Monthly Archives: May 2019

Canada’s Digital Charter – Trust in the Age of Technology

In today’s digital-first society, conversations concerning our digital economy have never been more important. At the Digital ID and Authentication Council of Canada (DIACC), a non-profit coalition of public and private sector leaders, we know that digital identity is vital to the growth and efficiency of the digital economy, touching almost all aspects of digital life.

A secure, interoperable digital identity offers more security and more opportunities for Canadians and Canadian organizations to participate economically and socially with a high degree of confidence. This is why Canada’s new Digital Charter, unveiled on Tuesday May 21st, is monumental, will help position Canada as a leader in the global digital economy.  

The Digital Charter is intended to protect Canadians’ privacy and establish requirements and regulations for how organizations can use personal data. Rooted in a foundation of trust, the Digital Charter will set a baseline for how companies, citizens and governments interact and transact online.  

“We applaud the new Digital Charter. The renewed commitment to updating privacy policies will ensure transparency in every aspect of digital life, from social media to healthcare and digital ID,” said Joni Brennan, President of the DIACC. “For DIACC, an organization whose key values and principles include transparency in governance and operation, as well as providing Canadians with choice, control, and convenience, this is a tremendous step in the right direction.”

Trust is at the center of the Charter, which emphasizes Canadians’ control over their personal information through ten key principles. Similar to the DIACC’s mission to unlock social and economic opportunities for Canada, while reducing costs and enhancing service delivery, the Charter aims to support all Canadians as they navigate a world where the divide between online and offline is increasingly blurred and the consequences of poor data management are serious.

“No single group can solve the identity challenge alone – so creating an ecosystem of collaborative partners is necessary to enable the secure digital identities needed for Canadians and our businesses today. “

– Joni Brennan, President of the DIACC

Notable principles in the Charter include open and modern digital government, keeping digital platforms safe from hate and violent extremism, and universal access for all. These principles underpin the work DIACC is leading in developing the Pan-Canadian Trust Framework (PCTF). The PCTF will enable Canada to securely participate in the global digital economy, while supporting economic innovation, service delivery, and the principles of an open government. The framework is being developed using a collaborative approach that takes into account the different perspectives of public sector and private sector stakeholders, as well as international experts, liaisons and the general public.

Building on the ten principles, the Charter sets out ambitious actions to enable and support Canadian innovation and leadership in the global digital economy.  These include a National Cyber Security Strategy and modernizing Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – which has not been substantially updated since the early 2000s.

“These principles lay down the foundation that will allow us to build an innovative, people-centred and inclusive digital and data economy [founded] on trust,” outlined the National Innovation Minister Navdeep Bains, in a video posted on the government’s website.

The Charter is informed by insights gleaned from the government’s National Digital and Data Consultations. Canadians want more transparency in how their data is being collected and how it is being used, and recent data breaches have raised questions and public concern around this.

“No single group can solve the identity challenge alone – so creating an ecosystem of collaborative partners is necessary to enable the secure digital identities needed for Canadians and our businesses today. We recommend re-examining our policies on an annual basis,” said Joni Brennan. “As our connectivity grows and we seek to lead in the information age, our privacy and cybersecurity tools need to evolve just as much as our policies do.”

Keeping a pulse on industry trends, emerging threats, and new approaches in digital identity and across the digital economy is no small task. To stay ahead of the curve and protect Canadians’ best interests, the DIACC takes a unique approach, bringing together leaders from the public and private sectors and across Canada. Creating the conditions where otherwise competing or siloed organizations can work together as one team, the DIACC is committed to enabling Canada’s full and secure participation in the global digital economy. Members share resources and collaborate to develop industry standards, research, and proofs of concepts.

In today’s digital-first society, the Digital Charter and DIACC are Canada’s response as part of a wider, global movement to modernize outdated laws and prepare the country to adapt and thrive in a changing economic landscape. The government has laid the foundation, now it is time to continue the conversation. Learn more about becoming a DIACC member, participating in shaping Canada’s digital economy, and solving the real-world challenges of today.

Profiles in Identity Leadership: Ken McMillan

Ken McMillan

In our most recent ‘Profiles in Identity Leadership’ video, Joni Brennan spoke with Ken McMillan, who was Acting Director, Digital Identity at Treasury Board of Canada Secretariat, and co-chair of DIACC’s Trust Framework Expert Committee (TFEC). The committee is responsible for delivering Canada’s Digital Trust Framework, including the Pan-Canadian Trust Framework (PCTF).

In terms of a strategy to advance digital identity, Ken believes that Canada has the opportunity to take a lead. Canada doesn’t invest all the influence and decision making in the federal government. Rather, our strategy benefits from second, third and fourth opinions from the provinces, territories, and the private sector.

“In a sense, not being a single state that has a unitary approach.. and instead one that says we have to collaborate and we have to compromise, it puts us in a good position. That’s something that Canada can bring to the table,” he said.

In developing the PCTF, Ken has benefitted from the involvement of various groups in the TFEC.

For instance, if we can access – with privacy, consent, and security – some attributes that come by virtue of one’s banking or interactions relative to their internet service provider, then all of that information feeds into an understanding of whether an asserted identity is credible. A key question is: what do we minimally need to know about this individual to deliver a service?

“We need to complement that [interaction] with the data that is available in the private sector in terms of having a validation of identity that reflects currency as opposed to knowing once a year whether you file your taxes…we really benefit from having those Canadians at the table and the Trust Framework Expert Committee and being able to talk about how we make these systems work together.”

While his work in the area initially focused solely on just pure authentication with usernames and passwords, and not necessarily attaching identity to it, “that grew into an appreciation for some of the complexities of the problem.”  

“What I have enjoyed about DIACC is the amount of learning that takes place,” Ken said. “I like the idea that wherever I go I’m going to be surrounded by people who know a lot of things that I can learn from. [DIACC] brings a lot of different opinions, people tend to recognize that there is a stipulation to stay away from the sales pitch element and just talk about what we know, and what we’re learning, and demonstrate the humility of other things that we don’t know.”

Request for Review and Comment: PCTF Verified Login Component Overview V0.06 and Verified Login Conformance Profile V0.03 Discussion Drafts

Le français suit

STATUS: This review is now closed. Thank you for your participation!

Notice of Intent: DIACC is collaborating to develop and publish a Verified Login industry standard as a Component of the Pan-Canadian Trust Framework to set a baseline of standards and practices that guide public and private sector interoperability of identity services and solutions.

Veuillez trouver la traduction française ci-dessous…

Summary:

The Verified Login Component defines a set of processes used to enable access to digital systems and a set of conformance criteria for each process. These processes include binding a credential to a subject, binding authenticators to a credential, as well as lifecycle management functions that include updates, suspension, recovery, and revocation, and session management. For the purposes of Verified Login, a subject may be a person, organization, application, or device.

The objective of the Verified Login Component is to ensure the ongoing integrity of the login processes by applying standardized conformance criteria for assessment and certification. Verified Login is a set of processes that are intended to help establish confidence and trust in the use of a trusted digital identity. A certified process is a Trusted Process that can be relied on by other participants of the Pan-Canadian Trust Framework.

Invitation:

  • All interested parties are invited to comment including identity issuers, identity consumers, developers, and potential users.
  • The Discussion Drafts have been developed by the DIACC Trust Framework Expert Committee (TFEC) that operates under the DIACC controlling policies.

Documents:

Period:

Opens: May 15, 2019 at 23:59 PST | Closes: June 17, 2019 at 23:59 PST

Process:

  • All comments are subject to the DIACC contributor agreement;
  • Submit comments using the provided DIACC Comment Submission Spreadsheet;
  • Reference the draft and corresponding line number for each comment submitted;
  • Email completed DIACC Comment Submission Spreadsheet to review@diacc.ca;
  • Questions may be sent to review@diacc.ca.

Value to Canadians:

The Verified Login Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadian’s to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

Context:

The purpose of the Discussion Draft review is to ensure transparency in the development and diversity of a truly Pan-Canadian, and international, input. In alignment with our Principles for an Identity Ecosystem, processes to respect and enhance privacy are being prioritized through every step of the PCTF development process.

DIACC expects to modify and improve these Discussion Drafts based upon public comments. Comments made during the review will be considered for incorporation to the next drafts and DIACC will prepare a Disposition of Comments to provide transparency with regard to how each comment was handled.

Demande de révision et commentaires: Aperçu de la composante de connexion vérifiée V0.06 et profil de conformité de la connexion vérifiée 0.03 – ébauches de Discussion

Déclaration d’intention: Le DIACC collabore pour développer et publier une norme de l’industrie pour la connexion vérifiée en tant que composante du cadre de confiance pancanadien, afin de définir une base de normes et pratiques guidant l’interopérabilité des services et solutions d’identité dans les secteurs public et privé. 

Sommaire:

La composante de connexion vérifiée définit un ensemble de processus utilisés pour permettre l’accès aux systèmes digitaux et un ensemble de critères de conformité pour chaque processus. Ces processus consistent notamment à relier un identifiant à un sujet et des authentifiants à un identifiant, et incluent aussi des fonctions de gestion du cycle de vie, entre autres les mises à jour, la suspension, la récupération, la révocation et la gestion des sessions. Pour les besoins de la connexion vérifiée, un sujet peut être une personne, une organisation, une application ou un appareil.

L’objectif de la composante de connexion vérifiée est d’assurer l’intégrité continue des processus de connexion en appliquant des critères de conformité uniformisés pour l’évaluation et la certification. La connexion vérifiée est un ensemble de processus destinés à donner confiance dans l’utilisation d’une identité numérique. Un processus certifié est un processus de confiance auquel les autres participants du cadre de confiance pancanadien peuvent se fier. 

Invitation:

  • Toutes les parties intéressées, notamment les émetteurs d’identité, les consommateurs d’identité, les développeurs et les utilisateurs potentiels, sont invitées à faire des commentaires.
  • Les ébauches de discussion ont été développées par le comité d’experts du cadre de confiance du DIACC, qui est régi par les politiques de contrôle DIACC.

Documents:

Période:

Début : 15 mai, 2019 à 23 h 59 HNP | Fin : 17 juin 2019 à 23 h 59 HNP

Processus:

  • Tous les commentaires sont assujettis à l’entente de contribution DIACC;
  • Utilisez le formulaire fourni par le DIACC pour soumettre vos commentaires;
  • Faites référence à l’ébauche ainsi qu’au numéro de ligne correspondant pour chaque commentaire soumis;
  • Envoyez le formulaire de soumission de commentaires du DIACC dûment rempli à review@diacc.ca;
  • Pour toute question, veuillez écrire à review@diacc.ca.

Valeur pour les Canadiens:

La composante de connexion vérifiée apportera de la valeur aux Canadiens, aux entreprises et aux gouvernements en établissant une norme de base pour guider l’intéropérabilité des solutions et services d’identité dans les secteurs public et privé. Le DIACC a pour mandat de développer ainsi que fournir, en collaborant avec d’autres, des ressources visant à aider les Canadiens à effectuer des transactions numériques avec sécurité, confidentialité et commodité. Le cadre de confiance pancanadien, qui est une de ces ressources, présente un ensemble de normes de l’industrie, pratiques exemplaires et autres ressources qui favorisent l’interopérabilité au sein d’un écosystème de services et de solutions d’identité. Le DIACC est une coalition à but non lucratif de membres des secteurs public et privé qui font un investissement considérable et soutenu afin d’accélérer la mise en place de l’écosystème de l’identité du Canada.

Contexte:

L’objectif de l’ébauche de discussion est d’assurer la transparence dans l’élaboration et la diversité d’une contribution véritablement pancanadienne et internationale. Conformément à nos principes sur lesquels se fonde un écosystème de l’identité, les processus visant à respecter et à renforcer la protection de la vie privée sont priorisés à chaque étape du processus de développement du cadre de confiance pancanadien.

Le DIACC prévoit modifier et améliorer cette ébauche de discussion en fonction des commentaires venant du public. Les commentaires apportés lors de l’examen seront pris en compte en vue d’être intégrés dans les prochaines ébauches et le DIACC va préparer un recueil de commentaires afin de montrer d’une façon transparente comment chaque commentaire a été traité.

Letters from the President: A Collaborative Road less Travelled – Delivering a PCTF that Works for Canada and Around the World

DIACC’s approach

In Canada, DIACC is the singular organization focused on accelerating the establishment of a Canadian Identity Ecosystem – the singular organization where Canada’s identity experts and practitioners connect to share the deep knowledge needed to deliver a framework that will support our vision of an identity ecosystem where every Canadian has access to the societal and economic opportunities that digital identity can enable.

DIACC is unique among its global peers because our focus is on:

  1. enabling identity that works for both the public and private sectors;
  2. prioritizing privacy, security, and user-centred design;
  3. and enabling economic growth.

Meeting the needs and priorities of members across Canada and around the world is not a simple task. And, while our technology and virtual tools help us to connect Pan-Canadian interests, in-person meeting opportunities always help us to move our shared vision forward. In this context, the DIACC Board of Directors (comprised of public and private sector leaders) and the Trust Framework Expert Committee (TFEC) recently held a co-located in-person meeting in Ottawa.

At this meeting, the primary focus of the Board of Directors was a strong reaffirmation that every Director is committed to one approach for interoperability of identity across Canada. That one approach will provide and prioritize security, privacy and convenience of use. That one approach will prioritize privacy, security, and user-centred design to ensure that Canadians have choice, control, and consent by design, in terms of which systems they participate in, and in terms of how they participate.  That one approach will also recognize that various sources of data verification will be interoperable and available for Canadians to use to perform transactions. In that one approach, service providers will determine their verification needs and Canadians will choose which sources they wish to leverage to provide verification of only the minimized information needed to perform a specific transaction.

Pan-Canadian Trust Framework (PCTF) Development and Operationalization Principles


Through DIACC, Canada’s public and private sectors work as one team, with one vision to define the strategic and the operational way forward including – the industry standards, best practices, and tools needed to ensure systems and solutions align with Canadian principles and with international standards. Our diverse stakeholder collaborative approach ensures that PCTF development considers broad Canadian and international feedback and recognizes areas that may require contextual specialization.  Ultimately, one true test of the value of the PCTF will be its broad adoption.

To support the development of the PCTF in alignment with this vision, the Board of Directors developed and affirmed PCTF Development and Operationalization principles including:

  1. PCTF must provide value to the public and private sectors by defining a minimum set of requirements which encompasses standards and practices. The PCTF will promote interoperability that unlocks public and private sector identity capabilities and supports Canada’s economic growth.
  2. PCTF will define the baseline set of requirements for public and private sector, and there may be requirements that are defined as optional.
  3. The PCTF represents a willing community coalition, and is authoritative to those who adopt it.
  4. PCTF may be profiled by communities of interest to tighten the PCTF baseline for a specified use case.
  5. PCTF is developed, maintained and published by DIACC, based on the broad input of public and private sectors, international experts, liaisons and the general public.

These principles are designed to help us to move forward as a diverse community and to continue to evolve the PCTF to ensure that it meets broad stakeholder needs across Canada and around the world. These principles draw our focus to our PCTF approach while encouraging communities to develop profiles as a mechanism to inform and evolve the PCTF baseline of public and private sector criteria. And while these principles are intended to be more inward facing for our collaboration needs, they further support our foundational DIACC Principles for an Identity Ecosystem. Finally, we recognize that, although Canada is taking a road that is informed by the experiences of others around the world, ours is the public and private sector collaborative road that is less travelled.  Our priority is to meet the needs of Canadians and our hope is to inform the roads that others will take around the world.

Spotlight on Yoti

Meet Yoti

  1. What is the mission and vision of Yoti?

Our mission is to be the world’s trusted identity platform. We want to be the solution to fears around transparency, trust, privacy and control.
To achieve this, we need to build trust, which is not an easy task today for any company. So we’re building Yoti around principles which are regulated by an independent Guardian Council – the antithesis of big tech and data companies. By staying on track to our principles and working in close collaboration with all of our stakeholders including businesses and governments, we can achieve our goal of putting people in control of their data and fixing the broken identity system.

2. Why is trustworthy digital identity critical for existing and emerging markets?

The current identity system is broken – organisations and governments still rely on paper or card-based forms of identity verification, because proving who we are online to a high degree of certainty has been difficult. This process of creating physical forms of identity can take days or weeks instead of seconds, and often results in us sharing excessive amounts of personal information, putting us at great risk of identity theft. Millions of ID documents are lost every year, over 1.1 billion people around the world don’t have any form of identification, and the costs of online scams and fraud are spiralling. Having a trusted digital identity system is critical in fixing these issues.

3. How will digital identity transform the Canadian and global economy? How does Yoti address challenges associated with this transformation?

The ability to seamlessly use digital identities will empower individuals, businesses and government, and help unleash the true potential for a digital economy.

A digital identity lets individuals prove their identity online and in-person in a seamless, simple and secure way. They can share specific identity attributes, such as their name and date of birth, without disclosing their full identity with ID documents; helping to protect them from the ever-growing risks of identity theft. Individuals have a more convenient way to prove their identity across a range of industries and sectors – from financial services, travel, healthcare, dating and retail. More people will be able to take part in society and access essential services such as healthcare, education and finance, without being held back by lack of documentation, geography or wealth.

Companies have a cost-effective and efficient way to verify the identity of their customers, saving time and money, as well as reducing the risks associated with identity fraud. Additionally, governments can be sure that the right person is involved in the transaction, empowering them to offer a greater range of online services with the confidence and certainty that the users are who they say they are; leveraging technology to create a digital ecosystem.

Yoti is a global digital identity platform and free consumer app that gives individuals a simple, fast and secure way of proving who they are, online and in person. Each account is linked to biometrics and an ID document, so businesses and governments can be confident in the details shared with them – creating more trust and transparency. Challenging the existing way of doing things is never easy, but it’s time for a better way to prove who we are.

4. What role does Canada have to play as a leader in the space?

Canada has many advantages in the digital identity space. End-user demand is high for ubiquitous and low-friction access to digital services and information.  Canada has highly-evolved financial infrastructure and cybersecurity methods to balance end-user demand with secure identity and authentication. The regulatory environment is demanding. We believe Canada will be harnessing these factors to develop world-leading identity management and authentication processes in the coming years and will likely assume a leadership role in this area.

5. Why did Yoti join the DIACC?

As Yoti expands into Canada, we are seeing active participation in the local Digital ID community being of paramount importance.  While we are looking to grow our business and develop opportunities in Canada, we also want to contribute to the development of an ethical, safe and trusted Digital ID framework across the country, as we have done elsewhere in the world.

6. What else should we know about Yoti?

Yoti has achieved some significant milestones and partnerships, including:

  • Working with Heathrow Airport to explore biometric travel for passengers
  • Selected as the official digital ID provider for the Government of Jersey
  • Partnered with the Improvement Service in Scotland to help deliver digital services to Scottish citizens
  • Partnered with social networking site Yubo, who are using Yoti Age Scan to flag accounts where the person appears to have significantly misstated their age; an important step in safeguarding young people on social networks which would be expensive to do manually each day
  • Working with Jagermeister to let individuals use Yoti to prove their age when buying age-restricted products on the new www.jagershop.co.uk, promoting responsible alcohol sales online with digital identities
  • Gained accreditation for SOC2, FCA Sandbox and UK Government G-Cloud
  • Over 4 million installs of their app since launching in November 2017
  • Has a team of 250 staff, headquartered in London with offices in India and the U.S.
  • Yoti has 25 separate patents and applications in the U.S. and the U.K. Their core digital identity patents (which cover the core Yoti system and our method of storing and sharing identity attributes) have a very early priority date in the digital identity industry.