If private corporations are to issue identity credentials there will need to be some type of legislation passed spelling out the liability issues, says Tom Smedinghoff, a partner at the law firm of Wildman Harrold and chairman of the American Bar Association Task Force exploring the legal issues around identification.
Corporations will want to know what the liability will be if a credential is issued to an individual claiming to be someone else. This is a huge issue for organizations and before anyone steps to the plate to begin issuing credentials legislation will have to be passed. “There is no case law addressing the liability of an identity provider,” Smedinghoff says.
More than a decade ago Smedinghoff worked with the American Banker’s Association to produce a report on the liability of identity providers. “We looked at all kinds of legal theories and came up with a 200-page report,” he says.
Looking at existing issuance models provides possible scenarios. If the credential is issued by the state or federal government there will be no liability because there are already laws in place eliminating government liability for issuing an ID to the wrong individual.
There is also the credit card model that puts the liability for fraudulent purchases on the bank and merchant. Laws governing credit card use have been on the books for more than two decades and were relatively easy to come up with because the technology and systems had been around for so long, Smedinghoff says.
This isn’t the case in the ID management space and it will have to be clarified through federal legislation. It won’t be easy, says Smedinghoff, adding, “in the ID management space we are looking ahead and anticipating what the problems will be and developing rules that are appropriate … that’s a tougher job.”
Ultimately the liability may depend on the legal theory that’s used along with the jurisdiction, Smedinghoff says. “If you look at it from a tort perspective whether or not the ID provider is liable depends on fault,” he says. “If you look at the same perspective from warranty law, fault is irrelevant.”
No matter the legal theory or the jurisdiction, clarification will be necessary before organizations decide to jump into the credentialing business. “Businesses need some certainly on the legal risk,” Smedingnhoff says, “and that’s where legislation could help.”
ID vetting standards first step to online ID
Groups tackling proofing challenges
Creating an identity ecosystem is the plan for the National Strategy for Trusted Identities in Cyberspace. This ecosystem would give individuals privacy while also enhancing security.
This would involve some type of credential, be it a software or hardware solution, but how do we make sure that credential is issued to the correct person?
This issue is alluded to in the strategy but not fully explored. There are thousands of different types of birth certificates in circulation and states having different standards for driver license issuance. This makes it essential that a standard for ID proofing and vetting be developed, officials say.
A National Security Council spokesperson says the identity vetting and proofing aspects of the national strategy have not been formally assigned, but the American National Standards Institute (ANSI) and the North American Security Products Organization (NASPO) are working on the effort.
ANSI and NASPO held a kick off meeting in July to start the process of creating a standard to verify identity, said Graham Whitehead, director of auditing at NASPO, during a session at the Interagency Advisory Board meeting in July. The goal, he says, is to have a standard in place by March 2012.
Dan Combs, CEO at the eCitizen Foundation, attended the ANSI meeting. He says it was about defining the issues and setting an agenda. Another meeting is scheduled for the fall but further details have not been released.
Combs has been working on identity related matters for almost a decade in both the private and public sector. “For good or ill it’s a vitally important issue,” he says. “Historically we haven’t done it well and now we’re trying to catch up and come up with a not bad solution.”
The best solution might be to create a system that uses public records and gets to a zero point, Combs says. By zero point he means the issuer is not be able to find anything that states the individual isn’t anyone other than who they claim to be. “I check the information and now we know that we don’t have anything that says he isn’t who he claims to be,” he says.
The National Notary Association has also been looking into identity vetting and proofing, says Timothy Reiniger, an attorney in the digital service group at FutureLaw who has worked with the organization. Reiniger has also been working with the American Bar Association to crate a legal framework for ID vetting and proofing.
Reiniger says notaries could potentially assist with the ID vetting and proofing. But much like state driver license issuance, certification for notaries is dependent on the state. “States regulate notaries which means there are 50 different standards,” he says.
Only about a dozen states require any type of education to be a notary and only a handful perform any type of criminal background check, Reiniger says. Before notaries could be used to issue digital certificates or other types of credentials this would have to change and ID standards would have to be put in place for these new trusted agents.
Some notaries have already gone through additional training and are working with digital credential providers, Reiniger says. SAFE Bio Pharma and Exostar are utilizing these trusted agents to perform identity proofing before issuing credentials.
There are around 2,000 of these agents around the country, he says. They go to an applicant’s home and gather all the necessary documentation, Reiniger says. These documents are then sent to the organization where the documents are validated.
Reiniger notes that the task the notary performs is much different than the organization issuing the credential. The identity proofing is conducted by the notary when he gathers the documents, but the actual ID vetting is done by the organization when the documents are validated.
It’s possible that states and private organizations could partner to issue credentials, Reiniger says. The notaries, enabled by the state, could perform the proofing and vetting and the state could issue the credential.