Government Technology - October 2007 - (Page 36)

threat assessment process and is authorized to use ClearLanes to bypass some aspects of airport security. The card does not reveal the cardholder’s identity to TSA staff, effectively separating the person’s identity from the physical credential. Verified ID manages the card independently of any government control. The company tapped Lockheed Martin Corp. to manage the technology and information systems that support the card. “You get all the security without the surveillance,” Harper explained of the Clear program. “Those kinds of things are really the direction we need to go — where you have a variety of credentialing systems that are competitive so that you get cost control, convenience and competition over privacy. You get actual privacy.” the private sector will help to educate the next round of government identity policy.” purposes. We could also use government as a source of identity proofing truth for online transactions. But we don’t always want that.” Red Flags Personal identity frameworks (PIFs) serve as evolutionary building blocks that help facilitate easy registration and single sign-on for a variety of online transactions, though predominantly in low-risk contexts, explained Gregg Kreizman, a research director at Gartner. “We all interact, increasingly online, in a variety of contexts, such as government to citizen, government to business, business to consumer or business to business, and in different verticals within these broad categories, such as education, health, finance or social networks,” he said. Each context has its own risk profiles and therefore, each will have different expectations/requirements for ensuring individuals are who they claim to be. Government will play a role in privatesector initiatives, such as Microsoft’s CardSpace — by supplying information that would appear in PIFs — but involving government in the creation of PIFs will not solve the ID problem, he said. PIFs are predominantly about the enduser experience. “If I use CardSpace as my identity selector, I will have a common user interface to access multiple services in different contexts,” Kreizman explained. “However, I will still need to have different identity providers — government, health care, finance — depending on context and associated risk profile.” Government is an appropriate source of identity proofing in some contexts, Kreizman said, though telecommunications companies may be in another context and credit bureaus may function as an appropriate source of identity proofing in yet another context. PIFs provide convenience and a promise of privacy protection, Kreizman said, because PIFs provide ways for service providers to request identity attribute data for registration and provide ways for users to allow or deny access to that data. “However, PIFs by themselves provide no guarantees that service or identity providers will protect that data from breaches or nefarious uses,” he cautioned. “So, who do you want to be your identity provider for all contexts?” Government should be involved in work on PIFs, Kreizman said, though a full-fledged partnership may be impossible. “Governments are one type of source for identity proof, and they are also identity consumers,” Kreizman said. “We need government-issued IDs for nonelectronic Finding Privacy Some observers caution that the need for security is running roughshod over personal privacy rights. The federal government alone is juggling six identity card initiatives, said Jim Dempsey, policy director at the Center for Democracy and Technology, and the CDT is alarmed at the proliferation of identity cards created in a policy vacuum. “The biggest problem is that we have no policy framework for collection, use, storage and exchange of identification information,” Dempsey said. “The United States has no comprehensive privacy law.” What exists now is a smattering of sundry privacy protections, he said, noting that Americans possess a constitutional right to privacy, but that right was largely defined in the preInternet age. Various statutory privacy protections exist, he said, but those protections target specific sectors, such as financial institutions or hospitals, and are riddled with exceptions. The CDT has been trying to get the message through, he said but so far, Congress is somewhat mired in the sectoral approach of the past. That approach is, in part, the byproduct of legislative committees being created to examine laws targeted at specific sectors, such as a banking committee or a judiciary committee. Larger issues also complicate the question of identity and privacy, however. Walking down the street used to be an unidentifiable activity unless someone actually knew you, he observed, the constitutional rule that a person has no privacy when it comes to what he or she does in public doesn’t have very broad consequences when what that person did was not identifiable. “There’s a huge amount of activity going on in the proliferation of video cameras, and ultimately we’re going to have increasing integration of facial recognition software in those camera systems,” Dempsey cautioned. “We are really entering a very different world,” he said, adding that there’s no clear sense of a system for gathering, applying, storing and sharing identity information or personally identifiable information. “The rules we’ve had in the past were based upon the assumption that there was a certain amount of friction in the system,” he said. “They were also based upon the assumption that it was hard to link data across databases, as well as a series of other assumptions. Increasingly those assumptions are being blown apart, really, by changes in technology.” Jim Dempsey policy director, Center for Democracy and Technology OCT_07 By creating a market for credentialing, Harper said, consumers get a choice in the matter, adding that before rolling out the Clear Card, Verified ID conducted focus group meetings to ask consumers what they wanted from such a card and what would make them want to pay the $99.95 annual fee. Consumers expressed cost, convenience and privacy as their chief concerns about the Clear Card, Harper said, and Verified ID designed its systems with those three issues in mind — in stark contrast to the way the Real ID Act creates a de facto national identity-card system. “[A mass identification system] is as likely to distract you from the real problem as to help you find the real problem,” Harper said. “None of this is easy to fix, so easy sort of broad brushstrokes like IDing everybody are probably going to be wrong.” Harper predicts Real ID will fail, though that failure may take some time to play out. “Once it fails, we’ll go back and start again on something else,” he said. “Hopefully there will be better information on what we can do, and that’s where some of the emerging digitalidentity management systems coming out of 36 http://www.govtech.com

Table of Contents Feed for the Digital Edition of Government Technology - October 2007

Contents Point of View Big Picture The Last Mile GT Spectrum Letters How It Works Cerf on the Net Way Back Machine Separation Anxiety Let's Roll Rising to the Challenge Wednesday Afternoon Fever Parking Possibilities Products Signal: Noise

Government Technology - October 2007

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.