Who Goes There? Authentication Through the Lens of Privacy (2003) / Chapter Skim
Currently Skimming:
3 Privacy Challenges in Authentication Systems
3 Privacy Challenges in Authentication Systems
Pages 55-79
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 55... ...
While authentication systems can undermine privacy in these ways, they can also be used in privacy-enhancing or privacy-preserving ways, 55
|
From page 56... ...
identity that may or may not be linked to an individual (identity authentication) ; or, an attribute that applies to a specific individual (attribute authentication)
|
From page 57... ...
This general examination of authentication systems and the personal information practices that result from such systems harks back to the several general privacy risks created or increased by authentication systems, as described in Chapter 1 of this report: covert identification, excessive use of authentication technology, excessive aggregation of personal information, and chilling effects. Given this categorization of privacy risks, an examination of relevant privacy interests will provide a better understanding of the foundations and contours of such interests, the values they protect, and the challenges that authentication technologies pose to privacy interests.
|
From page 58... ...
Similarly, libraries and bookstores generally do not exert control over who enters the premises or what materials they access, but they do exert control over 4For a detailed look at the technological underpinnings of the Internet, see computer science and Telecommunications Board, National Research Council, The Internet's Coming of Age, Washington, D.C., National Academy Press, 2001. Jonathan zittrain.
|
From page 59... ...
The reduction in costs has escalated the data collection and retention associated with authentication events. Increased data collection and retention exacerbate the privacy consequences of authentication events.
|
From page 60... ...
Available online at |
From page 61... ...
The increasing use of the Internet and other networked systems to support access to information, deliver services, and communicate raises questions about the access-control policies governing these interactions and their impact on individual privacy. Similarly, the use of information systems and networking to control access to and movement in physical spaces and to support attribute- and identity-based service and sales decisions off-line raises questions about the authentication systems that support these interactions and their privacy implications.
|
From page 62... ...
A highly mediated environment of networked systems requires system owners to choose between attribute authentication and identity authentication. This choice and the decisions about retention, reuse, and disclosure that flow from it influence the degree of privacy that individuals using the system enjoy.
|
From page 63... ...
Supreme Court to be implicit in other amendments. For example, the Fourth Amendment prohibition against unreasonable searches and seizures and the Fifth Amendment prohibition of compelled self-incrimination explicJournal January 1968~: 475493; Judith Jarvis Thompson, "The Right to Privacy," Philosophy and Public Affairs 4 (summer 1975~: 303; James Rachels, "Why Privacy Is Important," Philosophy and Public Affairs 4 (summer 1975~: 323-333; William M
|
From page 64... ...
The Supreme Court has interpreted the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments as providing protection for different aspects of personal privacy. Although it is important to note that constitutional claims arise only in cases in which some state action interferes with privacy, the values represented by these constitutional claims resonate broadly throughout society.
|
From page 65... ...
This protection has generally been viewed as secondary to the broader protection of the Fourth Amendment. Fourth Amendment Roots of Privacy Law The Fourth Amendment to the U.S.
|
From page 66... ...
In recent years the list of crimes has grown. In addition, the statutory protections for electronic communications such as e-mail do not directly parallel those established for voice communications in the wake of Supreme Court rulings, not to mention that the effects of the USA PATRIOT Act of 2001 (Public Law 107-56, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)
|
From page 67... ...
. Although the latter situations would not be covered by the Fifth Amendment, the Court indicated that the Sixth Amendment protection of counsel, the Fourth Amendment protection against unreasonable searches and seizures, and the due process clause23 would provide protection against the state's overreaching in such situations.
|
From page 68... ...
The Common Law Roots of Privacy Law As mentioned above, constitutional privacy protections limit state action; they do not protect against intrusion by private individuals or entities. Historically, tort law has provided protection for some aspects of personal privacy.
|
From page 69... ...
Finally, statutes that address both market failures and narrow constitutional interpretations have most often resulted from advances in technology that cause civil libertarians and industry to push for new privacy protections against the expansion of governmental and private sector authority to collect and use private information.
|
From page 70... ...
§ 3401; Electronic Communications Privacy Act of 1986,18 U.S.C. § 2510 (1995~; Communications Assistance and Law Enforcement Act of 1994, PL 103414,108 Stat.
|
From page 71... ...
A1though the practices cited in the HEW code have been broadly accepted, slightly different iterations of fair information practices have been offered by different bodies.4l42 Because of the broad recognition accorded the 39In 1976, in United States v. Miller, the supreme court held that individuals had no constitutionally protected privacy interest in checks held by a bank.
|
From page 72... ...
Although these early online privacy study commissions advocated a fairly detailed list of fair information practices, by 2000 the various iterations of fair information practices for online privacy discussed by the Federal Trade Commission and others largely focus on four: notice, choice, access, and security. Efforts to articulate more clearly the essence of information privacy were not limited to the United States.
|
From page 73... ...
PRIVACY CHALLENGES IN AUTHENTICATION SYSTEMS TABLE 3.1 Fair Information Principles and Practices 73 Principle Practice/Meaning Collection limitation Data quality Purpose specification Use limitation (restriction on secondary uses) Security Openness /notice Individual participation Accountability Collect the minimum amount of information that is needed for the relationship or transaction at issueBy lawful and fair means.
|
From page 74... ...
The Advisory Committee on Online Access and Security recognized that security likewise is contextual, that costs and inconveniences affect the level of security that administrators are willing to set and users are willing to bear, and that the establishment of a security system should begin with a risk assessment. The committee outlined five options for achieving security and recommended a solution including these three principles: (1)
|
From page 75... ...
At the same time, lawmakers and courts have recognized that along with protecting the privacy of communications, laws also need to provide for law enforcement access to confidential information where necessary, consistent with basic Fourth Amendment protections. Debates over the appropriate balance between individual privacy interests and law enforcement power revolve around the proposition that increasingly powerful technologies demand increasingly strong privacy protections.
|
From page 76... ...
, wireless phones, and other devices complement and in some cases replace telephone communications, the United States as a nation has generally recognized the need to create privacy protections similar to those established for voice communications by the Supreme Court.45 From telegraph to telephone, wireline phone to cell phone, e-mail to the World Wide Web, users of the major new communication technologies have acquired privacy protections for their communications. Thus far in the history of electronic communications, policy makers, commercial providers, and even those in the field of law enforcement have come to agree that new technologies demand privacy protections,46 both out of faithfulness to basic constitutional values and to assure the commercial viability and acceptance of the latest communications technologies.
|
From page 77... ...
Available online at |
From page 78... ...
As with other advances, in order to speed adoption, policy makers, industry, law enforcement, and privacy advocates should identify the privacy-sensitive features of these technologies and develop appropriate protections. Finding 3.1: Authentication can affect decisional privacy, information privacy, communications privacy, and bodily integrity privacy interests.
|
From page 79... ...
PRIVACY CHALLENGES IN AUTHENTICATION SYSTEMS · Minimize the intimacy of the data collected; · Ensure that the use of the system is audited and that the audit record is protected against modification and destruction; and · Provide means for individuals to check on and correct the information held about them that is used for authentication.
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.