thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, March 05, 2008

Statement on "Identity Management and Reputation" for OECD Ministerial Meeting

The OECD is preparing a ministerial conference on "The Future of the Internet Economy" in Seoul in June. Civil Society groups have been working together for a few months in order to coordinate their input and activities. The executive summary (well, more a shortened version) of our joint statement has just been sent to the OECD secretariat. I happened to draft and revise the chapter on "Identity Management and Reputation", which is copied below. Comments and ideas are more than welcome and may end up in the long version, which will be finished in the next 2 weeks.

OECD Ministerial Meeting
Civil Society Background Paper, Version 1.0, March 5, 2008

EXECUTIVE SUMMARY

The Future of the Internet Economy
‘Fueling Creativity, Ensuring Consumer Protection and Building Confidence, and Benefitting from Convergence’

(...) 3.4 Identity Management and Reputation

The Internet is part of consumers’ and citizens' daily lives and shops, banks, insurance companies and governments expect consumers to contact them online for services, advice, information, online payments and online banking. In an environment of increasing online fraud and identity theft, identity management and authentication is closely linked to security, privacy and consumer confidence online. The challenges posed by effective identity management include ever increasing use of massive consumer database systems and their integration, user profiling, complex relationships between companies and subsidiaries, and cross-border data flows.

Systems for electronic identification and authentication have been in place in a number of countries for a few years now, and the experiences clearly show a strong link between privacy and identity. The failure of large-scale singlesign- on services in the nineties has shown that citizens and customers are only accepting identification technologies and services if they are sure their privacy is respected at the same time.

The 2006 OECD Guidance on Electronic Authentication includes two principles that are particularly important from the consumer perspective: the one of proportionality, and the right of privacy.

While this is a good first step, latest research in online identity management has shown that there are more issues that need to be addressed. Technological development has made significant steps recently that allow for greater security while maintaining individual anonymity. Such systems should be encouraged. Important elements include:

  • Minimal disclosure: Identity and authentication systems must only provide the information that is needed for the actual transaction. Instead of transferring individualized claims and ID-tokens, it is very often sufficient to transfer anonymous credentials or group credentials that only prove the individual has certain properties, e.g. belonging to a university or being an adult. The foundation for this principle is that full anonymity must be the default option, and single information bits are then added consciously and sparingly, according to the actual need. Regulation must ensure that user and citizen data is not collected if it is not needed. at all for the transaction or service in case.

  • Non-Linkability: Digital identifiers have to be constructed in a way that they are only relevant in the specific context they are generated for and can not be linked across contexts. and transactions (context sensitivity, directed identity). This will protect users from cross-site and cross-transaction profiling and at the same time significantly shield against identity theft. Identity systems must therefore allow the use of non-linkable and context-specific pseudonyms.

  • Non-Traceability: Increasingly, online authentication of individuals towards third parties like businesses or government agencies is done by identity providers. Identification systems that are based on this model must ensure that the identity provider can issue context-specific and non-linkable credentials, but can not at the same time trace and track the services the user has used.

  • User Control: All identifying information about an individual, especially if transferred in the context of authenticating towards a third party, must flow through the individual’s hands, and it must be readable by the individual. This concept of “user-centric identity” has already matured among technology developers and identity architects. This concept must become the basis for general identification and authentication systems in the public and private sector. As opposed to recent developments in ITU-T Focus Group on IdM, OECD should take a lead in encouraging this privacy-enhancing approach on the international level.

  • Application to Government-issued Identity Tokens: The above-mentioned principles are especially relevant when moving towards government-issued identity tokens. In the offline world, we can show an ID card or a drivers’ license without the issuing agency knowing about this. The same amount of privacy has to be built into online identity systems.

  • Persistence of Paper-Based Identification: Especially when dealing with egovernment services, legislation must ensure that citizens are not forced to use these and can still use paper-based documents as a valid and significant option.

  • Relationship Information Belongs to Both Parties: Social networking platforms and other services that enable the online management of relationships like friendships or relations to schoolmates and colleagues have to take into account that information about a relationship belongs to both parties. Therefore, services allowing users to describe, publish, process and transfer information about these relationships have to ensure this can only be done when both parties have agreed to it under the same conditions.
For these reasons, OECD member countries should:
  • actively engage in informing society and the public at large about the dimensions and possible problems of digital identity solutions.

  • implement the OECD Recommendation on Electronic Authentication.

  • encourage the development and deployment of identity management systems that fully adhere to the principles of user control and usercentricity.

  • encourage research and knowledge transfer about identity-solutions that incorporate the principles mentioned above.

  • investigate what kind of redress processes individuals should have at their disposal for information about them.

  • enact legislation that offers reasonable, effective and inexpensive means of redress for individuals whose reputation is endangered by automated and user-generated rating and reputation systems, or by the publication of information about them.
To vendors:

  • Companies who implement stronger authentication practices for online payment systems should not require consumers to accept more responsibility or liability (e.g. lesser chargeback rights) than is reasonable in the circumstances.
To developers:

  • Designers of authentication and ID management systems, as well as businesses, who require consumers to use particular systems, should be held liable for losses incurred as a result of deficiencies of, or failures in their systems.

4 Comments:

Anonymous Anonymous said...

Your reference non-likeability should be non-linkability

5/3/08 22:05

 
Blogger Ralf Bendrath said...

Ooops. Thanks, have corrected it.

5/3/08 22:39

 
Anonymous Anonymous said...

Excellent draft. I'm coming more from the data protection side, that's why I see two additional points which will be imho increasingly important in the future: Storage/archiving of data (how long?, "sustainable" format) and the possibility that private/commercial stored data will be demanded by police and other authorities.

7/3/08 15:34

 
Blogger Ralf Bendrath said...

@ gebsn: The points you mention are not specific to identity management. There are other chapters in the 84-page statement that cover these more general aspects of privacy and data protection. By the way: I also come from the data protection side. ;-)

7/3/08 17:09

 

Post a Comment

<< Home