Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate

Abstract

In an online environment, identifying and authenticating a person or entity that seeks remote access to a corporate system, that authors an electronic communication, or that signs an electronic document, is the domain of what has come to be called management. It is essential to establishing the trust necessary to facilitate electronic transactions of all types, plays a key role in fighting identity fraud, and in many cases has become a legal obligation. Yet it is also a process that typically requires the disclosure, verification, storage, and communication of personal information, and thus, by its nature, raises significant legal, privacy and liability concerns, among others. This paper outlines the basic concepts behind identity management and the developing concept of federated identity management, and identifies and examines some of the key legal risks that must be addressed to make it work. In particular, it: • Explains the basic principles that underlie the concept of commercial identity management; • Identifies the numerous legal issues raised by the use of identity management systems; • Focuses on the privacy implications of the collection, verification, storage, communication, and disclosure of personal information in the context of identity management systems; • Examines the role of identity management in addressing the legal and risk-based obligations to authenticate remote parties; and • Evaluates the legal requirements applicable to all identity management systems, and how the operation of those systems raises issues of concern relating to the privacy and security of personal information