Privacy Law and Policy Reporter
Francis Vierboom | Galexia Consulting
This paper is the second part in a series of case studies on the privacy implications of distributed identity systems. The first part, published in 2004 10(9) PLPR, provided a general introduction to some of the issues raised by distributed identity systems and looked at a ‘brokered identity’ case study, the Reach system developed by the Irish Government. This part looks at one emerging standard that relies on a ‘federated identity’ model: the Liberty Alliance project. Part 3 will examine another, the WS-Federation and WS-Privacy specifications. These and other papers are available on the Galexia Consulting website at http://consult.galexia.com (General Editor)
Liberty Alliance – An example of federated identity
Liberty Alliance is an example of a federated identity solution, a type of distributed identity which relies on communities of trust. Other federated identity models include WS-Federation [see Part 3 of this series] and smaller, sectoral initiatives.
Liberty Alliance is an open technical specification for sharing personal information through computer networks like the Internet. It is highly sophisticated and mainly useful to very large corporations and government organisations that conduct transactions online.
It employs the concept of federated identity, under which (in principle) personal information remains in the hands of the original collector and is shared across a wide range of providers, rather than being consolidated into a master database. The relationships between providers are regulated by private contract and, of course, by applicable privacy and data protection laws.
Liberty incorporates a number of thoughtful and effective measures with regard to technical aspects of privacy. However, it rightly asserts that it cannot enforce many policy aspects of privacy on its users.
A way of uniformly identifying users across the Internet has haunted the dreams of marketing directors and the nightmares of privacy advocates. However, for a long time the financial costs of such a system were prohibitive, given the marginal benefits.
Unsurprisingly, Microsoft, ever the long-term investor and innovator, was the first company to make a foray into such an identity system. Code-named ‘Hailstorm’ – already a fatal mistake – it proposed a vast Microsoft-controlled database where the user registered all their details once and could then browse the web seamlessly.
It was the momentum of both consumer and corporate opposition to the Hailstorm concept that gave birth to the ‘Liberty Alliance’ in September 2001 – a consortium of major companies spearheaded by Microsoft competitor Sun Microsystems. The group explicitly aimed to provide an alternative and more privacy-friendly system by creating a specification for managing a ‘federated network identity’.
Phase 1 of the Liberty Specification was released in July 2002, revised to version 1.1 in January 2003. It only dealt with the basic cross-site authentication feature of the system, allowing users to navigate among different sites without signing in to each with a password, and did not describe any system for exchanging personal information.
The Phase 2 draft was released in April 2003 and a revision in August 2003, outlining more significant Liberty features – the permission-based sharing of information. The final release of Phase 2 was published in November 2003.
The Liberty standard is in fact a series of standards and specifications. The current working document is the Liberty Alliance Phase 2 Final Specifications. Key aspects of the specifications are set out below.
Liberty Identity Federation Framework (ID-FF)
The Liberty Identity Federation Framework is the foundation of the Liberty Alliance protocol and provides functionality such as opt-in account linking and single sign-on capabilities. The Phase 2 revision of the ID-FF also incorporated:
• Affiliation: This enables a user to choose to federate with a group of affiliated sites, a critical need for portals and business-to-employee applications; and
• Anonymity: This enables a service to request certain user attributes without needing to know the user’s identity.
Liberty Identity Web Services Framework (ID-WSF)
The Liberty Identity Web Services Framework outlines the technical components necessary to build interoperable identity-based web services. Specific features include:
• Permissions-Based Attribute Sharing: This allows an organisation to offer users individualised services based on attributes and preferences that the user has chosen to share;
• Interaction Service: This allows an identity service to obtain permission from a user (or someone who owns a resource on behalf of that user) to allow them to share data with the requesting service;
• Security Profiles: This describes the profiles and requirements necessary to protect security and ensure the integrity and confidentiality of messages; and
• Extended Client Support: This enables hosting of Liberty-enabled identity-based services on devices without requiring HTTP servers. This is useful since most consumers do not run HTTP servers on their PCs, and many networks do not support running HTTP servers on consumer devices. This also reduces implementation costs in resource-constrained devices such as mobile phones.
Liberty Identity Service Interface Specifications (ID-SIS)
In Phase 2 and future phases of its specifications, the Liberty Alliance will be developing a collection of new specifications that offer companies a standard way to build interoperable identity-based services – the Liberty Identity Service Interface Specifications (ID-SIS). So far, these services include:
• ID-SIS-Personal Profile: This service defines a template for basic profile information, typically used in registration. It includes a standard set of attribute fields (name, legal identity, legal domicile, work address, email address) so organisations have a common language to speak to each other and offer interoperable services.
• ID-SIS-Employee Profile: This service defines a template for employee information, which, in addition to regular personal details, holds employment-related information such as position and personal company history.
Technical privacy features
Liberty Alliance was founded as the pro-privacy alternative to Hailstorm/MS Passport, and despite the fact it is being developed and funded by markedly privacy-unfriendly types of organisations like credit card companies, telecoms and banks, it has devoted considerable effort to incorporating privacy protections into the specifications. Such features include:
• Digital signing of all Liberty messages using XMLDsig, which provides authentication, confidentiality, message integrity and non-repudiation. This means privacy-managed transactions can be audited with certainty;
• Anonymous and pseudonymous access capabilities;
• UsageDirective tags, which provide significant low-level privacy transaction management features of the Liberty protocol:
   • a requestor can indicate to the provider the intended use of the data;
   • a provider can direct a requestor as to what it may use the data for; and
   • alternatively, a provider can reply to a requestor with a UsageDirective expressing its acceptable practices before providing any data;
• The consent header tag, which is used to claim that a data subject has consented to a particular transaction; and
• The Interaction Service specification, which enables service providers to contact a user directly to obtain consent or additional data for a particular transaction.
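The following is an added illustration of the two mechanisms just described, written for this article rather than taken from the Liberty Alliance specifications: the ID-FF idea of per-provider opaque handles (so that one provider's identifier for a user cannot be matched against another's, and attributes can be requested about a pseudonym), and the ID-WSF UsageDirective and consent headers that let a requestor state its purpose, let a provider publish its acceptable practices before releasing anything, and let the provider decide attribute by attribute. The namespace, element and attribute names (`urn:example:liberty-sb`, `UsageDirective`, `Purpose`, `Consent`, `Query`), the consent URI and the provider policy are all assumptions for the sketch; the real Liberty SOAP Binding schema is not reproduced.

```python
import secrets
import xml.etree.ElementTree as ET

# Assumed namespace and element names for this sketch; the real Liberty ID-WSF
# SOAP Binding schema is not reproduced here.
SB = "urn:example:liberty-sb"
NS = {"sb": SB}
ACCEPTED_CONSENT = {"urn:example:consent:explicit"}  # assumed consent-claim URI

# Constructed provider-side policy: purposes each attribute may be released
# for, and whether the data subject's explicit consent must be asserted.
PROVIDER_POLICY = {
    "email": {"purposes": {"service-delivery", "billing"}, "needs_consent": False},
    "postal-address": {"purposes": {"service-delivery"}, "needs_consent": True},
    "date-of-birth": {"purposes": set(), "needs_consent": True},
}


class IdentityProvider:
    """Keeps the real account and hands each service provider its own opaque
    handle, so two providers cannot correlate a user by identifier alone."""

    def __init__(self):
        self._links = {}  # (sp_id, handle) -> local account id

    def federate(self, account_id, sp_id):
        # Opt-in account linking: a fresh random handle for this (account, SP) pair.
        handle = secrets.token_urlsafe(16)
        self._links[(sp_id, handle)] = account_id
        return handle

    def resolve(self, sp_id, handle):
        # Only the identity provider can map a handle back to the account.
        return self._links.get((sp_id, handle))


def build_attribute_request(handle, attributes, purpose, consent_uri=None):
    """Constructed requester message: asks for attributes of a pseudonymous
    subject and declares in a UsageDirective what the data will be used for."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = ET.SubElement(env, "Body", id="body-1")
    # The directive's ref binds it to this body; once the message is signed,
    # header and body are covered together, so the stated purpose cannot be swapped.
    directive = ET.SubElement(header, f"{{{SB}}}UsageDirective", ref="body-1")
    ET.SubElement(directive, f"{{{SB}}}Purpose").text = purpose
    if consent_uri:  # consent header: a claim that the subject agreed to this use
        ET.SubElement(header, f"{{{SB}}}Consent", uri=consent_uri)
    query = ET.SubElement(body, "Query", subject=handle)
    for name in attributes:
        ET.SubElement(query, "Attribute", name=name)
    return ET.tostring(env, encoding="unicode")


def acceptable_practices_directive(policy=PROVIDER_POLICY):
    """Provider reply sent before any data: a UsageDirective listing the
    purposes it will accept per attribute, so the requester can adjust."""
    directive = ET.Element(f"{{{SB}}}UsageDirective")
    for name, rule in sorted(policy.items()):
        attr = ET.SubElement(directive, f"{{{SB}}}Attribute", name=name)
        for purpose in sorted(rule["purposes"]):
            ET.SubElement(attr, f"{{{SB}}}Purpose").text = purpose
    return ET.tostring(directive, encoding="unicode")


def evaluate_request(xml_text, policy=PROVIDER_POLICY):
    """Provider-side decision: which requested attributes may be released under
    the declared purpose and consent, and why the others are refused."""
    root = ET.fromstring(xml_text)
    body = root.find("Body")
    directive = root.find("Header/sb:UsageDirective", NS)
    requested = [a.get("name") for a in body.iterfind("Query/Attribute")]
    decision = {"released": [], "refused": {}}

    # No directive bound to this body means no stated purpose: release nothing.
    if directive is None or directive.get("ref") != body.get("id"):
        decision["refused"] = {n: "no usage directive for this message" for n in requested}
        return decision

    purpose = directive.findtext("sb:Purpose", default="", namespaces=NS)
    consent = root.find("Header/sb:Consent", NS)
    consent_ok = consent is not None and consent.get("uri") in ACCEPTED_CONSENT

    for name in requested:
        rule = policy.get(name)
        if rule is None:
            decision["refused"][name] = "unknown attribute"
        elif purpose not in rule["purposes"]:
            decision["refused"][name] = f"purpose '{purpose}' not permitted"
        elif rule["needs_consent"] and not consent_ok:
            decision["refused"][name] = "consent not asserted"
        else:
            decision["released"].append(name)
    return decision
```

To try it, create an `IdentityProvider`, call `federate` twice for the same account with two different provider ids and observe that the handles differ while `resolve` still maps each back; then pass one handle to `build_attribute_request` with a purpose and consent URI and feed the result to `evaluate_request`. The design point is that the provider never evaluates the request against the requestor's reputation or the user's real name: it only checks the declared purpose, the consent claim and the directive's binding to this particular message, which is exactly what the later policy discussion says a technical standard can and cannot enforce on its own.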
The challenges for Liberty Alliance
The challenge for open-market online authentication systems like Liberty Alliance is that they have not yet reached the stage where they offer practical benefits and applications to consumers. A 2002 Gartner report found that people are generally distrustful of, and uninterested in, broad online authentication systems. Liberty members seem to hope that consumers will be attracted to federated identity because of problems with existing authentication systems:
“Fast-forward to the grown up and modern world. Pieces of their [consumers] identity are now scattered across an endless list of entities; banks, credit card companies, brokerage firms, insurance companies, national IDs, pension funds, medical providers, and the places where they work. The Internet has become one of the prime vehicles for business, community and personal interactions, and it is fragmenting this identity even further. Pieces of their identity are doled out across the many computer systems and networks used by employers, Internet Service Providers, bulletin boards, instant messaging applications, and online commerce and content providers. This all occurs with little coordination, interaction, or control on their part.
The result is a fairly high level of frustration for everyone involved. People have to repeatedly enter the same information within the workplace and in personal business dealings. The IT manager must provision dynamically changing accounts to reflect up-to-date roles and identities within the organization. The sales executive needs to reach the audience with the right identities to sell a product.”
Despite the picture painted by this passage from a Liberty document, the broad usage of Liberty in retail e-commerce seems some time away. Given consumer resistance and the expense of deployment, it may be some time before Liberty becomes a pervasive standard on the Internet.
The more viable – and less privacy intrusive – applications are for more discrete networks of users and providers, rather than large scale business-to-consumer applications. For example:
• Financial trading communities: A relatively small set of users who would benefit from consistent access to a variety of disparate market systems. The privacy implications are limited given that only limited personal information is needed, and the usability benefits are significant;
• Student and employee intranets: Large companies, universities and other education institutions often have a number of separate internal IT systems. Here the incentives for identity fraud, or privacy abuse by the controller, are low, and the benefits once again are significant. (In Australia, however, it is important to note the legal vacuum relating to employee privacy); and
• eGovernment: Although the risks of identity fraud are significant, governments are generally subject to a degree of privacy regulation and oversight, and the efficiency and cost savings from achieving interoperability between various government applications provide a genuine incentive to governments to be some of the first adopters of Liberty technology.
However, it is large consumer corporations (credit card companies, technology vendors and private telecommunications providers) that are currently considering the future benefits of Liberty, and backing the Liberty Alliance:
“Deploying [single sign-on] functionality will drive additional requirements for attribute sharing in order for banks, insurance companies, brokers or others in the industry to deliver more personalized services to their users. Liberty’s first set of specifications and future work is playing an important role in this area.”
This vision of seamless web services for consumers is not so comforting to privacy advocates. Despite the protests to the contrary by Liberty Alliance backers, the fact is that wide deployments of any particular standard in online authentication and information sharing can raise potential privacy risks:
• Identity theft: By allowing a single authentication at, for example, a superannuation website to give a user access to insurance, banking and trading services, single sign-on systems increase both the vulnerability to, and the incentive for, identity thieves. The risk increases as the system spreads across broader e-commerce sectors; and
• Targeted marketing: As can be seen in the passage above, Liberty supporters openly anticipate trading in personal information with each other to profile their consumers.
Given that Liberty is a draft technical standard, and does not have any enforceable control over implementations, consumers will have to rely on existing privacy regulatory schemes and trust corporations to run their Liberty-enabled systems responsibly.
The future for Liberty Alliance
From a privacy perspective, Liberty Alliance is a vast improvement on the original Microsoft Passport concept of a centralised database. However, as discussed below, Liberty’s main competitor is now the WS-Federation specification of the web services suite being created by Microsoft and IBM.
Liberty has some significant advantages. The business-related aspects of the Liberty project are far more advanced than WS-Federation, reflecting the fact that Liberty is a business-led effort. However, Liberty has precious little time to establish itself as a working standard for identity federation before the release of the next Windows operating system. Codenamed ‘Longhorn’, it will include WS-Federation as part of its built-in web services protocol suite. There are no technical barriers to the two standards working alongside each other, but Liberty was founded directly against Microsoft and neither seems to have forgotten.
Liberty should recognise that the key to establishing identity federation is persuading consumers, not businesses. It must take some responsibility for providing comprehensive guidelines and promoting good privacy among its members. Its online tools will need to be supported by enforceable customer-protective policies and practices (of the organisations using those tools), for Liberty to be seen as offering a privacy-sensitive identity management solution. The success of Liberty’s concept of ‘federated network identity’ rests on its ability to ensure that information sharing does not run rampant over the interests of consumers.
Francis Vierboom is a consultant with Galexia Consulting
Notes
See Galexia Consulting’s article Part Two.
See IBM Corporation, Microsoft Corporation, BEA Systems, Inc., RSA Security, Inc., Verisign, Inc., Web Services Federation Language (WS-Federation), July 2003, http://www-106.ibm.com/developerworks/library/ws-fed/; and A Joint Whitepaper from IBM Corporation and Microsoft Corporation, Federation of Identities in a Web Services World, Version 1.0, July 2003, http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-federation-strategy.asp.
Liberty Alliance, Introduction to the Liberty Alliance Identity Architecture, Revision 1.0, March 2003, http://www.projectliberty.org/resources/whitepapers/LAP Identity Architecture Whitepaper Final. PDF, at p2.
Liberty Alliance, Report Finds Liberty Alliance Standard Helps Financial Institutions Extend Trusted Relationships and Enable New Online Businesses, Press Release, 9 July 2003, http://www.projectliberty.org/press/releases/2003-07-09.html.
For further discussion of Liberty and privacy see: Kaye, On Liberty and the Case for Anonymous Federation of Identity, RDS Strategies LLC, September 2002, http://www.rds.com/essays/20020904-liberty.html; Loftesness and Jones, Critiquing a Liberty Alliance Critique, Glenbrook Partners, 2002, http://www.glenbrook.com/opinions/liberty-critique.html; and Migliore, Jupiter Raises Doubts About Passport, Liberty Alliance, Enterprise Systems, November 2001, http://www.esj.com/news/article.asp?editorialsId=75