If private corporations are to issue identity credentials there will need to be some type of legislation passed spelling out the liability issues, says Tom Smedinghoff, a partner at the law firm of Wildman Harrold and chairman of the American Bar Association Task Force exploring the legal issues around identification.
Corporations will want to know what the liability will be if a credential is issued to an individual claiming to be someone else. This is a huge issue for organizations, and before anyone steps up to the plate to begin issuing credentials, legislation will have to be passed. “There is no case law addressing the liability of an identity provider,” Smedinghoff says.
Experience shows that liability for the consequences of misidentification in federated identity systems is intractable. Left to their own devices, federated identity players have to date been unable to craft their own liability arrangements. But I don't think that legislators will have an easier time, because the liability problems are more fundamental than most commentators and technologists realise.
The entire identity ecosystem paradigm (yes, paradigm) is premised on the intuition that when Alice has gone to all the trouble of establishing her identity with a bank or government agency or e-store, she should be able to leverage that identity so that other service providers can strike up a fresh relationship with her. But in practice, this dream is impossible to achieve without all sorts of constraints.
The trouble is that what we think of as Alice's "identity" is really a specific relationship that she has with a particular provider. The rules by which she is conventionally identified vary from provider to provider (because each has its own business needs). Establishing a common set of rules is one of the insurmountable challenges in federated id. Firstly, it is logically impossible to set rules for unforeseen applications and relying parties. And so federated "identities" come with fine print that constrains what applications a user is allowed to use their identity in (it's a lot like Big PKI all over again). This not only limits the usefulness of what we hoped would be universal identities, but it leads to a bigger practical problem. Once we agree on a set of uniform identification rules, sufficient for at least a nice big set of applications, it turns out that none of the existing "identity providers" will actually be following those rules already. They will all have to modify their registration procedures to align with the federation's rules. This is very costly; banks in particular don't readily change their KYC rules. There is great risk too in investing in these changes, for the business model for making money from federated identities is still unproven. And so Alice's extant "identity" is not in fact useful for very much at all beyond its original context. The starting intuition that Alice's existing identity is usable in other contexts is wrong. Utterly, fundamentally wrong.
Another way of looking at the problem, that leads to the same conclusion, is to consider how identity providers manage their risk. Currently, banks/agencies/stores issue "identities" to their customers as part of a relationship which is usually governed by explicit Ts&Cs. For instance, banking customers are usually forbidden from using their Internet banking OTP tokens to authenticate themselves to any other services (I have seen at least one Australian federated id scheme collapse because re-writing and re-executing these agreements is too hard). The good thing about the oft-derided identity silos is that they allow issuers to manage risk by tightly defining the context in which their customers use their "identities". When we try to break open the silos, and turn banks into "identity providers", we compromise their ability to manage their risk. The ultimate promise of federated identity is that the customer will be able to use their bank-issued identity in all manner of other applications, over which the bank has no control. This is a promise that banks are not able to keep, unless they put in place prohibitive fine print.
We need to be very careful about legislating in this arena. The reason why banks and other candidate identity issuers have found federation easier said than done is that circumscribing liability for misidentification in unforeseen applications is very very hard. In my view it might be logically impossible. Legislators will not be able to escape this logic.
Cheers,
Stephen Wilson, Lockstep, Australia.