In this age of phishing, hacking, identity fraud, and other forms of cybercrime, answering two simple questions—“Who are you?” and “How can you prove it?”—is becoming a critical requirement for online business activities.
This issue of online identity was elevated to a key priority by the White House in April 2011 when it released its National Strategy for Trusted Identities in Cyberspace (“National Strategy”). Through this document, the administration began the process of tackling the difficult problem of facilitating a trustworthy and interoperable online identity management capability. Various forms of federated identity management, where a third-party identity provider plays a key role, are emerging as a preferred approach. Critical to making it work is the requirement for an appropriate, and typically voluntary, legal framework that will define the rights and responsibilities of the parties, allocate risk, and provide a basis for enforcement.
Identity management basics. Although the term identity management is relatively new, the underlying processes have been in use for many generations in an offline environment. Passports, driver’s licenses, and employee ID cards are all components of what might be referred to as identity management systems: They are credentials issued by an entity for the purpose of identifying individuals, and they are used by such individuals to validate their identity. A key element is that the use of these credentials is not limited to transactions with the entities that issued them. Rather, these credentials are often accepted by third parties (such as airport security) when proof of certain aspects of one’s identity is required.
Although there are many different approaches to identity management, it essentially involves two fundamental processes: (1) verifying certain identity attributes about a person and issuing an identity credential to reflect those attributes; and (2) verifying that a particular person presenting that credential and claiming to be that previously identified person is, in fact, such person.
The identification process involves associating one or more identifying attributes (e.g., name, address, Social Security number) with a person in order to identify and define that individual to the level sufficient for the contemplated purpose. At the end of the identification process, the subject’s identity is typically represented by data in a paper or electronic document issued by the identity provider and referred to as an identity credential. In the physical world, identity credentials include driver’s licenses, passports, and employee identification cards. In the online world, the identity credential might be as simple as a user ID or as complex as a cryptographically based digital certificate that might be stored on a computer, cell phone, ATM card, or flash drive.
When a person presents an identity credential and seeks to exercise a right or privilege granted to such individual, an authentication process is used by a relying party to determine whether that person is, in fact, who he or she claims to be. It is a transaction-specific event that requires a process to tie the person to the credential.
Once a person is authenticated, the relying party uses an authorization process to determine what rights and privileges are accorded to such person. An online example is the typical ATM transaction whereby an individual with an account at Bank A uses the ATM card to obtain cash from an ATM machine operated by Bank B (with whom he or she has no relationship).
Building an online identity system. With its National Strategy, the United States seeks to chart a course for the public and private sectors to collaborate in an effort to address the problem of online identity management. The vision of the National Strategy is that businesses and government agencies will be able to rely on an identification process performed by, and identity information provided by, any one of several third-party identity providers—a so-called federated model where identity information would be portable across different systems and entities.
The need for a trust framework. Making such an identity system work in an open online environment requires not only the implementation of appropriate software and communication technologies but also adherence by all participants to a common set of technical standards, operational requirements, and legal rules. Achieving that goal requires building what is often referred to as an identity trust framework.
An identity trust framework is a governance structure that consists of two general categories of components: (1) the technical specifications and operational rules and requirements necessary to make the system functional and trustworthy and (2) the legal rules that define the rights and legal obligations of the parties and facilitate enforcement where necessary.
The technical and operational specifications of an identity trust framework define the requirements for the proper operation of the identity system, define the roles and operational responsibilities of the participants, and provide adequate assurance regarding the accuracy, integrity, privacy, and security of its processes and data.
The legal rules consist of both existing statutes and regulations and agreements between or among the participants. They regulate the content of the technical and operational specifications, make them legally binding on and enforceable against the participants, and define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system. They also clarify the legal risks parties assume by participating in the trust framework and provide remedies in the event of disputes among the parties, including methods of dispute resolution, enforcement mechanisms, termination rights, and measures of damages, penalties, and other forms of liability.
Addressing the privacy issues. To benefit from participation in an identity system, subjects must disclose personal information and thus expose it to risk. Yet a vital part of maintaining their confidence in the process is ensuring that the information identity providers collect about them during the identification process and disclose to relying parties during the authentication process is verified, maintained in an accurate and up-to-date form, kept private, not shared with third parties, and not misused or exposed to unauthorized individuals.
In the United States, there is generally little or no law to govern the privacy of this data. The National Strategy contemplates new privacy requirements and advocates a user-centric approach under which subjects control the use of their identity credentials, rather than identity providers or relying parties.
Addressing the liability issues. The other primary legal concern is determining who will bear the risks associated with faulty identification or authentication, failure of technology, and other problems or failures of performance that might lead to unauthorized access through identity fraud or mistake. These concerns include questions such as: What is the liability of the subject for failing to protect the password or key necessary to activate an identity credential and initiate an authentication process? What is the liability of the identity provider for failing to follow proper identification procedures that result in an incorrect identity assertion? What is the liability of the relying party for relying on fraudulent identity information?
The National Strategy anticipates that liability issues will be best addressed by contractual agreement among the participants but also recognizes that legislation may ultimately be necessary to address some of those concerns.
For More About the Section of Science & Technology Law
- This article is an abridged and edited version of one that originally appeared on page 10 of The SciTech Lawyer, Fall 2011 (8:2).
- For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221 or visit www.thescitechlawyer.com.
- Website: www.americanbar.org/scitech.
- Periodicals: The SciTech Lawyer, quarterly magazine; Jurimetrics, quarterly scholarly journal; SciTech E-Merging News, quarterly electronic newsletter featuring the most up-to-date substantive practice perspectives and news on Section activities and opportunities.
- CLE and Other Educational Programs: The Section offers a variety of CLE and learning opportunities through both webinars and in-person sessions throughout the year; visit the Section’s website for a full calendar of events.
- Books and Other Recent Publications: Data Breach and Encryption Handbook; Foundations of Digital Evidence; Information Security and Privacy; Technology Licensing: A Practitioner’s Guide.