Copyright © 2009. National Academy of Sciences. All rights reserved.
1
Introduction and Overview
The growth of technologies that ease surveillance, data collection, disclosure, aggregation, and distribution has diminished the obscurity and anonymity that are typical of everyday interactions. From phone systems that block the calling number on outgoing calls and simultaneously identify all incoming callers,1 to "loyalty" programs that collect data about individuals' purchasing habits,2 to the government's use of tracking and identification technologies in an increasingly broad range of environments, records of individuals' activities are now routinely made and stored for future use. Technologies such as facial recognition and video cameras are being deployed in an attempt to identify and/or monitor individuals surreptitiously as they go about the most mundane of activities.3 Ubiquitous computing promises to put computational power everywhere by embedding it seamlessly and unobtrusively into homes, offices, and public spaces. The fully networked environment that ubiquitous computing is making possible raises complicated questions about privacy and identification.4 What does it mean when data collection, processing, and surveillance (and perhaps authentication and identification) become the norm?

In applications ranging from electronic commerce to electronic tax filing, to controlling entry to secured office buildings, to ensuring payment, the need to verify identity and authorize access has driven the development of increasingly advanced authentication systems. These systems vary widely in complexity and scope of use: passwords in combination with electronic cookies are used for many electronic commerce applications, smart cards coupled with biometrics allow access to secured areas, and sophisticated public-key mechanisms are used to ensure the integrity of many financial transactions. While there are many authentication technologies, virtually all of them involve the use of personal information and, in many cases, personally identifiable information, raising numerous privacy concerns.

This report examines authentication technologies through the lens of privacy. It is aimed at a broad audience, from users (both end users and organizations) of authentication systems, to people concerned with privacy broadly, to designers and implementers of authentication technologies and systems, to policy makers.

1"Pacific Bell Offers Privacy Manager," RBOC Update 12(5) (new offering for per-call control over incoming messages); Beth Whitehouse, "In Pursuit of Privacy: Phone Services Designed to Protect Can Also Be Extremely Frustrating," Newsday, March 26, 2001, p. B03 (problems arising from use of caller ID and call-blocking plans).
2See, generally, Marion Agnew, "CRM Plus Lots of Data Equals More Sales for Borders - Retail Convergence Aligns Web-based Marketing and Strategies with Those of Physical Stores," InformationWeek, May 7, 2001 (Borders' plan to merge online and off-line customer data and loyalty programs); Kelly Shermach, "Coalition Loyalty Programs: Finding Strength in Numbers," Card Marketing 5(3):1 (benefits of shared data from joint marketing card products).
3Lev Grossman, "Welcome to the Snooper Bowl: Big Brother Came to Super Sunday, Setting Off a New Debate About Privacy and Security in the Digital Age," Time, February 12, 2001, p. 72 (the use of facial recognition technology by the Tampa Bay police department to search the 72,000 people in the crowd at Super Bowl XXXV); Ace Atkins, "Surveillance Tactic Faces Off with Privacy," Tampa Tribune, February 7, 2001, p. 1 (police might buy controversial new technology, tried out at the Super Bowl, that scans faces in public places; surveillance cameras take pictures of people in crowds and a computer compares numeric facial patterns to a databank of criminals); Katherine Shaver, "Armey Protests Cameras Sought on GW Parkway; Speed Deterrent Likened to Big Brother," Washington Post, May 9, 2001, p. B01 (the National Park Service tested a radar camera from August 1999 to February 2000 in two areas of the George Washington Memorial Parkway in the Washington, D.C., area, and House Majority Leader Richard Armey asked Department of the Interior Secretary Gale A. Norton to ban the cameras, calling them "a step toward a Big Brother surveillance state"); Richard Morin and Claudia Deane, "DNA Databases Casting a Wider Net," Washington Post, May 8, 2001, p. A21 (the national DNA database and the fact that all 50 states have passed some version of a DNA data-banking law); Ian Hopper, "New Documents Disclose Extent of FBI's Web Surveillance," Sunday Gazette Mail, May 6, 2001, p. POD (the FBI's use of Internet eavesdropping using its controversial Carnivore system, a set of software programs for monitoring Internet traffic [e-mails, Web pages, chat-room conversations, and other signals], 13 times between October 1999 and August 2000, and a similar device, Etherpeek, another 11 times).
4See CSTB's report Embedded, Everywhere: A Research Agenda for Networked Systems of Embedded Computers (Washington, D.C.: National Academy Press, 2001), particularly Chapter 4, which discusses security and privacy in ubiquitous computing environments.
WHO GOES THERE?
Notwithstanding considerable literature on privacy, the legal and so-
cial meaning of the phrase "the right to privacy" is in flux. Rather than
presenting an encyclopedic overview of the various technologies or an in-
depth treatise on privacy, this report explores the intersection of privacy
and authentication, which raises issues of identification, authorization,
and security.
This introductory chapter presents definitions and terminology that
are used throughout the report. It introduces four overarching privacy
concerns that illustrate how privacy and authentication can interact in
ways that negatively affect privacy. It also provides a "day-in-the-life"
scenario to motivate a discussion of authentication and privacy. Finally,
there is a brief discussion of what this report does not do, along with an
outline of the rest of the report.
DEFINITIONS AND TERMINOLOGY
Throughout this report, numerous interrelated concepts associated with authentication, identity, and privacy are discussed. Several of these concepts are briefly defined below for clarity. As noted in the committee's first report, IDs Not That Easy, many of these concepts represent complicated, nuanced, and, in some instances, deeply philosophical topics.5 Note that while the definitions below refer to individuals, they should also be understood to apply, when appropriate, to nonhuman subjects such as organizations, identified computers, and other entities. Popular belief to the contrary, authentication does not necessarily prove that a particular individual is who he or she claims to be; instead, authentication is about obtaining a level of confidence in a claim. The concepts below are teased apart both to describe how the terms are used in this report and to highlight how ambiguous many of them remain.

· An identifier points to an individual. An identifier could be a name, a serial number, or some other pointer to the entity being identified. Examples of personal identifiers include personal names, Social Security numbers (SSNs), credit card numbers, and employee identification numbers. It is sometimes necessary to distinguish between identifiers and the things that they identify. In order to refer to an identifier in a way that distinguishes it from the thing that it identifies, the identifier is written in quotation marks (for example, "Joseph K." is an identifier, specifically a personal name, whereas Joseph K. is a person).

5Indeed, the committee has refined and evolved its core definitions since the publication of its earlier report IDs Not That Easy: Questions About Nationwide Identity Systems (Washington, D.C.: National Academy Press, 2002).
· An attribute is a property associated with an individual. Ex-
amples of attributes include height, eye color, employer, and organiza-
tional role.
· Identification is the process of using claimed or observed at-
tributes of an individual to infer who the individual is. Identification
can be done without the individual's having to (or being given the oppor-
tunity to) claim any identifier (for example, an unconscious patient in an
emergency room might be identified without having to state his or her
name).
· Authentication is the process of establishing confidence in the truth of some claim. The claim could be any declarative statement, for example, "This individual's name is 'Joseph K.,' " or "This child is more than 5 feet tall." Both identifiers and attributes can be authenticated, as the examples just cited demonstrate.
- Individual authentication is the process of establishing an un-
derstood level of confidence that an identifier refers to a specific
individual. Individual authentication happens in two phases:
(1) an identification phase, during which an identifier to be
authenticated is selected in some way (often the identifier selected
is the one claimed by the individual), and (2) an authentication
phase, during which the required level of confidence is established
(often by challenging the individual to produce one or more authen-
ticators supporting the claim that the selected identifier refers to
the individual). In the information security literature, individual
authentication is sometimes referred to as "user authentication."
In the biometrics literature, individual authentication of an identi-
fier claimed by the individual is often called "verification."
- Identity authentication is the process of establishing an under-
stood level of confidence that an identifier refers to an identity. It
may or may not be possible to link the authenticated identity to an
individual. For example, verification of the password associated
with a Hotmail account authenticates an identity (foo@example.com)
that may not be possible to link to any specific individual. Identity
authentication happens in two phases: (1) an identification phase,
during which an identifier to be authenticated is selected in some
way (often the identifier is selected by a claimant), and (2) an
authentication phase, during which the required level of confi-
dence is established (often by challenging the claimant to produce
one or more authenticators supporting the claim that the selected
identifier refers to the identity).
- Attribute authentication is the process of establishing an un-
derstood level of confidence that an attribute applies to a specific
individual. Attribute authentication happens in two phases: (1) an
attribute selection phase, during which an attribute to be authenti-
cated is selected in some way, and (2) an authentication phase,
during which the required level of confidence is established, either
by direct observation of the individual for the purpose of verifying
the applicability of the attribute or by challenging the individual to
produce one or more authenticators supporting the claim that the
selected attribute refers to the individual.
· An authenticator is evidence that is presented to support the authentication of a claim. It increases confidence in the truth of the claim. A receipt, for example, can act as an authenticator of a claim that an item was purchased at a specific store.6 A driver's license can act as an authenticator that a particular name (a form of identifier) refers to the individual who carries the license. Knowledge of a secret or the ability to display some distinctive physical characteristic such as a fingerprint can also serve as the authenticators of an individual's name.
· Authorization is the process of deciding what an individual ought to be allowed to do. Authorization is distinct from authentication (which establishes what an individual "is" rather than what the individual "is allowed"). Authorization policies determine how authorization decisions are made. Authorization policies base decision making on a variety of factors, including subject identifiers (such as names) and subject attributes other than identifiers (such as employee status, credit rating, and so on).
· The identity of X is the set of information about an individual X that is associated with that individual in a particular identity system Y. However, Y is not always named explicitly. An identity is not the same as an identifier: "Joseph K." is an identifier (specifically, a name), but Joseph K. is a person. It is not always easy to determine which individual an identifier refers to. For example, "George Bush, the president of the United States, who lives in Texas and who attended Yale" is an identifier that refers to two individuals. Identities also consist of more than just names: Richard Nixon was an individual, but his identity also includes other facts, such as that he was president of the United States and that he resigned that office. Furthermore, identities contain statements that are not strictly facts: a man who was stranded on a desert island in 1971 and who believed in 1975 that Richard Nixon was still President would have his facts wrong but would not misidentify Nixon. Finally, people disagree about identities and about which individuals they refer to; if one believes newspaperman Bob Woodward, there was an individual who went by the code name "Deep Throat" during the Watergate investigation that led to Nixon's resignation, but different people have different opinions about who that individual is.
· Security refers to a collection of safeguards that ensure the confidentiality of information, protect the integrity of information, ensure the availability of information, account for use of the system, and protect the systems and/or networks used to process the information. Security is intended to ensure that a system resists attacks and tolerates failures. (See Chapter 4 for a more in-depth discussion of security and authentication.)
· Privacy is a multifaceted term with many contextually dependent meanings. One aspect of the right to privacy is the right of an individual to decide for himself or herself when and on what terms his or her attributes should be revealed. (See Chapter 3 for some historical background on privacy and a brief exploration of current privacy law and policy in the United States.)

6Confusion can arise when the same thing is used as both an authenticator and an identifier, as happens frequently with credit card numbers.
AUTHENTICATION IN DAILY LIFE
Individuals authenticate themselves to others and to information sys-
tems in many different contexts. The identifiers and attributes that they
authenticate vary, depending on the situation. Individuals may identify
themselves as named users of computer systems, employees, frequent
flyers, citizens, students, members of professional societies, licensed driv-
ers, holders of credit cards, adults over the age of 18, and so on. There
need not be any single identity associated with each person that is glo-
bally unique and meaningful to all of the organizations and individuals
with whom that person interacts. Thus, people often assert different
identities under different circumstances.
Finding 1.1: Most individuals maintain multiple identities as
social and economic actors in society.
To illustrate the myriad ways in which instances of identification and
authentication arise in everyday life and to highlight some of the impor-
tant issues associated with new systems, the committee hypothesized
scenarios in the life of Joseph K. as he goes on a business trip. The italic sentences describe Joseph's actions; the indented paragraphs that follow point out important associated issues. (Specific technologies are discussed in more detail later in the report.)
Joseph first dials in to his corporate network from home and authenticates himself to a network access server. He does so by claiming to be an employee of CompuDigi Corporation, using a name and a smart card that is read by his computer.
Successfully completing this authentication procedure authorizes Joseph to access the corporate network. All employees have the same basic access privileges for the network, so it might seem that there is no need to authenticate each employee independently by name for log-in purposes. However, by assigning each employee a unique log-in name, CompuDigi can track Joseph's log-in sessions separately from those of other employees, enabling audit, and it can more easily revoke Joseph's access if he leaves the company or if his smart card is lost or stolen.
Joseph now accesses an airline Web site to book his flights, probably unaware that
authentication of another sort is going on.
The Web site employs Secure Sockets Layer (SSL), a security protocol, to provide confidentiality for data transmitted between Joseph's personal computer (PC) and the site. This prevents eavesdroppers on the path between the PC and the Web site from observing sensitive data. It also provides an implicit authentication of the Web site to Joseph. This authentication is based on the Internet name of the Web site, as contained in the uniform resource locator (URL) that Joseph implicitly selected from his list of commonly accessed Web sites.
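The name-bound server check just described, as an added example written for this page (it is not code from the report or from any browser): a throwaway root CA and a server certificate for a made-up host name are generated in memory, and the certificate is then verified the way a browser verifies it after the SSL/TLS handshake, once against the host taken from the URL and once against a look-alike host. The CA, the host names "www.airline.test" and "www.air1ine.test", and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is the constructed test PKI: a private root CA and the server
// certificate it issued for the airline's host name.
type Bundle struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// NewBundle mints a throwaway root CA and has it issue a server certificate
// for serverName. Everything is generated in memory; no real CA or site exists.
func NewBundle(serverName string) (*Bundle, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // the name the browser compares with the URL
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Bundle{Root: root, Leaf: leaf}, nil
}

// CheckServer is the browser's check after the handshake: the certificate
// must chain to a trusted root AND be issued for the host named in the URL.
// A certificate that is perfectly valid for some other host still fails here.
func CheckServer(b *Bundle, urlHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(b.Root)
	_, err := b.Leaf.Verify(x509.VerifyOptions{
		DNSName:   urlHost,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsNameMismatch reports whether the failure is the "certificate is for a
// different host" case, the one a browser surfaces as a warning dialog.
func IsNameMismatch(err error) bool {
	var hne x509.HostnameError
	return errors.As(err, &hne)
}

func main() {
	b, err := NewBundle("www.airline.test") // constructed host name
	if err != nil {
		panic(err)
	}
	fmt.Println("host in URL matches:", CheckServer(b, "www.airline.test"))
	err = CheckServer(b, "www.air1ine.test")
	fmt.Println("look-alike host:", err, "| name mismatch:", IsNameMismatch(err))
}
```

The point the scenario makes is visible in the second call: the certificate is genuine and chains to a trusted root, but because the browser selected a different name from the URL, verification fails and the user would see the warning that Joseph otherwise never notices.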
Joseph is generally unaware of this authentication process unless it fails and
generates a warning message. The only indication to him that the process has
succeeded is the appearance of a small padlock icon in the browser window (which
he may not notice). Joseph now uses his airline frequent-flyer account number to
identify himself and a personal identification number (PIN) to authenticate this
identifier.
The airline is not necessarily interested in Joseph's identity as an
employee of CompuDigi but rather in his identity as a customer of
the airline.
Based on his frequent-flyer status, Joseph is able to request a seat with better
legroom in the front section of the aircraft.
Joseph is authorized to upgrade his seat based on his frequent-flyer status (an attribute), which in turn is based on his travel history. (Joseph's frequent-flyer number may remain constant with the airline for many years, but his status, and hence his authorization to upgrade to a better seat, will vary depending on how often he flies.) Thus, Joseph's frequent-flyer number (an identifier) is used as a key for a database that the airline uses to determine his status and hence his authorization.
To pay for his flight, Joseph provides a credit card account number. Knowledge of the account number and expiration date serves to authenticate him as a cardholder.
Using a credit card number and expiration date as authenticators is a
relatively weak form of authentication, since the account number
serves as the primary identifier as well. This credit card data might
be stored on the Web server; or, it might be used only for the
transaction at hand and not be stored on the Web server. If there
were a way for Joseph to be sure that the Web server was not storing
his credit card information, it might increase his trust in the system
(assuming that he had been notified of this policy).
An electronic ticket is issued for Joseph's flights. Next, he wishes to connect to
the Web site of a hotel chain to book a room.
This Web site supports a feature known as client certificates, a little-used facet of SSL that can be employed to automate the user-authentication process. When Joseph initially registered on the Web site as a frequent guest of the hotel chain, the site interacted with his browser in order to issue him a public key certificate (an electronic file containing information related to Joseph's interactions with this site; see Chapter 5 for more on public key cryptography, private keys, and certificates). This certificate contains an identifier that links to Joseph's account but is otherwise not meaningful. Thus, the certificate cannot be used by Joseph to authenticate himself to any other Web sites. During the initial certificate generation process, Joseph was prompted to provide a password to be used by his browser to protect the private key associated with the certificate. This single password could protect all of the private keys stored by Joseph's browser for use with all of the certificates issued by Web sites that Joseph visits. Such use of the password would simplify Joseph's life if he had many certificates, but few Web sites make use of client certificates, so in practice Joseph would gain only a small benefit from this feature. Note that in terms of security, the private key becomes a proxy for the password and is thus no more secure than the combination of that password and the physical means used to protect the encrypted private key.
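An added example of the point just made (it is not the report's code and does not reproduce any browser's key-store format): the private key is wrapped under a key derived from the password, so whoever copies the encrypted key file can try passwords offline, with no server, card or lockout in the way, and holds the key the moment the password falls. The key derivation (PBKDF2 with HMAC-SHA256, written out inline), the AES-GCM wrapping, the password "sunshine1" and the wordlist are all constructed here, and the iteration count is kept low only so the demonstration runs quickly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2 derives a key from a password with HMAC-SHA256 (RFC 8018), written
// out so that the example needs only the standard library.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.Write(prf, binary.BigEndian, block)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WrappedKey is what the browser keeps on disk: the private key encrypted
// under a password-derived key. Everything needed for an offline guess is in
// this struct except the password itself.
type WrappedKey struct {
	Salt, Nonce, Ciphertext []byte
	Iter                    int
}

var ErrWrongPassword = errors.New("wrong password: authentication tag mismatch")

func aeadFor(password string, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2([]byte(password), salt, iter, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts the private key's seed under the password with AES-256-GCM.
func Wrap(priv ed25519.PrivateKey, password string, iter int) (*WrappedKey, error) {
	buf := make([]byte, 16+12) // salt || nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:16], buf[16:]
	aead, err := aeadFor(password, salt, iter)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, priv.Seed(), nil)
	return &WrappedKey{Salt: salt, Nonce: nonce, Ciphertext: ct, Iter: iter}, nil
}

// Unwrap is what the browser does when the password is typed. A wrong
// password fails the GCM tag check and yields no key at all.
func Unwrap(w *WrappedKey, password string) (ed25519.PrivateKey, error) {
	aead, err := aeadFor(password, w.Salt, w.Iter)
	if err != nil {
		return nil, err
	}
	seed, err := aead.Open(nil, w.Nonce, w.Ciphertext, nil)
	if err != nil {
		return nil, ErrWrongPassword
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// GuessPassword is the attack available to anyone who copies the wrapped key:
// each candidate is tried locally. It returns the password that worked and the
// recovered key, or "" and nil if none of the candidates was right.
func GuessPassword(w *WrappedKey, candidates []string) (string, ed25519.PrivateKey) {
	for _, c := range candidates {
		if k, err := Unwrap(w, c); err == nil {
			return c, k
		}
	}
	return "", nil
}

// SameKey reports whether a recovered key equals the original.
func SameKey(a, b ed25519.PrivateKey) bool { return bytes.Equal(a, b) }

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	w, _ := Wrap(priv, "sunshine1", 1000) // constructed password; low iteration count for the demo
	_, err := Unwrap(w, "not-the-password")
	fmt.Println("wrong password:", err)
	pw, k := GuessPassword(w, []string{"password", "letmein", "joseph", "sunshine1"}) // constructed wordlist
	fmt.Printf("guessed %q, original key recovered: %v\n", pw, SameKey(k, priv))
}
```

Raising the iteration count or using a memory-hard derivation slows each guess but does not change the conclusion: the strength of the private key is bounded by the strength of the password and by whether the wrapped file can be copied at all.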
When Joseph visits the hotel Web site (having registered and received a certificate earlier), his browser is queried by the Web site to send Joseph's certificate and to use the associated private key to verify Joseph's frequent-guest account identifier. Joseph is prompted by the browser to enter the password to unlock his private keys, and he is logged in to the Web site.
Again, it is Joseph's identity as a frequent client (rather than his name or other attributes) that is important. His status as a frequent guest entitles him to a free room upgrade. This is another example of authorization based on data associated with Joseph's identity in a specific context. In this context, Joseph elected to store credit card information as part of his profile with the hotel chain, so it is used automatically to guarantee his reservation in the event of a late arrival. If the Web site does not adequately protect the data that it stores, Joseph's credit card data may be inappropriately disclosed to others. The use of encryption to protect Joseph's data in transit to the site does not protect against this sort of security failure in any way.
Joseph has also elected to store several frequent-flyer numbers in his hotel profile so that he can acquire "mileage" credit for his stay.
With this action, Joseph has voluntarily elected to provide data to the hotel chain, enabling the hotel to link his (otherwise) independent hotel and airline identities. This provides the hotel marketing organization with an ability to market directly to Joseph on the basis of his travel patterns and preferences, as well as to offer amenities in a more customer-friendly fashion when Joseph stays at its hotels. It also provides an ability to sell Joseph's name, address, and possibly his e-mail address to other companies, based on the attributes in his frequent-traveler profile.
Finally, Joseph logs in to a rental car Web site and arranges for a vehicle for his
trip. Here, Joseph authenticates himself using his name and his frequent-renter
account number; no explicit password or PIN is required.
Joseph's profile at this Web site allows the rental car company to select automatically his favorite class of vehicle. Joseph has also provided a code that identifies him as an employee of CompuDigi, making him eligible for the special rates negotiated by CompuDigi for its employees. This code is an attribute not specific to Joseph; it is used as a basis for authorizing all employees to make use of the corporate discount program. Joseph's profile includes credit card data as well as his driver's license data, both of which are required for rental car transactions.
En route to the airport, Joseph makes use of an electronic toll tag lane, which
allows him to avoid longer lines for drivers paying tolls with cash.
The toll tag device, mounted on the windshield of Joseph's car, engages in an electronic (radio-frequency, or RF) challenge/response authentication protocol with a responder at each toll plaza, authenticating the toll tag device to the toll collection system. This system authenticates the tag's number, which is linked to Joseph's account identity in the toll system database. In turn, this number is linked to Joseph's bank account, enabling automatic debit of his account for each toll transaction. The toll system may be concerned only with receiving payment of the toll, so it is the identification of the bank account that is of primary interest here.7

7While it may be possible to link the tag to a cash account that is not linked to the driver, in many cases such systems do make explicit the linkage between the account and the "presumed" driver.

Joseph arrives at the airport and makes use of a kiosk to acquire his boarding pass. To authenticate himself, he swipes the same credit card that he used to purchase the airline ticket through a magnetic-stripe reader.

In this case, possession of the credit card is viewed as authentication of identity.

At the airport security checkpoint, Joseph must present his boarding pass and a government-issued photo identification (ID) for authentication.

The name on the photo ID must match (either exactly or "closely") the name on the boarding pass, and the photo on the ID must be a good enough likeness to be acceptable to the security screening personnel.

Upon arrival at his destination airport, Joseph proceeds to the rental car area, where his car is waiting in a spot at which his name is displayed. As he exits the rental car lot, Joseph is required to present his driver's license.
This procedure is designed to authenticate Joseph as the individual
who holds the online reservation and to whose credit card the rental
will be charged. In principle, the process should also verify that
Joseph holds a valid driver's license, a prerequisite for car rental. In
contrast to the boarding-pass check at the airport, the rental
agreement has more information about Joseph, including the name
of the state that issued the driver's license and the license number.
Such information is nominally part of this authentication process,
providing more evidence that the person presenting the license to the
electronic record is connected to a printed receipt. Also, note that
while a passport would be an acceptable form of photo ID for use
with the boarding pass (and would be required for international
flights), it is not acceptable here, because there is a requirement for a
credential that demonstrates authorization to drive and that
establishes accountability of a particular individual for loss of or
damage to the automobile. A driver's license accomplishes both
goals, because it directly asserts authorization to drive and because it
contains or can be used to obtain the driver's address. The rental car
agency (depending on the state in which Joseph is renting) may have reserved the right to screen Joseph's driving record, which it may access electronically using his driver's license number.
When Joseph arrives at his hotel, he presents a credit card at the front desk. The hotel matches the name on the credit card against the room-reservation database to identify Joseph.
Since the primary concern of the hotel is that it is compensated for
the room rental, the presentation of a valid credit card (including
verification that the credit card account is in good standing, not
reported lost or stolen) is an acceptable form of authentication in this
context.8 The credit card is itself authenticated on the basis of the
information contained on the magnetic stripe on the back of the card
and on the basis of the appearance of the card (for example, the
appearance of a standard hologram as part of the card face). If a conflict occurs (two individuals with the same name claim the same reservation at the same hotel on the same day), additional identification credentials will be required to resolve the conflict.
8Note that hotels in countries other than the United States often are required to request the presentation of a passport and sometimes even retain the document until the guest checks out.
When Joseph arrives at the CompuDigi meeting site, he uses his employee badge
to gain entrance to the building. Joseph presents the card to a reader, which
requires him to enter a PIN, a procedure designed to prevent unauthorized use of
the card if it is lost or stolen.
Joseph's badge is a smart card, a credit-card-sized device that contains a processor, memory, and an input/output (I/O) interface. On this card are stored a public key certificate and the corresponding private key. The card engages in a cryptographic challenge/response exchange with the building's physical security computer system to authenticate Joseph as a CompuDigi employee and to authorize him to enter the building.
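The toll-tag exchange and the badge exchange in the scenario are both challenge/response protocols, so one added example serves both (it is not code from the report and does not describe any real toll or badge product): the reader sends a fresh random challenge, the token signs it with a private key that never leaves the device, and the reader verifies the signature against the public key it recorded at enrollment, refusing replays, answers produced for a different reader, and tokens that have been revoked. It uses raw Ed25519 key pairs rather than a certificate, and the identifiers "badge-0042", "door-north" and "door-south" are made up; both are assumptions of the example, and a real toll tag might use a shared symmetric key in place of a signature, which changes nothing about the exchange shown.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Token is the device side (toll tag or badge). Its private key never leaves
// the device; only signatures over challenges do.
type Token struct {
	ID   string
	priv ed25519.PrivateKey
}

// Verifier is the reader side (toll plaza or building door). It holds the
// public key of every enrolled token and remembers outstanding challenges so
// that each one can be answered exactly once.
type Verifier struct {
	enrolled map[string]ed25519.PublicKey
	issued   map[[16]byte]time.Time
	window   time.Duration
	now      func() time.Time
}

func NewVerifier(window time.Duration) *Verifier {
	return &Verifier{enrolled: map[string]ed25519.PublicKey{}, issued: map[[16]byte]time.Time{}, window: window, now: time.Now}
}

// Enroll mints a key pair for a new token and records its public key. (In a
// certificate-based badge the public key would arrive inside the certificate;
// handing it over directly is an assumption of this example.)
func (v *Verifier) Enroll(id string) (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	v.enrolled[id] = pub
	return &Token{ID: id, priv: priv}, nil
}

// Revoke drops a lost or stolen token; every token has its own key, so no
// other holder is affected.
func (v *Verifier) Revoke(id string) { delete(v.enrolled, id) }

// Challenge is message 1 (reader -> token): a fresh random nonce.
func (v *Verifier) Challenge() ([16]byte, error) {
	var c [16]byte
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	v.issued[c] = v.now()
	return c, nil
}

// Response is message 2 (token -> reader).
type Response struct {
	ID  string
	Sig []byte
}

// transcript is what gets signed: reader name, token name and challenge,
// length-prefixed so the fields cannot be shuffled. Binding the reader name
// stops an answer captured at one plaza from being presented at another.
func transcript(readerID string, c [16]byte, tokenID string) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "%d:%s%d:%s", len(readerID), readerID, len(tokenID), tokenID)
	b.Write(c[:])
	return b.Bytes()
}

// Answer is the token's side of message 2.
func (t *Token) Answer(readerID string, c [16]byte) Response {
	return Response{ID: t.ID, Sig: ed25519.Sign(t.priv, transcript(readerID, c, t.ID))}
}

var (
	ErrUnknownToken    = errors.New("token not enrolled or revoked")
	ErrStaleOrReplayed = errors.New("challenge unknown, expired, or already answered")
	ErrBadSignature    = errors.New("signature does not verify for this reader and challenge")
)

// Accept verifies a response. The challenge is consumed only after a good
// signature, so a flood of bad answers cannot cancel a legitimate one, while
// a good answer presented a second time fails as a replay.
func (v *Verifier) Accept(readerID string, c [16]byte, r Response) error {
	pub, ok := v.enrolled[r.ID]
	if !ok {
		return ErrUnknownToken
	}
	issuedAt, ok := v.issued[c]
	if !ok || v.now().Sub(issuedAt) > v.window {
		return ErrStaleOrReplayed
	}
	if !ed25519.Verify(pub, transcript(readerID, c, r.ID), r.Sig) {
		return ErrBadSignature
	}
	delete(v.issued, c)
	return nil
}

func main() {
	door := NewVerifier(30 * time.Second)
	badge, _ := door.Enroll("badge-0042") // constructed identifiers throughout
	c, _ := door.Challenge()
	r := badge.Answer("door-north", c)
	fmt.Println("first use:", door.Accept("door-north", c, r))
	fmt.Println("replay:   ", door.Accept("door-north", c, r))
	door.Revoke("badge-0042")
	c, _ = door.Challenge()
	fmt.Println("revoked:  ", door.Accept("door-north", c, badge.Answer("door-north", c)))
}
```

Note what the reader learns from a successful exchange: only that the holder of the enrolled key answered, which is why the scenario says the toll system authenticates the tag's number and the building authenticates the badge; the link from that number to Joseph is a database record, not anything proved on the wire.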
This scenario illustrates that Joseph has many identities, not just one.
These different identities represent him in his interactions with different
organizations, each of which identifies him in a distinct context. In many
instances, there is no need for these distinct identities to be tightly linked
to one another, although there are exceptions. Sometimes Joseph makes
an explicit choice to create the linkage (for example, for perceived ben-
efits); at other times the linkage is required by the context (for example,
the connection of his driver's license and his driving record). To the extent
that Joseph chooses, or is allowed, to maintain separate identities in his
interactions with organizations, he increases his privacy, because he dis-
closes to each organization only the information required for interactions
with that organization.
By maintaining separate and nonlinked identities, Joseph has some
control over who gets which pieces of information about his activities,
preferences, and lifestyle. Some of this control might be deliberate on
Joseph's part, but some of it may have been the happenstance of a com-
petitive market system in which linkages have not yet been fully unified
across corporate and government databases. For Joseph to exercise pro-
active control over the dissemination and use of personal information
about himself, he must become aware of how and where that information
is being collected, linked, and used. As activities within society become
increasingly automated, it becomes harder and harder for anyone to make
these informed decisions.
Without informed, proactive control on Joseph's part, the various authentication events described in this scenario pose risks in terms of both security and privacy. The rest of this report elaborates on various authentication technologies and their relationship to privacy issues.
CURRENT TENSIONS
The development, implementation, and broad deployment of authentication systems require us to think carefully about the role of identity and privacy in a free, open, and democratic society. Privacy, including control over the disclosure of one's identity and the ability to remain anonymous, is an essential ingredient of a functioning democracy. It is a precondition for the exercise of constitutionally protected freedoms, such as the freedom of association.9 It supports the robust exercise of the freedom of expression by, for example, creating psychological space for political dissent.10 It maintains social norms that protect human dignity and autonomy by enabling expressions of respect and intimacy and the establishment of boundaries between oneself and one's community.11
9See National Association for the Advancement of Colored People v. Alabama Ex Rel. Patterson, Attorney General, 357 U.S. 449; 78 S. Ct. 1163 (1958); 2 L. Ed. 2d 1488 (1958) (the Court held that the immunity from state scrutiny of membership lists was so related to the right of the members to associate freely with others as to come within the protection of the U.S. Constitution); Joseph McIntyre, Executor of Estate of Margaret McIntyre, Deceased, Petitioner v. Ohio Elections Commission, 514 U.S. 334; 115 S. Ct. 1511 (1995) (statute prohibiting the distribution of anonymous campaign literature violated the First Amendment, as it was not narrowly tailored to serve an overriding state interest; the statute indiscriminately outlawed a category of speech with no relationship to the danger sought to be prevented); Buckley v. American Constitutional Law Foundation; Talley v. California. Also, see the work that the Electronic Privacy Information Center (EPIC) has done on anonymity, including an amicus brief in the Watchtower Bible v. Stratton case, arguing that "an ordinance requiring door-to-door petitioners to obtain a permit and identify themselves upon demand" implicates privacy as well as rights of anonymity, freedom of expression, and freedom of association. More information is available online at .
10See Martin H. Redish, "The Value of Free Speech," 130 U. Pa. L. Rev. 591, pp. 601-604 (1982) (free expression supports citizens' participation in decision making); Alexander Meiklejohn, Political Freedom: The Constitutional Powers of the People, New York, Oxford University Press, 1965, pp. 3-89 (free expression provides citizens with access to information necessary to formulate opinions and make decisions); Rodney A. Smolla, Smolla and Nimmer on Freedom of Speech: A Treatise on the First Amendment, Clark Boardman Callaghan, 1994, §13.01[3] (by allowing disempowered groups to dissent, free expression provides stability); and Julie E. Cohen, "A Right to Read Anonymously: A Closer Look at 'Copyright Management' in Cyberspace," 28 Conn. L. Rev. 981 (1996) (arguing that reading is intimately connected with freedom of speech and thought and therefore the right to read anonymously should be an understood guarantee of the First Amendment).
11Robert C. Post, "The Social Foundations of Privacy: Community and Self in the Common Law Tort," 77 Calif. L. Rev. 957 (1989). Post argues that the common law tort of invasion of privacy safeguards social norms ("rules of civility") and is based on the belief that personality and human dignity are injured when these rules of civility are broken. He concludes with an explanation of the role that the privacy tort plays in enabling individuals to receive and express respect, thereby enabling human dignity; in allowing individuals to receive and express intimacy, thereby enabling human autonomy; and in establishing obligations between community members, thereby defining the substance and boundaries of community life. Id. at p. 238; Bloustein, "Privacy As an Aspect of Human Dignity: An Answer to Dean Prosser," 39 N.Y.U. L. Rev. 962, pp. 1000-1007 (1964) (arguing that the privacy torts involve the same interest in preserving human dignity and individuality).
If individuals fear unchecked scrutiny, they will be less likely to participate vigorously in the political process and in society in general.12 If individuals are denied privacy by the government, corporations, and other individuals, they are less able to explore ideas, formulate personal opinions, and express and act on these beliefs. At the same time, "privacy" is sometimes used as a pretext for hiding illegal activities, and society has, at times, a legitimate interest in requiring authentication or identification, either for validating claims to rights and privileges or for holding individuals responsible for their actions.
Today, when individual authentication is demanded (such as before boarding an airplane), the individual whose identity is to be authenticated is asked to participate in the process of proving who he or she is.13 Authentication of identity generally (but not always; see Chapter 4) requires an affirmative act: the individual must affirmatively introduce herself or knowingly produce a credential containing identity information. While a third party may at times provide information about an individual's identity (such as an adult verifying the identity of a child), such information is more often a tool for confirming the identity presented by the individual being authenticated. Because authentication generally requires some affirmative act on the part of the individual, it is rare that an individual's identity is surreptitiously noted and recorded in the context of an authentication event.
The decision about where to deploy authentication systems, be it only where today verification of identity is already required or in a greater range of circumstances, will shape society in both obvious and subtle ways. Even if the choice is made to implement authentication systems only where people today attempt to discern identity, the creation of reliable, inexpensive systems will invite function creep (the use of authentication systems for other than their originally intended purposes) unless action is taken to prevent this from happening.14 Thus, the privacy consequences of both the intended design and deployment and the unintended, secondary uses of authentication systems must be taken into consideration by vendors, users, policy makers, and the general public.
12See, generally, the numerous privacy statutes that prevent the reuse of information and limit governmental access because of social interest in promoting or protecting the underlying activities (for example, related to financial information and health care), many of which are discussed in Chapters 3 and 6.
13The criminal justice context is an exception in which the individual's identity may be determined without their active participation.
14An example of secondary use is that of reliance on the driver's license for proof of age in establishments that sell alcohol. In at least one establishment in Massachusetts, licenses are swiped through a machine and all of the information contained in the magnetic stripe on the back is collected. "Swipe at Your Privacy," WHDH TV, June 4, 2002. Available online at .
FOUR OVERARCHING PRIVACY CONCERNS
While authentication systems can be used to preserve or enhance privacy, there are many ways, as described above, in which an authentication system, or even the act of authentication alone, can affect privacy; that is, privacy is involved as a consequence or corollary of authentication. Before discussing the details of authentication technologies and their impact on privacy in later chapters, several categories of privacy risk are described below. While not applicable to all authentication systems, these categories broadly characterize the risks to personal privacy that authentication systems can create.
· Covert identification. Some authentication systems make it possible to identify an individual without the individual's consent or even knowledge. Such systems deny the individual, and society, the opportunity to object to and to monitor the identification process. These technologies are particularly vulnerable to misuse because their use is hidden.
· Excessive use of authentication technology. Cost and public sensitivity have historically checked the spread of authentication systems. At the same time that technological progress has reduced the cost of these systems (along with the costs of data collection and processing generally), the public, owing to an increased sense of vulnerability and desire for security or simple familiarity, has become accustomed to demands for authentication. Together, these trends increase the likelihood that authentication systems will become more prevalent. Led by a mentality of "more is better," the public and private sectors have been quick to increase the collection of personal information where this process is supported by cheaper, easier technology.
· Excessive aggregation of personal information. The use of a single identifier (such as the Social Security number) or a small number of identifiers creates the opportunity for more linking of previously separate repositories of personal information. Today, different record keepers have different ways of identifying individuals (and in some cases of tying their identities to transaction histories). The many cards that people carry in their wallets reveal some of the multiple identities by which they are known. The adoption of a single (or small number of) authentication systems across the public and private sector would greatly erode privacy by facilitating the linkage of records maintained by many disparate record keepers.15
· Chilling effects. Wherever identity authentication is required, there is an opportunity for social control. In some instances such control is a laudable goal (such as in contexts that require high security and accountability). But in other areas, there is a risk that new methods of social exclusion and vehicles for prejudicial social control will be created. For example, in a world in which a single identifier (for example, a Social Security number) is relied on by many public and private institutions, the organization in charge of issuing this identifier (the government, in this example) could interfere with a citizen's ability to engage in a wide range of legitimate private sector transactions by revoking the identifier; or, a thief could interfere with the same abilities by stealing the identifier and using it fraudulently.
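The linkage risk described under "Excessive aggregation" above, and the privacy Joseph gains earlier in the chapter by keeping nonlinked identities, can be made concrete. The following is an added Python example, not code from the report: two record keepers hold constructed sample data, and the same cross-database join is attempted first with a shared global identifier and then with a per-organization pseudonym derived by keyed HMAC under a hypothetical issuer secret (ISSUER_KEY, PEOPLE, PHARMACY and BOOKSTORE are all constructed here).

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Constructed sample data (not from the report): two unrelated record
# keepers, a pharmacy and a bookseller, each hold data about the same people.
PEOPLE: Dict[str, str] = {"joseph": "000-11-2222", "maria": "000-33-4444"}  # fake SSN-style numbers
PHARMACY: List[Tuple[str, str]] = [("joseph", "rx: insulin"), ("maria", "rx: statin")]
BOOKSTORE: List[Tuple[str, str]] = [("joseph", "bought: political memoir"), ("maria", "bought: cookbook")]

# Hypothetical secret held only by the identity issuer, never by the record keepers.
ISSUER_KEY = b"constructed-issuer-secret-for-illustration"

Ident = Callable[[str, str], str]  # (organization, person) -> identifier stored by that organization


def global_id(org: str, person: str) -> str:
    """Weak design: every organization keys its records by the same identifier."""
    return PEOPLE[person]


def pairwise_id(org: str, person: str) -> str:
    """Privacy-preserving design: a pseudonym derived per (organization, person).

    The pseudonym is stable for one organization, so it can still tie a person
    to that organization's transaction history, but without ISSUER_KEY it cannot
    be mapped to the pseudonym another organization holds for the same person.
    The keyed HMAC matters: an unkeyed hash of a small-keyspace number such as an
    SSN could be reversed by enumeration, and the same hash at two organizations
    would be exactly as linkable as the raw number.
    """
    msg = f"{org}|{PEOPLE[person]}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_db(org: str, records: List[Tuple[str, str]], ident: Ident) -> Dict[str, str]:
    """What one record keeper stores: identifier -> transaction data."""
    return {ident(org, person): data for person, data in records}


def link(db_a: Dict[str, str], db_b: Dict[str, str]) -> List[Tuple[str, str]]:
    """Join two databases on the identifier column (the aggregation the report
    warns about) and return the record pairs that were linked."""
    return sorted((db_a[k], db_b[k]) for k in db_a.keys() & db_b.keys())


def linked_pairs(ident: Ident) -> List[Tuple[str, str]]:
    """Cross-organization links obtained under a given identifier scheme."""
    return link(build_db("pharmacy", PHARMACY, ident), build_db("bookstore", BOOKSTORE, ident))


if __name__ == "__main__":
    print("links with a global identifier:", linked_pairs(global_id))   # two people linked
    print("links with pairwise pseudonyms:", linked_pairs(pairwise_id))  # []
```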
While there are risks to privacy with some authentication systems, it should be noted that there are situations in which authentication provides an important method of ensuring accountability and of protecting privacy. For example, when specific individuals are granted access to personal or proprietary information for limited purposes, authentication can play an important role in monitoring and enforcing adherence to relevant regulations and laws limiting individuals' access to these purposes.
WHAT THIS REPORT DOES AND DOES NOT DO
This report explores the concepts of authentication, identity, and privacy. It examines various authentication technologies and describes their privacy implications. The report does not recommend specific technologies for specific purposes, nor does it provide an explicit cost analysis such as might be provided by a consultant. Instead, the report discusses the various technologies and elaborates on the trade-offs with respect to privacy that each technology permits. As the remainder of the report makes clear, analyses of specific systems or proposed systems can proceed only with an understanding of the context in which a system will be operating and an understanding of the goals that the system is trying to meet. This report provides a framework for these issues and the necessary vocabulary within which to consider them.
15See this committee's first report, IDs Not That Easy: Questions About Nationwide Identity Systems, Washington, D.C., National Academy Press, 2002, for a discussion of additional questions and issues raised by large-scale, widely used identity systems.
This report seeks to identify ways in which authentication technologies are directly and indirectly affecting privacy. It recognizes that both government and commercial parties do, under many circumstances, have a legitimate need to determine with whom they are dealing. It explores ways in which current authentication systems operate without adequate heed to personal privacy. The report recommends ways in which privacy interests might be better served without compromising the legitimate interests of commercial and government entities that employ authentication technologies.
Chapters 2 and 3 elaborate on the concepts of authentication and privacy to establish the framework for the discussion in the remainder of the report. Given the historical association of authentication with security, Chapter 4 describes security concerns that motivate authentication and then discusses how usability issues matter, both for security and privacy. Chapter 5 examines particular authentication technologies and describes some of the technological issues that arise. Chapter 6 outlines some of the unique challenges facing governments and government agencies with respect to authentication and privacy. Finally, Chapter 7 presents a toolkit for thinking through the implications for privacy of the choices made with respect to how authentication systems are developed and deployed.