Identity Assurance Costs

From IDESG Wiki
Jump to: navigation, search

Full Title

The cost of providing assurance of a person's identity online is growing as more people are demanding more control of their digital lives.

Value Proposition

The value of Identity Assurance is dependant primarily on the damage that can occur if mistakes are made.

  • National security has always been a leader in assuring the people are who they say they are for obvious reasons.
  • In Healthcare not only are lives lost, but the paperwork required for recovery when patient records are lost is very large.
  • In Finance the integrity of the money supply as well as the costs of illegal activity in drugs and stolen goods is huge.

For Healthcare and Finance, the costs of Identity Assurance are only a few dollars, but that is still large compared the the cost of maintaining a user database for marketing reasons, which is typically much less. So while the cost of assurance is substantially less that the value received, it is still a line item that accountants try to minimize.

Context

  • Over the years attacks against user's online identifiers has become the industry known as Identity Theft.
  • Increasing awareness of the need for privacy online has lead to mandates for all holders of user private information to be more careful of what the user now considers to be high value information about themselves.
  • Enterprises with valuable secrets or access to dangerous materials have solved access problems by focusing on the people that have access to valuable or dangerous assets. They assure that the people and known and act swiftly when breaches are uncovered.
  • The same techniques have been offered to the general public, but none of the industrial grade security measures have been acceptable to the population. The one exception has been the introduction of chip cards to financial transactions and even that has been resisted for years.
  • Identity chip cards are slowly spreading in some nations and for passports and other travel documents, but adoption has recently slowed.
  • Nothing that has been accomplished to date has improved the perception or the reality of a user's sense of privacy.

Problems

  • Privacy was first considered a legal right in a law journal article titled “The Right to Privacy” by Warren and Brandeis 1890 that defined the right to be let alone.
  • Legislation in the past dozen years has lead to an explosion of court cases based primarily on compensating victims for breaches to those laws.
  • Now most "privacy experts" are lawyers and most emphasis has been on adjudicating or avoiding tort actions.
  • Two areas of daily life have government mandated requirements for identity assurance:
  1. Financial, where anti-money laundering laws have lead banks to impose "know your customer" (KYC) policies.
  2. Medical, where a mismatch between patients and the medical records have led to injury and death.

Solutions

  • Government standards for identity assurance started with their own internal security needs and only lately spread to consumers.
    • The result has been to fall back to collecting user attributes until some threshold had been met.
    • While federation between enterprises has allows assurance of employees to be leveraged across enterprises, that has not been applied in the consumer space.
    • In all cases, collecting and verifying significant user attributes is an expensive proposition for a commercial transaction.
  • The OpenID Connect for Identity Assurance 1.0 has mechanised the collection of user attributes to meet the needs of the European Banks. It lowers the cost to the banks, but does nothing to reduce the cost to the user's privacy. If the collection of data is to meet the requirements of other EU laws, like anti-money laundering, that collection is exempted from GDPR regulations. Lawyers have already assembled to justify this approach.
  • A different approach is to share the costs of data collection and verification by reuse of the identity proofing process among all participating relying parties. This typically calls for some sort of federation to create terms and conditions of participation. In cases like medical such federation is mandated for other reasons, and so is a more natural and privacy preserving process that having each relying party perform their own identity assurance process. A Distributed Assurance Specification is under development at Kantara to realize such an approach.

References

  • An article from the US National Institute of Health called Medical Error Prevention reported that medical errors cost approximately $20 billion a year. It is not clear how much of that is attributable to identification problems and patient matching, but several identification problems are called out as a fix that would be effective in cost reduction.
  • In the Economics of Identity the OIX in the UK estimated cost of Identity Assurance for companies and consumers at over $4 Billion per year in the UK.