Keynote at the Consumer Identity World 2017 EU in Paris, France
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Keynote at the Consumer Identity World 2017 EU in Paris, France
Keynote at the Consumer Identity World 2017 EU in Paris, France
Good morning, everybody. Welcome to the final day of the consumer identity world in Paris.
As usual, we have a series of keynotes in the morning and happy to have Tony brown here. She's very long title. I think she has the longest title list, president digital ID and council of Canada. Okay. And she will talk about consumer ID will move GEP, public private partnerships, fuel to digital economy.
So Tony, what's your term. Thank you, Martin. Bon. Good morning. Thank you everyone for joining us this morning as mentioned, I'm joining Brennan, and I'm going to talk to you a bit about the digital identity approach within Canada, perhaps what some of the uniquenesses and where we see the space going and particularly around the economic focus. So to start with, I think it's good to recognize that identity is very cultural. And so I don't know where else, but in Canada you could have a, a con a concept of let us be French, let us be English. But most importantly, let us be Canadian.
So we are very cultured, the culture and the history that we come from will shape the shape of our identity program, as well as the, the model of our governance will also shape the identity program. And so when I say identity, a cultural, think that a model or a solution that may work great in Finland may not be a model or solution that can work very well in Canada and the same goes the other direction. And primarily one of the reasons for that is because we have Canada is a Federation of governments. We have 14 governments, 13 provinces and territories, and one federal government.
And they're all a bit sovereign in terms of how they work with each other. So we, we by nature have to cooperate and have to have this Federation for our identity. And because of that model, we have 14 roots of where our identity, our legal identity is instantiated within those provinces and territories. And if you're an immigrant within the federal government.
So, so that history will shape the, the, the direction that we've gone within the Canadian marketplace. And so the question we are asking ourselves within Canada, and I know many countries and regions are asking these questions and some of them have answered it already. What is the cost of not solving for digital identity of people, organizations, and relationships. And so when we, when we think of this question and when we, when we bring this into our mind, and one of the things that that we're very committed to is, is this holistic scope.
So not only the government identity, the citizen to government identity, but the identity of businesses, the identity of organizations, universities, and then the relationships between each, because we feel this dynamism, this, this holistic view is the, is the view that we actually need to take in order to grow the economy, the digital economy in particularly within. So to get a few ideas around where we see some of the numbers from our stat, can we have approximately $236 per user? This is the, in the enterprise.
So this is the employees, and this is the funds that a company will spend per employee on digital identity, password related issues from the consumer side victims of identity theft spend approximately 600 hours recovering their identity. And that is a result results in approximately $16,000 in lost income. So that's a unrealized income. So that's a view from the consumer and again, from the business as well, there, it takes approximately 173 days for Canadian businesses to identify their security breach. It takes another 60 days to contain it.
That ends up in being approximately 5.6 million in loss for each company that suffers on, on average for each company that suffers a breach. So, so our view, our vision is that identity for the digital economy is broken. And that's the problem that we're working to solve in the lens that we take within Canada. So very non-scientific simple math. What we come to is at least 4.3, 3 billion of unrealized economic opportunity within the Canadian market. And that's only looking at the, the, the enterprise loss in terms of the password management issues.
When you draw the $236 across the approximately 18 million that are in the workforce in Canada, while we're here, I'll just to give you an idea. Canada is about 38 million in population in total. The province where I'm from itself is 4.6 million. So we generally have a reasonable size population that we're working from that is spread across the second largest land mass country in the world to solve these issues. So we know there are quite large numbers. We know that we're, we're in the billions of dollars and, and likely much more than, than 4.3, three billions of billion.
And so we're commissioning a study that we'd like to release early in 2018, to help to give the world an idea of the economic opportunity and, and loss that we're facing. If we do not solve for digital idea of people, organizations, and relationships within Canada and what we can achieve going forward by collaborating to do so.
And again, we've seen Australia has already reported about 11 billion in their report from I believe two years ago in unrealized income into the Australian economy. And I believe it's 2012, the European union around the digital single market identified an realization of 440 billion or more into the European union economy by not solving for these digital identity challenges. So where are we? Well within Canada, we're, we're in the same place. I would say, as many of us from the consumer view we have, of course, you know, the social login. We have the connect Facebook connect.
We have login with Google. We, we have Twitter. So we have this, this landscape that, that average citizen consumers are very aware of.
In fact, this consumer social login has actually been a very helpful for those of us. Who've been working in Federation for a number of years.
This, this consumer social login has actually helped average people to understand what it is when we're talking about when we talk about single sign-on. So it's a great beginning. Some of the challenges that we have there is, are on some of the security. We have low assurance. Many of the identities in the consumer login are self asserted. There is a trade off, it's not privacy enhancing. So the trade off there is to connect your social login, but to trade access to some of your personal information for that.
And so the social login has low trust and doesn't draw into the economy for higher risk, higher value transactions. It is a good beginning, however, and continuing on. So looking at the, a bit of that consumer side in the citizens of government side, we also have a great beginning within Canada. So we have a, a model of leveraging third party credentials, primarily from the financial institutions. We also have a, a credential of last resort that the government will issue as well.
If you, as a Canadian are not comfortable using your financial login. And this, this model is concierge model is run by actually a non-government service, a company, which is called secure key concierge. And it's a great beginning.
And, but what it does offer is offers a citizens who log into their federal government services. So you can do everything from logging in to do your taxes, to making a reservation at parks, Canada, to the federal parks, great beginning, but some of the challenges there, and it us have higher assurance because it's leveraging the KYC and AML that the banks have performed to create those credentials. So we get choice Canadians get choice in, in, in what credential they'd like to use to log on.
And they're much more likely to remember their banking credential than they are to remember a government credential that they would only use once or twice a year, very privacy enhancing. It's a triple blind model.
So I, the credential identity providers don't know which government agency you went to. The federal government agencies don't know which credential that you used. So there's a lot of privacy enhancing protection. I think consult Hyperion did a study of the identity authentication hub models around the world, and actually identify the Canadian model as being the ones who potentially have the most power to draw across into the private sector. But so the drawbacks is, is that this model is only used for authentication.
So we don't get any access to attribute verification, and we don't get any capabilities out of this great beginning model that gets drawn across into the economy. So we still haven't unlocked that economic view, that economic lens that we've been talking about, but we have a, we have a great beginning in this service is, is live today. I would say another challenge as well here is that again, we have 13 provinces and territories, and each of them have their own login and their own service for your, to access your provincial government services. So this really is limited to the federal space.
So, so we're, of course we wanna evolve into the next model to build upon these two great beginnings now to solve for digital ID. The thing that we've learned is in Canada is that require a paradigm shift. And this paradigm shift must be delivered through a collaborative effort. No one organization alone can solve for digital ID of people, organizations, and the relationships in between. They cannot solve it alone. So they must work together.
So the, this realization that first of all, we, we want to unlock the economic benefits to help, to help society as well. And we cannot do it alone. And so that was a big realization within Canada. And that's being, I would say part of the, the beginning of our public private collaboration that we'll talk a bit more about as we move forward. So what does the paradigm shift look like?
It looks like the, a model where we can actually recognize the specific and unique capabilities of the different partners and actors within the Canadian economy, and then deliver those capabilities across into the ecosystem. And so I'm a little bit challenging on the concept of the consumer identity space. We firmly believe that we need to unlock the best capabilities of the consumer identity world with the best capabilities of the government.
So since the government identity world, and then leverage the capabilities of the enterprise to get a holistic model that will then have the power to fully move the G DB GD to move our economy, the gross domestic product, and to, and to unlock and remove the transactional, the transactional friction, that average everyday users feel as well as governments and as well as businesses.
So this model looks to leverage the authentication and KYC of financial institutions, the tele code geolocation and mobile device capabilities, as well as the technology service providers there, the universities, the community within the universities, within the research as well. And the government assertions to verify, to verify attributes, to be able to say, am I over the age that I need to be to make this purchase? Am I within the salary range that I need to be to access this financial loan or this grant?
Am I in, do I live in the province that I need to live in in order to transfer this land title and perform these higher transactions online? So the model is that's evolving, is distributed. It leverages some of the notions of blockchain, particularly Hyperledger. I will be very clear that there is no notion of storing identity data in the blockchain with a blockchain in this case is being used for more. So is for the cryptographic protection of a consent event, not for identity data and also tokenized model.
And so we're looking toward where, where, and how does the tokenized approach play into this model as well, so that we can get near term solutions as well as move toward the longer term paradigm shift for attribute sharing and attribute validation. The major partners here, the major banks, the telcos and the payment networks are all collaborating with the universities and the government to, to both codify and standardize this model.
And ideally identify standards that exist in the world that will support this model, but then also identify where perhaps new standards need to be created to fit the direction that we're moving and not removing. And, and so if you think about, we all have mobile phones, we would, I, you know, in my younger days you would check for your keys and your wallet before you left your house, then your keys, your wallet, and your phone, perhaps in the future, you're just gonna check that you have your phone in your house.
And so we all know that we have these phones, they're consistent with user behavior, and they're something that we're all aware of. And in fact, mine is right here. We would know right away if we lost it, we would know if there were some sort of bad actor that was, that had gotten access to our phone. And so again, if we go back to the beginning where we talked about 173 days to identify a breach, if we take that long to identify a breach, we're never going to be able to solve for this paradigm.
And so when we bring the phone in, when we bring the user behavior in the consistent user behavior, something that they value and they care about, then we have more opportunities for shared signals because people will let you know right away that they lost their phone and do a, a wipe of that phone and, and stop the damage that might have been occurred by, by losing access to that. As well as in this model, we have the concept of data requesters as well as data verifiers.
And so again, the, the authentication hub model was great for authentication, but quite often the real interesting piece is do I have the right attribute verification to be able to perform the transaction that I want to am I over the right age? Am I within the salary range? And the key here is data minimization. We don't need to continue to fill out forms and push data around. We need to only be able to answer these yes or no questions, and we need to sustain the relationships that businesses want to have with their customers.
And that governments want to have with their, with their citizens and governments need to have with their citizens. So it is a shift in thinking, in terms of how we, how we achieve the ends to our means. And key here is privacy by design security, user centered and giving Canadians choice and how they interact. So now public private collaboration model, it is a quite a long title. The digital identity authentication council of Canada. You will not be quizzed on that title.
So, so rest easy, but the, our public private partnership was created out of, it was a result of the electronic payments task force. It basically in 2008, 2009 in the global financial crash, the minister of finance calls for an electronics payments task force to review Canada's payment system, that task force had members of the public and private sector together. One of their recommendations in order for Canada to have the best secure privacy enhancing payment system was that we needed a digital identity and authentication framework. That kernel was the kernel that formed the DIAC in 2014.
Of course we realized it's actually way beyond authentication as well, but it was a salient finding. And that's the kernel of our creation. I would also draw your attention to something that might be slightly different about the DIAC is that our mission is actually to unlock the benefits of the digital economy for Canadians.
And, and so that's slightly different. We are an identity association, but our mission is to unlock the digital economy. And so that gives us a slightly different lens as to how we look at the picture. And that's part of why we view the people, organizations and relationships as being the minimum that you need to verify for a trusted ecosystem. The three functions that we perform as an organization is outreach innovation and interoperability. And I'll tell you a little bit about the outreach. I often have to go into visit MPS and explain digital identity.
And so these are people of influence perhaps within government. They don't really understand what the challenges are. And so again, it's critical that we all work together on this kind of an outreach, because we, we will achieve this paradigm by working together. And one thing that all of, whether you're in government or business can understand is growing the economy. And so it's that economic lens that has actually made our public private partnership work within Canada, we're growing sector or we're growing organizations.
So you can see, we do have government orders of government sitting together with major financial institution, telcos banks, and more so it is a, a growing community as well as international, as well as international members as well. So we believe if we can verify the people, the relationships and the organizations, we will actually meet the needs of the digital economy versus only focusing on the personal identity piece of the puzzle.
So where we're going is to identify our requirements, to feed into a trust framework, business, legal, technical requirements, with the, with the needs of simple, secure, and privacy by design, as our, as our guiding lights and our principles, the public private partnership will also help to sustain Canada's workforce, which we do need to sustain to, to fill these jobs of tomorrow, to support our startups, to help with partnerships of small, medium size enterprises and help to connect those capabilities of our banks, our government, our universities, and our businesses, so that Canadians will have a model that they can use with confidence.
And that that model will be interoperable around the world as well. So it may be a interesting view, perhaps a slightly different view than some of the other regions are taking. But I think in principle, we're all working toward the same achievement. And I would leave you with identity is very cultural and Canada is, has never actually been a melting pot. Like the us it's been more of a tossed salad. So we need to be able to recognize all of these different cultures, all of these different pieces.
And that's why our system is focused on choice control privacy by design and security that Canadians can use with confidence, both at home and around the world. So that's our approach and thank you for your time.
Thank, thank you, Tony. And I think it's very interesting because what you're talking about, decoupling the identification and the customer record. So I think it's a frequently found misconception that you, that those are directly coupled. And I think this is something you, you do different, but one question which pops up in these discussions, I think very frequently is about liability. So what if something goes wrong? Who's liable.
Yeah, you must have accountability. And so one thing that we find that is also interesting around moving more toward a network or, or networks for digital identity attribute verification, is that having, I think at least within our realm, there's a lot of interest within Hyperledger, for example, so that when you can you verify organizations that are coming in and you have a good understanding of who they are, we have to be able to read back to the, to either the government or the banking KYC, so that we know that that was performed.
And we have to have the model of say what you say, what you're going to do and do what you said that you could do, and then prove it. I think also in terms of liability, we're, we're shifting a paradigm as, as well, a bit in terms of starting to think about it as the destination service, who wants to consume the identity, sets their own bounds for what they're willing to accept in terms of the risk.
So it's starting to move a little bit more dynamic and levels of assurance and into a place where I, who, who wants to perform a transaction and this network set my own bounds, and then I can be matched with an attribute verifier provider or provider who also matches within those bounds. Okay. Thank you. Thank you.