Privacy Law and Policy Reporter
Distributed identity — Part 1
Chris Connolly, Ian Booth, Prashanti Ravindra, Peter van Dijk and Francis Vierboom GALEXIA CONSULTING
This article is the first part in a two-part series on distributed identity. Both are modified versions of articles that appear on the Galexia Consulting website at <http://consult.galexia.com>.
This part provides a general introduction to some of the issues raised by distributed identity systems and looks at a ‘brokered identity’ case study, the Reach system developed by the Irish Government.
The second part of this series, to be published in the next issue of PLPR, looks at two emerging standards that rely on a ‘federated identity’ model. One is the Liberty Alliance project, a consortium of companies and government agencies developing an open standard specifically for identity transactions. The other is the framework of standards being developed by Microsoft and IBM for web services, especially the WS-Federation specification and the anticipated WS-Privacy specification — Associate Editor.
Distributed identity schemes are identification and authentication systems which may operate as alternatives to centralised national identification schemes. They include the concepts of federated identity and brokered identity.
Distributed identity is being considered as a privacy positive alternative to national identification schemes, such as the failed Australia Card proposal and the failed proposal to merge government databases in Ontario, Canada.
Although distributed identity may be a reasonable alternative to centralised national identification schemes, distributed identity is not necessarily a privacy positive initiative in its own right. The level of privacy intrusion depends on numerous technical factors and the effective management of privacy issues during design, implementation and the active life of distributed identity systems.
Defining distributed identity
Distributed identity involves the exchange of identity information across one or more trusted domains (either within a single organisation or between different organisations) in such a way that the information is maintained at its original source.
To manage authentication and verification, distributed identity systems may utilise either:
• a ‘web of trust’ (federated identity); or
• a ‘trusted third party’ (brokered identity).
Where it is necessary for users to gain access to multiple applications provided by multiple organisations, distributed identity allows single sign-on by passing through user authentication and authorisation credentials.
In a recent document by Hewlett-Packard looking at federated network systems, such a network is described as:
A networked world in which individuals and businesses can more easily interact with one another, while respecting the privacy and security of shared identity information.
Often, a common feature of distributed identity systems is that users are provided with an opportunity to exercise some control over the type and amount of information disclosed to different organisations for different applications.
Trends and drivers in identity management
The need for identity management systems, including distributed identity solutions, is being driven by several trends. The motivation for the wider acceptance and use of these systems comes from a variety of sources within both the public and the private sector.
The uptake of eGovernment will involve, as a key prerequisite, the co-ordination and facilitation of the development of a trusted and secure online environment for delivery of government services to both individuals and businesses. However, government agencies appear to remain uncertain of the availability, cost effectiveness and inter-operability of technologies, tools and standards for identifying and authenticating online customers. Consequently, this is holding back the rollout of more complex or sensitive eGovernment services and transactions, thereby delaying more widespread benefits of eGovernment.
Electronic authentication is qualitatively different for the public versus the private sector because of government’s unique relationship with citizens:
(a) many of the transactions are mandatory;
(b) agencies cannot choose to serve only selected market segments;
(c) relationships between government and citizens are sometimes ‘cradle to grave’, but characterised by intermittent contacts, which creates challenges for technical authentication solutions; and
(d) individuals may have higher expectations for government agencies than for other organisations with regard to protecting the security and privacy of personal data.
In Australia, Commonwealth government agencies are working with the National Office for the Information Economy (NOIE) to develop an identification and authentication framework which can accommodate various agencies’ business processes while providing common standards and rules.
There is also a strong international interest in eGovernment initiatives.
Businesses are investigating the use of identity management systems to provide services more efficiently. Costs can be reduced by sharing authentication and verification credentials across a wider range of organisations — rather than creating stand alone authentication systems for each organisation and/or application. Identity management systems may enable multiple subsidiary e-business transactions to be streamlined and simplified.
Key issues in identity management
Identity management systems do not exist in a policy vacuum. The context and setting for identity management solutions have a direct impact on design and implementation.
All identity management solutions, whether centralised or distributed, need to address the following key issues.
Addressing these key issues at the design stage of identity management systems has significant benefits over attempting to manage these issues post-implementation. Management of these issues in distributed identity models is essential, and it should not be assumed that distributed identity models will ‘automatically’ be more effective at addressing these issues than centralised identity models.
Models for eAuthentication
The strength of the authentication method employed in any system should be commensurate with the value of the resources (information or material) being protected.
Evidence of Identity
Sufficient levels of trust and confidence must be generated in the accuracy and validity of information which is presented as original evidence of identity.
Many of the foundational identification documents used to establish individual user identity are very poor from a security perspective, often as a result of being generated by a diverse set of issuers that may also lack an ongoing interest in ensuring the document’s validity and reliability.
Sufficient records must be retained to assist in future investigations or inquiries. The validity and accuracy of such records must be balanced against privacy interests.
Appropriate privacy controls must be provided within the solution, including the ability to provide anonymity where necessary. Privacy controls need to go beyond simple compliance with national and international privacy laws. They also need to meet the privacy expectations of consumers.
Identity fraud and identity theft
Identity management systems need to limit opportunities for common identity fraud (one off fraud which usually relies on the adoption of another person’s identity for a single transaction) and provide adequate prevention against identity theft (more sophisticated fraud where a false identity is assumed for the purposes of opening accounts, obtaining multiple goods and services and so on).
Identity and authentication system users also wish to ensure that they are properly protected by the law. The allocation of legal liability for unauthorised transactions must be determined for each solution.
Brokered identity case study — Reach
Reach is an example of brokered identity — a form of distributed identity management which relies on the services of a trusted third party to manage authentication and identity on behalf of consumers.
Reach is an agency established by the Irish Government in 1999 to develop a strategy for the integration of public services and to develop and implement a framework for eGovernment. In May 2000 Reach was commissioned by the Irish Government to develop the Public Services Broker (PSB). Since then, Reach has focused on defining and implementing the architecture and principles underlying the operation of the PSB. Reach’s mission statement is:
... to radically improve the quality of service to personal and business customers of Government and to develop and deploy the Public Services Broker to help agencies achieve that improvement. In particular Reach is to develop and implement an integrated set of processes, systems and procedures to provide a standard means of access to public services, to be known as the Public Services Broker.
This electronic broker will act as a helper or assistant between customers and public service agencies. It will be developed by Reach and then subsequently be operated by a separate agency. The PSB is not intended to act as a representative or advocate for government agencies.
As part of its work with the PSB, the Reach project is developing standards and legislation that will deal with issues of interoperability, internet security and privacy. Reach’s roles and objectives fall into three key areas:
• standards and operational policies;
• co-ordination and leadership; and
• implementation and delivery of infrastructure and systems.
Reach aims to provide a one stop service for public service customers, enabling them to access related services at a single point of contact and to give their information, and prove their identity, once only, instead of having to go through the same procedure separately for each related service. To improve services in this way, internal business processes need to be integrated. Data sharing is a key to facilitating the seamless delivery of public services — it promotes customer service and efficiency and reduces the need to call for physical documents.
However, there is also the requirement of meeting customers’ expectations that data is kept securely and that their privacy is respected. In response to this, the Reach model seeks to balance the need for the availability of data to public service agencies while ensuring a high level of privacy and respect for data protection principles.
Reach is implemented as an element of the Irish Government’s broader eGovernment strategy which aims to ensure quality of service to people dealing with government agencies and improvements in administrative efficiencies. Reach is also responsible for ensuring that the development of electronic Government in Ireland is done in the context of European Union initiatives. This involves complying with the eEurope Action Plan which sets the eGovernment strategy in the wider European context and places certain eGovernment development obligations on Ireland.
Description of Reach
Public Services Broker
The PSB is the central component of Ireland’s eGovernment strategy. It provides a common access point for eGovernment services, identity management and access control, common interface standards, procedures and supporting services with the necessary infrastructure to make access to eGovernment services as straightforward and secure as possible. The PSB aims to improve delivery of services to the public through traditional means (in person and on the phone) and the new self-service electronic channel.
The PSB model involves an integrated approach on three levels:
• a single access point to related services (integration across agencies, services and transactions);
• updated data available in real time and data available for repeat transactions (integration across time); and
• the same data and experience available across the three main access channels — counter, telephone and the internet (integration across channels).
The PSB model is based on a hub architecture. Hubs at central, sectoral or local levels are used to exchange data to support common services at the appropriate level and sectoral data stores can be supported by central authentication and security services. This means that data captured once can be reused by other agencies and on other occasions. One element of proposed privacy protection is to enable consumers to know, and exercise control over, how their personal information is used.
The PSB is not a single application, rather it can be viewed as:
• a portal;
• a user access management system;
• a set of PSB user services;
• a set of PSB management services; and
• an integration framework — a set of components and tools that will be used to integrate the above services and to PSB-enable government services.
The complexity of the PSB and its role in the provision of eGovernment services is represented in the diagram below.
Terms of reference
Reach has the following terms of reference.
• Develop the framework for delivering integrated public services to individual customers and businesses in Ireland.
• Develop and implement the framework for electronic delivery of public services — the ‘eGovernment’ and Information Society agendas.
• Co-ordinate the eGovernment program across the Public Service.
The following points summarise the mandate of Reach.
• Develop and implement an integrated set of processes, systems, and procedures to provide a standard means of access to public services, to be known as the PSB. This will be done in consultation with public service delivery agencies and customers.
• Develop the existing Public Services Card as the customer’s secure key to accessing public services.
• Promote the use of the Personal Public Service Number (PPSN) — formerly the RSI Number — by the public and by authorised public service agencies.
Reach’s legal framework
Reach was established by government decision in 1999 and its mandate extended, again by government decision, in 2000 to develop the PSB.
Reach grew out of the Integrated Social Services Strategy adopted by the Government in 1996 that recommended the integration of public services, increased sharing of data and the extension of the use of the RSI Number across the public service in the interest of improving customer service.
The legal framework for the sharing and use of essential personal data is set out in a number of Irish Acts: Data Protection Act 1988, Social Welfare Acts 1998, 1999 and 2000, Social Welfare (Miscellaneous Provisions) Act 2002 and the Health (Provision of Information) Act 1997.
The Minister for Social, Community and Family Affairs, whose department is responsible for the issue of personal public service numbers and the public services card, reports to Government on the progress of the Reach initiative.
Reach’s Inter-Agency Messaging Service
Reach developed the Inter-Agency Messaging Service (IAMS) to support the electronic exchange of customer data among agencies in the public service. The IAMS will initially allow the exchange of birth registration data between the General Register Office (GRO) and the Department of Social and Family Affairs’ Client Identity Services Section, and between the GRO and the Central Statistics Office. This service will eventually be extended to support the capture and dissemination of death and marriages notification data among a wider range of agencies.
Privacy issues in Reach
In terms of privacy protection on a legal level, Reach initiatives are being created within the framework of the Data Protection Act and the Freedom of Information Act. The provisions of the Social Welfare Acts also contain safeguards for the protection of the individual’s right to privacy. Pivotal to the initiative is that users will have control over their personal information — they are given discretion over disclosure of their personal information to government bodies. Furthermore, the PSB is independent of public service agencies, acting as both an ‘agent for customers and a shop front for the public service’.
In terms of the practical mechanisms used to protect privacy, the PPSN serves as the customer’s unique key which will help the development of personalised services and minimise the risks of error and inaccuracies in personal records. The customer will be able to deposit personal data with the PSB, and later choose to release it to a public service agency when applying for a service. This does not mean, however, that a personal profile is going to be built on every person in the country. Only the minimum data required for a particular transaction would be viewable by the staff member assisting the customer. The PSB would give the individual customer as much control as possible over the release of personal data from their personal data stores. All accesses to personal data will be recorded and staff will be unable to view personal profiles unless the customer grants permission by keying in a PIN or password.
A key issue for Reach (and brokered identity in general) is ensuring that the community has a sufficient level of trust in the identity broker. This trust can be difficult to achieve, especially in communities where the government and private sector have a history of privacy intrusion and privacy abuse. In Ireland, the Reach initiative has attempted to win community trust through adoption of the following measures.
• Legislation: Legislation already exists on the collection and storage of personal information. In addition, the creation and use of PPSNs and Public Service Cards is vested by law in the Minister for Social Community and Family Affairs.
• Transparency: To ensure people understand how personal data will be kept secure, the rules and procedures for collection and release of personal information will be published.
• Oversight: Additionally, compliance with those published procedures and legislation is further subject to scrutiny by a number of statutory holders, namely the Comptroller and Auditor General, the Ombudsman and Information Commissioner and the Data Protection Commissioner.
• Choice: The Public Services Card (a smart card containing the PPSN and other necessary personal identifiers) will not be a national identity card. It is designed to meet the needs of people to identify themselves when using public services. The new card does not have to have a photograph, date of birth or any other personal data. It could, for example, be like an ATM card, which when used with a PIN sufficiently identifies the person to draw down cash from ATM machines or carry out banking instructions. The key principle to be adopted is that customers choose the additional features that can be added to their basic card.
The Reach model aims to give consumers customised options for limiting the use of their data.
The Irish Government, through Reach, has worked hard to design a privacy friendly brokered identity system. Reach’s underlying philosophy of giving the consumer control over their personal information has enabled them to develop an effective ‘one stop shop’ model of eGovernment that is founded on consumer rather than government control of information.
However, there are some hurdles that Reach are yet to overcome. First, the implementation of the PSB is severely behind schedule; and second, it appears that the public are yet to overcome privacy fears about the internet.
The majority of Irish people (56 per cent) feel that ‘if you use the internet your privacy is threatened’. This could have important ramifications for the PSB and other eGovernment initiatives. Despite Reach’s priority of consumer data control, these efforts could be rendered ineffective if the public cannot be inspired to use the services once they have been developed.
The future for Reach
Once fully implemented the Reach initiative could, subject to appropriate privacy protection, alter the way most people interact with and use government services. The one stop shop model will provide administrative efficiencies for both the public and public service providers.
These benefits may include:
• connected services will enable customers to access more than one service through a single access point;
• personalised services that are founded on the individual needs of the customer and their preferences;
• choice and convenience so that customers will be able to choose the time and place which best suits them;
• reduction in repeat form filling and provision of basic personal data; and
• simplification of access to services and information by allowing self-service over the internet.
The Irish Government hopes that the focus on privacy protection in implementing this initiative ensures that these benefits will be achieved with negligible privacy intrusion. Other jurisdictions will be monitoring the Reach and the PSB implementations to assess their effectiveness and possible use in their own development of eGovernment services.
Chris Connolly, Ian Booth, Prashanti Ravindra, Peter van Dijk and Francis Vierboom are consultants with Galexia Consulting.
Clarke R Just Another Piece of Plastic for your Wallet: The ‘Australia Card’ Scheme June 1987 <www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html>.
BIS Shrapnel, October 2002, unpublished:
The Provincial Government of Ontario abandoned its plans to implement the multi-application smart card. The initiative that was recognised as the most far-reaching multi-application implementation in the world. It appears to have been abandoned for four principal reasons:
• Lack of internal co-operation and agreement between government departments;
• Powerful public opposition from Canada’s Federal Privacy Commissioner;
• Financial models proved untenable; and
• Poor management and lack of transparency.
This definition has been adapted from Pato J and Rouault J Identity Management: The Drive to Federation Hewlett-Packard Development Company, August 2003, <http://devresource.hp.com/drc/technical_white_papers/IdentityMgmt_Federation.pdf>.
As above p 5.
Committee on Authentication Technologies and their Privacy Implications Who goes there? Authentication through the lens of privacy National Research Council of the National Academies April 2003 (pre-publication version) at Section 6.2.
Refer to National Office for the Information Economy Submission to the Joint Committee of Public Accounts and Audit Inquiry into the Management and Integrity of Electronic Information in the Commonwealth March 2003 <www.aph.gov.au/house/committee/jpaa/electronic_info/submissions/sub20.pdf>; and Management Advisory Committee Government Use of Information and Communications Technology — ITAG Authentication Working Group sub-committee report — Appendix 5 — Authentication of external clients Working Group Australian Public Service Commission, October 2002, <www.apsc.gov.au/mac/technology.pdf>.
Refer to Accenture eGovernment Leadership: Engaging the Customer April 2003 <www.accenture.com/xd/xd.asp?it=enweb&xd=industries\government\gove_capa_egov.xml>.
Above note 5 at Recommendation 2.1 and 4.1.
Above note 5 at Section 6.3.
Statement of Strategy 2003-2005, Department of Social and Family Affairs 2002 <http://portal.welfare.ie/publications/allpubs/strats/ss0305.pdf>.
For more information about Reach’s goals, objectives and actions see Department of Social and Family Affairs Statement of Strategy 2003-2005 p 68. Information about Ireland’s eGovernment Agenda is on pp 40-2.
See <www.reach.ie/about/what_is/standards.htm> for more information.
See <www.reach.ie/about/what_is/coordination.htm> for more information.
See <www.reach.ie/about/what_is/implementation.htm> for more information.
<www.reach.ie/about/why_now/eGovernment.htm>.
Commission of the European Communities eEurope 2005: An information society for all June 2002 <http://europa.eu.int/information_society/eeurope/2005/all_about/action_plan/index_en.htm>.
Reachservices Public Services Broker Phase 1 Requirements Statement July 2002, <www.reach.ie/psb1/Requirements_Statement.pdf>.
Irish Internet Association ‘Ireland’s eGovernment — Reach Services’ New Perspectives November 2002, <http://newperspectives.iia.ie/e_article000109297.cfm>.
Above note 18.
Reach Terms of Reference May 2002, <www.reach.ie/archive.htm>.
As above.
<www.bailii.org/ie/legis/num_act/dpa1988168/>.
<www.bailii.org/ie/legis/num_act/swa1998137/>.
<www.bailii.org/ie/legis/num_act/1999/1999-3.html>.
<www.bailii.org/ie/legis/num_act/swa2000137/>.
<www.bailii.org/ie/legis/num_act/2002/2002-8.html>.
<www.bailii.org/ie/legis/num_act/hoia1997339/>.
Above note 23.
<www.bailii.org/ie/legis/num_act/foia1997222/s1.html>.
Above notes 24-26.
Department of Social, Community and Family Affairs Establishment of National Framework for Integration of Public Services — ‘Reach’ August 1999, <www.cidb.ie/Live.nsf/0/4b45f6c7db25df87802567e6004dbf21?OpenDocument>.
Department of the Taoiseach Data Protection with the Public Service Broker <www.taoiseach.gov.ie/viewitem.asp?id=388&lang=ENG>.
<www.reach.ie/about/achieve/privacy.htm>.
‘Data Protection Essential for eGovernment plan’ Irish Times 9 September 2001 <www.cidb.ie/live.nsf/0/41b883a289b58c4880256b17005399e0?OpenDocument&ExpandSection=7>. See also <www.reach.ie/faqs.htm>, which notes the privacy protective features of the PSB scheme.
Data Protection Commissioner Privacy Fears on the Increase, warns Data Protection Commissioner News Release 13 January 2003 <www.dataprivacy.ie/7nr130103.htm>.
Refer to McDonald ‘Privacy concerns balloon in Ireland’ ElectricNews.net 16 January 2003 <www.enn.ie/news.html?code=8894120>.