The CDT (Center for Democracy and Technology) offered a sneak peek at a new list of guidelines it will present to the FTC next week that are meant to help businesses and consumers balance issues of online privacy and authentication.
The IT policy watchdog group plans to update its existing set of recommendations for the creation and implementation of privacy programs and authentication systems at an event being hosted by the FTC in Washington, D.C. on April 23.
Ari Schwartz, deputy director of the nonprofit CDT, based in Washington, D.C., detailed the new proposals at the ongoing Authentication and Online Trust Alliance Summit 2007, being held here April 18-19.
"We've been working with the existing guidelines since 2003; we wanted to propose a new set of principles related specifically to identity, and we're focused on the growing number of authentication mechanisms tied to ID that are being developed," Schwartz said.
The expert promised that the new guidelines should help lawmakers and businesses approach the two issues of security and privacy individually yet remind organizations to keep both concepts in mind as they create their future authentication programs.
"We think it's important to note similarities between security and privacy as we feel they absolutely go hand in hand in this space," said Schwartz. "People are always talking about how security and privacy butt heads, but they're really the same thing in many instances; when we have breaches of IDs, this is obviously an extreme risk to both security and privacy."
The CDT's existing rules emphasize such issues as providing user controls for managing identities across different authentication systems, supporting multiple authentication systems for different types of online transactions, and providing notices to users about how their personal information is being used, shared, and stored.
The new recommendations include many of the same tenets but make more specific suggestions about how organizations should craft their own authentication systems to align practices with new data handling regulations and increased expectations for stronger data protection among consumers.
The guidelines, still in draft form, include requests for organizations to consider:
* Proportionality: to use only the necessary amount of data for identification and authentication purposes to limit the impact of potential breaches.
* Diversity and decentralization: to offer multiple types of authentication for different types of online transactions and for technology vendors to create a marketplace that supports the use of different systems.
* Individual control and choice: to allow end-users to choose which types of authentication they feel comfortable using for different transactions and to be able to keep some forms of personally identifiable data, such as Social Security numbers, from being required for most applications.
* Notice and consent: to better explain to end-users the exact details around every request for their sensitive information, including how the data will be stored, for how long, and with whom it might be shared.
* Limited use: to protect the reliability of different types of authentication systems by using multiple formats and lessening the impact of successful attacks on individual technologies.