The first presentation of the session about Web and Cards is from Xavier Larduinat, speaking on behalf of Eurosmart (a non-profit organization advocating smart secure devices). His interest here is to look at things from the point of view of the user of a Web service, and to figure out how that user can get a feeling of security when using services like Gmail, Flickr, Twitter, or others. I give below some of the ideas put forward during that talk, with a few personal comments.
The first question is to understand how privacy and trust are similar to, and different from, the typical security issue. A first interesting point is that the smart card industry is one of the rare industries able to ship 4 billion personalized objects every year. That makes it suitable for working with companies like Google or Yahoo!, which deal with hundreds of millions of customers.
The kind of things that smart card vendors usually propose in the Web arena are the following:
- Two-factor authentication. This can be provided in the form of OTP (one-time password) applications, or solutions reusing the eID infrastructure used in government applications.
- Privacy enhancements. A card may securely store credentials and release them only as needed and required (with appropriate proof), without disclosing the whole record. Think of a system that would simply attest that you are over 18, without disclosing your name.
- Identity management. An identity carried by a token can improve authentication for Web mail, instant messaging, and more, and then allows the enforcement of better access control policies.
The next issue is to figure out how this matches the needs of digital security, which are as follows:
- Protecting our digital identities. That's something where smart objects can bring an immediate value, as we have just seen above.
- Protecting our digital assets. Our assets on the Web are very varied (contacts, images, and all kinds of content) and need to be protected from other people, and also from the Web service providers, who may be tempted to abuse them.
- Protecting our e-transactions. Online transactions today are often very simple, and involve a low level of security. There are proposals from the smart card industry, but they do not always match the requirements of Web service providers.
This view is very valid, but it is also a very traditional view of digital security. It may be more interesting to look at the things that become possible when our digital assets are well protected. By bringing more security, we bring more value and more freedom to the users, because there will be new ways to exploit these assets that are not possible today. In the end, mandating a higher level of digital security brings more choices to the end user, not fewer.
If we dig a bit deeper into Web services, we all love them because of their ubiquity. They are accessible from anywhere, they don’t put constraints on us like updates and backups. We love this, but we also need to be aware that there is a tradeoff between availability and security.
As an example, the tendency towards free, viral services that later monetize their users' data has a few exceptions. In particular, there are few such services around money management and personal health record management. This means that most users don't place enough trust in Web services to let them manage what they regard as their most sensitive data. The kind of issues that Web services face include the following:
- No network, no service. This is becoming a thing of the past, slowly in some cases (roaming, for instance). We can provide solutions, but they should not be our main focus.
- Security limited to username and password. There isn’t much worse in terms of security.
- Privacy. Users basically have no choice. You need to accept the service provider’s conditions, or use another service.
- Trust. There are no standard metrics to establish trust like there can be in the smart card business.
If we focus even more on security, privacy and trust, the challenges for Web services are as follows, from the user's perspective:
- Identity theft.
- Unclear data access control.
- Unclear service definition.
- Unclear terms and conditions.
Another aspect of things is data protection, which is another set of user worries:
- Storage. Where is my data? What is the disaster process? How are permissions set? How can I control the access to my data?
- Revision Management. Is there traceability of the changes? A possibility to be warned of changes? A possibility to track changes and review them later?
- Life cycle (retention/termination). How do I terminate the hosting of my data?
Next, we get into the heart of the topic: what is it possible to offer from the smart secure devices point of view? The first initiative is about transforming the World Wide Web into My Web, by combining several kinds of access restrictions:
- IP Geo-Localization. Make some services accessible only when I am located in a given area or set of areas.
- Appliance-ID restricted access. Make some services accessible only from certain computers (based on a more or less secure characteristic of the computer).
- Time restricted access. Make some service accessible only at a given time, like allowing children to access instant messaging only between 4:00PM and 8:00PM.
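To make the "My Web" idea concrete, here is an added example (mine, not from the talk) of a small policy evaluator that combines the three restrictions above and reports every one that is violated, so the user can see why access was refused rather than getting a bare denial. The geolocation table, the device identifiers, the service name and the time windows are all constructed for the example; the IP ranges are documentation prefixes, not real allocations. The evaluator also handles a window that crosses midnight, which a naive `start <= t < end` check gets wrong.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed stand-in for an IP geolocation lookup (documentation prefixes,
# not real allocations). A real deployment would query a geolocation database,
# and should remember that IP geolocation is only as good as that database and
# is trivially moved by a VPN or proxy: it is a usability control, not a strong one.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "FR",
    ip_network("198.51.100.0/24"): "US",
}


def geolocate(ip: str) -> Optional[str]:
    """Country code for an address, or None when the table does not know it."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


@dataclass
class AccessPolicy:
    """One service's restrictions. Empty sets / None mean 'no restriction of that kind'."""
    service: str
    allowed_countries: FrozenSet[str] = field(default_factory=frozenset)
    # Device identifiers are assumed to be whatever the talk calls a "more or less
    # secure characteristic of the computer"; their strength is outside this code.
    allowed_devices: FrozenSet[str] = field(default_factory=frozenset)
    window_start: Optional[time] = None
    window_end: Optional[time] = None

    def in_window(self, t: time) -> bool:
        """True if t falls in [window_start, window_end), wrapping past midnight
        when the window ends before it starts (e.g. 22:00 to 06:00)."""
        if self.window_start is None or self.window_end is None:
            return True
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end

    def evaluate(self, ip: str, device_id: str, when: datetime) -> List[str]:
        """Return the list of violated restrictions; an empty list means access is allowed.
        `when` must come from the server's clock, never from the client."""
        reasons: List[str] = []
        if self.allowed_countries:
            country = geolocate(ip)
            if country not in self.allowed_countries:
                reasons.append(f"geo:{country}")
        if self.allowed_devices and device_id not in self.allowed_devices:
            reasons.append("device")
        if not self.in_window(when.time()):
            reasons.append("time")
        return reasons


# Constructed policy matching the talk's example: children may use instant
# messaging only between 4:00PM and 8:00PM, here also pinned to one country
# and one known computer (assumed identifiers).
KIDS_IM = AccessPolicy(
    service="instant-messaging",
    allowed_countries=frozenset({"FR"}),
    allowed_devices=frozenset({"family-laptop"}),
    window_start=time(16, 0),
    window_end=time(20, 0),
)

if __name__ == "__main__":
    print(KIDS_IM.evaluate("203.0.113.7", "family-laptop", datetime(2024, 3, 1, 17, 30)))
    print(KIDS_IM.evaluate("198.51.100.9", "tablet", datetime(2024, 3, 1, 21, 0)))
```

Returning the list of failed checks rather than a boolean is a deliberate choice: the user-facing worry listed in the talk is "unclear data access control", and a policy engine that can say "refused because of the time window" is a small step toward making that control visible to the person it applies to.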
Next, there are solutions for data protection:
- Data encryption and RAID applied to data centers, with smart secure devices controlling them.
- Smart Secure Devices acting as Proxy server. Re-route SOAP messaging via a proxy, and apply some filtering at that level.
The last idea consists in plugging a Smart Card Web Server into a fixed device (for instance, a home gateway, or "box"), and making it accessible from the Internet. Such a device can have many uses, and its main advantage is that it is not with you at all times. There are many applications for this, ranging from a basic secure proxy/filter to two-factor authentication. Of course, there is a trick here, since your second factor is actually on the Internet, so you will need a different kind of credential to prove who you are to these devices. One of them, proposed by Xavier Larduinat, consists in presenting you with the pictures of 20 random Facebook members, including your friend Alice, and asking you to click on Alice's picture. I'll come back to authentication in later posts, because there are many new ideas in this area.
To conclude, Eurosmart pushes in favor of regulation, in particular at the European level:
- Rules about identity ownership and accountability.
- Data protection as a fundamental right.
Such regulations could be interesting, mostly because they would facilitate the establishment of trust between users and service providers, which would in turn make possible the development of new services, based on that new trust, that could greatly enhance the user experience.