Virginia first state to enact digital identity law
26 March, 2015
category: Digital ID, Government
Q: How would it enable digital identity adoption?
NIGRINY: Every time a user creates an account, selects a user name or self-generates a password, that website or application provider is taking on an unnecessary risk through the use of such weak identity mechanisms.
Strong online identity credentials like those used in the federal government are initially more expensive than a simple password. But if the user is able to use that strong identity credential everywhere, then it’s really no different than a fee you might pay for your credit card.
If online application providers adopted systems based on properly validated identity credentials, it would be far safer and less expensive. We believe commercial organizations will be the most common providers of online identities. Those providers must be able to rely on a consistent legal environment in order to adequately predict what the risk is going to be. Without it, fewer providers are going to be able to play in the market, which naturally results in higher cost to the consumer. So this bill does a lot to help with improving liability allocation and hopefully will drive to a lower overall cost.
Q: Does this legislation actually provide immunity to identity service providers?
NIGRINY: The answer is no, but it’s a qualified no.
The first thing to understand is that almost all the legal situations that people are familiar with in their normal business or consumer life are bilateral contracts where there are just two parties, be they individuals or companies. But the proposed identity bill seeks to resolve this ambiguity introduced through third-party reliance on identity credentials.
REINIGER: The common law as it exists does not accommodate this type of third-party identity system. What this bill does, however, is say that:
If an identity provider or trust framework operator issues a credential in a manner that’s not in compliance with the state minimum standard or a separate private contract or the standards/rules/policies of the identity framework in which the parties operate, there will be liability.
If a credential is issued in compliance, there could only be liability if the identity provider is grossly negligent or it’s a wantonly willful act of misconduct.
The bill distinguishes issuance versus misuse. It expressly says that an identity provider or an identity trust framework operator shall not be liable for misuse of an identity credential by the credential holder or any other person who misuses the credential. An identity provider can only control the issuance process.
This bill does formally recognize the trustmark for the first time in this country and provides for a warranty. The identity provider using a trustmark is warranting that it has issued the credential in compliance with the state standards and the rules/policies of its trust framework.
Q: Why does the bill focus on identity trust frameworks and their trustmarks?
NIGRINY: Merchants don’t have a direct relationship with, or even knowledge of, every bank that might represent a credit card that a patron will present at their store. They trust the secure clearinghouse relationship that was established by Visa, MasterCard, AmEx or whomever. Trust framework providers handle certification and the continuous vetting of the credit card providers.
In identity, we see the potential for large numbers of identity providers at various levels of assurance in the online identity marketplace. Unless a trust framework exists to help us aggregate all those providers, these websites and e-commerce portals and supplier portals – which I’m calling relying parties – will not be able to adequately understand what rules any given identity provider was issuing under or if that issuer is even still trustworthy.
So the Commonwealth of Virginia, under the Secretary of Technology, is going to review and endorse trust frameworks that meet their requirements, and there’s going to be an official Virginia government listing.
How does an identity credential prove that it’s part of that community? That’s where trustmarks come in. A trust framework operator can provide a digital token to certified members that enable the identity provider to prove that they are a member in good standing and they’re following the rules of the framework they fall under.
Q: What was the catalyst behind drawing up this bill?
REINIGER: There have been so many data breaches that the Virginia legislators are now using this bill as a consumer protection bill. They’re realizing that consumers need better protection than a simple username and password; they need to have access in an affordable way to third party credentials. They get now why we need to incentivize a private market of third-party credential providers and identity proofers.