I had the privilege of speaking at IdentityNorth 2020 yesterday on managing global compliance over the next decade with identity privacy requirements.
I took on the lens that current compliance requirements may (and hopefully will) change, and that I was speaking to an ideal, not to where we are today, which is not ideal but dangerous for the personal information of Canadians.
It should also be noted this is a true privacy-first approach, and as such, there is no market for this solution today, or for the foreseeable future.
The big takeaway I wanted to get across is:
It is my proposal that we need a solution where the individual has complete control of their identity, and that both governments and corporations be mandated to start treating personal information like a liability, not an asset.
This would require changes to Canada’s privacy laws, including effective penalties for non-compliance. In the private sector, the penalties need to be financially significant enough to hit the bottom line, so that non-compliance becomes a business risk to be evaluated. This doesn’t exist today — Canadian privacy legislation is seen as a joke. In the public sector, the penalties need to be more creative, as it’s not effective to use taxpayer funds as a repercussion, and there needs to be a way to hold the individuals involved accountable even if they are no longer involved with those systems — otherwise people can build weak or illegal systems and transition out without fear of repercussions.
We also need a solution that assumes a data breach will happen.
In the case of ID VPN I explained how we’ve de-risked ourselves, the businesses and applications that use us, and the individuals. No other platform can make the claim we can, and I hope that changes. If you hack or steal our database, all you get is encrypted blobs protected with PKI; you can’t decrypt them without obtaining the private key of every user in addition to the stolen database. If you compromise one of our business clients, you only get the pseudonym of the user, so again — the business doesn’t really care and neither do you, the user.
I also proposed an innovative way to handle production orders. For those unfamiliar, a subpoena or warrant is when the police collect the evidence — a production order is when the police mandate you as a platform or provider provide them the evidence. This is common for FINTRAC or RCMP investigations, usually financial crime related, specifically around anti-money laundering (AML) or counter-terrorist financing (CTF).
Our proposed approach uses a multi-sig (3/5) scheme where I give 5 civil libertarian lawyers across the country one key share (1/5) each. When a production order comes in, if it looks legit, the lawyer “turns the key”, and once 3 of the 5 lawyers have done so, the user’s real identity is decrypted using the private key of the production order keyring for that specific user.
To further de-risk myself and ID VPN, I have instructed each lawyer to hand their key on to another lawyer after 6 months, and to tell that lawyer they should do the same. This prevents a malicious actor from putting a gun to my head and demanding the list of multi-sig lawyer keyholders, as 6 months into this system I don’t even know the identity of the lawyers handling my production orders.
One of the challenges to solve for is a lawyer becoming unresponsive: if they don’t reply to any production orders within a certain time frame, or they fail to respond to a specific number of production orders in a row, their specific key would be revoked, and a new key would be created and deployed.
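As an added illustration of the 3/5 scheme and the revocation step described above (example code, not ID VPN’s implementation), here is a Shamir-style threshold split of a per-user production-order key: any three keyholders can rebuild it, two cannot, and an unresponsive holder is revoked by having a responsive quorum rebuild the key and re-deal fresh shares. The use of Shamir secret sharing, the field size and the function names are assumptions.

```python
import secrets

# Constructed example: 3-of-5 threshold sharing of a per-user production-order
# key via Shamir secret sharing over a prime field. Assumed mechanism for
# illustration only; not the ID VPN implementation.
PRIME = 2**127 - 1          # Mersenne prime; the secret must be < PRIME
THRESHOLD, HOLDERS = 3, 5   # 3 of 5 lawyers must "turn the key"


def _eval_poly(coeffs, x):
    """Evaluate the sharing polynomial at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(secret, k=THRESHOLD, n=HOLDERS):
    """Deal n shares of `secret`; any k recover it, k-1 reveal nothing."""
    assert 0 <= secret < PRIME
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return {holder_id: _eval_poly(coeffs, holder_id) for holder_id in range(1, n + 1)}


def recover_key(shares):
    """Lagrange-interpolate the supplied shares at x=0 to recover the key."""
    ids = list(shares)
    secret = 0
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if i != j:
                num = (num * -j) % PRIME
                den = (den * (i - j)) % PRIME
        secret = (secret + shares[i] * num * pow(den, -1, PRIME)) % PRIME
    return secret


def replace_unresponsive_holder(shares, quorum_ids, revoked_id):
    """Revoke an unresponsive keyholder: a responsive quorum rebuilds the key,
    then fresh shares are dealt from a new random polynomial, so the revoked
    share (and every other old share) no longer combines with the new set."""
    assert len(quorum_ids) >= THRESHOLD and revoked_id not in quorum_ids
    key = recover_key({i: shares[i] for i in quorum_ids})
    return split_key(key)
```

Mixing an old share with new ones fails to recover the key, which is what makes the revoked share worthless.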
I mentioned that making a proper privacy-centric (pseudonym-based) ID management platform work with compliance presents two logistic hurdles: it requires a way to handle online payments and shipping. I mentioned that we have handshake agreements in place to become effectively a shipping proxy service (cost-prohibitive currently, as you’re effectively paying for shipping twice, shipping in Canada is already expensive, and our staff have to re-wrap the product in the middle), as well as the first payment card solution on the planet with a pseudonym on it.
The feedback I received on my talk was all great, which is a bit disconcerting; I was hoping for more critical gaps I may have missed, and I should note I didn’t get any feedback from government agents on the compliance side.