CDT POLICY POST Volume 9, Number 10, May 13, 2003

A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology


(1) Authentication Privacy Principles Working Group Releases Interim Report

(2) Key Elements of the Authentication Privacy Principles

(3) Background on Authentication and Privacy

(4) Future Work of the Authentication Privacy Principles Working Group



(1) Authentication Privacy Principles Working Group Releases Interim Report

"Authentication" can be a buzzword meaning different things to different people. "Identity authentication" systems are intended to make it easier to authenticate individuals online and facilitate the sharing of personal information. These systems are being developed to address problems ranging from consumer convenience to identity theft to homeland security. While identity authentication may indeed help solve vexing online problems, it also raises numerous, unresolved issues of privacy, security and governance.

Privacy is especially important. Privacy is a crucial component of trust, and without user trust, the new systems will simply not find a market or public acceptance. Many of the key players creating authentication tools understand the importance of trust and have embraced the idea of building privacy into authentication technologies.

Over the past seven months, CDT, several other consumer groups, and privacy experts have engaged in a dialogue with many of the leading vendors of authentication technologies to develop a consensus set of privacy principles to guide the development of authentication systems for consumer-initiated transactions and government services.

Tomorrow, May 14, at the Federal Trade Commission's workshop on "Technologies for Protecting Personal Information: The Consumer Experience," the Authentication Privacy Principles Working Group convened by CDT will release an Interim Report setting forth six consensus principles for the development, procurement and use of authentication technologies.



(2) Key Elements of the Authentication Privacy Principles

The Privacy Principles being released by the Working Group state that authentication systems for consumer-initiated transactions and government services should:

  1. Provide User Control - The informed consent of the individual should be obtained before information is used for enrollment, authentication and any subsequent uses.
  2. Support a Diversity of Services - Individuals should have a choice of authentication tools and providers in the marketplace. While convenient authentication mechanisms should be available, privacy is put at risk if individuals are forced to use a single identifier for many different purposes.
  3. Use Individual Authentication Only When Appropriate - Authentication systems should be designed to authenticate individuals by use of identity only when such information is needed to complete the transaction. Individual identity need not and should not be a part of all forms of authentication.
  4. Provide Notice - Individuals should be provided with a clear statement about the collection and use of information upon which to make informed decisions.
  5. Minimize Collection and Storage - Institutions deploying or using authentication systems should collect only the information necessary to complete the intended authentication function.
  6. Provide Accountability - Authentication providers should be able to verify that they are complying with applicable privacy practices.

The full Interim Report of the Working Group, including details about these principles, can be found at http://www.cdt.org/privacy/authentication/030513interim.pdf and http://www.cdt.org/privacy/authentication/030513interim.shtml.

The following companies and organizations participated in the Working Group's efforts to develop the Authentication Privacy Principles and are encouraging their consideration in the development, procurement and use of authentication technologies: Center for Democracy and Technology; Consumer Action; Corporate Privacy Group; eBay; Hewlett-Packard; Intel; Liberty Alliance; Microsoft; NeuStar; TRUSTe; and VeriSign.



(3) Background on Authentication and Privacy

New technologies for authentication have the potential to make online transactions more seamless, tie together information on multiple devices, enable new services, and take us closer to a pervasive computing society. However, many authentication systems will collect and share personally identifiable information, creating privacy and security risks. To mitigate these risks, it is essential that authentication systems be designed to support effective privacy practices and offer individuals greater control over their personal information.

The release of Microsoft XP and its expanded use of the Passport authentication system, along with the release of the Liberty Alliance 2.0 specification, have intensified the focus on authentication technologies and the questions they raise about privacy and security.

In the Summer of 2001, a number of privacy and consumer groups filed a complaint at the Federal Trade Commission (FTC) challenging Microsoft's marketing and use of the Passport technology. The complaint led to a consent agreement between the Commission and Microsoft, under which Microsoft agreed to build a privacy and security program for Passport to be monitored by the FTC.

The Microsoft/FTC Consent Agreement can be found at -- http://www.ftc.gov/os/2002/08/microsoftana.htm

The European Union Working Group on Data Protection also came to an agreement with Microsoft to make changes to Passport to help protect the privacy of users. The agreement included a report about the privacy implications of Passport and online authentication generally.

The EU report can be found at -- http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp68_en.pdf

A group of companies called the Liberty Alliance has designed its own standard for digital authentication and information exchange. This group released the 2.0 version of its specification in April. It includes rules for the sharing of attribute information, including a basic language for information about individuals. While the specification itself has few privacy or security rules, the Liberty Alliance also released a detailed set of privacy and security guidelines, which are consistent with the Authentication Privacy Principles being released by the Working Group.

The Liberty Alliance Privacy and Security Guidelines can be found at -- http://www.projectliberty.org/specs/draft-lib-arch-security-privacy-v1.0-05.pdf

Another area of privacy concern is the development of authentication systems for e-government services. Many e-government projects intend to develop and/or utilize authentication systems. However, this raises not only concerns about the use of personal information similar to those arising in the commercial context, but also concerns about the creation of a centralized government identity system or card.

The National Research Council recently released an excellent report on privacy and authentication. This report, entitled "Who Goes There? Authentication Through the Lens of Privacy," is available at http://www7.nationalacademies.org/cstb/pub_authentication.html.

While a main focus of many authentication technologies has been their use on the Internet, these same technologies can be employed offline, utilizing smart cards and/or biometric identifiers (such as fingerprints or iris scans) to help identify individuals in the real world. Therefore, the NRC report and the Authentication Privacy Principles being issued by the Working Group focus on authentication both online and offline.



(4) Future Work of the Authentication Privacy Principles Working Group

The Authentication Privacy Principles are intended to serve as guidance for companies now developing authentication systems. The goal is to encourage developers to build privacy and security protections into authentication technologies to use in consumer-initiated transactions and government services. The principles will also serve as a marketplace guide for individuals and companies deciding which authentication system to implement or adopt.

In the coming months, the Working Group will develop its final report, expected to be a more detailed document that will explain how the Privacy Principles would work in day-to-day transactions. Separate sections will describe how the principles apply to the two areas of consumer-initiated transactions and government services, with explanatory scenarios. The Working Group is not considering the separate question of authorization and security applications that may utilize credentials created in the authentication process. Also in a separate effort, CDT is creating a working group to develop privacy guidance for the related but distinct questions that arise from the sharing and use of personal information for data mining or pattern analysis.

The Working Group appreciates input and support from all interested parties in its ongoing process. Organizations, companies and individuals interested in learning more about the Authentication Privacy Principles or the Working Group process can email appwginterest@cdt.org.



Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_9.10.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org.

Policy Post 9.10 Copyright 2003 Center for Democracy and Technology
