Andy Smith FBCS CEng CITP, a member of the BCS Security Community of Expertise, reflects on the work SCoE is doing to shape our understanding of life online and also to inform government policy in the online sphere.

The SCoE represents BCS in the field of information security and, as such, we stand for BCS membership and ensure BCS has a voice at various forums. This covers a broad spectrum, including areas such as government policy development, standards creation and talking at conferences. During 2016, the SCoE presented at a number of conferences.

Chief among these events is the United Nations Internet Governance Forum - a large and very international event.

The IGF is a multi-stakeholder platform that facilitates the discussion of public policy issues pertaining to the internet. The 2016 Internet Governance Forum (IGF): ‘Enabling Inclusive and Sustainable Growth’, was held at the PALCCO Centre from 6-9 December 2016 in Jalisco, Mexico.

Online identity at IGF 2016

BCS is very active in the area of internet governance - it’s something our membership has indicated is a critical area. Across the calendar there are a series of forums, working groups and conferences that cover this area.

One of the reasons we aim to present in Mexico - and at other IGFs - is that BCS gets to input into a critical subject on the world stage. We get involved in sessions and debates covering many critical areas of the internet. These are on the website.

This year our workshop was on online identity, a key area we have been engaged with for five years, after members indicated it was a critical topic for them. The more we explore online identity, the more it becomes apparent that there is still a lot of work needed in this area.

Online identity is a critical aspect to who you are, how you are perceived and, more importantly, why you need to protect yourself online. Identity theft, misuse of stolen identity credentials, stalking, bullying and other nefarious activities are all made possible because people do not protect their identity effectively.

We held two sessions at UN-IGF and had a diverse attendance at both. We held the workshop as a discussion session rather than a presentation in order to solicit feedback on questions important to our members.

These are based on feedback from previous sessions and workshops. If you have any views or questions, we would love to hear from you by email at: The initial questions were:

  • How do you ensure identity systems do not foster exclusion?
  • How do you ensure identity system terms and conditions can be comprehended by everyone?
  • Should users self-govern their identities or should this be left to Government or commercial organisations?
  • How do you ensure identity systems are all inclusive, covering multiple languages, cultures and socio-economic constraints?

We had a lively debate with the participants. The goal of getting an international perspective was very successful. It was clear that there are general aspects that are the same worldwide.

For instance people will not use a system once it is publicly compromised or if the system is too difficult to use. Try to force people to use a system or make it too complex and people will work around it, adding vulnerabilities, such as writing down passwords they cannot remember.

One aspect discussed was that any system that only uses static credentials (e.g. passwords) is likely to fall prey to attack quite quickly, especially attacks involving malicious code aimed to capture credentials or social engineering attacks. Most agreed there is a real need to move to dynamic credentials to prevent these being such successful tactics for criminals.

The group felt that identity governance is critical to the ongoing success of the internet and the increased take-up in developing countries and across minority groups. It is critical to understand how you balance data protection and privacy with online identity assurance. On the one hand you have the ‘know your customer’ requirement, in the other, the need to protect people’s privacy.

Europe and the GDPR

One of our goals was to solicit feedback and gauge the understanding of the new EU regulation on data protection (GDPR) in other countries, as this will have a significant effect on cyber identity systems, from the terms and conditions, to how they are used.

This is because even where citizens of the European Union are using a web service in a far-flung country, that system suddenly comes into scope of GDPR, should it ask for personal information of any kind. It was clear that many providers in non-EU countries do not appear to have understood this yet.

Some of the questions resulted in enlightening responses. For example, a group of teenagers from the YMCA in Hong Kong discussed how many social network sites have minimum ages.

There appears to be a common theme that you need to be 16 or older to agree to the terms and conditions, which means you need to be over 16 to use the site; however, these sites are of interest to young teenagers.

It also means that new websites that use your logon from Facebook, Google or other services as an identity system may propagate incorrect information.

The topic of using biometrics was raised, as many of those present used smartphones or tablets to access the internet, with many not even having a computer. Thus they used fingerprint or facial recognition to unlock their devices and go online.

There seemed to be a general consensus that this method was much better as the user interface worked for most people. However, we did raise the point that many identity systems do not take into account disabilities or special needs. If the system is designed by white men in lab coats for white men in lab coats, it is not going to work for everyone on the internet.

We also confirmed the tendency to hurriedly agree to terms and conditions in order to access products or services. It is a known problem worldwide; people do not read T&Cs, especially when they run to many pages, they just click ‘accept’. This can be a serious risk, with some services claiming in the T&Cs that they own the right to use any data stored on their systems.

Also, there is an additional set of risks where T&Cs are only in English. A group from Mexico noted that to provide services there, the law requires T&Cs to be translated into Spanish. However websites that do not specifically target Mexico do not do this, resulting in additional risk.

In conclusion the workshop as proved beneficial and summaries are published on BCS’ website. There are many aspects to online identity that are still in their infancy and forums such as UN-IGF are critical to ensuring the ongoing multi-national dialogue. BCS will continue to remain engaged and ensure your input is included in such discussions.

Part of the community

Beyond our work in Mexico and its focus, this year, on digital identity, SCoE also contributes to many events and conferences throughout the year. These events focus on helping shape internet governance. They also give BCS a voice in forums where issues that impact on web users’ lives are discussed. Key events are:

  • UK-IGF - Our Chairperson, Louise helped organise and was in attendance at UK-IGF. The goal for us is to ensure that BCS has input to various aspects of internet governance and how it impacts the UK as part of the world community. There were a number of very interesting presentations including ministerial keynotes which you can watch.
  • EuroDIG - At the European Dialogue on Internet Governance (EuroDIG), BCS took the BCS Personal Data Challenge and sought international views on ‘The Monetisation of Personal Data’ which highlighted the complexity of identifying how people’s data is being collected and who has possession. Again the talks are on the EuroDIG website.