Separation Anxiety

States and the federal government struggle with disconnecting credentials from the concept of identity.

by / October 5, 2007 0

We all remember those early college years; bar-hopping the nights away and eating at restaurants of questionable repute at 3:30 a.m. Your pass into the three, four or five bars on the itinerary was your driver's license. It was the only credential you could offer bartenders and bouncers to prove you were of legal drinking age.

Over the course of any given day, this scenario is re-enacted at grocery stores, banks, gas stations or restaurants, though with an important caveat - at these businesses, you produce your driver's license to prove your identity so business transactions can be completed.

Somehow, the lowly driver's license - meant originally to prove only that the holder can legally operate a motor vehicle - took on completely different purposes. It's now the one card you use to prove your identity and as a credential to access certain places or buy certain things.

It's a long-recognized problem, but absent any real crisis to act as a motivating force, policymakers adopted a laissez-faire attitude and focused their attention elsewhere.

Unfortunately 9/11 forced the problem into the spotlight. The driver's license, in particular, fell under intense scrutiny because many of the terrorists falsified drivers' licenses to board the jetliners used in the attacks.

Policymakers hurriedly dropped the "What, me worry?" stance and duly issued legislation, the Real ID Act, to drastically alter how states issue drivers' licenses. Even before Real ID, the Bush administration issued a series of directives targeting homeland security, one of which, Homeland Security Presidential Directive-12 (HSPD-12), completely changed how the federal government issues credentials to government employees and contractors.

Critics, however, say government-led efforts seek to solve the wrong problem because the "solutions" are based on a misunderstanding of the concept of identity. Some critics also contend that, to succeed, wide-ranging identity management initiatives must be public-private partnerships instead of government-mandated programs.

 

Uncle Sam's ID Card
Since 2004, the federal government has struggled with its own identity and credentialing issue, HSPD-12. The directive is the federal government's strategy to eliminate variations in the quality and security of identification systems used to control access to federal facilities that could be potential terrorist targets, according to the directive.

"It is the policy of the United States to enhance security, increase government efficiency, reduce identity fraud and protect personal privacy by establishing a mandatory, governmentwide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors, including contractor employees," the directive states.

When articulated in wonk-speak, HSPD-12 seems almost easy. In the real world, however, HSPD-12 mandates the creation of a single identification card for approximately 4 million federal employees that can be used to access any federal building, facility and computer system - not an easy row to hoe.

One significant problem is the existence of more than a dozen agency-specific systems for issuing badges and credentials, systems that maintain data on those badges and credentials in separate data records, said David Temoshok, director of identity policy and management for the Office of Governmentwide Policy in the General Services Administration.

"What the presidential directive did on the broadest scale possible was to require that those individual systems be interoperable," Temoshok explained, "that the cards have the capability to be read in different readers in different agencies, to have data exchange across systems, and data validation to allow authentication across agencies to occur."

To make this happen, agency CIOs, human resources managers and physical security personnel must jointly create standard processes that integrate access to physical facilities and information systems. Because the cards contain personally identifying information about federal employees, agency privacy officers will also be heavily involved.

"HSPD-12 really has mandated a cultural change to

ensure that those different organizations work collectively on this implementation in very short time frames and under very key milestone dates in order to implement systems that, across those organizations and across the board, meet our control and implementation requirements," said Temoshok.

Though HSPD-12 specifically targets federal employees, standardizing the way federal agencies collect personally identifiable information from those employees and encode that information into HSPD-12-compliant identity cards might impact everyday U.S. citizens.

Various communities, including state and local governments, first responders, the health-care industry and international organizations, have expressed interest in the Federal Information Processing Standard 201 (FIPS 201), Temoshok said.

Officially titled Personal Identity Verification of Federal Employees and Contractors, FIPS 201 was created by the National Institute of Standards and Technology (NIST) as the federal government's standard for personal identity verification (PIV) based on secure and reliable forms of identification credentials.

FIPS 201 also addresses requirements for initial identity proofing, infrastructures to support interoperability of identity credentials, and accreditation of organizations and processes issuing PIV credentials, according to NIST.

"This is not a national ID card, but it is a national identity standard for the federal government that we can point to," Temoshok said. "Across those groups, we've seen great interest in adopting those standards and potentially implementing solutions that can interoperate with the deployments we're putting into place across the federal government.

"We had hoped for that," he continued. "We're very pleased and surprised to see that level of interest, and even across those diverse communities."

 

Defaulting to Identity
Despite the rush to fortify the driver's license and federal credentials, detractors suggest that the policymakers' approach solves the wrong problem. The issue isn't the security of either document, said Jim Harper, director of information policy studies at the Cato Institute. He said the real problem is a misunderstanding of the identity concept.

"The first mistake is that a lot of people are assuming that identity is a single, uniform thing - that each of us has one, and it starts with us when we're born and it ceases when we die," Harper said. "That's just not the case, and the people who actually work on these problems recognize that."

A person has many identities, he said. The identity shared with family differs from the identity shared with a financial services provider, which may not be the identity shared with the IRS, which is separate from the identity shared with a librarian, he said.

Harper, a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and author of Identity Crisis: How Identification Is Overused and Misunderstood, said he and former Utah CIO Phil Windley arrived at the same conclusion.

"He expressed it very well [in his book, Digital Identity]," Harper said. "An identity is a relationship. There isn't just one relationship you have with the government, and that defines every other relationship you have. So the idea that we'd have an identity system structured as a government-created identity system is equally inaccurate."

This mindset is what caused the driver's-license-as-credential problem in the first place, he said, and America is still locked into the idea that there's a simple way to create a single, uniform identification system.

It's a holdover from days gone by, he explained, when so many transactions used to happen face-to-face and proving your identity was crucial to carrying out those sorts of transactions.

Harper said he sees two tracks developing in the struggle to alter identity management: One track is the government-backed, card-based identification, such as Real ID. The other is the private-sector backed, digital identity management track, such as Microsoft's CardSpace, which lets users manage their portfolio of

digital identities and is part of the new Vista operating system, and a multitude of applications built by software companies to identify and credential people.

"There are technologists building interesting key fobs and cards that will sort of cross over between digital identity and the card-based identity we're familiar with," he continued. "Right now, these two different areas are operating on two separate tracks, and they're not really talking to one another."

Harper predicted three possible outcomes, two of which will generate lots of bad PR: First, government ID systems will dominate and citizens will be forced to carry some type of federally issued or designed ID to function in society, leading to the potential invasion of privacy and erosion of civil liberties.

Second, government ID systems could wither on the vine despite significant public-sector investments, potentially wasting tens of millions of dollars.

"The one that makes the most sense is for the government and the people developing systems in the private sector to start to work together so private entities accept credentials that meet government standards and governments will accept them - and government entities, just like today, would issue credentials that private entities accept," Harper said. "An important part of all that is to use credentials that are nonidentifying, when they can be used."

 

In the Clear
Harper cited the Clear program as an example of how such a partnership can work.

Clear is the brainchild of journalist and media mogul Steven Brill, who founded a Verified Identity Pass (Verified ID) in 2003. The company started enrolling members in Clear's pilot at the Orlando, Fla., International Airport in mid-2005.

Joining the Clear program requires a visit to the company's Web site to submit basic biographic information, including name, address, previous addresses and Social Security number. The next phase requires an in-person appointment at a ClearSpace Enrollment Station, found at participating airports, or one of the company's recently created mobile enrollment stations.

At this visit, a person submits a photograph and biometric information - iris images and 10 fingerprints - and presents two pieces of U.S.-government-issued identification from a preapproved list. Verified ID sends the applicant's enrollment information to the Transportation Security Administration (TSA) for a security-threat assessment. The TSA simply approves or denies the applicant without divulging assessment details to the company.

If an applicant is approved, he or she receives a Clear Card in two to four weeks, and can use it to bypass typical airport security procedures at any of at least seven participating airports, including the Orlando Airport and New York's John F. Kennedy International Airport.

Verified ID announced it had enrolled 48,000 travelers in the Clear program as of June 5, 2007. Public interest in the program seems strong, given the steady growth of applicants since 2005, but despite interest in what Verified ID calls the "voluntary identity credentialing industry," the public sector must do its part.

The TSA's Registered Traveler (RT) program is the government's part of the expedited security screening equation. Created in conjunction with private industry, the RT program is designed to be market-driven. The TSA acts as facilitator by setting program standards, conducting security-threat assessments, performing physical screening of passengers at TSA checkpoints, and providing certain forms of oversight for private-sector program participants.

Private-sector firms, like Verified ID, assume responsibility for enrollment, verification and related services.

 

Need to Know
Perhaps the Clear Card's most attractive aspect is what it doesn't do.

The card is a credential that tells TSA staff the cardholder passed the TSA's security-threat assessment process and is authorized to use ClearLanes to bypass some aspects of airport security. The card does not reveal the cardholder's identity to TSA staff,

effectively separating the person's identity from the physical credential.

Verified ID manages the card independently of any government control. The company tapped Lockheed Martin Corp. to manage the technology and information systems that support the card.

"You get all the security without the surveillance," Harper explained of the Clear program. "Those kinds of things are really the direction we need to go - where you have a variety of credentialing systems that are competitive so that you get cost control, convenience and competition over privacy. You get actual privacy."

By creating a market for credentialing, Harper said, consumers get a choice in the matter, adding that before rolling out the Clear Card, Verified ID conducted focus group meetings to ask consumers what they wanted from such a card and what would make them want to pay the $99.95 annual fee.

Consumers expressed cost, convenience and privacy as their chief concerns about the Clear Card, Harper said, and Verified ID designed its systems with those three issues in mind - in stark contrast to the way the Real ID Act creates a de facto national identity-card system.

"[A mass identification system] is as likely to distract you from the real problem as to help you find the real problem," Harper said. "None of this is easy to fix, so easy sort of broad brushstrokes like IDing everybody are probably going to be wrong."

Harper predicts Real ID will fail, though that failure may take some time to play out.

"Once it fails, we'll go back and start again on something else," he said. "Hopefully there will be better information on what we can do, and that's where some of the emerging digital-identity management systems coming out of the private sector will help to educate the next round of government identity policy."

 

Red Flags
Personal identity frameworks (PIFs) serve as evolutionary building blocks that help facilitate easy registration and single sign-on for a variety of online transactions, though predominantly in low-risk contexts, explained Gregg Kreizman, a research director at Gartner.

"We all interact, increasingly online, in a variety of contexts, such as government to citizen, government to business, business to consumer or business to business, and in different verticals within these broad categories, such as education, health, finance or social networks," he said.

Each context has its own risk profiles and therefore, each will have different expectations/requirements for ensuring individuals are who they claim to be.

Government will play a role in private-sector initiatives, such as Microsoft's CardSpace - by supplying information that would appear in PIFs - but involving government in the creation of PIFs will not solve the ID problem, he said.

PIFs are predominantly about the end-user experience.

"If I use CardSpace as my identity selector, I will have a common user interface to access multiple services in different contexts," Kreizman explained. "However, I will still need to have different identity providers - government, health care, finance - depending on context and associated risk profile."

Government is an appropriate source of identity proofing in some contexts, Kreizman said, though telecommunications companies may be in another context and credit bureaus may function as an appropriate source of identity proofing in yet another context.

PIFs provide convenience and a promise of privacy protection, Kreizman said, because PIFs provide ways for service providers to request identity attribute data for registration and provide ways for users to allow or deny access to that data.

"However, PIFs by themselves provide no guarantees that service or identity providers will protect that data from breaches or nefarious uses," he cautioned. "So, who do you want to be your identity

provider for all contexts?"

Government should be involved in work on PIFs, Kreizman said, though a full-fledged partnership may be impossible.

"Governments are one type of source for identity proof, and they are also identity consumers," Kreizman said. "We need government-issued IDs for nonelectronic purposes. We could also use government as a source of identity proofing truth for online transactions. But we don't always want that."

 

Finding Privacy
Some observers caution that the need for security is running roughshod over personal privacy rights.

The federal government alone is juggling six identity card initiatives, said Jim Dempsey, policy director at the Center for Democracy and Technology, and the CDT is alarmed at the proliferation of identity cards created in a policy vacuum.

"The biggest problem is that we have no policy framework for collection, use, storage and exchange of identification information," Dempsey said. "The United States has no comprehensive privacy law."

What exists now is a smattering of sundry privacy protections, he said, noting that Americans possess a constitutional right to privacy, but that right was largely defined in the pre-Internet age. Various statutory privacy protections exist, he said, but those protections target specific sectors, such as financial institutions or hospitals, and are riddled with exceptions.

The CDT has been trying to get the message through, he said but so far, Congress is somewhat mired in the sectoral approach of the past. That approach is, in part, the byproduct of legislative committees being created to examine laws targeted at specific sectors, such as a banking committee or a judiciary committee.

Larger issues also complicate the question of identity and privacy, however. Walking down the street used to be an unidentifiable activity unless someone actually knew you, he observed, the constitutional rule that a person has no privacy when it comes to what he or she does in public doesn't have very broad consequences when what that person did was not identifiable.

"There's a huge amount of activity going on in the proliferation of video cameras, and ultimately we're going to have increasing integration of facial recognition software in those camera systems," Dempsey cautioned. "We are really entering a very different world," he said, adding that there's no clear sense of a system for gathering, applying, storing and sharing identity information or personally identifiable information.

"The rules we've had in the past were based upon the assumption that there was a certain amount of friction in the system," he said. "They were also based upon the assumption that it was hard to link data across databases, as well as a series of other assumptions. Increasingly those assumptions are being blown apart, really, by changes in technology."

Shane Peterson Associate Editor