Resources
Identity Use Cases & Scenarios.- FIDIS Deliverables.
- Identity of Identity.
- Interoperability.
- D4.1: Structured account of approaches on interoperability.
- D4.2: Set of requirements for interoperability of Identity Management Systems.
- D4.4: Survey on Citizen's trust in ID systems and authorities.
- D4.5: A Survey on Citizen’s trust in ID systems and authorities.
- D4.6: Draft best practice guidelines.
- D4.7: Review and classification for a FIDIS identity management model.
- D4.8: Creating the method to incorporate FIDIS research for generic application.
- D4.9: An application of the management method to interoperability within e-Health.
- D4.10: Specification of a portal for interoperability of identity management systems.
- D4.11: eHealth identity management in several types of welfare states in Europe.
- Profiling.
- Forensic Implications.
- HighTechID.
- Privacy and legal-social content.
- Mobility and Identity.
- Other.
- IDIS Journal.
- FIDIS Interactive.
- Press & Events.
- In-House Journal.
- Booklets
- Identity in a Networked World.
- Identity R/Evolution.
 |
Foreword PROTECTING IDENTITIES AND INHERENT INTEROPERABILITY PROBLEMS |
 |
Protecting identities and inherent interoperability problems
Sandra Steinbrecher, TUD
In this section we deal with the problem that any definition of identity and identity attributes and their management or administration by organizational measures alludes to the topic of protecting a person’s privacy. This inherent problem raises the question of interoperability of identity and identification concepts because interoperable concepts often need more personal data than stand-alone concepts would need.
From the perspective of technical data protection identity is any subset of attributes which uniquely characterizes a specific individual within any set of individuals. So there is no such thing as ‘the identity’, but rather several of them. Further, each identity of a person comprises many partial identities of which each one represents the person in a specific context or role as shown in the example of .
Figure : Example of partial identities
Digital identity denotes attribution of properties to a person, which are immediately operationally accessible by technical means.”PfKo_04]. This means a digital partial identity within a given system consists of a set of attributes maintained within the system.
Identification systems try to identify such digital partial identities in order to grant them certain rights, especially access to certain technical services or systems. If a person claims to have a specific digital partial identity, some of their attributes have to be verified by the identification system. As we have seen in other FIDIS deliverables, the attributes usable for identification systems can be classified into the following identification attributes:
something the person possesses (e.g., smart card),
something the person is (biometry) or
something the person knows (e.g., password).
Identity management means managing the various digital partial identities that
a user has,
is assigned by others,
can create himself or herself.
There are various views as to what identity management means in detail and how it can be technically realised. A more detailed classification of existing digital IMS is made in FIDIS Work Package 3.
Identity management needs multidisciplinary interoperability with reliable identification systems. Using the TFI model, a user has to have an informal notion as who and how he wants to interact with under given circumstances, choose formally the corresponding partial identity and use its technical representation within an identity management system in order to grant him rights. Technical education systems (potentially integrated into IMS) can help the user in the informal process of taking a partial identity and lead him to the point of formally choosing it by demonstrating him several alternatives for partial identities and showing him the potential consequences of using him.
Interoperable identification and IMS have to take into account that, because of the first and the last identification attributes’ transferability, they are not able to guarantee the correct identification of a specific person’s partial identity. If only these transferable identification attributes are used, an identity management system allows one person to manage another’s partial identities if the other person transferred the corresponding identification attributes to her. Only the second identification attribute type makes it possible to identify a partial identity of a specific person but it may reveal a larger subset of a person’s digital identity, because these identification attributes typically lie at the intersection of different partial identities (see ). If the same attribute is used as identification attribute not only for one partial identity, but for several, such as the e-Government partial identity (including , tax status, income, birthday, birthplace, name, address) and the travel partial identity (included in , driving licence, credit rating, foreign languages) and the attribute is unambiguous for all users in both databases, an straightforward comparison of the two databases leads to larger partial identity that becomes known to the providers of these databases. Note this may not only happen for biometric attributes but also for other identification attributes, yet can easily be prevented by an appropriate system design, although it becomes more difficult for the second type of identification attributes.
Privacy-enhancing identity management is driven by the right of informational self-determination and tries to enable users to enforce this right in the digital world. It gives them the power to create and handle digital partial identities corresponding to their informal notion in the TFI model and according to the privacy interests they have. This means that they should, for example, be able to determine how linkable to each other their partial identities might become for interactors and possible attackers. Privacy-enhancing IMS need interoperability with identification systems on all network layers in the sense that they use just the attributes needed and known for a certain partial identity, but no more, implementing thereby the least-privilege-principle: collecting only as much data as is needed for identification and use. This has the disadvantage that the usability might decrease if users have to identify themselves explicitly under a certain partial identity whenever they want to change their partial identity. If a user has identified himself under a large set of attributes assorted to him (e.g., the ones assorted to the e-Government and travel partial identities in figure 7) to one application (e.g., in this case an e-Government application) he would not need to identify himself against another application (e.g. in this case a travel agency) if the two applications collaborate regarding identification (Single Sign-On applications).
A privacy-enhancing identity management system consists of elements from both partners in any communication, and typically the user-server scenario is considered on a technical level. The identity management tool on the user side controls a person’s communication to the outside world. For identification, the identification attributes necessary to identify a respective partial identity with a communication partner are transferred. An identification system verifies this partial identity for a communication partner with the help of part of the identity and identification system. The architecture of privacy-enhancing IMS is shown in .
Figure : Architecture of privacy-enhancing identity management system
Interoperability of identity and IMS helps users to identify themselves for several applications with only one Single Sign-On. Typically in current applications this is done on the server side which federates an identified partial identity to other servers where the respective partial identity wants to be identified. This leads to a reduction in the number of digital partial identities and a concomitant increase in the single partial identities.
A Single Sign-On in the user’s trusted environment is possible. In a database on the user side a variety of identification attributes associated with digital partial identities can be stored. While a user identifies herself against her trusted user device with an identification attribute representing a large digital partial identity, the database transfers to other servers only the minimum identification attributes of the partial identity needed in the context of this server.
In the case of the first and last identification attributes, interoperability between appropriate systems can be designed very easily, but whenever attributes are requested to identify a user, the different servers can collaborate and identify a larger partial identity of the respective person than the one every server could using only the information it has stored. Here interoperability becomes a threat to privacy.
But transferring identification attributes to other persons means giving these other persons access to all the attributes of this partial identity within a technical system, and hopefully many service applications will be satisfied with transferable identification attributes - given all the difficulties biometrics currently still faces.
This section summarised the issues arising in the technical and formal approach on interoperable identity and IMS. We also addressed the informal level dealing with the self-determination people have to interact with others or systems or allowing these systems to use personal data in an interoperable way with other systems. As outlined, this is not only a question of technical interoperability between systems or concepts but also of the formal notion of identity and partial identity that is or will become established in different application areas. Both a top-down and a bottom-up-approach (regarding the TFI model) alone, seem unsatisfactory therefore we argue that privacy-enhancing technologies need to be approached from both bottom and top in order to reach a consensus.
| |
   |
|
| 7 / 15 |
