[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Authentication and Identity Disclosure

Authentication is the process of verifying a claim that is being made regarding an identity, an attribute pertaining to an identity (e.g., "this person is a citizen of the United States"), or a set of attributes. Traditionally, the greatest demand for secure authentication solutions has come from enterprises looking to meet their own intra-organizational security needs, as well as from government organizations in contexts where national security interests are believed to be at stake. In recent years, the demand for (and the adoption of) secure authentication solutions has been sharply on the rise in all kinds of other contexts that directly affect the privacy of individuals on a scale unimaginable two decades ago. Much of this is driven by the growing popularity of the Internet and mobile communication networks, as well as by the rapid increase in PCs and information appliances such as Web-enabled mobile phones and handheld computers.

As new authentication architectures are being developed (through de jure, de facto, and technical standards) and adopted for an ever-growing number of applications, the privacy of individuals is being eroded at an unprecedented pace, often with little or no justification at all. New electronic communication and transaction mechanisms automatically capture and record identities in central computer systems without individuals even being aware of it. As more and more personal information is collected and recorded on central systems, policies and traditional security safeguards to prevent against leakage and abuse are rapidly becoming ineffective.

Much of this explosive tension between the (perceived or real) need for authentication on the one hand and privacy demands on the other can be attributed to a widespread misbelief: namely, that identification is the same as authentication, and that privacy and authentication are opposite goals. This misbelief is perpetuated by all kinds of influential standards organizations. The International Standard Organization[159] (ISO), for example, defines authentication as "the provision of assurance of the claimed identity of an entity," and the Internet Engineering Task Force[160] (IETF) defines authentication as "[t]he process of verifying an identity claimed by or for a system entity." Likewise, at the political level, authentication and identity are often mistakenly equated.

The actual fact of the matter is that authentication is a much broader notion than identification. In many contexts, authentication does not require identification. Indeed, organizations are often not interested in the identity per se of the person they are dealing with, but only in the confirmation of previous contacts of that person, the affiliation of the person to a group, the authenticity of personal data of the person, the entitlements or privileges of the person, and so on. For example, to authenticate whether a user is permitted to purchase alcohol, all that needs to be authenticated is that the user is at least 21 years of age. In this example, identification of the person would only serve as an indirect means to accomplish the authentication that is of actual interest ("over 21 years of age").

In the "old" world, individuals could easily gain access to services without disclosing their identity, either by showing the right privileges or entitlements or by providing service providers with "context-specific" identifiers, such as employee numbers or a health insurance number. While such identifiers serve to identify users, they only do so within specific spheres of activity; organizations cannot use them to cross-profile users across spheres of activity.

Unfortunately, today's most widespread authentication technologies (such as passwords, biometrics, Kerberos, and PKI) all fundamentally cause inescapable identification through identifiers that are globally unique. These identity-based authentication technologies were invented many decades ago, when open networks were hardly existent, let alone organizations seeking to securely share personal information over such networks. Consequently, the only privacy protection that the designers of traditional authentication techniques had in mind was protection against wire-tappers and other unauthorized outsiders. Traditional authentication technologies are not appropriate to address the growing authentication needs in this day and age, however, since they enable organizations to track and cross-profile users on the basis of globally unique identifiers (such as cryptographic keys) that are inescapably assigned to them.

An equally worrisome trend is the centralization of authentication powers from different organizations into a single trusted organization that acts on behalf of all its constituent organizations. In its original Passport architecture[161] for example, Microsoft relied on the centralization of all data collected from Web site visitors in order to provide authentication services on behalf of a rapidly increasing number of Web sites. Microsoft abandoned this architecture following privacy complaints from consumer groups and EU officials,[162] as well as a lack of adoption from service providers who were highly reluctant to entrust Microsoft with their customer data.

The "federated" authentication architecture promoted by the Liberty Alliance[163] (an industry alliance of some 160 key industry players in a wide range of sectors, led by a number of major companies who were unwilling to delegate their autonomy to Microsoft in the original Passport initiative) leaves personal data at the organizations that collect it, and allows for multiple "circles of trust" to co-exist. However, even this architecture does nothing to improve the privacy of users: the authentication power (and therefore the access control power) remains centralized. Specifically, whenever a service provider deals with a user, it queries in real time the central "identity provider" in its circle of trust; the identity provider simply returns an authentication assertion as to the validity of the identity claim of the access requestor, which the service provider then uses in its own authorization process. Even though users may be "pseudonymous" towards service providers (in Liberty Alliance the identity provider assigns different user names to the same user, one per service provider), they are certainly not vis-à-vis the most powerful parties in this architecture: the identity providers. Within each circle of trust, the identity provider can track, trace and link in real time all interactions between users and organizations. The identity provider can even impersonate users and falsely deny them access everywhere.

While such centralized authentication approaches may meet the needs of large enterprises that want to do employee-related and supplier-related identity management across their own internal branches, beyond this restricted context the approach rapidly becomes highly problematic with regard to privacy. It may even be in conflict with privacy legislation. If adopted on a government-wide scale, the implications of these privacy-invasive architectures would certainly be unprecedented.

In an electronic world, if at the technical level (by analyzing the electronic data flow) everything is inescapably identifiable through globally unique identifiers, privacy legislation becomes virtually meaningless; how can one force organizations not to collect identifiable information when they cannot prevent it from being delivered to them? The only way out of the seeming conflict between authentication and privacy is to resort to authentication technologies that technically separate the notion of authentication from that of identification. Two decades of research in cryptography have demonstrated that secure authentication and privacy are not trade-offs, but that they are in fact mutually reinforcing when implemented properly. Using techniques that are rooted in modern cryptography, such as Digital Credentials,[164] it is entirely feasible to do secure authentication without necessarily requiring identification. For instance, role-based authentication can be implemented in such a manner that the access requestor cannot be identified.

More generally, technological measures can be used to improve the reliability of authentication while respecting consumer privacy. Privacy-preserving authentication techniques allow each party involved in the electronic processing and forwarding of privacy-sensitive information to securely retain fine-grained control over the information, even as the information is electronically transmitted beyond corporate firewalls and across arbitrary organizational domains. At no point in the chain of electronic information transfer from one party to the next will any party be able to learn more than precisely that which its sender expressly allows.

International research efforts are currently underway to create authentication systems that preserve anonymity, and include the development of new privacy enhancing technologies for use in such schemes.[165] These privacy-enhancing technologies allow for the separation of authentication and identification and are being deployed in response to security vulnerabilities. Such technologies may plug in to identity metasystems, such as Microsoft's CardSpace.[166] While the default settings of CardSpace do not currently meet recognized standards for privacy preservation,[167] this model should be studied in detail when considering authenticating technologies.[168]

In June 2007, the OECD Council adopted a Recommendation encouraging Member countries to establish compatible, technology-neutral approaches to facilitate cross-border authentication. The Guidance sets out the context and importance of electronic authentication for electronic commerce, electronic government and many other social interactions. It provides a number of foundation and operational principles that constitute a common denominator for cross-jurisdictional interoperability. According to the OECD, ectronic authentication is an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorized access or identity theft. Electronic authentication is therefore essential for establishing accountability online.[169]

Each time when implementing a new authentication measure for an existing or new transaction mechanism, it is imperative that designers and adopters analyze how much personally identifiable information really needs to be disclosed for the purposes of authentication. Assuming the information disclosure is found to be necessary and proportionate with respect to the nature of the transaction, they should then seek to implement security needs using authentication technologies that protect privacy, instead of resorting to approaches based on inescapable identification.

[159] Glossary of IT Security Terminology, SC 27 Standing Document 6 (SC 27 N 2776), March 31, 2002.
[160] Internet Security Glossary, RFC 2828, IETF Network Working Group, May 2000. See <http://www.ietf.org/rfc/rfc2828.txt>.

[161] More information available at <http://www.epic.org/privacy/consumer/microsoft/passport.html>.
[162] Id.

[163] More information available at <http://www.epic.org/privacy/authentication/projectliberty.html>.

[164] Stefan Brands, "Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy," MIT Press, August 2000, with a foreword by Prof. Ronald L. Rivest. See <http://www.credentica.com/the_mit_pressbook.html>.

[165] See, e.g., Carlisle Adams, "Delegation and Proxy Services in Digital Credential Environments," Presented at the 7th Annual Privacy and Security Workshop, "Your Identity Please: Identity Theft and Identity Management in the 21st Century," November 2, 2006, available at <http://www.idtrail.org/files/cacrwkshpdigcred02nov06.pdf>; Stefan Brands, "Non-Intrusive Cross-Domain Digital Identity Management," Presented at Proceedings of the 3rd Annual PKI R&D Workshop, April 2004, available at <http://www.idtrail.org/files/cross_domain_identity.pdf>; David Chaum, "Secret-Ballot Receipts: True Voter-Verifiable Elections," Presented at ITL Seminar Series, "Secret-Ballot Receipts: True Voter-Verifiable Elections," National Institute of Standards & Technology, May 19, 2004; Paul Van Oorschot & S. Stubblebine, "Countering Identity Theft through Digital Uniqueness, Location Cross-Checking, and Funneling," Financial Cryptography & Data Security (2005), available at <http://www.scs.carleton.ca/~paulv/papers/pvoss6-1.pdf>.
[166] See Windows CardSPace, <http://cardspace.netfx3.com/>; see also OpenCard, <http://www.opencard.org/>.
[167] Stefan Brands, "User Centric Identity: Boon or Worst Nightmare to Privacy?," Identity Corner, November 17, 2006, available at <http://www.idcorner.org/?p=142>.
[168] See generally, National Research Council, "Who Goes There? Authentication through the Lens of Privacy" (National Academies 2003).

[169] OECD Recommendation on Electronic Authentication and Guidance for Electronic Authentication, available at <http://www.oecd.org/document/7/0,3343,en_2649_34223_38909639_1_1_1_1,00.html>.