IGF 2017 - Day 0 - Salle 2 - The Challenges of Digital Identity Management in the Era of Internet of Things (IOT)


The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 




>> Sebastian:  Hello, is there someone from the organizer here in this room to talk about whatever we were supposed to talk?  The challenge of identity management in the area of Internet of Things?  If nobody, we need to self‑organise because we can't spend one half hour without doing anything or we leave the room or you can stay and make your other stuff.  But if you want to talk about this topic and I am not a specialist on that, just we self‑organise.  As I have no knowledge, I can Chair the meeting and ask you what you want to say about that if you wish, but if somebody with knowledge wants to do it, it would be great.  Thank you.

Okay, Ladies and Gentlemen, I am Sebastian from France.  And I have no specific knowledge on that topic, but if nobody from the organizer are here, I suggest that the people who want to talk about the topic today get organized and talk about that.

As you know, the topic of this room and there is no recording except that you can see on the blue bar, that all what I say, it's typed.  And there is no connection from outside.  And just the people inside the room can talk about the topic.  And it was supposed to be about the challenge of digital identity management in the area of Internet of Things.  IoT.  And if I can ask if somebody wants to take the floor and say something about the topic, present themself to say who and from where they are talking, I guess that it could be useful to have people from Internet management side, but also if there are people from IoT‑specific ideas will be great.  And the organisation who was supposed to organise this was international security electronic transaction organisation, I don't know them.  And I am totally agnostic of what was supposed to be done today.

Somebody wants to take the floor to start?  Yes, please.  Thank you.

>> I am Barry Leiba, I work for hallway.  I do a lot of work in the IETF and web consortium and some of it IoT.  And we had some discussion in what identity in this regard, so I'll talk about some things to start the discussion.

There's the identity of the owner of the device.

There's identity of the device.

There's identity of some sort of system in which the device operates, which may be, say, your home that's separate from the Internet as a whole.

And there are issues of how to manage these and keep privacy in consideration.  To what extent do our ‑‑ are my internal devices in my house connected to the Internet directly versus connect to some internal network that itself connects to the Internet?  And how do we manage all of that?  And so far all we have is a lot of questions and we hope in general for discussion to work out how those things are resolved.  So I'll throw that out as sort of a kickoff, start the discussion, especially since Sebastian said I had to be the first speaker.?

>> Sebastian:  Thank you very much.  Is somebody?  Yes.  Thank you, sir.  If you can present yourself.  Go ahead, please.

>> Yeah, hello, my name is Christoph Pedime.  I got interest in IoT security earlier in the year when I got contacted by an Israeli startup company that's looking at securing the IoT, especially using digital identities.  And what I got concerned with is really when we dig deep into this, that we should think twice before we connect IoT devices to the Web because in a way everything can be and mostly is sniffed out.  It's copied somewhere in clear text, right?  Nothing is really protected.  And the back end of technology is so highly complicated, highly virtualised; and especially Amazon and the Web providers make us pay for it dearly.

Today most of us trust in one or more of those four Big Data collectors, which is Amazon, Microsoft, Google and Apple.  And between them we end up hardly having secrets.  Which brand of dishwasher we use, they know it.  Where we work, where we live, when we get to work, they know it.  Especially, in essence, the pattern we live in, when we break that pattern, who we break it with, and why.  It's all distinguishable in this space.

Now, think about connecting our doorbell, connecting our baby video monitor and accessing all of these things through a web app.  There is a clear text copy of that stream somewhere in some virtualised machine and we don't even know where.  So it's a really, really critical need to protect our freedom that companies and societies agree on how to make the connected world really safe and keep our data private.  So this is really why I got interested in this whole topic.  And I would fully support the endeavor of creating rules, creating safe interfaces that enable an individual to manage the access rights and collection possibilities of this type of data in a much easier way as it's done today.  Today we can click "degree" on any terms of conditions, and I don't think anyone here in the room know exactly where we clicked agreement last week and what's happening with this data.  So it's crystal clear to me situation where we need to agree on rules, that countries abide by and companies abide by.  That's it.

>> Sebastian:  Thank you.  Other one want to talk?

If I understood well, it seems that you are talking about things that are dealing with yourself, with the people and with your life, like your fridge, your inside your house.  And maybe we need to make a distinction between those things and the one who ran factories, who are ‑‑ who take care of my bees or who are outside of my day‑to‑day life.  But do you have any idea where this discussion about privacy about the Internet of Things can be done?  Is there any organisation who would take care of that?

You talk about not putting on to the Web.  If I translated, you say not putting it to Internet, that means not using the Internet standards?  Like DNS or IP?  Offer your meaning was something different?  It's both of you who can answer.  If you want to start, thank you.

>> This is Barry Leiba.  Part of the answer to that is separating the networks having your home network behind a control their does not allow open access to the Internet but lets some things happen.

So, for instance, an example he gave was the doorbell.  If's not very useful to have a doorbell monitor if I'm here in Switzerland and can't look at my doorbell monitor.  So I have to do that over the Internet.  But I don't need to do it directly to the doorbell monitor.  I can do it through a home gateway that protects the privacy and only allows me in but does not allow Sebastian because I don't want you looking at my doorbell.

But companies as the previous guy mentioned, Apple and Google and Amazon, whatever, they want to be that gateway.  And I degree that if we start allowing that to be the gateway, we have some severe privacy issues that we have to deal with because we know what happens when we aggregate all of this information under one single provider.  So that's my take on it.

>> Fully agree.  So say you own a business, right?  And your products connect to your company through the cloud.  Also here I think people should think twice because the cloud provider is the middleman here.  So any customer of a cloud provider is not able to directly protect the data of its customers.  So this communication is dangerous.  It's vulnerable because the all knowing middleman gets hacked, guess who's liable?  It's probably the company, the customer of that online middleman to the customer of theirs.  So there is a clear risk both in industrial and in private applications for data breaches.  And the solutions proposed to date really fall short of a technical solution, really.  It's not only a policy question.  The technical piece that is of relevance here is the old client and server model in which only servers have an address and they can be talked to directly with a publicly known address on HTTPS, whereas clients or applications for instance on the mobile phone do not contain such an address.  So those applications cannot talk directly to one another unless there is a middleman who knows who is who.  So the technical issue that the world has here is to enable true peer to peer secured communication without the need of shared keys that are stored somewhere.  So that's really where other applications can help, and there are new technologies out there that are developing but it is crystal clear that for this to gain traction, there should be some standards and there should be some rules on how to utilize this because if that gets done, basically no connection between clients is ever hackable.

>> Sebastian:  Before I give you the floor, for example, we are currently or the electricity distributor is currently putting IoT in each of our houses in France and I am not sure that other people are very aware of what is happening but that means that this provider will have direct information on my electric consumption, for example, and they can know when I am ought home, when I am not home, what I am doing and if I am cooking and if I am washing my stuff or whatever.  And using that, this could be sold using some standards or it is something different.

And my other question is that when you say that there is no middleman, I can understand.  At the same time, sometime it's good to have one middleman I trust who is better knowledge than myself to help me with my transaction with some providers.  Just question, please, go ahead if you wish.

>> Barry Leiba again.

So I will put it to you that your electrical provider already knew whether you were home or not, whether you were using your appliances or not just by your electrical consumption without any smart devices.

So, yes, we're certainly giving them more information if our light bulbs and refrigerators and other appliances are connected to some sort of smart system that they are aware of.  But they have that information already at some level.

You asked earlier, though, where we talk about this stuff.  And that's a challenge because there are a lot of different standards‑related organizations that are working on Internet of Things, standards, best practices, that sort of thing.  And there is no one place that owns it.  And so as I say I'm working in the W3C web of things Working Group.  And we are having a liaison with OCF that's working on some of this stuff.  And the IETF is working on protocols related to it.  It's all over the place.

And we do need some coordination to make sure that the gaps are filled in, that we're not working on a bunch of different pieces that don't connect well.  And I don't have a good answer to that, but maybe somebody else has some ideas.

>> Hi, good morning, my name is Peter.  I work for DENIC, which is a country code domain registry, and I'm also with the German ISOC chapter but that's just for affiliation.  I was going to add to two or three remarks that I've heard from the previous speakers.  One is that we have a similar situation that you described, Sebastian from France, we do have that in Germany.  So‑called smart meters are imposed on households.  And the interesting question is actually yes, indeed, where's the governance?  And who is going to control or over the data and actually the security and safety aspects of this information because I slightly disagree with Barry that, yes, they did have some information.  But of course all these automation IoT stuff adds to the immediateness of that information.  They exactly know which TV programme ‑‑ '"They" exactly know which TV programme you're watching by having streamed that, somebody knows already.  But now there are more data points and that is on a personal scale it's probably already scary but on a societal scale, that is even more scary.  And when I guess the gentleman in the back for dish and other things for the security we need standards, that is something that we should dive into a bit deeper maybe at some other session because we always hear there are standards.  And Barry completely correctly mentioned yes the ITF is working on technical standards and protocols and interoperability but what we hear very often when we hear people say" we want standards," that means standards of behavior or in essence they mean regulation.  So there is kind of a bit of confusion of terms that we might want to be a bit careful about and strictly say what we mean.  And that is of course from the different spheres of people that are represented in a room like this, the use of these terms comes from different backgrounds.  So differentiating between technical and security standards which is another set of standards that doesn't play well that is adding to the complexity.  And resolving this complexity is one of the tasks of for alike this so we get the languages aligned before we move ahead and dive into solutions.  Thank you.

>> Sebastian:  Thank you.  Any other who wants to take the floor to talk about your experience?  The experience in your country?  Yeah, go ahead, sir.

>> Good morning.  My name is (gee how gee ‑ phonetic).  I'm from the permanent mission of China.  My experience tells me that actually there is no technical silver bullet to solve this problem, either parental control, you have certain type of configuration your computer, et cetera, to prevent your kid from being indulging themselves on the Internet.  We need to be responsible parents.  We have to keep our eyes on on watching them, tell them how to use the Internet responsibly.  That's the only way.

My experience, I myself and my wife just take the smartphone way from my son and prevent him from using it from Monday to Friday.  And we give him a couple of hours on the weekend.  But we are always watching him because whenever they're using this smartphone out of our sight, they do all kinds of things.  Browse the porn websites, buy equipment, virtual equipments for gaming which is very expensive.

And one kid of my senior, he just give his son a mobile phone used by senior citizens without the screen, with the big buttons.  But the kid still managed to have fun in playing certain kind of games on that basic type of mobile phone.  And it's really for parents, really a big headache.

And now my wife, she's in Beijing.  And we are ‑‑ on weekends, my son can use a couple of hours of the smartphone computer, but from Monday to Friday we give him a show me mobile phone which have no buttons.  Just the one button that he can call my wife, only one number.  And my wife can always find him where he is.  The trajectory on the map is always on my wife's side.

So it's a tough job.  And we hope that the government, the service providers can try their best to filter those pornographic things, this gaming, this gambling things.  But at the end of the day, we as parents have to do our job.  That's it.  Thank you.

>> Sebastian:  Thank you.  Even without phone, it's our job to be parents, definitely.

Any other thoughts?  I guess the people who came here, you read what was supposed to be the topic of the meeting.  I would say one of my questions before we will end up in less than 15 minutes, it's are this other meetings during this IGF where this discussion can be reported and could be useful to be reported?  Or do I need to go to the organizer and see what they wanted to do with that?  Because I think that while it's on the question raised by the organizer and what you have said here are quite important and useful and it could be good ‑‑ it could be useful to take that into account.  And if you know other meetings during this IGF, we'll talk about that, just tell me and I will bring that to them; if not, I will go to the organizer.

Anyone who want to talk?

>> I don't have anything specific, but there are a number of other Internet of thing sessions here.  And we should just go look through those and see which ones could benefit from looking at what we said here.

>> Sebastian:  Okay, great.  I will check the other sessions on IoT.

Okay.  Thank you for those three who spoke.  But I would like to know if the other 20, 25, 30 other people, you have something to say?  Yes, Madame, please.  Great, thank you.

>> Hello, everyone.  I'm from China.  I'm from IGF China.  And my personal background is from blocking technology.  And so I would just attend this conversation halfway, but I need to know what the discussion the first part.

What I want to mention, that maybe probably we can check across other technologies like ‑‑ because for the security we were concerned about the personal privacy and those kind of ‑‑ this kind of aspect.  Any blocking technology, it's perfectly solve this problem.  Actually, IoT and block chain, some of the startup companies already search for how to use the decentralised nature to solve this problem.  They give the authority to people, personal people, to control their own data.  But they also use the other technology like encryption technology to make it invisible to the public people.

So I think maybe we can also search for the other technology.

For me, I think IoT and block chain is perfect match to each other.  And it's perfectly solves the problem of IoT.

But the thing is:  I think the things what we need to consider is how to cooperate in more international level.  What standard?  Also block field, people work on the protocol part in this level.  But there are many different standards but I think we also need to like work together to enhance, to work on the international level to drive this happen.  Thank you.

>> Sebastian:  Thank you very much.  Yes, sir, go ahead.

>> Yeah, good morning, I'm Otto from Egypt.  I would just reply your question regarding the other events during the IGF regarding the IoT.  I invite you to participate in 19th of December for workshop which IDSC, information decision supports centre, from Egyptian cabinet is presenting for the linking between IoT and the decision support system and how we are trying to use it for supporting the decisionmaking.  So I invite you to participate and being there.  And I guess we will be hearing what we are trying to do in Egypt on that.  Thanks.

>> Sebastian:  Thank you.  Good, Barry.

>> Barry Leiba:  To the young woman from China, you said that block chains are perfect for solving the IoT problem.  But specifically what in IoT would you use block chains for?

>> Actually, IoT and block chain I think it's just a kind of different aspect.  Block chain's more like decentralised nature.  So it's kind of data, definite structure of data system.

And IoT is more the upper level of the block chain.  So it's actually block chain is matched to many other usage, not just to IoT.  But IoT can use it because the data storage is decentralised.  And there is no people to ‑‑ for the block chain, the system strong enough, there is no target.  So the penalty is very high for people to ‑‑ it or this kind of thing.

IoT is not just for the ‑‑ but for the encryption, including the encryption, the very critical data in the block chain.  Like where you can use chart the 56 or other encryption technology to do this.  So people need to encryption data.  So it solve this problem.  And every person peer to peer person, they can control their own data.  But it's safe.  I don't know whether ‑‑ thank you.

>> Sebastian:  Thank you.  Say your name because of the captioning please like that we know who is talking.  Thank you.

>> So my name is Christoph Piran.  On the question of how to use block chain to secure the Internet of Things, I fully agree.  The data storage is one aspect of the block chain where it is very strong.  Another aspect is to strong the peer to peer communication.  So there are ways to utilize a publicly trusted certificate an X509 certificate and wrap it into a block chain so it becomes a tree of trust.  And every leaf of the tree can check against another requester whether they belong to the same common ancestor.

So in a block chain, based on a publicly trusted certificate, access rights can be decentrally managed without the need of a central point of trust.  And that really takes the middleman out of the equation.  And to think it was mentioned earlier that obviously there are some services in the cloud which could be addressed for some things that really make sense; in these cases, the apps can decide to also put clear text copy into a cloud server such that these services can be performed, for instance language recognition.  But other services, simply a connection between my cell phone application and my vehicle to unlock my vehicle, I don't want any copy of this.  I don't want any thing of it in the cloud in clear text.

And today because of the technical infrastructure that everything is implemented, I am forced to allow my cloud provider to have a copy of it.  Including where my car is currently parked.  So all of these types of things are a technical problem.  And they can be solved with a technical solution.  And a block chain is a vehicle to do that if it's coupled with the peer to peer trust.  It really is a dissolution of what we have known for many years as the client server model, which is not applicable to the Internet of Things.  You know, it has been stretched by mobile.  But it will be completely blown up by the IoT.

>> Sebastian:  Thank you very much.  Any other?  I will say final words.  We have five minutes to go.  Other people who want to talk?

Okay.  Then I will try to do a quick summary on the fly.  I am Sebastian, and I was not supposed to lead this group, but I have the impression that there are a few things.

The first one and no other, but the first one is that I think the users, end user, needs to know what is done on their behalf.  For example, the example about the car.  I didn't know that my car information was on the cloud just because I wear the key of my car with me.  That's interesting.  And I think the same about the electricity providers, what they want to do with our data using IoT will be useful.

The second point is that it seems to be really necessary to have one place where we can put together all the body who talk about standards (coughing) sorry, standards or any type of way to understand how it's working, the IoT, for the user, for the provider, for the middleman and for all the chain of work.

And the third element I take from this discussion is that we need to have some discussion and work about IoT and block chain to see how it can work together, fit together to help to solve the question of privacy.

I hope it's at least some of the element for this what I think conclusion.  But I see that, Barry, you want to add something before we finish?  And that will be great.  Thank you.

>> Barry:  I will be adding many thanks to Sebastian by taking the bull by the horns and running this session.


>> Sebastian:  Thank you.  The session is adjourned and thank you very much for your participation.

(end of session)