Want to know if you can trust my credit card? Ask my fridge

My fridge is quite smart in a dumb sort of way. It knows a lot about me. It knows where I live, because we cohabitate. It knows that I was at home at 7:30 this morning because it sensed my fingerprints when I opened the door and used the last of the milk. It knows where I am because it has a direct link to my GPS phone. It knows my credit card because I purchased it using the same card. You know you can trust my credit card because you can call my fridge on your phone and ask it whether the person about to pay for the milk is carrying the same phone and credit card. Disclaimer: my fridge isn't that smart just yet, and the bank and the local store haven't yet made their IT systems Welcomer Enabled; but one day they will.


An API for Personal Data

With the Welcomer approach any organisation can provide APIs for use by applications to access personal data held by the organisation. The API and the associated personal data for an organisation are controlled and approved by the organisation. Personal data across applications can be linked by the individual concerned, who makes links between common data elements held by different organisations. So if a person's name is held by two organisations, with Welcomer the person can link the two occurrences of the name. The APIs enable the person to gather all the linked occurrences and to see a list of the names the person has used across different organisations. Personal data differs from other data in two ways. Access to personal data requires permission and consent from the person as well as from the organisation charged with the responsibility of holding the data. And personal data is scattered and duplicated across applications and organisations, so API access has to provide a way to link distributed common data elements while respecting privacy and ensuring security.

The Welcomer APIs satisfy these constraints by controlling data access via rules within applications rather than rules applied to the data.

  • The person accesses their own data via applications they agree to use.
  • The system links common data elements across organisations; each data element is kept separately from other data elements.
  • The only meaning attached to a data element is its name.
  • Organisations approve the applications that are permitted to use the APIs.
  • Meaning of the data is provided by the applications.
  • Organisations approve the other organisations that are allowed to see individual data elements they hold.
  • Data held by an organisation always remains with, and under the control of, the organisation.
  • The organisation holding the data being viewed can be anonymous to the receiving organisation.
  • The organisation viewing the data can be anonymous to the holding organisation.
  • The person providing the data can be anonymous to both the viewing and the holding organisation.
  • Every time data is copied, a record is kept by the organisation allowing the copy to be made. The details of the copy are only available to the person concerned.
  • A history of access can be retained.

The Functions of the APIs

There are two APIs for any application. The first is a setup API that defines the rules associated with each data element for an application. This API is called by the organisation's administration, and the rules are stored with the data and under the control of the organisation. The second is an access API that is called when a person uses an application. It returns a list of the values stored for the data element. It can also send changes the application makes to the organisations holding the data, for them to decide whether they wish to change the value of the data element.

Administration Application

The administration application calls the administration API. The application has a list of all the data elements for all applications permitted by the organisation and the rules associated with each data element for each application. The only party permitted to access the administration application is the organisation.  It decides independently of any other organisation the rules it wishes to apply to linked data elements.

The Organisation Personal Data API

This API receives a list of personal data element names together with how recently, and by what means, each data element has been authenticated by the person. These data elements can be any personal data but are typically things like password, device, voice print, name, email address, telephone number, date of birth, location, home address, credential or bank balance. The access rules for each data element are set by the organisation. One rule may be not to return the value of the data element but only to say that it exists. Another may be to pass the data element value only if the individual has been authenticated with at least two factors.

The PEDDAL algorithm is applied to each data element in the call. It asks for all values of all data items to be returned to the requesting application. If the application then asks for a value of the data element to be stored by the application, the data element is put into the circular linked list of occurrences of that data element held by all organisations.


A Common Change of Address Application

Personal data is stored in existing organisational databases, and each application used in an organisation has its own store of personal data. The difficulty of providing common services involving personal data is that most applications require data from other applications, often from applications in other organisations. The data is distributed. Three approaches to providing common services involving personal data for a group of organisations are:

  1. a common service using a single database or index to all the personal data held by all the organisations (e.g. personal databases such as MyDex);
  2. a single sign-on service (federation of data, or a whole-of-country myGov);
  3. the data remains siloed in organisational databases and is linked with a distributed algorithm such as the PErsonal Distributed Data ALgorithm (PEDDAL). The data is accessed via an API that returns previously recorded values of the data no matter where they were stored.

The first two approaches require the creation of a "single entity" around which the data is organised. The third approach leaves the data distributed and collects the data as needed through a network algorithm.

The use of approach 3 is illustrated with a change of address application. This is followed by an outline of other applications that might use the links established with approach 3.

Change of Address

Suppose an organisation has decided to deploy the change of address application. The organisation can either install its own version of the application or use a trusted version provided as a set of calls to a web service. When an organisation installs the application it can see all the other organisations that are using it, and it decides whether it wishes to allow users from those organisations to see, via the organisation, the address it holds for them.

Let an organisation have a form into which a person can enter, or has entered, their home address. The application uses PEDDAL to assist the person to enter or change their address by showing them a list of all the unique home addresses they have previously entered using other PEDDAL systems. The person either selects an existing address or enters a new one. If there are different addresses, the person is asked if they wish to change their address in each of the other databases. If they say yes, they can make the changes provided they satisfy the identity authentication requirements of the database to be changed.

What this means is that no matter where a person enters their address they can update all other occurrences of address in all databases that use the PEDDAL algorithm and where the organisations concerned permit the change.

When an organisation decides to use PEDDAL it stores a copy of the address along with the identity information that must be authenticated before the data can be changed. This could be things such as name, email address, phone number, voice print, photo ID, PIN, ID number, date of birth or password. This information is only accessible from within the organisation.

For example, assume the Electoral Office, the Passport Office and a Bank all use the PEDDAL algorithm for address and all use name and date of birth as identifiers for the person.

A person goes to the Bank's website to change their address. They are shown the other addresses they have entered, but not where those addresses come from. They select the one they wish to use or enter a new one. If they enter a new one that differs from the others in the list, they are taken to each other organisation, where they authenticate themselves according to the rules of that organisation. If this is the Electoral Office they simply press OK. If it is the Passport Office they might be asked to enter their passport number.

It should be noted that the Bank does not know that the person has records with the Electoral Office and the Passport Office, and vice versa. All identifying information is kept within the siloed databases controlled by the organisation that collected it. Nor is it revealed to the person through the address change and retrieval application.

Once the databases are linked other applications can use the links established with the address application.

  1. A person may be required to pay to purchase a passport. They could be directed to the Bank to make the payment without having to enter any other information, except to identify themselves to the Bank using the Bank's identification system. The linkage of the person came through the links obtained by linking their residential address.
  2. Immigration may wish to verify that the person has a bank account with the Bank before issuing a visa.
  3. Immigration may direct a person to open a bank account in Australia before issuing a visa and let the person choose from PEDDAL organisations.
  4. The Bank may wish to verify that a person has a valid visa before opening a bank account.
  5. The Electoral Office may wish to verify that the person has changed their address with another party such as the Bank.
  6. The Bank may wish to verify that the person has left the country when there is a credit card request from overseas.
  7. Immigration may wish to ask the person to confirm where they have travelled by getting them to show electronic purchases made through the Bank.
  8. Immigration may wish to confirm that a student has a steady income by getting the person to show regular payments from overseas (verification of ongoing income).

NRMA ScaleUp Application

White Label Personal Clouds has submitted NRMAVoiceID to the NRMA's ScaleUp program. The NRMA runs two programs to foster innovation. The first, JumpStart, is for early stage companies that have an idea and want to develop and commercialise it. The second, ScaleUp, is for companies that have a product and need a customer. The NRMA selects 4 companies from over 50 applicants for ScaleUp, and those companies gain the NRMA and its 2.5M members as a customer.

Here is a short video describing NRMAVoiceID

Identity, Data Sharing and Personal Privacy

This article puts the proposition that electronic identity and electronic personal privacy are enhanced by giving people access to previously entered data so they can reuse it in different circumstances. This objective of giving people "enter once, use many times" is valuable in its own right, and it also addresses the problem of leakage of personal data from existing organisational silos of personal information. The article proposes an algorithm that both enables reuse and helps prevent leakage of personal data. Identity and the sharing of personal data pervade the Internet. They are the foundation for the trust we have in electronic relationships with organisations and with other people. Trust in data is built on knowing that the data provided is accurate and refers to the person concerned.

The Internet has allowed data to be easily shared and transmitted. Personal data is held in organisational databases where the organisation takes responsibility for identifying the persons and keeping the data secure and private. These systems are successful and work well. Within this ecosystem there is a need for organisations to exchange personal data within their own boundaries and across organisational boundaries. Individuals are required by law to approve the transmission of personal data and the purposes for which the data can be used. In most cases organisations find it in their best interests to keep personal data private and follow the law.

This organisation-centric system works reasonably well for organisations' internal operations. It becomes difficult for organisations when data is used for purposes other than those for which it was collected and when it is moved across organisations. It does not work well for individuals because they have no easy way of reusing data they have previously entered, and they must continually give permission for data to be transmitted.

Organisations overcome some of these difficulties by subscribing to surveillance services and by using big-data techniques to profile users. Both these approaches are at odds with the objectives of maintaining privacy, of keeping data in silos and of organisations protecting their data.

To address this problem we need ways for individuals to easily reuse previously entered data with the agreement of the organisations that have the responsibility for keeping the data secure. There are many suggestions on how this can be done. Most centre around the idea of people owning their own data: when the data needs to be shared, the person collects it and distributes it. To reduce the sharing effort these systems often include user-defined ways for organisations to access information without explicit permission each time it is used. The difficulties with these approaches are that they lead to centralisation of information about a person, or centralisation of pointers to information about a person. They sometimes require users to grant permissions before the permissions are actually required. And they create personal data stores of the data about a person from organisations, stored outside the control of the organisations responsible for the data.

The algorithm presented here is a different approach based on the idea of easily reusing personal data across organisational silos of information.  The algorithm is implemented in applications and results in previously entered data being made available to a person for use in other applications.  The algorithm is called PEDDAL (PErsonal Distributed Data ALgorithm).  It works on the principle that when a person goes to enter data in a PEDDAL application then all the previous instances of the data in PEDDAL applications are available to the individual. The data entered into the new application is then made available to other applications.

Organisations control and only allow PEDDAL to operate on data in applications they are willing for people to reuse. Data access is contextualised by the application that wishes to use the data rather than around the data itself. The use of PEDDAL applications results in a person having easy access to previously entered data items.  This in turn makes it easier for individuals to supply data to organisations rather than organisations having to rely on surveillance and big-data profiling to obtain the data.

Applications that use PEDDAL must be approved by each organisation that allows it to access organisational data.  The data associated with PEDDAL is kept within the administrative boundaries of the organisation responsible for the data.  Existing applications remain as they are but if they use PEDDAL then they become part of the PEDDAL network.

For an organisation to use PEDDAL applications or to add PEDDAL to existing applications the steps are:

  1. The organisation approves the application and approves which organisational data can be accessed by other PEDDAL applications and any restrictions that might apply to the access.
  2. An individual uses an application and for data items that are PEDDAL enabled they either select from previously entered data or enter new data.

We have implemented an MVP version of the algorithm, which we call making an application Welcomer Enabled.

A short description of PEDDAL

  1. When asked to enter a data item, the individual has the option of selecting the value from a list of the data entered in other applications.
  2. After the data is entered, it is put in the list of previously entered data and made available to other applications.

The structures created from using PEDDAL compared to the structure of data in other systems

The list of data is implemented as a doubly linked circular list where the data elements are held in different applications that may or may not be in different organisations.

This can be thought of as ring of data.

With almost all other systems data is stored in heterarchical stores. This can be thought of as a collection of connected star shapes.

In the large the resulting storage structures for an individual can be represented as a set of linked rings resulting from the use of PEDDAL or a set of clusters resulting from the use of traditional index based storage structures.

The interlinked ring structure is, both visually and in practice, more integrated and robust than index based systems. The ring structure is completely distributed but completely interlinked, so that once an algorithm has access to one ring it potentially has read access to all data on all rings.

Some Outcomes of using the PEDDAL Algorithm to create rings of interconnected data items

Using PEDDAL means:

  • Individuals enter their data once and can reuse it many times.
  • The individual has access to where the data has been used and can request the data be changed in different places with a data change application.
  • Credential data can be shared across many applications and so achieve single sign-on.
  • A person can verify their identity by reference to their connections with other organisations and applications.
  • Biometric data can be used across organisations and applications in a way that maintains privacy and only requires one copy of the biometric being used.
  • Sensitive data such as location can be controlled by the individual, only released for specific purposes and only kept in a ring structure.
  • Organisations only need to collect and maintain minimum personal data for an individual to conduct most transactions, as transient data can be obtained elsewhere.
  • There is no central repository of information about a person, as the data is kept in existing silos.
  • The level of security for any transaction can be tuned to the risk associated with the transaction.
  • Users can control applications that access the PEDDAL distributed data for their own purposes, including ensuring their personal data is not being compromised.

Description of the PEDDAL Algorithm

The PEDDAL algorithm is implemented as a two stage system.  The first stage is deploying the algorithm in organisational applications in a controlled manner.  The second stage is the use of the algorithm by individuals accessing their data.  The first stage creates the framework and rules for how the rings are formed.  The second stage is the creation of the rings of data elements.

Stage 1 Setup

  1. A is an application that makes a copy of data held by an organisation O.
  2. The data copy is broken into elements E.
  3. R are the rules applied by the organisation to the reuse of the copy of the data through an application A.
  4. An organisation O explicitly agrees to an application being able to access data items by including the application in its catalog and by providing a certificate for the application to access the data.
  5. The organisation creates a catalog of the elements in the applications that have been permitted to access its data elements and specifies the rules R for access: (A, E, O, R).
  6. Each time a person uses an application with an organisation they identify themselves to the organisation.

Stage 2 Use

  1. If a person wishes to reuse a data element held by another organisation they identify themselves to each organisation independently and link the two data elements provided the rules R for both organisations allow it.
  2. When one data element is reused in an application then all other data elements in the application are potentially available for reuse in any other approved application.

The application of this algorithm creates independent networks of linked personal data elements E accessed by a particular individual.

Examples of rules:

  1. A data item cannot be reused unless the person has been identified in three independent ways. (the default rule is that the person is identified independently in two ways)
  2. The source of a reused data element can only be revealed to specified organisations. (the default rule is that the source of a data element is not revealed)
  3. If a data element is changed then the change can be notified to all other copies of the data element. (the default rule is that data elements do not notify others of changes).
  4. The person making the request to view data must supply proof that they have recently established a link between themselves and the electronic request in at least two different ways in the last half hour. (The default for access is one factor. The default to change the data is three factors)
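The following is an added Python illustration, not Welcomer's code, of how an organisation can evaluate the kinds of rules listed above and in the Organisation Personal Data API section: counting independent authentication factors within a time window, replying with existence only, revealing the source only to named organisations, and flagging whether a change should be passed to other copies. The class and function names, the sample organisations and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    """One way the person linked themselves to the request, and when."""
    factor: str           # e.g. "password", "device", "voice print"
    at: datetime


@dataclass
class ElementRule:
    """Rules an organisation attaches to one data element. The defaults follow
    the article: one factor to read, three to change, a half-hour window, the
    source is not revealed, and other copies are not notified of changes."""
    factors_to_read: int = 1
    factors_to_change: int = 3
    window: timedelta = timedelta(minutes=30)
    value_visible: bool = True                  # False: only confirm it exists
    reveal_source_to: frozenset = frozenset()   # organisations told the source
    notify_changes: bool = False


@dataclass
class HeldElement:
    """The organisation's copy of the element and the organisation it came from."""
    value: str
    source_org: str


def fresh_factors(events, now, window):
    """Distinct factors used within the window. Repeating the same factor
    counts once, since that is not an independent way of identifying."""
    return {e.factor for e in events if timedelta(0) <= now - e.at <= window}


def handle_request(rule, held, events, now, viewer_org, mode="read", new_value=None):
    """Apply one organisation's rule to a read or change request and return
    what that organisation is willing to send back."""
    factors = fresh_factors(events, now, rule.window)
    needed = rule.factors_to_read if mode == "read" else rule.factors_to_change
    if len(factors) < needed:
        minutes = int(rule.window.total_seconds() // 60)
        return {"allowed": False,
                "reason": f"{mode} needs {needed} independent factors in the "
                          f"last {minutes} min, got {len(factors)}"}
    if mode == "change":
        held.value = new_value
        # Other copies are told only if the rule says so, and each holding
        # organisation still decides whether to accept the change.
        return {"allowed": True, "changed": True,
                "notify_others": rule.notify_changes}
    reply = {"allowed": True, "exists": True}
    if rule.value_visible:
        reply["value"] = held.value
    if viewer_org in rule.reveal_source_to:
        reply["source"] = held.source_org
    return reply


def scenario():
    """Constructed sample: password used 5 and 1 minutes ago, device 2 minutes
    ago, voice print 90 minutes ago (stale), so two fresh factors exist."""
    now = datetime(2015, 9, 1, 9, 0)
    events = [AuthEvent("password", now - timedelta(minutes=5)),
              AuthEvent("device", now - timedelta(minutes=2)),
              AuthEvent("password", now - timedelta(minutes=1)),
              AuthEvent("voice print", now - timedelta(minutes=90))]
    # A third fresh factor turns up for the final change request.
    with_voice = events + [AuthEvent("voice print", now - timedelta(minutes=1))]
    balance_rule = ElementRule(factors_to_read=2)        # value only with 2 factors
    address_rule = ElementRule(value_visible=False,      # existence only ...
                               reveal_source_to=frozenset({"Electoral Office"}),
                               notify_changes=True)      # ... but changes fan out
    balance = HeldElement("1234.56", "Bank")
    address = HeldElement("1 Sample St", "Bank")
    return {
        "balance_read": handle_request(balance_rule, balance, events, now, "Passport Office"),
        "balance_change": handle_request(balance_rule, balance, events, now, "Bank", "change", "0.00"),
        "balance_after": balance.value,
        "address_for_electoral": handle_request(address_rule, address, events, now, "Electoral Office"),
        "address_for_passport": handle_request(address_rule, address, events, now, "Passport Office"),
        "address_change": handle_request(address_rule, address, with_voice, now, "Bank", "change", "2 Example Ave"),
        "address_after": address.value,
    }
```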

Example of applying PEDDAL.

  1. Organisation O1 has two applications A1 and A2. A1 has elements E1, E2, E3. A2 has elements E1, E4, E5.
  2. Organisation O2 has two applications A1 and A3. A3 has elements E1, E4 and E6.
  3. A person uses applications A1 and A2 with organisation O1, which links E1 in A1 and A2.
  4. The same person then uses application A1 with O2. This links E1 in A1 of O2 with E1 in A1 and A2 of O1, and links E2 and E3 in A1 of O2 with E2 and E3 in A1 of O1.
  5. The same person then uses application A3 with O2. This links E1 in A3 with E1 in A1 of O2, and enables E4 in A2 of O1 to be linked to E4 in A3 of O2.
  6. Note that E1 is put into a two-way circular list connecting all occurrences of E1 across all applications and all organisations.
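The six steps above run as an added Python illustration, not Welcomer's implementation: in Stage 1 each organisation approves applications and a reuse rule per element; in Stage 2 each use creates an occurrence that is spliced into the person's doubly linked circular ring for that element when both organisations' rules permit; and cutting the rings at an organisation lets the remaining nodes close up. The class names, the per-element reuse flag and the details of the forget operation are assumptions.

```python
class Occurrence:
    """One copy of data element E held by application A in organisation O.
    All occurrences of the same element for the same person are joined into
    a doubly linked circular list (the article's 'ring')."""

    def __init__(self, org, app, element):
        self.org, self.app, self.element = org, app, element
        self.prev = self.next = self      # a lone occurrence is a ring of one

    def key(self):
        return (self.org, self.app)

    def ring(self):
        """Walk the ring once from this node and list every (org, app) on it."""
        out, node = [self.key()], self.next
        while node is not self:
            out.append(node.key())
            node = node.next
        return out

    def splice(self, other):
        """Merge other's ring into this ring; the result is still circular."""
        a_next, b_prev = self.next, other.prev
        self.next, other.prev = other, self
        b_prev.next, a_next.prev = a_next, b_prev

    def unlink(self):
        """Leave the ring; the neighbours reconnect, so the ring self-repairs."""
        self.prev.next, self.next.prev = self.next, self.prev
        self.prev = self.next = self


class Network:
    """Stage 1 state: each organisation's catalog (A, E, O, R) of approved
    applications, their elements and the reuse rule R for each element."""

    def __init__(self):
        self.catalog = {}      # (org, app) -> {element: reusable?}
        self.held = {}         # org -> occurrences that organisation holds

    def approve(self, org, app, elements, not_reusable=()):
        # Stage 1 steps 4-5: O approves A and records a rule R per element.
        self.catalog[(org, app)] = {e: e not in not_reusable for e in elements}

    def use(self, person, org, app):
        """Stage 2: the person identifies to org and uses app. Every element
        of the app becomes an occurrence; if the person already has a ring
        for that element and BOTH organisations' rules allow reuse, it is
        spliced in, otherwise it stays a ring of one inside its organisation."""
        if (org, app) not in self.catalog:
            raise PermissionError(f"{org} has not approved {app}")
        for element, reusable in self.catalog[(org, app)].items():
            occ = Occurrence(org, app, element)
            self.held.setdefault(org, []).append(occ)
            existing = person.get(element)     # the person's handle into the ring
            if existing is None:
                person[element] = occ
            elif reusable and self.catalog[existing.key()][element]:
                existing.splice(occ)

    def forget(self, person, org):
        """Cut every ring at org: the organisation forgets the person and the
        surviving occurrences close up into shorter rings."""
        for occ in self.held.pop(org, []):
            if person.get(occ.element) is occ:
                person[occ.element] = occ.next if occ.next is not occ else None
            occ.unlink()
        for element in [e for e, o in person.items() if o is None]:
            del person[element]


def ring_of(person, element):
    """Sorted (org, app) members of the person's ring for an element."""
    return sorted(person[element].ring()) if element in person else []


def worked_example():
    """Steps 1-5 of the article's example: O1 runs A1 and A2, O2 runs A1 and A3."""
    net = Network()
    net.approve("O1", "A1", ["E1", "E2", "E3"])
    net.approve("O1", "A2", ["E1", "E4", "E5"])
    net.approve("O2", "A1", ["E1", "E2", "E3"])
    net.approve("O2", "A3", ["E1", "E4", "E6"])
    person = {}                       # element name -> a handle into its ring
    net.use(person, "O1", "A1")       # step 3: E1 ring starts at O1/A1
    net.use(person, "O1", "A2")       # step 3: E1 in A1 and A2 of O1 linked
    net.use(person, "O2", "A1")       # step 4: E1, E2, E3 reach O2
    net.use(person, "O2", "A3")       # step 5: E1 and E4 link into A3 of O2
    return net, person


if __name__ == "__main__":
    net, person = worked_example()
    for e in ["E1", "E2", "E3", "E4", "E5", "E6"]:
        print(e, ring_of(person, e))
    net.forget(person, "O2")          # cut the rings at O2
    print("after forgetting O2:", ring_of(person, "E1"))
```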

Results of applying this algorithm

  • This algorithm results in the creation of a ring structure of the same data element for each individual that uses the data element.
  • The data elements are connected, but they do not know anything else about the other elements in the structure. They can find out by using other approved applications to supply information.
  • Applications only store the data elements permanently if the application requires the data in the future. It is expected most applications will only use the data and not store it.
  • The structures are distributed; there is no centralised control and no hierarchy of structure.
  • The structure is self organising in that an element can decide to go away and its neighbours automatically reconnect to maintain the ring. When a new application stores data, all the data elements stored in the application are put into their rings.
  • The structures are self repairing in that an element can disappear and the ring can regenerate when required.
  • The structures can be made to consolidate and to find extra linkages while not being used. This is analogous to short term memory moving into long term memory in the human brain.
  • By cutting the rings at an organisation, a person can be forgotten by that organisation.

Sharing Personal Data across Applications

There is an obligation on organisations for personal data to be kept confidential and private. Organisations, for commercial reasons, also wish to keep personal information confidential. However, for convenience, individuals wish to have access to information previously entered, to use with other applications and with the same application at other organisations. Making an application Welcomer Enabled satisfies these conflicting objectives with little impact on existing applications. An application is made Welcomer Enabled by making a copy of the personal data that an organisation is willing to allow an individual to reuse. The copy remains under the control of the organisation. It is made accessible to the individual for use with other applications approved by the organisation. Welcomer Enabled applications have these controls. The result is that organisationally held personal information stays in silos but is accessible to the individual concerned for use in other applications.

An organisation may not want to make its applications Welcomer Enabled but still wish to share data. To do this it creates a special application to extract the data it is willing to share. A person may not wish to make a copy of some data, such as biometric data, but rather point to the original copy of the data. The shared data can be thought of as a personal cloud, and a personal cloud can be thought of as an electronic identity.

A person can have multiple electronic personas by choosing which data items to share with which other applications. The set of shared applications along with the shared data becomes a person's electronic persona.

Moving Data between Applications

Rather than thinking of the process as moving data we think of it as duplicating data across applications.  When an application is introduced to an organisation the organisation looks at all the other applications that are Welcomer Enabled and specifies the applications that are allowed to duplicate the data. These allow a person to duplicate data across applications. Links are not made until the individual specifies which data they wish to duplicate at the time they use an application. When a data item is duplicated a two way reference is made so that when the value is changed in one application the data may or may not be changed in the other application.

For each person, the possibilities for a data element X that is present in application A and in application B are:

  1. There is no value for X in either A or B.
  2. There is the same value for X in both A and B and the two are synchronised.
  3. There is a value for X in A and there may be a different value for X in B.
  4. There is a value for X in A and B contains a pointer to the value of X in A rather than duplicating the data in B.

Case 1 occurs when neither application A nor B has been used by the person.

Case 2 is typically used for data that will never change, such as date of birth.

Case 3 is the most common, where data can change and synchronisation across applications is not required or is not allowed.

Case 4 is commonly used for items such as biometrics, where the data elements are large.

For different application pairs X can have different rules. Thus between A and B, X may follow case 2, while between B and C, X may follow case 3.

Clusters of Data around Applications.

Clustering of Data in the Welcomer system is around applications.  An application will be Welcomer Enabled and all its information will be internally linked no matter what organisation uses the application. So, for example, WelcomeAboard will enable a person to reuse data collected for one organisation with another organisation with WelcomeAboard.  Verifier will enable a person to reuse information collected for one organisation with another organisation using links established within Verifier.  When Verifier wishes to use data from the WelcomeAboard application then Verifier will create another copy for its internal use and the link will be made to WelcomeAboard for the person.

WelcomeAboard as an Example Application

Organisations have relationships with people as employees, customers, candidates, contractors, suppliers, and members.  These relationships require structured data to define contracts and data shared between the organisation and the person. For example an employee will have an employment contract and will supply the employer with taxation and superannuation information.  The organisation has a copy of these contracts and the structured data that defines the relationship.

WelcomeAboard provides a service that gives the person access to a copy of the contracts and data around the contracts. The copy remains under the control of the organisation but the person can use it for other purposes.  This means a person can reuse their information with other applications with the approval of the organisation.

The advantage of this approach is that it is simpler for the person: the person gets access to a copy of their contracts and relationship data for reuse, auditing and archival purposes. This in turn makes it simpler and more secure for the person to interact with an organisation, particularly when the person uses different applications with the same organisation or the same application across different organisations.

RAMS - Whole of government Relationship Authorisation Management Solution

The Digital Transformation Office, currently operating out of the Department of the Prime Minister and Cabinet, has prepared a request for information (RFI) and released it for responses. The overview document is "15 47 - Part 2 - SOR Attachment A - High Level Design". The full set of specifications can be obtained from the Australian Government Tender System.

Welcomer is preparing a response to this RFI.

From the document

INTENT

Implement a whole-of-government authorisation model linked to myGov and the ABR by June 2016, allowing users to nominate others to act on their behalf when interacting across government services (e.g. power of attorney, ‘universal’ delegations, roles).

DESCRIPTION

This recommendation is for the creation of a whole-of-government Relationship and Authorisation Manager (RAM) solution. Agency on-boarding to this solution will be a subsequent phase. The proposed solution builds upon existing VANguard & myGov authentication systems by allowing access control to be based upon relationships between identities and recording related delegation of functional access. The solution will record relationships specific to access management (regardless of entity type). Agencies will continue to manage the relationships intrinsic to their domain, thus requiring the RAM solution to query those agencies via attribute queries.

CONTEXT

  • Identity solutions for Business & Individuals are currently disjoint, making it difficult to provide a seamless experience.
  • Agencies have siloed authorisations solutions with legislative & policy barriers to sharing.
  • Some agencies assume AUSkey holder has permissions for all agency functions.
  • Some transactions require parties to impersonate others.
  • Some organisations don’t trust their own management of their AUSKey credentials
  • Power of Attorney has “legacy” complexities that are not present with nominations from one customer to another

CONSTRAINTS

  • A separate interim solution will be provided by Sept 2015 for “individuals in business” to connect ABN to MyGov. This solution will provide the long term solution.
  • Need WofG Authorisation solution by June 2016.
  • Privacy of individuals & confidentiality of businesses must be preserved.

ADDITIONAL DESIGN CONSIDERATIONS

  • Need to recognise industry players (Facebook, Google) are evolving standards based solutions, e.g. OIDC.
  • Consider privacy principles around consent and sharing
  • Need to consider external systems, processes and environments
  • Need to ensure operates in wholesale and retail contexts
  • Authentication & Authorisation capability should be consistent across channels
  • Authorisation process needs to be simple and information kept current
  • Will record relationships & authorisations between any entity type (Individual, Organisation, Device).
  • Will leverage existing stores for attribute based queries (where possible)
  • Ensure credentials are not automatically elevated
  • Need to separate identity level & credential level.
  • Trusted 3rd parties may create relationships
  • Subject of relationship may not have a credential
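A toy model of the relationship-based access control described above, added here as an example and not code from the recommendation: identities and credentials are separate layers, a recorded relationship delegates only the functions it names, a trusted third party may record a relationship for a subject who holds no credential yet, and domain-intrinsic relationships are resolved through a hypothetical agency attribute query. All identity names, function names and the query itself are constructed.

```python
"""Toy Relationship and Authorisation Manager (RAM): added example, not code
from the recommendation above. Names, functions and the agency query are
hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Identity:
    identity_id: str
    kind: str  # "Individual", "Organisation" or "Device"


@dataclass(frozen=True)
class Credential:
    """A login (an AUSkey or myGov login, say) bound to one identity. Holding a
    credential proves who you are, never what you may do for someone else."""
    credential_id: str
    identity_id: str


@dataclass(frozen=True)
class Relationship:
    """A recorded relationship delegating specific functions on the target."""
    subject: str               # identity that acts
    target: str                # identity acted for
    functions: FrozenSet[str]  # delegated functional access, nothing more
    recorded_by: str           # the target itself or a trusted third party


# Hypothetical attribute query to the agency owning a domain-intrinsic
# relationship (e.g. "director of"): returns the functions it implies.
AgencyQuery = Callable[[str, str], Set[str]]


class RelationshipAuthorisationManager:
    def __init__(self, trusted_third_parties: Set[str], agency_query: AgencyQuery):
        self.identities: Dict[str, Identity] = {}
        self.credentials: Dict[str, Credential] = {}
        self.relationships: List[Relationship] = []
        self.trusted_third_parties = trusted_third_parties
        self.agency_query = agency_query

    def add_identity(self, identity: Identity) -> None:
        self.identities[identity.identity_id] = identity

    def add_credential(self, cred: Credential) -> None:
        if cred.identity_id not in self.identities:
            raise KeyError(f"unknown identity {cred.identity_id}")
        self.credentials[cred.credential_id] = cred

    def record_relationship(self, rel: Relationship) -> None:
        """Only the target or a trusted third party may record a relationship;
        the subject need not hold any credential yet."""
        if rel.subject not in self.identities or rel.target not in self.identities:
            raise KeyError("relationship refers to an unknown identity")
        if rel.recorded_by != rel.target and rel.recorded_by not in self.trusted_third_parties:
            raise PermissionError(f"{rel.recorded_by} may not record relationships for {rel.target}")
        self.relationships.append(rel)

    def authorised(self, credential_id: str, function: str, target: str) -> bool:
        """Access comes only from a recorded relationship naming the function, or
        from the owning agency's query; a credential alone never elevates."""
        cred = self.credentials.get(credential_id)
        if cred is None:
            return False
        subject = cred.identity_id
        if any(r.subject == subject and r.target == target and function in r.functions
               for r in self.relationships):
            return True
        return function in self.agency_query(subject, target)


def demo() -> Dict[str, bool]:
    """Constructed scenario: one company, three people, one agency lookup."""
    def ato_query(subject: str, target: str) -> Set[str]:
        # Hypothetical: the ATO's own records say alice is a director of acme.
        return {"view_tax_account"} if (subject, target) == ("alice", "acme") else set()

    ram = RelationshipAuthorisationManager({"tax_agent_registry"}, ato_query)
    for ident in (Identity("alice", "Individual"), Identity("bob", "Individual"),
                  Identity("carol", "Individual"), Identity("acme", "Organisation")):
        ram.add_identity(ident)
    ram.add_credential(Credential("auskey-bob", "bob"))
    ram.add_credential(Credential("mygov-alice", "alice"))
    # acme itself delegates exactly one function to bob.
    ram.record_relationship(Relationship("bob", "acme", frozenset({"lodge_activity_statement"}), "acme"))
    # A trusted third party records a relationship for carol, who has no credential yet.
    ram.record_relationship(Relationship("carol", "acme", frozenset({"view_payroll"}), "tax_agent_registry"))
    before = ram.authorised("mygov-carol", "view_payroll", "acme")
    ram.add_credential(Credential("mygov-carol", "carol"))
    return {
        "bob_lodges": ram.authorised("auskey-bob", "lodge_activity_statement", "acme"),
        "bob_not_elevated": ram.authorised("auskey-bob", "update_bank_details", "acme"),
        "alice_via_agency": ram.authorised("mygov-alice", "view_tax_account", "acme"),
        "carol_before_credential": before,
        "carol_after_credential": ram.authorised("mygov-carol", "view_payroll", "acme"),
    }
```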

KEY STAKEHOLDERS

  • Department of Human Services
  • Australian Taxation Office
  • Department of Industry
  • and the rest of government who needs it!!
  • Lead Agency – ATO

Personal Clouds made from data held by Organisations

Organisations hold personal data about individuals.  The data is created with applications. A Welcomer Enabled Application makes personal data available to the individual so that the individual can access the data independently of the organisation.  Some of the data about the individual is generated by the organisation.  The release of this data to a third party is controlled by the organisation. When an individual uses a Welcomer Enabled application the organisation with whom they are communicating has a high degree of trust that the person is the person they say they are. This enables them to welcome the individual with confidence in the identity of the individual.  If they are not confident in the identity they ask the person to further authenticate their identity.

A Welcomer Enabled application makes data available to the individual by making a copy of the data and storing it separately from the original data held by the organisation. The organisation retains control over the release of the data by setting the rules on the release of the data to third parties.

Organisations control which applications they allow to access their data and so have effective control over the data exchanged with individuals.

A Welcomer Enabled application for a single organisation provides value because the individual can access the data without impacting the production systems of the organisation. Value is also created because the copy of the data, having been accepted as true by the organisation, has residual value: it can be used for future authentication.

We can have many applications used by Organisation X and we can have applications used by many organisations.

This means an individual has access to data held by organisations independently of the different organisations but under restrictions imposed by the organisations.

When an application is introduced into an organisation, common data across other applications used by the individual is identified by the application builder. This establishes the meaning of existing data to the new application.

Almost all applications can use the copy of data held by other applications.

Remember Me and my Connections

Copies of data are not created without the individual's knowledge and permission.  The connections an individual makes between copies of the data are remembered but can be forgotten by the individual. An individual can ask for copies of the data to be moved to a different place or to be removed completely.

An individual is able to build up disjoint networks of connections by using different applications.  Each network becomes a separate electronic identity.  Because the individual can break the connections and recreate them easily, electronic identities can be protected from attack, and identity theft can be detected and countered.

The properties of Welcomer Enabled Applications mean that privacy can be enforced by only allowing the transfer of data from the copies.  It also means that applications can be easily included or adapted to meet changing circumstances, such as the introduction of new laws, new organisations and to protect against new attacks.

Rogue applications, organisations and individuals can be contained by adapting the individual networks.  In a Welcomer Enabled system organisations and individuals can be interchanged. The role an entity takes on is determined by whether the data it accesses is a copy or is the original. In the same way that an individual has a set of connections defining its identity so an organisation has a similar set of connections defining its identity.

In a Welcomer Enabled system identity is defined by the entity connections to other entities.  This makes electronic identity robust, difficult to copy, and relatively easy to protect.

Welcomer Enabled Applications

If an organisation holds personal data it provides an individual with access to their personal data with a Welcomer Enabled Application.  Such an application requires a person to authenticate themselves as the holder of the personal data and then accesses the personal data via an API to the organisation's personal data.  The organisation specifies what data can be accessed and the rules for passing the information on to a third party.  For example, the government may provide access to personal data as required under the privacy principles but can restrict access by a third party unless the government is paid a fee, the third-party organisation is located in Australia, and it promises not to pass the data on to any other party.
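A toy model of the personal cloud described in the sections above, added here as an example and not Welcomer's own code: a copy enters the cloud only with the individual's consent, the individual links and unlinks copies (a connected set of copies being one electronic identity that can be broken apart), and a copy is passed to a third party only under the originating organisation's release rule, here the fee, Australia and no-onward-transfer rule from the example above. Organisation names, the ThirdParty attributes and the data values are constructed.

```python
"""Toy personal cloud built from copies of organisation-held data: added
example, not Welcomer's own code. Organisation names, the ThirdParty
attributes and the release rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class ThirdParty:
    name: str
    country: str
    fee_paid: bool
    no_onward_transfer: bool  # has promised not to pass the data on


# The originating organisation's rule: may this third party receive the copy?
ReleaseRule = Callable[[ThirdParty], bool]


@dataclass(frozen=True)
class DataCopy:
    copy_id: str
    origin_org: str
    element: str   # kind of data, e.g. "name"
    value: str
    release_rule: ReleaseRule


class PersonalCloud:
    def __init__(self, owner: str):
        self.owner = owner
        self.consented_orgs: Set[str] = set()
        self.copies: Dict[str, DataCopy] = {}
        self.links: Set[FrozenSet[str]] = set()

    def consent(self, org: str) -> None:
        self.consented_orgs.add(org)

    def receive_copy(self, copy: DataCopy) -> None:
        # No copy is created without the individual's knowledge and permission.
        if copy.origin_org not in self.consented_orgs:
            raise PermissionError(f"{self.owner} has not consented to copies from {copy.origin_org}")
        self.copies[copy.copy_id] = copy

    def link(self, a: str, b: str) -> None:
        if a not in self.copies or b not in self.copies:
            raise KeyError("cannot link a copy that is not in the cloud")
        self.links.add(frozenset((a, b)))

    def unlink(self, a: str, b: str) -> None:
        self.links.discard(frozenset((a, b)))

    def forget(self, copy_id: str) -> None:  # remove a copy and every link to it
        self.copies.pop(copy_id, None)
        self.links = {pair for pair in self.links if copy_id not in pair}

    def network(self, copy_id: str) -> Set[str]:  # one connected electronic identity
        seen: Set[str] = set()
        stack = [copy_id]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(other for pair in self.links if cur in pair for other in pair - {cur})
        return seen

    def linked_values(self, copy_id: str, element: str) -> List[str]:
        return sorted({self.copies[c].value for c in self.network(copy_id)
                       if c in self.copies and self.copies[c].element == element})

    def release(self, copy_id: str, to: ThirdParty) -> str:  # only under the origin's rule
        copy = self.copies[copy_id]
        if not copy.release_rule(to):
            raise PermissionError(f"{copy.origin_org} does not permit release of {copy_id} to {to.name}")
        return copy.value


def demo() -> Dict[str, object]:
    """Constructed scenario: a name held by a births registry and by a bank."""
    cloud = PersonalCloud("alice")
    cloud.consent("births_registry")
    cloud.consent("bank")
    # Registry rule constructed from the example above: fee paid, in Australia, no onward transfer.
    cloud.receive_copy(DataCopy("c1", "births_registry", "name", "Alice Smith",
                                lambda tp: tp.fee_paid and tp.country == "AU" and tp.no_onward_transfer))
    cloud.receive_copy(DataCopy("c2", "bank", "name", "A. Smith", lambda tp: tp.country == "AU"))
    cloud.link("c1", "c2")
    out: Dict[str, object] = {"names": cloud.linked_values("c1", "name")}
    out["released_to_lender"] = cloud.release("c1", ThirdParty("lender", "AU", True, True))
    try:
        cloud.release("c1", ThirdParty("offshore_broker", "US", True, True))
        out["offshore_blocked"] = False
    except PermissionError:
        out["offshore_blocked"] = True
    cloud.unlink("c1", "c2")  # the individual breaks the connection
    out["names_after_unlink"] = cloud.linked_values("c1", "name")
    return out
```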

Existing applications can improve their efficiency by becoming Welcomer Enabled.  For example, a doctor can issue an electronic prescription instead of a paper prescription. The electronic prescription can be printed out by the patient or it can be made available electronically to a pharmacy.

Example uses of Welcomer Enabled Applications

Verification of identity

There are applications such as the registering of a birth or the issuing of a visa where identifying information about a person is created. This information can be the name of the person, the date of the action, the type of the action and where the action took place.  If these applications are Welcomer Enabled it is possible for the individual to reuse this information in a directly analogous way to a person using a paper copy of a birth certificate or a passport.

Biometric Authentication of Individuals

If an individual stores a biometric (such as a voice print or photo ID) or another authenticator (a secret, a location or a device) in one application, then it can be made available to other applications.  This means that the individual can reuse the authenticator across many applications and link its uses.

Reducing data entry by individuals

Because the individual has access to previously entered data there is no need for the data to be re-entered.  It can be copied by the individual.

Remembering previous interactions

Many applications build upon previous uses of the application.  A Welcomer Enabled application automatically gives an individual access to these previous uses of the application.

Use of personal data across organisations

Welcomer Enabled applications make data available across organisations by linking the data via the individual, with the individual's permission. This removes the need for organisation-to-organisation agreements regarding the sharing of data.

Uses of Welcomer Enabled Personal Clouds

Digital Mail Box for Invoices

A digital mail box for invoices is an application which takes invoices from an organisation and enters them into a person's common invoice store.  The digital mailbox transfer can be initiated by polling or by a trigger when the invoice is generated.  When individuals purchase something they agree for the invoice application to put the invoice in their store or digital mailbox.  Alternatively the person's own digital mailbox application can poll all organisations that issue digital invoices to the person.

Digital Records of transactions or receipts

Many applications result in the transfer of goods or the provision of services.  In most cases when a payment is made a receipt is issued and provided to the receiver of the goods or service. A Welcomer Enabled application provides a way for the receiver of the goods and services to have its own electronic copy of the transaction in a form that can be reused for future transactions independently of the supplier of the goods and services.  However, the supplier of the goods and services can put restrictions on the use of the information, such as not revealing the identity of the supplier or receiving a payment each time the information is provided to a third party.

Staying in Contact with Customers, Members, Clients, Associates, etc.

Any application that is Welcomer Enabled provides a secure, private electronic way for organisations to stay in close contact with the people with whom they deal. Most successful applications have this characteristic. Most applications have bespoke methods for staying in contact with individuals.  Welcomer Enabled applications use a generic approach that permits applications to cooperate to provide greater value to organisations and individuals through lower costs, better privacy, and more tailored intent messages.  WelcomeAboard is a typical application that also provides a way for an organisation to continue the dialogue with employees to the benefit of both employees and employers.

Verification of Identity

Verification of Identity is showing an entity is known to other organisations.  Applications such as greenID can be made Welcomer Enabled and can then use connections an individual has made with other organisations as the means of verifying identity.

Authentication of Identity

Authentication of Identity is proving that a person is who they say they are.  This is achieved through Welcomer Enabled applications by the individual being able to show that they are the same person as has conducted previous transactions and has left biometric information with organisations.  Welcomer Enabled applications can share authentication information across applications.

Verification of Proof of Entitlement

Many applications require an individual to prove they are entitled to or able to receive some service or benefit. They do this by proving characteristics about themselves. Verifier Proof of Income does this for loans by a person being able to show from their record of previous transactions, such as receiving a salary, that they are able to repay the loan and hence are entitled to apply for a loan.  Similarly a person can prove they are unemployed, or a student, or of pensionable age, or are disabled with the use of Welcomer Enabled applications.

 

Reducing the cost and risk of employing people

The Australian Payroll Association conducts an annual survey on the cost to produce a payslip: http://www.austpayroll.com.au/literatureretrieve.aspx?id=164985

With outsourced services the cost of each payslip for businesses with fewer than 50 employees is an average of $157, with the top performers averaging $35.  If payslips are produced in-house the cost per payslip averages $3,268, with the best performers costing $1,030.

Clearly it is better for businesses to outsource their payroll processing through such services as Xero payroll.  Even with outsourcing the costs are still high and there are further efficiencies to be made.

WelcomeAboard.me is one way to reduce the cost of producing payslips by reducing the cost of collecting information about employees and communicating with employees.  It is estimated that using WelcomeAboard will save employers $50 per year in direct costs per employee.

While the cost saving is useful the reduction in compliance risk is of much greater value.

Employers are responsible for keeping records about employment and for making sure employees have access to their employment records.  If there is a dispute with an employee, and there are no records or the employee did not have access to the records, the employee is likely to be given the benefit of the doubt.  Worse, the employer can be fined for not keeping good records. For example, fines of $3000 per employee can be imposed on an employer if they have not provided the employee with a copy of the Fair Work Information Statement: http://www.fairwork.gov.au/ArticleDocuments/724/Fair-Work-Information-Statement.pdf.aspx

WelcomeAboard.me simplifies keeping basic records about employees.  Forms are used to collect Contact Information, Bank Account Details, and Super Choice. Employees fill out a Tax File Declaration and sign to confirm they have received and read the Fair Work Information Statement. All employees receive a permanent electronic copy of their information that they can access at any time, including after leaving the Company.

There is no charge for the first employee to fill out the standard set of forms.  This means setting up WelcomeAboard costs less than the money it saves, and you can try out the system with an existing employee. Subsequent employees cost $5 per employee, which is 10% of the estimated cost of manual processing of forms.

If you are an employer and want to keep good employee records while saving money sign up to use WelcomeAboard at http://www.welcomeaboard.me.  If you are an employee encourage your employer to use WelcomeAboard, to save your time in filling out forms and so you can have a permanent electronic history of your employment.

 

 

White Label Personal Clouds raises $200K with a Convertible Note

White Label Personal Clouds (WLPC) has raised $200K with a convertible note loan from existing shareholders.  The convertible note is backed by the anticipated R&D rebate due at the beginning of the 2015-16 financial year. The funds will be used to continue development of WelcomeAboard the online service to help ensure employers comply with the Fair Work Act while reducing the cost of gathering and supplying information to employees.

The Convertible Note Deed Signing took place at Entry29 on Friday 8th May.  Pictured at the signing are Hugh Crawford and Kevin Cox, two of the participating shareholders.

Signing Convertible Note Deed

WLPC will be seeking further equity funds in June to speed up the commercialisation of WelcomeAboard.

Address by Kate Lundy at WelcomeAboard Launch

Sarah Pearson from CBR Innovation chaired the launch. Michelle Melbourne from the Canberra Business Council introduced Kate.

Welcome everyone.  Thank you Michelle.

Michelle’s leadership of the Canberra Business Council has reinvigorated the profile of Canberra as a dynamic hub of ICT innovation. Through initiatives like Collabit, Chelle has led from the front in breaking down silos across the R&D and small business and customer base landscape here in the ACT.

This is perhaps most powerfully symbolised by the fact that we are in the CBRIN. The Canberra Innovation Network itself is the product of a strong vision for this region by the ACT Government. Its successful operation is proof of the need for such spaces and the collaboration they can facilitate.

I am very excited and proud to be here today as the Chair of Welcomer, to launch our first product, Welcome Aboard. Welcomer is based here at the CBRIN and is a member of Entry 29. I acknowledge Dr Kevin Cox, the technology entrepreneur and CEO of Welcomer.

Success is in his DNA. Kevin Cox was the founder of Edentiti, the company that developed the identity verification service GreenID. GreenID is used by many of Australia's largest financial companies across Australia to meet legislated Know Your Customer requirements.

He is well known to many of you, and now you all know what he has been working on since GreenID.

Our product, WelcomeAboard helps employers on-board new employees, reduce costs, and comply with Australian statutory regulations. The Federal Fair Work Act 2009 requires employers to keep records about their employees, and the Australian Privacy Principles require an employer to make those records available to employees.

WelcomeAboard does both with simple elegance, delivering both privacy and compliance by design.

It’s as simple as the employer using their dashboard to send the employee an email which links to WelcomeAboard. The employee completes the forms and creates their own personal dashboard, which keeps both sets of data updated.

It is estimated that it costs an organisation at least $50 to ensure all their on-boarding forms are filled out, signed, stored and processed. By comparison, WelcomeAboard charges $5 per active employee per year, adding significant cost efficiencies into your business’s processing.

WelcomeAboard is already integrated into Xero Accounting software, and the 100,000+ Australian small businesses that are already using Xero for their accounting can get started immediately with WelcomeAboard. It takes less than 10 minutes to start using it, and the cost will be recouped once the first employee uses the system.

Welcomer is also in a position to collaborate with organisations using different systems to develop integrated WelcomeAboard services.

The platform has a strong future, with collaborations planned with:

- Intelledox to make their smart forms even smarter
- ViewDS to integrate with existing LDAP systems
- Verifier Proof of Income so lenders can comply with the Credit regulations
- greenID to allow employers to comply with Know Your Customer regulations
- Auraya ArmorVox to provide voice authentication

Representatives of each of these companies are here today.

I would also like to introduce to you our developers.

Paul Marando

Glenn Grant

Joshua (Josh) Godsiff – not here

Luke English

We have set up a few laptops to demonstrate how it works and any technical questions, here and here…..

And there is a video demo available if you haven’t already seen it. We will run it shortly for anyone interested.

WelcomeAboard for employers with Xero is the first of many such systems.  We will make it available to any employer with any payroll system or HR system with manual entry of data from the electronic forms.  We are also able to integrate it into systems such as MYOB and other payroll and HR systems on demand.

And finally, you can imagine the possibilities if you apply the methodology to any business customer or membership management system.

The advantage of the system from the point of view of the individual is that it keeps a record of the registration accessible by the individual, and makes the data in the registration available for other uses by that person. In this way, the individual only has to type in data once.

From the point of view of the business, agency or member-based organization, Welcome Aboard or indeed other apps using Welcomer can keep their database updated more efficiently.

Welcomer Business Overview

Welcomer is the business name for White Label Personal Clouds products. Welcomer gives individuals access to their personal data no matter where it is held.  This idea has been implemented in the open source Welcomer Framework code.

The business reason for giving people access to their personal information is to reduce costs and for organisations to comply with their statutory privacy obligations.  Applications that use the Welcomer Framework can easily share personal data with other applications and across organisations.  The shared data is protected, private, reliable and secure.  The more applications an individual uses the greater the level of trust and the greater the protection for other applications.  Because it is easy to share data, less data has to be collected by each individual application using the Framework. Data from any existing application outside the Framework can be included by that application providing an API connection.

Using the Framework for a single application is cost effective. The more applications use the approach the greater the benefit.  Accordingly Welcomer has made the core Framework open source and will integrate with other frameworks and systems that give individuals access to their personal data.

Welcomer earns income from its own applications, from hosting other organisations' applications, and from sharing in the income when hosted applications transfer data across the Framework.  The potential market for these services is very large because it is a global market and there are many applications that involve personal information.  Giving individuals access to their personal data reduces costs and means there is a sound business reason for introducing the Welcomer Framework.

Of great importance to the introduction of the Welcomer Framework is that access can be given to existing applications by providing an API to personal data. This enables incremental integration of new lower cost systems without other significant changes to existing applications.

WelcomeAboard - a standalone Welcomer application

WelcomeAboard provides a way for employees to share personal information with employers.  WelcomeAboard requires API access to any employer's system so that personal information of employees can be shared reliably with the employer.  Xero has an open API that is available to developers and so WelcomeAboard has been first implemented to integrate into Xero.

Australian Employers are required by the Federal Fair Work Act 2009 to keep and maintain employment records and to make the information available to the employee.  WelcomeAboard provides a way for employers to fulfil these obligations and to provide employees with a permanent copy of the information collected and generated.

WelcomeAboard also provides a way for employers to meet their obligations under the Australian Privacy Principles.  If an employer collects information from an employee or generates private information about an employee, then by using WelcomeAboard they automatically comply with the Privacy Principles.

WelcomeAboard reduces costs by saving many hours of filling out and filing forms for both employers and employees.  The WelcomeAboard service is being sold directly to employers.  To make a sale an employer only has to log in to their Xero application from the WelcomeAboard website.

WelcomeAboard can be adapted to Welcome Aboard any person who needs to fill out a form to interact with an organisation. This includes customers, clients, members, affiliates, or associates.  The approach can be applied globally but tailored to the individual no matter what their demographic or physical characteristics.

Verifier Proof of Income - a hosted application

Verifier Proof of Income is an application operated by InFact Decisions. Welcomer has an arrangement to develop and host the Application.  Welcomer will share in the income generated with hosting charges, and data transfer charges.  Proof of Income is a legislated requirement for lenders to check on the ability of borrowers to repay before granting loans.

Verifier has global application with a focus on countries with high levels of manual processing of loan applications and/or strong privacy regimes.  Verifier includes a document upload/OCR capability, but as more employers join WelcomeAboard it will no longer be necessary for the individual to upload payslips, as the data can come directly from the employee's personal cloud, which contains both the payslip and the data in a machine-readable form.

Sales and Marketing

Sales of WelcomeAboard for employees of small organisations are all Internet-based, self-service and standardised. Sales to larger organisations can be tailored to the organisation.

Other applications, such as Verifier, that use Welcomer services will perform their own Sales and Marketing activities.

All Welcomer products, and those of other application providers, will require funds for further development and for sales and marketing. Development funds for each special requirement will be obtained through pre-sales of the product to customers who require extra functionality.

Once an individual has their own personal cloud their cloud becomes a convenient and controlled way for organisations to contact them.  For example, WelcomeAboard has a SuperChoice form and Super Funds can put in their Super Fund offerings if the person wants to see them.

The Potential

The Welcomer Framework implements the idea of giving individuals access to and control over their own data. Giving individuals access to their own information has benefits for organisations and individuals in the following ways.

  • Existing applications can be made lower cost, more private and more secure than traditional systems where organisations control the access of data and the movement of data between themselves and other organisations.
  • Existing applications can be retrofitted to use the Welcomer Framework by giving individuals API access to their personal information.
  • Existing legal and legislative systems support the use of the Welcomer Framework as applications that use the system are private by design. Privacy, or the lack of it, has been and will continue to be a barrier to adoption of many applications using traditional approaches.  Those applications become legally compliant if they use the Welcomer Framework.
  • New applications, as evidenced by the operation of WelcomeAboard, are easy to purchase and are self service. To make a sale the buyer logs in to an existing Xero system and clicks their assent to be invoiced.  There is no explicit registration of the people being Welcomed.  This increases take-up.
  • With Verifier Proof of Income a similar process is followed with individuals performing the task without any explicit registration.
  • Applications that use the Welcomer Framework have built in privacy and security of identity, or Privacy by Design.
  • The open source foundation of WelcomeAboard means many applications can start to use the Framework. Welcomer benefits the more it is used, through consultations, hosting and sharing in the income generated when data is transferred.
  • Welcomer has the potential to have sales in the hundreds of millions of dollars within a relatively short period of time.

Kate Lundy appointed as Company Chair

Kate Lundy has joined White Label Personal Clouds as Director and Chair of the Company following her retirement, after 19 years, as Labor Senator in the Federal Parliament for the ACT.  She has a passion for collaborative community work, the empowerment of individuals, and the application of technology to that work.  She has taken on the role of Chair because of an alignment of her interests with the objectives of WLPC.

Kate has a distinguished record as Senator and member of the Australian Labor Party.  She became interested in Information Technologies early in her working career as a user and took her interest into parliament. She became the first Australian Politician to have her own blog.  Looking through the blog shows the level of interest and understanding of the issues in deploying and using IT.

Visit her archived blog at the National Library Pandora Website.

Kate's blog shows her long interest in the Internet, Local IT development, Open Source, Innovation, Privacy and Open Data.  She brings to the Company a deep understanding of the policy and workings of government and industry.  She has ideas on how to promote innovation and Welcomer will provide one avenue for her to turn those ideas into reality.

 

 

 

Single Touch Payroll Tax and Compulsory Super Reporting

The ATO called for comments and suggestions on the Single Touch Payroll processes (http://lets-talk.ato.gov.au/single-touch-payroll-discussion-paper). The discussion paper makes it possible for software suppliers to provide a higher level of automation on the processing of PAYG income tax deductions and deductions for compulsory super contributions.

The paper assumes the system is implemented as an organisation centric rather than as an individual centric system.  Welcomer made a submission that an individual centric system should be permitted and that the regulations around Single Touch Payroll should not preclude an individual centric approach.

The way Single Touch works is as follows.

An organisation gets all the information about an individual and calculates all deductions and sends to the Tax Office the money for tax and the information on the payroll for each individual.  That is, the organisation has to know the individual's tax file number and has to report the tax for the individual.  They have to do the same for the compulsory super contributions but send the money to the super funds, the data to the super funds and the data to the tax office. The software systems will do all this.

At the end of the year the tax office, with the individual, reconciles all these payments.

The alternative, complementary approach is to use individual-centric software where tax file numbers and super choices are handled by the individual and not by each different employer.  This would remove a considerable burden from employers as they would not have to know the individual's TFN or super fund.  These interactions would be directly between the individual and the tax office and the super funds, without the employers as an intermediary.

Using this approach the individual's tax obligations are calculated for the year as it happens and there is no need for an end of year reconciliation with respect to PAYG tax nor Super Contributions.  This approach will save all parties time and effort.


Summary of Adrian Gropper Critique of Health Companion

Drummond Reed posted this link to a presentation by Health Companion on the ProjectVRM news group.  Drummond suggested Health Companion may be VRM friendly as the presentation used many of the words familiar to the VRM community.  Adrian Gropper said that the Health Companion presentation showed all that is wrong with the USA Health IT infrastructure and was VRM unfriendly.  Drummond asked Adrian if he could give an online critique and question and answer session on the system.  Adrian agreed and Lucas from GigoChat set up an online session for Adrian to comment on the Health Companion presentation.  The discussion lasted about an hour during which Adrian focussed on particular slides and answered Drummond's questions.
The slide at 3 minutes 53 seconds into the Health Companion presentation drew particular criticism.  Adrian explained how the Health Standard C-CDA document approach was not working: the standards are extraordinarily complex and difficult to implement, doctors do not want to use them, and they add complexity rather than reduce it.  He mentioned that $30 billion+ has been spent by the USA government on what is at best a $10 billion problem.
The "support of the Law" mentioned in the slide means that the law attempts to enforce compliance through penalties.  Penalties in this area are problematic and difficult to impose, and only lead to unnecessary expense and rigidity.
Adrian posed the question of whether, if institutions gave API access to their data, exchanges would become unnecessary.
Adrian then considered the slide at 6 minutes 23 seconds into the presentation.  This slide compares the transmission of health data through the Direct Project to the transmission of email.  Adrian pointed out that this is not a good analogy because, unlike email, two parties cannot transmit information to each other without the approval or authorisation of a certified exchange party.  As Adrian pointed out, if exchanges are unnecessary for the transmission of data then the Direct Project simply adds an unnecessary, costly intermediary.
Adrian then briefly discussed the way things could go, with particular reference to the problem caused by the conflation of authorisation with authentication in systems that require intermediaries.  He discussed how giving individuals access to their own information, combined with independent authentication, would remove intermediaries from the transmission of health information.  He then cited the work of UMA and the linking of personal clouds as the means of making this happen.
He believed that giving individuals control over who accesses the information on their personal devices could change the behaviour of institutions that would like to get access to that clearly private data.  Given that institutions want access to an individual's private data, it is reasonable that the individual should get access to the data on them held by institutions.
On the value of personal clouds and every individual storing their own personal data, Adrian made the following statement.
"Much better to be able to provide access to information than a copy of that information."
Drummond posted a reply with another summary of Adrian's session. It follows.
As Kevin explained, Adrian's core thesis was that this presentation about how health care data exchange is evolving, given at the Stanford Medicine X conference last September by the Chief Innovation Officer of Health Companion, a startup founded by a few doctors, makes it sound like they are doing VRM for healthcare, but in fact the picture it paints is far removed from reality. Adrian explained the three primary reasons this is so:
  1. First, the trust model that Health Companion advocates in the presentation is not in fact working.
  2. Second, the document-based model for healthcare data exchange has been a disaster.
  3. Third, the economic incentives are all for institutions and vendors—they provide no motivation for patient-centricity/patient empowerment.
Following are some of Adrian's key supporting points for each:
WHY THE TRUST MODEL FOR HEALTHCARE DATA EXCHANGE IS BROKEN
 
WHY THE DOCUMENT-BASED SHARING MODEL FOR HEALTHCARE DATA EXCHANGE IS BROKEN
  • Under the Obama administration, the U.S. government invested $30B to get healthcare providers to convert to EMR (Electronic Medical Records)
  • This includes the C-CDA standard (based on HL7) for document-based exchange of PHI (Protected Health Information) or PHR (Personal Health Records)
  • The fundamental problem is that doctors don't want incoming documents from other doctors
    • They don't want to see the results of tests they did not order
    • They are not sure of the provenance (source and validity) of the data
    • They don't want to merge those records with the doctor's own records
  • So, after all this money was spent focused on a document-based exchange model, now the industry is collectively realizing they should be using a policy-neutral RESTful API model based on access tokens
  • FHIR (Fast Healthcare Interoperability Resources) is being developed on top of HL7 to provide a RESTful API for health data
WHY THE INCENTIVES IN HEALTHCARE DATA EXCHANGE ARE BROKEN
  • The $30B spent by the U.S. government encouraged a massive wave of consolidation in the EMR industry (which was a $10B industry before that)
  • Only a few large players can compete at that scale—the large spending knocked out the smaller players
  • The large players are hardball about vendor lock-in, so none of that money got spent on interoperability
  • Now that the money has been spent, the only way to incent interoperability is penalties, which have a large political cost
WHAT IS ADRIAN'S VIEW OF THE SOLUTION?
  1. Move from document-based exchange to RESTful public APIs that are policy-neutral
  2. Eliminate trust intermediaries/brokers and let trust be negotiated directly between peers
  3. Let individual patients control access via their own authorization manager (AM) as envisioned by the UMA (User Managed Access) protocol
  4. Personal health records do not all have to be aggregated in a PDS (Personal Data Store) or personal cloud; rather, the data can live in the system where it was created and be accessed via that system's API using OAuth access tokens managed by a UMA AM
  5. This way, the data itself does not need to be copied (creating both more security and privacy problems), only access rights need to be copied (and potentially even traded)
  6. This is the architecture being pursued by the new HEART (Health Relationship Trust) Working Group at the OpenID Foundation that Adrian, along with Eve Maler and Debbie Bucci as co-chairs, and Justin Richer are leading.
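The access-rights-not-copies model in points 3 to 5 above (and Adrian's remark that providing access beats providing a copy), as an added Python sketch that is not code from the post, from Welcomer or from the HEART working group. The records stay on the hospital's resource server; the patient's own authorization manager (AM) holds the policy, mints scoped tokens and answers the resource server's introspection call; authentication of the requesting party is assumed to have happened elsewhere, which keeps it separate from authorization. The party names, URLs, resource ids and the HMAC-signed token format are assumptions, and real UMA specifies a richer exchange (resource registration, permission tickets, claims gathering) than this toy shows.

```python
"""Toy UMA-style flow: data stays where it was created, only access rights move.
All names, URLs and the token format are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthorizationManager:
    """The patient's AM: stores the patient's policy, mints and revokes scoped tokens."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.key = secrets.token_bytes(32)  # shared with resource servers that trust this AM
        self.policies = {}                  # (requesting party, resource) -> allowed scopes
        self.revoked = set()                # token ids the patient has withdrawn

    def set_policy(self, party: str, resource: str, scopes) -> None:
        self.policies[(party, resource)] = set(scopes)

    def issue_token(self, authenticated_party: str, resource: str, scopes, ttl: int = 300):
        # Who the party is was established by a separate authentication step (assumed);
        # the AM only answers the authorization question against the patient's policy.
        allowed = self.policies.get((authenticated_party, resource), set())
        if not set(scopes) <= allowed:
            return None
        claims = {"iss": self.issuer, "sub": authenticated_party, "res": resource,
                  "scope": sorted(scopes), "exp": int(time.time()) + ttl,
                  "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def revoke(self, token: str) -> None:
        self.revoked.add(json.loads(_unb64(token.split(".")[0]))["jti"])

    def introspect(self, token: str):
        """Resource servers ask the AM whether a token is genuine and still active."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # signature mismatch: forged or tampered token
        claims = json.loads(_unb64(body))
        if claims["exp"] < time.time() or claims["jti"] in self.revoked:
            return None
        return claims


class ResourceServer:
    """The hospital system where the record was created; it serves access, never copies to brokers."""

    def __init__(self, name: str, am: AuthorizationManager):
        self.name, self.am = name, am
        self.records = {}  # resource id -> {scope: data}

    def put(self, resource: str, scope: str, data) -> None:
        self.records.setdefault(resource, {})[scope] = data

    def get(self, token: str, resource: str, scope: str) -> dict:
        claims = self.am.introspect(token)
        if not claims or claims["res"] != resource or scope not in claims["scope"]:
            return {"status": 403}
        return {"status": 200, "data": self.records[resource][scope]}


def demo():
    """Grant, over-scope, unknown party, then revocation. Returns the four outcomes."""
    am = AuthorizationManager("https://am.patient.example")  # constructed, not a real endpoint
    hospital = ResourceServer("hospital-a", am)
    hospital.put("patient-123/labs", "read:labs", {"HbA1c": "5.4%"})  # constructed sample
    am.set_policy("dr-b@clinic.example", "patient-123/labs", {"read:labs"})

    tok = am.issue_token("dr-b@clinic.example", "patient-123/labs", ["read:labs"])
    granted = hospital.get(tok, "patient-123/labs", "read:labs")["status"]
    over_scope = am.issue_token("dr-b@clinic.example", "patient-123/labs", ["write:labs"])
    stranger = am.issue_token("someone@else.example", "patient-123/labs", ["read:labs"])
    am.revoke(tok)  # the patient withdraws the right; the data itself never moved
    after_revoke = hospital.get(tok, "patient-123/labs", "read:labs")["status"]
    return granted, over_scope, stranger, after_revoke


if __name__ == "__main__":
    print(demo())
```

The point the sketch makes is the one in point 5: the hospital never exports the record to a broker, so revoking or narrowing the token is enough to withdraw access, whereas a copied document cannot be recalled. A production deployment would use asymmetric token signatures or a proper introspection endpoint rather than a key shared between AM and resource server.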

VRM deployment, application by application, company by company

WelcomeAboard is an example of a VRM application. It gives individuals access to most of the information a company holds about them by ensuring that each time the individual supplies data to an organisation or receives data from an organisation, the individual retains a copy in their own personal cloud. The individual can access and use this information independently of the organisation. Each time an individual uses an application like WelcomeAboard with an organisation, the individual can choose whether to connect the personal clouds created. The individual should have full control over this and will build up different personas consisting of linked data in different applications in different organisations.

WelcomeAboard uses the open source Welcomer Framework to create and maintain the connections in an individual's personal cloud.