Global Trust Center

The Global Trust Center is a non-profit independent international organisation that develops policy, best practice and guidance to enable trust in digital interactions, such as on the Internet. It provides a forum for governments; businesses and civil society to carry out research and dialogue to develop a framework for users to enjoy significantly enhanced trust levels in the digital world.The mission of the Global Trust Center is to place the individual user, whether acting in the name of a legal entity or not, at the centre, and in control, of all digital interactions that they undertake. This will reaffirm fundamental values of legality, integrity, accountability, security, privacy, traceability and the protection of intellectual property.To achieve its objectives, the Global Trust Center acts as the:

* Champion of the user’s rights including property rights;
* Facilitator for the individual user to transition, seamlessly between the physical world with its multiple jurisdictions and the digital world;
* Policy making body for the development and implementation of users’ rights in the digital world;
* Developer and communicator of best practice and guidance on issues of digital identity and trust;
* Custodian of The Global Trust Center Policy on ‘Enabling Trust in the Digital World’.

The Global Trust Center's model is based on a hierarchy of policies with the Global Policy being the only policy common to all users. The policies have a number of elements arranged into logical groupings which are explained below.

The individual user

Any individual user with access to the Internet will be able to obtain the software needed to activate and manage a Personal Digital Identity (PDI). This is an anonymous process and there are no databases or records of who has made this download to activate and manage their PDI.

To activate the PDI, the individual user associates their PDI with a Global Trust Center compliant Witness Service Provider (WSP) of their choice. The opposite of activation is revocation, which is the termination of all associations with all WSPs or that the Owner of the claimed identity decides to stop using it.

Once the PDI is activated the PDI, and so the claimed identity, is under the control of the individual user. No one else can use it unless they are given that right by the owner of the claimed identity either by conscious or negligent disclosure.

The individual user is the only one who has the ability to access the facilities needed to verify their claimed identity. The ability to access this is subject to whatever level of authentication the owner of the claimed identity requires to be in place.

In all situations the owner of a claimed identity acts in a delegated role. This could be as a private individual, a citizen or in an agreed delegated role for a legal entity. The legal entity and the owner of a claimed identity can agree that the legal entity grants specific access rights, privileges and responsibilities to the owner of a claimed identity as part of their delegated role. The legal entity cannot force the owner of a claimed identity to accept the delegated role. The legal entity can remove the delegated role as it requires and the owner of the claimed identity has the right to resign from the delegated role.

To regulate the use of the PDI the owner of the claimed identity sets up a number of private policies. These policies are known only to the owner and the owner is able to set up as many private policies as required for regulating the use of the PDI.

Where the individual user is acting in a delegated role for a legal entity, they will have a number of inherited policies set up by the legal entity which regulate the way the individual user acts as part of their delegated role.

If an interacting party requires the owner of a claimed identity to verify their identity this can be done by the use of references. A reference is the confirmation of one or more digital interactions being carried out with the claimed identity. It is possible for the reference requester to independently verify the reference from the reference giver.

References can be obtained from anyone with whom the owner has claimed that they have interacted. This can be for a claimed identity for an individual; acting for themselves or in a delegated role. Where it is for a claimed identity in a delegated role, this is secondary to the gaining of references for the legal entity from the relevant business register, government departments or commercial business relations. Over time they will be able to claim more accesses and so the ability to obtain more references. This makes the claimed identity very difficult to forge.If the owner of a claimed identity loses the ability to access the facilities to verify their claimed identity, it is possible to for the owner re-establish this ability.

No-one without the owner of the PDIs permission and authority can ever assume the identity claimed by the PDI. This precludes government mandated identity takeover.

Legal entities

A legal entity is any partnership, corporation, association or other organisational form that has, in the eyes of the law, the capacity to make a contract or an agreement, the abilities to assume an obligation, to pay off its debts and be recorded in the relevant national register. A legal entity, under the law, is responsible for its actions and can be sued for damages. All legal entities have a unique identity in the physical world and this is mirrored in the digital world.

To allow a unique identity to be assigned to a legal entity in the digital world, it is necessary to verify that they exist and that they are recorded in the relevant national registers of legal entities. The exact details that can be verified will be in the relevant National Implementation Plan. Once the verification has been carried out a unique identity is assigned to it and staff with delegated roles will be able to perform digital interactions on its behalf.

The owner of a PDI and the legal entity are able to agree that the owner takes on a specific delegated role with its associated access rights, privileges and responsibilities. The legal entity cannot force the owner to take on a delegated role, but it has the right to remove a delegated role as required which terminates all access rights, privileges and responsibilities relating to that delegated role. The owner is also able to resign from a given delegated role.

Staff in a delegated role will be able to receive references from the legal entity stating that they are authorised to act in that delegated role. By linking the delegated role to the owner of a PDI, the legal entity is able to manage and control their intellectual property.

The legal entity can specify multiple policies for delegated roles so that they are able to specify the exact conditions for any digital interactions carried out on their behalf.Access to electronic information by anyone acting in a delegated role within the legal entity can be controlled using the delegated role. The audit trail will be written to the chosen witness providing evidence that can be used in case of need by the legal entity. The choice of witness for any digital interaction is set by the legal entity, giving control over where the audit trail is stored. This creates traceability of access to corporate electronic information as mirrored in the physical world.

The legal entity has the ability to set up a witness service for its own exclusive needs as defined below.

If a court of competent jurisdiction mandates access to the audit trail of any digital interaction, the process carried out in the digital world under the Global Trust Center Policy mirrors that of the physical world.

The audit trail may contain the content of the digital interaction or just a digital representation of it.

Witnesses

There are three different types of Witness Service Providers that can support the Global Trust Center Policy:

* Global Trust Center Witness (sometimes referred to as the notary – this is the Witness Service Providers set up by the Global Trust Center in each country or area where the Global Trust Center Policy has been adopted. These witnesses will ‘know’ all of the other Global Trust Center complaint Witness Service Providers (the ‘WSPs’) and be able to verify them. The services offered by the Global Trust Center Witness will be the provision of a free mandatory audit trail service for all individual users but there will be a fee for accessing the audit trail. All Global Trust Center Witnesses will be certified to one or more of the recommended international or national standards and will publish their Witness Service Provider Terms and Conditions. As this is a Global Trust Center compliant Witness Service Provider it is referred to as a WSP;
* External Global Trust Center compliant Witness Service Provider (the‘External WSP) – this is a witness set up by a legal entity to provide witness services to clients on a commercial basis. All External WSPs will be compliant to the Global Trust Center Policy and may optionally elect to become certified to one or more of the recommended international or national standards and will publish their Witness Service Provider Terms and Conditions. A legal entity may choose to operate an Internal Global Trust Center compliant Witness Service Provider (the‘Internal WSP') to their own organisation for their own needs. This is a matter for the legal entity to decide;
* Internal Witness – this is a witness set up by a legal entity for its own use for digital interactions inside the legal entity. It is not compliant to the Global Trust Center Policy and is operated by the legal entity according to its own processes and procedures. This will be referred to as an Internal Witness.

Where the type of witness may be any one of the three above, they are referred to as Witness Service Providers.

Additionally there is the:

* Signature Witness – who will witness an interacting party's signature in a digital interaction. The Signature Witness could be a WSP, any person who has a valid PDI, or any machine, sensor or application with a Digital Identity (DI).

WSPs will be able to claim a level of compliance with the Global Trust Center Policy based on the following:

* Self Assessment – High Level which is the lowest level of claimed compliance and consists of the completion of a short self assessment questionnaire to indicate the level of compliance that they claim;
* Self Assessment – Detailed Level which is the higher level of claimed compliance and consists of the completion of a detailed self assessment questionnaire to indicate the level of compliance that they claim;
* Certification Audit by a Certification Body – is a formal third party audit by a Certification Body can be undertaken against the set of standards derived from the Global Trust Center Policy and relevant standards defined by the Global Trust Center. This will provide independent assurance that the legal entity is compliant with the requirements of the Global Trust Center Policy.

The primary service that the WSPs offer is the secure recording of the audit trail of the digital interactions where the WSP was the chosen witness for the digital interaction.

The audit trail will store as a minimum:

* date and time of digital interaction;
* parties in the digital interaction;
* a unique digital representation of the digital interaction.

If there is a dispute about a digital interaction the audit trail can be recovered and has evidential weight as it was written contemporaneously and is held by an independent third party. All WSPs will use the same time source to ensure that all witnesses to a digital interaction record the same time consistently for a digital interaction to the audit trail wherever they are in the world.The Owner of an audit trail of a digital interaction can expect that when they need access to the audit trail for their digital interactions (typically in a dispute situation) that this will be made available by their chosen WSP for the digital interaction. The WSPs shall ensure that the audit trail, and any other data stored for a client, is protected against unauthorised access, modification or erasure.

Legislation

The Global Trust Center Policy will be implemented in many different jurisdictions. Each of the different jurisdictions will have different legal, regulatory and industry specific requirements that will affect the implementation of the Global Trust Center Policy.

The relevant National Implementation Plan for the jurisdiction or the Industry Implementation Plans for a specific industry segments will contain details of these requirements.

All individual users and legal entities will be required to comply with the legislation for the jurisdictions in which they reside or interact digitally.

Whilst there will be multiple jurisdictions, there will be the legal registers available that can be used to verify existence and status of any:

* claimed governmental organisation;
* properly constituted legal entities;
* citizen.

This will facilitate interoperability between individual users and legal entities in difference countries.

Every individual user, whether digitally interacting for themselves, or in a delegated role for a legal entity, will have to indicate the jurisdiction that they are interacting under for dispute resolution purposes. Where they are in a delegated role, this will usually be chosen for them by the legal entity who has assigned them their delegated role.

Every individual user, whether digitally interacting for themselves, or in a delegated role for a legal entity, will have to choose an appropriate WSP to provide witness services for the digital interaction. Where they are in a delegated role, this will usually be chosen for them by the legal entity who has assigned them their delegated role.

It is essential that this and the implications of their choices are understood and that the choice is appropriate and that the jurisdictional requirements are met. This process mirrors the physical world where it is possible to choose the jurisdiction for execution of a contract based upon business or other needs.

The Global Trust Center will build a library of best practice and guidance based on the development of Industry Policies, Process Control Policies and other documentation that it develops. This will be industry, business and jurisdiction specific.

Whilst there is the option for WSPs to become certified to the relevant international standards, the Global Trust Center has defined a minimum recommended level of security for protecting and processing client data. All Service Providers, including WSPs, will have to provide an annual statement confirming compliance to the minimum requirements defined by the Global Trust Center.

Technology

Technology is always changing and there is a risk that future technology will render existing solutions obsolete and that it cannot be used. The Global Trust Center will support current and future technology to limit the possibility of this occurring.

The WSP will always have to use Global Trust Center compliant technology to ensure the integrity and interoperability of all WSPs. The External WSPs will also, as part of their Witness Service Provider Terms and Conditions, have to commit to their clients that they will always be able to recover the audit trail of digital interactions during the agreed period of storage for the specific client.

The Global Trust Center Policy supports an open architecture which will allow any hardware manufacturers, vendors or system integrators to integrate Global Trust Center Policy certified technology into their products.

There is no proprietary architecture in place to restrict global uptake of Global Trust Center Policy certified technology.

Security

Interacting parties in a digital interaction will be able to perform their own risk assessments to determine their own levels of security requirements for each and every digital interaction they undertake. This can be achieved by logical and physical security measures including the use of multiple policies.

The Global Trust Center architecture is decentralised, meaning that there are no centralised ‘head office type’ systems that can be subject to attack or failure. If an attack against the Global Trust Center architecture were undertaken, the decentralised architecture means that there is no major system failure as each of the component parts of the architecture stands on its own and is independent of the other components.

As part of this decentralised architecture there is also no centralised database of information relating to owners of PDIs, such as the certificate authority in the PKI model. This means that there is a robust and resilient infrastructure.

Legal entities will have control over their delegated roles with associated rights and responsibilities and can finely tune the access rights that they give to those acting in a delegated role on their behalf. The use of a dedicated WSP allows legally admissible proof of digital interactions to be recovered and used where required.

The implementation of the Global Trust Center Policy provides increased security to legal entities and individual users though:
* authentication – the ability to know who has access to any delegated role and control or use it;
* identification – by providing processes to identify interacting parties and legal entities. This can be done by independently verifiable references or by use of the relevant business or citizen registers;
* protecting Intellectual Property Rights (IPR) – by being able to finely tune who has access to what resources and in what manner. The access rights and responsibilities granted, whether as part of a delegated role or as an individual user, will protect IPR and its ownership. Additional to the access is the ability to be able to prove that access at a later date, if required, from the secure audit trail held by the relevant WSP;
* assigning a delegated role – the legal entity can set up as many delegate roles and agree them with individual users so that they can mirror their physical world structure and responsibilities in the digital world. This allows clear responsibilities to be set;
* audit trail – all interacting parties will have their audit trials stored in the secure audit trail of their chosen WSP. The audit trail is held in a tamper evident environment.

International Council

The Global Trust Center has been evolving under the stewardship of an international steering group since 2003. The governance structure was upgraded in 2006 and 2007, with the establishment of the Global Trust Center International Council.

Following extensive consultation, individual representatives have been selected – one from each participating country – to form the circle of Council members. The members speak with their own voice and in a personal capacity. Their decisions are not legally binding or mandatory for their countries or home organisations. Their considerations should reflect concern for the good of the individual user and weigh the perspectives of all main stakeholders, governments, the private sector and civil society.

The prime task of Council members is to observe and advance the Global Trust Center Policy. The Council engages in substantive discussion and deliberation on key issues. An elected executive committee oversees micro issues in relation to management, budgets, and so on. The Council’s deliberations are led by a Chairperson and Vice Chairperson, elected by the Council. The Council agenda is supported by the Global Trust Center Secretariat.

Membership of the International Council at present is as follows:

Bangladesh - Abul Kalam Azad (Joint Director, Foreign Exchange Policy Department, Bangladesh Bank)

Bulgaria - Antoni Slavinski (Head of Department Telecommunications, New Bulgarian University. Chairman, Telecommunications Association, Bulgaria)

Denmark - Lars Klüver (Director, Danish Board of Technology)

Estonia - Silver Meikar (Member of Parliament)

Finland - Matti Oivukkamäki (Deputy Director General, Technology Department, Ministry of Trade and Industry)

France - Sylviane Toporkoff (Professor, Paris 8 University, Institute of European Studies)

Greece - Paris Kokorotsikos (President & Managing Director, Euroconsultants SA)

India - Mathew J Manimala (Professor of Organization Behaviour, IIMB, and Editor, South Asian Journal of Management)

Italy - Mario Rinaldi (Chairman, Cineca)

Jamaica - Arnoldo K. Ventura (Senior Advisor for Science and Technology, Prime Minister Office, Jamaica)

Republic of Korea - Joonghae Suh (General Director, Strategic Planning Bureau, Ministry of Planning and Budget)

Malasia - Shamsul Jafni Shafie (Director, Security, Trust and Governance Department (STGD). Malaysian Communications and Multimedia Commission (MCMC)

Netherlands - Elly Plooij-van Gorsel (Counsellor, EU and International Affairs, Security, ICT and Telecoms)

Norway - Morten Ween (Senior Advisor, ICT Security and Vulnerability, DnB NOR)

Oman - Darwish Almaharbi (Dean, College of Commerce & Economics, Sultan Qaboos University)

Pakistan - Zahid Jamil (Barrister-at-Law, Jamil and Jamil)

Romania - Florin Vrejoiu (Vice President, Romanian Association for electronic and software Industry)

Kingdom of Saudia Arabia - Sultan Bahabri (Chairman of the House of Integrated Technologies and Systems (HITS) Africa)

Sweden - Anders Flodström (University Chancellor, Swedish National Agency for Higher Education)

Thailand - Somkiat Tangkitvanich (Research Director, Information Economy, Science and Technology Development Programme)

United Arab Emirates - Mohamed Baka (Chairman of the ICT forum, Abu-Dhabi)

United Kingdon - The Earl of Erroll (Member of the House of Lords)

References

[enabling Trust in the Digital World] 'Enabling Trust in the Digital World', authors Thomas Andersson, Andreas Jacobsson, Andreas Mossberg, Jens Sorvik, 2006. Published by IKED, ISBN 978-91-85281-08-04

External links

* http://www.globaltrustcenter.org
* [http://www.kdcstaffs.com/it/main_view.php?mode=view&nNum=5059&parts=Cover] Article in Korea IT Times regarding the "OECD IT Ministerial Meeting" June 17/18 2008
* [http://www.etsi.org/website/NewsandEvents/SecurityWorkshop2007.aspx] Announcement of European Telecommunications Standards Institute (ETSI) Security Workshop: Future Security Sophia Antipolis 16-17 January 2007 including session on Global Trust Center.
* [http://arabinfomall.bibalex.org/En/OrgData.aspx?orgid=638&sectionid=5] International Organisation for Knowledge Economy and Enterprise Development (IKED) article in Arab Info Mall
* [http://www.brreg.no/porvoo13/documents/biometrics_max_snijder.ppt] Biometrics Expertise Group case study on use of biometrics under the Global Trust Center model and policies