User-Centric Identity Comes to Washington: Heather West of the Center for Democracy and Technology
With the federal government piloting the use of third-party credentials to authenticate users at three websites, a basic question that needs to be addressed is the role of government should play to assure the issuers of the credentials - picked by citizens themselves - are providing legitimate services as promised.
"Users have a heightened expectation of privacy when they interact with the government online," Heather West, a policy analyst at the advocacy group Center for Democracy and Technology, said in an interview with GovInfoSecurity.com (transcript below). "The federal government has a history of privacy protective regulations online that keep them from collecting data about the people who frequent their websites and there is no reason that these new technologies should change that expectation of privacy. So it is very important that they build privacy into the final tools."
So, should third-party credentialing companies be regulated to assure proper privacy is built into those tools? Perhaps not, West says: "One of the problems with regulating this kind of interaction is that the technology changes so quickly."
In an interview with GovInfoSecurity.com, West explains:
- How user-centric identity works.
- Who are the major players.
- Why the government should not regulate user-centric identity.
West was interviewed by Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: What is a user-centric identity management system and how does it differ from conventional ways to identify individuals?
HEATHER WEST: Most of us are fairly familiar with offline identity; it's things like handing over your driver's license to show that you are in fact permitted to drive or permitted to buy something in a store. That is me saying, "I am Heather West. I can drive; the state told me so." But online, it is a lot harder to make that kind of assertion around your identity and typically it ends up being something like, "I am Mickey Mouse 33. You know me." But those identity systems are very rarely as protective of privacy and of user information as they could be.
We tend to prefer user-centric identity systems. They are user centric in that the user is at the center of the interaction and chooses where the information is sent and what information is used to identify them. It is also sometimes called directed identity.
So for instance, if I go to a website say, www.nih.gov, and one of these pilots and they ask me to sign in, I can choose an identity provider that I already have an existing relationship with and who already knows who I am and ask them to go ahead and tell NIH who I am, or simply that I have been there before and I have a certain set of preferences.
CHABROW: What is or who is an identity provider?
WEST: They are the people that handle my information in this case. They assert my identity on my behalf. That identity is really just some set of information, whether it is my name or my email address, or simply my favorite bookmarks or what state I live in, or who I work for. All are very useful claims about myself when I can assert them to a website in some authenticable way. And so that identity provider manages that information for me so that I don't have to go prove to each website who I am, what I do, where I live, that kind of thing.
CHABROW: And what are the advantages of this way of authenticating users?
WEST: There are a lot of advantages for everyone involved really. I as a user don't have to create new usernames and passwords for every website I go to. For example, if I wanted to go to a website online that I knew I was only going to go to once it is not worth setting up a profile for myself to say, you know here's my name, here's my address. Say it is for me ordering something online and they need to know my shipping address, everyone is familiar with going through all of these online forms and instead I could ask my identity provider to provide that information to the site if I trust my identity provider and I trust that site. So it is easier for the user.
It is also going to be easier for the sites that accept that authentication because they don't have to develop their own in house authentication systems and safeguard my data.
CHABROW: Do such identity providers exist already, or?
WEST: Oh yes. Believe it or not, millions and millions of people have these identities from identity providers. People like PayPal or Google or Facebook or LiveJournal, it is only a small, small fraction of those people using those identities across the web though.
CHABROW: Are you saying that PayPal, Google, Facebook are these identity providers or are they using?
WEST: They are all identity providers. So currently they are all implementing some set of standards, and there are a few out there for identity providers whether it is Open ID or InfoCard For example, there are a lot of websites that let me sign in using my Facebook account and that is useful for Facebook because they then can, you know, publish a story to my profile if I ask them to and it is another data point for them as well.
CHABROW: These identity providers will be services that already offer some other kind of service? This will be something ancillary to their business?
WEST: Typically yes. The existing identity providers and the ones that have signed on for this set of government pilots are ones that users already have relationships with. It won't be creating a new identity unless you want to.
CHABROW: Are there standards out there?
WEST: There are standards. As I mentioned there are a few kind of protocols around this; Open ID, Information Card are the ones that I am most familiar with, but they are certainly not the only ones out there. So they set a set of standards for how sites interact with each other and they are fairly open-ended, the user and the site have a lot of choices around how they implement that.
CHABROW: What gives you pause about the current system of user centric identity management?
WEST: Because of the way that the government is implementing these pilots, there is a lot of evolution going on in how these identity providers and how they are operating, how the relationships are managed. We are concerned about the privacy and security implications of using one identity provider to interact with websites all over the web and we want to make sure that the user is empowered to use their information to control their information to make this a boon for privacy.
CHABROW: You said you were concerned about one provider doing this; can you clarify what you mean?
WEST: Not that there is one provider so much as it is likely that ever user will choose one provider and that provider will manage relationships all over the web. The traditional web model, website had information about your interactions with that website only. But if I use one of these identity providers to manage my relationship with government websites, that identity provider will know ever government website that I go to because I have to authenticate through them, or I choose to authenticate through them, and that has privacy ramifications.
Now there are a lot of really good answers to this in about how to implement this very responsibly, but we are watching the policies evolve now.
CHABROW: Should the government regulate user centric identity management systems and should that regulation be just limited to what is done to its own sites, or should some regulation be broader?
WEST: One of the problems with regulating this kind of interaction is that the technology changes so quickly. For example, there is one kind of identity or authentication call PKI and the standards for that were regulated, but there is no way for that regulation to then evolve and change as quickly as the authentication technology is. We think that avoiding regulation and legislation is important if all of these players can play together responsibly.
CHABROW: So far, does the evidence suggest they are?
WEST: I think that they are all trying hard to develop responsible policies and safeguards as they move into this huge market in the U.S. government. They are going to discover that not acting responsibly will loose the trust of the consumers and really that is their most important asset.
CHABROW: So simply the marketplace will help regulate this?
WEST: That is our hope. It is our hope that it doesn't take some massive information breach to help consumers realize that this is important.
CHABROW: You had mentioned earlier a little concern about these businesses that offer to manage the identities, knowing where citizens go within government. Why is that any more of a concern in a sense of knowing where they are going than in the commercial world and what can be done if that is a problem to prevent that?
WEST: Users have a heightened expectation of privacy when they interact with the government online. The federal government has a history of privacy protective regulations online that keep them from collecting data about the people who frequent their websites and there is no reason that these new technologies should change that expectation of privacy. So it is very important that they build privacy into the final tools.