Commentary by Mark Wahl, CISA

Organizing principles for systems:
Four scenarios for end user consent and involvement (20070807)

1. Choicepoint and the offline user

Kim Cameron of Microsoft brings up, in a recent post on "Linkage with CardSpace in Auditing Mode", the example of the 2004 ChoicePoint security breach. He wrote:

The identity thieves were a 'relying party', and ChoicePoint was the 'identity provider'. The information was delivered using a backchannel connection with no users in the loop. ChoicePoint had mechanisms in place to vet the legitimacy of the thieves, but these were not sufficient... What if the participation of the data subjects were required for the transactions to complete? This isn't so hard to imagine in the current period of wikipedia, Facebook and mass collaboration.

For online interaction (e.g., an individual applying for a credit card at a credit card issuing bank's web site) the InfoCard model might offer advantages; however, some of the difficulties of applying the InfoCard user interaction model to the more general ChoicePoint scenario are:

2. Why can't the end user see the claims?

Eric Norman responded to Kim Cameron's post that:

Even if the IdP encrypts claims for the relying party, can the user inspect those claims for accuracy as they travel from IdP to RP? I.e., can the user also decrypt this traffic? After all, the user is entitled to see and verify what testimony is actually being provided by the IdP, isn't he?

Eric is highlighting that, in the current CardSpace implementation, the claims travel from the identity provider to the relying party within a token that is encrypted with the public key of the relying party. The identity selector doesn't hold the private key of the relying party, so the user can't decrypt the token and view what is being said about them in this transaction. CardSpace identity providers instead offer the identity selector a separate "Display Token" (described in the post "The current InfoCard display token"), but the display token is not cryptographically tied to the encrypted token. A concerned participant might therefore wonder whether there are scenarios in which the identity provider offers the relying party additional, conditional or contradictory information beyond what it shows in the display token. As Eric suggests, it would be technically possible for the claims to be encrypted for both the relying party and the identity selector (if the end user had a public key pair); this is similar to encrypting an email message for multiple recipients in the Internet secure message syntax.
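The multi-recipient encryption that Eric proposes can be shown concretely. The following is an added example, not code from the original post, from CardSpace or from Microsoft: it uses the same structure as a CMS EnvelopedData (one content-encryption key, wrapped once per recipient), with AES-256-GCM for the claims and RSA-OAEP for the key wrapping as assumed substitutes for whatever algorithms a real token profile would specify. The recipient labels "rp" and "selector" and the JSON claims are constructed for the example; the point is that the identity selector opens exactly the ciphertext the relying party receives, so there is no separate display token to diverge from it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Recipient is one party that must be able to open the envelope.
// ID is a hypothetical label ("rp", "selector"), not a CardSpace field.
type Recipient struct {
	ID  string
	Pub *rsa.PublicKey
}

// Envelope follows the shape of a CMS EnvelopedData: the claims are sealed once
// under a random content-encryption key (CEK), and the CEK is wrapped for each
// recipient, so every recipient decrypts the same ciphertext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte            // AES-256-GCM output, tag appended
	WrappedCEK map[string][]byte // recipient ID -> CEK under RSA-OAEP
}

var oaepLabel = []byte("claims-cek") // assumed constant binding wrapped keys to this use

// Seal encrypts claims once and wraps the CEK for every recipient.
func Seal(claims []byte, recipients []Recipient) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, claims, nil),
		WrappedCEK: make(map[string][]byte, len(recipients)),
	}
	for _, r := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.Pub, cek, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedCEK[r.ID] = w
	}
	return env, nil
}

// Open recovers the claims for one recipient. A party whose key was not used
// at Seal time, or a tampered ciphertext, yields an error, never a partial plaintext.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedCEK[id]
	if !ok {
		return nil, errors.New("no wrapped key for recipient " + id)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	rpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample claims standing in for the IdP's security token.
	claims := []byte(`{"name":"A. Person","age_over_21":true}`)
	env, _ := Seal(claims, []Recipient{
		{ID: "rp", Pub: &rpKey.PublicKey},
		{ID: "selector", Pub: &userKey.PublicKey},
	})
	seen, _ := Open(env, "selector", userKey) // the user inspects what the RP will get
	got, _ := Open(env, "rp", rpKey)
	fmt.Printf("selector sees: %s\nRP sees:       %s\n", seen, got)
}
```

Because both parties unwrap the same CEK and authenticate the same GCM tag, the identity selector can compare the decrypted claims against what it displays to the user before releasing the token, which is the check the display token alone cannot provide.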

3. Consent for use of records in public health and research

BIOPATTERN is a European online health science project that plans:

...to provide novel computational intelligent techniques for biopattern analysis and a pan-European integrated, intelligent analysis of an individual's bioprofile. Information from distributed databases will be made available, securely, over the Internet to provide on-line algorithms, libraries and processing facilities for such analysis.

Robert Matthews, visiting reader in science at Aston University and a member of Biopattern's ethics working party, writes in an opinion article in this week's New Scientist, "Consent is crucial to medical research", that requiring participants' consent before their data is shared is seen by parts of the medical and research community as unnecessary, a cost, or a hindrance to scientific research and public health management:

It's true that demanding explicit consent has had dire consequences on databases designed to probe specific diseases. Medical registries in Canada, Australia and Germany have all been weakened by this requirement, with most patients deciding, for whatever reason, not to give consent. Demanding consent can also lead to subtle biases in databases since certain groups, often the poor, are less likely to agree. This can lead to misleading inferences about the links between sociological class, for example, and diseases such as cancer.

He cites the example of the failure of deCODE Genetics to have a set of three databases built, which would contain and index the genetic data of all Icelanders for exploitation in drug development. This case is discussed further in "An analysis of the Icelandic Supreme Court judgement on the Health Sector Database Act" by Dr. Renate Gertz, Research Fellow, AHRC Centre, School of Law, University of Edinburgh. Dr. Gertz wrote that:

Informed consent was to be required for the genetic samples that were to be taken from the entire Icelandic population. However, in May 2000, the Icelandic Biobanks Act was adopted, a piece of legislation that could enable deCODE to negotiate access to clinical samples collected or archived at various institutions. This access would be without express consent of the original donors. If deCODE followed up on this, the company's assurance to secure informed consent from citizens donating samples would not be adhered to.

Dr. Gertz continues that:

...instead of informing the population of Iceland about the Health Sector Database and all that it encompasses, and subsequently asking the citizens for consent to have their medical records entered into the database and to link this database with the genealogical and the genetic database, the Icelandic government adopted national legislation containing the provision of presumed consent. The justification provided by the Icelandic government for this use of presumed instead of informed consent is that the information is supposed to be non-identifiable and that Icelanders can opt out. Furthermore, the technophile character of the Icelandic population was mentioned and the assumption that people would act in the interest of the community.

A similar situation occurred in a 2000 exclusive licensing relationship between the bioresearch company Autogen Ltd of Australia and the Government of Tonga. A 2002 article in the British Medical Journal, "Proposed genetic database on Tongans opposed", quotes Lopeti Senituli, the Director of the Tonga Human Rights and Democracy Movement:

Autogen's statement on ethics emphasised prior informed consent of individual volunteers but remained mute on the traditional Tongan role of the extended family in decision making. "We want to also add the prior informed consent of the extended family . . . because what we are talking about is not only the genetic information from that one individual but the genetic material from that extended family," Mr Senituli said.

Furthermore, Mr. Matthews highlights the disconnect between position statements from UK organizations about when consent for use of health data should be necessary. In particular, he writes that "In 2005, a poll conducted by the British Medical Association found that 77 per cent of people in the UK believe their explicit consent should be required even for the basic act of storing their health records on a national computer network", and contrasts this finding with a seemingly contradictory 2006 report, "Personal data for the public good: using health information in medical research", by the UK Academy of Medical Sciences, which suggested that an "undue emphasis" on privacy and consent was a real cost to research organizations.

The Academy summarized the consent issues raised in their report as follows:

Policies that emphasise choice within health care, as within other aspects of modern life, focus on the value of individual autonomy. However, an emphasis on autonomy presents difficulties for activities such as medical research, which are performed for public, rather than individual, benefit. It could be maintained that a patient has the right to say 'use my data to treat me, but not to improve care for others'. Or, more starkly, 'use evidence from other people's data to treat me, but don't use my data to help them'. Many commentators have challenged this view, with some ethicists going further in arguing that, given the importance of biomedical research, there is a positive moral obligation for individuals to participate in certain contexts.

The Academy's report emphasised that research using personal health data has benefited the health of the public and greatly reduced the burden of disease. It also acknowledged that opportunities to use patient data to inform the design and evaluation of public health interventions are accompanied by important challenges concerning the individual's right to privacy, the sensitive nature of some health data and the importance of patients' trust in the confidentiality of their care. However, the report noted the absence of evidence about public and patient attitudes towards the use of health information in research, which forces regulatory and advisory bodies to make assumptions about what the public might and might not find acceptable; in the Academy's words, "We strongly believe that, in this and other areas, policies should be informed by better research and empirical evidence on public attitudes and awareness."

The Academy's report argued that an undue emphasis on privacy and autonomy has created a conservative culture of research governance, in which regulatory bodies promote a policy of 'consent or anonymise' with regard to health data. The report explains that measures taken under this policy have real and substantial costs for research in financial and time resources, and may compromise the reliability and generalisability of research results, so delaying or preventing the acquisition of knowledge necessary to understand, prevent and treat disease. It called for a proportionate approach in which individual interests are balanced against the risks involved and the importance of the research in question. Several recommendations were made, including the development of good practice guidance for research using personal data and greater public engagement around the purpose and value of such research.

4. End user expectations on data holders

Finally, from an August 1, 2007 story by Chris Hansen of Dateline on MSNBC, "Hot iPods: Is there a way to stop thieves cold?":

If you own an iPod, you already know that when you first buy it, you plug it into your computer and register it with Apple. Apple files the iPod's serial number and requests personal information like your name and address. Then, each time you want to download or purchase a song online from iTunes, your computer communicates with a central database at Apple. If you buy a song, Apple requests credit card information. And it's because of all that identifying information that some consumers are convinced iPods can be tracked if they're lost or stolen. Since Apple is in the best position to track iPods, we called the company to see if it would work with us on a story that set out to answer whether a stolen iPod could be traced. Apple declined.

Theoretically, this information could be used to identify the recipient of a stolen iPod.

Police like detective Kenney imagine a crime-fighting scenario like this: If this iPod was reported stolen, the real owner could supply his name, address and the serial number of the device to authorities or to Apple. Then, if a thief tried connecting the stolen iPod, a central database could detect its serial number -- or other personal data embedded in that machine -- to immediately flag it as stolen. And if the thief supplied personal information when he tried buying songs from the iTunes database, or by answering other questions on-line, he could be located and arrested.

To test this theory without the involvement of Apple, the Dateline staff left apparently new-in-box iPods out to be stolen. These iPods were modified with a 'phishing attack' in their registration procedure:

What [the person who is registering a stolen iPod] won't know is that when they click 'I Agree' on a licensing agreement that appears on-screen, they'll be consenting to provide some of the same kind of information they provide Apple to Dateline....The information ranges everything from first name, last name to mobile phone number, home phone number, home address ... what your MySpace handle is. All sorts of things.

In their experiment, they were able to trace 12 of the 20 iPods that were taken. Some iPod owners felt that Apple should be involved in tracking their stolen iPods, such as Alain Ferry, who set up the stolenipods.com site for discussion by other victims of iPod theft:

Hansen: Why should Apple be held accountable if somebody gets their iPod stolen?

Ferry: Oh, I'm not saying that they should be held accountable. I just want them to do more than they're doing.