Legal Obstacles Delaying Federated Identity Management

The challenge of identifying and authenticating users has plagued businesses and government agencies for some time. A legal framework can minimize risk.

1 2 Page 2
Page 2 of 2

There are, of course, many ways to accomplish the foregoing, ranging from relatively simple user ID and password systems to very complex public key infrastructures. But in all cases there are some very basic questions that need to be asked, all of which raise potentially significant legal issues.

Identification Process First and foremost, what is the process that the identity provider uses to establish the identity of the subject? That process is critical to the reliability of an identity assertion. For example, does the identity provider do an in-person interview of the subject and examine multiple government-issued photo identification documents, or does it simply rely on the subject's self-asserted claims made over the Internet? And what mechanisms are in place to ensure that the identity provider has actually complied with that process? For example, is there a requirement for an external audit?

Personal Information What are the rules that govern the privacy and security of the personal information about the subject that is collected by the identity provider? Since the subject must provide the identity provider with certain personal information to establish his or her identity, the protection of that information becomes critical. Likewise, if the identity provider will be communicating some of that information to a relying party as part of an identity assertion, the subject needs to know what rights the relying party has to use and further communicate, and what obligations it has to protect, that information.

Scope of Assertion What is the scope of the identity assertion? For example, does an assertion that someone is "Bill Gates" mean that this person is Bill Gates of Microsoft, Bill Gates of Peoria, Illinois, or some other random person with that name? Does it mean that this person has a bank account in the name of Bill Gates? Or does it simply mean that this person claims to be Bill Gates? The answer to this type of question will have a significant impact on the willingness of the relying party to proceed with different types of transactions on the basis of the identity assertion. And it will also affect the liability of the identity provider in the event the assertion is incorrect.

Use of Assertion What type of transaction is appropriate for use of the identity assertion? The level of identity checking required to make an identity assertion for accessing the control processes of a nuclear reactor is presumably much greater than the identity verification necessary to justify access to the local garden club website. The identity provider will want to limit the scope of the use of an identity assertion.

Liability The potential liability of the each of the parties is also important to consider. Specifically, what is the liability of the subject for providing false identity information, or for failing to protect the password or key necessary to initiate an identity assertion? What is the liability of the identity provider for failing to follow proper identification procedures that result in an incorrect identity assertion? What is the liability of the relying party for trusting a fraudulent assertion (e.g., in the case of identity theft), especially in a case where it could have determined that the assertion was false?

There are a variety of possible approaches to developing a legal infrastructure to address questions like these. They include enacting legislation or regulations (such as those we see in some other countries), establishing a set of private system rules that all parties contractually agree to (such as used by funds transfer systems and in the credit card industry), establishing public standards that parties publicly agree to and are audited against as a condition of participating (as in the case of Extended Validation SSL certificates), entering into a series of one-on-one contractual relationships (such as the federal government has been doing with selected identity providers), and relying on public disclosures of practices (such as with the traditional PKI approach). Each of these approaches has positive and negative attributes.

Without some type of a legal framework to address these issues, however, a federated identity model will likely not scale. At least in the case of economically significant transactions, the risks to each of the parties of such unresolved issues are simply too great to justify reliance on the federated process. These questions, and others like them, are the legal land mines that stand in the way of a viable federated identity management infrastructure.

Thomas J. Smedinghoff is a partner in the privacy, data security and information law practice at the law firm of Wildman Harrold in Chicago.


Copyright © 2008 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Download CIO's Winter 2021 digital issue: Supercharging IT innovation