The many contexts of eID (Part 1)
Mapping a model for online payments to electronic identities and authentication
In 2007 Innopay partners Chiel Liezenberg and Douwe Lycklama, together with independent consultant Harry Smorenberg, published an article titled “Understanding buyer and seller behaviour for improved payment product development” in the Journal of Payment Strategy & Systems. In this article a context model for e-commerce transactions is described.
In a multi-part blog of which this will be the first entry, I will attempt to map this model to some e-identity concepts. I foresee that (a lot of) additional thinking and working out of ideas will be required, so a part 2, 3 etc. will probably be written in due course. For now let's start with a look at the original article.
The article introduces the concepts of Agree, Pay and Deliver as the key components of a buyer-seller transaction and shows that in early commerce these components were connected in time and place. For example, on a market square in Roman times you shook hands with your favourite farmer and paid on delivery of your turnip.
With new channels for doing business, the agreement, payment and delivery are no longer aligned, and new risks for buyer and/or seller are introduced. These risks, according to the model, vary with the context of the transaction. That context can be described on four axes: Location (where are the buyer and the seller relative to each other?), Relation (how well do they know each other?), Product (what is sold and what is it worth?) and Timing (how are the agreement, payment and delivery aligned in time?).
For commerce, the answer to mitigating the risks of these different contexts is to use different payment methods, each tailor-made to a specific context and reaching an optimum between buyer and seller risk. For example, the risk a buyer of online goods perceives because the seller is unknown to him can be countered by offering a pay-on-delivery payment method. However, this payment method won’t work for digital online products like PDFs or streaming video.
So from this starting point we will try to map some concepts from the model to e-identity.
If we depict an identification transaction I think we can see components such as Identification, Authentication and Trust that may have some resemblance to the Agree, Pay and Deliver concepts from the context model, but I will leave that for next time.
Right now I want to zoom in a bit on the concept of risk balance. In an e-commerce transaction goods or services are exchanged for money. Both buyer and seller run a certain amount of risk (by paying, the buyer is exposed; by delivering, the seller is), risk that varies with the context. But for e-identity this is different. The risk is almost completely in the corner of the relying party. Who relies, runs the risk. Of course by identifying/authenticating him or herself a user exposes him or herself a little bit, giving up anonymity, but we leave that for another time.
The risk for the relying party becomes apparent in an e-contracting example. A user signs an online contract with an insurance company, the relying party. The insurance company is exposed to the risk of not authenticating the right person and ending up with a worthless contract. This risk is not balanced by the risk the user runs, which is virtually none. Of course the topic of mutual authentication (both actors in a transaction authenticating each other) comes to mind here, but again we leave that for another time.
So for e-identity the relying party runs all the risk and that risk varies with the context of the transaction. This means that from different contexts for the relying party we should be able to derive corresponding risk levels. This may be a bold statement, I know, but I think it must be doable to come up with objective parameters that would allow us to define risk levels.
How to derive these risk levels from the context parameters of an e-identity transaction will be explored in more detail in a later part of this blog series. For now I'd like to close with some thoughts on the solution. In e-commerce, payment methods are the answer to the problem of differing contexts. So what would be the solution for different risk levels? Exactly: corresponding levels of assurance. The more I can assure you of my identity, the less you are exposed to risk. And the good thing is, these solutions already exist. For example the STORK project (www.eid-stork.eu) already provides a framework for determining the level of assurance of a specific e-identity solution. In a project for the Dutch government, called eHerkenning (www.eherkenning.nl/eRecognition), we use that framework for certification of e-identity providers that want to offer their services under the eHerkenning brand.
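To make the idea of "context determines risk level, risk level determines required level of assurance" concrete, here is an added toy example of a relying-party policy. It is illustration only, not code from this post, from STORK or from eHerkenning: the four context parameters follow the Location/Relation/Product/Timing axes of the article, but the scoring weights, the thresholds and the four assurance levels are assumptions chosen to show the mechanism, not a published mapping.

```python
"""Toy relying-party policy: derive a required level of assurance (LoA)
from the context of an e-identity transaction and enforce it.

Added illustration; the weights, thresholds and level names below are
assumptions, not a framework published by STORK or eHerkenning.
"""
from dataclasses import dataclass
from enum import IntEnum


class LoA(IntEnum):
    """Ordered assurance levels (assumed four-step scale)."""
    MINIMAL = 1
    LOW = 2
    SUBSTANTIAL = 3
    HIGH = 4


@dataclass(frozen=True)
class Context:
    """The four context axes of the payment model, read from the
    relying party's point of view."""
    remote: bool        # Location: parties are not face to face
    known_user: bool    # Relation: relying party already knows this user
    value: int          # Product: what is at stake for the relying party, in euro
    deferred: bool      # Timing: consequences unfold later (hard to reverse)


def risk_score(ctx: Context) -> int:
    """Additive risk score 0..5 for the relying party (assumed weights)."""
    score = 0
    if ctx.remote:
        score += 1
    if not ctx.known_user:
        score += 1
    if ctx.value >= 1000:
        score += 2
    elif ctx.value >= 100:
        score += 1
    if ctx.deferred:
        score += 1
    return score


def required_loa(ctx: Context) -> LoA:
    """Map the risk score onto the minimum acceptable LoA (assumed thresholds)."""
    score = risk_score(ctx)
    if score <= 1:
        return LoA.MINIMAL
    if score == 2:
        return LoA.LOW
    if score <= 4:
        return LoA.SUBSTANTIAL
    return LoA.HIGH


def authorise(ctx: Context, asserted: LoA) -> tuple[bool, LoA]:
    """Decide whether the LoA asserted by the identity provider for this
    authentication is sufficient for this context. Returns the decision and
    the level that was required, so a refusal can ask for step-up."""
    needed = required_loa(ctx)
    return asserted >= needed, needed


if __name__ == "__main__":
    # Constructed sample: the e-contracting case from the post, an unknown
    # user signing a high-value insurance contract online.
    contract = Context(remote=True, known_user=False, value=5000, deferred=True)
    # Constructed sample: a known user checking a low-value order status.
    order_status = Context(remote=True, known_user=True, value=10, deferred=False)
    for name, ctx in (("insurance contract", contract), ("order status", order_status)):
        ok, needed = authorise(ctx, LoA.SUBSTANTIAL)
        print(f"{name}: required {needed.name}, asserted SUBSTANTIAL -> {'accept' if ok else 'step-up'}")
```

The point of returning the required level alongside the decision is that the relying party can ask the user to step up to a stronger credential instead of simply refusing, which is the e-identity counterpart of switching to a different payment method when the context changes.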
Enough deep thoughts on e-identity for now. We have a lot more to explore. I will keep you posted in my next blog. In the meantime I'm very curious about what you think. Please let me know via email or in the comments below.