In this age of phishing, hacking, identity fraud, and other forms of cybercrime, answering two simple questions – “Who are you?” and “How can you prove it?” – is fast becoming a critical requirement for online business activities.
In fact, this issue of online identity was elevated to a key priority by the White House a few years ago when it released its National Strategy for Trusted Identities in Cyberspace (“National Strategy”). With this document, the Administration began the process of tackling the difficult problem of facilitating a trustworthy online identity management capability.
While there are many different approaches to identity management, they all involve three basic processes: (1) one-time identification, (2) issuance of a credential to reflect that identity information, and (3) authentication of that identity information on multiple occasions with multiple different parties.
Driver’s licenses provide a familiar offline example. Issued by a state following completion of an identification process, a driver’s license is a credential that a wide variety of relying parties can use to verify the identity of an individual. The association of the identity information in the license with an individual presenting himself in person is authenticated by comparing the picture on the license to the physical person. And this single identity credential can be used in situations involving many different relying parties. Common examples include the TSA agent who uses the driver’s license to verify the name of a person seeking to enter an airport boarding area, and a bartender who uses it to verify the age of a person ordering a drink.
The vision of the “National Strategy” is to extend this concept to the digital world so that businesses and government agencies can rely on an identification process performed and identity information provided by any one of several third party private sector identity providers. This would allow individuals and businesses to use a single digital identity credential of their choosing to conduct online transactions with numerous enterprises, just as an individual might use a driver’s license for a variety of different offline transactions.
Achieving this goal requires building identity systems that are secure (e.g., protected against falsification or hacking), where identity credentials are interoperable (so that one credential can be used with numerous relying parties), that address privacy concerns (so that individuals will be in control of their personal information), where participation is voluntary (so it doesn’t turn into a national ID card), and that are cost-effective and easy to use. It also requires balancing individual privacy concerns against the need for trustworthy online identity verification mechanisms.
This requires, of course, implementation of appropriate software and communication technologies. But it also requires adherence by all participants (e.g., subjects, identity providers, and relying parties) to a common set of rules, including technical standards, operational requirements and legal rules sometimes referred to as a trust framework.
Like the Visa payment card rules, a trust framework is a master set of contract-based rules that governs the operation of the system and the performance of the parties. It specifies the technical and operational requirements, makes them legally binding on and enforceable against the participants, defines and governs the legal and privacy rights, responsibilities and liabilities of the participants and clarifies the legal risks parties assume (e.g., warranties, liability for losses, risks to the privacy of their personal data). It may also specify enforcement mechanisms, termination rights and measures of damages, penalties and other forms of liability.
A foundational issue for any identity system, trust framework is protecting the privacy of personal information, since by its nature any form of identity management typically involves the collection (by an identity provider) and disclosure (to a relying party) of some personal information about a subject. This requires ensuring that the information identity providers collect about subjects during the identification process, and disclose to relying parties during the authentication process, is verified, maintained in an accurate form, kept confidential, not shared with third parties and not otherwise misused or exposed to unauthorized individuals.
The National Strategy views the privacy issue as a key one. It argues that identity trust frameworksmust offer individuals better means of protecting their privacy by establishing clear rules and guidelines that address not only the circumstances under which participants in an identity system may share information, but also the kinds of information that they may collect and how that information may be used.
The other primary legal concern of importance to the participants in any identity system is determining who will bear the risks associated with faulty identification or authentication, failure of technology and other problems or failures of performance that might lead to unauthorized access through identity fraud or mistake.
Concerns regarding liability represent a key barrier to private sector adoption of interoperable identity management solutions. The U.S. National Strategy anticipates that liability issues will be best addressed by contractual agreement among the participants, and this is the approach we see with the credit card and electronic payment system models. At the same time, the National Strategy also recognizes that legislation may be ultimately necessary to address some of those concerns. The EU recently adopted such legislation, and Virginia has recently introduced legislation to do the same.
Trustworthy online identity management is critical to cybersecurity and e-commerce, and solving the privacy and liability issues is key to making it work.