November 3, 2009 - 3:35pm
The federal government is in the process of launching a series of pilot programs that will use a third party to store and authenticate the data of federal Web site users.
The Center for Democracy and Technology recently released a whitepaper outlining some possible issues -- and best practices -- for the federal government.
Heather West is a policy analyst at CDT and said this issue is increasingly important for the federal government in terms of how it deals with the public, and how it deals with internal issues, as well.
"The government has been working on effective ways to authenticate their own employees and their contractors for a long time, and these government pilots are really just progress into how they're going to then work with the public."
The whitepaper discusses user-centric identity in detail, which is defined as a user controlling the information about him or her that is sent to a Web site.
West said the biggest issue with user-centric identification systems has to do with privacy, and many are still trying to figure out how to deal with it.
"Identity is, by definition, a collection of personal information about you and at CDT, we believe that user centric identity lets individuals take control of their personal information -- and, because they're at the center of this interaction between an identity provider and a service provider, they have so much more choice in terms of privacy. We think that user centric identity has great promise in making online interactions more privacy protective."
A few pilot programs are currently under way that the federal government is taking note of. West said many of the agencies participating are working with third parties in the private sector to learn best practices.
OpenID is one example of a program that the federal government hopes will get members of the public comfortable with the government use of user-centric identification systems.
"Whether or not people know that they have that OpenID, when they go to a federal Web site and realize that they can use their gmail account or their PayPal account among others that are active in this pilot, it's going to be a lot easier than creating a new user name and password for every .Gov site."
One might wonder where the onus of security lies. West said that, currently, the burden lies with the identity providers, such as OpenID, though that's not all.
This, she added, is one of the reasons why CDT wrote the whitepaper in the first place.
"It's not well-defined right now where that onus is and who is responsible and who has what obligations within this system. It's not clear, and I think, as these pilots move forward, they need to make it very clear [about] the responsibilities that each of these three parties has in these systems."
Security and privacy issues are even more important because of the nature of identity providers themselves. West warned that the providers are increasingly becoming targets of identity thieves.
"That is one of the reasons that these identity providers really have to pay a lot of attention and build privacy and security into their systems as they move forward. And, as [providers] are overseeing the identity providers as part of what they're calling 'trust frameworks', their responsibility is going to be making sure that these are really enforceable agreements and security is a priority."
West said, right now, CDT is watching and learning about how trust frameworks are governing themselves, which will help both the federal government and identity providers in the future.
"We're really hoping that these systems stay user centric, and that the user is a large part of trust framework policy and identity provider policy. We're also hoping that we can build strong trusted relationships through these strong agreements between the three parties in identity systems."