Galexia

Article - Risk management in electronic commerce (April 2004)


Introduction

This presentation examines the question: How can risks be understood and managed within large-scale electronic commerce systems? The paper focuses on two areas of risk:

Identity management

We argue that new forms of identity management - in the form of distributed identity - can address and manage many risks within their technical design. Such systems can restore trust and confidence in identity management systems amongst the wider community.

Distributed identity schemes are identification and authentication systems which may operate as alternatives to centralised, ‘single database’ identification schemes. They include the concepts of federated identity and identity broking.

Privacy management

Electronic commerce strategies must include consideration of options that address privacy risks. The current trend is to build privacy protection into technical designs. However, these designs can be complemented by effective ongoing privacy management, including use of the following tools.

  • Privacy Impact Assessment (PIA)
  • Privacy Management Strategy (PMS)
  • Ongoing Privacy Oversight

Identity management

The two core approaches to identity management are centralised systems (such as national ID cards) and distributed identity systems (such as federated identity and brokered identity). Distributed identity is being considered as a privacy positive alternative to national identification schemes, such as the failed Australia Card proposal[1] and the failed proposal to merge Government databases in Ontario, Canada.

Trends and drivers in identity management

The need for identity management systems, including distributed identity solutions, is being driven by several trends. The motivation for the wider acceptance and use of these systems comes from a variety of sources within both the public and the private sector.

Government trends

The uptake of eGovernment will require, as a key prerequisite, the coordination and facilitation of a trusted and secure online environment for the delivery of government services to both individuals and businesses. However, government agencies appear to remain uncertain of the availability, cost-effectiveness and interoperability of technologies, tools and standards for identifying and authenticating online customers. This uncertainty is holding back the rollout of more complex or sensitive eGovernment services and transactions, and thereby delaying the more widespread benefits of eGovernment.

In Australia, Commonwealth government agencies are working to develop an identification and authentication framework which can accommodate various agencies’ business processes while providing common standards and rules.[2] There is also a strong international interest in eGovernment initiatives.[3]

Business trends

Businesses are investigating the use of identity management systems to provide services more efficiently. Costs can be reduced by sharing authentication and verification credentials across a wider range of organisations - rather than creating stand-alone authentication systems for each organisation and/or application. Identity management systems may enable multiple-subsidiary e-business transactions to be streamlined and simplified.

Key issues in identity management

Identity management systems do not exist in a policy vacuum. The context and setting for identity management solutions should have a direct impact on design and implementation; addressing these key issues at the design stage of identity management systems has significant benefits over attempting to manage these issues post-implementation.

Models for eAuthentication

The strength of the authentication method employed in any system should be commensurate with the value of the resources (information or material) being protected.[4]

Evidence of Identity (EOI)

Sufficient levels of trust and confidence must be generated in the accuracy and validity of information which is presented as original evidence of identity.

‘Many of the foundational identification documents used to establish identity are very poor from a security perspective, often as a result of being generated by a diverse set of issuers that may also lack an ongoing interest in ensuring the document’s validity and reliability.’[5]

Data retention

Sufficient records must be retained to assist in future investigations or inquiries. The validity and accuracy of such records must be balanced against privacy interests.

Privacy

Appropriate privacy controls must be provided within the solution, including the ability to provide anonymity where necessary. Privacy controls need to go beyond simple compliance with national and international privacy laws. They also need to meet the privacy expectations of consumers.

Identity fraud and identity theft

Identity management systems need to limit opportunities for common identity fraud (one-off fraud, which usually relies on the adoption of another person’s identity for a single transaction) and provide adequate protection against identity theft (more sophisticated fraud, where a false identity is assumed for the purpose of opening accounts, obtaining multiple goods and services, etc.).

Legal liability

Identity and authentication system users also wish to ensure that they are properly protected by the law. The allocation of legal liability for unauthorised transactions must be determined for each solution.

Distributed Identity

Distributed identity involves the exchange of identity information across one or more trusted domains (either within a single organisation or between different organisations) in such a way that the information is maintained at its original source.[6]

To manage authentication and verification, distributed identity systems may utilise either:

  • a ‘web of trust’ (federated identity), or
  • a ‘trusted third party’ (brokered identity).

Where users need access to multiple applications provided by multiple organisations, distributed identity allows single sign-on: the user authenticates once, and the authenticating party passes an assertion of that authentication (together with any authorisation attributes) to the other providers, which rely on it rather than authenticating the user again themselves.

Although distributed identity may be a reasonable alternative to centralised schemes, distributed identity is not necessarily a privacy positive initiative in its own right. The level of privacy intrusion depends on numerous technical factors and the effective management of privacy issues during design, implementation and the active life of distributed identity systems.
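The single-sign-on flow described above, as an added example (this is not code from the original article, from Liberty Alliance or from any vendor): a toy identity provider issues a signed, audience-scoped, short-lived assertion to each service provider, carrying a per-provider pseudonym rather than a global identifier and only the attributes the user has consented to release. It shows two of the “technical factors” on which the privacy impact depends: whether providers can link their records, and whether the identity provider over-discloses. The names (`idp.example`, `bank.example`, `shop.example`), the HMAC-signed JSON assertion format and the user record are all constructed assumptions; real federations use SAML or WS-* tokens and public-key signatures.

```python
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    """Holds the user's account and attributes; nothing is copied to a master database."""

    def __init__(self, name):
        self.name = name
        self.users = {}                               # user_id -> attributes (stay here)
        self.sp_keys = {}                             # sp_name -> key shared with that SP
        self.pseudonym_secret = secrets.token_bytes(32)

    def register_user(self, user_id, **attributes):
        self.users[user_id] = attributes

    def enrol_sp(self, sp_name, key):
        # Assumed: the trust relationship (and key) is set up out of band, by contract.
        self.sp_keys[sp_name] = key

    def pairwise_pseudonym(self, user_id, sp_name):
        # Each SP sees a different but stable identifier, so two SPs cannot link records.
        msg = f"{user_id}|{sp_name}".encode()
        return hmac.new(self.pseudonym_secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue_assertion(self, user_id, sp_name, requested, consented, now=None, ttl=300):
        """Return (body, signature); only attributes both requested and consented to are released."""
        now = int(time.time()) if now is None else now
        released = {a: self.users[user_id][a] for a in requested if a in consented}
        payload = {
            "iss": self.name, "aud": sp_name,
            "sub": self.pairwise_pseudonym(user_id, sp_name),
            "iat": now, "exp": now + ttl, "attrs": released,
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.sp_keys[sp_name], body, hashlib.sha256).hexdigest()
        return body, sig


class ServiceProvider:
    """Relies on the IdP's assertion instead of running its own login and user database."""

    def __init__(self, name, key, trusted_idp):
        self.name, self.key, self.trusted_idp = name, key, trusted_idp

    def accept(self, body, sig, now=None):
        now = int(time.time()) if now is None else now
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")            # forged, tampered, or signed for another SP
        payload = json.loads(body)
        if payload["iss"] != self.trusted_idp:
            raise ValueError("untrusted issuer")
        if payload["aud"] != self.name:
            raise ValueError("assertion addressed to another provider")
        if not payload["iat"] <= now < payload["exp"]:
            raise ValueError("assertion expired or not yet valid")
        return payload


def demo(now=1_000_000):
    """Constructed scenario: one user, one IdP, two unrelated service providers."""
    idp = IdentityProvider("idp.example")
    idp.register_user("alice", name="Alice Ng", dob="1980-01-01",
                      email="alice@example.org", licence_no="L-4471")
    k_bank, k_shop = secrets.token_bytes(32), secrets.token_bytes(32)
    idp.enrol_sp("bank.example", k_bank)
    idp.enrol_sp("shop.example", k_shop)
    bank = ServiceProvider("bank.example", k_bank, "idp.example")
    shop = ServiceProvider("shop.example", k_shop, "idp.example")

    # The bank asks for more than the user consents to: licence_no is withheld.
    body, sig = idp.issue_assertion("alice", "bank.example",
                                    ["name", "dob", "licence_no"], {"name", "dob"}, now)
    bank_view = bank.accept(body, sig, now)
    # The shop only ever learns an e-mail address, under a different pseudonym.
    body2, sig2 = idp.issue_assertion("alice", "shop.example", ["name", "email"], {"email"}, now)
    shop_view = shop.accept(body2, sig2, now)

    def rejects(sp, b, s, t):
        try:
            sp.accept(b, s, t)
        except ValueError:
            return True
        return False

    return {
        "bank_attrs": bank_view["attrs"],
        "shop_attrs": shop_view["attrs"],
        "unlinkable": bank_view["sub"] != shop_view["sub"],
        "stable": bank_view["sub"] == idp.pairwise_pseudonym("alice", "bank.example"),
        "replay_rejected": rejects(shop, body, sig, now),     # bank's assertion presented to the shop
        "tamper_rejected": rejects(bank, body.replace(b'"dob":"1980', b'"dob":"1970'), sig, now),
        "expiry_rejected": rejects(bank, body, sig, now + 301),
    }
```

The three rejections in `demo()` are the checks a relying party must never skip: signature (integrity and origin), audience (an assertion meant for one provider cannot be replayed at another) and lifetime. The pairwise pseudonym is what turns “federated” into “privacy positive” in practice; with a single global identifier in `sub`, the bank and the shop could join their records as easily as if a central database existed.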

Federated identity

Federated identity is a type of distributed identity which relies on communities of trust. Examples of federated identity models include Liberty Alliance,[7] WS-Federation,[8] Microsoft .NET Passport[9] and smaller, sectoral initiatives.

The concept of federated identity is that personal information remains in the hands of the original collector and is shared across a wide range of providers, instead of consolidated into a master database. The relationships between providers are regulated by private contract, and, of course, applicable privacy and data protection laws.

Liberty Alliance

Liberty Alliance is an open technical specification for sharing personal information through computer networks like the Internet. It is highly sophisticated and mainly useful to very large corporations and government organisations that conduct transactions online.

Liberty incorporates a number of thoughtful and effective measures with regard to technical aspects of privacy, such as anonymity options and consent markers. However, it rightly asserts that it cannot enforce many policy aspects of privacy on its users.

The broad usage of Liberty in retail e-commerce seems some time away, given consumer resistance[10] and the expense of deployment. The more viable - and less privacy intrusive - applications are for more discrete networks of users and providers, rather than large scale business-to-consumer applications. For example:

  • Financial trading communities
    A relatively small set of users who would benefit from consistent access to a variety of disparate market systems. The privacy implications are limited given that only limited personal information is needed, and the usability benefits are significant;
  • Student and employee intranets
    Large companies, universities and other education institutions often have a number of separate internal IT systems. Here the incentives for identity fraud, or privacy abuse by the controller, are low, and the benefits once again are significant. (In Australia, however, it is important to note the legal vacuum relating to employee privacy); and
  • eGovernment
    Although the risks of identity fraud are significant, governments are generally subject to a degree of privacy regulation and oversight, and the efficiency and cost savings from achieving interoperability between various government applications provide a genuine incentive to governments to be some of the first adopters of Liberty technology.

However, it is large consumer corporations (credit card companies, technology vendors and private telecommunications providers) that are currently considering the future benefits of Liberty and backing the Liberty Alliance:

‘Deploying [single sign-on] functionality will drive additional requirements for attribute sharing in order for banks, insurance companies, brokers or others in the industry to deliver more personalized services to their users. Liberty’s first set of specifications and future work is playing an important role in this area.’[11]

This vision of seamless web services for consumers is not so comforting to privacy advocates. Despite the protests to the contrary by Liberty Alliance backers, the fact is that wide deployments of any particular standard in online authentication and information sharing can raise potential privacy risks.

Given that Liberty is a draft technical standard, and does not have any enforceable control over implementations, consumers will have to rely on existing privacy regulatory schemes and trust corporations to run their Liberty-enabled systems responsibly.

Liberty Alliance must now take further responsibility for providing comprehensive guidelines and promoting good privacy among its members.[12] Its online tools will need to be supported by enforceable customer-protective policies and practices (of the organisations using those tools), for Liberty to be seen as offering a privacy-sensitive identity management solution. The success of Liberty’s concept of ‘federated network identity’ rests on its ability to ensure that information sharing does not run rampant over the interests of consumers.

WS-Federation

In April 2002, IBM and Microsoft jointly published the white paper Security in a Web Services World,[13] dubbed the ‘roadmap’ of a secure web services framework, together with its founding WS-Security specification. The roadmap set out a body of protocols that would use XML[14] messages as a standard way for computers to communicate service requests to each other - the web services model. Several of those protocols have now been published, forming the WS framework. For now, the WS framework provides an advanced security infrastructure for integrating enterprise IT systems. Eventually it aims to provide security for a new generation of distributed applications for both consumers and businesses.

WS is, at best, a skeleton distributed identity system. The nature and content of the information exchanged is not dealt with by the WS specifications. Only WS-Federation and WS-Privacy really contemplate the identity federation applications of the WS system. But WS provides a highly advanced ‘infrastructure’ necessary for such information exchange.

WS-Federation[15] brings together these standards to describe a ‘federated’ web services model, and details the use of identifiers and pseudonyms across service providers and requestors. It also considers the types of transactions that could occur and some of the privacy precautions applied to a federated system.

WS-Privacy has not yet been published, but it is described in the roadmap document. It is expected to build on other WS specifications such as WS-Security (for message-level security), WS-Policy (as a structured way to state and ask about privacy requirements) and WS-Trust (as a way to establish and broker trust relationships across several transactions) to provide privacy controls in web services networks. Systems could use WS-Privacy to make assertions about their privacy practices, for example a promise not to pass data on to any third party.

The next release of Microsoft Windows is expected to incorporate the WS framework. However, for the immediate future, WS faces the classic paradox of open standards for distributed computing: they only become useful once everyone has them. Accentuating this paradox for IBM and Microsoft is the fact that the WS project is more abstract than other sector initiatives like Liberty Alliance[16] or Microsoft Passport. In most cases there is no instant gratification from integrating IT systems with WS as there is from integrating identities and customer profiles using Liberty or Microsoft Passport. Rather, the web services concept is a new way of using distributed systems. WS is only a means, not an end. However, it is conceivably a means to many powerful ends; implementations of WS can simplify and automate many varied business transactions.

Brokered identity

Brokered identity is a form of distributed identity management which relies on the services of a trusted third party to manage authentication and identity on behalf of consumers.[17]

Reach[18] is an example of brokered identity. Reach is an agency established by the Irish Government in 1999 to develop a strategy for the integration of public services and to develop and implement a framework for eGovernment. In May 2000 Reach was commissioned by the Irish Government to develop the Public Services Broker (PSB). This electronic broker will act as a helper or assistant between customers and Public Service Agencies. It will be developed by Reach and then subsequently be operated by a separate agency.

The Public Services Broker model is based on a hub architecture. Hubs at central, sectoral or local levels are used to exchange data to support common services at the appropriate level, and sectoral data stores can be supported by central authentication and security services. This means that data captured once can be reused by other agencies and on other occasions, while remaining in the store that originally captured it.

A key issue for Reach (and brokered identity in general) is ensuring that the community has a sufficient level of trust in the identity broker. This trust can be difficult to achieve, especially in communities where the government and private sector have a history of privacy intrusion and privacy abuse. In Ireland, the Reach initiative has attempted to win community trust through adoption of the following measures:

  • Legislation
    Legislation already exists on the collection and storage of personal information. In addition, the creation and use of PPS Numbers and Public Service Cards is vested by law in the Minister for Social, Community and Family Affairs;
  • Transparency
    To ensure people understand how personal data will be kept secure, the rules and procedures for collection and release of personal information will be published;
  • Oversight
    Additionally, compliance with those published procedures and legislation is subject to scrutiny by a number of statutory office holders, namely the Comptroller and Auditor General, the Ombudsman and Information Commissioner, and the Data Protection Commissioner; and
  • Choice
    The Public Services Card (a smart card containing the PPSN and other necessary personal identifiers) will not be a national identity card. It is designed to meet the needs of people to identify themselves when using public services. The key principle to be adopted is that customers choose the additional features that can be added to their basic card.[19]

The Irish government, through Reach, has worked hard to design a privacy friendly brokered identity system. Reach’s underlying philosophy of giving the consumer control over their personal information has enabled them to develop an effective ‘one stop shop’ model of eGovernment that is founded on consumer rather than government control of information.

Once fully implemented the Reach initiative could, subject to appropriate privacy protection, alter the way most people interact with and use government services. The one-stop shop model will provide administrative efficiencies for both the public and public service providers.
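The hub model and the ‘Choice’ and ‘Oversight’ measures described above, as an added example that is not Reach’s design or code: a toy identity broker sits between agencies and sectoral data stores, releases only the attributes the customer has consented to for that particular agency, fetches them from the authoritative store rather than keeping its own copy, and records every request (granted or refused) so that an auditor or the customer can later see what was disclosed to whom. The agency names, store names, attribute names and the customer record `C-001` are constructed assumptions.

```python
import time


class SectoralStore:
    """A data store that stays the authoritative source for its own attributes."""

    def __init__(self, name, records):
        self.name = name
        self.records = records                    # customer_id -> {attr: value}

    def lookup(self, customer_id, attr):
        return self.records[customer_id][attr]


class Broker:
    """Trusted third party: routes requests, enforces customer consent, keeps an audit trail."""

    def __init__(self):
        self.stores = {}        # attr -> store authoritative for that attribute
        self.agencies = set()   # agencies admitted to the hub
        self.consent = {}       # (customer_id, agency) -> attrs the customer allows
        self.audit = []         # retained for the oversight bodies and for the customer

    def register_store(self, store, attrs):
        for a in attrs:
            self.stores[a] = store

    def register_agency(self, agency):
        self.agencies.add(agency)

    def grant(self, customer_id, agency, attrs):
        self.consent.setdefault((customer_id, agency), set()).update(attrs)

    def revoke(self, customer_id, agency, attrs):
        self.consent.get((customer_id, agency), set()).difference_update(attrs)

    def request(self, agency, customer_id, attrs, now=None):
        """Return (released, withheld); never more than the customer allowed this agency."""
        now = int(time.time()) if now is None else now
        if agency not in self.agencies:
            self.audit.append({"t": now, "agency": agency, "customer": customer_id,
                               "outcome": "denied: unregistered agency"})
            raise PermissionError(agency)
        allowed = self.consent.get((customer_id, agency), set())
        released, withheld = {}, []
        for a in attrs:
            if a in allowed and a in self.stores:
                released[a] = self.stores[a].lookup(customer_id, a)   # fetched from source
            else:
                withheld.append(a)
        self.audit.append({"t": now, "agency": agency, "customer": customer_id,
                           "released": sorted(released), "withheld": withheld})
        return released, withheld

    def disclosures(self, customer_id):
        """Every release made about a customer: what the customer or an auditor can inspect."""
        return [e for e in self.audit if e["customer"] == customer_id and "released" in e]


def demo(now=1_000_000):
    """Constructed scenario: two sectoral stores, two agencies, one customer."""
    broker = Broker()
    broker.register_store(
        SectoralStore("revenue", {"C-001": {"address": "1 Main St", "tax_class": "A"}}),
        ["address", "tax_class"])
    broker.register_store(
        SectoralStore("social", {"C-001": {"date_of_birth": "1980-01-01", "benefit": "none"}}),
        ["date_of_birth", "benefit"])
    broker.register_agency("library")
    broker.register_agency("motor_tax")

    # The customer decides what each agency may receive.
    broker.grant("C-001", "library", {"address"})
    broker.grant("C-001", "motor_tax", {"address", "date_of_birth"})

    lib = broker.request("library", "C-001", ["address", "date_of_birth"], now)
    motor = broker.request("motor_tax", "C-001", ["address", "date_of_birth", "tax_class"], now)
    try:
        broker.request("marketing_co", "C-001", ["address"], now)    # not part of the hub
        stranger_denied = False
    except PermissionError:
        stranger_denied = True
    broker.revoke("C-001", "library", {"address"})                   # consent withdrawn
    after_revoke = broker.request("library", "C-001", ["address"], now + 1)

    return {"library": lib, "motor_tax": motor, "stranger_denied": stranger_denied,
            "after_revoke": after_revoke, "audit_entries": len(broker.audit),
            "disclosures": len(broker.disclosures("C-001"))}
```

The broker is the single point the community has to trust, which is why `request()` logs refusals as well as releases: the audit trail is what gives the Comptroller, Ombudsman or Data Protection Commissioner something to scrutinise, and what lets the customer verify that ‘Choice’ was honoured.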

Privacy management

Electronic commerce strategies must include consideration of options that address privacy risks. The current trend is to build privacy protection into technical designs. However, these designs can be complemented by effective ongoing privacy management, including use of the following tools.

Privacy Impact Assessment (PIA)

A Privacy Impact Assessment identifies privacy issues in specific sectors or applications. A PIA process is particularly useful in implementations of new technology or new processes. By using the PIA tool at the design stage organisations can avoid privacy errors and the costs of rectification at later stages.

Privacy Management Strategy (PMS)

A Privacy Management Strategy is used to develop and implement a risk management strategy and practical action plan.[20] Each privacy issue is allocated a response and action is delegated to individuals or organisations. The PMS includes a compliance timetable. An important part of the development of a Privacy Management Strategy is the conduct of public and stakeholder consultations. These consultations are often as important as ensuring technical compliance. Effective consultation can help identify and manage key privacy risks.

Ongoing Privacy Oversight

Ongoing privacy oversight can be delivered by the establishment of a privacy oversight committee. This tool is used to develop a governance structure to oversee privacy issues arising throughout the life of the implementation. Some privacy issues may not be ascertained at the design stage so reviews and audits under the direction of an oversight committee are often necessary.[21]

The broad functions of a privacy oversight committee can include making recommendations on new training initiatives, changes to documentation, changes to policies and procedures and changes to systems and design. A typical privacy management committee will have:

  • An independent chair and a balanced membership;
  • Ability to make recommendations to the Board;
  • Appropriate resources; and
  • Access to complaints statistics, details, audit reports and other relevant data.

Chris Connolly and Peter van Dijk,
Galexia





[1] Roger Clarke, Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme, June 1987 <http://www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html>.

[2] Refer to:
- Submission to the Joint Committee of Public Accounts and Audit Inquiry into the Management and Integrity of Electronic Information in the Commonwealth, National Office for the Information Economy, March 2003, <http://www.aph.gov.au/house/committee/jpaa/electronic_info/submissions/sub20.pdf>; and
- Management Advisory Committee, Government Use of Information and Communications Technology - ITAG Authentication Working Group sub-committee report - Appendix 5 - Authentication of external clients Working Group, Australian Public Service Commission, October 2002, <http://www.apsc.gov.au/mac/technology.pdf>.

[3] Refer to:
- eGovernment Leadership: Engaging the Customer, Accenture, April 2003, <http://www.accenture.com/xd/xd.asp?it=enweb&xd=industries\government\gove_capa_egov.xml>.

[4] The National Academies; Division on Engineering and Physical Sciences; Computer Science and Telecommunications Board, Committee on Authentication Technologies and Their Privacy Implications, Who Goes There?: Authentication Through the Lens of Privacy, (20 March 2003) at Recommendation 2.1 and 4.1, <http://www7.nationalacademies.org/cstb/pub_nationwideidentity.html>.

[5] Ibid at Section 6.3.

[6] This definition has been adapted from Pato, J, and Rouault, J, Identity Management: The Drive to Federation, Hewlett-Packard Development Company, August 2003, <http://devresource.hp.com/drc/technical_white_papers/IdentityMgmt_Federation.pdf>.

[7] <http://www.projectliberty.org>.

[8] See IBM Corporation, Microsoft Corporation, BEA Systems, Inc., RSA Security, Inc., Verisign, Inc, Web Services Federation Language (WS-Federation), July 2003, <http://www-106.ibm.com/developerworks/library/ws-fed/>; and A Joint Whitepaper from IBM Corporation and Microsoft Corporation, Federation of Identities in a Web Services World, Version 1.0, July 2003, <http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-federation-strategy.asp>.

[9] Note: this is quite different from Microsoft Passport.

[10] Wilcox J, ‘Study: Customers wary of online IDs’, CNet News, 26 April 2002, <http://news.com.com/2100-1001-892808.html>.

[11] Liberty Alliance, Report Finds Liberty Alliance Standard Helps Financial Institutions Extend Trusted Relationships and Enable New Online Businesses, Press Release, 9 July 2003, <http://www.projectliberty.org/liberty/news_events/press_releases/report_finds_liberty_alliance_standard_helps_financial_institutions_extend_trusted_relationships_and_enable_new_online_businesses>.

[12] For further discussion of Liberty and privacy see: Kaye, On Liberty and the Case for Anonymous Federation of Identity, RDS Strategies LLC September 2002, <http://www.rds.com/essays/20020904-liberty.html>; Loftesness, Jones, Critiquing a Liberty Alliance Critique, Glenbrook Partners, 2002, <http://www.glenbrook.com/opinions/liberty-critique.html>; and Migliore, Jupiter Raises Doubts About Passport, Liberty Alliance, Enterprise Systems, November 2001, <http://www.esj.com/news/article.asp?editorialsId=75>.

[13] IBM Corporation and Microsoft Corporation, Security in a Web Services World, April 2002, <http://www-106.ibm.com/developerworks/webservices/library/ws-secmap/>.

[14] Extensible Markup Language (XML): <http://www.w3.org/XML/>

[15] WS-Federation: <http://www-106.ibm.com/developerworks/library/ws-fed/>.

[16] The Liberty Alliance Project: <http://www.projectliberty.org/>.

[17] Hewlett-Packard is also developing a brokered identity product. See Marco Casassa Mont, Siani Pearson and Pete Bramhall, Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services, Trusted Systems Laboratory, HP Laboratories Bristol, HPL-2003-49, 19 March 2003, <http://www.hpl.hp.com/techreports/2003/HPL-2003-49.pdf>.

[18] <http://www.reach.ie>.

[19] <http://www.reach.ie/faqs.htm>.

[20] For an example of a Privacy Management Strategy see the Queensland Transport PMS for the New Queensland Driver Licence:
<http://www.transport.qld.gov.au/qt/LTASinfo.nsf/index/new_driver_licence>

[21] For example, Telstra had a Privacy Audit Panel for five years (1995-2000). The Panel was initially a legislative requirement and involved reporting to the Minister and the regulator. However, Telstra decided to keep the Panel in operation following de-regulation because they found it was a very useful tool in identifying privacy concerns.