTIC IDESG. He resigned his role as NZ’s HoD in ISO JTC1 SC27, his Board post on the Cloud Security Alliance’s (CSA) NZ Chapter and his positions in OASIS, all linked to his public service employment in New Zealand, before moving to the UK early in 2016 to run Kantara. Colin was named in OWI’s Top 100 Influencers in Identity in 2018.

Find Colin on LinkedIn and on Twitter @KantaraColin.

Kantara Initiative operates conformity assessment, assurance and grant of Trust Marks against de-jure standards under its Trust Framework program whilst in parallel nurturing ‘beyond-the-state-of-the-art’ ideas and developing specifications to transform the state of digital identity and personal data agency domains.

Find out more at kantarainitiative.org and www.kantarainitiative.eu. You can also find Kantara on LinkedIn.

And here’s the link to Standard Label, as mentioned in the episode: standardlabel.org.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


[Podcast transcript]

Let’s talk about digital identity. The podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Welcome to the first episode of Let’s Talk About Digital Identity. Digital identity is a challenge for everybody; people, businesses, government. Thanks to open standards, we can navigate securely on the Internet. And this is a product of hard work by organisations such as Kantara Initiative, which this year celebrates 10 years. And we are going to hear more about Kantara Initiative and who could be the best person to tell us about it than our guest today.

Colin Wallis is the executive director of Kantara Initiative, the global non-profit trade association dedicated to improving trustworthy use of identity and personal data through innovation, standardisation and good practice.

Kantara operates trust frameworks to assure digital identity in privacy-oriented service providers and manages grant funds both sides of the Atlantic and is home to two open source specifications in the top 5 trends for 2018 noted by KuppingerCole – UMA and the Consent Receipt.

Colin’s combined public and private sector background in online identity and privacy builds on 15 years of contribution to international standards and consortia, Colin maintains leadership positions in OECD ITAC and ISO SC27 in topics around Information Security, Privacy and Trusted Identity. Hello, Colin.

Colin Wallis: Hello, Oscar, and thank you so much for inviting me on to the podcast. Thank you also to Ubisecure, who is supporting this. So, it’s a pleasure to be here and looking forward to spending the next 30 or so minutes with you.

Oscar: It’s always a pleasure hearing your voice. So, yeah, Colin, let’s talk about digital identity. And we are going to talk about Kantara Initiative. So, please start telling us a bit more; what is Kantara?

Colin: Right, okay. So, thanks; different accents here. So, you can tell that perhaps, although I’m personally based in the UK, that’s a New Zealand accent that you’re hearing; slightly flatter than perhaps New Zealand accents for people who have always lived in New Zealand. But that’s where I come from and it’s a pleasure to be here with you today.

Actually, in the introduction there, you quoted Kantara’s mission and vision statement, and that’s pretty accurate. Certainly, it’s around giving a better standardisation and increasing confidence and user trust in Internet technology. And that’s certainly what we do with our specific focus on digital identity and access control and personal data.

Certainly, it’s an interesting organisation because Kantara is really a mix of three organisations. And I should probably try and state that out a little bit more. You’re quite right; it’s been 10 years. We’re coming up for 10 years in June [2019], actually, since the inauguration back in the US.

And in those days, of course, we started off as one in the US parlance is called a 501(c)(6) for tax purposes. That’s an industry organisation or business league. That is a non-profit tax structure.

And that was what we started with. And actually, right through, the first executive director was Brett McDowell, who’s now executive director of FIDO, although you might have heard recently, this recent news, he’s moved to Hedera, I think, or at least in part. I think he’s sort of half his time in FIDO and half of his time is in Hedera, in the blockchain distributed ledger space.

So, he was the first executive director. And in fact, it was under Brett that Kantara originally was established as a Delaware-based organisation.

And then that carried on very much through the next executive director, well known across the world as well, Joni Brennan. Joni is now the executive director of DIACC (Digital ID and Authentication Council of Canada).

And I’m the third executive director. And this is where some things changed along the way, because I moved Kantara to a much broader scope. So, in fact, today, Kantara is not only the original 501(c)(6) Industry Association incorporated in Delaware in the US, but also, it’s been joined by a 501(c)(3), which is actually a public good charity, really specifically around — Well, I’ll come to the history of what it is — but it’s certainly assisting grant funding in the US.

And probably most important for this audience is Kantara Initiative Europe, which was incorporated early in 2018, January 31st, to be precise. And that’s incorporated in Tallinn, Estonia, and continues to show great success throughout Europe.

So, it’s actually, effectively, Kantara is a brand. It’s a brand that associates — We would like to have various associations with that. One is its ethics and ethos that actually runs through all three of these different financial entities. And that is that it’s ethics-based and has a strong ethos of participation, low or no barriers to participation.

So, many non-profits these days, folks say, “Non-profits, they must be great. They’re not for profit, therefore they must be great.”

But a lot of non-profits, and they do some great work, but many of them are very exclusive in the way that they operate. So, they are absolute hard out pay-to-play. If you don’t pay your membership fee, then you get no benefits; you don’t get to participate.

So, it means that a lot of the work gets locked up in almost like sort of an exclusive club or cartel and that’s absolutely not what Kantara wanted to do. And Kantara’s board was adamant that we were going to strike off in a new direction in 2009.

And it certainly, is a difficult business model to build, because, in fact, when you open up your organisation to anyone who can come and participate on your community work groups to help build standards, and of course, by that, we get very good standards and best practice because we’re getting folks that perhaps sometimes can’t afford the large membership fees.

But nonetheless, they contribute greatly to it. And as a result, we’re able to get much better products, if you like.

But imagine when you’re giving away half your assets for free, it does make the business model difficult. Which means that we are hugely grateful to for-profit organisations, such as Ubisecure, who see in their corporate responsibility mode, see the need and the motivation to join Kantara and supply it with some funds to enable it to support the infrastructure to allow folks that don’t or haven’t joined, but still will have great value to add, to come into the business.

So, that’s where we are today. We’re basically three organisations. We’re a global brand. We have members from all over the world. We have members in the private sector, the public sector and also the not-for-profit sector and individual members as well. So, we cover the whole range.

And it’s interesting as we’ve gone on, we’ve started off in that; very close to the digital identity space and very much in the US. And as time has gone on, we’ve been actually joined by the personal data folks and the privacy folks, because they fully appreciate that you can’t really have good privacy without good identity, which relies on good security.

And so, it’s natural, really, when you look at personal data vaults in stores and consent management systems and so on, you can absolutely appreciate why they might be drawn to Kantara, because that was our original expertise; that was our focus point. And they understood that looking at some of our conformity assessment programs, which actually started with the US government and have moved out from there, that having that sort of kind of baseline, that deep understanding of how identity management service provision works and how to get that to a point where you can audit it and Trustmark it, is something very, very useful if you’re in the business of privacy and personal data.

And being able to, for example, thinking of one of Kantara’s other specifications – the Consent Receipt – to be able to basically make sure that you are actually delivering the Consent Receipt to the correctly identified and authenticated person who’s on the website. I mean, this is pretty critical stuff.

Oscar: Yeah. It’s as you said, this openness from Kantara –. Well, everybody who is really, truly interested and passionate about building standards on digital identity, it’s very beneficial. And I know it because I have been part of that already also for a bit more than one year and connected to the work group that works with Consent Receipt that you just mentioned. And, yes, there are people from wide backgrounds; individuals, consultants, academia and of course, companies.

And now that we talk about Consent Receipt and it’s one of the interesting points about Kantara, could you tell us what it is?

Colin: Yes, absolutely. It’s interesting, the work in the specifications and best practice, along with our R&D and innovation program, we call it KIPI (Kantara Identity and Privacy Incubator). Those two programs, if you like, the community-based standards and best practice development program and the R&D are really feeders into Kantara’s real focus point, which is around conformity, assessment and assurance and trust marking of solutions. So, these two are feeders into the sort of flagship, if you like.

Now, looking at Consent Receipt, it’s a perfect case, actually, a classic case of how Kantara has contributed, in a global way, to supporting the furtherance of privacy and personal agency over data about them around the world that individuals have.

And we actually do that not so directly with those end users, but through their companies. They are customers of organisations and service providers providing services on the web.

So, Kantara Consent Receipt was a classic case about how that came to pass. It actually started off as the Information Sharing work group, not the Consent and Information Sharing work group.

We actually started off with the information sharing agreement. And you could actually find that there are folks who have adopted that and carried it forward, ??? is possibly the most well-known of late.

But you’ll see that there was actually some early work called the standard label. So, if you look at standardlabel.org, you’ll actually find the original information sharing agreement and the structure out of that original work group. And that work group started around 2012, from memory. And that was probably our first foray, Kantara’s first foray, outside of the pure play digital identity space.

It was joined later on with consent, adding consent and information to information sharing. And that was with the knowledge that the European data protection, the directive was being replaced by the GDPR and that how critical consent was, as one of the six bases of processing and potentially, the most difficult for an industry practitioner to work with.

So, that’s really how the Consent Receipt came along. And we recognised very early on that there was going to be this need to be very transparent in the way that when you talk about the collection of the data, the purpose you’re collecting the data for, how long are you going to keep it for, and all of those things under GDPR, that you’re going to have to give the user a clear picture about what it is that we have agreed. And that would naturally be viewed through a viewer, but also go in a machine-readable sense into a personal data store.

What’s happened there is– here’s a classic case where industry saw a gap; there was just simply nothing there. And actually, to this day, there is no other equivalent to Kantara’s Consent Receipt.

So, we went and created it. And it’s now Version 1.1. And what we actually saw is other work coming up, out of ISO in particular, we saw that there were standards being created out of there. In fact, these {indistinct 16:25} were coming to draft international standard. It was {indistinct 16:28} just earlier this month, but it’s now draft international standard of ISO 29184 Online Privacy Notices and Consent.

And here was a classic case where consent was already being mentioned, but there was no ability to explain what that meant in words. So, Kantara was asked to contribute a sample of Consent Receipt in a sort of a pictorial form, physically what a user might see in the viewer, as an annex into that standard.

And that’s actually just going on. And it’s just a perfect case of showing how industry starts with a blank sheet of paper, builds something, refines it because we wanted to make sure that it was adopted by industry and we had good adoption rates before we submit it to an international standards organisation for internationalisation. And that’s a perfect case of what’s happened there.

So, what it is, is basically all of those fields that you might imagine when you look at a notice and the privacy notice is sort of telling you about the data process you are going to process, for how long is this going to be — Sorry, the controller is saying the data that they’re going to capture, who’s going to process it, for how long and so on.

We catch all those in a series of fields. Some of them are mandatory, some of them are optional. But the idea is that the user has a clear summary, just like you would in a physical receipt if you were buying something over the counter, a clear summary of what it is you bought and why you did it. That’s it.

Oscar: And we are really having these transactions all the time, right?

Colin: We are.

Oscar: For instance, you want to buy on a webshop you have to do that. You go to read a magazine, online magazine, they will ask your consent. So, this is all the time.

Colin: Absolutely, absolutely. And it brings me to mind, Kantara’s other flagship piece of best practice, which is UMA – user managed access. So, here’s another case where industry saw it’s built on OAuth, right? So, the OAuth protocol, which is great.

But it was actually the OAuth protocol was really designed to be a two-party thing; it was never really built to be a multi-party thing. And so, many of the transactions that we have today, in terms of sharing data, involve multiple parties. I mean, if you think of financial services where you’ve got your bank, your insurer, your pension funds, all of these folks, your financial adviser, all of these folks need to have access to certain parts of your data and to be able to help you with it. And you want to, as a user, you want to have personal agency and control over how that is shared, who is having it, for how long and so on.

So, it’s very similar to the Consent Receipt in that sense, but it’s certainly more directed towards extending OAuth into particular cases where you need federated or authorised delegated access.

So, classic cases; I talked about the financial services, but health care is another great case where you’ll find that; where you’ve got your own general practitioner, your doctor who has some of your records, but your specialist will have other records. And the specialists will want to share some of those with the hospital because you’re due for an operation.

At the same time, you have a Fitbit, which also is being supplied to you because it’s regulating some part of your body temperature or pulse or whatever and these things are critical for the particular treatment you might be given.

This is very personal data and the way that the user is able to control and manage those and delegate access at the appropriate time, reduces the possibility of security and data protection issues by having all of that data duplicated. To say nothing of the time delay by photocopying and emailing and third party, which is just a sure way to have you in line for a data breach with all of your personal data spread across the health care system, rather than actually being in one place and allowing you to authorise its release to a second person.

Oscar: Another of your flagship specifications and projects that you’re working on are UMA and the Consent Receipt. So, some products of the excellent work that Kantara is doing in these years.

Colin, it is great to hear this fabulous project you have just described with Kantara. I think something I didn’t ask you is what is the origin of the name Kantara?

Colin: Oh, yes. Yes, interesting. Interesting story there, actually. Because, like so many organisations, it’s made up of an acronym. You know, thinking of FIDO, Fast Identity Online, and DIACC, Digital Identification Authentication Council of Canada.

Kantara’s is very long for an acronym. In fact, the name was contributed by an initial board member, Nomura Research Institute (NRI). And while that may mean not so much to folks listening to this podcast, certainly the Nat Sakimura will do.

Nat is the chairman of the OpenID Foundation and instrumental as the co-author of the OpenID Specification, OpenID Connect as well, which he did with John Bradley and Mike Jones and has certainly been instrumental in providing us with this name.

Now, what does it mean? Well, it actually means ‘bridge’ or more specifically, ‘wooden bridge’ in Arabic/mid-Swahili – that mid-African language.

Now, how would Nat, who is clearly Japanese, you can tell by that name, would actually provide us with an African-Arabic suggestion for the organisation?

And that’s because actually, Nat Sakimura’s parents were diplomats and while he was born in Japan, he spent a lot of his younger childhood in Africa, in various different countries throughout Africa as his parents were doing the diplomatic good works with the Japanese government there.

And so, he understood and learned Arabic and mid-Swahili while he was there. And he thought this was a perfect name, which reflects what Kantara does; bridge.

And actually, you can see that, if you go to Kantara’s website, kantarainitiative.org or kantarainitiative.eu or edu.kantarainitiative.org, you can actually see that it’s a — some people call it a rainbow, and that’s sort of coming quite close. But it’s that showing that kind of semicircle in different colours and different hues. And the rationale of taking that kind of that bridging effect, if you like, the rounded bridge to connect different communities together is a core part of what Kantara did.

And it probably leads in nicely to some of Kantara’s history. There was a time — Certainly, there’s always been, I think, between organisations, between industry, you know, there’s some friction at times. But in the early 2000s, there was a significant amount of friction in the early web services space, particularly between main industry players.

And potentially, we had certainly, with some of those large organisations at the time, CA, HP, Microsoft, Oracle, Sun and so on, IBM, there was a significant amount of friction around the web services specifications coming out of OASIS.

And of course, the specification was being done in OASIS, but the adoption and the extensions were proposed to be done in other organisations.

This was at the time of the birth of the web services, certainly the Web Services Federation (WSF), out of Kantara’s forerunner. And we also had web– WS, we absolutely had a similar thing from Microsoft.

So, actually, what we had is quite a lot of industry friction, if you like. And what we tried to do with that was to heal that. When we decided that — You know, “When we”… it was way before my time. But when the industry decided that actually, the whole movement had moved from XML and SAML and SOAP based to JSON and OAuth protocols, really there was nothing to fight over anymore; everyone knew that the technology had moved on, they needed sharper and shorter things, much easier specifications for developers to work to.

So, they basically put down their spears, put them back in the locker, and what Kantara wanted to do was to heal that, to be a broad church and to offer any player a role to come in and to contribute and not be forced in any way to pay to play or whatever.

And that actually remains absolutely a focus of the board today; that the board is adamant that it will not lose the ethos of allowing anyone in the community to come in and contribute to the best of their ability and to the motivation.

Oscar: So, the history of Kantara has been to build this bridge. And it’s nice to see now that you were explaining the logo, I just saw it in my screen and now I understand more of what the logo is saying. The circle bridge or curly bridge. How would you describe it?

Colin: Yes, that’s right. And that’s the history.

Oscar: That’s the history. And now it’s time to celebrate the 10 years. So, could you tell us where and when is the party?

Colin: That’s right. Still to be determined.

Oscar: Okay.

Colin: Certainly, you’re going to see in the next few months, much more coming out about the 10th anniversary.

The thing is, we struggled with the party because we’d need to have many parties in many parts of the world. We’ve got members spread right across the world.

But certainly, we’re going to be focusing around the events that we traditionally attend and plenaries, both in North America and in Europe. So, we’re looking forward to using those as opportunities to reflect on our past 10 years and where we go going forward. We’re looking forward to doing that.

Oscar: Yeah, exactly. That’s what I would like to hear now. But if we focus more on the present than in the future, what would you say now that are today, the main challenges in digital identity?

Colin: Well, certainly, we’ve got some really big challenges. I think most people are aware of the issues with passwords and this is a real big problem. And the thing about it is actually that you’ve got to be very careful about the role of digital identity. It’s absolutely critical. But it was never really designed to be an end in itself.

And I think that’s one of the issues that the industry has faced, certainly observing that many organisations find their niche in digital identity and therefore effectively recreate the challenge rather than moving on.

From a user’s perspective, they want digital identity to be ubiquitous. They don’t want it to be this awful enterprise-oriented username password thing that it is today. And that’s why it’s so important to support those folks, not only Kantara, but the other organisations, such as FIDO Alliance and Yubico and YubiKey, who have been doing so much work in providing easier ways in which to manage the authentication.

The other problem we’ve got with digital identities today is that we’ve got this replication or repetition and duplication of personal data sprinkled and spread across a multitude of services that the end user might be visiting, because they keep asking for that same data.

And part of the problem is, and this is not a technology thing– This just had to do with, first of all, that authoritative sources of data often are governments and government has been reluctant to expose that data in a way that can be received by relying parties with the consent and an explicit consent and permission of the personal user whose data it is.

So, from that perspective, I think that’s partly the problem why organisations tend to re-collect that.

Of course, the other reason is we know from the big social media platforms that data is the new oil of the Internet. This is the way in which they’re mining their data to be able to link it to other things and then add value to it without your knowledge, without the user’s knowledge or really explicit acceptance to make money as they sell that on in one way, shape or form to third parties. So, these are significant challenges today.

And we have many more techniques, not many of them new. If you even look at some of the blockchain distributed ledger stuff, I mean, it’s not new. It’s just recast for a different context and a different use.

So, I do think while there is a lot of hype on the blockchain and distributed ledger space, there are going to be some use cases where that’s going to be helpful. I also think that as security, and we understand how things can be better secured these days, that we’re going to have more authoritative sources finding ways to release that data in a secure and private way to third parties with the user’s consent in the flow. And I certainly see the adoption and the expansion of those things as pretty critical.

I think the other thing is, as we talk about digital identity and I’m coming back to my first point, was that digital identity is a ubiquitous thing. I mean, what are we doing digital identity for? We’re literally wanting to get to the point — It’s a path along the way to get to the point of entitlement. We just want to know that this is the person who’s entitled to a service and we’re not dealing with a fraudulent digital entity. And we want to make sure it is the right person that we are dealing with before we give them entitlements as serve as A or B.

And so, in that sense, that’s really why, of course, Kantara went into user-managed access and why that is currently sitting for international standardisation in the IETF very much as consent procedures fitting for standardisation in ISO.

It’s a step along the way and I think we’ve got to be mindful that we’re talking about a digital economy play of which digital identity is an important and necessary step, but it’s a means to an end, not an end in itself.

Oscar: And what are you expecting for Kantara in the next 10 years?

Colin: Yes, interesting. You know, we have a broad scope and that is a blessing and a curse. Because to try and keep an organisation spread across the world with a global brand, global membership, both doing feeders from its community groups for best practice and standardisation, as well as the R&D, a lot of it’s happening in Europe now, and all feeding into conformity, assessment and trust marketing and trust frameworks. It’s hard to know what to actually leave out.

And this is actually a monthly discussion, a fixed agenda or a topic on Kantara’s board that currently comprises ForgeRock, Experian, the Internet Society and digi.me, as well as Kantara’s own Leadership Council, the operational side of the work groups and so on.

And between the five of them, we have this as a fixed agenda item. Because it is a broad scope and yet not one board member is interested in letting one piece go because the rhythm of Kantara is essentially those three elements; the R&D, the conformity assessment and the standardisation group practice, working in a kind of orchestration. No one really wants that to leave the organisation because it’s really at the heart of it.

I do think, though, that we’re certainly going to see much more emphasis on third-party conformity assessments in the next 10 years than we’ve seen in the past 10 years.

We certainly started to see that, initially with governments and to some extent in the financial services industry, if you think of PLCs, DCIP and so on. But what I should say is that I do see much more emphasis on that. I also see a shift actually, I think, towards Europe.

One of the interesting things that Europe has done with GDPR and eIDAS and ePrivacy coming up, is it’s given motivation for industry to get on and do things in a way that sometimes, you would like to think that industry would be self-motivated to do, but doesn’t always achieve that. And I think we end up in that hodgepodge of some kind of regulation that we have in the US. But where no one party is strong enough to motivate a whole industry to change its behaviour.

I do see that in Europe. And I think that certainly Kantara’s presence in Europe through its Estonian base, certainly in the H2020 funding in GI Trust and some other H2020 projects coming up, will play a major role in how Kantara focuses and expands its trust framework operations and Conformity Assessment Programme in Europe. And certainly, looking forward to giving announcements on how that’s developing in quite a short time. Thank you.

Oscar: Yeah, it’s very interesting. There’s a lot already fully planned at Kantara through your leadership and everybody who is working with you. So, many things are definitely coming and it is great to be part of that.

So, we are a bit heading to the end of this conversation. We’ve been talking about specifications, what the industry is doing, and the governments. I will ask you something that is more into the individual, something that any of us can do. If you can leave us with a tip of some practical advice, what can we do to protect our digital identity?

Colin: All right, thank you. Well, there’s a number of things, but I think the most critical today is to use a password manager. We still have far too many passwords. This is going to go, but generally, if it was a tip for today, I mean, it won’t be the same tip in a year or two years’ time. I think I remember saying this two years ago as well, but it’s been slow to take on.

But use a password manager to manage your passwords rather than have them sprinkled and spread around across the Internet and forgetting what they are and actually then reusing the same ones so that if one gets stolen, then you are in kind of deep trouble. Because you have used that, it only takes a hacker to hack your password once and because there’s a data breach on a particular service provider that you use.

And then, of course, you’ve got to think about where else you’ve used that password. You’re managing hundreds of passwords; you might have reused that password 60 times elsewhere. We’ve got to get out of that habit, I think is the very first thing.

And the second thing is be very careful about minimising the amount of personal information that you provide. So, look for sites where minimal identity information is being asked for. And be sure to be careful about how much you spread that around.

And I would look to focus on sites where you might have an existing longer-term relationship and be mindful of looking at new sites. Inspect new sites very, very carefully. Look for news sites such as when you look at a website, look for the green code for sure. Look for the green code to make sure that the site is a safe one; it’s got EMV certificates and so on.

Oscar: All right, thanks a lot for these tips; couldn’t agree more. And thanks a lot for this very inspiring interview with you, the history of Kantara and all the work you’re doing with other organisations, enthusiastic people in companies who are devoted to secure the identity of everybody.

Colin: Thank you, Oscar. And thank you Ubisecure for the opportunity. And looking forward to sharing more news as our 10th anniversary year rolls on.

Oscar: Thank you very much. And finally, please tell us how we can find you on the net?

Colin: Of course, yes. Well, me personally, @kantaracolin. And also, the Kantara website, www.kantarainitiative.org and also kantarainitiative.eu.

Those are probably the best places to find this. You could also, of course, find us on LinkedIn, just looking for Kantara Initiative. Look forward to seeing you there.

Oscar: Excellent. Again, Colin, it was a pleasure talking with you. And all the best.

Colin: Thank you. Thank you, Oscar.

Thanks for listening. Let’s Talk About Digital Identity is produced by Ubisecure. Be sure to subscribe and visit ubisecure.com/podcast to join the conversation and access the show notes. You can also follow us on Twitter @ubisecure or find us on LinkedIn. Until next time.

[End of transcript]