SCIENCE AND TECHNOLOGY LAW: Verifying Online Identity

Vol 29 No 2

By Thomas J. Smedinghoff

Thomas J. Smedinghoff is a partner at the law firm of Edwards Wildman Palmer LLP in Chicago, Illinois, and was the 1999–2000 Chair of the ABA Section of Science & Technology Law.

In this age of phishing, hacking, identity fraud, and other forms of cybercrime, answering two simple questions—“Who are you?” and “How can you prove it?”—is becoming a critical requirement for online business activities.

This issue of online identity was elevated to a key priority by the White House in April 2011 when it released its National Strategy for Trusted Identities in Cyberspace (“National Strategy”). Through this document, the administration began the process of tackling the difficult problem of facilitating a trustworthy and interoperable online identity management capability. Various forms of federated identity management, where a third-party identity provider plays a key role, are emerging as a preferred approach. Critical to making it work is the requirement for an appropriate, and typically voluntary, legal framework that will define the rights and responsibilities of the parties, allocate risk, and provide a basis for enforcement.

Identity management basics. Although the term identity management is relatively new, the underlying processes have been in use for many generations in an offline environment. Passports, driver’s licenses, and employee ID cards are all components of what might be referred to as identity management systems: They are credentials issued by an entity for the purpose of identifying individuals, and they are used by such individuals to validate their identity. A key element is that the use of these credentials is not limited to transactions with the entities that issued them. Rather, these credentials are often accepted by third parties (such as airport security) when proof of certain aspects of one’s identity is required.

Although there are many different approaches to identity management, it essentially involves two fundamental processes: (1) verifying certain identity attributes about a person and issuing an identity credential to reflect those attributes; and (2) verifying that a particular person presenting that credential and claiming to be that previously identified person is, in fact, such person.

The identification process involves associating one or more identifying attributes (e.g., name, address, Social Security number) with a person in order to identify and define that individual to the level sufficient for the contemplated purpose. At the end of the identification process, the subject’s identity is typically represented by data in a paper or electronic document issued by the identity provider and referred to as an identity credential. In the physical world, identity credentials include driver’s licenses, passports, and employee identification cards. In the online world, the identity credential might be as simple as a user ID or as complex as a cryptographically based digital certificate that might be stored on a computer, cell phone, ATM card, or flash drive.

When a person presents an identity credential and seeks to exercise a right or privilege granted to such individual, an authentication process is used by a relying party to determine whether that person is, in fact, who he or she claims to be. It is a transaction-specific event that requires a process to tie the person to the credential.

Once a person is authenticated, the relying party uses an authorization process to determine what rights and privileges are accorded to such person. An online example is the typical ATM transaction, in which an individual with an account at Bank A uses an ATM card to obtain cash from an ATM operated by Bank B (with whom he or she has no relationship).

Building an online identity system. With its National Strategy, the United States seeks to chart a course for the public and private sectors to collaborate in an effort to address the problem of online identity management. The vision of the National Strategy is that businesses and government agencies will be able to rely on an identification process performed by, and identity information provided by, any one of several third-party identity providers—a so-called federated model where identity information would be portable across different systems and entities.

The need for a trust framework. Making such an identity system work in an open online environment requires not only the implementation of appropriate software and communication technologies but also adherence by all participants to a common set of technical standards, operational requirements, and legal rules. Achieving that goal requires building what is often referred to as an identity trust framework.

An identity trust framework is a governance structure that consists of two general categories of components: (1) the technical specifications and operational rules and requirements necessary to make the system functional and trustworthy and (2) the legal rules that define the rights and legal obligations of the parties and facilitate enforcement where necessary.

The technical and operational specifications of an identity trust framework define the requirements for the proper operation of the identity system, define the roles and operational responsibilities of the participants, and provide adequate assurance regarding the accuracy, integrity, privacy, and security of its processes and data.

The legal rules consist of both existing statutes and regulations and agreements between or among the participants. They regulate the content of the technical and operational specifications, make them legally binding on and enforceable against the participants, and define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system. They also clarify the legal risks parties assume by participating in the trust framework and provide remedies in the event of disputes among the parties, including methods of dispute resolution, enforcement mechanisms, termination rights, and measures of damages, penalties, and other forms of liability.

Addressing the privacy issues.