Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com Wildman, Harrold, Allen & Dixon LLP Identity Management: The.

Published byWesley Summers Modified over 8 years ago

Similar presentations

Presentation on theme: "Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com Wildman, Harrold, Allen & Dixon LLP Identity Management: The."— Presentation transcript:

1 Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com Wildman, Harrold, Allen & Dixon LLP Identity Management: The Next Frontier for International E-Commerce The Subject, Legal Issues, and Challenge for UNCITRAL Thomas J. Smedinghoff Wildman, Harrold, Allen & Dixon LLP Chicago

2 Wildman, Harrold, Allen & Dixon LLP. 2 Identity Management – A Foundational Issue Critical to... E-Commerce E-Signatures Convention on the Use of Electronic Communications in International Contracts Mobile Commerce Electronic Transferable Records Single Window All of these activities require addressing identity in some form

3 Wildman, Harrold, Allen & Dixon LLP. 3 Identity Management... “is a key element for the delivery of any e-services.” European Commission COM(2008) 798 final (28 Nov. 2008) “is a critical component of... national and global economic, governmental and social activities [which] rely more and more on the Internet.” OECD, The Role of Digital Identity Management in the Internet Economy, June 2009 “is critical to the health of the economy.” U.S. Draft National Strategy for Trusted Identities in Cyberspace., June 2010

4 Wildman, Harrold, Allen & Dixon LLP. 4 Agenda – Three Issues 1.The Subject – What is Identity management? 2.The legal issues 3.The challenge for UNCITRAL

5 Wildman, Harrold, Allen & Dixon LLP. 5 I. The Subject What Is Identity Management?

6 Wildman, Harrold, Allen & Dixon LLP. 6 Identity Management Is... An integrated system of business processes, policies, rules, procedures, and technical components to answer two fundamental questions: Who are you? (Identification) How can you prove it? (Authentication) Answering those questions is a prerequisite to most online commercial activity

7 Wildman, Harrold, Allen & Dixon LLP. 7 The Basic Problem Party A needs to know something about Party B, as a prerequisite to a commercial transaction; e.g., -- Age (bartender) Name (airport security agent) Credit history (lender) Right to access financial account (bank) Right to access patient medical records (hospital) The challenge is how to accomplish this online – So Party B can use a single electronic ID document with multiple parties And each Party A can rely on third party ID documents In a manner that is trusted by all

8 Wildman, Harrold, Allen & Dixon LLP. 8 “Identification” – Who Are You? Goal - Need to know something about a person (or device) -- To determine whether you want to do business with them, or To determine whether they meet your requirements, or To satisfy regulatory requirements, etc. Conduct a one-time Identity Proofing process to -- Verify identity “Attributes” about a person E.g., name, address, date of birth, employer, authority, credit rating, hair color, gender, medical condition, club membership, title, etc. Issue a “Credential” that evidences the attributes E.g., drivers license, passport, ATM card, UserID, digital certificate, smart card, etc.

9 Wildman, Harrold, Allen & Dixon LLP. 9 “Authentication” – How Can You Prove It (Online)? Goal – Determine whether a remote party claiming to be a previously identified person is in fact such person Process involves – Verifying or confirming the association of the remote person with a credential E.g., using a picture on a passport to associate it to a person E.g., using a password to associate a User ID to a person NOTE: Authentication of identity can occur numerous times

10 Wildman, Harrold, Allen & Dixon LLP. 10 Focus on Three Key “Roles” Subject (a/k/a “user,” “principal” or “customer”) The person that is identified and authenticated Uses identity Credential to engage in online transactions Identity Provider (a/k/a “credential service provider”) Responsible for Identity Proofing of Subject and issuing a Credential Responsible for validating Credentials for relying party Relying Party (a/k/a “service provider” or “vendor”) Uses identity Credentials to authenticate identity of Subject Relies on identity assertion to authorize access / approve transaction / accept signature / etc.

11 Wildman, Harrold, Allen & Dixon LLP. 11 Traditional Two-Party Approach Identity Provider & Relying Party Subject Customer Bank Employee Employer User ID and Password Note: The credential (the User ID) can be used ONLY with the Relying Party that issued it Non-Portable Identity Credential Credential = User ID

12 Wildman, Harrold, Allen & Dixon LLP. 12 Emerging Three-Party Approach: Federated Identity Management Identity Provider Relying Party Subject State DMV Bartender Relying Party Airport Security Agent Bank Verification Process? Note: The credential (the driver’s license) can be used with multiple Relying Parties Portable Identity Credential (Offline example) Driver’s License

13 Wildman, Harrold, Allen & Dixon LLP. 13 But There Are Many Open Questions Does the technology work? Was it properly implemented? Has the Identity Provider properly identified the Subject? What are the risks that someone else impersonated the Subject? What does the identity assertion mean? E.g., guarantee of identity vs. guarantee of process Does the Relying Party trust the Identity Provider? Does the Relying Party trust that the identity credential – Really came from the Identity Provider? Is still valid? Who is responsible if something goes wrong? Etc., etc.

14 Wildman, Harrold, Allen & Dixon LLP. 14 II. The Legal Issues

15 Wildman, Harrold, Allen & Dixon LLP. 15 Key Risks to the Participants Technology risk Process risk Performance risk Privacy / Data Protection risk Data security risk Liability risk Enforceability risk Regulatory compliance risk

16 Wildman, Harrold, Allen & Dixon LLP. 16 Making It Work Requires A “Trust Framework” Composed of: Operational Requirements Goals Ensure proper operation of the identity system Ensure that operation will protect accuracy, integrity, privacy and security of data Content Technical specifications, process standards, policies, procedures, performance obligations of the participants, etc. Legal Rules Goals Make Operational Requirements legally binding on the participants Define and govern the legal rights and responsibilities of the participants Content Existing legislative/regulatory rules Contractual obligations

17 Wildman, Harrold, Allen & Dixon LLP. 17 “Trust Frameworks”... Will typically be created by commercial entities Will vary with the purpose of the identity system Will be primarily based on private contracts Will seek to support participant trust in the identity system by: Imposing enforceable specifications, standards, and rules on all parties Adequately defining the rights and responsibilities of the parties Fairly allocating risk and responsibilities among the parties Providing legal certainty and predictability to the participants Complying with existing law Working cross-border

18 Wildman, Harrold, Allen & Dixon LLP. 18 Possible Approach to an Identity Trust Framework Identity service providers relying parties Subjects Trust Community (source of Trust Framework) Trust Framework Provider (Governing Entity -- Defines the Rules) dispute resolvers assessors & auditors Contract

19 Wildman, Harrold, Allen & Dixon LLP. 19 Common Legal Problems to Be Addressed By a Trust Framework Legal Uncertainty Lack of legal rules or lack of clarity re applicable legal rules Liability Risk Uncertainty over potential liability is key issue! Legal Compliance E.g., privacy law requirements Legal Barriers Some laws may adversely impact Identity systems; Can they be altered by agreement? Contract Enforceability How can we bind all participants (and affected non-parties) in an enforceable Trust Framework? Cross-Border Issues Regulatory law in one jurisdiction may differ from another

20 Wildman, Harrold, Allen & Dixon LLP. 20 III. The Challenge for UNCITRAL

21 Wildman, Harrold, Allen & Dixon LLP. 21 Status of Work to Date Operational Requirements Much work being done by many groups and governments Groups: Kantara Initiative, Open Identity Foundation, ITU, EURIM, STORK, OIX, WS-Federation, etc. Governmental: Australia, Belgium, Finland, EU, Germany, India, OECD, Scotland, Sweden, U.S., etc. Legal Rules Largely unaddressed! Some private (closed) identity systems such as IdenTrust, SAFE-BioPharma, CertiPath, etc. American Bar Association Identity Management Legal Task Force

22 Wildman, Harrold, Allen & Dixon LLP. 22 Need to Address Legal Issues There is a critical need to address the legal challenges of identity management necessary to facilitate international e-commerce In particular, little (if any) work is being done on the international / cross-border legal aspects of this foundational e-commerce issue

23 Wildman, Harrold, Allen & Dixon LLP. 23 For Example... “Business, technical and legal inter-operability are necessary for cross-sectoral and cross-jurisdictional transactions.” OECD Recommendation on Electronic Authentication, June 2007 “From an international policy perspective, a key challenge is to minimise regulatory complexity and turn regulatory obligations into an enabler rather than a barrier to interoperability across borders.” OECD, The Role of Digital Identity Management in the Internet Economy, June 2009 “Issues may also need to be addressed regarding the role of contractual obligations.” OECD, The Role of Digital Identity Management in the Internet Economy, June 2009

24 Wildman, Harrold, Allen & Dixon LLP. 24 UNCITRAL’s Role UNCITRAL is the organization in the best position to take on this critical task, since its mission is legal, international, and commercial Addressing identity management is a prerequisite for -- Electronic signatures Model Law on E-Commerce – Articles 7(1) and 9(2) Model Law on E-Signatures – Articles 2(a) and 9 Convention on the Use of Electronic Communications in International Contracts -- Article 9(3) Mobile commerce Electronic transferable records Single window

25 Wildman, Harrold, Allen & Dixon LLP. 25 Initial Focus Identifying the legal issues – both generally and internationally – particularly as they relate to the potential liability of participants, and the legal requirements for trust among the participants Identifying and addressing legal barriers to cross- border identity management Enabling a structure for the development of enforceable private cross-border Trust Frameworks

26 Wildman, Harrold, Allen & Dixon LLP. 26 Further Information Thomas J. Smedinghoff Wildman, Harrold, Allen & Dixon LLP 225 West Wacker Drive Chicago, Illinois 60606 312-201-2021 smedinghoff@wildman.com

Download ppt "Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com Wildman, Harrold, Allen & Dixon LLP Identity Management: The."

Similar presentations

1 Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market (COM(2012 238 final) {SWD(2012)

1 Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market (COM( final) {SWD(2012)
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
International forum on eNotarization and eApostilles The impact of e-technology on notarial acts: legal and technical possibilities and limits -relevance.

International forum on eNotarization and eApostilles The impact of e-technology on notarial acts: legal and technical possibilities and limits -relevance.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com Wildman, Harrold, Allen & Dixon LLP What Is an Identity Trust.

Wildman Harrold | 225 West Wacker Drive | Chicago, IL | (312) | wildman.com Wildman, Harrold, Allen & Dixon LLP What Is an Identity Trust.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
S.1 Using a Global Validation Service to Unite Communities Jon Shamah EMEA Head of Sales, BBS eSecurity.

S.1 Using a Global Validation Service to Unite Communities Jon Shamah EMEA Head of Sales, BBS eSecurity.
Digital ID and Authentication as a Platform Peter Watkins.

Digital ID and Authentication as a Platform Peter Watkins.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.

Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.
Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com © 2009 Wildman, Harrold, Allen & Dixon LLP. Identification and.

Wildman Harrold | 225 West Wacker Drive | Chicago, IL | (312) | wildman.com © 2009 Wildman, Harrold, Allen & Dixon LLP. Identification and.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.

E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.

Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.
By Garland Land NAPHSIS Consultant. Importance of Birth Certificates Needed for: Social Security Card School Enrollment Driver’s License Passport.

By Garland Land NAPHSIS Consultant. Importance of Birth Certificates Needed for: Social Security Card School Enrollment Driver’s License Passport.
Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Similar presentations

Ads by Google