Who Goes There? Authentication Through the Lens of Privacy
Committee on Authentication Technologies and Their Privacy Implications
Computer Science and Telecommunications Board
Division on Engineering and Physical Sciences
NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES
Stephen T. Kent and Lynette I. Millett, Editors
THE NATIONAL ACADEMIES PRESS, Washington, D.C., www.nap.edu
THE NATIONAL ACADEMIES PRESS, 500 Fifth Street, N.W., Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This study was supported by Office of Naval Research Grant Number N00014-00-1-0855, National Science Foundation Grant Number ANI-0090219, General Services Administration Purchase Order Number GSOOCOOAM00228, Social Security Administration Purchase Order Number 0440-01-50677, and Federal Chief Information Officers Council Award Number GSOOCOOAM00228. The Vadasz Family Foundation gave supplemental funding. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the organizations or agencies that provided support for the project.

International Standard Book Number 0-309-08896-8 (Book)
International Standard Book Number 0-309-52654-X (PDF)

Cover designed by Jennifer M. Bishop.

Additional copies of this report are available from the National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.

Copyright 2003 by the National Academy of Sciences. All rights reserved. Printed in the United States of America
THE NATIONAL ACADEMIES: Advisers to the Nation on Science, Engineering, and Medicine

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chair and vice chair, respectively, of the National Research Council.

www.national-academies.org
COMMITTEE ON AUTHENTICATION TECHNOLOGIES AND THEIR PRIVACY IMPLICATIONS

STEPHEN T. KENT, BBN Technologies, Chair
MICHAEL ANGELO, Compaq Computer Corporation
STEVEN BELLOVIN, AT&T Labs Research
BOB BLAKLEY, IBM Tivoli Software
DREW DEAN, SRI International
BARBARA FOX, Microsoft Corporation
STEPHEN H. HOLDEN, University of Maryland, Baltimore
DEIRDRE MULLIGAN, University of California, Berkeley
JUDITH S. OLSON, University of Michigan
JOE PATO, HP Labs Cambridge
RADIA PERLMAN, Sun Microsystems
PRISCILLA M. REGAN, George Mason University
JEFFREY SCHILLER, Massachusetts Institute of Technology
SOUMITRA SENGUPTA, Columbia University
JAMES L. WAYMAN, San Jose State University
DANIEL J. WEITZNER, Massachusetts Institute of Technology

Staff
LYNETTE I. MILLETT, Study Director and Program Officer
JENNIFER M. BISHOP, Senior Project Assistant (beginning October 2001)
SUZANNE OSSA, Senior Project Assistant (through September 2001)
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

DAVID D. CLARK, Massachusetts Institute of Technology, Chair
ERIC BENHAMOU, 3Com Corporation
DAVID BORTH, Motorola Labs
JOHN M. CIOFFI, Stanford University
ELAINE COHEN, University of Utah
W. BRUCE CROFT, University of Massachusetts, Amherst
THOMAS E. DARCIE, AT&T Labs Research
JOSEPH FARRELL, University of California, Berkeley
JOAN FEIGENBAUM, Yale University
WENDY KELLOGG, IBM T.J. Watson Research Center
HECTOR GARCIA-MOLINA, Stanford University
BUTLER LAMPSON (emeritus), Microsoft Corporation
DAVID LIDDLE, U.S. Venture Partners
TOM M. MITCHELL, Carnegie Mellon University
DAVID A. PATTERSON, University of California, Berkeley
HENRY (HANK) PERRITT, Illinois Institute of Technology
DANIEL PIKE, Classic Communications
FRED B. SCHNEIDER, Cornell University
ERIC SCHMIDT, Google, Inc.
BURTON SMITH, Cray Inc.
LEE S. SPROULL, New York University
WILLIAM STEAD, Vanderbilt University
JEANNETTE M. WING, Carnegie Mellon University

Staff
MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Senior Program Officer
JON EISENBERG, Senior Program Officer
LYNETTE I. MILLETT, Program Officer
CYNTHIA A. PATTERSON, Program Officer
STEVEN WOO, Dissemination Officer
JANET BRISCOE, Administrative Officer
RENEE HAWKINS, Financial Associate
DAVID PADGHAM, Research Associate
KRISTEN BATCH, Research Associate
PHIL HILLIARD, Research Associate
MARGARET HUYNH, Senior Project Assistant
DAVID DRAKE, Senior Project Assistant
JANICE SABUDA, Senior Project Assistant
JENNIFER M. BISHOP, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant

NOTE: For more information on CSTB, see its Web site at <http://www.cstb.org>; write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20418; call at (202) 334-2605; or e-mail the CSTB at cstb@nas.edu.
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

DAVID D. CLARK, Massachusetts Institute of Technology, Chair
ERIC BENHAMOU, 3Com Corporation
ELAINE COHEN, University of Utah
THOMAS E. DARCIE, University of Victoria
MARK E. DEAN, IBM Thomas J. Watson Research Center
JOSEPH FARRELL, University of California, Berkeley
JOAN FEIGENBAUM, Yale University
HECTOR GARCIA-MOLINA, Stanford University
RANDY H. KATZ, University of California, Berkeley
WENDY A. KELLOGG, IBM Thomas J. Watson Research Center
SARA KIESLER, Carnegie Mellon University
BUTLER W. LAMPSON, Microsoft Corporation, CSTB member emeritus
DAVID LIDDLE, U.S. Venture Partners
TERESA H. MENG, Stanford University
TOM M. MITCHELL, Carnegie Mellon University
DANIEL PIKE, GCI Cable and Entertainment
ERIC SCHMIDT, Google Inc.
FRED B. SCHNEIDER, Cornell University
BURTON SMITH, Cray Inc.
WILLIAM STEAD, Vanderbilt University
ANDREW J. VITERBI, Viterbi Group, LLC
JEANNETTE M. WING, Carnegie Mellon University

ALAN S. INOUYE, Interim Executive Director
JON EISENBERG, Interim Assistant Director
KRISTEN BATCH, Research Associate
JENNIFER M. BISHOP, Senior Project Assistant
JANET BRISCOE, Administrative Officer
DAVID DRAKE, Senior Project Assistant
RENEE HAWKINS, Financial Associate
PHIL HILLIARD, Research Associate
MARGARET MARSH HUYNH, Senior Project Assistant
HERBERT S. LIN, Senior Scientist
LYNETTE I. MILLETT, Program Officer
DAVID PADGHAM, Research Associate
CYNTHIA A. PATTERSON, Program Officer
JANICE SABUDA, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant
STEVEN WOO, Dissemination Officer

For more information on CSTB, see its Web site at <http://www.cstb.org>, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20418; call at (202) 334-2605; or e-mail the CSTB at cstb@nas.edu.
Preface

The broadening use of the Internet implies that, more and more, people are communicating and sharing information with strangers. The result is growth in different kinds of demand to authenticate system users, and the different motivations for requiring authentication imply different trade-offs in evaluating technical and nontechnical options. Motivations range from those related to system security (for example, the ability to access critical systems or medical records) to those related to business development (for example, the ability to use "free" Web-based resources or to have access to elements of electronic commerce). The key questions surrounding these issues relate to what data about a person are shared, how they are shared (including whether overtly and cooperatively as well as by what technique), why they are shared (fitting the purpose to the nature and amount of data), and how the data are protected. Concerns that arise about adverse impacts on personal privacy from particular approaches to authentication may reflect judgments about the rationale (e.g., how much information about a person is really needed to authorize access to a particular system) as well as concern about the soundness of the technical and procedural steps taken to protect the personal information gathered in the process of authentication. Those concerns are heightened by the growing ease of aggregation of information collected from multiple sources (so-called data matching), the observed tendency to collect information without an individual's knowledge, and
sectors as banking/finance and health). One original committee member, David Solo of Citigroup, was unable to continue his participation in the project because of unforeseen time constraints.

PROCESS

Empanelled during the winter of 2000, the committee met seven times between March 2001 and August 2002 to plan its course of action, receive testimony from relevant experts, deliberate on its findings, and draft its final report. It continued its work between meetings and into the fall and end of 2002 by electronic communications. During the course of its study, the committee took briefings from information and authentication technology researchers and developers in industry and universities and from leaders in government agencies involved in the development and deployment of authentication technologies. It also heard from privacy and consumer protection experts and representatives from various sectors of industry that use authentication technologies for business processes and e-commerce. The committee also went to VeriSign in California for a site visit. (See Appendix B for a complete list of briefers to the committee.)

More than half of the committee's meetings were held and most of this report was written after the events of September 11, 2001. At its October 2001 meeting, the committee decided, with CSTB's encouragement, to develop a short report addressing the concept of nationwide identity systems, a topic that has received much media and policy attention since the terrorist attacks. Given that many of the committee's discussions and briefings were closely related to issues of identity and identification, the committee was well positioned to comment in a timely fashion on the topic. Supplemental funding for that activity was provided by the Vadasz Family Foundation. That report was released in April 2002 and is available from the National Academies Press.¹

ACKNOWLEDGMENTS

As with any project of this magnitude, thanks are due to the many individuals who contributed to the work of the committee. The committee thanks those who came to various meetings to provide briefings and Warwick Ford for arranging the site visit at VeriSign in January. Thanks are also due to those who sponsored the study: the National Science Foundation (George Strawn and Aubrey Bush), the Office of Naval Research (Andre van Tilborg), the General Services Administration (Mary Mitchell), the Federal Chief Information Officers Council (Keith Thurston and Roger Baker), and the Social Security Administration (Sara Hamer and Tony Trenkle). We are grateful to Peter Swire for commissioning the project, to Richard Guida and Denise Silverberg for helping to muster support through the FPKI Steering Committee, and to Kathi Webb of Rand for providing early access to its biometrics study project.

Finally, the committee thanks David D. Clark, chair of the CSTB, and Marjory S. Blumenthal, CSTB's director when this study was being carried out, for valuable insights. The committee also thanks the following members of the CSTB staff for their contributions. Janet Briscoe provided crucial administrative support, especially with the October 2001 workshop. Suzanne Ossa was the initial senior project assistant for this project. Jennifer Bishop took over as senior project assistant and provided significant help with report preparation and editing; she also designed the covers of both this report and the earlier committee report and developed many of the diagrams. David Padgham provided background research and descriptions of various pieces of legislation. Wendy Edwards, an intern with CSTB in the summer of 2002, also provided some background research. Steven J. Marcus made an editorial pass through an earlier draft of the report, and Dorothy Sawicki and Liz Fikre made significant editorial contributions in preparation for publishing. Special thanks are due to Lynette I. Millett, the study director for this project. She worked very closely with the chair and other committee members, transforming their inputs into a coherent report that attempts to explain a complex topic in an understandable fashion.

Stephen T. Kent, Chair
Committee on Authentication Technologies and Their Privacy Implications

¹Computer Science and Telecommunications Board, National Research Council. IDs—Not That Easy: Questions About Nationwide Identity Systems. Washington, D.C., National Academy Press, 2002.
Acknowledgment of Reviewers

This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council's Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report: Ross Anderson, University of Cambridge; Scott Charney, Microsoft; Carl Ellison, Intel Corporation; Joel S. Engel, JSE Consulting; Michael Froomkin, University of Miami School of Law; John D. Halamka, Harvard Medical School; Jerry Kang, University of California, Los Angeles; Sally Katzen, Independent Consultant; Deborah T. Mayhew, Deborah T. Mayhew and Associates; Jeffrey Naughton, University of Wisconsin-Madison; Marek Rejman-Greene, BTexaCT Technologies; and Barbara Simons, IBM.
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Mildred S. Dresselhaus and Randall Davis, both at the Massachusetts Institute of Technology. Appointed by the National Research Council, they were responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.
Contents

EXECUTIVE SUMMARY, 1

1 INTRODUCTION AND OVERVIEW, 16
  Definitions and Terminology, 18
  Authentication in Daily Life, 21
  Current Tensions, 28
  Four Overarching Privacy Concerns, 30
  What This Report Does and Does Not Do, 31

2 AUTHENTICATION IN THE ABSTRACT, 33
  What Is Authentication and Why Is It Done?, 33
  Three Parties to Authentication, 36
  Authenticating to Authorize, 37
  Authenticating to Hold Accountable, 38
  What Do We Authenticate?, 41
  Identifiers, 42
  Attributes, 43
  Statements, 44
  How Do We Authenticate?, 45
  Authenticating Physical Identity, 47
  Authenticating Psychological Identity, 47
  Authenticating Possession of an Artifact, 49
  Identification, 50
  The Relationship Between Authentication and Identification, 51

3 PRIVACY CHALLENGES IN AUTHENTICATION SYSTEMS
  Privacy Impact of the Decision to Authenticate, 56
  Access Control and Information Systems, 57
  The Legal Foundations of Privacy, 62
  Constitutional Roots of Privacy, 63
  The Common Law Roots of Privacy Law, 68
  Statutory Privacy Protections, 69
  Information Privacy and Fair Information Practices, 71
  Privacy of Communications, 75
  Concluding Remarks, 78

4 SECURITY AND USABILITY, 80
  Threat Models, 81
  Threats, 81
  Dealing with Threats, 84
  Authentication and People
  User-Centered Design, 86
  Lessons from User-Centered Design, 87
  Lessons from Cognitive and Social Psychology, 90
  Factors Behind the Technology Choice, 95
  Systems and Secondary Use, 97
  Concluding Remarks, 101

5 AUTHENTICATION TECHNOLOGIES, 104
  Technological Flavors of Authentication, 104
  Basic Types of Authentication Mechanisms, 106
  Something You Know, 107
  Something You Have, 110
  Something You Are, 120
  Multifactor Authentication, 123
  Centralized Versus Decentralized Authentication Systems, 125
  Security Considerations for Individual Authentication Technologies, 132
  Cost Considerations for Individual Authentication Technologies, 135
  Concluding Remarks, 136

6 AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT, 138
  Regulator of Private Sector and Public Agency Behaviors and Processes, 140
  Government-wide Law and Policy, 141
  Agency- or Program-Specific Law and Policies, 145
  Regulation of Private Sector Information Management Activity, 149
  Policy Activity in the Early 2000s, 151
  Summary, 155
  Government as Issuer of Identity Documents, 155
  The Tangled Web of Government-Issued Identity Documents, 162
  Threats to Foundational Documents, 165
  Government as Relying Party for Authentication Services, 169
  Access Certificates for Electronic Services, 170
  The Internal Revenue Service Electronic Tax Filing, 172
  The Social Security Administration and PEBES, 175
  Nationwide Identity Systems, 176
  Concluding Remarks, 177

7 A TOOLKIT FOR PRIVACY IN THE CONTEXT OF AUTHENTICATION, 179
  Privacy-Impact Toolkit, 181
  Attribute Choice, 182
  Identifier Selection, 186
  Identity Selection, 189
  The Authentication Phase, 190
  Concluding Remarks, 192

APPENDIXES
  A Biographies of Committee Members and Staff, 197
  B Briefers to the Study Committee, 207
  C Some Key Concepts, 209
  What Is CSTB?, 213