Catalyst Conference 2008


March 10, 2008

Short and to the point, if not so sweet

Blogger: Kevin Kampman

In the Friday, February 29, 2008 USA Today article “Prognosis is bright for Google’s health records plan” identifying Google’s intent to build an online medical records database, some controversy about the privacy and potential misuse of patient records was cited. In particular, the potential for misuse of these records for background or hiring purposes was identified. The statement “But those are human actions. They have nothing to do with the technology.” was attributed to Dr. Molly Coye, Google advisor and CEO of non-profit HealthTech.

This is similar to, if not the same perspective as “Guns don’t kill, people do”. Thankfully, there is plenty of gun safety education, regulation and control as to who shouldn’t or should have weapons. Even so, madmen and crazies kill. People still suffer and die, and their families and society pay. Manufacturers and retailers profit.

With health records available in a readily accessible format and medium, the opportunity for compromise is not just a people problem. If a prospective employer or business entity wants to vet your records, you may be denied employment or access to some service just by refusing to grant them access. The collection and analysis of health information is big business, and access to the statistics may be just as detrimental as access to your records alone. This situation must be balanced by industry accountability and regulation, as well as explicit liabilities borne by those who misappropriate or use the information for illegitimate purposes. As recent financial compromises have shown, there is also a serious risk of insider misuse of private information.

You might think this comparison is off the mark, but the privacy and control of health care records is a critical issue, and turning over control of personal information to a profit-seeking entity without significant, if not bulletproof, individual protections must not be taken lightly. Wasn’t HIPAA supposed to accomplish this? I think it’s time for a real sanity check of what we are considering here. Before the bullet leaves the barrel…

March 06, 2008

Microsoft acquires Credentica

Blogger: Mark Diodati

Today, Microsoft announced its acquisition of Credentica, a consumer authentication technology company. Like Arcot and TriCipher, its executive team holds patents on some interesting cryptographic techniques, which are embedded in the company’s U-Prove technology. The technology relies heavily upon PKI. If you are interested in the protocols, you can retrieve the “U-Prove SDK Overview” and a corresponding PowerPoint presentation here.

I have yet to speak to Microsoft and Credentica (this is likely to happen in the next few days), and my understanding will likely change once that happens. Within the U-Prove environment, there are three parties: the issuer (AKA credential or identity provider), the user, and the verifier (AKA the service provider). After the user authenticates successfully, the issuer provides the user with a credential – the ID Token. The ID Token can be short- or long-lived. The ID Token is signed by the issuer (similar to an X.509 certificate), and the user subsequently presents the ID Token to the verifier.

The user authenticates to the verifier when presenting the ID Token by sending along a nonce (that is, a random number) that is encrypted with the user’s private key.  The verifier can validate that the ID Token originated from the user in possession of the private key (yes, Virginia, the U-Prove technology appears to require that the user possess a private key). 

One important distinction exists when compared to X.509 authentication.  Before presenting the ID Token, the user can control which attributes in the ID Token are revealed to the verifier, which provides some privacy controls. 

The technology also appears to provide man-in-the-middle mitigation, digital signature capabilities, and supports stronger authentication (e.g., a smart card) by the user to the issuer.

The U-Prove protocol also appears to work nicely with SAML, while providing the user control over information presented to the verifier (AKA service provider).  The issuer (AKA identity provider) provides the ID Token credential to the user.  The ID Token contains user attributes, which are signed by the issuer.  The user has control over which attributes are disclosed to the verifier because the user builds the SAML assertion from the desired attributes.  The user signs the assertion, and then presents it to the verifier.
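To make the three-party flow described above concrete, here is an added Go example. It is not Credentica’s, Microsoft’s, or the U-Prove SDK’s code, and it does not use U-Prove’s own (patented) cryptography; it models the pieces the post describes with standard building blocks that are my substitutions: the issuer signs an ID Token (Ed25519) that binds the user’s public key to one salted SHA-256 commitment per attribute; the user reveals only the attributes it chooses by sending their openings; and the verifier’s nonce is answered with a signature under the user’s private key (the post describes this as encryption with the private key), bound to the token so the response cannot be reused with another token or another nonce. The type and function names, the token layout, and the sample attributes are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// IDToken is what the issuer signs: the user's public key plus a salted
// commitment SHA-256(name, value, salt) for every attribute, keyed by name.
type IDToken struct {
	UserPub     ed25519.PublicKey
	Commitments map[string][32]byte
}

// Encode is the canonical byte string the issuer signs and the verifier re-derives.
func (t IDToken) Encode() []byte {
	names := make([]string, 0, len(t.Commitments))
	for n := range t.Commitments {
		names = append(names, n)
	}
	sort.Strings(names) // map iteration order is random; fix a canonical order
	s := fmt.Sprintf("pub=%x\n", t.UserPub)
	for _, n := range names {
		s += fmt.Sprintf("%s=%x\n", n, t.Commitments[n]) // names are assumed free of '=' and newlines
	}
	return []byte(s)
}

// Opening is what the user keeps so that a single attribute can be revealed later.
type Opening struct {
	Value string
	Salt  []byte
}

func commit(name, value string, salt []byte) [32]byte {
	return sha256.Sum256(append([]byte(name+"\x00"+value+"\x00"), salt...))
}

func RandBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(RandBytes(ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue runs after the issuer has authenticated the user: it binds the user's key to
// committed attributes and signs the token; the user receives the token and the openings.
func Issue(issuerPriv ed25519.PrivateKey, userPub ed25519.PublicKey, attrs map[string]string) (IDToken, []byte, map[string]Opening) {
	tok := IDToken{UserPub: userPub, Commitments: map[string][32]byte{}}
	openings := map[string]Opening{}
	for name, value := range attrs {
		salt := RandBytes(16)
		tok.Commitments[name] = commit(name, value, salt)
		openings[name] = Opening{Value: value, Salt: salt}
	}
	return tok, ed25519.Sign(issuerPriv, tok.Encode()), openings
}

// Presentation: token, issuer signature, openings only for the attributes the user chose
// to reveal, and the user's signature over (nonce || token) proving key possession.
type Presentation struct {
	Token     IDToken
	IssuerSig []byte
	Disclosed map[string]Opening
	NonceSig  []byte
}

func Present(userPriv ed25519.PrivateKey, tok IDToken, issuerSig []byte, openings map[string]Opening, reveal []string, nonce []byte) Presentation {
	p := Presentation{Token: tok, IssuerSig: issuerSig, Disclosed: map[string]Opening{}}
	for _, n := range reveal {
		p.Disclosed[n] = openings[n]
	}
	p.NonceSig = ed25519.Sign(userPriv, append(append([]byte{}, nonce...), tok.Encode()...))
	return p
}

// Verify checks the issuer's signature, possession of the token's key for this nonce, and
// that each revealed value opens its commitment; only the disclosed attributes are returned.
func Verify(issuerPub ed25519.PublicKey, p Presentation, nonce []byte) (map[string]string, error) {
	if len(p.Token.UserPub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key length
		return nil, fmt.Errorf("malformed token: user key length %d", len(p.Token.UserPub))
	}
	msg := append(append([]byte{}, nonce...), p.Token.Encode()...)
	if !ed25519.Verify(issuerPub, p.Token.Encode(), p.IssuerSig) || !ed25519.Verify(p.Token.UserPub, msg, p.NonceSig) {
		return nil, fmt.Errorf("issuer signature or proof of key possession invalid")
	}
	out := map[string]string{}
	for name, o := range p.Disclosed {
		if d, ok := p.Token.Commitments[name]; !ok || d != commit(name, o.Value, o.Salt) {
			return nil, fmt.Errorf("attribute %q does not open the signed commitment", name)
		}
		out[name] = o.Value
	}
	return out, nil
}
```

A typical run issues a token over constructed attributes such as `name`, `age_over_21` and `member_id`, presents only `age_over_21` with a fresh nonce, and gets back exactly that one attribute from Verify. A revealed value that does not open its commitment, a presentation replayed under a different nonce, a presenter who does not hold the token’s private key, or a token carrying a malformed key all yield an error rather than a result; the explicit key-length check is there because the standard library’s ed25519.Verify panics rather than returning false on a wrong-sized key.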

Why did Microsoft acquire Credentica? The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace managed cards (i.e., those cards issued by an identity provider) that is consistent with Kim’s Laws of Identity. The authentication mechanism we’re talking about is between the identity provider (AKA issuer in Credentica-speak) and the user, not the user and the service provider (AKA verifier in Credentica-speak). My colleague Bob Blakley is our resident CardSpace expert; I learned most of what I know about the technology from him. If you are a Burton Group IdPS customer and are interested in CardSpace, his recent document “The Information Card Landscape” is a good read.
 
The aforementioned Credentica white paper (published in April of 2007) references these benefits.

“ID Tokens are the only practical technology by means of which the Windows CardSpace identity selector can fully comply with the “laws of identity” defined by its chief architect, Kim Cameron. Cameron has confirmed that standard digital certificates break the fourth law of identity. In addition, the second and third laws of identity cannot be fully met using standard certificate technology.”

It appears that the Credentica technology is more protocol than product, which is beneficial to Microsoft.  Microsoft will have fewer pre-acquisition customers to support.  Also, Microsoft should have an easier time integrating the U-Prove technology into CardSpace.  Microsoft appears to have at least one integration challenge because the U-Prove SDK appears to be Java-based, and requires the Java runtime environment on the user’s client.

February 25, 2008

It’s more than privacy policy and security policies

Blogger: Gerry Gebel

Over at the Privacy Law blog, I found a post about the troubles Life is good finds itself in because it “collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies.” This incident reminds me of what I've said about web site privacy policies for a long time. Typical privacy policies have two sections: the first section expresses the sincere concern of the internet property when handling your personal data and they share at least some of their intended uses of your data. The second part of the policy then goes on to say exactly how the internet property is going to violate your privacy by evaluating traffic patterns, sharing data with partners, etc.

Of course, as long as we insist on overloading simple e-commerce transactions with personal data, then bad things will happen. No amount of encryption or other security practices can provide the internet property with 100% assurance that the sensitive data it is now custodian for will never be abused or fall into the wrong hands. A regular litany of data spills reminds us of the increased risk a merchant takes on when it must manage excess personal data. The data model currently used for e-commerce (and even in bricks and mortar sites) is straining under pressure from all sides. Visa and others behind the PCI standard are enforcing higher fines for non-compliance, as noted by Mark Mac Auly. The National Retail Federation, an industry organization, pushed back in an open letter to Visa and MasterCard. In dispute are the rules of what credit card data elements should be stored and for how long, among other issues. One of the primary purposes for storing credit card and customer data is to settle potential transaction disputes. The situation illustrates the tension between credit card companies, banks, and merchants regarding the collection, use, and archiving of transaction data.

My colleague, Bob Blakley, has blogged here about the identity oracle concept - a potential ingredient to a solution for today's personal data collection maladies. He also commented on the Life is good incident here. Bob's emphasis on the importance of intermediaries and agents for transactions makes a lot of sense. Consumers register with trusted agents, whose business depends on the protection of sensitive and private information. Retailers benefit if they can rely on intermediaries to reduce transaction risk - the retailer only receives payment approval codes for example, instead of credit card number, expiration date, CVV code, etc. The equation works if the cost of the intermediary services is less than what the merchant could lose as a result of a data spill plus the cost spent in implementing security controls. Sounds like there is a business model in there somewhere.

Getting back to my earlier point - it's not the privacy policy that is at issue. It's the data collection policy that must be examined - especially as it relates to transaction metadata. Now is the time to think about new data models that are better suited to 21st century commerce.

October 15, 2007

Identity - Lost in the Standards

Blogger: Kevin Kampman

Last year, there was an initiative launched by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB) to examine ways to prevent identity theft. Last month, I attended a plenary session of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) to learn how this effort was progressing. I was also interested to learn how the needs of consumers are being addressed.

The goal of the IDSP is to develop an inventory of existing standards related to identity. This work has been divided into three areas: Issuance, Exchange, and Maintenance and Management. The attendees came from a variety of communities, including government and standards bodies, financial and credit services, professional services, the software industry, and others.

The inventory of standards and regulations related to identity is impressive. Without diving into details, there are many that we encounter regularly, such as HIPAA and GLB. Many others are more obscure and limited to a particular domain. One would think that with the extensive list of controls, identity would be well understood and articulated.

However, the devil is in the details. For example, some of the regulations, like REAL ID, are mired in political challenges between the state and federal governments. Others, like HSPD-12, are limited to the federal government.

Many identity issues live on the fringes, for example, where no birth certificate was issued, or when someone migrates to the US from another country. Particular vulnerability areas were also identified, such as the exploitation of children by parents or guardians, theft of military or elderly identities, assumption of identities from the deceased, and so on.

Other identity issues stare us directly in the face. I recently spoke with a business intelligence analyst on a cross-country flight. He was quite concerned about how information about our affinity, debit, and credit purchases are aggregated and sold to other parties for unrelated purposes, such as insurance eligibility. The implication is that if you buy a carton of cigarettes or a bottle of liquor, this information will be used without your knowledge to provide or deny coverage, or to identify the rate you’ll pay.

This exchange of so-called personal information may not be covered by privacy regulations and represents an ethical challenge that most people don’t consider, much less care about (until it is used to their disadvantage). Standards that force people to opt-in, rather than to opt-out of this information sharing are sorely lacking, as are the ethical guidelines about what information should be shared for what purpose.

The work being accomplished by the IDSP will go a long way towards exposing what is, and isn’t in place to regulate the use of identity information. The latter will most likely be exposed by unfortunate experiences, tested in the courts, and addressed by the state and federal governments. It would be a significant benefit to everyone if the efforts of the IDSP expose these gaps and inconsistencies and make mitigation recommendations to commercial and government interests.

May 22, 2007

Death of the Attribute

Blogger: Kevin Kampman

Last week, I received a request from one of our Burton Group consultants for help in identifying where data breaches had occurred. When he saw the list, his response was unprintable. In another comment about data breaches, University of Colorado student Carrie Roll indicates that exploitation of this information is a disaster in waiting: "If anybody thinks their information hasn't been stolen yet, then they're pretty naive. Your information is gone, and it's just a matter of time until someone decides to use it."

This dismal outlook is closer to the truth than we want to admit. Industry has played fast and loose with identity information, and now we are all paying the price. Using common identity information for trustworthy business transactions is becoming more and more difficult, since much of the information has either been compromised or is available for a price from identity aggregators. Just doing a phone number lookup on the Internet introduces you to sources of identity information that may know more about you than you know yourself (see “The End of Secrecy”). Not to mention the inconvenience and personal hardship that identity thefts create for those who have been compromised. Without identity attributes, we’ll soon find ourselves in a situation where interpersonal relationships are the only viable mechanism to assert that someone is who they say they are.

Businesses, educational institutions, and others have only themselves to thank for this morass. Early in my IT career (last century, enough said) I learned that Social Security numbers (SSN) weren’t unique and “not for identification” purposes. All you have to do is read the bottom of the card, which apparently, no one does. This issue is especially relevant for multi-national firms, since not every government has an identifier for their citizens. However, I quickly discovered that SSN was the common attribute for identity purposes in both North American commerce and education. So, on we went, blindly and full of faith that this would work forever. We didn’t realize that attributes were only protected to the extent that the systems that used them are secured. Although many attributes aren’t “private”, their publication or exposure lessens their value as a means to uniquely identify someone, or to assert their intent to enter into some form of relationship. 

Today, the security of individual attributes like SSN and even attributes in combination are increasingly suspect. Financial institutions are leveraging information that only the individual asserts to know (unverified in many cases) for challenge/response identification purposes. Their usefulness becomes less viable as they are used in more and more cases, and eventually subject to compromise. Since biometrics represent just another attribute, the chance that someone will compromise these is just as likely as any other information. Just a matter of time.

The pool of identity attributes is much like any other natural resource, something to be protected and preserved. As this pool diminishes, we’ll lament their passing and the perils and inconvenience their absence creates. The creation of new identity attributes will be costly, in terms of their integration with systems that consume them and the retrofitting of legacy applications. Not to mention the inconvenience to individuals. This makes the case for disciplined protection and handling of personal information, risk management, and the assumption of liability for those who disclose and misuse it (see Bob Blakley’s post on the identity oracle). It also makes the case for identity services, so that the information is handled in a more controlled and manageable environment. Otherwise, we’ll be counting on birthmarks and the word of our neighbors when it comes to identity assertions.