Nascio who areyoue-authbrief122104
Published on: Mar 3, 2016
Copyright © NASCIO 2004 • All rights reserved
167 West Main St., Suite 600 • Lexington, KY 40507
P: (859) 514-9153 • F: (859) 514-9166 • E: email@example.com • http://www.nascio.org

Who Are You? I Really Wanna Know: E-Authentication and its Privacy Implications [1]

Dec. 2004

Section I: Privacy & E-Authentication—An Overview

Privacy and Authentication in an Electronic World:

Obtaining a hunting license. Renewing your driver’s license. Applying for government benefits. These are all government transactions that are increasingly being provided via electronic means, such as via the Internet. While the placement of these transactions online can reduce staffing and other overhead costs, they present state governments with the challenge of ensuring that individuals are who they claim to be. Within the context of electronic transactions, states have an increased authentication challenge, because the person the state is trying to authenticate is located remotely, as opposed to appearing in-person to transact business with the government. When authenticating individuals via electronic means (which is referred to as E-Authentication), states must be careful to meet citizens’ expectation that the state will protect individuals’ personal information, keeping it safe from unauthorized disclosure or use and reducing the risk of identity theft.[2] In fact, the exchange of personal information that accompanies most authentication methods creates a possible tension with privacy concerns.[3] While many states provide some protection for personal information via state open records laws that exempt personal information from wide or unwarranted public disclosure, properly implemented E-Authentication mechanisms can lead to enhanced privacy protections.

Key points for states to understand in order to maintain privacy during the E-Authentication process include:

o Properly assessing the risks to privacy that authentication may pose and choosing an authentication method that addresses that risk level
o Raising the awareness of those you authenticate as to potential privacy issues
o When possible, limiting the amount of personal information an individual must divulge for authentication purposes
o Understanding the benefits and privacy risks involved in using a common identifier (such as a Social Security Number) across multiple government applications or linking citizens’ information across multiple state systems.

A Note on the Purpose and Organization of this Brief:

This Research Brief is intended to provide state CIOs with an overview of the privacy implications of E-Authentication. Note, though, that authentication is a complex topic, given its placement within the bigger picture of identity management, which involves not only authentication but also the creation of identities and credentials that are used in the authentication process. Inevitably, when addressing issues of authentication, overlap will occur with other related topics, such as credentialing or security. Where there are instances of overlap within this brief, please note that Appendix B contains an overview of identity management and may be of help in providing clarification. Although this brief does not provide an in-depth treatment of E-Authentication, Appendix A presents additional resources for those who would like to learn about E-Authentication in more detail.

This Research Brief is organized as follows:

o Section II provides some perspective on the business drivers that are moving E-Authentication forward.
o Section III presents background on the government’s unique role in E-Authentication.
o Section IV touches upon some key concepts surrounding E-Authentication that are vital to presenting an accurate picture of E-Authentication’s privacy implications.
o Section V elaborates on the privacy implications of E-Authentication.
o Section VI provides information about E-Authentication and privacy at the federal and state government levels.
o Appendix A contains additional resources for learning more about authentication.
o Appendix B explains more about the identity management life cycle and authentication’s role in that life cycle.
o Appendix C is a checklist from the National Research Council on ways to lessen the privacy impact when designing or selecting an E-Authentication system.

Why We Should Care about Privacy and E-Authentication:

Tuesday, November 2, 2004—Election Day in the U.S.
News outlets reported long lines at voting precincts and, the following day, news media outlets reported that an estimated 120 million people had cast votes.[4] While many focused on the election results, an overlooked aspect of the election was the process by which poll workers made sure that each voter was who he or she claimed to be and only voted once. By presenting a photo ID, probably a driver’s license, voters proved who they were to poll workers and signed a register to ensure that they only voted once. Whether or not they consciously thought about it, voters anticipated that the poll workers would maintain the privacy of the personal information they divulged in order to prove their identities. Voters also cast their votes with privacy protections that included standing behind a curtain when voting.

While authentication is frequently mentioned within the context of online citizen services, citizen confidence in the legitimacy of election results and the protection of our democracy are ensured, at least in part, by proper authentication processes at the election polls. A vital part of maintaining citizen confidence within this example is ensuring that the personal information that citizens divulge during the authentication process is kept private and not exposed to unauthorized individuals, such as identity thieves.

Privacy also plays an overall role in maintaining citizens’ implicit expectation of the integrity of the voting process. For example, the Help America Vote Act of 2002 (HAVA), a recent piece of legislation intended to modernize federal elections, contains provisions that attempt to preserve the privacy of voting in federal elections.[5] Another indicator of privacy’s importance to voting integrity is the sometimes fervent outcry of those with concerns regarding e-voting and whether the privacy of votes can be maintained if cast electronically.[6]

Section II: The Business Drivers—Moving E-Authentication Forward

What Is E-Authentication?

E-Authentication allows the government (or a private sector entity) to verify with a certain level of confidence that the users are who they claim to be within the context of electronic, self-service transactions.

E-Authentication methods can be relatively simple in nature. An example of a less complicated method is the use of passwords. More complicated methods involve encryption and other technologies, including the use of digital certificates, digital signatures, hardware tokens, smart cards, USB fobs, and biometrics, such as fingerprints or retina recognition technologies.

The benefits of E-Authentication include:

o Increasing the speed of transactions
o Increasing partner participation and customer satisfaction
o Improving record-keeping efficiency and data analysis opportunities
o Increasing employee productivity and improving the quality of the final product
o Reducing fraud through up-front authentication checks
o Increasing the ability to authenticate an individual once for access to multiple transactions
o Moving more information to the public
o Supporting citizen trust in e-government
o Improving security and the confidentiality of sensitive information.

The costs of an E-Authentication system include its design, procurement, testing, deployment and long-term maintenance.[7]

Overview of the Business Drivers:

The business drivers that are moving E-Authentication forward include:

o A sense of urgency arising out of the 9/11 terrorist attacks to improve security against the threat of terrorism
o Increased instances of identity theft and fraud
o Budget deficits requiring improved operational efficiencies
o Increased emphasis on improved service and electronic delivery
o Marketplace expectations driven by citizens’ experience in the private sector
o Fraud reduction in government entitlement programs.

The Security-Related Drivers:

With respect to security efforts arising out of the 9/11 terrorist attacks—“The 9/11 Commission Report” detailed how the terrorists collectively presented questionable identity documentation in the form of passports and visa applications and how the airport gate personnel authenticated those individuals based upon the identity documentation they presented in order to board the planes.[8] Concerns with the integrity of identity documents were reiterated by provisions to secure identity documents, including birth certificates, driver’s licenses and Social Security Cards, in the bills that were recently passed by both houses of Congress to implement the 9/11 Commission’s recommendations.[9] While these problems focus on the issuance of identity credentials, which involves the first phases of the broader identity management life cycle, facets of these business problems that states must address include questions revolving around policy, technology, and available funding.[10]

The Streamlining-Related Drivers:

Tight budgetary times and increasing calls for improved state government services have led to states’ moving more citizen services online. While online services offer citizens 24x7 access to government services, they also facilitate the streamlining of those services by reducing staffing and other overhead costs incurred when providing citizens in-person services. Within the context of electronic transactions, E-Authentication provides a way for states to have sufficient confidence in those transactions. More specifically, it allows states to have confidence that they are issuing licenses to the right individuals; to properly manage citizen benefit applications and case files as well as employee benefits and pensions; and, to conduct business and contractual transactions with an increased level of ease.

Moreover, included in the need for improved service and electronic delivery is the need for better cooperation across jurisdictional boundaries. In order for one state to authenticate an individual based upon an identity document issued by another state, the authenticating state needs to be sure the issuing state’s business processes are adequate to ensure the reliability and validity of the identity document. This is just one challenge associated with cross-boundary authentication efforts.

The Fraud-Reduction Drivers:

In order to protect taxpayer dollars from fraud and waste, state governments are looking to E-Authentication methods in order to reduce the amount of government benefits paid to individuals who are ineligible to receive them. E-Authentication can provide a way to increase the government’s confidence that it is providing benefits to the right individuals. For example, Connecticut uses a combination of digitally-scanned fingerprints, photos, and signatures to identify and also deter instances of welfare fraud. Although the state acknowledges that estimating the savings from the use of this authentication method is difficult, it did save the state $9 million in the first few years after implementation.[11]

Section III: The Eye of the Storm--The Challenging Role of State Government

Multiple Roles in Authentication:[12]

State governments have a unique role in authentication, whether conducted manually or online—they frequently create identities (for example, through issuing birth certificates), change identities (changing a name on a driver’s license), and end identities (ensuring that a deceased person’s birth certificate and driver’s license cannot be used by anyone else). In other instances, states play the role of a party relying upon an identification document or other means of authentication offered by an individual within the context of a transaction.

Complicating Factors:

The following factors that are unique to state governments can complicate states’ E-Authentication initiatives:

o The typically mandatory nature of citizens’ transactions with government (whereas individuals’ interactions with the private sector are normally discretionary in nature)
o The heterogeneous citizen marketplace, which can make it difficult for states to serve various market sectors electronically
o The cradle-to-grave relationship governments tend to have with citizens that can be intermittent yet span a long period of years
o Higher citizen expectations of government’s ability to protect the privacy and security of their personal information[13]
o Citizens’ generalized distrust of government’s ability to protect the privacy of their personal information[14]
o The lack of a strong identifier that can be used by multiple governmental organizations
o The expense and complicated nature of implementing strong E-Authentication systems.

While the task of E-Authentication may appear daunting for states, not all transactions require high levels of authentication. For example, if a user self-registers a user ID and password on a government webpage in order to customize that webpage, correctly identifying the individual is of little or no value. However, other transactions require higher levels of confidence because of the inherent risk or value of the transaction. An example would be if a beneficiary changes his or her address of record through a government website or if an agency employee uses a remote system that gives him or her access to potentially sensitive client information where the transaction occurs via the Internet.[15]

Section IV: Key Concepts to Understand Before Addressing the Privacy of Authentication Processes

Understand What You Are Trying To Authenticate:

When considering an authentication method, states must understand which type of authentication they need. The three main types are:

o Individual Authentication: With an understood level of confidence, linking an identifier to a specific individual (using a driver’s license to authenticate that an individual is the exact person he or she claims to be).
o Identity Authentication: With an understood level of confidence, linking an identifier to an identity (verifying that a password is linked to an email address). It may not be possible to link the identity to a specific person.
o Attribute Authentication: With an understood level of confidence, ensuring that an attribute applies to an individual (verifying that a person is an employee).[16]

Note that a stronger authentication method may be needed to authenticate an individual, as opposed to authenticating an attribute or an identity.

Know Whether You Are Authenticating and/or Authorizing:

States must distinguish the act of authentication (establishing a level of confidence in a claim made by an individual) and the act of authorization (establishing what an individual is permitted or restricted from doing).[17] These concepts are often confused when policy is being debated.

Understand the Risks:

In assessing whether and what type of authentication methods may be needed, a state must examine the types of harm that are possible. Potential types of harm include:

o Citizen inconvenience or distress or damage to a citizen’s standing or reputation
o Financial loss for a citizen or agency liability
o Harm to an agency’s programs or public interests
o Unauthorized release of sensitive information (such as centrally-stored personal information that is used to authenticate individuals)
o Personal safety
o Civil or criminal violations.

This risk analysis also includes considering the likelihood of whether a risk will occur.[18] While the quantification of both the impact and the probability of risk for such analyses is ideal, a qualitative analysis may also be very informative for decision makers. Through examining both the impact and probability of a risk, state officials can make informed decisions about risk mitigation. The risks involved will play a vital role in determining the strength of the authentication that is needed.

Understand the Range of Available Solutions:[19]

Authentication solutions and their enabling technologies can be categorized as authenticating upon the basis of (1) something you know, (2) something you have or (3) something you are.

o Something You Know: Passwords and PINs are within this category. While cheap and relatively easy to implement, they pose inherent risks, because they can be forgotten or compromised through social engineering (for example, an individual being coaxed to reveal his or her password) or spyware applications. The NRC Report recommends the education of password users and that system designers take “great care” to ensure the proper balance between usability and security.[20] Password management should be addressed within a state’s security architecture.
o Something You Have: Magnetic Stripe Cards, Secure Tokens, PKI (Public Key Infrastructure), Digital Certificates, RFID (Radio Frequency Identification) Chips, and Smart Cards are examples. More complex than the “something you know” technologies, these technologies generally contain information that can be used to authenticate a person. While these technologies vary in their resistance to alteration and forgery, they still can be compromised if lost or stolen or if the information they contain is accessed. “Something you know” authentication (a PIN) is often combined with “something you have” authentication (an ATM card) to provide multi-factor authentication.
o Something You Are: These types of technologies authenticate a person based on behavioral or physiological characteristics. Examples are voice prints, fingerprints, facial recognition, iris scanning, keystroke dynamics, and even handwriting. False negatives and positives pose potential problems along with the fact that, once compromised, a biometric cannot readily be changed.[21] Hand geometry or fingerprint authentication is often combined with “something you have” authentication, through a Smart Card, to authenticate users regarding physical access control.

Section V: Privacy Implications of E-Authentication

The Key to Achieving Authentication Success:

When a state is evaluating whether and what kind of authentication system is needed, it is imperative for states to remember that privacy can be enhanced with the proper level of authentication. However, privacy can be compromised if a state implements authentication when it is not needed to achieve an appropriate level of security.[22] The discussion below highlights some of the general privacy implications of E-Authentication. States are encouraged to perform a detailed risk analysis that takes into account privacy risks when considering an E-Authentication implementation.[23] See Appendix C for a NRC Report checklist on lessening authentication privacy concerns.

Notice:

Ideally, citizens need to be aware that they are being authenticated and informed of any privacy implications that are associated with the authentication. Related to this is the difficulty or ease with which the citizen can proceed through the authentication system. The NRC Report cautions that citizens need a clear understanding of the security and privacy threats to an authentication system. Otherwise, they may behave in ways that undermine existing privacy protections.[24] An overly burdensome authentication system also may lower citizens’ participation in the system, which, in turn, could lower the system’s anticipated benefits.[25] Many citizens may not read or understand the implications of authentication schemes.

Information Collection Limitation:

To protect the privacy of personal information, many experts recommend that entities should not use individual authentication when attribute authentication will suffice. This recommendation minimizes the personal information collected from individuals. For example, individuals who want to go on a ride at the state fair may have to show that they satisfy the height requirement by standing against a measure of their height (attribute authentication), but do not need to present a photo ID as authentication to go on the ride (individual authentication).

Secondary Uses and Linkages:

The reliance on common identifiers, such as Social Security Numbers, across multiple state authentication systems and the linking of user information across systems can create privacy concerns, because, with each new use or linkage, there are more associated risks that could compromise the information’s privacy.[26] The minimization of secondary uses and linkages of personal information collected via authentication is consistent with the Fair Information Practices. However, states must be careful to weigh those risks with the opportunities for operational efficiencies that are created through a shared identity management infrastructure that supports the common identity needs of government and private sector transactions. For example, an enterprise identity and access management service could provide self-registration, digital identity creation, password management and synchronization, and improved service delivery 24x7 for a wide range of users who desire access to government information and/or systems. A thorough risk analysis can be of great assistance to states in balancing the privacy risks with the operational efficiencies that can be created by the aggregation and sharing of authentication information.

Identity Credentials--A Word About Foundational Documents:

Foundational documents, such as birth certificates and driver’s licenses, are created during the early phases of the identity management life cycle and are used to authenticate individuals in the later stages of that life cycle.[27] However, foundational documents pose general concerns regarding their validity and reliability. This is particularly true when one state is relying upon another state’s foundational document (such as a birth certificate) in order to issue another identity document (for example, a driver’s license). The NRC Report recognizes this concern, because these types of documents, including passports and Social Security Cards, are issued “by a diverse set of entities that lack ongoing interest in the documents’ validity and reliability.” Hence, the NRC Report recommends that “birth certificates should not be relied upon as the sole base identity document. Supplemented with supporting evidence, birth certificates can be used when proof of citizenship is a requirement.”[28] States should consider the validity and reliability of any foundational documents used to authenticate an individual.

Section VI: Federal and State E-Authentication Efforts

The Federal Level:

At the federal level, the U.S. Office of Management and Budget (OMB) has issued guidance for federal agencies on E-Authentication. The guidance is technology-neutral and requires agencies to perform risk assessments regarding new or existing E-Authentication systems. Agencies then map the risks to assurance levels established in the guidance. The assurance levels provide agencies with guidance as to the confidence level provided by the authentication.[29] Guidance from NIST (the National Institute of Standards and Technology) provides more specific technical guidance as to what types of processes and authentication methods must be in place at each assurance level.[30] NASCIO will monitor any state impact that might devolve from these federal efforts.

The U.S. General Services Administration (GSA) is the managing partner of the federal E-Authentication Initiative, which focuses on building the necessary infrastructure to support common, unified E-Authentication processes and systems for government-wide use.[31] Currently, the initiative is focusing on E-Authentication within the context of the banking sector in order to provide banks with access to select federal information systems. GSA will work with other sectors, including states, in the future as it advances a federated model for E-Authentication.

Other federal authentication-related efforts include the Federal Bridge Certification Authority (FBCA), which helps to support interoperability among various federal PKI efforts.[32] Moreover, OMB has an effort underway via the Federal Identity Credentialing Committee to make policy recommendations on identity credentialing as a component of the broader federal Enterprise IT Architecture effort.[33]

The State Level:

At the state level, government agencies generally opt for technology based on “what you know,” and typically use some form of password protection for low-risk authentication. Higher-end E-Authentication methods, such as PKI, are less frequently used, due to their complexity and expense to implement. One example is Washington State’s PKI infrastructure, which allows citizens and businesses to conduct online transactions.[34] Some states also use a form of electronic signatures that allows users to digitally sign and transfer documents and gives them the same legal effect as written documents. However, even rarer at the state level is the use of biometric identifiers, such as facial recognition and iris scans. In part, concerns with false negatives and positives and the public perception of privacy encroachments with the use of biometrics appear to have slowed their adoption in the state government sector.

While E-Authentication is critical to the expanded application and broader adoption of online government transactions, states must proceed with E-Authentication in a way that properly assesses and addresses the risks, including potential compromises to citizen privacy. In that way, states will ensure that they are providing the proper level of authentication, which will enhance individuals’ privacy protections.
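
The risk-to-assurance-level mapping described under "The Federal Level," applied to the six harm categories listed in Section IV, can be worked through as follows. This is an added example, not part of the NASCIO brief or of OMB's guidance: the impact ceilings are transcribed from Table 1 of OMB M-04-04 (cited in Appendix A), and every function name, category key and sample assessment is hypothetical and constructed for illustration.

```python
"""Added example: derive the required assurance level from an impact
assessment and flag systems that authenticate more (or less) than needed."""

IMPACT_RANK = {"none": 0, "low": 1, "moderate": 2, "high": 3}

# Highest impact each assurance level (1 to 4) may carry per harm category,
# transcribed from OMB M-04-04 Table 1. None means "N/A": the level cannot
# be used if any impact of that kind is possible.
MAX_IMPACT = {
    "inconvenience_distress_reputation":   ("low", "moderate", "moderate", "high"),
    "financial_loss_or_liability":         ("low", "moderate", "moderate", "high"),
    "harm_to_programs_or_public_interest": (None, "low", "moderate", "high"),
    "release_of_sensitive_information":    (None, "low", "moderate", "high"),
    "personal_safety":                     (None, None, "low", "high"),
    "civil_or_criminal_violations":        (None, "low", "moderate", "high"),
}


def level_for(category, impact):
    """Lowest assurance level whose ceiling covers `impact` in `category`."""
    if category not in MAX_IMPACT:
        raise ValueError(f"unknown harm category: {category!r}")
    if impact not in IMPACT_RANK:
        raise ValueError(f"unknown impact rating: {impact!r}")
    rank = IMPACT_RANK[impact]
    if rank == 0:
        return 1  # no possible harm of this kind: level 1 is sufficient
    for level, ceiling in enumerate(MAX_IMPACT[category], start=1):
        if ceiling is not None and IMPACT_RANK[ceiling] >= rank:
            return level
    raise ValueError("impact exceeds every level's ceiling")


def required_assurance_level(assessment):
    """Return (level, drivers): the highest per-category level and the
    categories that force it. Categories missing from the assessment are
    treated as having no impact."""
    for category in assessment:
        if category not in MAX_IMPACT:
            raise ValueError(f"unknown harm category: {category!r}")
    per_category = {
        c: level_for(c, assessment.get(c, "none")) for c in MAX_IMPACT
    }
    level = max(per_category.values())
    drivers = sorted(c for c, l in per_category.items() if l == level and l > 1)
    return level, drivers


def review(assessment, deployed_level):
    """Compare a deployed level with the assessed need. Over-authentication
    is reported too, since it collects identity data the risk does not justify."""
    required, drivers = required_assurance_level(assessment)
    if deployed_level < required:
        finding = "under-authenticated"
    elif deployed_level > required:
        finding = "over-authenticated"
    else:
        finding = "matched"
    return {"required": required, "deployed": deployed_level,
            "finding": finding, "drivers": drivers}


# Constructed sample assessments, loosely modeled on the transactions the
# brief mentions; the impact ratings are illustrative, not official.
CUSTOMIZE_PAGE = {"inconvenience_distress_reputation": "low"}
ADDRESS_CHANGE = {
    "inconvenience_distress_reputation": "moderate",
    "financial_loss_or_liability": "low",
    "release_of_sensitive_information": "low",
}
REMOTE_ACCESS = {
    "release_of_sensitive_information": "moderate",
    "financial_loss_or_liability": "moderate",
    "personal_safety": "low",
}

if __name__ == "__main__":
    for name, assessment, deployed in [
        ("customize page", CUSTOMIZE_PAGE, 3),
        ("address change", ADDRESS_CHANGE, 2),
        ("remote access", REMOTE_ACCESS, 2),
    ]:
        print(name, review(assessment, deployed))
```

The "over-authenticated" finding corresponds to the brief's point in Section V that privacy can be compromised when authentication is stronger than the risk requires.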

Appendix A: Need More Information on E-Authentication? References and Resources

NASCIO Publications:

For more information about NASCIO’s other privacy publications, including “Information Privacy: A Spotlight on Key Issues,” and “Think Before You Dig: The Privacy Implications of Data Mining and Aggregation,” please see our Privacy Committee Webpage at <https://www.nascio.org/nascioCommittees/privacy/>.

NASCIO’s Enterprise Architecture Development Toolkit, v 3.0, <http://www.nascio.org/publications/index.cfm#architecture>.

Government Resources:

“E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>.

“Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology,” National Institute of Standards and Technology (NIST), June 2004, <http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf>.

“Standards for Security Categorization of Federal Information and Information Systems,” NIST Federal Information Processing Standards Publication 199, December 2003, <http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf>.

NIST Smartcard Research and Development Homepage, <http://smartcard.nist.gov/>.

“Policy for a Common Identification Standard for Federal Employees and Contractors,” Homeland Security Presidential Directive, August 2004, <http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html>.

Federal Bridge Certification Authority Website, <http://csrc.nist.gov/pki/fbca/welcome.html>.

Federal Identity Credentialing Committee Website, <http://www.cio.gov/ficc/>.

U.S. General Services Administration (GSA) E-Authentication Initiative Homepage, <http://www.cio.gov/eauthentication/>.

Washington State Public Key Infrastructure (PKI), <http://techmall.dis.wa.gov/master_contracts/e_commerce/digital.asp>.

Other Organizations:

“e-Authentication Risk and Requirements Assessment: e-RA Tool Activity Guide,” Carnegie Mellon, Software Engineering Institute, May 2004 (updated), <http://www.cio.gov/eauthentication/era.htm>.

“Identity Management: Are We All On the Same Page?” National Electronic Commerce Coordinating Council (NECCC), 2004, <http://www.ec3.org/Downloads/2004/identity_management.pdf>.

“Enterprise Identity and Access Management: The Rights and Wrongs of Process, Privacy and Technology,” NECCC, 2003, <http://www.ec3.org/Downloads/2003/EnterpriseIdentity.pdf>.

“Identity Infrastructure,” NECCC, 2003, <http://www.ec3.org/Downloads/2003/identity_infrastructure.pdf>.

“Identity Management: A White Paper,” NECCC, 2002, <http://www.ec3.org/Downloads/2002/id_management.pdf>.

“Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.

“Understanding Electronic Signatures: The Key to E-Government,” Stephen H. Holden, IBM Center for the Business of Government’s E-Government Series, March 2004, <http://www.businessofgovernment.org/pdfs/Holden_report.pdf>.

Appendix B: A Word About Identity Management

While this Research Brief focuses on E-Authentication, that topic is only a part of the broader picture of the identity management life cycle, which embraces the full spectrum of how identities are created and used. The generic phases of the identity management life cycle are:

o Phase 1: Identity proofing by a credentialing authority
o Phase 2: Creation of an identity credential
o Phase 3: Presentation of an identity credential to a relying party
o Phase 4: Acceptance of a credential by a relying party.[35]

E-Authentication processes occur during Phases 3 and 4 of the identity management life cycle. For purposes of this Research Brief, the reader should assume that activities in Phases 1 and 2 of the life cycle have already taken place.

We can use our example of the voting process at the beginning of this Research Brief in order to illustrate the identity management life cycle.

o Phase 1: A voter completes a registration card, providing information such as a name and address, and submits the form back to the appropriate state voter registration agency. There may be verification processes that occur during this phase in order to verify the validity of the information that the voter provided to the voter registration agency. Since the voter will be required to present a form of photo identification at the polls on Election Day, Phase 1 also may include a voter’s application for a photo ID, most likely a driver’s license. In this phase, the state Department of Motor Vehicles (DMV) verifies that the individual is who he or she claims to be through methods that might include the presentation of a birth certificate.
o Phase 2: During this phase, the state voter registration agency places the voter’s name on the roll of registered voters. This phase also entails the issuance of a photo ID to the individual by the state DMV.
o Phase 3: This phase occurs when the voter arrives at the polls on Election Day and presents his or her photo ID to the poll registration worker. The voter’s identity must be authenticated before the voter is permitted to proceed into the voting booth.
o Phase 4: The poll worker verifies that the name on the photo ID matches the name on the voter registration roll and that the face of the person on the photo ID matches the voter’s face.

In this Research Brief, we examine the privacy implications that are associated with E-Authentication during Phases 3 and 4.
Appendix C: NRC Checklist to Lessen Privacy Impact When Designing or Selecting an E-Authentication System

The checklist below was formulated by the National Research Council (NRC) in its publication “Who Goes There? Authentication Through the Lens of Privacy.” You can find more about this publication at: <http://www.nap.edu/catalog/10656.html>.

o Authenticate only for necessary, well-defined purposes
o Minimize the scope of data collected
o Minimize the retention intervals for data collected
o Articulate what entities will have access to the collected data
o Articulate what kinds of access to and use of the data will be allowed
o Minimize the intrusiveness of the process
o Overtly involve the individual to be authenticated in the process
o Minimize the intimacy of the data collected
o Ensure that the use of the system is audited and that the audit record is protected against modification and destruction
o Provide means for individuals to check on and correct the information held about them that is used for authentication.36
Notes

1 The title of this Research Brief was inspired by The Who’s 1978 single “Who Are You?”

2 For more information about identity theft and the role of authentication as a solution, please see testimony from a hearing on identity theft by the House of Representatives, Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, entitled “Identity Theft: The Cause, Costs, Consequences, and Potential Solutions?” September 2004, <http://reform.house.gov/TIPRC/Hearings/EventSingle.aspx?EventID=1365>.

3 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.

4 “2004 Election Results,” CNN, November 3, 2004, <http://www.cnn.com/ELECTION/2004/pages/results/president/>.

5 For more information on HAVA, please see NASCIO’s April 2004 Briefing Paper on HAVA at: <https://www.nascio.org/nascioCommittees/privacy/HAVA04.pdf>.

6 Examples of voting privacy concerns are available on the website of the National Committee for Voting Integrity at: <http://www.votingintegrity.org/issues/Privacy.html>.

7 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>.

8 “The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States,” 2004, <http://www.gpoaccess.gov/911/>. Note that these and other similar concerns raised by the 9/11 Commission involve issues of identity management that are broader than the E-Authentication privacy issues that we discuss in this Research Brief. Please see Appendix A for additional resources, including white papers by NECCC (National Electronic Commerce Coordinating Council), on the wide array of issues associated with identity management.

9 “The Intelligence Reform and Terrorism Prevention Act of 2004,” §§7211-7214 (identity management provisions), <http://govt-aff.senate.gov/_files/IntelligenceReformconferencereportlegislativelanguage12704.pdf>.

10 For more about the identity management life cycle and authentication’s role in it, please see Appendix B.

11 “Digital Imaging Program Fact Sheet,” State of Connecticut, Department of Social Services, January 2004, <http://www.dss.state.ct.us/pubs/difacts.pdf>.

12 E-Authentication is a mere step within the broader context of the identity management life cycle that encompasses the creation and management of the various identities we use in transacting business with multiple entities on a daily basis. See Appendix B for a more detailed explanation of the identity management life cycle and E-Authentication’s role in it.

13 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.

14 Note that, according to a 2004 survey sponsored by Carnegie Mellon’s CIO Institute and the Ponemon Institute, 83% of the responding public said that data privacy was important or very important to them. However, many respondents had a high level of uncertainty about the government’s ability to use and collect personal information. For more information, please see <http://cioi.web.cmu.edu/newsroom/press/20040209.jsp>.

15 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>.

16 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.

17 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>.

18 Ibid.

19 While the technologies used in E-Authentication may be complex in some instances, there are many resources available that treat in detail the privacy and security features of E-Authentication technologies such as PKI (Public Key Infrastructure), Digital Certificates, Digital Signatures, LDAP (Lightweight Directory Access Protocol), and RFID (Radio Frequency Identification). NASCIO recommends starting with the resources in Appendix A of this Research Brief.

20 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.

21 Ibid.

22 Ibid.

23 When considering the risks to privacy, it is helpful to examine the risks to privacy in light of the widely-used Fair Information Practices (FIPS). The FIPS include considering privacy as it relates to: (1) the collection of information (2) data quality (3) the purpose of information collection (4) uses (including secondary uses) of the information (5) notice to individuals of the collection of information (6) individual participation in the collection, use, assurance of accuracy, and correction of the information, and (7) enforcement and redress for individuals. For more about the FIPS, please see NASCIO’s “Information Privacy: A Spotlight on Key Issues.” It is available for free download to NASCIO members and for purchase by non-members at, <www.nascio.org>.

24 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.

25 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>.

26 Ibid.

27 For more about the identity management life cycle, please see Appendix B.

28 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.

29 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>.

30 “Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology,” William E. Burr, Donna R. Dodson, and W. Timothy Polk, June 2004, <http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf>.

31 For more information, please see GSA’s E-Authentication website at, <http://www.cio.gov/eauthentication/>.

32 View the FBCA’s webpage at <http://csrc.nist.gov/pki/fbca/welcome.html>.

33 View the Federal Identity Credentialing Committee’s webpage at <http://www.cio.gov/ficc/>.

34 Unique to Washington State’s PKI is its ability to create “digital signatures” which can be applied to electronic forms. These digital signatures have the same force and effect under Washington law as a handwritten signature, and agencies are beginning to look to digitally-signed transactions as a way to minimize the use of paper and reduce transaction cycle time. For more information about Washington State’s PKI program, please contact Scott Bream, Washington State Department of Information Services, firstname.lastname@example.org

35 “The Identification Process Deconstructed,” J. Scott Lowry, Caradas, Inc., PowerPoint Presentation at NIST Smart Card Workshop, June 8-9, 2003, <http://csrc.nist.gov/card-technology/presentations/security-privacy/Lowry-Caradas-Identification-Process.pdf>.

36 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.