Liberty Alliance, the 150-member association originally formed in 2001 to develop an open standard for federated network identity, created a working group in June 2005 to tackle identity theft.
Liberty’s Identity Theft Protection Group is co-chaired by Michael Barrett, president of the Liberty Alliance Management Board from 2002 to 2004 and vice-president of Internet strategy at American Express, and Alex Popowycz, a member of the Liberty Alliance management board and vice-president at Fidelity Investments. More than 40 Liberty members are currently participating in the group’s activities, which follow a cross-organizational approach to study the problem from all angles, with the aim of developing a unified response in an open and vendor-neutral environment.
“The biggest problem is public perception and the potential for undermining public confidence in the Web,” says George Goodman, president of Liberty Alliance’s management board and director of the platform virtualization lab at Intel. “Most identity theft is still done by low-tech methods like dumpster diving, but every year that passes, a greater percentage of transactions are done online. Our members recognize they’re going to be in somebody’s crosshairs and they want to avoid that.”
Liberty Alliance says it is the first coalition to take a collective approach to combat identity theft. “We had members who stepped forward and said, we think Liberty Alliance has a way of looking at the problem in a way others maybe would not. Many of the companies involved are not technology geeks; they are the large adopting companies who actually have to worry about rolling out complex identity management systems,” says Goodman.
The group is designed to serve as a hub for the global effort against identity theft and will begin by collecting and analyzing information in order to understand the nature and scope of the problem. Timelines are still to be determined, but the first deliverables of the coalition will be case studies, attack vector documentation, and best practices that will show how Liberty Alliance proposes to address identity theft.
At the core of Liberty Alliance’s efforts is the notion of a federated approach to identity management. It is the antithesis of the centralized approach, which creates a single point of failure by putting a single, proprietary identity provider in a position to give away the keys to the kingdom if its security is breached. The federated approach allows many providers to create their own identification for individuals, who will then be linked within circles of trust to sister organizations. Attributes of an individual’s ID can be shared within a common technology and policy framework that protects that identity.
Goodman outlined the goals Liberty Alliance plans to achieve within a year. “We plan to go from where we are now to being able to show very clearly the areas where we’ve had policy engagements with other groups and with specific government bodies globally to help characterize the requirements needed to support the protection of identity. We want to be able to say, these are the requirements we’re feeding into the creation of technical specifications and business guidelines, which might expand the federated framework specifications.”
The coalition is also planning to determine if modifications to the framework will be needed to address particular industry requirements within financial services and other sectors, he says. Goodman also outlined the way two companies would establish a reciprocal relationship. If two companies wished to build a common identification system based on Liberty Alliance’s federated approach, both would need to implement products that are compliant with its technical standards.
The products will establish the way a user’s identity preferences are mapped and handled, and a legal agreement will define the identity-sharing arrangement between the two companies. The agreement would also specify the levels of security to be maintained and how the companies will audit one another to guarantee the agreed level of security. Company A would not convey all of a user’s identity information every time a transaction takes place with company B. Instead, a transient token that represents the user would be sent, so that even if it is stolen, it will be of no use to thieves.
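The transient-token exchange described above can be sketched in code. This is an added illustration, not part of the original article and not Liberty Alliance's specification. It assumes the token is useless to a thief because it is random, single-use, short-lived and bound to one partner; the class name, partner names and lifetime are hypothetical, and the partner redeeming a token is assumed to be authenticated already.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 60  # seconds a token stays redeemable (constructed value)


class CompanyA:
    """Hypothetical identity provider: knows the user, sends only opaque tokens."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)  # never leaves company A
        self.pending = {}  # token -> (partner, pseudonym, expiry)

    def pseudonym_for(self, user_id, partner):
        # Per-partner pseudonym: partners cannot correlate a user by comparing IDs.
        msg = f"{partner}|{user_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, user_id, partner, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # random; encodes no identity data
        self.pending[token] = (partner, self.pseudonym_for(user_id, partner),
                               now + TOKEN_TTL)
        return token

    def redeem(self, token, partner, now=None):
        # Assumption: the calling partner was authenticated before this point.
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # single use: gone after one try
        if entry is None or entry[0] != partner or now > entry[2]:
            return None  # replayed, wrong recipient, or expired
        return entry[1]


def demo():
    a = CompanyA()
    user = "alice@example.test"  # constructed sample account
    t1 = a.issue(user, "company-b", now=1000)
    first = a.redeem(t1, "company-b", now=1010)    # legitimate redemption
    replay = a.redeem(t1, "company-b", now=1011)   # stolen copy replayed
    t2 = a.issue(user, "company-b", now=1000)
    late = a.redeem(t2, "company-b", now=1000 + TOKEN_TTL + 1)  # expired
    return first == a.pseudonym_for(user, "company-b"), replay, late


if __name__ == "__main__":
    print(demo())
```

Company B only ever receives the random token and, on redemption, a pseudonym scoped to itself, so an intercepted token discloses no account details and cannot be redeemed a second time.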
The more companies join Liberty Alliance, the more likely it will become the de facto standard for creating circles of trust that will reassure consumers, says Goodman. “If we deal effectively with online transactions and the potential for theft via electronic means today, I think identity theft will be less of a problem over time. And if we don’t deal with it now, there’s a chance it’ll accelerate,” he says.