Otherwise Occupied
 



identity

gregh  2007-08-12 18:33           

When we empower users to control their identities, do those empowered to release personal information on behalf of a user have a responsibility to ensure the user understands what they're releasing?

I don't know. I do know that most computer interfaces continue to baffle users. Users seem just to want to click to make the dialog box go away. Dialog boxes mean something has happened. How do we train a user to be careful before releasing information?

From a legal standpoint, does a user truly consent to the release of data if the user didn't understand what they were releasing? What would be the standard for determining what a user knew or should have known?

gregh  2007-07-12 20:57             

If you're not following the digital identity space, you're really missing out. Things are absolutely hopping. In fact, given my limited window to watch, I have a very difficult time keeping up.

Microsoft's InfoCard standard is taking off. And because Microsoft has shared the specification, lots of people are working with it. Novell's Higgins Project is doing a lot. Other projects, such as Firefox extensions, are similarly doing good work. The goal of much of this work is to allow users to control the release of their information online, and also to know what information it is that they're releasing.

OpenID, the bastion of user-centric identity, is very hot. Integration with InfoCards is underway. User-centric identity systems allow a user to specify what their identity looks like and to control where it lives.

Finally, there's a large community of companies built up around this space. There's been a need for these technologies for a long time, and they're finally starting to see the light of day.

This is just a high level overview of some of the very hot issues I've been following. I'm sure I'll be writing more about these issues in the future.

gregh  2007-06-15 17:18         

On the first day of Legal Ethics last semester, my professor asked us, "If a friend came to you asking for help finding a lawyer, what would you tell them?" It was a good question, largely because I've already faced it, and my answer was typically, "I don't really know," followed by some of the standards, such as Martindale-Hubbell, the local bar association, yellow pages, etc. In other words, I wasn't much help, and it was unclear that those resources were going to be much help, either.

With that (and visions of advertising revenue) in mind, a hotly discussed site called Avvo has recently sprung up. They've harvested data from numerous public sources to provide a directory and public rating system for lawyers. They're correlating data on disciplinary actions, as well. Lawyers, often technophobes and protective of what content is out there about them, have been... displeased. Not surprisingly, there's already been a lawsuit filed.

How does this become an issue of online (digital) identity? Much of the dismay centers around the process required to claim your own profile, specifically, that it requires handing Avvo a credit card. Of course, we know that credit cards are horrible identifiers. Courts have routinely rejected the concept (see, for instance, Reno v. ACLU, Ashcroft v. ACLU, and the excellent findings of fact in ACLU v. Gonzales, 478 F.Supp.2d 775). And so, what do we do?

This is an excellent example of where a verified identity scheme, whether OpenID, InfoCard, or some other sufficiently robust scheme, could be used. Under current OpenID specs, it might not be possible to actually assert sufficient information to properly verify you are an attorney on the Avvo site. However, combined with a service such as Jyte, maybe it would. That's really where something like InfoCard (or other, verified, federated identity capable of asserting attributes in a reasonable, user-centric way) could come into play, allowing a person to select a verified InfoCard that properly asserted the person as the lawyer presented on the Avvo site.

In the meantime, Avvo is yet another site collecting a set of its own user credentials, credit card information, and attempting steps at connecting real-world people with cyberspace fictions.

gregh  2006-11-09 18:14           

Daniel Solove comments on a USA Today article about financial institutions culling from public records databases to arrive at identifying facts, rather than using Social Security Numbers:

Concurring Opinions: Verifying Identity: From One Foolish Way to Another:

The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you -- after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people's backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.

Anyone who has had someone else's information in a credit report knows that matching records, even when there is a solid, government-issued identifier, seems impossible on the scale that's required for the credit agencies. These public records databases often work with pieces of data that aren't tied to a unique identifier like an SSN. Imagine the torture of trying to get access to your money -- or get a new credit card -- when your financial institution is using data that is, often at best, tenuously matched.

gregh  2006-11-08 16:45           

'Supercerts' Aim to Highlight Legit Web Sites:

Over the past couple of years, dozens of companies have rolled out technologies designed to help computer users and companies better spot 'phishing' scams -- Web sites that try to trick people into giving away financial and personal data. But what about helping users tell for certain that when their browser tells them that they are at, say, BankofAmerica.com, that they're really at the bank's official Web site and not at some scam site?

That's precisely the aim of CA/Browserforum, a security effort by the major Web browser makers and certificate authorities, or companies who sell and issue Web site security certificates.

Today, pretty much any Web site owner can plunk down between $150 to $400 and purchase a secure sockets layer (SSL) certificate, a technology designed not only to protect the integrity of data submitted by customers but also to give visitors a modicum of assurance that the site takes their security seriously. By clicking on the little padlock icon in the browser that accompanies all SSL certified sites, visitors also can gain more assurances that the SSL holder is a legitimate company and that it at least has been vetted by a certification authority to some degree.

It wasn't too long ago, I was having a discussion with someone about this topic. The first time I tried to purchase a server certificate (from VeriSign), it was actually a labor-intensive process. I was working for Instinctive Technology (the makers of eRoom, bought by Documentum, who in turn was bought by EMC) and we had maybe 20 employees at the time. VeriSign rejected the application initially, because they couldn't verify that we existed. I had to come up with a D&B number, and I had to have a letter from an officer on company letterhead stating who we were and that the company was indeed requesting the certificate. Finally, I had to make several phone calls to finally get the thing processed. In the end, I was left pretty convinced that they knew who I was.

Obviously, that process wasn't going to work on a larger scale, and things became something of a joke. Now, certificates do little more than authenticate that someone presumably legitimate signed the data contained in the certificate. So, with this proposal, I guess we're taking some cues from the past. Imagine; people might actually have to get involved in an effort to prove identity.

gregh  2006-11-08 16:14             

The Cato Institute wonders if, especially in the "Live Free or Die" state, perhaps Real ID didn't have some impact on yesterday's election results:

Cato-at-liberty » REAL ID and a Sweep for Democrats in New Hampshire:

There are many explanations for the strong result Democrats got in the election yesterday. Focusing on New Hampshire, there is a neat correlation between support for the REAL ID Act and defeat at the polls yesterday.

Jeb Bradley was one of “several Washington officials . . . urging state senators to support Real ID” when the state legislature was considering a bill to reject it. He was defeated by Carol Shea-Porter, a surprise victor who enjoyed little help from national Democrats. Here’s Shea-Porter speaking at an anti-REAL-ID rally.

Representing the Second District, Charlie Bass was an original co-sponsor of the REAL ID Act, and he touted that fact on his Web site. His replacement is Paul Hodes. Hodes is not a full-throated critic of REAL ID, but he did tell AP, “I do not favor creating a new central federal database using the permanent images of these documents. . . . A piece of paper is not the solution to securing our borders from terrorism. We need to better coordinate our existing law enforcement databases and watch lists.”

New Hampshire resisted Real ID for a long time, until Congress offered to pay them off, and the state legislature caved. That was unfortunate, because a state holdout was going to be a good challenge to the practicality and legality of the act.

Now, perhaps the best hope for some sanity to return is for the Democrats to repeal the Real ID nonsense and bring some sensibility back to reliable identification. The U.S. Government should, presumably, be working to strengthen and protect identity. It shouldn't be working to weaken it.

gregh  2006-10-21 11:46               

Is there any better evidence that the Real ID Act was poorly conceived and given too little consideration than the fact that the deadline for state implementation is less than 18 months away from the time the draft standards will be released?

FCW.com - Real ID draft regs due by year's end:

By the end of the year, the Homeland Security Department will issue draft regulations specifying how states should implement mandatory federal standards for driver's licenses. But several states have already gotten started.

According to the statute, the states will have until May 11, 2008, to implement the requirements that "the National Governors Association and the National Conference of State Legislatures stated . . . will cost $11 billion over five years to comply with the law, which will reduce efficiencies and increase wait times." In other words, the Department of Homeland Security has taken longer to develop a draft of the regulations than the states will have to implement this multi-billion dollar fiasco.

A better piece of legislation aimed at this problem could have preserved privacy, made implementation easier for the states, and laid out a more realistic timeline for implementation. Instead, we got the Real ID Act.

gregh  2006-10-15 23:43                 

I've made my feelings about the Real ID Act of 2005 pretty clear, I think. Without question, it gives the appearance of greater security without any real increase in it. What does it do?

  • It requires governments to collect even more personal information than most states currently collect from those who desire a driver's license or identification card.
  • It obliterates many of the protections of the Driver's Privacy Protection Act along with the information privacy legislation of states that offer more protection.
  • It forces states to keep vast amounts of personal information in accessible electronic databases.
  • It forces states to open their driver records to all other states.

But there are a lot of things it doesn't do. Here are some humorous things that came from my Technorati feed just over this weekend:

blog.myspace.com/redcracker:

So in May of 2008, we are going to be issued a National ID card. It is going to replace your driver's license, or state id, or whatever you have.  They are going to be issued by the federal government and you are going to need it to work, get a social security card, get any government programs, etc. It is going to do the same things your drivers license does. Execpt its a little more specific. It will have your finger print, or RETINA scan on it. Thats right. Everyone in the United States will have your finger print on file. Or your retina scan. And this isn't some weird movie thing. Its actually happening. Its called the Real ID Act. Its to fight bad guys. Google Real ID Act. Its freakin scary. My biggest concern or issue with it is the finger print deal.

This is so very wrong. It won't replace "whatever you have." It won't just "be issued." It's not going to be issued by the federal government. It won't be required to get a social security card (or number) because you'll need one before you can get a Real ID-compliant license or identification card. It will do just what your current driver's license does, because it's simply a new license, issued under compliance with the Real ID regulations, which haven't even been publicly released yet.

It's unlikely that it will have a fingerprint, and you can almost be assured it won't have any retinal signatures on it. Fingerprinting is not required by the act, though it's not clear what the DHS will do. Someone needs not to rely on her "cool ass friend Andy who likes to keep me up to date on the odd going ons in the world." Andy doesn't know what he's talking about.

But they get nuttier.

blog.myspace.com/thevillage88:

Real ID Act which requires that, by 2008, all states need to conform to a national ID standard which will hook everybody up to a centralized computer database called the "Total Information Awareness System" backed by DARPA. The ID will include "machine-readable technology", most likely RFID(Radio Frequency Identification), and will require four proofs of identification to obtain. They say that this will not be - by definition - a national ID card because it is entirely voluntary. Sounds good enough until you dig a little deeper and find out that anyone who lives in a state that does not conform to the Real ID, will essentially not exist to the US government. That's right. You cannot get a license to drive a car or board an airplane ride a train, enter federal buildings, national parks, and so on.

Certainly, there's probably good reason to believe that TIA never died. There's also very good reason to believe that one of the great benefits of forcing the electronic opening of all state driver databases is that it would benefit a TIA-like system. That said, the Real ID Act certainly doesn't require that all of that be done by 2008. The card is voluntary for states, supposedly, because states won't have to issue Real ID-compliant licenses or identification cards. Those without Real ID cards won't be able to use their non-compliant IDs to access federal facilities. I don't believe that means national parks, largely because I've never had my license checked to enter a park.

You can certainly get a license to drive. And can probably even board a train.

It's not at all clear that states may realistically opt-out of Real ID compliance. After all, their citizens would be severely hampered. Or, at least, they'd all have to have passports for dealing with the federal government.

gregh  2006-08-28 06:21           

Oz ID card database racked by identity fraud claims | The Register:

There were 790 security breaches at government agency Centrepoint involving 600 staff. Staff were found to have inappropriately accessed databases containing citizens' information. The databases are part of a massive federal Government smart card project which will link medical, welfare, tax and other personal data on Australia's 17m citizens.

Hard to believe, isn't it?

Now, imagine a federal government database of (potentially) smart card data including all of your driving records, automobile ownership, medical restrictions, and maybe profession. Only, this would contain information on nearly 300 million citizens. What's more, security wouldn't be centrally managed, there would be more than 50 security teams in each state, each with their own AAA schemes, and each with full access to the contents of the other states' databases.

Do you think some employees might take some risk to get at that information?

Do you think some creative attackers might?

That may be what the Real ID Act of 2005 is bringing us.

gregh  2006-08-10 06:02         

Oh, right. It wouldn't. In absolutely no way would rigid, privacy-invading identification card standards prevent a known person from boarding a plane carrying liquid explosives. Or non-liquid explosives. Or weapons of any type, except maybe a shiv whittled from a non-Real ID-compliant identification card.

The base problem is that Real ID did nothing to ensure that the cardholder is the person identified by the card, yet it gives great credence to a cardholder.
