Identity, Authentication & Digital Certificates

Ms. Von Harrison
General Services Administration
Office of Electronic Government and Technology (MEI)
Washington, DC 20405
Filed electronically at: egov.taskforce@gsa.gov

Comments on E-Authentication Policy for Federal Agencies 68 Fed. Reg. 133 (July 11, 2003).

Summary

GSA's guidance is a good first step toward creating a usable framework for government agencies. The proposed guidance reflects careful consideration and reflection on important privacy and security issues by the federal government's policy makers. The terminology in the document is consistent and useful for agencies and the public at large, and the assurance levels are generally understandable and adequate for the suggested purposes. In particular, GSA and OMB deserve praise for attention to the important role that anonymity and pseudonymity must play in authentication systems designed for many first and second level transactions.

However, while we realize that many of the important details for agency decision making are under development by the National Institute for Standards and Technology (NIST), the Center for Democracy and Technology (CDT) would like to see this Guidance better emphasize:

We commend your continued leadership on the difficult authentication issues and look forward to working with you in the CDT-led Authentication Privacy Principles Working Group.

Introduction

Authentication plays a critical role in the delivery of online government services. Yet in many cases identity, or even the less intrusive attribute authentication, may not be necessary at all. At the same time, separating authentication functions (the process of establishing truth in a claim) from authorization (the process of deciding what an individual ought to be allowed to do) is often a difficult task, because the two are so intertwined in transactions today. Because of the complexities involved, basic assurance levels may play a critical role in helping agencies to make privacy and security decisions when purchasing and implementing authentication systems.

At the same time, government authentication systems - and the creation of assurance levels particularly - raise broad consumer concerns about privacy and government identifiers. Specifically, CDT has four related concerns for E-Authentication in federal E-government policy:

  1. Privacy - Because identity is often used (and overused) in authenticating individuals, privacy is a major concern. As many have argued, the existing guidance on the Privacy Act is not adequate to protect privacy within the federal government.[1] Today, privacy is often ensured only by the inefficiencies created as databases of personal information are held by multiple agencies undertaking similar tasks. As authentication processes are streamlined, these accidental barriers will not and should not be used as the primary means to protect privacy in the future. We are working with the Authentication Privacy Principles Working Group - a broad group of authentication service companies, consumer-facing companies, public interest groups, academics and government representatives led by CDT - to develop guidance for government services and consumer-initiated transactions. We have attached the Interim Report of the Working Group to this document.
  2. Diversity of Services - A diversity of authentication services is critically important from a privacy perspective because it prevents the creation of a single form of authentication able to track a user across a broad variety of transactions. Diversity also prevents a single point of attack, protecting the overall security of systems. In order to maintain diversity, authentication services will have to be built on open standards. As a key leader in the authentication arena, the federal government should not be developing, procuring or encouraging incompatible systems or proprietary systems not based on open standards.
  3. Opportunity for Anonymity - Most individual transactions with the federal government do not require identity. For example, a visitor entering search terms into a government Web site's search engine need not be personally identified. Anonymity will help to build trust in online systems, a key component of success according to recent studies.[2] Anonymity can also ensure that information that is not necessary for the transaction is not used for another purpose in the future. Anonymity can come either through authentication technologies that do not collect personal information or simply by not using authentication at all when it is not needed.
  4. Overuse and Misuse of Authentication Credentials and Identity Information - As agencies streamline authentication processes, there will be a natural tendency to want to accept the strongest level of authentication for all transactions to protect systems. Yet overuse of even the strongest authentication credentials or identity information creates greater privacy risks, by linking more personal information to transactions than is needed, and will serve to weaken their effectiveness. A major goal of e-government policy should be that agencies get only the information they need at the time that they need it.

Terminology

The terminology used in authentication guidance is very important. Too often, documents on authentication have utilized competing or conflicting terminology. We are pleased to see that this document is using the National Research Council's definitions, which are the most complete and detailed definitions that we have seen to date.

Assurance Levels

The main policy guidance in the document is its description of the assurance levels, how they are determined, and how the process should be implemented.

The four prescribed levels seem to be a reasonable breakdown of assurance in the abstract. In particular, GSA's statement in Section 2.2, How to Determine an Assurance Level, that "business practice owners should seek to use the minimum assurance level that meets their risk requirements" gives agencies important advice. This, backed by the important statement that "it may be desirable to preserve the anonymity of individuals," gives agencies a very real opportunity to select the type of authentication that fits a particular transaction.

However, we note that GSA neglected to provide agencies with the very real option that authentication may not be necessary at all for many transactions. For example, in many comment periods there is no need to authenticate the email address of a commenter, and in some cases, such as a rulemaking on domestic violence issues, allowing individuals to submit anonymous comments with no authentication is an important step to building trust in an open process. We hope that GSA will consider revising this guidance on risk assessments to include more details on how agencies decide whether authentication is necessary even before determining the assurance level.

One other major concern is that, in setting levels of authentication, GSA may be accidentally encouraging the overuse and misuse of authentication credentials and identity information by suggesting that an authentication process created for one purpose can be used for another within the same level. It is also likely that agencies will tend to use the same authentication service within an assurance level to ensure compliance. A diversity of authentication services within levels will be important to help reach a goal of getting agencies only the authentication information they need at the time that they need it. Therefore, GSA will play an important role in actively fostering a diversity of services within levels to prevent identity and credential information from being overused even within assurance levels.

CDT does realize that, in practice, it will be more difficult to make determinations than a few bullets or short examples can offer. We look forward to the NIST guidance. We hope that it will detail how a risk assessment is completed and how agencies make determinations about which levels apply in complex situations, and that it will better detail how agencies can avoid the overuse and misuse of authentication credentials and identity information in the process of complying with this guidance.

Technologies

GPEA, which goes into effect in October 2003, was passed in 1999 and had its Guidance drafted and finalized in the ensuing year. The GPEA guidance is a well-drafted and essential policy document. However, it is slowly becoming outdated. It focuses specifically on passwords, smart cards, digitized signatures, biometrics and cryptographic controls, such as digital signatures. Today, it seems likely that these will not be the only forms of authentication in a wireless and broadband world. Knowledge-based authentication - such as shared secrets (repetition of a fact that the authenticator and the authenticated party both know but others probably do not) - and Radio Frequency Identifiers (a technology that bounces or transmits a unique signal, such as EZ-Pass) are more commonly suggested as authentication solutions today than they were when the law was passed four years ago. It will be important for a policy document to stay current with the most recent technology. Perhaps this can be done in future GPEA guidance, or perhaps the NIST standards will go into this detail and receive periodic updates.

Authentication Privacy Principles for Government Services

As mentioned above, CDT has led a cooperative working group effort between industry and public interest groups to develop a set of Authentication Privacy Principles. The interim report (attached) of the working group was released at the May Federal Trade Commission forum on privacy enhancing technologies for consumers. The working group is now broken into two subgroups: one focused on case examples for consumer-initiated transactions and one on government services, which also includes government participants from the federal and state levels. David Temoshok of GSA and Jeanette Thorton of OMB have been important participants in this subgroup. We would like to publicly thank GSA and OMB for their leadership on privacy issues in authentication policy. We hope that when the final document is released, GSA can embrace these principles as best practices.

In particular, two important principles raised in the Interim Draft Authentication Privacy Principles are not yet reflected in documentation on government-wide authentication policy.

The first principle, Provide User Control, requires informed consent of individuals for authentication and subsequent uses to help provide individuals with an understanding of how their information is used. This is a difficult principle for the federal government, which provides services that no one else will or can. However, it can be accomplished by giving citizens and other users of government more information and choices than they currently have today.

The second principle, Support a Diversity of Services, would require a marketplace for authentication within the federal government to ensure that a single identifier does not become used for a broad variety of purposes. To this end, a federated approach to authentication services within the government will be crucial. While government representatives have supported this idea publicly and it is consistent with the levels approach in this document, a plan for diversifying services within the government in order to strengthen authentication and protect privacy will be essential.

Thank you for the opportunity to submit comments on this important issue. We look forward to working with you in the future to promote the public interest in new government authentication services.

Respectfully submitted,

Ari Schwartz
Associate Director

Alan Davidson
Associate Director

Center for Democracy and Technology
1634 Eye Street, N.W., Suite 1100
Washington, D.C. 20006
(202) 637-9800
http://www.cdt.org

Notes

1. For example, see most recently, GAO, "Privacy Act: OMB Leadership Needed to Improve Agency Compliance". Also, see CDT's House subcommittee testimony from 2000: http://www.cdt.org/testimony/000412schwartz.shtml.

2. Including the Council for Excellence in Government's 2003 study "The New e-Government Equation: Ease, Engagement, Privacy and Protection".
