CDT preps new authentication and ID policies

The Center for Democracy and Technology will introduce a 10-point set of authentication and identity management guidelines to the FTC next week

The CDT (Center for Democracy and Technology) offered a sneak peek at a new list of guidelines it will present to the FTC next week, meant to help businesses and consumers balance the issues of online privacy and authentication.

The IT policy watchdog group plans to update its existing set of recommendations for the creation and implementation of privacy programs and authentication systems at an event being hosted by the FTC in Washington, D.C. on April 23.

Ari Schwartz, deputy director of the nonprofit CDT, based in Washington, D.C., detailed the new proposals at the ongoing Authentication and Online Trust Alliance Summit 2007, being held here April 18-19.

"We've been working with the existing guidelines since 2003; we wanted to propose a new set of principles related specifically to identity, and we're focused on the growing number of authentication mechanisms tied to ID that are being developed," Schwartz said.

Schwartz said the new guidelines should help lawmakers and businesses approach the two issues of security and privacy individually, while reminding organizations to keep both concepts in mind as they create their future authentication programs.

"We think it's important to note similarities between security and privacy as we feel they absolutely go hand in hand in this space," said Schwartz. "People are always talking about how security and privacy butt heads, but they're really the same thing in many instances; when we have breaches of IDs, this is obviously an extreme risk to both security and privacy."

The CDT's existing rules emphasize such issues as providing user controls for managing identities across different authentication systems, supporting multiple authentication systems for different types of online transactions, and providing notices to users about how their personal information is being used, shared, and stored.

The new recommendations include many of the same tenets but make more specific suggestions about how organizations should craft their own authentication systems to align practices with new data handling regulations and increased expectations for stronger data protection among consumers.

The guidelines, still in draft form, include requests for organizations to consider:

* Proportionality: to use only the necessary amount of data for identification and authentication purposes to limit the impact of potential breaches.

* Diversity and decentralization: to offer multiple types of authentication for different types of online transactions and for technology vendors to create a marketplace that supports the use of different systems.

* Individual control and choice: to allow end-users to choose which types of authentication they feel comfortable using for different transactions and to be able to keep some forms of personally identifiable data, such as Social Security numbers, from being required for most applications.

* Notice and consent: to better explain to end-users the exact details around every request for their sensitive information, including how the data will be stored, for how long, and with whom it might be shared.

* Limited use: to protect the reliability of different types of authentication systems by using multiple formats and lessening the impact of successful attacks on individual technologies.

* Onward transfer: to consider the potential impact of sharing even minor details of individuals' records, preventing criminals from piecing together user profiles based on bits of data that are made public.

* Privacy and security by design: to build security into all phases of authentication systems during development to eliminate vulnerabilities and other security problems.

* Security: to consider both the external and internal threats that could pose risks to sensitive information that is collected.

* Accountability: to have auditing processes in place that allow for rapid determination of the impact of potential breaches of data.

* Access data quality: to ensure that data that is collected and stored is correct and that users have the ability to correct any mistakes in their information quickly and without a lot of hassle.

Schwartz said that the CDT felt compelled to update its recommendations in light of the work currently under way in the public and private sectors to stop data breaches and provide increased security for both end users and the organizations they interact with online.

"We're seeing a lot of activity in this space for creating strong credentials for many reasons, including terrorism, online security, and billing purposes," he said. "As those efforts continue to grow, we knew there was a need for new policy, and we wanted to position these principles now, ahead of that work."