"Who Am I and Who Says So?" Privacy and Consumer Issues in Authentication

by Sarah Wilford


How do you prove you are who you say you are? How do you know that someone is legitimate in his or her dealings with you? It is difficult enough to verify someone's identity in the tangible world, with forgery, impersonation and credit card fraud to name just a few of the potential problems of authentication. The world of cyberspace has even more difficulties of identification and verification due to its remote and electronic nature. Basically, you just never know who you are dealing with or if the goods or services you are attempting to buy even exist. This is why the 'digital signature' and other authentication systems are being developed to alleviate the problems of identity. Identity is, however, important not only between individuals and organizations and from person to person, but also in promoting trust in Internet companies and verifying their legitimacy.

Whilst the need for verification to promote e-commerce is relatively clear, the needs of business and governments in verifying identity must be carefully considered in the light of individual privacy and the increasing requirement that individuals reveal more and more details about their personal lives. Are we in danger of becoming so transparent to the data banks that the privacy of the individual is only to be found inside one's own skull? The amount of unique data that will be required to verify identity will need to be carefully protected to ensure that such potentially sensitive personal information does not enter into the public domain.

The act of signing a document to guarantee its legitimacy is made less useful in the light of fears of tampering and hacking, particularly when transactions are made electronically. The use of cryptography and keysigning is perhaps one way that verification of identity can be assured, but the recent moves attempting to limit its use, or at least to control it, mean that privacy and civil liberties may be undermined at every juncture.

As consumers, we need to be assured that our credit card details do not go astray, and that only those documents with our authorization and verification will be acted upon. The idea that someone may use our identity for their own means, or that third parties may access sensitive information is of concern to many, thus making the use of authentication and security more vital.

The problems associated with authentication are not just related to the verification of identity but also involve greater public policy issues, which include the amount and kind of data required to confirm someone's identity. The use of and access to such data is also an issue of major importance, because of its potential for abuse by organizations seeking to maximize profits by using the data for marketing purposes. The confirmation of individual identity therefore becomes an emotive issue, one that requires much debate, the setting of boundaries for implementation, and the identification of potential uses of the information beyond its initial purpose.


Under the moderation of Deirdre Mulligan from the Center for Democracy, Margot Freeman Saunders, Managing Attorney for the National Consumer Law Center; Carl Ellison of Intel; Phil Hester, Vice-President for Systems and Technology at IBM; and David Flaherty from the University of Victoria discussed the hot topic of authentication and electronic commerce. The problem of verification of identity for medical records was discussed in detail. It was identified that trust and reputation are key points in the use of verification. The potential for abuse of key data by certification registration registers was also considered along with the responsibility of the producers of authentication technologies to ensure its security.

Moving forward, the need for clear understanding, not only by academics but by all members of society, was stressed in order that trust in Certification Organizations and the security of the data banks they maintain is assured. The problem of names was also discussed: identification becomes difficult where individuals have similar or identical names. This is particularly evident within online communities, which have many thousands or even millions of potential participants.

Perhaps one of the most difficult areas to be resolved is how to square the circle between the need for authentication and the desire to maintain the privacy of the individual. This was seen as an area in need of much further research.