Identity Assurance Costs

From IDESG Wiki
Jump to navigation Jump to search

Full Title

The cost of providing assurance of a person's identity online is growing as more people are demanding more control.

Context

  • Over the years attacks against user's online identifiers has become the industry known as Identity Theft.
  • Increasing awareness of the need for privacy online has lead to mandates for all holders of user private information to be more careful of what the user now considers to be high value information about themselves.
  • Enterprises with valuable secrets or access to dangerous materials have solved access problems by focusing on the people that have access to valuable or dangerous assets. They assure that the people and known and act swiftly when breaches are uncovered.
  • The same techniques have been offered to the general public, but none of the industrial grade security measures have been acceptable to the population. The one exception has been the introduction of chip cards to financial transactions and even that has been resisted for years.
  • Identity chip cards are slowly spreading in some nations and for passports and other travel documents, but adoption has recently slowed.
  • Nothing that has been accomplished to date has improved the perception or the reality of a user's sense of privacy.

Problems

  • Privacy was first considered a legal right in a law journal article titled “The Right to Privacy” by Warren and Brandeis 1890 that defined the right to be let alone.
  • Legislation in the past dozen years has lead to an explosion of court cases based primarily on compensating victims for breaches to those laws.
  • Now most "privacy experts" are lawyers and most emphasis has been on adjudicating or avoiding tort actions.
  • Two areas of daily life have government mandated requirements for identity assurance:
  1. Financial, where anti-money laundering laws have lead banks to impose "know your customer" (KYC) policies.
  2. Medical, where a mismatch between patients and the medical records have lead to injury and death.

Solutions

  • Government standards for identity assurance started with their own internal security needs and only lately spread to consumers.
    • The result has been to fall back to collecting user attributes until some threshold had been met.
    • While federation between enterprises has allows assurance of employees to be leveraged across enterprises, that has not been applied in the consumer space.
    • In all cases, collecting and verifying significant user attributes is an expensive proposition for a commercial transaction.
  • The OpenID Connect for Identity Assurance 1.0 has mechanised the collection of user attributes to meet the needs of the European Banks. It lowers the cost to the banks, but does nothing to reduce the cost to the user's privacy. If the collection of data is meet the requirements of other EU laws, like anti-money laundering, that collection is exempted from GDPR regulations.
  • A different approach is to share the costs of data collection and verification by reuse of the identify proofing process among all participating relying parties. This typically calls for some sort of federation to create terms an conditions of participation. In cases like medical such federation is mandated for other reasons, and so is a more natural and privacy preserving process that having each relying party perform their own identity assurance process. A Distributed Assurance Specification is under development at Kantara to realizes such an approach.

References