1 Introduction and Overview

The growth of technologies that ease surveillance, data collection, disclosure, aggregation, and distribution has diminished the obscurity and anonymity that are typical of everyday interactions. From phone systems that block the calling number on outgoing calls and simultaneously identify all incoming callers,1 to "loyalty" programs that collect data about individuals' purchasing habits,2 to the government's use of tracking and identification technologies in an increasingly broad range of environments, records of individuals' activities are now routinely made and stored for future use. Technologies such as facial recognition and video cameras are being deployed in an attempt to identify and/or monitor individuals surreptitiously as they go about the most mundane of activities.3 Ubiquitous computing promises to put computational power everywhere by embedding it seamlessly and unobtrusively into homes, offices, and public spaces. The fully networked environment that ubiquitous computing is making possible raises complicated questions about privacy and identification.4 What does it mean when data collection, processing, and surveillance (and perhaps authentication and identification) become the norm?

In applications ranging from electronic commerce to electronic tax filing, to controlling entry to secured office buildings, to ensuring payment, the need to verify identity and authorize access has driven the development of increasingly advanced authentication systems. These systems vary widely in complexity and scope of use: passwords in combination with electronic cookies are used for many electronic commerce applications, smart cards coupled with biometrics allow access to secured areas, and sophisticated public-key mechanisms are used to ensure the integrity of many financial transactions. While there are many authentication technologies, virtually all of them involve the use of personal information and, in many cases, personally identifiable information, raising numerous privacy concerns.

This report examines authentication technologies through the lens of privacy. It is aimed at a broad audience, from users (both end users and organizations) of authentication systems, to people concerned with privacy broadly, to designers and implementers of authentication technologies and systems, to policy makers.

1"Pacific Bell Offers Privacy Manager," RBOC Update 12(5) (new offering for per-call control over incoming messages); Beth Whitehouse, "In Pursuit of Privacy: Phone Services Designed to Protect Can Also Be Extremely Frustrating," Newsday, March 26, 2001, p. B03 (problems arising from use of caller ID and call-blocking plans).

2See, generally, Marion Agnew, "CRM Plus Lots of Data Equals More Sales for Borders - Retail Convergence Aligns Web-based Marketing and Strategies with Those of Physical Stores," InformationWeek, May 7, 2001 (Borders' plan to merge online and off-line customer data and loyalty programs); Kelly Shermach, "Coalition Loyalty Programs: Finding Strength in Numbers," Card Marketing 5(3):1 (benefits of shared data from joint marketing card products).

3Lev Grossman, "Welcome to the Snooper Bowl: Big Brother Came to Super Sunday, Setting Off a New Debate About Privacy and Security in the Digital Age," Time, February 12, 2001, p. 72 (the use of facial recognition technology by the Tampa Bay police department to search the 72,000 people in the crowd at Super Bowl XXXV); Ace Atkins, "Surveillance Tactic Faces Off with Privacy," Tampa Tribune, February 7, 2001, p. 1 (police might buy controversial new technology, tried out at the Super Bowl, that scans faces in public places; surveillance cameras take pictures of people in crowds and a computer compares numeric facial patterns to a databank of criminals); Katherine Shaver, "Armey Protests Cameras Sought on GW Parkway; Speed Deterrent Likened to Big Brother," Washington Post, May 9, 2001, p. B01 (the National Park Service tested a radar camera from August 1999 to February 2000 in two areas of the George Washington Memorial Parkway in the Washington, D.C., area, and House Majority Leader Richard Armey asked Department of the Interior Secretary Gale A. Norton to ban the cameras, calling them "a step toward a Big Brother surveillance state"); Richard Morin and Claudia Deane, "DNA Databases Casting a Wider Net," Washington Post, May 8, 2001, p. A21 (the national DNA database and the fact that all 50 states have passed some version of a DNA data-banking law); Ian Hopper, "New Documents Disclose Extent of FBI's Web Surveillance," Sunday Gazette Mail, May 6, 2001, p. POD (the FBI's use of Internet eavesdropping using its controversial Carnivore system, a set of software programs for monitoring Internet traffic [e-mails, Web pages, chat-room conversations, and other signals], 13 times between October 1999 and August 2000, and a similar device, Etherpeek, another 11 times).

4See CSTB's report Embedded, Everywhere: A Research Agenda for Networked Systems of Embedded Computers (Washington, D.C., National Academy Press, 2001), particularly Chapter 4, which discusses security and privacy in ubiquitous computing environments.
18 WHO GOES THERE?

Notwithstanding considerable literature on privacy, the legal and social meaning of the phrase "the right to privacy" is in flux. Rather than presenting an encyclopedic overview of the various technologies or an in-depth treatise on privacy, this report explores the intersection of privacy and authentication, which raises issues of identification, authorization, and security.

This introductory chapter presents definitions and terminology that are used throughout the report. It introduces four overarching privacy concerns that illustrate how privacy and authentication can interact in ways that negatively affect privacy. It also provides a "day-in-the-life" scenario to motivate a discussion of authentication and privacy. Finally, there is a brief discussion of what this report does not do, along with an outline of the rest of the report.

DEFINITIONS AND TERMINOLOGY

Throughout this report, numerous interrelated concepts associated with authentication, identity, and privacy are discussed. Several of these concepts are briefly defined below for clarity. As noted in the committee's first report, IDs Not That Easy, many of these concepts represent complicated, nuanced, and, in some instances, deeply philosophical topics.5 Note that while the definitions below refer to individuals, they should also be understood to apply, when appropriate, to nonhuman subjects such as organizations, identified computers, and other entities. Popular belief to the contrary, authentication does not necessarily prove that a particular individual is who he or she claims to be; instead, authentication is about obtaining a level of confidence in a claim. The concepts below are teased apart both to describe how the terms are used in this report and to highlight how ambiguous many of them remain.

• An identifier points to an individual. An identifier could be a name, a serial number, or some other pointer to the entity being identified. Examples of personal identifiers include personal names, Social Security numbers (SSNs), credit card numbers, and employee identification numbers. It is sometimes necessary to distinguish between identifiers and the things that they identify. In order to refer to an identifier in a way that distinguishes it from the thing that it identifies, the identifier is written in quotation marks (for example, "Joseph K." is an identifier, specifically a personal name, whereas Joseph K. is a person).

5Indeed, the committee has refined and evolved its core definitions since the publication of its earlier report IDs Not That Easy: Questions About Nationwide Identity Systems (Washington, D.C., National Academy Press, 2002).
• An attribute is a property associated with an individual. Examples of attributes include height, eye color, employer, and organizational role.

• Identification is the process of using claimed or observed attributes of an individual to infer who the individual is. Identification can be done without the individual's having to (or being given the opportunity to) claim any identifier (for example, an unconscious patient in an emergency room might be identified without having to state his or her name).

• Authentication is the process of establishing confidence in the truth of some claim. The claim could be any declarative statement, for example, "This individual's name is 'Joseph K.'" or "This child is more than 5 feet tall." Both identifiers and attributes can be authenticated, as the examples just cited demonstrate.

  - Individual authentication is the process of establishing an understood level of confidence that an identifier refers to a specific individual. Individual authentication happens in two phases: (1) an identification phase, during which an identifier to be authenticated is selected in some way (often the identifier selected is the one claimed by the individual), and (2) an authentication phase, during which the required level of confidence is established (often by challenging the individual to produce one or more authenticators supporting the claim that the selected identifier refers to the individual). In the information security literature, individual authentication is sometimes referred to as "user authentication." In the biometrics literature, individual authentication of an identifier claimed by the individual is often called "verification."

  - Identity authentication is the process of establishing an understood level of confidence that an identifier refers to an identity. It may or may not be possible to link the authenticated identity to an individual. For example, verification of the password associated with a Hotmail account authenticates an identity (foo@example.com) that may not be possible to link to any specific individual. Identity authentication happens in two phases: (1) an identification phase, during which an identifier to be authenticated is selected in some way (often the identifier is selected by a claimant), and (2) an authentication phase, during which the required level of confidence is established (often by challenging the claimant to produce one or more authenticators supporting the claim that the selected identifier refers to the identity).
  - Attribute authentication is the process of establishing an understood level of confidence that an attribute applies to a specific individual. Attribute authentication happens in two phases: (1) an attribute selection phase, during which an attribute to be authenticated is selected in some way, and (2) an authentication phase, during which the required level of confidence is established, either by direct observation of the individual for the purpose of verifying the applicability of the attribute or by challenging the individual to produce one or more authenticators supporting the claim that the selected attribute refers to the individual.

• An authenticator is evidence that is presented to support the authentication of a claim. It increases confidence in the truth of the claim. A receipt, for example, can act as an authenticator of a claim that an item was purchased at a specific store.6 A driver's license can act as an authenticator that a particular name (a form of identifier) refers to the individual who carries the license. Knowledge of a secret or the ability to display some distinctive physical characteristic such as a fingerprint can also serve as the authenticators of an individual's name.

• Authorization is the process of deciding what an individual ought to be allowed to do. Authorization is distinct from authentication (which establishes what an individual "is" rather than what the individual "is allowed"). Authorization policies determine how authorization decisions are made. Authorization policies base decision making on a variety of factors, including subject identifiers (such as names) and subject attributes other than identifiers (such as employee status, credit rating, and so on).

• The identity of X is the set of information about an individual X that is associated with that individual in a particular identity system Y. However, Y is not always named explicitly. An identity is not the same as an identifier: "Joseph K." is an identifier (specifically, a name), but Joseph K. is a person. It is not always easy to determine which individual an identifier refers to. For example, "George Bush, the president of the United States, who lives in Texas and who attended Yale" is an identifier that refers to two individuals. Identities also consist of more than just names: Richard Nixon was an individual, but his identity also includes other facts, such as that he was president of the United States and that he resigned that office. Furthermore, identities contain statements that are not strictly facts: a man who was stranded on a desert island in 1971 and who believed in 1975 that Richard Nixon was still President would have his facts wrong but would not misidentify Nixon. Finally, people disagree about identities and about which individuals they refer to; if one believes newspaperman Bob Woodward, there was an individual who went by the code name "Deep Throat" during the Watergate investigation that led to Nixon's resignation, but different people have different opinions about who that individual is.

• Security refers to a collection of safeguards that ensure the confidentiality of information, protect the integrity of information, ensure the availability of information, account for use of the system, and protect the systems and/or networks used to process the information. Security is intended to ensure that a system resists attacks and tolerates failures. (See Chapter 4 for a more in-depth discussion of security and authentication.)

• Privacy is a multifaceted term with many contextually dependent meanings. One aspect of the right to privacy is the right of an individual to decide for himself or herself when and on what terms his or her attributes should be revealed. (See Chapter 3 for some historical background on privacy and a brief exploration of current privacy law and policy in the United States.)

6Confusion can arise when the same thing is used as both an authenticator and an identifier, as happens frequently with credit card numbers.

AUTHENTICATION IN DAILY LIFE

Individuals authenticate themselves to others and to information systems in many different contexts. The identifiers and attributes that they authenticate vary, depending on the situation. Individuals may identify themselves as named users of computer systems, employees, frequent flyers, citizens, students, members of professional societies, licensed drivers, holders of credit cards, adults over the age of 18, and so on. There need not be any single identity associated with each person that is globally unique and meaningful to all of the organizations and individuals with whom that person interacts. Thus, people often assert different identities under different circumstances.

Finding 1.1: Most individuals maintain multiple identities as social and economic actors in society.

To illustrate the myriad ways in which instances of identification and authentication arise in everyday life and to highlight some of the important issues associated with new systems, the committee hypothesized scenarios in the life of Joseph K. as he goes on a business trip. The stand-alone sentences describe Joseph's actions; the indented paragraphs that follow
point out important associated issues. (Specific technologies are discussed in more detail later in the report.)

Joseph first dials in to his corporate network from home and authenticates himself to a network access server. He does so by claiming to be an employee of CompuDigi Corporation, using a name and a smart card that is read by his computer.

    Successfully completing this authentication procedure authorizes Joseph to access the corporate network. All employees have the same basic access privileges for the network, so it might seem that there is no need to authenticate each employee independently by name for log-in purposes. However, by assigning each employee a unique log-in name, CompuDigi can track Joseph's log-in sessions separately from those of other employees, enabling audit, and it can more easily revoke Joseph's access if he leaves the company or if his smart card is lost or stolen.

Joseph now accesses an airline Web site to book his flights, probably unaware that authentication of another sort is going on.

    The Web site employs Secure Sockets Layer (SSL), a security protocol, to provide confidentiality for data transmitted between Joseph's personal computer (PC) and the site. This prevents eavesdroppers on the path between the PC and the Web site from observing sensitive data. It also provides an implicit authentication of the Web site to Joseph. This authentication is based on the Internet name of the Web site, as contained in the uniform resource locator (URL) that Joseph implicitly selected from his list of commonly accessed Web sites. Joseph is generally unaware of this authentication process unless it fails and generates a warning message. The only indication to him that the process has succeeded is the appearance of a small padlock icon in the browser window (which he may not notice).

Joseph now uses his airline frequent-flyer account number to identify himself and a personal identification number (PIN) to authenticate this identifier.

    The airline is not necessarily interested in Joseph's identity as an employee of CompuDigi but rather in his identity as a customer of the airline. Based on his frequent-flyer status, Joseph is able to request a seat with better legroom in the front section of the aircraft.
    Joseph is authorized to upgrade his seat based on his frequent-flyer status (an attribute), which in turn is based on his travel history. (Joseph's frequent-flyer number may remain constant with the airline for many years, but his status, and hence his authorization to upgrade to a better seat, will vary depending on how often he flies.) Thus, Joseph's frequent-flyer number (an identifier) is used as a key for a database that the airline uses to determine his status and hence his authorization.

To pay for his flight, Joseph provides a credit card account number. Knowledge of the account number and expiration date serves to authenticate him as a cardholder.

    Using a credit card number and expiration date as authenticators is a relatively weak form of authentication, since the account number serves as the primary identifier as well. This credit card data might be stored on the Web server; or, it might be used only for the transaction at hand and not be stored on the Web server. If there were a way for Joseph to be sure that the Web server was not storing his credit card information, it might increase his trust in the system (assuming that he had been notified of this policy).

An electronic ticket is issued for Joseph's flights. Next, he wishes to connect to the Web site of a hotel chain to book a room.

    This Web site supports a feature known as client certificates, a little-used facet of SSL that can be employed to automate the user-authentication process. When Joseph initially registered on the Web site as a frequent guest of the hotel chain, the site interacted with his browser in order to issue him a public key certificate (an electronic file containing information related to Joseph's interactions with this site; see Chapter 5 for more on public key cryptography, private keys, and certificates). This certificate contains an identifier that links to Joseph's account but is otherwise not meaningful. Thus, the certificate cannot be used by Joseph to authenticate himself to any other Web sites.

    During the initial certificate generation process, Joseph was prompted to provide a password to be used by his browser to protect the private key associated with the certificate. This single password could protect all of the private keys stored by Joseph's browser for use with all of the certificates issued by Web sites that Joseph visits. Such use of the password would simplify Joseph's life if he had many certificates, but few Web sites make use of client certificates, so in practice Joseph would gain only a small benefit from this feature. Note that in terms of security, the private key becomes a proxy for the password and is thus no more secure than the combination of that password and the physical means used to protect the encrypted private key.

When Joseph visits the hotel Web site (having registered and received a certificate earlier), his browser is queried by the Web site to send Joseph's certificate and to use the associated private key to verify Joseph's frequent-guest account identifier. Joseph is prompted by the browser to enter the password to unlock his private keys, and he is logged in to the Web site.

    Again, it is Joseph's identity as a frequent client (rather than his name or other attributes) that is important. His status as a frequent guest entitles him to a free room upgrade. This is another example of authorization based on data associated with Joseph's identity in a specific context. In this context, Joseph elected to store credit card information as part of his profile with the hotel chain, so it is used automatically to guarantee his reservation in the event of a late arrival. If the Web site does not adequately protect the data that it stores, Joseph's credit card data may be inappropriately disclosed to others. The use of encryption to protect Joseph's data in transit to the site does not protect against this sort of security failure in any way.

Joseph has also elected to store several frequent-flyer numbers in his hotel profile so that he can acquire "mileage" credit for his stay.

    With this action, Joseph has voluntarily elected to provide data to the hotel chain, enabling the hotel to link his (otherwise) independent hotel and airline identities. This provides the hotel marketing organization with an ability to market directly to Joseph on the basis of his travel patterns and preferences, as well as to offer amenities in a more customer-friendly fashion when Joseph stays at its hotels. It also provides an ability to sell Joseph's name, address, and possibly his e-mail address to other companies, based on the attributes in his frequent-traveler profile.

Finally, Joseph logs in to a rental car Web site and arranges for a vehicle for his trip.

    Here, Joseph authenticates himself using his name and his frequent-renter account number; no explicit password or PIN is required. Joseph's profile at this Web site allows the rental car company to select automatically his favorite class of vehicle. Joseph has also provided a code that identifies him as an employee of CompuDigi, making him eligible for the special rates negotiated by CompuDigi
for its employees. This code is an attribute not specific to Joseph; it is used as a basis for authorizing all employees to make use of the corporate discount program. Joseph's profile includes credit card data as well as his driver's license data, both of which are required for rental car transactions.

En route to the airport, Joseph makes use of an electronic toll tag lane, which allows him to avoid longer lines for drivers paying tolls with cash.

    The toll tag device, mounted on the windshield of Joseph's car, engages in an electronic (radio frequency, or RF) challenge/response authentication protocol with a responder at each toll plaza, authenticating the toll tag device to the toll collection system. This system authenticates the tag's number, which is linked to Joseph's account identity in the toll system database. In turn, this number is linked to Joseph's bank account, enabling automatic debit of his account for each toll transaction. The toll system may be concerned only with receiving payment of the toll, so it is the identification of the bank account that is of primary interest here.7

Joseph arrives at the airport and makes use of a kiosk to acquire his boarding pass. To authenticate himself, he swipes the same credit card that he used to purchase the airline ticket through a magnetic-stripe reader.

    In this case, possession of the credit card is viewed as authentication of identity.

At the airport security checkpoint, Joseph must present his boarding pass and a government-issued photo identification (ID) for authentication.

    The name on the photo ID must match (either exactly or "closely") the name on the boarding pass, and the photo on the ID must be a good enough likeness to be acceptable to the security screening personnel.

Upon arrival at his destination airport, Joseph proceeds to the rental car area, where his car is waiting in a spot at which his name is displayed. As he exits the rental car lot, Joseph is required to present his driver's license.

    This procedure is designed to authenticate Joseph as the individual who holds the online reservation and to whose credit card the rental will be charged. In principle, the process should also verify that Joseph holds a valid driver's license, a prerequisite for car rental. In contrast to the boarding-pass check at the airport, the rental agreement has more information about Joseph, including the name of the state that issued the driver's license and the license number. Such information is nominally part of this authentication process, providing more evidence that the person presenting the license to the electronic record is connected to a printed receipt. Also, note that while a passport would be an acceptable form of photo ID for use with the boarding pass (and would be required for international flights), it is not acceptable here, because there is a requirement for a credential that demonstrates authorization to drive and that establishes accountability of a particular individual for loss of or damage to the automobile. A driver's license accomplishes both goals, because it directly asserts authorization to drive and because it contains or can be used to obtain the driver's address. The rental car agency (depending on the state in which Joseph is renting) may have reserved the right to screen Joseph's driving record, which it may access electronically using his driver's license number.

When Joseph arrives at his hotel, he presents a credit card at the front desk. The hotel matches the name on the credit card against the room-reservation database to identify Joseph.

    Since the primary concern of the hotel is that it is compensated for the room rental, the presentation of a valid credit card (including verification that the credit card account is in good standing, not reported lost or stolen) is an acceptable form of authentication in this context.8 The credit card is itself authenticated on the basis of the information contained on the magnetic stripe on the back of the card and on the basis of the appearance of the card (for example, the appearance of a standard hologram as part of the card face). If a conflict occurs (two individuals with the same name claim the same reservation at the same hotel on the same day), additional identification credentials will be required to resolve the conflict.

7While it may be possible to link the tag to a cash account that is not linked to the driver, in many cases such systems do make explicit the linkage between the account and the "presumed" driver.

8Note that hotels in countries other than the United States often are required to request the presentation of a passport and sometimes even retain the document until the guest checks out.
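The separation the definitions draw (identifier, authenticator, attribute, authorization policy) and the frequent-flyer step of the scenario, where the account number is a database key and a status attribute derived from travel history drives the upgrade decision, can be shown in working code. The following Python is an added example, not code from the report or from any airline system; the account table, the PIN handling (a salted PBKDF2 verifier), the status thresholds, and the names, numbers and PINs are all constructed assumptions. It also carries the audit and revocation points made for the corporate log-in: because each record has its own identifier, events are logged per identifier and one account can be revoked without touching the others.

```python
"""Added example (not from the report): the report's definitions rendered as code.

Assumptions (not in the report): an in-memory account table keyed by the
frequent-flyer number, a PIN stored as a salted PBKDF2 hash, and a status
rule derived from miles flown. Names, numbers and PINs are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# (identifier, event): the audit trail is kept per identifier, as in the corporate log-in.
AUDIT_LOG: List[Tuple[str, str]] = []


def _pin_hash(pin: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a PIN; the PIN itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def _make_record(name: str, pin: str, miles_last_year: int) -> Dict:
    salt = os.urandom(16)
    return {
        "name": name,                          # an identifier the airline stores but does not key on
        "pin_salt": salt,
        "pin_hash": _pin_hash(pin, salt),      # verifier for the authenticator (the PIN)
        "miles_last_year": miles_last_year,    # travel history, the basis of the status attribute
        "revoked": False,
    }


# Constructed sample data. The frequent-flyer number (an identifier) is the
# database key; the record holds the authenticator verifier and the attributes.
ACCOUNTS: Dict[str, Dict] = {
    "FF-10045": _make_record("Joseph K.", "2468", 62_000),
    "FF-20099": _make_record("Anna M.", "1357", 8_000),
}


def identification_phase(claimed_identifier: str) -> Optional[str]:
    """Phase 1: select the identifier to be authenticated (here, the one the claimant gives)."""
    return claimed_identifier if claimed_identifier in ACCOUNTS else None


def authentication_phase(identifier: str, pin: str) -> bool:
    """Phase 2: establish confidence that the identifier refers to the claimant by
    checking the authenticator (the PIN) against the stored verifier."""
    rec = ACCOUNTS[identifier]
    if rec["revoked"]:
        return False
    candidate = _pin_hash(pin, rec["pin_salt"])
    return hmac.compare_digest(candidate, rec["pin_hash"])


def authenticate(claimed_identifier: str, pin: str) -> Optional[str]:
    """Both phases together; returns the authenticated identifier or None."""
    identifier = identification_phase(claimed_identifier)
    if identifier is None:
        AUDIT_LOG.append((claimed_identifier, "unknown identifier"))
        return None
    ok = authentication_phase(identifier, pin)
    AUDIT_LOG.append((identifier, "login ok" if ok else "login failed"))
    return identifier if ok else None


def status_attribute(identifier: str) -> str:
    """Derive the status attribute from travel history; it changes as the history changes."""
    miles = ACCOUNTS[identifier]["miles_last_year"]
    if miles >= 50_000:
        return "gold"
    if miles >= 25_000:
        return "silver"
    return "member"


def authorize_upgrade(identifier: str) -> bool:
    """Authorization policy: the decision depends on an attribute (status), not on the name."""
    return status_attribute(identifier) in ("gold", "silver")


def request_upgrade(claimed_identifier: str, pin: str) -> str:
    """The whole flow: authenticate first, then decide what the claimant may do."""
    identifier = authenticate(claimed_identifier, pin)
    if identifier is None:
        return "denied: authentication failed"
    if not authorize_upgrade(identifier):
        return "denied: status does not permit upgrade"
    return "granted"


def revoke(identifier: str) -> None:
    """Each account has its own identifier, so one can be revoked while the others keep working."""
    ACCOUNTS[identifier]["revoked"] = True


if __name__ == "__main__":
    print(request_upgrade("FF-10045", "2468"))   # granted
    print(request_upgrade("FF-20099", "1357"))   # denied: status does not permit upgrade
    print(request_upgrade("FF-10045", "0000"))   # denied: authentication failed
```

The contrast with the credit-card step is visible in the structure: here the authenticator (the PIN) is separate from the identifier and is checked against a stored verifier, whereas a card number used as both identifier and authenticator gives the verifier nothing beyond the data every merchant already sees.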
When Joseph arrives at the CompuDigi meeting site, he uses his employee badge to gain entrance to the building. Joseph presents the card to a reader, which requires him to enter a PIN, a procedure designed to prevent unauthorized use of the card if it is lost or stolen.

    Joseph's badge is a smart card, a credit-card-sized device that contains a processor, memory, and an input/output (I/O) interface. On this card is stored a public key certificate and corresponding private key. The card engages in a cryptographic challenge/response exchange with the building's physical security computer system to authenticate Joseph as a CompuDigi employee and to authorize him to enter the building.

This scenario illustrates that Joseph has many identities, not just one. These different identities represent him in his interactions with different organizations, each of which identifies him in a distinct context. In many instances, there is no need for these distinct identities to be tightly linked to one another, although there are exceptions. Sometimes Joseph makes an explicit choice to create the linkage (for example, for perceived benefits); at other times the linkage is required by the context (for example, the connection of his driver's license and his driving record). To the extent that Joseph chooses, or is allowed, to maintain separate identities in his interactions with organizations, he increases his privacy, because he discloses to each organization only the information required for interactions with that organization.

By maintaining separate and nonlinked identities, Joseph has some control over who gets which pieces of information about his activities, preferences, and lifestyle. Some of this control might be deliberate on Joseph's part, but some of it may have been the happenstance of a competitive market system in which linkages have not yet been fully unified across corporate and government databases. For Joseph to exercise proactive control over the dissemination and use of personal information about himself, he must become aware of how and where that information is being collected, linked, and used. As activities within society become increasingly automated, it becomes harder and harder for anyone to make these informed decisions. Without informed, proactive control on Joseph's part, the various authentication events described in this scenario pose risks in terms of both security and privacy. The rest of this report elaborates on various authentication technologies and their relationship to privacy issues.
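The toll-tag lane earlier in the scenario and the smart-card badge check above both rest on a challenge/response exchange: the verifier authenticates a device's number and only then links that number to an account (the toll account and, through it, the bank account; the employee record for the badge). The following Python is an added example, not code from the report or from any toll or badge system. It assumes a symmetric per-tag key with HMAC-SHA256 and a random 16-byte challenge, and the tag numbers, account identifiers and balances are constructed; the report specifies none of these. The badge variant would sign the challenge with the card's private key and the reader would verify the signature with the public key in the card's certificate; the shape of the exchange is the same. The verifier side also shows why the challenge has to be fresh: a response captured in one exchange is rejected when presented again.

```python
"""Added example (not from the report): a challenge/response exchange of the
kind the toll-tag and badge passages describe, with the verifier linking the
authenticated tag number to an account and debiting it.

Assumptions (not in the report): a shared per-tag secret key, HMAC-SHA256
over the tag number and a fresh random challenge, and constructed tag
numbers, account identifiers and balances.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

TOLL_CENTS = 275  # constructed toll amount


def _response(key: bytes, tag_number: str, challenge: bytes) -> bytes:
    """The response binds the tag number to this particular challenge."""
    return hmac.new(key, tag_number.encode() + challenge, hashlib.sha256).digest()


class TollTag:
    """Device side: holds its tag number and secret key and answers challenges."""

    def __init__(self, tag_number: str, key: bytes) -> None:
        self.tag_number = tag_number
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return _response(self._key, self.tag_number, challenge)


class TollSystem:
    """Verifier side: issues challenges, checks responses, then debits the linked account."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}            # tag number -> shared key
        self._account_of: Dict[str, str] = {}        # tag number -> account identifier
        self._balances: Dict[str, int] = {}          # account identifier -> balance in cents
        self._pending: Dict[bytes, str] = {}         # unanswered challenges -> tag number
        self.audit: List[Tuple[str, str, str]] = []  # (tag number, account, result)

    def enroll(self, tag_number: str, key: bytes, account_id: str, balance_cents: int) -> None:
        """Link a tag to an account. The account may be a prepaid one with no driver
        name attached (footnote 7) or one tied to a bank account; the protocol is the same."""
        self._keys[tag_number] = key
        self._account_of[tag_number] = account_id
        self._balances[account_id] = balance_cents

    def challenge(self, tag_number: str) -> Optional[bytes]:
        """A fresh random challenge, or None for a tag number the system does not know."""
        if tag_number not in self._keys:
            return None
        nonce = os.urandom(16)
        self._pending[nonce] = tag_number
        return nonce

    def verify_and_debit(self, tag_number: str, challenge: bytes, response: bytes) -> str:
        # Each challenge is answerable once: a captured response presented again fails here.
        if self._pending.pop(challenge, None) != tag_number:
            return "rejected: unknown or already-used challenge"
        expected = _response(self._keys[tag_number], tag_number, challenge)
        if not hmac.compare_digest(expected, response):
            self.audit.append((tag_number, "-", "bad response"))
            return "rejected: bad response"
        account = self._account_of[tag_number]       # authenticated tag number -> account
        self._balances[account] -= TOLL_CENTS        # -> automatic debit
        self.audit.append((tag_number, account, "debited"))
        return "accepted"

    def balance(self, account_id: str) -> int:
        return self._balances[account_id]


def toll_exchange(tag: TollTag, system: TollSystem) -> Tuple[Optional[bytes], Optional[bytes], str]:
    """One pass through the toll lane; returns (challenge, response, result) so both messages can be inspected."""
    challenge = system.challenge(tag.tag_number)
    if challenge is None:
        return None, None, "rejected: unknown tag"
    response = tag.respond(challenge)
    return challenge, response, system.verify_and_debit(tag.tag_number, challenge, response)


if __name__ == "__main__":
    system = TollSystem()
    key = os.urandom(32)  # constructed per-tag key
    system.enroll("TAG-7781", key, "acct-0042", 1_000)
    print(toll_exchange(TollTag("TAG-7781", key), system)[2], system.balance("acct-0042"))
```

Note that the toll system never learns a name in this exchange; what it authenticates is the tag number, and what it acts on is the account that number is enrolled against. Whether that account reveals the driver is an enrollment decision, which is the point footnote 7 makes.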
CURRENT TENSIONS

The development, implementation, and broad deployment of authentication systems require us to think carefully about the role of identity and privacy in a free, open, and democratic society. Privacy, including control over the disclosure of one's identity and the ability to remain anonymous, is an essential ingredient of a functioning democracy. It is a precondition for the exercise of constitutionally protected freedoms, such as the freedom of association.9 It supports the robust exercise of the freedom of expression by, for example, creating psychological space for political dissent.10 It maintains social norms that protect human dignity and autonomy by enabling expressions of respect and intimacy and the establishment of boundaries between oneself and one's community.11

9See National Association for the Advancement of Colored People v. Alabama ex rel. Patterson, Attorney General, 357 U.S. 449; 78 S. Ct. 1163 (1958); 2 L. Ed. 2d 1488 (1958) (the Court held that the immunity from state scrutiny of membership lists was so related to the right of the members to associate freely with others as to come within the protection of the U.S. Constitution); Joseph McIntyre, Executor of Estate of Margaret McIntyre, Deceased, Petitioner v. Ohio Elections Commission, 514 U.S. 334; 115 S. Ct. 1511 (1995) (statute prohibiting the distribution of anonymous campaign literature violated the First Amendment, as it was not narrowly tailored to serve an overriding state interest; the statute indiscriminately outlawed a category of speech with no relationship to the danger sought to be prevented); Buckley v. American Constitutional Law Foundation; Talley v. California. Also, see the work that the Electronic Privacy Information Center (EPIC) has done on anonymity, including an amicus brief in the Watchtower Bible v. Stratton case, arguing that "an ordinance requiring door-to-door petitioners to obtain a permit and identify themselves upon demand" implicates privacy as well as rights of anonymity, freedom of expression, and freedom of association. More information is available online at <http://www.epic.org/free_speech/watchtower.html>.

10See Martin H. Redish, "The Value of Free Speech," 130 U. Pa. L. Rev. 591, pp. 601-604 (1982) (free expression supports citizens' participation in decision making); Alexander Meiklejohn, Political Freedom: The Constitutional Powers of the People, New York, Oxford University Press, 1965, pp. 3-89 (free expression provides citizens with access to information necessary to formulate opinions and make decisions); Rodney A. Smolla, Smolla and Nimmer on Freedom of Speech: A Treatise on the First Amendment, Clark Boardman Callaghan, 1994, §13.01 (by allowing disempowered groups to dissent, free expression provides stability); and Julie E. Cohen, "A Right to Read Anonymously: A Closer Look at 'Copyright Management' in Cyberspace," 28 Conn. L. Rev. 981 (1996) (arguing that reading is intimately connected with freedom of speech and thought and therefore the right to read anonymously should be an understood guarantee of the First Amendment).

11Robert C. Post, "The Social Foundations of Privacy: Community and Self in the Common Law Tort," 77 Calif. L. Rev. 957 (1989). Post argues that the common law tort of invasion of privacy safeguards social norms ("rules of civility") and is based on the belief that personality and human dignity are injured when these rules of civility are broken. He concludes with an explanation of the role that the privacy tort plays in enabling individuals to receive and express respect, thereby enabling human dignity; in allowing individuals to receive and express intimacy, thereby enabling human autonomy; and in establishing obli-
INTRODUCTION AND OVERVIEW 29 If individuals fear unchecked scrutiny, they will be less likely to par- ticipate vigorously in the political process and in society in general.l2 If individuals are denied privacy by the government, corporations, and other individuals they are less able to explore ideas, formulate personal opinions, and express and act on these beliefs. At the same time, "pri- vacy" is sometimes used as a pretext for hiding illegal activities, and society has, at times, a legitimate interest in requiring authentication or identification, either for validating claims to rights and privileges or for holding individuals responsible for their actions. Today, when individual authentication is demanded (such as before boarding an airplane), the individual whose identity is to be authenti- cated is asked to participate in the process of proving who he or she is.l3 Authentication of identity generally (but not always; see Chapter 4) re- quires an affirmative act the individual must affirmatively introduce herself or knowingly produce a credential containing identity informa- tion. While a third party may at times provide information about an individual's identity (such as an adult verifying the identity of a child), such information is more often a tool for confirming the identity pre- sented by the individual being authenticated. Because authentication generally requires some affirmative act on the part of the individual, it is rare that an individual's identity is surreptitiously noted and recorded in the context of an authentication event. The decision about where to deploy authentication systems be it only where today verification of identity is already required or in a greater range of circumstances will shape society in both obvious and subtle ways. 
Even if the choice is made to implement authentication systems only where people today attempt to discern identity, the creation of reli- able, inexpensive systems will invite function creep the use of authenti- cation systems for other than their originally intended purposes unless action is taken to Prevent this from happening.l4 Thus, the privacy con- gations between community members, thereby defining the substance and boundaries of community life. Id. at p. 238; Bloustein, "Privacy As an Aspect of Human Dignity: An Answer to Dean Prosser," 39 N.Y.U. L. Rev. 962, pp. 1000-1007 (1964) (arguing that the privacy torts involve the same interest in preserving human dignity and individuality). 12See, generally, the numerous privacy statutes that prevent the reuse of information and limit governmental access because of social interest in promoting or protecting the underly- ing activities (for example, related to financial information and health care), many of which are discussed in Chapters 3 and 6. 13The criminal justice context is an exception in which the individual's identity may be determined without their active participation. 14An example of secondary use is that of reliance on the driver's license for proof of age in establishments that sell alcohol. In at least one establishment in Massachusetts, licenses are swiped through a machine and all of the information contained in the magnetic stripe
30 WHO GOES THERE? sequences of both the intended design and deployment and the unin- tended, secondary uses of authentication systems must be taken into con- sideration by vendors, users, policy makers, and the general public. FOUR OVERARCHING PRIVACY CONCERNS While authentication systems can be used to preserve or enhance privacy, there are many ways, as described above, in which an authenti- cation system, or even the act of authentication alone, can affect privacy; that is, privacy is involved as a consequence or corollary of authentica- tion. Before discussing the details of authentication technologies and their impact on privacy in later chapters, several categories of privacy risk are described below. While not applicable to all authentication systems, these categories broadly characterize the risks to personal privacy that authentication systems can create. · Covert identification. Some authentication systems make it possible to identify an individual without the individual's consent or even knowl- edge. Such systems deny the individual, and society, the opportunity to object to and to monitor the identification process. These technologies are particularly vulnerable to misuse because their use is hidden. · Excessive use of authentication technology. Cost and public sensitivity have historically checked the spread of authentication systems. At the same time that technological progress has reduced the cost of these sys- tems (along with the costs of data collection and processing generally), the public, owing to an increased sense of vulnerability and desire for security or simple familiarity, has become accustomed to demands for authentication. Together, these trends increase the likelihood that au- thentication systems will become more prevalent. Led by a mentality of "more is better," the public and private sectors have been quick to in- crease the collection of personal information where this process is sup- ported by cheaper, easier technology. 
· Excessive aggregation of personal information. The use of a single iden- tifier (such as the Social Security number) or a small number of identifiers creates the opportunity for more linking of previously separate reposito- ries of personal information. Today, different record keepers have differ- ent ways of identifying individuals (and in some cases of tying their identities to transaction histories). The many cards that people carry in their wallets reveal some of the multiple identities by which they are on the back is collected. "Swipe at Your Privacy," WHDH TV, June 4, 2002. Available online at <http: / / www.whdh. com / features / articles / specialreport / H3 7/ >.
INTRODUCTION AND OVERVIEW 31 known. The adoption of a single (or small number of) authentication systems across the public and private sector would greatly erode privacy by facilitating the linkage of records maintained by many disparate record keepers.~5 · Chilling effects. Wherever identity authentication is required, there is an opportunity for social control. In some instances such control is a laudable goal (such as in contexts that require high security and account- ability). But in other areas, there is a risk that new methods of social exclusion and vehicles for prejudicial social control will be created. For example, in a world in which a single identifier (for example, a Social Security number) is relied on by many public and private institutions, the organization in charge of issuing this identifier (the government, in this example) could interfere with a citizen's ability to engage in a wide range of legitimate private sector transactions by revoking the identifier; or, a thief could interfere with the same abilities by stealing the identifier and using it fraudulently. While there are risks to privacy with some authentication systems, it should be noted that there are situations in which authentication provides an important method of ensuring accountability and of protecting privacy. For example, when specific individuals are granted access to personal or proprietary information for limited purposes, authentication can play an important role in monitoring and enforcing adherence to relevant regula- tions and laws limiting individuals' access to these purposes. WHAT THIS REPORT DOES AND DOES NOT DO This report explores the concepts of authentication, identity, and pri- vacy. It examines various authentication technologies and describes their privacy implications. The report does not recommend specific technolo- gies for specific purposes, nor does it provide an explicit cost analysis such as might be provided by a consultant. 
Instead, the report discusses the various technologies and elaborates on the trade-offs with respect to privacy that each technology permits. As the remainder of the report makes clear, analyses of specific systems or proposed systems can pro- ceed only with an understanding of the context in which a system will be operating and an understanding of the goals that the system is trying to meet. This report provides a framework for these issues and the neces- sary vocabulary within which to consider them. resee this committee s first report, IDs Not That Easy: Questions About Nationwide Iden- tity Systems, Washington, D.C., National Academy Press, 2002, for a discussion of addi- tional questions and issues raised by large-scale, widely used identity systems.
32 WHO GOES THERE? This report seeks to identify ways in which authentication technolo- gies are directly and indirectly affecting privacy. It recognizes that both government and commercial parties do, under many circumstances, have a legitimate need to determine with whom they are dealing. It explores ways in which current authentication systems operate without adequate heed to personal privacy. The report recommends ways in which privacy interests might be better served without compromising the legitimate interests of commercial and government entities that employ authentica- tion technologies. Chapters 2 and 3 elaborate on the concepts of authentication and privacy to establish the framework for the discussion in the remainder of the report. Given the historical association of authentication with secu- rity, Chapter 4 describes security concerns that motivate authentication and then discusses how usability issues matter, both for security and privacy. Chapter 5 examines particular authentication technologies and describes some of the technological issues that arise. Chapter 6 outlines some of the unique challenges facing governments and government agen- cies with respect to authentication and privacy. Finally, Chapter 7 pre- sents a toolkit for thinking through the implications for privacy of the choices made with respect to how authentication systems are developed and deployed.
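The linkage risk described under "Excessive aggregation of personal information" above, as an added example that is not part of the report: three constructed record sets keyed by one shared identifier are joined into a profile in a few lines, while the same records keyed by issuer-derived, record-keeper-specific pseudonyms cannot be joined by anyone who lacks the issuer's key. The HMAC-based pseudonym scheme is an assumed mitigation used for contrast, not a design this chapter describes; the record keepers, records, identifiers and key are all constructed.

```python
"""Linkage across record keepers: one shared identifier versus
per-record-keeper pseudonyms.

Added illustration, not part of the report. The record keepers, records
and key are constructed sample data; the HMAC-derived pseudonym scheme is
an assumed mitigation, not one the chapter itself describes.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: three unrelated record keepers, each storing a
# national identifier (a stand-in for the Social Security number).
PHARMACY = [
    {"id": "123-45-6789", "rx": "insulin"},
    {"id": "987-65-4321", "rx": "lisinopril"},
]
BANK = [
    {"id": "123-45-6789", "balance": 1200},
    {"id": "555-00-1111", "balance": 80000},
]
VOTER_ROLL = [
    {"id": "123-45-6789", "party": "Independent"},
    {"id": "987-65-4321", "party": "Green"},
]

ISSUER_KEY = b"constructed-issuer-secret"  # held only by the identifier's issuer


def pseudonym(identifier: str, record_keeper: str) -> str:
    """Derive a record-keeper-specific pseudonym from the shared identifier.

    HMAC-SHA256 under the issuer's key over (record keeper name, identifier).
    Without the key nobody can recompute or invert the mapping, and different
    record keepers receive unrelated values for the same person.
    """
    msg = record_keeper.encode() + b"\x00" + identifier.encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def link_records(*sources):
    """Join every record set on its 'id' column: the aggregation the report warns about.

    Returns {identifier: merged attributes} for identifiers present in at
    least two sources, i.e. the dossiers that linkage makes possible.
    """
    merged = defaultdict(dict)
    hits = defaultdict(int)
    for records in sources:
        for rec in records:
            merged[rec["id"]].update({k: v for k, v in rec.items() if k != "id"})
            hits[rec["id"]] += 1
    return {ident: attrs for ident, attrs in merged.items() if hits[ident] >= 2}


def reissue_with_pseudonyms(records, record_keeper):
    """What a record keeper would hold if the issuer handed it a pseudonym
    instead of the raw identifier."""
    return [{**rec, "id": pseudonym(rec["id"], record_keeper)} for rec in records]


def linkage_demo():
    """Run the same join twice: on the shared identifier, then on pseudonyms."""
    shared = link_records(PHARMACY, BANK, VOTER_ROLL)
    sectoral = link_records(
        reissue_with_pseudonyms(PHARMACY, "pharmacy"),
        reissue_with_pseudonyms(BANK, "bank"),
        reissue_with_pseudonyms(VOTER_ROLL, "voter-roll"),
    )
    return shared, sectoral


def issuer_can_still_authenticate(identifier, record_keeper, stored_pseudonym):
    """The issuer, holding the key, can still vouch for a person to one record
    keeper; that keeper never needs the raw identifier. Constant-time compare."""
    return hmac.compare_digest(pseudonym(identifier, record_keeper), stored_pseudonym)


if __name__ == "__main__":
    shared, sectoral = linkage_demo()
    print("shared identifier, linkable profiles:", shared)
    print("per-keeper pseudonyms, linkable profiles:", sectoral)
```

The contrast is the point: the first join produces a complete profile for anyone whose identifier appears in two or more repositories, while the second produces nothing, even though the issuer can still authenticate the same person to each record keeper. Note what the pseudonym scheme does not address: the issuer remains a single point of control, so the revocation risk raised under "Chilling effects" is unchanged by this mitigation.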