
Presentation Transcript


    1. Privacy and Access in Georgia E-Government: Digital Identity. Emily Frye, Associate Director for Law and Economics, Critical Infrastructure Protection Project. July 23rd, 2003

    2. Critical Infrastructure Protection Project (CIPP) The Critical Infrastructure Protection Project seeks to fully integrate the disciplines of law, policy, and technology for enhancing the security of cyber networks and economic processes supporting the nation’s critical infrastructures.

    3. Agenda
    - Session One: Background and Development
    - Session Two: The Law of Digital Identity
    - Session Three: Managing Digital Identity: The Path Forward

    4. What Is Digital Identity? Is it …
    - Your name?
    - Your name and email address?
    - Your name and password?
    - Your name and Social Security Number?
    - Your SSN and height/weight/eye color/hair?
    - Your name and bank account number?
    - Your bank account number and PIN?
    - Your name and X-rays of last year’s broken foot?
    Speaker note: Audience poll method

    5. Hypothesis: What Is Digital Identity?
    Digital Identity has no single legal definition. Digital Identity is characterized by three elements. D.I. is:
    - A set of pieces of information about a person
    - That is needed to conduct a particular transaction; and
    - Is not fixed, but varies according to the requirements of the transaction.

    6. Digital Identity Hypothesis
    In general, the more complex the transaction, the more information is required to satisfy the identity requirements of the transaction.
    “In general, informal or lower value transactions will require less stringent assurance levels. Higher value or legally significant transactions will require more stringent assurance levels.” (GSA E-Authentication Policy Draft, July 11, 2003)

    7. Digital Identity: Two Paradigms
    - Defensive: Impersonation/Theft: The Digital Identity is the “victim” of a crime
    - Offensive: Authentication: The Digital Identity is a user’s tool for participating in a digital transaction (in this case, e-government)

    8. Paradigm One: Digital Identity as Victim
    State of Law on Digital Identity as Victim:
    - Computer Fraud and Abuse Act
    - Privacy Act
    - HIPAA
    - Gramm-Leach-Bliley
    - State law: California (enacted)
    - ? Federal (proposed)
    Speaker note: Discuss the relationship of digital identity law to privacy law; the relationship between privacy law and security law

    9. Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.
    - Particularly helpful to government entities
    - Basic message: Anyone who accesses a computer without authorization or exceeds their designated access and obtains sensitive information (financial), government information, or commercial information shall be punished by imprisonment and fines.

    10. The Privacy Act of 1974, 5 U.S.C. § 552a
    No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would fall under one of a number of specified permitted types of disclosure, including:
    - To protect the individual
    - For court purposes
    - For law enforcement purposes

    11. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191
    - Goals: increase access to healthcare during job transitions; enhance privacy of providing electronic healthcare
    - Special protection accorded to “individually identifiable electronic health information” – sometimes called “PHI” (Personal Health Information)
    - PHI includes: “individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form.” (Sec. 164.501)

    12. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    - Privacy Regulations, Security Regulations, and Administrative Regulations
    - All transactions must comply with specific code/transaction sets
    - Are you a “covered entity”?
    - Civil and criminal liability
    Speaker note: Health care providers, insurance companies, and healthcare information clearinghouses

    13. Gramm-Leach-Bliley
    - Also called The Financial Modernization Act of 1999
    - Applies to financial institutions; requires that financial institutions protect information collected about individuals
    - The privacy notice must be a clear, conspicuous, and accurate statement of the company's privacy practices
    - Potential for Director and Officer liability for inadequate supervision/oversight of digital/network security

    14. State Laws
    California Identity Theft Law, effective July 1, 2003 (AB 1386-Peace/CHAPTER 915, Stats of 2002):
    “Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

    15. California State Law: Identity Theft
    First legislative definition of “digital identity”:
    (e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    (1) Social security number.
    (2) Driver's license number or California Identification Card number.
    (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    (f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
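A worked check of the statutory definition above, added here as an example that is not part of the presentation or the statute: it applies subsections (e) and (f) to exposed records so a breach-response team can tell which records fall within the disclosure duty. The Record structure, its field names and the sample records are constructed for illustration.

```python
"""Apply the AB 1386 definition of "personal information" (quoted on the slide)
to records exposed in an incident.  Added example; field names, the Record
structure and the sample data are constructed, not taken from the statute."""
from dataclasses import dataclass, field


@dataclass
class Field:
    """One data element as it sat on the compromised system."""
    present: bool = False
    encrypted: bool = False


@dataclass
class Record:
    first_name_or_initial: Field = field(default_factory=Field)
    last_name: Field = field(default_factory=Field)
    ssn: Field = field(default_factory=Field)
    drivers_license_or_ca_id: Field = field(default_factory=Field)
    account_number: Field = field(default_factory=Field)       # incl. credit/debit card number
    account_access_code: Field = field(default_factory=Field)  # security code, access code or password
    public_government_record: bool = False  # lawfully public federal/state/local record, subsection (f)
    california_resident: bool = False


def is_personal_information(r: Record) -> bool:
    """Subsection (e): name plus at least one listed element, where either the
    name or the element is not encrypted; subsection (f) excludes lawfully
    public government records."""
    if r.public_government_record:
        return False
    if not (r.first_name_or_initial.present and r.last_name.present):
        return False
    name_encrypted = r.first_name_or_initial.encrypted and r.last_name.encrypted

    # Each qualifying element, recorded as whether it was stored encrypted.  An
    # account number counts only together with a code that would permit access;
    # the pair is treated as encrypted only if both halves are (an assumption).
    elements = []
    if r.ssn.present:
        elements.append(r.ssn.encrypted)
    if r.drivers_license_or_ca_id.present:
        elements.append(r.drivers_license_or_ca_id.encrypted)
    if r.account_number.present and r.account_access_code.present:
        elements.append(r.account_number.encrypted and r.account_access_code.encrypted)
    if not elements:
        return False
    # "when either the name or the data elements are not encrypted"
    return (not name_encrypted) or any(not enc for enc in elements)


def records_requiring_notice(records) -> int:
    """Count exposed records of California residents that carry personal
    information as defined above (the population the disclosure duty reaches)."""
    return sum(1 for r in records if r.california_resident and is_personal_information(r))


# Constructed sample of exposed records.
PRESENT = Field(present=True)
PRESENT_ENC = Field(present=True, encrypted=True)
SAMPLE_RECORDS = [
    # Cleartext name + cleartext SSN: in scope.
    Record(first_name_or_initial=PRESENT, last_name=PRESENT, ssn=PRESENT, california_resident=True),
    # SSN encrypted but the name is not: the statute's "either ... or" still reaches it.
    Record(first_name_or_initial=PRESENT, last_name=PRESENT, ssn=PRESENT_ENC, california_resident=True),
    # Name and SSN both encrypted: out of scope.
    Record(first_name_or_initial=PRESENT_ENC, last_name=PRESENT_ENC, ssn=PRESENT_ENC,
           california_resident=True),
    # Card number with no access code: not a listed element.
    Record(first_name_or_initial=PRESENT, last_name=PRESENT, account_number=PRESENT,
           california_resident=True),
    # Card number plus password in cleartext, but the person is not a California resident.
    Record(first_name_or_initial=PRESENT, last_name=PRESENT, account_number=PRESENT,
           account_access_code=PRESENT, california_resident=False),
    # Driver's license number drawn from a lawfully public government record.
    Record(first_name_or_initial=PRESENT, last_name=PRESENT, drivers_license_or_ca_id=PRESENT,
           public_government_record=True, california_resident=True),
]

if __name__ == "__main__":
    print(records_requiring_notice(SAMPLE_RECORDS))  # 2
```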

    16. California State Law: Federal Offspring
    Proposed: H.R. 2617, The Consumer Identity and Information Security Act of 2003. Sponsored by John Shadegg (R-AZ)/introduced 6-26-03.
    - Restrictions on use or transmission of SSNs, requiring that if they are to be transmitted on the Internet, the site must have a secure connection and/or encrypt the information
    - Can only print the last 5 digits of any credit card number
    - Affirmative duty on credit/debit card issuers to verify identities when a consumer asks for a new card or password within 30 days of changing address
    - Mandates that FTC establish reporting procedures for violations of these provisions

    17. California State Law: Federal Offspring
    Proposed: H.R. 2622, The Fair and Accurate Credit Transactions Act of 2003. Sponsored by Spencer Bachus (R-AL)/introduced 6/26/03.
    - Like H.R. 2617, this bill places an affirmative duty on credit and debit card issuers to identify anyone requesting a new card within 30 days of changing addresses
    - Also restricts the electronic printing of credit card numbers on receipts, this time to 4 digits

    18. California State Law: Federal Offspring
    - Focuses more on the long-term effects of identity theft, as well as prevention. For example, it mandates that a consumer reporting agency will define the rights of victims, and that the banking agencies establish “red flag” guidelines to identify patterns of identity theft.
    - Stipulates that if a consumer is a victim of credit card or identity theft, the suspicious activity will be blocked or redacted from his credit report
    - Also provides for a consumer complaint coordination mechanism

    19. California State Law: Federal Offspring
    Proposed: H.R. 2633, Identity Theft and Information Blackout Act of 2002. Sponsored by Rahm Emmanuel (D-IL)/introduced 6-26-03.
    - Unlike the other two bills, this piece of legislation places restrictions on federal agencies’ use and display of social security numbers
    - Prohibits the sale of SSNs by both federal and private entities
    - Prevents federal agencies from printing SSNs on benefit checks
    - Requires state DMVs to cease using SSNs as driver’s license numbers.

    20. California State Law: Federal Offspring
    - For the private sector: display of SSNs requires explicit consent, and the refusal to do business without receipt of an SSN constitutes unfair business practices
    - A brief final section of the bill places restrictions on the use and transmission of medical information (think HIPAA)

    21. Session Two

    22. Session Two: The Law of E-Authentication
    Recall Two Paradigms of Digital Identity: Impersonation/Theft (Session One) versus E-Authentication (Session Two)
    - E-Authentication Generally
    - Electronic/Digital Signatures

    23. E-Authentication
    Leading Document: E-Authentication Policy for Federal Agencies
    - Issued July 11, 2003 by General Services Administration
    - Comment period ends August 11, 2003
    - Establishes four levels of authentication
    Speaker note: Discuss basic process for Federal Regulation. Importance of Fed. Rule: because it will probably set precedent for state rules

    24. GSA E-Authentication Policy
    What is e-authentication? The process of establishing confidence in both identities and attributes after being electronically presented to an information system.
    - Individual authentication is the process of establishing an understood level of confidence that an identifier refers to a specific individual.
    - Attribute authentication is the process of establishing an understood level of confidence that an attribute applies to a specific individual.
    Speaker note: Discuss history of levels of authentication; early Verisign market

    25. GSA E-Authentication Policy
    “Agencies providing e-government services need to determine how certain they need to be in the identity of an individual and identify the risks inherent in a particular transaction.”
    The GSA policy maps identified risks to specific assurance levels.

    26. GSA E-Authentication Policy
    The Four Levels of Assurance:
    - Minimal
    - Low
    - Substantial
    - High

    27. GSA E-Authentication Policy
    Level One: Minimal Assurance. Consequence of error might result in at most:
    - Minimal inconvenience to any party; and
    - No financial loss to any party; and
    - Minimal distress being caused to any party; and
    - Minimal damage to any party's standing or reputation; and
    - No risk of harm to agency programs or other public interests; and
    - No risk of civil or criminal violations; and
    - No release of personal, U.S. government sensitive, or commercially sensitive data to unauthorized parties; and
    - No risk to any party's personal safety.

    28. GSA E-Authentication Policy When would you use Level One/Minimal assurance? Example One. A user presents a self registered user ID or password to the United States Department of Education web page, which allows customization of a Web site to create a ``My.ED.gov'' page. There are some possible risks associated with this situation; for example, a third party who gained unauthorized access to such a user ID and password might be able to draw inferences about the user's business interests or plans or the user's personal situation based on the types of information in which the user has an interest. Unless the website is subject to a high degree of customization, however, these risks are probably very minimal.

    29. GSA E-Authentication Policy Level One, Example Two. A user participates in an online discussion on the whitehouse.gov website. Assuming that the forum is not one that addresses sensitive or private information, there are no obvious risks associated with this situation.

    30. GSA E-Authentication Policy
    Level Two: Low Assurance. Level 2 is appropriate for transactions in which it is sufficient that, on the balance of probabilities, there is confidence in the asserted electronic identity of the transacting party. In particular, an authentication error of a user's identity at level 2 might result in:
    - Minor inconvenience to any party; or
    - Minor financial loss to any party; or
    - Minor damage to any party's standing or reputation; or
    - Minor distress being caused to any party; or
    Speaker note: If the keyword to Level One is “minimal,” then the keyword for Level Two is “minor.”

    31. GSA E-Authentication Policy
    Level Two is appropriate when error would result in (continued):
    - Minor risk of harm to agency programs or other public interests; or
    - A risk of civil or criminal violations of a nature that would not ordinarily be subject to agency enforcement efforts; or
    - A minor release of personal, or commercially sensitive data to unauthorized parties; and
    - No release of U.S. government sensitive data to unauthorized parties; and
    - No risk to any party's personal safety.

    32. GSA E-Authentication Policy When would you use Level Two/Low Assurance? A user engages in online learning on the Gov Online Learning Center at golearn.gov. There is a need for authentication such that the user is recognized by the training service and be connected to the appropriate place in the course or given relevant assignment grades, when training affects compensation or promotion. The only risk associated with this transaction is that a third party will gain access to grading information, causing harm to the privacy interests or reputation of the student. If the agency determines, in the context of the particular program, that any such harm will be minor, the transaction is level 2.

    33. GSA E-Authentication Policy Level Two, Example Two: A user accesses their Social Security retirement account information online.

    34. GSA E-Authentication Policy
    Level Three: Substantial Assurance. Level Three is appropriate for transactions that are official in nature, and for which there is a need for high confidence in the asserted electronic identity of the transacting party. In particular, an authentication error of a user's identity at level 3 might result in:
    - Significant inconvenience to any party; or
    - Significant financial loss to any party; or
    - Significant damage to any party's standing or reputation; or
    - Significant distress being caused to any party; or

    35. GSA E-Authentication Policy
    Level Three, cont’d:
    - Significant harm to agency programs or other public interests; or
    - A risk of civil or criminal violations that may be subject to agency enforcement efforts; or
    - A significant release of personal, U.S. government sensitive, or commercially sensitive data to unauthorized parties; and
    - No risk to any party's personal safety.

    36. GSA E-Authentication Policy
    When would you use Level Three/Substantial Assurance?
    - Example One. A patent attorney company reports and updates data online with the Patent and Trademark Office that would be of great value as competitive intelligence.
    - Example Two. A major contractor or supplier maintains an account with a General Services Administration Contracting Officer for a large government procurement involving significant government expenditures.

    37. GSA E-Authentication Policy Level Three, Example Three: A First Responder accesses a disaster management reporting website to report an incident and to share incident operational information, and to coordinate incident response activities.

    38. GSA E-Authentication Policy
    Level Four: High Assurance. Level 4 is appropriate for transactions that are official in nature for which there is a need for very high confidence in the asserted electronic identity of the transacting party. In particular, an authentication error of a user's identity at level 4 might result in:
    - Considerable inconvenience to any party; or
    - Considerable financial loss to any party; or
    - Considerable damage to any party's standing or reputation; or
    - Considerable distress being caused to any party; or
    Speaker note: Again, what’s the watchword? Here, it’s “considerable.”

    39. GSA E-Authentication Policy
    Level Four/High assurance is appropriate when error would result in:
    - Considerable harm to agency programs or other public interests; or
    - A risk of civil or criminal violations that are of special importance to the agency enforcement program; or
    - A damaging release of extensive personal, U.S. government sensitive, or commercially sensitive data to third parties; or
    - A risk to any party's personal safety.

    40. GSA E-Authentication Policy When would you use Level Four/High Assurance? Example One. A State or local law enforcement official accesses a law enforcement database containing information about the criminal records of individuals. Unauthorized access would violate the legal privacy rights of individuals or compromise investigations.

    41. GSA E-Authentication Policy Level Four, Example Two. A VA pharmacist dispenses a controlled drug. He/She would need full assurance that a qualified doctor had signed the prescription. In this case, the pharmacist's actions on the transaction carry criminal liability that the prescription was the correct drug(s), in the correct quantity, and that the prescription was validated before filling the prescription.

    42. GSA E-Authentication Policy Additional discussion of legal/law enforcement issues: Department of Justice's Guide for Federal Agencies on Implementing Electronic Processes (found at http://www.cybercrime.gov/ecommerce.html#GFA , November 2000). Additional discussion of privacy implications: Report of the National Research Council ``Who Goes There? Authentication Through the Lens of Privacy'' (found at: http://www.nap.edu/books/0309088968/html/, March 31, 2003).

    43. GSA E-Authentication Policy
    Other Issues Addressed by the Policy:
    - Anonymous credentials
    - Privacy Act evaluations
    - Third-party credentialers
    - Federal Bridge Certification Authority

    44. GSA E-Authentication Policy
    Anonymous credentials may be appropriate when it is not necessary that authentication be associated with a known personal identity (as opposed to identity authentication). In some cases, it may be desirable to preserve the anonymity of individuals and it may be sufficient for the purposes of an application to authenticate that:
    - The user is a member of a group; and/or
    - The user is the same individual who supplied or created information in the first place; and/or
    - A particular user is entitled to use a particular pseudonym.
    These anonymous credentials will have limited application. Anonymous credentials can be used up until level 3.

    45. GSA E-Authentication Policy
    Privacy Act evaluations are required for federal agencies. This means: Agencies must consider the requirements for managing security in the collection and storage of information associated with the process of validating a user's identity. The following information is captured in most e-authentication processes:
    - Information regarding the individuals/businesses/governments using the E-Gov service.
    - Electronic user credentials.
    - Transaction information associated with user authentication, including credential validation method.
    - Audit Log/Security information.
    Some of this information includes personal information as defined by the Privacy Act, and systems that use the information are considered systems of records that must meet all requirements of the Privacy Act and the E-Government Act.

    46. GSA E-Authentication Policy
    Privacy Act evaluation – plan for compliance:
    - Data collected and stored during the authentication process should only be accessible routinely to systems administrators and to auditors.
    - As required by the Privacy Act, access to the system of records must be provided to registered users to allow them to see and/or change personal information about them maintained in the system of records.
    Speaker note: Discuss EU privacy provisions and US move toward harmonization

    47. GSA E-Authentication Policy Third-party credentialers and Federal Bridge Certification Authority segue to next topic: Digital and Electronic Signatures

    48. GSA E-Authentication Policy Third-party Credentialers/Credential Service Providers: Credential Service Providers (CSPs) are organizations, both governmental and non-governmental, that issue and in some cases may maintain electronic credentials. CSPs will also need to be assessed to determine the e-authentication level to which their credentials pertain. For example, if a CSP follows all process/technology requirements for authentication level 3, a user may use a credential provided by the CSP to authenticate himself for a transaction requiring authentication levels 1, 2, or 3. Think “PAG”
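The following is an added example, not code from the GSA draft policy or the presentation, that encodes the four assurance levels from slides 27 through 41, the "up until level 3" rule for anonymous credentials on slide 44, and the CSP rule on this slide: it maps a transaction's worst-case authentication-error impact to the level it requires and then checks whether a given credential may serve it. The category and severity names, and the impact ratings assigned to the slides' example transactions, are assumptions.

```python
"""Map a transaction's worst-case authentication-error impact to a GSA
e-authentication assurance level and test a credential against it.  Added
example; category and severity names are assumptions chosen to mirror the
slides' keywords: minimal (1), minor (2), significant (3), considerable (4)."""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    NONE = 0
    MINIMAL = 1
    MINOR = 2
    SIGNIFICANT = 3
    CONSIDERABLE = 4


# Minimum assurance level that tolerates a given severity in each category.
# Level 1 allows "minimal" inconvenience/distress/reputation damage but "no"
# financial loss, agency harm or data release, so those need level 2 even at
# MINIMAL; U.S. government sensitive data may not be released at all below 3.
_LADDER = {Severity.NONE: 1, Severity.MINIMAL: 1, Severity.MINOR: 2,
           Severity.SIGNIFICANT: 3, Severity.CONSIDERABLE: 4}
_NONE_AT_LEVEL_1 = {**_LADDER, Severity.MINIMAL: 2}
_GOV_DATA = {Severity.NONE: 1, Severity.MINIMAL: 3, Severity.MINOR: 3,
             Severity.SIGNIFICANT: 3, Severity.CONSIDERABLE: 4}
TOLERATED_AT = {
    "inconvenience": _LADDER,
    "distress": _LADDER,
    "reputation": _LADDER,
    "financial_loss": _NONE_AT_LEVEL_1,
    "agency_harm": _NONE_AT_LEVEL_1,
    "personal_data_release": _NONE_AT_LEVEL_1,  # personal or commercially sensitive data
    "gov_sensitive_release": _GOV_DATA,
}
# Civil/criminal violation risk is worded separately at each level.
VIOLATION_LEVEL = {
    "none": 1,
    "not_ordinarily_enforced": 2,  # "would not ordinarily be subject to agency enforcement"
    "enforced": 3,                 # "may be subject to agency enforcement efforts"
    "special_importance": 4,       # "of special importance to the agency enforcement program"
}


@dataclass
class Impact:
    """Worst-case consequence of an authentication error for one transaction."""
    inconvenience: Severity = Severity.NONE
    distress: Severity = Severity.NONE
    reputation: Severity = Severity.NONE
    financial_loss: Severity = Severity.NONE
    agency_harm: Severity = Severity.NONE
    personal_data_release: Severity = Severity.NONE
    gov_sensitive_release: Severity = Severity.NONE
    violations: str = "none"
    personal_safety_risk: bool = False


def required_level(impact: Impact) -> int:
    """Assurance level (1-4) the transaction maps to: the highest level that any
    single impact category demands."""
    if impact.personal_safety_risk:
        return 4  # only level 4 tolerates "a risk to any party's personal safety"
    level = VIOLATION_LEVEL[impact.violations]
    for category, table in TOLERATED_AT.items():
        level = max(level, table[getattr(impact, category)])
    return level


@dataclass
class Credential:
    csp_level: int           # level the issuing CSP was assessed to meet
    anonymous: bool = False  # group/pseudonym credential with no known personal identity


def credential_acceptable(cred: Credential, required: int) -> bool:
    """A CSP assessed at level N may serve transactions requiring levels 1..N.
    Anonymous credentials stop at level 3 (the slide's "up until level 3" is read
    here as including level 3, an assumption)."""
    if cred.anonymous and required > 3:
        return False
    return cred.csp_level >= required


def worked_examples() -> dict:
    """Constructed impact ratings for the transactions the slides use as examples."""
    cases = {
        "my.ed.gov customization": Impact(inconvenience=Severity.MINIMAL, distress=Severity.MINIMAL),
        "golearn.gov grades": Impact(reputation=Severity.MINOR, personal_data_release=Severity.MINOR),
        "PTO filing update": Impact(financial_loss=Severity.SIGNIFICANT,
                                    personal_data_release=Severity.SIGNIFICANT),
        "criminal records lookup": Impact(violations="special_importance"),
        "VA controlled-drug dispensing": Impact(personal_safety_risk=True),
    }
    return {name: required_level(imp) for name, imp in cases.items()}
```

Calling `worked_examples()` yields levels 1, 2, 3, 4 and 4 for the five transactions, matching the levels the slides assign them.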

    49. GSA E-Authentication Policy Federal Bridge Certification Authority Federal Bridge levels will be mapped to the assurance levels described in this document. Since these assurance levels take into account a wide range of authentication solutions, the levels described in this guidance differ from the levels established by the Federal Bridge Certification Authority (FBCA) Certificate Policy. For example, levels 1 and 2 in this e-authentication policy are primarily reserved for non-cryptographic authentication solutions not covered by the FBCA. However, it is likely that some public key infrastructure (PKI) solutions and the FBCA Rudimentary Certificate Policy will map to level 1 or level 2. The FBCA Basic Certificate Policies and the FBCA Medium Certificate Policies will fall in level 3, while FBCA High Certificate Policy will fall into level 4.

    50. Public Key Infrastructure (PKI)
    Asymmetric cryptography employs Digital “Certificates”, issued by CSPs*, to authenticate parties to, and support the legal validity of, digital transactions.
    *in the traditional PKI model
    Speaker note: Do mini-tutorial on whiteboard

    51. PKI and the Federal Bridge
    What does PKI have to do with the Federal Bridge Certification Authority?
    - Agencies and their trading partners conduct business using digital authentication/digital certificates
    - But not all digital certificates are created equal
    Speaker note: Discuss weaknesses of PKI: all depends on deployment. Higher authentication obtained through physical RA verification model

    52. Other Legal Options: Electronic Signatures
    Just as not all PKI-based signatures offer the same assurance, not all legally binding signatures are “digital signatures.” What are “electronic signatures”?
    - Electronic signatures include all legally valid methods of authenticating an act or transaction
    - Digital signatures/PKI are only one subset of electronic signatures
    Speaker note: Discuss case in MA where judge upheld email name typed as sig

    53. Electronic Signatures
    E-SIGN: Electronic Signatures in Global and National Commerce Act. President Clinton/June 30, 2000.
    History of emerging, disharmonious state law led to need for national standard.

    54. E-SIGN’s National Impact Technology-neutral standard for legally binding authentication: the legal effect, validity, or enforceability of [a] contract, agreement, or record shall not be denied-- (1) on the ground that the contract, agreement, or record is not in writing if the contract, agreement, or record is an electronic record; or (2) on the ground that the contract, agreement, or record is not signed or is not affirmed by a signature if the contract, agreement, or record is signed or affirmed by an electronic signature.

    55. E-SIGN’s National Impact Caveats, caveats: if a statute, regulation, or other rule of law requires that a record be provided or made available to a consumer in writing, that requirement shall be satisfied by an electronic record if-- (i) the consumer has affirmatively consented, by means of a consent that is conspicuous and visually separate from other terms, to the provision or availability (whichever is required) of such record (or identified groups of records that include such record) as an electronic record, and has not withdrawn such consent;

    56. E-SIGN’s National Impact Caveats, caveats: (ii) prior to consenting, the consumer is provided with a statement of the hardware and software requirements for access to and retention of electronic records; and (iii) the consumer affirmatively acknowledges, by means of an acknowledgement that is conspicuous and visually separate from other terms, that-- (I) the consumer has an obligation to notify the provider of electronic records of any change in the consumer's electronic mail address or other location to which the electronic records may be provided; and (II) if the consumer withdraws consent, the consumer has the obligation to notify the provider to notify the provider of electronic records of the electronic mail address or other location to which the records may be provided; and

    57. E-SIGN’s National Impact Caveats, caveats (of primary interest to this audience): (B) the record is capable of review, retention, and printing by the recipient if accessed using the hardware and software specified

    58. International Law: Points to Note
    EU, Japan, Malaysia, other trading partners:
    - The digital signature has a presumption of validity
    - “Qualified” and “non-qualified” signatures for evidentiary purposes
    Impact on U.S.:
    - Internationally operating entities or high-value-transaction entities move toward digital signatures
    - Be aware of the licensed certificate authority issue

    59. Session Three

    60. Session Three: Management Standards and the Path Forward

    61. From Law and Theory to Your Organization
    - Critical Asset Inventory
    - Risk Assessment
    - Transaction Need Inventory
    - Privacy Impact Assessment
    - Storage Models

    62. Critical Asset Inventory
    Start with the big picture. Survey your organization’s computer systems to:
    - Identify critical services
    - Identify critical storage repositories

    63. Risk Assessment for State E-Government
    - What is the potential for malicious hacking or a cyberterrorist attack, and in what capacity?
    - What are the implications of interdependencies with other infrastructures?
    - What needs to be done to secure data and systems from viruses, hackers and potential “cyber terrorism” threats? E-Commerce, technology enablers, security of information
    - What are the specific dangers faced by state government online?

    64. The Quantification of E-Risks: The Risk-Management Cost Continuum
    Information Security is a challenge for regulators, for Insureds and for insurers. How does the regulator, senior management and the underwriter assess information security? The risks are real, the risks are multidimensional and the universe of unknown and potentially unknowable risks is rapidly expanding. It is clear that technology tools alone are not the answer. No insurer or insured will be 100% secure from the diversity of threats. However, this creates a very real and exciting opportunity for the insurance industry. As underwriters we are, after all, in the business of providing solutions to the risk management needs of our customers.
    The underwriting process will focus on the identification of e-risks, the quantification of e-risks and the development of risk transfer solutions that will focus on the infrequent, unexpected and catastrophic e-business loss exposures of our Insureds. Our underwriting risk assessment will focus on identifying the cost of risk threshold where it is more efficient for the insured to transfer the potential monetary exposure to a third party insurer relative to the Insured’s threshold to absorb loss in combination with their costs to secure the enterprise and avoid the exposures altogether.

    65. Transaction Need Inventory
    - Identify transaction types to be conducted digitally.
    - To what level of assurance does my transaction map (for each transaction type)?
    - Determine implementation technology based on the e-authentication technical guidance (does not yet exist). (After the assurance level has been determined, the agency should refer to the e-authentication technical guidance for the process requirements corresponding to that level.)
    - After the technical solution is chosen, a final validation should be conducted to confirm that the required assurance level of the end-to-end user to agency process has been operationally achieved.
    - Validate that the performance of the authentication process itself actually meets the identity assurance requirements for the transaction as part of required security procedures (e.g., certification and accreditation).

    66. Privacy Impact Assessment Per applicable federal and state guidelines; reference above discussion

    67. Storage Models
    - Charles Dollar’s session for more technical information
    - Emily Frye’s article for discussion of the legal/economic theory behind storage models for signatures (“Legal Issues in Documenting E-Commerce Transactions,” by Emily Frye, in Information Management magazine, October 2001; Vol. 35, No. 4)

    68. Storage Models
    Electronically authenticated records can be stored in two ways:
    - Recreation theory
    - Validate-and-bind theory
    Challenge of audit trails: Information Security Committee; Law of Evidence/Sedona/Cohasset
    Speaker note: Discuss the storage models

    69. For further information…
    - “Legal Issues in Documenting E-Commerce Transactions,” by Emily Frye, in Information Management magazine, October 2001; Vol. 35, No. 4
    - The PKI Assessment Guidelines, online at http://www.abanet.org/scitech/ec/isc/pag/pag.html

    70. Thank You Emily Frye Associate Director for Law and Economics Critical Infrastructure Protection Project National Center for Technology and Law, George Mason University School of Law ffrye@gmu.edu 703-993-4170 www.techcenter.gmu.edu
