Debit or credit card in hand, you’re set to make a quick purchase online only to be greeted by yet another form asking for your personal details. You spend 10 minutes filling out the form and since you’re new to the site, the online store asks you to choose your own unique password for the next time you shop at the site. You’re then passed on to a security page which wants to check you’re the legitimate owner of the bank card. Your password is requested. If you haven’t forgotten the password for the security check with your bank (you may have more than one credit card and the password isn’t the same as your online banking password or your cash card pin), then you’ll probably have forgotten your password to the online store the next time you shop there. Re-requesting all these user names and passwords slows us down from spending our own money or making a quick consultation on the internet. Simplifying the process This is a source of frustration which Vincent Etchebarne, innovative services developer at France Telecom’s Orange, understands. “When people go on the internet, they must systematically fill in forms asking for their name and address. Our idea was to memorise all that information and make it mobile so it could be accessed at any PC, whether you were in an internet café or at home,” he says. The challenge was to find a technical way to save and manage a customer’s information – while keeping it secure from fraudsters on the lookout to steal our personal information. In 2005, Orange partnered up with three other European telecoms operators – TeliaSonera, Telenor and the then Amena (now Orange) to develop a solution. The investigation became a EUREKA project called Fidelity, which stands for Federated Identity Management based on LIBERTY. The operators partnered with telecoms software and hardware developers Ericsson, Axalto and Italtel, three SMEs (Moviquity, TB-Security and Linus) and the University of Oslo, which had specialist knowledge of development and integration in IT systems. They decided to test a system where telecoms operators could act as “identity providers”. They would have a customer’s personal information and would give the necessary information to third parties after receiving the customer’s permission. “A hotel site, for instance, will ask Orange for your details and then Orange will ask you if you’re happy about sharing your details with the hotel,” explains Etchebarne. One of the advantages of the system is that customers can save time through having one password with their identity provider. A customer could visit a new website and it would be their identity provider who would handle the virtual paperwork on their behalf. The secure solution To make the process secure, the EUREKA partners decided the identity providers would operate within what they called a circle of trust – a circle to which the service providers (internet stores or online news webpages, for example) would also belong, along with attribute providers which securely host the customers’ personal attributes to be shared with service providers. The circle of trust would be a formal partnership where the members would sign a contract agreeing to certain terms such as how information should be exchanged, kept and deleted from databases at a customer’s request. “Since a contract exists, a customer can ask at any time to have their personal data removed from the records of a company,” says Etchebarne. Customers can also decide to only give limited information to a company. They could decide to just give the information a company or organisation needs to provide them with the service. “The system gives customers much more control,” says Etchebarne. “Because everything linked, if you change your address, you just change it with your identity provider, not with every website you use.” Although a customer would have a single password with their identity provider, for extra security, when she visits a website and gives her permission for it to receive her personal data, she would be given a unique security identifier for that website. “In the future, the weather site would be able to recognise it is me from the identifier,” says Etchebarne. “It knows where I live and every time I access the site automatically posts the weather for where I live. It won’t know my name or address. It only needs to know where I live.” One of the most innovative aspects of FIDELITY is that a customer who is with one identity provider in one circle of trust can also use service providers in other circles of trust. Etchebarne says the identity providers would sign agreements with each other in a similar way to the way in which mobile operators sign roaming deals so that customers continue using their phones abroad on another network. A bright future Since concluding the trials during the project which ended at the end of 2006, the FIDELITY partners have started putting the project to commercial use. Orange, for instance, has clinched a contract with the French government to build a web portal through which citizens will be able to access all their public services and share their data with the civil service departments. It will use the FIDELITY system on the portal.
Spain, Finland, France, Italy, Norway