 |
Questions? Call 888-624-8373 |
|
PDF CHAPTERS
your price: $3.40
select
|
|
|
|
|
|
|
|
|
Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 138
6
Authentication, Privacy, and the
Roles of Government
Government institutions play multiple roles in the area where au-
thentication technologies intersect with privacy concerns. Not
only do all levels of government (state, federal, and local) use
authentication systems, but the technologies are employed within and
across government institutions at each level as well. Furthermore, gov-
ernment plays multiple roles in the authentication process. As a relying
party, government uses authentication technologies for electronic gov-
ernment applications and for physical and systems security applications.
Given the size of its workforce and its user base, government is a signifi-
cant user of these technologies. The government's role in the authentica-
tion process (as regulator, issuer, and relying party) is important, since so
many forms of authentication or identification rely on some form of gov-
ernment-issued identity or identifier.
It is not surprising, therefore, that government organizations have
conflicting and supporting roles in authentication. As an example, the
Social Security Administration (SSA) fills all three roles simultaneously.
The Social Security number (SSN) was designed by SSA for its own use in
recording earnings. For its intended purpose, in conjunction with other
SSA business processes and controls, the SSN's security level meets the
SSA's requirements. In this case, the SSA is both the issuing and the
relying party, so the incentives for risk mitigation are properly aligned.
When the parties that issue and rely on an identifier are different, the
incentives for risk mitigation are not necessarily aligned. For instance,
138
OCR for page 139
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
139
secondary uses of the SSN have proliferated, beginning with their use by
the Eternal Revenue Service (IRS) and state taxation agencies, and now
extending to many private sector organizations such as credit reporting
agencies. There is an inherent conflict between me higher confidence levels
desired by me relying party and the extra cost imposed on the issuer to
meet this confidence level. For example, it is probably neither reasonable
nor cost-effective for me SSA to change its SSN issuance and maintenance
processes In order to help me private sector manage business risk around
creditworthiness just because most credit bureaus use SSNs as unique iden-
tifiers for credit history. An examination of the various roles that govern-
ment fills In authentication processes and privacy protection, anchored by
specific examples, helps to explain this complexity.
The issuance of IDs illustrates how different levels of government
interact with the public through specific programs for sometimes unique
reasons. The principle of federalism the division (and in some cases
overlap) of government responsibilities among federal, state, and local
government,] designed into the U.S. constitutional form of government-
helps to explain why it is important not to view the government role in
any area as monolithic.
By design, as protected by public law and policy, government activi-
ties are assumed to be fair, impartial, and immune from commercial ma-
nipulation.2 This legal and policy context for the government manage-
ment of information and related technology makes government use of
these technologies a special case and certainly different from their use by
the private sector. Individuals who are citizens of or permanent residents
in the United States also have a unique relationship with government
agencies. Sometimes by choice, and in many instances by compulsion,
citizens and residents are both participants in governance and users of
government goods and services. For instance, citizens may choose to
comment on proposed changes in information-reporting requirements
1One insightful definition of federalism and its complexity comes from Woodrow Wil-
son: "To make town, city, county, state, and federal government live with a like strength
and an equally assured healthfulness, keeping each unquestionably its own master and yet
making all interdependent and cooperative, combining independence and mutual helpful-
ness." See Woodrow Wilson, "The Study of Administration," Political Science Quarterly
2Qune 1887~:197-222, quoted in Dell S. Wright, "A Century of Intergovernmental Adminis-
trative State: Wilson's Federalism, New Deal Intergovernmental Relations, and Contempo-
rary Intergovernmental Management," A Centennial History of the American Administrative
State, Ralph Clark Chandler, ed. New York, N.Y., The Free Press, 1987, p. 220.
2Charles Goodsell. The Case for Bureaucracy, 3rd ed. New York, N.Y., Seven Bridges
Press, 1994.
OCR for page 140
40
WHO GOES THERE?
such as the questions on census forms. Alternatively, some relationships
with government are straightforward and contractual, just as with a busi-
ness. For example, when it is time to repay student loans, beneficiaries
have a legal obligation to return the money that they borrowed from the
government with interest.
Unlike private sector organizations, though, public agencies cannot
choose their customers. Public law and regulation instead of business
plans dictate whether an individual is a beneficiary or a regulated entity.
While private sector organizations may only want an individual's busi-
ness under certain conditions (for example, one can only get a mortgage
or a credit card upon meeting certain eligibility criteria), most citizens
interact with government organizations from cradle to grave. From the
recording of birth to the issuance of death certificates and annually in
between for some government programs citizens' interaction with gov-
ernment is virtually inescapable.
Finding 6.1: Many agencies at different levels of government
have multiple, and sometimes conflicting, roles in electronic
authentication. They can be regulators of private sector behav-
ior, issuers of identity documents or identifiers, and also rely-
ing parties for service delivery.
REGULATOR OF PRIVATE SECTOR AND PUBLIC AGENCY
BEHAVIORS AND PROCESSES
The government acts as a regulator of multiple sectors, including
health and medical services, financial services, and education. For this
analysis, these regulatory activities are put in three groups: (1) govern-
ment-wide law and policy that are focused internally on the activities of
federal agencies in a particular domain (for example, privacy, electronic
government, or computer security); (2) program- or agency-specific law
and policy that apply to specific types of transactions but may cut across
a number of government agency and private sector organization bound-
aries for transactions such as federally funded health care or higher edu-
cation; and (3) public law or policy intended to regulate the information
management activities of the private sector broadly or more specifically
in certain areas such as financial services. This section summarizes some
of this public law and government policy and concludes by identifying
some pending legislation that is relevant to privacy and authentication.
OCR for page 141
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
Government-wide Law and Policy
Privacy Act and Computer Matching Act
141
A recent Government Accounting Office (GAO) reports refers to the
Privacy Act of 1974 (5 U.S.C. Sec. 552a)4 as the "primary [U.S.] law regu-
lating the federal government's collection and maintenance of personal
information." Generally speaking, the Privacy Act aimed at balancing the
federal government's need to maintain information about individuals
with the rights of individuals to be protected against unwanted invasions
of their privacy. The act attempts to regulate the collection, maintenance,
use, and dissemination of personal information by federal government
agencies. As one source summarizes, the act provides privacy protection
in three ways:
1. It sustains some traditional major privacy principles. For example,
an agency shall maintain no record describing how any individual exer-
cises rights guaranteed by the First Amendment unless expressly autho-
rized by statute or by the individual about whom the record is main-
tained or unless pertinent to and within the scope of an authorized law
enforcement activity.
2. It provides an individual who is a citizen of the United States, or an
alien lawfully admitted for permanent residence, with access and emen-
dation arrangements for records maintained on him or her by most, but
not all, federal agencies. General exemptions in this regard are provided
for systems of records maintained by the Central Intelligence Agency and
federal criminal law enforcement agencies.
3. The act embodies a number of principles of fair information prac-
tice. For example, it sets certain conditions concerning the disclosure of
personally identifiable information; prescribes requirements for the ac-
counting of certain disclosures of such information; requires agencies to
"collect information to the greatest extent practicable directly from the
subject individual when the information may result in adverse determi-
nations about an individual's rights, benefits, and privileges under Fed-
eral programs"; requires agencies to specify their authority and purposes
for collecting personally identifiable information from an individual; re-
quires agencies to "maintain all records which are used by the agency in
3Government Accounting Office ~GAO'. Internet Privacy: Agencies' Efforts to Implement
OMB's Privacy Policy [GGD-00-lgl]. Washington, D.C., GAO, September 2000. Available
online at .
4The full text of the act itself is available online at .
OCR for page 142
42
WHO GOES THERE?
making any determination about any individual with such accuracy, rel-
evance, timeliness, and completeness as is reasonably necessary to assure
fairness to Me individual in Me determination"; and provides civil and
criminal enforcement arrangements.5
However, passed in great haste during the final week of Me 93rd
Congress, Me "Act's imprecise language, limited legislative history, and
somewhat outdated regulatory guidelines have rendered it a difficult stat-
ute to decipher and apply."6
One major complicating factor in the implementation and regulation
of Privacy Act provisions has been the "lack of specific mechanisms for
oversight."7 Indeed, some have cited the absence of a central agency for
Me oversight and coordination of the nation's privacy matters as a major
reason for the ineffectiveness of American privacy laws in general.8 In
comparison, several other nations have dedicated whole departments and
appointed high-level officials to oversee Weir privacy matters.
The Computer Matching and Privacy Protection Act of 1988 (PL 100-
503) amended Me Privacy Act of 1974 by adding new provisions regulat-
ing the federal government's use of computer matching the computer-
ized comparison of information about individuals, usually for Me purpose
of determining the eligibility of those individuals for benefits. The main
provisions of the act include the following:
· Give individuals an opportunity to receive notice of computer
matching and to contest information before having a benefit denied or
terminated;
· Require that federal agencies engaged in matching activities estab-
lish data protection boards to oversee matching activities;
· Require federal agencies to verify the findings of computer match-
5Text for these three items is adapted from Harold c. Relyea, The Privacy Act: Emerging
Issues and Related Legislation, Congressional Research service tCRS' Report RL30824, Wash-
ington, D.C., CRS, Library of congress, September 2000.
6Department of Justice. "Overview of the Privacy Act of 1974~, Introductions, 2000.
Available online at .
7Charles R. Booz. "Electronic Records and the Right to Privacy: At the core. Informa-
tion Management Journal 35 `3~: 18.
8see David H. Flaherty, "The Need for an American Privacy Protection commission,
Government Information Quarterly 1~3~1984~:235-258. In later work, he also observes that
design of the system and policy choices are crucial to privacy protection. see, for example,
'~Privacy Impact Assessments: An Essential Tool For Data Protection," presentation to a
plenary session ''New Technologies, security and Freedom,, at the 22nd Annual Meeting of
Privacy and Data Protection Officials held in Venice, Italy, September 27-30, 2000. Available
online at .
OCR for page 143
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
143
ing programs before suspending, denying, or otherwise "adversely" af-
fecting an individual's benefits; and
· Require agencies to negotiate written agreements with other agen-
cies participating in the matching programs.
An amendment to the act that was passed in 1990 somewhat altered
the original act's due process provisions. Specifically, the amendment
changed some of the details regarding subject notification of adverse find-
ings and gave data protection boards the ability to waive independent
verification of information under certain circumstances.
In December 2000, the Office of Management and Budget (OMB) is-
sued a memorandum reminding federal agencies of the act's require-
ments.9 lo According to the memorandum, as "government increasingly
moves to electronic collection and dissemination of data, under the Gov-
ernment Paperwork Elimination Act and other programs, opportunities
to share data across agencies will likely increase." Therefore, "agencies
must pay close attention to handling responsibly their own data and the
data they share with or receive from other agencies."
Computer Security Act and Recent Amendments
The Computer Security Act of 1987 (PL 100-235) addressed the im-
portance of ensuring and improving the security and privacy of sensitive
information in federal computer systems. The act required that the Na-
tional Institute of Standards and Technology (formerly the National Bu-
reau of Standards) develop standards and guidelines for computer sys-
tems to control loss and unauthorized modification or disclosure of
sensitive information and to prevent computer-related fraud and misuse.
The act also required that operators of federal computer systems, includ-
ing both federal agencies and their contractors, establish security plans.ll
Additionally, the law stipulated that agency plans for protecting sensitive
information and systems be cost-effective, and most important, it estab-
lished a standard for risk mitigation. Specifically, the law says that fed-
eral agencies must "establish a plan for the security and privacy of each
Federal computer system identified by that agency pursuant to subsec-
tion (a) that is commensurate with the risk and magnitude or the harm
9Office of Management and Budget (OMB). "Guidance on Inter-Agency Sharing of Per-
sonal Data Protecting Personal Privacy," M-01-05, December 20. Available online at
.
This and related activities at OMB were part of the context that led to this study.
For the full text of the act, see .
OCR for page 144
44
WHO GOES THERE?
resulting from the loss, misuse, or unauthorized access to or modification
of the information contained in such system."
Government Paperwork Elimination Act
Part of the impetus for federal agencies to move quickly toward elec-
tronic government (and therefore authentication, to an extent) is public
law. Enacted in 1998, the Government Paperwork Elimination Act
(GPEA)12 both requires federal agencies to move from paper-based to
electronic transactions with the public and provides some of the enablers
necessary to make such a transition. It also amplifies federal privacy
protections regarding sensitive data collected during the electronic au-
thentication process.
Following on the tradition of the Paperwork Reduction Act (PRA)13
of 1995, one of the goals of GPEA is to minimize the burden imposed on
the public by federal paperwork requirements. More specifically, though,
the goal of both the PRA and GPEA is for federal agencies to minimize the
information-collection burden on the public, regardless of whether the
collection instrument is a paper form, an electronic transaction, or a phone
survey.l4 GPEA recognizes the benefits to both federal agencies and the
public of moving from paper-based to electronic transactions, including
reduced error rates, lower processing costs, and improved customer satis-
faction. As a result, GPEA required agencies by the end of Fiscal Year
2003 to provide for the electronic maintenance, submission, or transaction
of information as a substitute for paper where practicable. Additionally,
the law stipulates that agencies use and accept electronic signatures in
this process.
GPEA goes so far as to define the term "electronic signature" and to
legitimate the legal force of such signatures in the scope of public interac-
tions with federal agencies.l5 In doing so, federal law and policy help to
clear up what has historically been the subject of some debate among
federal agencies about what is legally sufficient to "sign" a transaction
with a member of the public. Section 1709~1) of GPEA reads:
The term "electronic signature" means a method of signing an electronic
message that (A) identifies and authenticates a particular person as the
Government Paperwork Elimination Act of 1998 (PL 105-277, Div. C, tit XVII).
Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35~.
14For background on the goals of GPEA, see Senate Report 105-355, and for background
on the PRA and GPEA, see OMB, "Procedures and Guidance; Implementation of the
GPEA," Federal Register, May 2, 2000.
15For more on electronic signatures, see the discussion of the Electronic Signatures in
Global and National Commerce Act (E-SIGN) of 2000 later in this chapter.
OCR for page 145
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
source of the electronic message; and (B) indicates such person's ap-
proval of the information contained in the electronic message.
145
It is important to note as well what the definition does not do, which
is to specify the technologies or policies that an agency might use to
comply with this definition. The OMB implementation guidance to fed-
eral agencies cites examples of appropriate technologies shared secrets
such as PINs and passwords, digitized signatures or biometrics such as
fingerprints, and cryptographic digital signatures such as those used in
PKIs.l6 The OMB guidance does, though, suggest an analytical frame-
work for an agency to use to help determine the risk inherent in the
transaction it hopes to automate and which authentication technology
might most appropriately mitigate that risk.
GPEA also cleared up what might otherwise have been a contentious
debate among federal agency general counsel offices throughout Wash-
ington, D.C., by addressing directly the enforceability of electronic signa-
tures. For transactions involving electronic records submitted or main-
tained consistent with the policy enabled by GPEA and using electronic
signatures in accordance with the same policy, neither the electronic
record nor the signature is to be denied legal effect just because it is
electronic instead of paper. Both Congress and the OMB state that the
intent is to prevent agencies or the public from reverting to paper instead
of electronic transactions and signatures because of concerns that any
subsequent prosecution in a benefits fraud case, for instance might be
thrown out of court.
One other provision of the law pertinent to the topic of this study
relates to the protection of information collected in the course of provid-
ing electronic signatures services. Consistent with the fair information
practices (described in Chapter 3 of this report) and the Privacy Act,
GPEA requires that information gathered from the public to facilitate
electronic signatures services be disclosed only for that purpose.
Agency- or Program-Specific Law and Policies
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) of 1974 (20
U.S.C. § 1232g; 34 CFR Part 99) is a federal law designed to protect the
privacy of a student's education records. The law applies to all schools
that receive funds under an applicable program of the U.S. Department of
16See the Web site .
OCR for page 146
46
WHO GOES THERE?
Education. FERPA gives parents certain rights with respect to their
children's education records (for example, the right to inspect and review
all of the student's education records maintained by the school and the
right to request that a school correct records believed to be inaccurate or
misleading). These rights transfer to the student, or former student, who
has reached the age of 18 or is attending any school beyond the high
school level.
Under the law, schools must also have written permission from the
parent or eligible student before releasing any information from a
student's record. Schools may disclose, with notification, directory-type
information, such as a student's name, address, telephone number, date
and place of birth, and so on.l7 As schools move toward authentication
technologies such as PKI, issues arise as to how FERPA applies.l8
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA),l9
or PL 104-191, was passed by Congress and became law in 1996. Its
purpose was, among other things, to improve the continuity of health
insurance coverage and the efficiency in health care delivery by mandat-
ing standards for electronic data interchanges and to protect the confiden-
tiality and security of health information. Title I of HIPAA deals with
health insurance access, portability, and renewability (for example, when
a worker loses or changes his or her job), while Title II of the act contains
what are referred to as the act's administrative simplification provisions.
These provisions fall roughly into three categories: transactions and code
set standards,20 privacy standard,21 and security standard.22 The privacy
standard, along with the security standard, provides rules for legal con-
trols over patients' medical records.
17The full text of the act is available online at .
18EDUCAUSE, an organization that promotes information technology in higher educa-
tion, has looked at this and related issues in its initiative PKI for Networked Higher Educa-
tion. See the Web site for more in-
formation.
19The full text of the act is available online at .
20Health Insurance Reform: Standards for Electronic Transactions. 45 CFR Parts 160 and
162. Federal Register: August 17, 2000 (Volume 65, Number 160), pp. 50312-50372.
21Standards for Privacy of Individually Identifiable Health Information. 45 CFR Parts
160 through 164. Federal Register: December 28, 2000 (Volume 65, Number 250), pp. 82461-
82510.
22Security and Electronic Signature Standards: Proposed Rule. 45 CFR Part 142. Federal
Register: August 12,1998 (Volume 63, Number 155), pp. 4324143280.
OCR for page 147
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
147
The process for creating these standards, or rules, has been fairly
complicated. Indeed, according to the Department of Health and Human
Services (HHS), the process is a "deliberate [one] designed to achieve
consensus within HHS and across other Federal departments."23 How-
ever, in general, once a proposed rule has made its way through several
federal groups (such as the HHS Data Council's Committee on Health
Data Standards, advisers to the secretary of HHS, and the OMB), the
proposal is published and comments from the public are solicited. These
comments, which are also open to public view, are then "analyzed and
considered in the development of the final rules."24
HIPAA is aimed at all organizations that store, process, or transmit
electronic health care information through which an individual might be
identified. Accordingly, the act applies to virtually all health care organi-
zations, including among others health plans (insurers), health care
clearinghouses, health care providers (including health maintenance or-
ganizations, hospitals, clinics, physician group practices, and single-phy-
sician offices), billing agencies, and universities.
HIPAA also provides for serious civil and criminal penalties for fail-
ure to comply with the rules. For example, the penalties include fines of
up to $25,000 for multiple violations of the same rule in one year, as well
as fines of up to $250,000 and up to 10 years' imprisonment for knowingly
misusing individually identifiable health information.
The privacy rule formally defines "protected health information,"
which includes individual patient information such as name, Social Se-
curity number, address, and so on; and clinical information such as
disease, treatment, drugs, test results, and so on. It permits disclosure
of this information for necessary treatment, payment, and operations
(TPO) functions. For all other uses, especially for fund-raising and mar-
keting functions, explicit authorization from the patient is required.
(There are exceptions, such as for military patients and for clinical re-
search, which is largely governed by the informed consent rule.) If
information is provided to an organization not covered by HIPAA for
TPO functions (such as a bill collection agency), the rule requires ex-
plicit business associate (and possibly chain of trust) agreements that
make the recipients responsible for HIPAA-specified privacy and secu-
rity rules.
The original privacy rule issued in December 2000 required collecting
and tracking of a consent form signed by all patients that explained the
privacy practices of the institution providing care. Subsequently, a techni-
23From the Web site .
24Ibid.
OCR for page 148
48
WHO GOES THERE?
cat correction proposed in lanuary 200125 removed the consent form re-
quirement and replaced it with a privacy notice that does not require a
patient's signature. Several basic rights for patients are provided in the
privacy rule: the right to access their records, the right to emend those
records, and the right to see what disclosures of their information have
been made. Institutions are required to employ a privacy officer, who
provides services related to the privacy rights of patients.
Fundamental to the privacy rule are the "minimum necessary" and
"need to know" principles. Based on these principles, the rule requires
institutions to develop and implement policies and procedures to define
formal role-based or user-based access authorization rules, and the secu-
rity rule requires assurance that these policies and procedures are being
followed. Additionally, a common and uniform sanctions policy is re-
quired for addressing privacy and security policy violations. Patient pri-
vacy has always been important in care institutions; the HIPAA privacy
rule formalizes the concept in a legal framework with significant penal-
ties for noncompliance.
There are several complexities in meeting HIPAA regulations. If in-
formation-access rules are incorrectly defined, the care process could be
adversely affected, an obviously unacceptable trade-off. The roles of care
providers in an organization are fluid: nurses working in shifts or filling
in, on-call consultants rotating on a weekly basis, medical students on
monthly rotations, multiple physicians in consulting or specialty roles,
and so on. Practically, it is very difficult to assign roles to a fine access
granularity and to implement such a system in mostly vendor-supported
and heterogeneous clinical application environments without raising the
risks to proper health care.
Managing authorizations and tracking privacy notices are operational
changes for institutions, but centrally tracking all disclosures for review
by the patient if requested is a difficult and costly problem in large insti-
tutions. In the context of an academic medical center, for example, HIPAA
remains vague in addressing the matter of information collected for and
by clinical trial and other kinds of research. Open questions about educa-
tional rounds and HIPAA were addressed in the latest rule making, and
there are other questions that may be clarified, but only later. The privacy
rule was required to be adopted by April 14, 2003, but it is likely that there
will be a gradual culture change in care environments toward better pri-
vacy protection.
25Standards for Privacy of Individually Identifiable Health Information; Proposed Rule.
45 CFR Parts 160 through 164. Federal Register: March 27, 2002 (Volume 67, Number 59),
pp. 14775-14815.
OCR for page 168
68
WHO GOES THERE?
ity) are necessarily relative: They can only be as trustworthy (in the best
case) as something else. The hope is that this trust chain is firmly an-
chored by a statement acknowledged as true in the real world. It is
unfortunate that all too many people (including those who should know
better) have a tendency to trust as accurate anything that the computer
says, even in situations where they would not trust a paper document.
The ability to generate fraudulent identity documents on a small scale
tends to have a minor impact on the overall system. However, in a digital
world, the compromise of secret information for example, of a signing
key or other methods of accessing the document-issuing system could
open the way to massive issuance or use of fraudulent identity docu-
ments. The compromise of back-end systems today is already a problem
for the last two categories of threats (compromising information and
modifying records). One has to consider the difference in speed of propa-
gation of security breaches. Electronic issuance of identity certificates can
go orders of magnitude faster than the issuance of paper-based identity
certificates.
Finding 6.3: Many of the foundational identification documents
used to establish individual user identity are very poor from a
security perspective, often as a result of having been generated
by a diverse set of issuers that may lack an ongoing interest in
ensuring the documents' validity and reliability. Birth certifi-
cates are especially poor as base identity documents, because
they cannot be readily tied to an individual.
Finding 6.4: Scale is a major factor in the implications of au-
thentication for privacy and identity theft. The bulk compro-
mise of private information (which is more likely to occur when
such information is accessible online) or the compromise of a
widely relied on document-issuing system can lead to massive
issuance or use of fraudulent identity documents. The result
would adversely affect individual privacy and private- and pub-
lic-sector processes.
Recommendation 6.2: Organizations that maintain online-ac-
cessible databases containing information used to authenticate
large numbers of users should employ high-quality informa-
tion security measures to protect that information. Wherever
possible, authentication servers should employ mechanisms
that do not require the storage of secrets.
OCR for page 169
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
GOVERNMENT AS RELYING PARTY FOR
AUTHENTICATION SERVICES
169
Government, in addition to issuing identity documents, is also a rely-
ing party (that is, it makes payments, allows access to records, and distrib-
utes benefits electronically based on claims made by users) for authenti-
cation systems to administer public programs at all levels (federal, state,
and local). In fact, the government faces some unique challenges as a
relying party, owing to its large size and multifaceted nature. It should be
noted that government revenues and expenditures are an order of magni-
tude larger than those of the largest private corporations in the United
States. The government's customer base is everything from an individual
citizen to neighborhood nonprofit organizations to large, multinational
corporations. In some cases, the interactions between government and
varied customers are for the same purpose for example, paying income
taxes. In other cases, the interactions are very different for example,
military procurements tend to come from government contractors, not
from private citizens.
Additionally, the functions of government are spread among a multi-
tude of federal, state, county, and local agencies. Government units are
organized by function (health and welfare, defense, education, public
works, and so on), regardless of how people might interact with them.
For example, a small businessperson such as a farmer probably has inter-
actions and transactions with several agencies within the federal govern-
ment the Department of Agriculture, the Internal Revenue Service, the
Department of Labor, and perhaps the Small Business Administration.
At the state level, state tax, labor, and agriculture agencies may have their
own set of reporting requirements and benefits but may also pass along
some programs funded by the federal government.
There is a belief, held mainly by information technology and public
administration professionals, that applications of technology through e-
government could reorient public organizations, causing them to become
more responsive to the needs of users.58 As discussed earlier, GPEA is
driving federal agencies to move information and transactions to the
Internet. For many public sector organizations, though, the move to e-
government was already under way before the enactment of GPEA gave
statutory impetus to federal agency efforts. Through the Office of Man-
58For some selected visions of e-government, see the National Association of Chief Information
Officers, online at ;
Council for Excellence in Government, online at ; or OMB e-government strat-
egy, online at .
OCR for page 170
70
WHO GOES THERE?
agement and Budget, the federal government has identified 24 e-govern-
ment projects that might offer a variety of electronic services between
government and citizens, government and business, and government and
government (that is, between federal, state, and local governments), and
several administrative efforts that are for internal use in federal agen-
cies.59 For the most part, the task force that recommended this list to
OMB found that these efforts had been under way for some time and
predated GPEA.
Cutting through the organizational complexity, though, requires a
degree of consistency in policy, management, and technology that is rarely
found in the paper-based world. Many government agencies, most nota-
bly some leading federal agencies, are investing heavily in PKI as the
means to deploy an electronic authentication system that will work uni-
versally for users of government programs.
The next three subsections describe ways in which the government
has tried to authenticate citizens in different contexts. The first is a
detailed discussion of a program Access Certificates for Electronic Ser-
vices (ACES) that the federal government had endorsed as a way to
authenticate users across a variety of program and organizational lines,
the second describes the Internal Revenue Service's electronic tax filing
programs, and the third describes the Social Security Administration's
attempt at remote authentication for access to earnings and benefits state-
ments. Brief concluding remarks follow.
Access Certificates for Electronic Services
ACES is a program instituted by the GSA. The program's primary
purpose is to provide a PKI to facilitate secure online citizen transactions
with government agencies.60 Under ACES, a user acquires a public key
certificate by interacting with one of a small number of selected, commer-
cial CAs. These CAs commit to certification policies and procedures con-
sistent with a model established by GSA for this purpose. This procedure
is intended to ensure uniform quality of user authentication and status
checking for federal agencies that act as relying parties that is, that accept
these certificates to identify users.
The user employs a certificate issued by an ACES-approved CA and
the corresponding private key when engaging in transactions with par-
ticipating government agencies. Federal agencies developing PKI-enabled
59see the Web site for a more detailed de-
scription of these 24 initiatives.
60The General services Administration is a federal management agency that sets policy
in areas related to federal procurement, real estate, and information resources.
OCR for page 171
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
171
applications are encouraged to take advantage of the Certificate Authen-
tication Module (CAM) a GSA-supplied and Mitretek-developed soft-
ware to verify an ACES certificate prior to use. The CAM is designed to
perform the requisite certificate validation checks, relieving application
developers of the need to implement this complex PKI software. The
CAM always verifies the revocation status of an ACES certificate by con-
tacting an Online Certificate Status Protocol (OCSP) server operated by
the CA that issued the certificate. (The rationale for adopting this specific
revocation-status-checking mechanism is described later.)
To acquire a certificate, a user provides a CA with some personal
information to verify the user's claimed identity. The standards for this
verification are established by GSA and thus are uniform for all of the
CAs providing the service (within the procedural security limits that these
CAs enforce). The form of identity established through this interaction is
a name.
The identification provided by this type of interaction generally will
not be sufficient to identify the user uniquely to a government agency,
since many users may share the same name for example, John Smith.
Thus, ACES certificates generally will be ambiguous relative to the ID
requirements for any government agency. An agency may identify a user
on the basis of both a name and an SSN or other parameters (for example,
home address, age, birth date, and so on.) Thus, when the user contacts an
agency for the first time with his or her ACES certificate, the user will
need to provide this other information to an agency server to establish the
correspondence with the user's record in the agency database. If this is
the user's first contact of any form with the agency, the agency will need
to verify the supplied information as, for example, the SSA does by con-
sulting with other government records. This procedure needs to be re-
peated by the user when he or she initially contacts an agency. Each
agency must then find a means for binding the ACES certificate to the
user identity in that agency's database for example, on the basis of the
CA name and serial number of the certificate or a hash of the public key
from the certificate. (The CA name and serial number are unique to the
user, but they will change whenever the user renews the certificate, be-
cause a new serial number must be assigned to every certificate issued by
the CA, even if the user merely renews the certificate. This procedure
suggests that users may have to reauthenticate themselves periodically to
each agency when the user's certificate expires, using whatever means the
agency employed to effect the initial binding between an ACES certificate
and its records. If the hash of the public key of the certificate is employed,
similar problems arise whenever the user changes his or her key pair.)
Under the terms of the ACES program, neither the user nor the gov-
ernment pays the CA for issuing an ACES certificate. Instead, every time
OCR for page 172
72
WHO GOES THERE?
an individual uses a certificate in a transaction with a government agency,
the agency pays. The government agency pays the issuing CA for the
revocation status check (via OCSP, usually invoked by the CAM), thus
providing the financial motivation for CAs to issue these certificates.
ACES avoids the need for government agencies to make up-front invest-
ments in establishing a PKI to support this sort of e-government service.
It also avoids the need for these agencies to act as CAs. Instead, the
agencies pay for the PKI on a sort of installment basis, indefinitely. (This
arrangement is analogous in many ways to the government allowing a
private company to build a toll road and then collect the tolls, forever.)
It has been suggested that ACES is an appropriate way to enable
citizen e-government because the technical aspects of CA operation ex-
ceed the capabilities of most government agencies. However, since the
certificates issued by the CAs are not sufficient to identify individuals
uniquely relative to agency database records, each agency ultimately acts
as a registration authority (RA) when it establishes the correspondence
between the certificate holder and the database records. The RA function,
while less technical than that of the CA, is usually the most security-
critical procedure of CA operation, so agencies have not avoided the need
to participate in PKI management as a result of ACES. Arguably, the
agencies have databases that are ideal for identifying their users to the
granularity required to ensure authorized access to records and to effect
authenticated transactions. Thus, the use of commercial CAs to issue user
certificates does not relieve government agencies of the burden of per-
forming this security-critical function. It is true that CA operation does
require specialized technical capabilities, and the ACES program avoids
the need for agencies to acquire these capabilities. However, it is not clear
that an agency with the IT resources needed to create and operate PKI-
enabled applications could not also operate a CA for the users that it
serves by means of these applications.
The Internal Revenue Service Electronic Tax Filing
The IRS has been working to increase the volume of the electronic
filing of individual tax returns since the program began in the late 1980s.
While IRS e-file has been described as a pioneer program in electronic
government, it is interesting to note that for many years the IRS required
that electronically filed returns be accompanied by paper signature docu-
ments. Only since 1999 has the IRS begun to make the e-file program a
totally paperless process, including electronic authentication, for some
selected taxpayers.
Fortunately for the IRS, there is public law and policy that supports
electronic authentication. The basic requirement in the Internal Revenue
OCR for page 173
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
173
Code is that tax returns be signed. However, the law does not specify
what constitutes a signing and, in fact, Treasury regulations give the IRS
commissioner broad discretion to determine what constitutes a signing.
Additionally, the IRS Reform and Restructuring Act of 1998 (PL 105-206)
speaks directly to the issue of electronic signatures and provides that they
are criminally and civilly equivalent to paper signatures.
There is only one direct channel for the public to e-file with the IRS.
Through the Telefile program, the IRS "invites" taxpayers to participate
by getting a specially designed tax package. Invitations go to taxpayers
on the basis of expected eligibility (as a 1040EZ filer, with income less
than $50,000, or as a single filer with no dependents). The package in-
cludes instructions for how to file using a Touch-Tone phone and a cus-
tomer service number (CSN), which is a four-digit PIN. IRS relies on the
CSN used by the taxpayer to sign the return, but that does not authenti-
cate the transaction, since the CSN is not a unique identifier. The IRS
authenticates the transaction by comparing data elements the CSN, date
of birth, taxpayer identification number (generally an SSN), and a name
presented by the taxpayer to those same data elements maintained in
IRS databases.
What makes authentication for IRS e-file somewhat challenging is the
role of intermediaries between the IRS and the taxpayer. In addition to
the direct provision of service through Telefile, the IRS relies extensively
on intermediaries to deliver its electronic filing products to the public.
Generally, over half the individual tax returns filed with the IRS are pre-
pared by tax preparers such as commercial services, certified public ac-
countants, and enrolled agents. Tax preparers do an even larger percent-
age of the returns prepared for e-file, a program that emerged out of a
partnership between the IRS and HER Block. A subset of preparers,
authorized e-file providers, are authorized to e-file individual tax returns
for their clients. The authorization, in this case, refers to the fact that the
IRS regulates the preparers that can e-file in some detail.
Prior to 1999, the only way for a taxpayer to sign a return filed through
a preparer was to fill out a paper signature document, called a jurat,
which the preparer also had to sign and then send to the IRS within 48
hours of the IRS accepting the return electronically. The requirement for
the preparer to file the jurat with the IRS is contained in IRS Revenue
Procedures governing the behaviors of authorized e-file providers, which
also require them to exercise due diligence in verifying the identity of
taxpayers by requesting forms of identification to help validate claimed
identity. Similarly, the taxpayer who used personal computer or Web-
based tax preparation software prior to 1999 had to complete a jurat and
send it to the IRS after the return was acknowledged as accepted. (As a
OCR for page 174
74
WHO GOES THERE?
side note, the return can only be transmitted to the IRS through a third-
party transmitter authorized by the IRS.)
Beginning in 1999, the IRS built on experience of the Telefile program
to issue e-file customer numbers (ECNs) to those individuals who had
filed their returns using Web-based or personal computer tax preparation
software the previous year. Much as with Telefile, these selected taxpay-
ers got a sealed postcard that explained program eligibility and contained
one CSN (two for joint filers).
As part of a parallel pilot in 1999, those taxpayers using an authorized
e-file provider could avoid the use of a jurat. In the presence of the
preparer, taxpayers would select their own PIN(s), to be used to sign the
return. IRS Revenue Procedures required that the taxpayers physically
enter their self-selected PINs on the preparer's keyboard. As part of the
signing process, the preparer and taxpayers also record the PIN(s) and
other data from the return on a worksheet that both the preparer and
taxpayers retain.
In both of the 1999 electronic signature efforts, much as with Telefile,
the IRS used the PIN-like four-digit number (for example, CSN, ECN,
self-selected PIN) to sign the returns. This procedure meets the legal
requirement for a return to be signed. Used in combination with other
data presented by the taxpayers, the IRS is able to authenticate the trans-
action to ensure that the taxpayer is who he or she claims to be. The need
for such authentication results from the use of a four-digit PIN that is not
a unique identifier. Additionally, authentication beyond the signing of
the return is necessary because of the business risks associated with re-
fund fraud. The IRS refers to the need for "revenue protection.''61 Since
the initial offering in 1999 and 2000, the IRS has evolved its electronic
authentication efforts for taxpayers filing from home using the Web, tax
preparation software and/or the services of a tax preparer. The primary
difference now is that the IRS no longer mails out the ECN to home filers
and instead allows taxpayers to self-select a PIN for signing purposes.
Additionally, the signing is bound to the transaction by the taxpayers
providing information from the previous year's tax return like Adjusted
Gross Income (AGI) so the IRS can validate claimed identity of the tax-
payer beyond name, address, and taxpayer identification number.
61Given that over 70 percent of individual tax returns result in a refund and that there is
a history of individuals trying to defraud the government by seeking refunds they are not
entitled to, this is a significant business risk. It is interesting to note that the shift from
paper-based to electronic signing altered the IRS's ability to prevent some refund fraud.
For instance, the use of the CSN in the case of Telefile and the ECN in the first 2 years of
that effort, in conjunction with other identifying data, provides an extra check up-front that
is not possible with paper-based signings.
OCR for page 175
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
The Social Security Administration and PEBES
175
One of the more infamous cases of privacy involving authentication
colliding with e-government capabilities comes from the SSA's Online
PEBES initiative.62 In 1997, the SSA had to bring down its otherwise-
successful Web-based capability allowing individuals to request and ulti-
mately receive a Personal Earnings and Benefits Estimate Statement
(PEBES) over the Web. The SSA took this action after a USA Today article
and subsequent stories in other national news outlets raised concerns
about the how the SSA authorized the release of a PEBES to an individual
electronically (described below). Although PEBES provided dramatically
improved service through reduced cycle times and cost per transaction,
SSA yielded to congressional pressure and suspended the service owing
to the public outcry resulting from the national media coverage.
Historically, SSA had provided PEBES to those who made a request
over the phone or by mail if the requester produced three identifiers
(SSN, date of birth, and name), without validating if the requester was
really the person related to that record. For instance, it was quite possible
that a wife could have provided the requested information and obtained
her husband's PEBES using that business rule. Using this process, SSA
filled literally millions of requests per year for PEBES by mail and over
the phone.
To improve service and reduce the workload of the shrinking SSA
staff, the organization launched an effort to fulfill requests for PEBES
through a self-service application over the Web. Initially the SSA pro-
vided partial electronic service, taking the request electronically but re-
verting to paper by mailing the report to the address provided in the
request. Over time, and after considering the results of pilot testing and
some risk analyses, the SSA launched the fully interactive version by
which the PEBES was delivered back to the requester electronically. As
an acknowledgment that moving this kind of transaction (even just the
PEBES request portion) to the Web might entail more risk, the SSA added
more data elements to the identifiers used in the knowledge-based au-
thentication that had been used for the previous 25 years. The Web-based
self-service application would now require the requester to provide place
of birth and mother's maiden name in addition to the three elements
listed above.
62Zachary Tumin. "Social Security on the Web: The Case of the Online PEBES." Strategic
Computing ~ Telecommunications in the Public Sector. Boston, John F. Kennedy School of
Government, Harvard University, 1998.
OCR for page 176
76
WHO GOES THERE?
The fully interactive PEBES was up for approximately 1 month before
the press depicted the offering as "social insecurity." The concern ex-
pressed by the press and by several senators who wrote to the commis-
sioner of the SSA soon after the story broke was that the data elements
used in the knowledge-based authentication system might well be known
to people other than the owner of the data (and of the related PEBES
report). More than even disgruntled spouses (or ax-spouses), close friends
or other individuals who might be able to assemble the required data
elements could gain access to the PEBES that they were not entitled to.63
The three examples ACES, the IRS and electronic tax filing, and the
SSA and PEBES illustrate the complexity of authentication and security
requirements and privacy. The IRS and the SSA have different threat
models and different security and privacy requirements, demonstrating
once again that monolithic solutions, even at the federal level, are un-
likely to be satisfactory.
NATIONWIDE IDENTITY SYSTEMS
The federal government is not the only government body that plays a
role in authentication and privacy considerations. It is through local
governments that most individuals acquire identification documents.
State governments also play a key part in individual authentication for
example, in the issuance of driver's licenses by state departments of mo-
tor vehicles (DMVs). The committee's first report, IDs Not That Easy,64
examined the concept of a nationwide identity system, raising numerous
policy and technological questions that would need to be answered if
such a system were to be put into place. In such a hypothetical system,
government would likely fill all three roles: regulator, issuing party, and
relying party.
As noted in IDs Not That Easy, state driver's licenses already consti-
tute a large-scale (nationwide and, in some cases, international) system of
identification and authentication. Earlier in this report, it was noted that
secondary use of state driver's licenses and state IDs raises significant
privacy and security concerns. Recognizing the ease with which such
documents can be fraudulently reproduced or obtained, there have been
proposals to strengthen driver's licenses. The American Association of
63For SSA's own analysis of PEBES, see "Privacy and Customer Service in the Electronic
Age: Report to Our Customers," available online at .
64Computer Science and Telecommunications Board, National Research Council. IDs-
Not That Easy: Questions About Nationwide Identity Systems. Washington, D.C., National Acad-
emy Press, 2002.
OCR for page 177
AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
177
Motor Vehicle Administrators is in the process of developing and propos-
ing standards to do that.65 They include provisions for the use of biomet-
rics to tie a driver to his or her license; some states already require finger-
prints. As with any system that uses biometrics, however, care must be
taken to mitigate threats against the resulting database.
Finding 6.5: State-issued driver's licenses are a de facto nation-
wide identity system. They are widely accepted for transac-
tions that require a form of government-issued photo ID.
Finding 6.6: Nationwide identity systems by definition create a
widespread and widely used form of identification, which
could easily result in inappropriate linkages among nominally
independent databases. While it may be possible to create a
nationwide identity system that would address some privacy
and security concerns, the challenges of doing so are daunting.
Recommendation 6.3: If biometrics are used to uniquely iden-
tify license holders and to prevent duplicate issuance, care must
be taken to prevent exploitation of the resulting centralized
database and any samples gathered.
Recommendation 6.4: New proposals for improved driver's li-
cense systems should be subject to the analysis presented in
this report by the National Research Council's Committee on
Authentication Technologies and Their Privacy Implications
and in the earlier (2002) report by the same committee: IDs-
Not That Easy: Questions About Nationwide Identity Systems.
CONCLUDING REMARKS
Government organizations, especially federal agencies, must live
with a plethora of legal and policy demands and guidelines in the area of
authentication and privacy, as well as provide accountability and submit
to oversight. While citizens demand ease of use, they also expect security
and privacy protection for the information that in many cases they are
required to provide to the government. Reconciling this tension is a
continuing challenge for any institution, but especially for the govern-
ment, owing to its unique role and requirements. This report emphasizes
the need to avoid authentication or identification when mere authoriza-
65More information is available online at .
OCR for page 178
78
WHO GOES THERE?
lion will suffice. In the case of government, respecting the legitimate
function of anonymity is even more crucial. Given the often obligatory
relationship between citizen and government, allowing anonymity and
therefore increased privacy protection when possible not only increases
efficiency (by avoiding the need to employ complicated authentication
machinery before a transaction) but also enables the many advantages of
privacy protection described in Chapter 3. (A simple example in which
authentication is not required for interaction with the government is the
downloading of tax forms. The identity of the person downloading cer-
tain forms does not need to be verified before the forms are made avail-
able. The same holds true for many public records.)
Finding 6.7: Preserving the ability of citizens to interact anony-
mously with other citizens, with business, and with the govern-
ment is important because it avoids the unnecessary accumula-
tion of identification data that could deter free speech and inhibit
legitimate access to public records.
E-government is a driver for authentication and privacy solutions
that place greater emphasis on government as a relying party than as an
issuer of ID documents. Systems that depend on a common identifier in
government are subject to the privacy risks associated with the potential
for inappropriate data aggregation and (inadvertent or deliberate) infor-
mation sharing in ways that the individual providing the information did
not expect. Care must be taken to adhere to the principles in the Privacy
Act of 1974 and the privacy principles described in Chapter 3 of this
report.
Finding 6.8: Interagency and intergovernmental authentication
solutions that rely on a common identifier create a fundamental
tension with the privacy principles enshrined in the Privacy
Act of 1974, given the risks associated with data aggregation
and sharing.
Finally, while this chapter emphasizes many of the unique constraints
under which government must operate, government is not immune to the
challenges faced by the private sector when developing authentication
systems, many of which are touched on in the preceding chapters. Threat
models must be understood before proceeding, and the goals of any au-
thentication system should be well articulated.
Representative terms from entire chapter:
electronic signatures
Items in cart [0]
