The Problem with Privacy
In the second of a series of three articles on identity management, Graham Williamson looks at privacy, regulation, and the rights and responsibilities of those handling personal data.
Two things happened in January that highlighted the difficulty we as citizens have with a corporate culture that pays lip-service to protecting individuals’ sensitive data and is often in breach of privacy legislation.
The first occurred as I planned for an outing to the Lyric Theatre in Brisbane for a performance of Le Grand Cirque. I was pleasantly surprised by the Qtix website which displayed the seating arrangements for the selected performance and let me select the seats I wanted to purchase. But when I was asked for my name and address, I could see no reason why they needed that information in order to sell me a ticket, so I entered “Mickey Mouse” who lived in “Somewhere USA”. The next screen worked well as I paid for my tickets by credit card (fully secured with a digital certificate).
On a subsequent screen I realised that they were going to send me the tickets in the mail; after such a good online experience they resorted to Australia Post to fulfil the transaction! I duly clicked on the button to change my address so that I could enter my post box number, and the session crashed. I had to call Qtix the following day and confess to being Mickey Mouse.
The other illustrative event happened at the Suncorp Bank in Robina. I was making a withdrawal of cash and was told that for any withdrawals over $2,000, their procedure was to take a copy of a driver’s licence and staple it to the withdrawal slip. I explained that this was against the law, but that did not matter – it was branch policy and the branch manager was out at the time, so if I wanted the money I had to oblige.
It took three weeks of emails and phone calls but I finally got a letter from Suncorp saying that a directive had been sent to the branches to instruct them to cease this practice.
So where does privacy fit into identity management?
The problem with privacy is that it is intensely personal; a wide range of perceptions exist regarding what is considered acceptable and what is clearly a violation of privacy. Some people have little concern about the information they will readily provide when applying for a product or service; others will rarely divulge anything more than is absolutely necessary. Mistrust of organisations, including government agencies that collect personal information, fuels privacy concerns.
Stories are legion about hospitals that inadvertently release sensitive patient information or banks that discard client records with banking details still visible. It is not surprising, therefore, that as the use of online services has increased in recent years, so too has concern about privacy. In a number of areas, privacy advocates have arisen with the express mandate to safeguard the public’s privacy. Indeed, civil libertarians often cite privacy concerns in seeking either to stop the deployment of an online service or to severely restrict how a service may collect and use personal data.
Partly in response to such concerns, online service providers have paid significantly more attention to privacy protection over the past few years, notably in how they protect private details about their clientele.
Most internet sites now include a privacy statement advising why they are collecting identity information and what they might do with those details. It is unfortunate that so few users bother to read these statements and that even fewer refuse to partake of the service when they disagree with the potential use of their data.
Privacy rules
Although often decried as onerous by organisations that collect personal information, the rules associated with protection of privacy are really quite simple and understandable. All Australian states and territories have regulations in place that are binding on government bodies and legislation that is mandatory for corporations.
While there are minor variations in privacy regulation from state to state, there are generally 10 principles to be adhered to in the collection and use of private data:
- Collection of data – only data that is required for the provision of the requested product or service should be collected by an organisation. It is not permissible to collect data that ‘might be’ useful at some point in the future.
- Use and disclosure of data – an organisation may use personal data only for the express purpose for which the data has been collected; no other use is permitted. It is not permissible to share the data with any other person or organisation without the permission of the person who provided the information.
- Security of collected data – all collected data must be adequately protected to ensure no other person or entity can access it. Safeguards must be in place to protect the collected data from inadvertent release.
- Maintaining quality of data – mechanisms must be put in place to maintain the quality of the data and to refresh it periodically. A typical timeframe for personal information is three years. After this time, the data is of little use and, if not refreshed, must be destroyed.
- Access to and transparency of data – the person whose identity data is being stored must be given the opportunity to view the collected data and correct it if need be. A mechanism to allow this access must be instituted.
- Use of identifiers – an organisation must not use another entity’s identifier. Bank account numbers can be used only by the bank that issued them, a medical insurance patient number can be used only by the insurance scheme, and a driver’s licence number can be used only by the driver licensing board within the jurisdiction in which the licence is issued.
- Aggregation and anonymity – unless specifically required, personal information about individuals is to be aggregated to form collective data in which each individual’s identity is not discernible. For instance, if birth date is requested for demographic analysis, only counts of persons within the various ranges can be maintained; the individual data records must be destroyed.
- Anonymity – consumers of online products or services must be given the option of maintaining anonymity unless it is expressly required that they identify themselves. (Online service providers widely abuse this principle, maintaining that they need to know the identification of users. The large number of entries for ‘Mickey Mouse’ in service provider databases belies this contention.)
- Sharing of data – the collector of private data is expressly forbidden from sharing that data with another person or entity.
- Sensitive data consent – collection of sensitive data must be accompanied by the express consent of the subject to the collection of the data.
So what’s a company to do?
One way in which an organisation can protect itself from running afoul of privacy regulation is to engage the services of a trusted third party. Although this motivation is by no means the main reason to use these services, use of a trusted third party does free a company from the restrictions on collection and storage of personal data; this burden is transferred to the third party.
The main reason for using a trusted third party is to avoid the cost of collecting and verifying personal data. If a trusted organisation has already validated the identities of a company’s customer base, the company can ‘piggy-back’ on that activity and avoid the cost of performing the same checks and having to maintain each person’s identity record.
Using a trusted third party also lets a company answer the question, ‘How are we going to trust that the generic attributes provided by a person are true?’ Although organisations have complete control over their specific identifiers (e.g., bank account number, payroll identifier, registered plan number), they have no control over the generic attributes (e.g., name, address). Other than viewing a birth certificate to verify a person’s name or looking at a property title to verify an address, a company has no way of knowing whether the data a customer provides is accurate. Trusted third parties do this work as part of their service and attest to the data’s accuracy.
An inherent component of the definition of an identity is the need to anchor each identity in a trusted identifier. While most organisations that establish and maintain identity records don’t want to go to the trouble of verifying source documents, they are keen to piggy-back on the processes of those that have. Drivers’ licences are often used to validate a person’s identity specifically because the government department that regulates motor transport sights a birth or marriage certificate before issuing a driver’s licence.
However, even though an organisation might rely on a piece of validated data when establishing its identity record, storing such an identifier in its data repository may well be a breach of privacy legislation. For instance, a DVD rental company might well ask to see your driver’s licence to validate your name and address before renting you a DVD. But if it uses your licence number as its record identifier, it is likely to have broken the law in many countries. Identifiers are typically owned by the organisations that generate them.
As discussed above, relying on the identification process of another organisation is central to the management of digital identities. In the digital world, it is easy to share identity information and rely on someone else who has done the hard work. An industry has arisen around this concept.
Companies such as Thawte and VeriSign will undertake a basic verification of a person’s identity and issue a digital certificate certifying that the person’s identity is accurate and current. People can apply for these certificates, and once they have satisfied the requisite ‘evidence of identity’, they are issued a certificate. This certificate can then be provided to other organisations as ‘proof’ of identity.
Provided the other organisations ‘trust’ the issuing authority, they will rely on the certificate as attestation to the identity. A trusted third party follows an evidence of identity (EoI) process to validate an identity. A trusted third party must publish its EoI process to enable relying parties to determine whether the process is sufficient for their purposes.
For example, a common EoI process in Australia is the 100-point check used by many banks. Under this process, a set of ‘breeder’ documents is defined and, in combination, deemed satisfactory for the verification of an identity. Each document is assigned a number of points. For instance, a driver’s licence might be 40 points, and a credit card bill might be 20 points. When documents totalling 100 points have been seen, the person’s identity has been verified.
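As an added illustration (not from the book, and not any bank’s real procedure), the following Python sketch applies the 100-point check just described together with three of the principles listed earlier: sight a breeder document but never store another issuer’s number, key the record by an identifier the organisation itself owns, and flag records for refresh or destruction after three years. The point values, document names and sample data are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import uuid

# Constructed point table (assumption, not any bank's real schedule):
# document type -> points. Only the type is consulted; numbers are never stored.
EOI_POINTS = {"birth_certificate": 70, "passport": 70, "drivers_licence": 40,
              "medicare_card": 25, "credit_card_bill": 20, "utility_bill": 20}
EOI_THRESHOLD = 100
RETENTION = timedelta(days=3 * 365)  # three-year refresh window from the principles

def eoi_points(documents):
    """Tally points for a list of (document_type, document_number) pairs sighted
    at the counter. Each document type counts once, so two credit card bills
    do not add up to 40 points, and unknown document types earn nothing."""
    seen, total = set(), 0
    for doc_type, _number in documents:
        if doc_type in EOI_POINTS and doc_type not in seen:
            seen.add(doc_type)
            total += EOI_POINTS[doc_type]
    return total

@dataclass(frozen=True)
class IdentityRecord:
    """What the organisation keeps: its own identifier, the attributes it needs,
    and WHICH document types were sighted, never another issuer's number."""
    name: str
    address: str
    verified_on: date
    documents_sighted: tuple
    record_id: str = field(default_factory=lambda: uuid.uuid4().hex)

def onboard(name, address, documents, today):
    """Register a customer only once the 100-point check passes; return None
    otherwise so the caller retains nothing about a failed applicant."""
    if eoi_points(documents) < EOI_THRESHOLD:
        return None
    sighted = tuple(sorted({t for t, _ in documents if t in EOI_POINTS}))
    return IdentityRecord(name, address, today, sighted)

def needs_refresh(record, today):
    """Data-quality principle: after three years the record must be re-verified
    or destroyed. True means the record may no longer be relied upon as-is."""
    return today - record.verified_on > RETENTION
```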
Conclusion
We in Australia have been lax in the assertion of our rights. In Europe there have been strict laws on privacy of personal data for over 20 years. In the US there are strict disclosure laws when a security breach happens. Here we gladly give our date of birth to anyone who phones us, purporting to be from our bank.
As individuals we are responsible for our own identities. We must dispose of anything with identifying data carefully, we must not let our credit cards out of our sight when we pay for purchases, and we certainly must not type our credit card details into an unprotected website. But maybe we should go further and request those companies and government agencies that collect personal data show us the information they are keeping on us and require them to correct it or delete it.
Companies, too, have got to become a whole lot smarter. Most organisations do not have adequate governance over the collection, protection and destruction of personally sensitive data. It is highly probable that we’ll see company directors held criminally liable for the divulgence of sensitive data on their staff, business partners or customers in the foreseeable future. Good governance over identity management in an organisation is not just a good idea – it’s the law.
This is an extract from the book Identity Management – A Primer, co-authored by Graham Williamson.
Identity Management – A Primer is available for purchase through www.amazon.com