Enviar pesquisa
Carregar
Nascio who areyoue-authbrief122104
•
0 gostou
•
324 visualizações
Hai Nguyen
Seguir
Tecnologia
Notícias e política
Denunciar
Compartilhar
Denunciar
Compartilhar
1 de 16
Baixar agora
Baixar para ler offline
Recomendados
Identity Theft and Society: What's in it for me?
Identity Theft and Society: What's in it for me?
Robert Bromwich
How To Prevent The World Wild Web Identity Crisis
How To Prevent The World Wild Web Identity Crisis
wieringa
Corporate role in protecting consumers from the risk of identity theft
Corporate role in protecting consumers from the risk of identity theft
IJCNCJournal
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
Don Grauel
Identity Theft Red Flags Rule for Business
Identity Theft Red Flags Rule for Business
Herring Consulting & Financial Group
Cyber Facts and Prevention Presentation Gianino
Cyber Facts and Prevention Presentation Gianino
-Gianino Gino Prieto -Dynamic Connector -Insurance Strategist
Identity Theft Presentation
Identity Theft Presentation
Randall Chesnutt
Identity Theft * Canada
Identity Theft * Canada
- Mark - Fullbright
Recomendados
Identity Theft and Society: What's in it for me?
Identity Theft and Society: What's in it for me?
Robert Bromwich
How To Prevent The World Wild Web Identity Crisis
How To Prevent The World Wild Web Identity Crisis
wieringa
Corporate role in protecting consumers from the risk of identity theft
Corporate role in protecting consumers from the risk of identity theft
IJCNCJournal
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
Don Grauel
Identity Theft Red Flags Rule for Business
Identity Theft Red Flags Rule for Business
Herring Consulting & Financial Group
Cyber Facts and Prevention Presentation Gianino
Cyber Facts and Prevention Presentation Gianino
-Gianino Gino Prieto -Dynamic Connector -Insurance Strategist
Identity Theft Presentation
Identity Theft Presentation
Randall Chesnutt
Identity Theft * Canada
Identity Theft * Canada
- Mark - Fullbright
Teen Identity Theft Presentation - Family Online Safety Institue
Teen Identity Theft Presentation - Family Online Safety Institue
MindMake - Parenting & Education
Id Theft Presentation
Id Theft Presentation
Lisa Sosebee
Risk Managers Presentation
Risk Managers Presentation
pat7777
PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011
Kimberly Verska
security issue in e-commerce
security issue in e-commerce
Palavesa Krishnan
IDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By Wrf
Bucacci Business Solutions
Identity Theft: How to Avoid It
Identity Theft: How to Avoid It
hewie
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Steve Werby
Naccu Card Fraud And Identity Theft
Naccu Card Fraud And Identity Theft
mherr_riskconsult
IST Presentation
IST Presentation
guest1d1ed5
Identity in the Internet Age
Identity in the Internet Age
Cartesian (formerly CSMG)
Identity Theft ppt
Identity Theft ppt
Angela Lawson
ASIS Phoenix February Presentation
ASIS Phoenix February Presentation
John Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
Idt
Idt
Springboard
What You Need to Know to Avoid Identity Theft
What You Need to Know to Avoid Identity Theft
- Mark - Fullbright
L1 - Illinois Case Study
L1 - Illinois Case Study
Nick Iandolo
GHC-2014-Lavanya
GHC-2014-Lavanya
Lavanya Lakshman
Privacy and the Government
Privacy and the Government
primeteacher32
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Hai Nguyen
Disable your internet access
Disable your internet access
SZI Technologies Pvt Ltd
Corp pres rrs_sm_130404
Corp pres rrs_sm_130404
MeghnaSahay
Indian market (3)
Indian market (3)
yogeshchander1985
Mais conteúdo relacionado
Mais procurados
Teen Identity Theft Presentation - Family Online Safety Institue
Teen Identity Theft Presentation - Family Online Safety Institue
MindMake - Parenting & Education
Id Theft Presentation
Id Theft Presentation
Lisa Sosebee
Risk Managers Presentation
Risk Managers Presentation
pat7777
PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011
Kimberly Verska
security issue in e-commerce
security issue in e-commerce
Palavesa Krishnan
IDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By Wrf
Bucacci Business Solutions
Identity Theft: How to Avoid It
Identity Theft: How to Avoid It
hewie
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Steve Werby
Naccu Card Fraud And Identity Theft
Naccu Card Fraud And Identity Theft
mherr_riskconsult
IST Presentation
IST Presentation
guest1d1ed5
Identity in the Internet Age
Identity in the Internet Age
Cartesian (formerly CSMG)
Identity Theft ppt
Identity Theft ppt
Angela Lawson
ASIS Phoenix February Presentation
ASIS Phoenix February Presentation
John Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
Idt
Idt
Springboard
What You Need to Know to Avoid Identity Theft
What You Need to Know to Avoid Identity Theft
- Mark - Fullbright
L1 - Illinois Case Study
L1 - Illinois Case Study
Nick Iandolo
GHC-2014-Lavanya
GHC-2014-Lavanya
Lavanya Lakshman
Mais procurados
(17)
Teen Identity Theft Presentation - Family Online Safety Institue
Teen Identity Theft Presentation - Family Online Safety Institue
Id Theft Presentation
Id Theft Presentation
Risk Managers Presentation
Risk Managers Presentation
PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011
security issue in e-commerce
security issue in e-commerce
IDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By Wrf
Identity Theft: How to Avoid It
Identity Theft: How to Avoid It
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Naccu Card Fraud And Identity Theft
Naccu Card Fraud And Identity Theft
IST Presentation
IST Presentation
Identity in the Internet Age
Identity in the Internet Age
Identity Theft ppt
Identity Theft ppt
ASIS Phoenix February Presentation
ASIS Phoenix February Presentation
Idt
Idt
What You Need to Know to Avoid Identity Theft
What You Need to Know to Avoid Identity Theft
L1 - Illinois Case Study
L1 - Illinois Case Study
GHC-2014-Lavanya
GHC-2014-Lavanya
Destaque
Privacy and the Government
Privacy and the Government
primeteacher32
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Hai Nguyen
Disable your internet access
Disable your internet access
SZI Technologies Pvt Ltd
Corp pres rrs_sm_130404
Corp pres rrs_sm_130404
MeghnaSahay
Indian market (3)
Indian market (3)
yogeshchander1985
B com 2014 | Contenuti di prodotto: dall'engagement alla vendita_Giovanni Pol...
B com 2014 | Contenuti di prodotto: dall'engagement alla vendita_Giovanni Pol...
B com Expo | GL events Italia
Thornton e authentication guidance
Thornton e authentication guidance
Hai Nguyen
Datasheet two factor-authenticationx
Datasheet two factor-authenticationx
Hai Nguyen
B com 2013 | SEO: Search Experience Optimization. Quello che piace agli Utent...
B com 2013 | SEO: Search Experience Optimization. Quello che piace agli Utent...
B com Expo | GL events Italia
Performance Persistence by Harvard Business School
Performance Persistence by Harvard Business School
chaganomics
Iap2012 korea
Iap2012 korea
Hai Nguyen
Mystery
Mystery
harshita84
La Radio X D!!!
La Radio X D!!!
guestc14b21
Green procurement for IT Devices
Green procurement for IT Devices
Beroe Inc - Advantage Procurement
Kahn Help for ACT Math II
Kahn Help for ACT Math II
Jim Mathews
Man in-the-browser-in-depth-report
Man in-the-browser-in-depth-report
Hai Nguyen
Maternity Care Pathways Tool – a support to local workforce planning
Maternity Care Pathways Tool – a support to local workforce planning
C4WI
Amazing landings
Amazing landings
harshita84
Wat je kunt leren van een puppy
Wat je kunt leren van een puppy
Hedwig Schlötjes -Belle
Destaque
(19)
Privacy and the Government
Privacy and the Government
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Disable your internet access
Disable your internet access
Corp pres rrs_sm_130404
Corp pres rrs_sm_130404
Indian market (3)
Indian market (3)
B com 2014 | Contenuti di prodotto: dall'engagement alla vendita_Giovanni Pol...
B com 2014 | Contenuti di prodotto: dall'engagement alla vendita_Giovanni Pol...
Thornton e authentication guidance
Thornton e authentication guidance
Datasheet two factor-authenticationx
Datasheet two factor-authenticationx
B com 2013 | SEO: Search Experience Optimization. Quello che piace agli Utent...
B com 2013 | SEO: Search Experience Optimization. Quello che piace agli Utent...
Performance Persistence by Harvard Business School
Performance Persistence by Harvard Business School
Iap2012 korea
Iap2012 korea
Mystery
Mystery
La Radio X D!!!
La Radio X D!!!
Green procurement for IT Devices
Green procurement for IT Devices
Kahn Help for ACT Math II
Kahn Help for ACT Math II
Man in-the-browser-in-depth-report
Man in-the-browser-in-depth-report
Maternity Care Pathways Tool – a support to local workforce planning
Maternity Care Pathways Tool – a support to local workforce planning
Amazing landings
Amazing landings
Wat je kunt leren van een puppy
Wat je kunt leren van een puppy
Semelhante a Nascio who areyoue-authbrief122104
Govt authentication brief ca v
Govt authentication brief ca v
Mike Kuhn
M04 04
M04 04
Hai Nguyen
Presentation to T&P Forum Sep 2007
Presentation to T&P Forum Sep 2007
kumar641
Unlocking the Power of Identity Verification in India A Step Towards a Safer ...
Unlocking the Power of Identity Verification in India A Step Towards a Safer ...
rpacpc
Cupa pres a_2
Cupa pres a_2
Mohammad Yasar
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
Donald E. Hester
digital identity 2.0: how technology is transforming behaviours and raising c...
digital identity 2.0: how technology is transforming behaviours and raising c...
Patrick McCormick
PKI IN Government Identity Management Systems
PKI IN Government Identity Management Systems
Arab Federation for Digital Economy
The Importance of Electronic Identities in the Digital Era
The Importance of Electronic Identities in the Digital Era
Drysign By Exela
An Introduction to Authentication for Applications
An Introduction to Authentication for Applications
Ubisecure
Data Con LA 2022 - Pre- recorded - Web3 and Decentralized Identity
Data Con LA 2022 - Pre- recorded - Web3 and Decentralized Identity
Data Con LA
PRJ.1578-Omidyar-Network-Digital-Identity-Issue-Analysis-Executive-Summary-v1...
PRJ.1578-Omidyar-Network-Digital-Identity-Issue-Analysis-Executive-Summary-v1...
Nick Norman
ESRA IRS Briefing 20150519
ESRA IRS Briefing 20150519
K6 Partners
Eamonn O Raghallaigh Major Security Issues In E Commerce
Eamonn O Raghallaigh Major Security Issues In E Commerce
EamonnORagh
Csd6059
Csd6059
Hai Nguyen
Online Identity Theft: Changing the Game
Online Identity Theft: Changing the Game
- Mark - Fullbright
A Government Framework to Address Identity, Trust and Security in e-Governmen...
A Government Framework to Address Identity, Trust and Security in e-Governmen...
Arab Federation for Digital Economy
Role of blockchain in enterprise kyc
Role of blockchain in enterprise kyc
adityakumar2080
Biometrics & Citizen Services
Biometrics & Citizen Services
Bahaa Abdulhadi
A Contextual Framework For Combating Identity Theft
A Contextual Framework For Combating Identity Theft
Martha Brown
Semelhante a Nascio who areyoue-authbrief122104
(20)
Govt authentication brief ca v
Govt authentication brief ca v
M04 04
M04 04
Presentation to T&P Forum Sep 2007
Presentation to T&P Forum Sep 2007
Unlocking the Power of Identity Verification in India A Step Towards a Safer ...
Unlocking the Power of Identity Verification in India A Step Towards a Safer ...
Cupa pres a_2
Cupa pres a_2
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
digital identity 2.0: how technology is transforming behaviours and raising c...
digital identity 2.0: how technology is transforming behaviours and raising c...
PKI IN Government Identity Management Systems
PKI IN Government Identity Management Systems
The Importance of Electronic Identities in the Digital Era
The Importance of Electronic Identities in the Digital Era
An Introduction to Authentication for Applications
An Introduction to Authentication for Applications
Data Con LA 2022 - Pre- recorded - Web3 and Decentralized Identity
Data Con LA 2022 - Pre- recorded - Web3 and Decentralized Identity
PRJ.1578-Omidyar-Network-Digital-Identity-Issue-Analysis-Executive-Summary-v1...
PRJ.1578-Omidyar-Network-Digital-Identity-Issue-Analysis-Executive-Summary-v1...
ESRA IRS Briefing 20150519
ESRA IRS Briefing 20150519
Eamonn O Raghallaigh Major Security Issues In E Commerce
Eamonn O Raghallaigh Major Security Issues In E Commerce
Csd6059
Csd6059
Online Identity Theft: Changing the Game
Online Identity Theft: Changing the Game
A Government Framework to Address Identity, Trust and Security in e-Governmen...
A Government Framework to Address Identity, Trust and Security in e-Governmen...
Role of blockchain in enterprise kyc
Role of blockchain in enterprise kyc
Biometrics & Citizen Services
Biometrics & Citizen Services
A Contextual Framework For Combating Identity Theft
A Contextual Framework For Combating Identity Theft
Mais de Hai Nguyen
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
Sms based otp
Sms based otp
Hai Nguyen
Session 7 e_raja_kailar
Session 7 e_raja_kailar
Hai Nguyen
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_fa
Hai Nguyen
Scc soft token datasheet
Scc soft token datasheet
Hai Nguyen
Rsa two factorauthentication
Rsa two factorauthentication
Hai Nguyen
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Hai Nguyen
Pg 2 fa_tech_brief
Pg 2 fa_tech_brief
Hai Nguyen
Ouch 201211 en
Ouch 201211 en
Hai Nguyen
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
Hai Nguyen
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
Hai Nguyen
Mobile authentication
Mobile authentication
Hai Nguyen
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
Hai Nguyen
Identity cues two factor data sheet
Identity cues two factor data sheet
Hai Nguyen
Hotpin datasheet
Hotpin datasheet
Hai Nguyen
Gambling
Gambling
Hai Nguyen
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
Hai Nguyen
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
Hai Nguyen
Citrix sb 0707-lowres
Citrix sb 0707-lowres
Hai Nguyen
Bi guardotp
Bi guardotp
Hai Nguyen
Mais de Hai Nguyen
(20)
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Sms based otp
Sms based otp
Session 7 e_raja_kailar
Session 7 e_raja_kailar
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_fa
Scc soft token datasheet
Scc soft token datasheet
Rsa two factorauthentication
Rsa two factorauthentication
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Pg 2 fa_tech_brief
Pg 2 fa_tech_brief
Ouch 201211 en
Ouch 201211 en
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
Mobile authentication
Mobile authentication
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
Identity cues two factor data sheet
Identity cues two factor data sheet
Hotpin datasheet
Hotpin datasheet
Gambling
Gambling
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
Citrix sb 0707-lowres
Citrix sb 0707-lowres
Bi guardotp
Bi guardotp
Último
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
rafiqahmad00786416
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
Nanddeep Nachan
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
apidays
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Zilliz
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
apidays
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
MIND CTI
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Zilliz
Último
(20)
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Nascio who areyoue-authbrief122104
1.
Copyright © NASCIO
2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Who Are You? I Really Wanna Know: E-Authentication and its Privacy Implications1 Section I: Privacy & E-Authentication—An Overview Privacy and Authentication in an Electronic World: Obtaining a hunting license. Renewing your driver’s license. Applying for government benefits. These are all government transactions that are increasingly being provided via electronic means, such as via the Internet. While the placement of these transactions online can reduce staffing and other overhead costs, they present state governments with the challenge of ensuring that individuals are who they claim to be. Within the context of electronic transactions, states have an increased authentication challenge, because the person the state is trying to authenticate is located remotely, as opposed to appearing in- person to transact business with the government. When authenticating individuals via electronic means (which is referred to as E-Authentication), states must be careful to meet citizens’ expectation that the state will protect individuals’ personal information, keeping it safe from unauthorized disclosure or use and reducing the risk of identity theft.2 In fact, the exchange of personal information that accompanies most authentication methods creates a possible tension with privacy concerns.3 While many states provide some protection for personal information via state open records laws that exempt personal information from wide or unwarranted public disclosure, properly implemented E-Authentication mechanisms can lead to enhanced privacy protections. Key points for states to understand in order to maintain privacy during the E- Authentication process include: o Properly assessing the risks to privacy that authentication may pose and choosing an authentication method that addresses that risk level o Raising the awareness of those you authenticate as to potential privacy issues o When possible, limiting the amount of personal information an individual must divulge for authentication purposes o Understanding the benefits and privacy risks involved in using a common identifier (such as a Social Security Number) across multiple government applications or linking citizens’ information across multiple state systems. A Note on the Purpose and Organization of this Brief: This Research Brief is intended to provide state CIOs with an overview of the privacy implications of E-Authentication. Note, though, that authentication is a complex topic, given its placement within the bigger picture of identity management, which involves not only authentication but also the creation of identities and credentials that are used in the Dec. 2004
2.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 2 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org authentication process. Inevitably, when addressing issues of authentication, overlap will occur with other related topics, such as credentialing or security. Where there are instances of overlap within this brief, please note that Appendix B contains an overview of identity management and may be of help in providing clarification. Although this brief does not provide an in-depth treatment of E-Authentication, Appendix A presents additional resources for those who would like to learn about E-Authentication in more detail. This Research Brief is organized as follows: o Section II provides some perspective on the business drivers that are moving E- Authentication forward. o Section III presents background on the government’s unique role in E- Authentication. o Section IV touches upon some key concepts surrounding E-Authentication that are vital to presenting an accurate picture of E-Authentication’s privacy implications. o Section V elaborates on the privacy implications of E-Authentication. o Section VI provides information about E-Authentication and privacy at the federal and state government levels. o Appendix A contains additional resources for learning more about authentication. o Appendix B explains more about the identity management life cycle and authentication’s role in that life cycle. o Appendix C is a checklist from the National Research Council on ways to lessen the privacy impact when designing or selecting an E-Authentication system. Why We Should Care about Privacy and E-Authentication: Tuesday, November 2, 2004—Election Day in the U.S. News outlets reported long lines at voting precincts and, the following day, news media outlets reported that an estimated 120 million people had cast votes.4 While many focused on the election results, an overlooked aspect of the election was the process by which poll workers made sure that each voter was who he or she claimed to be and only voted once. By presenting a photo ID, probably a driver’s license, voters proved who they were to poll workers and signed a register to ensure that they only voted once. Whether or not they consciously thought about it, voters anticipated that the poll workers would maintain the privacy of the personal information they divulged in order to prove their identities. Voters also cast their votes with privacy protections that included standing behind a curtain when voting. While authentication is frequently mentioned within the context of online citizen services, citizen confidence in the legitimacy of election results and the protection of our democracy are ensured, at least in part, by proper authentication processes at the election polls. A vital part of maintaining citizen confidence within this example is ensuring that the personal information that citizens divulge during the authentication process is kept private and not exposed to unauthorized individuals, such as identity thieves. Privacy also plays an overall role in maintaining citizens’ implicit expectation of the integrity of the voting process. For example, the Help America Vote Act of 2002 (HAVA), a recent piece of legislation intended to modernize federal elections, contains
3.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 3 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org provisions that attempt to preserve the privacy of voting in federal elections.5 Another indicator of privacy’s importance to voting integrity is the sometimes fervent outcry of those with concerns regarding e-voting and whether the privacy of votes can be maintained if cast electronically.6 Section II: The Business Drivers—Moving E-Authentication Forward What Is E-Authentication? E-Authentication allows the government (or a private sector entity) to verify with a certain level of confidence that the users are who they claim to be within the context of electronic, self-service transactions. E-Authentication methods can be relatively simple in nature. An example of a less complicated method is the use of passwords. More complicated methods involve encryption and other technologies, including the use of digital certificates, digital signatures, hardware tokens, smart cards, USB fobs, and biometrics, such as fingerprints or retina recognition technologies. The benefits of E-Authentication include: o Increasing the speed of transactions o Increasing partner participation and customer satisfaction o Improving record-keeping efficiency and data analysis opportunities o Increasing employee productivity and improving the quality of the final product o Reducing fraud through up-front authentication checks o Increasing the ability to authenticate an individual once for access to multiple transactions o Moving more information to the public o Supporting citizen trust in e-government o Improving security and the confidentiality of sensitive information. The costs of an E-Authentication system include its design, procurement, testing, deployment and long-term maintenance. 7 Overview of the Business Drivers: The business drivers that are moving E-Authentication forward include: o A sense of urgency arising out of the 9/11 terrorist attacks to improve security against the threat of terrorism o Increased instances of identity theft and fraud o Budget deficits requiring improved operational efficiencies o Increased emphasis on improved service and electronic delivery o Marketplace expectations driven by citizens’ experience in the private sector o Fraud reduction in government entitlement programs.
4.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 4 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org The Security-Related Drivers: With respect to security efforts arising out of the 9/11 terrorist attacks—“The 9/11 Commission Report” detailed how the terrorists collectively presented questionable identity documentation in the form of passports and visa applications and how the airport gate personnel authenticated those individuals based upon the identity documentation they presented in order to board the planes.8 Concerns with the integrity of identity documents were reiterated by provisions to secure identity documents, including birth certificates, driver’s licenses and Social Security Cards, in the bills that were recently passed by both houses of Congress to implement the 9/11 Commission’s recommendations.9 While these problems focus on the issuance of identity credentials, which involves the first phases of the broader identity management life cycle, facets of these business problems that states must address include questions revolving around policy, technology, and available funding.10 The Streamlining-Related Drivers: Tight budgetary times and increasing calls for improved state government services have led to states’ moving more citizen services online. While online services offer citizens 24x7 access to government services, they also facilitate the streamlining of those services by reducing staffing and other overhead costs incurred when providing citizens in-person services. Within the context of electronic transactions, E-Authentication provides a way for states to have sufficient confidence in those transactions. More specifically, it allows states to have confidence that they are issuing licenses to the right individuals; to properly manage citizen benefit applications and case files as well as employee benefits and pensions; and, to conduct business and contractual transactions with an increased level of ease. Moreover, included in the need for improved service and electronic delivery is the need for better cooperation across jurisdictional boundaries. In order for one state to authenticate an individual based upon an identity document issued by another state, the authenticating state needs to be sure the issuing state’s business processes are adequate to ensure the reliability and validity of the identity document. This is just one challenge associated with cross-boundary authentication efforts. The Fraud-Reduction Drivers: In order to protect taxpayer dollars from fraud and waste, state governments are looking to E-Authentication methods in order to reduce the amount of government benefits paid to individuals who are ineligible to receive them. E-Authentication can provide a way to increase the government’s confidence that it is providing benefits to the right individuals. For example, Connecticut uses a combination of digitally-scanned fingerprints, photos, and signatures to identify and also deter instances of welfare fraud. Although the state acknowledges that estimating the savings from the use of this authentication method is difficult, it did save the state $9 million in the first few years after implementation.11
5.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 5 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Section III: The Eye of the Storm--The Challenging Role of State Government Multiple Roles in Authentication:12 State governments have a unique role in authentication, whether conducted manually or online—they frequently create identities (for example, through issuing birth certificates), change identities (changing a name on a driver’s license), and end identities (ensuring that a deceased person’s birth certificate and driver’s license cannot be used by anyone else). In other instances, states play the role of a party relying upon an identification document or other means of authentication offered by an individual within the context of a transaction. Complicating Factors: The following factors that are unique to state governments can complicate states’ E- Authentication initiatives: o The typically mandatory nature of citizens’ transactions with government (whereas individuals’ interactions with the private sector are normally discretionary in nature) o The heterogeneous citizen marketplace, which can make it difficult for states to serve various market sectors electronically o The cradle-to-grave relationship governments tend to have with citizens that can be intermittent yet span a long period of years o Higher citizen expectations of government’s ability to protect the privacy and security of their personal information13 o Citizens’ generalized distrust of government’s ability to protect the privacy of their personal information14 o The lack of a strong identifier that can be used by multiple governmental organizations o The expense and complicated nature of implementing strong E-Authentication systems. While the task of E-Authentication may appear daunting for states, not all transactions require high levels of authentication. For example, if a user self-registers a user ID and password on a government webpage in order to customize that webpage, correctly identifying the individual is of little or no value. However, other transactions require higher levels of confidence because of the inherent risk or value of the transaction. An example would be if a beneficiary changes his or her address of record through a government website or if an agency employee uses a remote system that gives him or her access to potentially sensitive client information where the transaction occurs via the Internet.15
6.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 6 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Section IV: Key Concepts to Understand Before Addressing the Privacy of Authentication Processes Understand What You Are Trying To Authenticate: When considering an authentication method, states must understand which type of authentication they need. The three main types are: o Individual Authentication: With an understood level of confidence, linking an identifier to a specific individual (using a driver’s license to authenticate that an individual is the exact person he or she claims to be). o Identity Authentication: With an understood level of confidence, linking an identifier to an identity (verifying that a password is linked to an email address). It may not be possible to link the identity to a specific person. o Attribute Authentication: With an understood level of confidence, ensuring that an attribute applies to an individual (verifying that a person is an employee).16 Note that a stronger authentication method may be needed to authenticate an individual, as opposed to authenticating an attribute or an identity. Know Whether You Are Authenticating and/or Authorizing: States must distinguish the act of authentication (establishing a level of confidence in a claim made by an individual) and the act of authorization (establishing what an individual is permitted or restricted from doing).17 These concepts are often confused when policy is being debated. Understand the Risks: In assessing whether and what type of authentication methods may be needed, a state must examine the types of harm that are possible. Potential types of harm include: o Citizen inconvenience or distress or damage to a citizen’s standing or reputation o Financial loss for a citizen or agency liability o Harm to an agency’s programs or public interests o Unauthorized release of sensitive information (such as centrally-stored personal information that is used to authenticate individuals) o Personal safety o Civil or criminal violations. This risk analysis also includes considering the likelihood of whether a risk will occur.18 While the quantification of both the impact and the probability of risk for such analyses is ideal, a qualitative analysis may also be very informative for decision makers. Through examining both the impact and probability of a risk, state officials can make informed decisions about risk mitigation. The risks involved will play a vital role in determining the strength of the authentication that is needed. Understand the Range of Available Solutions:19 Authentication solutions and their enabling technologies can be categorized as authenticating upon the basis of (1) something you know, (2) something you have or (3) something you are. o Something You Know: Passwords and PINs are within this category. While cheap and relatively easy to implement, they pose inherent risks, because they can
7.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 7 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org be forgotten or compromised through social engineering (for example, an individual being coaxed to reveal his or her password) or spyware applications. The NRC Report recommends the education of password users and that system designers take “great care” to ensure the proper balance between usability and security.20 Password management should be addressed within a state’s security architecture. o Something You Have: Magnetic Stripe Cards, Secure Tokens, PKI (Public Key Infrastructure), Digital Certificates, RFID (Radio Frequency Identification) Chips, and Smart Cards are examples. More complex than the “something you know” technologies, these technologies generally contain information that can be used to authenticate a person. While these technologies vary in their resistance to alteration and forgery, they still can be compromised if lost or stolen or if the information they contain is accessed. “Something you know” authentication (a PIN) is often combined with “something you have” authentication (an ATM card) to provide multi-factor authentication. o Something You Are: These types of technologies authenticate a person based on behavioral or physiological characteristics. Examples are voice prints, fingerprints, facial recognition, iris scanning, keystroke dynamics, and even handwriting. False negatives and positives pose potential problems along with the fact that, once compromised, a biometric cannot readily be changed.21 Hand geometry or fingerprint authentication is often combined with “something you have” authentication, through a Smart Card, to authenticate users regarding physical access control. Section V: Privacy Implications of E-Authentication The Key to Achieving Authentication Success: When a state is evaluating whether and what kind of authentication system is needed, it is imperative for states to remember that privacy can be enhanced with the proper level of authentication. However, privacy can be compromised if a state implements authentication when it is not needed to achieve an appropriate level of security.22 The discussion below highlights some of the general privacy implications of E- Authentication. States are encouraged to perform a detailed risk analysis that takes into account privacy risks when considering an E-Authentication implementation.23 See Appendix C for a NRC Report checklist on lessening authentication privacy concerns. Notice: Ideally, citizens need to be aware that they are being authenticated and informed of any privacy implications that are associated with the authentication. Related to this is the difficulty or ease with which the citizen can proceed through the authentication system. The NRC Report cautions that citizens need a clear understanding of the security and privacy threats to an authentication system. Otherwise, they may behave in ways that undermine existing privacy protections.24 An overly burdensome authentication system also may lower citizens’ participation in the system, which, in turn, could lower the system’s anticipated benefits.25 Many citizens may not read or understand the implications of authentication schemes.
8.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 8 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Information Collection Limitation: To protect the privacy of personal information, many experts recommend that entities should not use individual authentication when attribute authentication will suffice. This recommendation minimizes the personal information collected from individuals. For example, individuals who want to go on a ride at the state fair may have to show that they satisfy the height requirement by standing against a measure of their height (attribute authentication), but do not need to present a photo ID as authentication to go on the ride (individual authentication). Secondary Uses and Linkages: The reliance on common identifiers, such as Social Security Numbers, across multiple state authentication systems and the linking of user information across systems can create privacy concerns, because, with each new use or linkage, there are more associated risks that could compromise the information’s privacy.26 The minimization of secondary uses and linkages of personal information collected via authentication is consistent with the Fair Information Practices. However, states must be careful to weigh those risks with the opportunities for operational efficiencies that are created through a shared identity management infrastructure that supports the common identity needs of government and private sector transactions. For example, an enterprise identity and access management service could provide self-registration, digital identity creation, password management and synchronization, and improved service delivery 24x7 for a wide-range of users who desire access to government information and/or systems. A thorough risk analysis can be of great assistance to states in balancing the privacy risks with the operational efficiencies that can be created by the aggregation and sharing of authentication information. Identity Credentials--A Word About Foundational Documents: Foundational documents, such as birth certificates and driver’s licenses, are created during the early phases of the identity management life cycle and are used to authenticate individuals in the later stages of that life cycle.27 However, foundational documents pose general concerns regarding their validity and reliability. This is particularly true when one state is relying upon another state’s foundational document (such as a birth certificate) in order to issue another identity document (for example, a driver’s license). The NRC Report recognizes this concern, because these types of documents, including passports and Social Security Cards, are issued “by a diverse set of entities that lack ongoing interest in the documents’ validity and reliability.” Hence, the NRC Report recommends that “birth certificates should not be relied upon as the sole base identity document. Supplemented with supporting evidence, birth certificates can be used when proof of citizenship is a requirement.”28 States should consider the validity and reliability of any foundational documents used to authenticate an individual. Section VI: Federal and State E-Authentication Efforts The Federal Level: At the federal level, the U.S. Office of Management and Budget (OMB) has issued guidance for federal agencies on E-Authentication. The guidance is technology-neutral and requires agencies to perform risk assessments regarding new or existing E-
9.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 9 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Authentication systems. Agencies then map the risks to assurance levels established in the guidance. The assurance levels provide agencies with guidance as to the confidence level provided by the authentication.29 Guidance from NIST (the National Institute of Standards and Technology) provides more specific technical guidance as to what types of processes and authentication methods must be in place at each assurance level.30 NASCIO will monitor any state impact that might devolve from these federal efforts. The U.S. General Services Administration (GSA) is the managing partner of the federal E-Authentication Initiative, which focuses on building the necessary infrastructure to support common, unified E-Authentication processes and systems for government-wide use.31 Currently, the initiative is focusing on E-Authentication within the context of the banking sector in order to provide banks with access to select federal information systems. GSA will work with other sectors, including states, in the future as it advances a federated model for E-Authentication. Other federal authentication-related efforts include the Federal Bridge Certification Authority (FBCA), which helps to support interoperability among various federal PKI efforts.32 Moreover, OMB has an effort underway via the Federal Identity Credentialing Committee to make policy recommendations on identity credentialing as a component of the broader federal Enterprise IT Architecture effort.33 The State Level: At the state level, government agencies generally opt for technology based on “what you know,” and typically use some form of password protection for low-risk authentication. Higher-end E-Authentication methods, such as PKI, are less frequently used, due to their complexity and expense to implement. One example is Washington State’s PKI infrastructure, which allows citizens and businesses to conduct online transactions.34 Some states also use a form of electronic signatures that allows users to digitally sign and transfer documents and gives them the same legal effect as written documents. However, even rarer at the state level is the use of biometric identifiers, such as facial recognition and iris scans. In part, concerns with false negatives and positives and the public perception of privacy encroachments with the use of biometrics appear to have slowed their adoption in the state government sector. While E-Authentication is critical to the expanded application and broader adoption of online government transactions, states must proceed with E-Authentication in a way that properly assesses and addresses the risks, including potential compromises to citizen privacy. In that way, states will ensure that they are providing the proper level of authentication, which will enhance individuals’ privacy protections.
10.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 10 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org What CIOs Need to Know o E-Authentication is critical to the availability of secure and privacy-protecting online transactions. o Key concepts in addressing the privacy risks of authentication include the following: • Choosing the right level of authentication can enhance privacy. • Authentication methods must be tailored to address privacy and other risks. A method that provides greater protection than what is needed can encroach on privacy, because personal information is involved in most authentication transactions. • CIOs must be proactive in conducting a thorough risk assessment (including privacy risks) and choose a technology that addresses the identified risks. o CIOs need to understand the policy issues that are critical in cross-boundary initiatives. Jurisdictions must agree to treat privacy concerns in a consistent manner. o E-Authentication is but one part of an overall identity management life cycle that deals with the creation and management of identities (see Appendix B for more on the identity management life cycle). o In addressing the privacy implications of E-Authentication, CIOs should involve not only individuals who deal with IT privacy policy issues but also those individuals who understand the technical aspects of E-Authentication. CIOs also should include business or program officials, who can understand the risk and reward trade-offs for their programs and particular group of users, as part of the risk analysis process.
11.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 11 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Appendix A: Need More Information on E- Authentication? References and Resources NASCIO Publications: For more information about NASCIO’s other privacy publications, including “Information Privacy: A Spotlight on Key Issues,” and “Think Before You Dig: The Privacy Implications of Data Mining and Aggregation,” please see our Privacy Committee Webpage at, <https://www.nascio.org/nascioCommittees/privacy/>. NASCIO’s Enterprise Architecture Development Toolkit, v 3.0, <http://www.nascio.org/publications/index.cfm#architecture>. Government Resources: “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>. “Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology,” National Institute of Standards and Technology (NIST), June 2004, <http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf>. “Standards for Security Categorization of Federal Information and Information Systems,” NIST Federal Information Processing Standards Publication 199, December 2003, <http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf>. NIST Smartcard Research and Development Homepage, <http://smartcard.nist.gov/>. “Policy for a Common Identification Standard for Federal Employees and Contractors,” Homeland Security Presidential Directive, August 2004, <http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html>. Federal Bridge Certification Authority Website, <http://csrc.nist.gov/pki/fbca/welcome.html>. Federal Identity Credentialing Committee Website, <http://www.cio.gov/ficc/>. U.S. General Services Administration (GSA) E-Authentication Initiative Homepage, <http://www.cio.gov/eauthentication/>. Washington State Public Key Infrastructure (PKI), <http://techmall.dis.wa.gov/master_contracts/e_commerce/digital.asp>.
12.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 12 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Other Organizations: “e-Authentication Risk and Requirements Assessment: e-RA Tool Activity Guide,” Carnegie Mellon, Software Engineering Institute, May 2004 (updated), <http://www.cio.gov/eauthentication/era.htm >. “Identity Management: Are We All On the Same Page?” National Electronic Commerce Coordinating Council (NECCC), 2004 <http://www.ec3.org/Downloads/2004/identity_management.pdf>. “Enterprise Identity and Access Management: The Rights and Wrongs of Process, Privacy and Technology,” NECCC, 2003 <http://www.ec3.org/Downloads/2003/EnterpriseIdentity.pdf>. “Identity Infrastructure,” NECCC, 2003, <http://www.ec3.org/Downloads/2003/identity_infrastructure.pdf>. “Identity Management: A White Paper,” NECCC, 2002, <http://www.ec3.org/Downloads/2002/id_management.pdf>. “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>. “Understanding Electronic Signatures: The Key to E-Government,” Stephen H. Holden, IBM Center for the Business of Government’s E-Government Series, March 2004, <http://www.businessofgovernment.org/pdfs/Holden_report.pdf>.
13.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 13 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Appendix B: A Word About Identity Management While this Research Brief focuses on E-Authentication, that topic is only a part of the broader picture of the identity management life cycle, which embraces the full spectrum of how identities are created and used. The generic phases of the identity management life cycle are: o Phase 1: Identity proofing by a credentialing authority o Phase 2: Creation of an identity credential o Phase 3: Presentation of an identity credential to a relying party o Phase 4: Acceptance of a credential by a relying party.35 E-Authentication processes occur during Phases 3 and 4 of the identity management life cycle. For purposes of this Research Brief, the reader should assume that activities in Phases 1 and 2 of the life cycle have already taken place. We can use our example of the voting process at the beginning of this Research Brief in order to illustrate the identity management life cycle. o Phase 1: A voter completes a registration card, providing information such as a name and address, and submits the form back to the appropriate state voter registration agency. There may be verification processes that occur during this phase in order to verify the validity of the information that the voter provided to the voter registration agency. Since the voter will be required to present a form of photo identification at the polls on Election Day, Phase 1 also may include a voter’s application for a photo ID, most likely a driver’s license. In this phase, the state Department of Motor Vehicles (DMV) verifies that the individual is who he or she claims to be through methods that might include the presentation of a birth certificate. o Phase 2: During this phase, the state voter registration agency places the voter’s name on the roll of registered voters. This phase also entails the issuance of a photo ID to the individual by the state DMV. o Phase 3: This phase occurs when the voter arrives at the polls on Election Day and presents his or her photo ID to the poll registration worker. The voter’s identity must be authenticated before the voter is permitted to proceed into the voting booth. o Phase 4: The poll worker verifies that the name on the photo ID matches the name on the voter registration roll and that the face of the person on the photo ID matches the voter’s face. In this Research Brief, we examine the privacy implications that are associated with E- Authentication during Phases 3 and 4.
14.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 14 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Appendix C: NRC Checklist to Lessen Privacy Impact When Designing or Selecting an E-Authentication System The checklist below was formulated by the National Research Council (NRC) in its publication “Who Goes There? Authentication Through the Lens of Privacy.” You can find more about this publication at: <http://www.nap.edu/catalog/10656.html>. o Authenticate only for necessary, well-defined purposes o Minimize the scope of data collected o Minimize the retention intervals for data collected o Articulate what entities will have access to the collected data o Articulate what kinds of access to and use of the data will be allowed o Minimize the intrusiveness of the process o Overtly involve the individual to be authenticated in the process o Minimize the intimacy of the data collected o Ensure that the use of the system is audited and that the audit record is protected against modification and destruction o Provide means for individuals to check on and correct the information held about them that is used for authentication.36
15.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 15 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org Notes 1 The title of this Research Brief was inspired by The Who’s 1978 single “Who Are You?” 2 For more information about identity theft and the role of authentication as a solution, please see testimony from a hearing on identity theft by the House of Representatives, Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, entitled “Identity Theft: The Cause, Costs, Consequences, and Potential Solutions?” September 2004, <http://reform.house.gov/TIPRC/Hearings/EventSingle.aspx?EventID=1365>. 3 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>. 4 “2004 Election Results,” CNN, November 3, 2004, <http://www.cnn.com/ELECTION/2004/pages/results/president/>. 5 For more information on HAVA, please see NASCIO’s April 2004 Briefing Paper on HAVA at: <https://www.nascio.org/nascioCommittees/privacy/HAVA04.pdf>. 6 Examples of voting privacy concerns are available on the website of the National Committee for Voting Integrity at: <http://www.votingintegrity.org/issues/Privacy.html>. 7 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>. 8 “The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States,” 2004, <http://www.gpoaccess.gov/911/>. Note that these and other similar concerns raised by the 9/11 Commission involve issues of identity management that are broader than the E-Authentication privacy issues that we discuss in this Research Brief. Please see Appendix A for additional resources, including white papers by NECCC (National Electronic Commerce Coordinating Council), on the wide array of issues associated with identity management. 9 “The Intelligence Reform and Terrorism Prevention Act of 2004,” §§7211-7214 (identity management provisions), <http://govt- aff.senate.gov/_files/IntelligenceReformconferencereportlegislativelanguage12704.pdf>. 10 For more about the identity management life cycle and authentication’s role in it, please see Appendix B. 11 “Digital Imaging Program Fact Sheet,” State of Connecticut, Department of Social Services, January 2004, <http://www.dss.state.ct.us/pubs/difacts.pdf>. 12 E-Authentication is a mere step within the broader context of the identity management life cycle that encompasses the creation and management of the various identities we use in transacting business with multiple entities on a daily basis. See Appendix B for a more detailed explanation of the identity management life cycle and E-Authentication’s role in it. 13 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>. 14 Note that, according to a 2004 survey sponsored by Carnegie Mellon’s CIO Institute and the Ponemon Institute, 83% of the responding public said that data privacy was important or very important to them. However, many respondents had a high level of uncertainty about the government’s ability to use and collect personal information. For more information, please see, <http://cioi.web.cmu.edu/newsroom/press/20040209.jsp>. 15 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>. 16 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>. 17 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>. 18 Ibid.
16.
Who Are You?
I Really Wanna Know: E-Authentication and its Privacy Implications 16 Copyright © NASCIO 2004 • All rights reserved 167 West Main St., Suite 600 • Lexington, KY 40507 P: (859) 514-9153 • F: (859) 514-9166 • E: nascio@amrinc.net • http://www.nascio.org 19 While the technologies used in E-Authentication may be complex in some instances, there are many resources available that treat in detail the privacy and security features of E-Authentication technologies such as PKI (Public Key Infrastructure), Digital Certificates, Digital Signatures, LDAP (Lightweight Directory Access Protocol), and RFID (Radio Frequency Identification). NASCIO recommends starting with the resources in Appendix A of this Research Brief. 20 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>. 21 Ibid. 22 Ibid. 23 When considering the risks to privacy, it is helpful to examine the risks to privacy in light of the widely- used Fair Information Practices (FIPS). The FIPS include considering privacy as it relates to: (1) the collection of information (2) data quality (3) the purpose of information collection (4) uses (including secondary uses) of the information (5) notice to individuals of the collection of information (6) individual participation in the collection, use, assurance of accuracy, and correction of the information, and (7) enforcement and redress for individuals. For more about the FIPS, please see NASCIO’s “Information Privacy: A Spotlight on Key Issues.” It is available for free download to NASCIO members and for purchase by non-members at, <www.nascio.org>. 24 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>. 25 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>. 26 Ibid. 27 For more about the identity management life cycle, please see Appendix B. 28 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>. 29 “E-Authentication Guidance for Federal Agencies,” Executive Office of the President, Office of Management and Budget (OMB), M-04-04, December 16, 2003, <http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf>. 30 “Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology,” William E. Burr; Donna R. Dodson, and W. Timothy Polk, June 2004, <http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf>. 31 For more information, please see GSA’s E-Authentication website at, <http://www.cio.gov/eauthentication/>. 32 View the FBCA’s webpage at <http://csrc.nist.gov/pki/fbca/welcome.html>. 33 View the Federal Identity Credentialing Committee’s webpage at <http://www.cio.gov/ficc/>. 34 Unique to Washington State’s PKI is its ability to create “digital signatures” which can be applied to electronic forms. These digital signatures have the same force and effect under Washington law as a handwritten signature, and agencies are beginning to look to digitally-signed transactions as a way to minimize the use of paper and reduce transaction cycle time. For more information about Washington State’s PKI program, please contact Scott Bream, Washington State Department of Information Services, at scott@dis.wa.gov. 35 “The Identification Process Deconstructed,” J. Scott Lowry, Caradas, Inc., PowerPoint Presentation at NIST Smart Card Workshop, June 8-9, 2003, <http://csrc.nist.gov/card-technology/presentations/security- privacy/Lowry-Caradas-Identification-Process.pdf>. 36 “Who Goes There? Authentication Through the Lens of Privacy,” Stephen T. Kent and Lynette I. Millett, Editors, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, 2003, <http://www.nap.edu/catalog/10656.html>.
Baixar agora