DANTE'S PASSPORT

Microsoft's eager offer to resolve the authentication challenge might sentence us to permanent purgatory

by Jack Fegreus

Alora! Federal legislation enacted in the US like the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act strictly mandate how personally identifiable information (PII) is collected and can be disseminated. That makes all of the personal, financial, and health-related information inside corporate firewalls today ground zero for many IT sites.

So it should come as no surprise that big law firms are gearing up to become experts in litigation practices that target privacy violations globally. PricewaterhouseCoopers has already established an extensive risk management practice, since year-end audits will mandate reconciliation with privacy legislation. Meanwhile, technology houses such as Oracle, TIBCO, EDS, and Merant are setting up practices focused on enterprise privacy management.

Given that hyper-charged PII environment, you can imagine the utter consternation of many when Mark Forman, associate director of information technology at the White House, who likes to call himself America's CIO, showed up in Seattle not to duck a flying salmon at Pike Place Fish Market, but as a featured speaker at Microsoft's Government Leaders Conference attended by representatives of 75 countries.

In between court appearances, Bill Gates appeared at the conference to offer Microsoft's services to those national governments that experience difficulties in developing authentication services on their own. Gates proposed that these governments consider using Microsoft's Passport service to verify the identity of visitors to their web sites. He also suggested that these governments use Microsoft's bCentral business web site to process business tax payments, handle address changes, and voter registration.

For many, this is just more evidence that Microsoft wants to own all personal online data starting at the browser and extending into e-business infrastructure with .NET. To this end, Microsoft is building the public relations campaign of the decade directed at both consumers and developers. Already, Microsoft touts that 200 million people have registered to use Passport. Immediately, this boosts Microsoft's web traffic and makes them more appealing to advertisers. In the longer term, it opens the opportunity to charge click-through fees for online sales executed using the service.

But the returns from being a consumer convenience tool are dwarfed by the possibilities that arise from becoming the verification service of choice for governments internationally. That's why Forman's attendance at the Microsoft event, and his confirmation that the government was even considering the use of Microsoft's Passport services for its "e-identification" initiative, which will authenticate people and businesses online at government web sites via Social Security, business-registration, and employer-identification numbers, set off a Salmon day of Homeric proportions for a number of people.

In the United States alone, the cost of compliance with current privacy legislation runs into the billions of dollars. The Gramm-Leach-Bliley Act mandates the way institutions deal with financial information via an "opt-out" scheme for the sharing of PII data with third-party affiliates. Despite the simplicity of the mechanism, it entails a massively complex permission management task: every customer's choice must be recorded and enforced on every data flow to every affiliate. Current estimates peg the costs of coming into compliance with the first stage of this act in excess of $25M for every financial institution.

What's more, the Health Insurance Portability and Accountability Act is far more restrictive than Gramm-Leach-Bliley. This "opt-in" federal legislation governs the use of personal health-related information by all health-care organizations. Patients must consent prior to the use of their PII data and can request audit reports detailing what information has been shared, which parties provided the information, and the dates when this occurred. The cost to health-care organizations of implementing this data management challenge exceeds the figures for financial institutions by huge multiples.

With this new Internet gold rush on, it's not too surprising that America's CIO made an attempt to quell the Passport uproar. Forman noted that his team will also be meeting with the Liberty Alliance Project, a consortium of 33 companies led by Sun Microsystems that includes AOL Time Warner.

A stated goal of the Liberty Alliance is to provide a decentralized approach, "federated" in the Alliance's terminology, to user authentication, while at the same time providing a universal, open standard for single sign-on from any device connected to the Internet. Adding the technical muscle to deliver on the Alliance's goals are the likes of American Express, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony, United Airlines, and Vodafone.

But this raises the most important question of all: Is the management of all of our PII data held by government institutions something that we want to privatize? This makes the epic mishandling of airport security pale into utter insignificance. Already, legal experts are talking about billions of dollars of potential litigation against financial institutions and health-care organizations for the misuse of personally identifiable information.

Now consider what happens when a private organization starts vouching for the identity of individuals interacting with businesses and the government. In the eyes of those big law firms gearing up to target privacy violations with litigation, that private organization becomes liable for incidents of fraud and identity theft. Expect a plethora of class action suits resulting from the misuse of PII data for profit.

What this means is that any private institution taking on such a task will immediately be before Congress looking for special indemnification legislation. So if America's CIO, who says his priority is to impose businesslike approaches for technology deployments, manages the government's store of PII data by internal or outsourced means, we'll all be paying dearly for the service. Just how dearly depends on how open our CIO is to new ideas.

One very serious alternative for the government is the Open Source Ping Digital Identity Infrastructure project. PingID provides a complete open framework for developers, enterprises, and service providers to deploy and embed secure digital identity services and functionality within applications, devices, or services. PingID is solidly grounded in the key technologies and protocols of the W3C and OASIS, including public-key cryptography, XML Digital Signatures for expressing a digital signature over an arbitrary data stream, XML Encryption, the XML Key Management Specification (XKMS), the Security Assertion Markup Language (SAML), and SOAP.

The Ping Digital Identity Infrastructure (DII) is designed to provide a comprehensive, end-to-end framework for entities to build and grow digital identities, establish relationships with other identities, and engage in business transactions with the world at large. Built on a peer-to-peer design, Ping DII will give control and privacy to the individual, while allowing for trusted relationships with large service providers that offer enhanced services at a higher level. In this way, Ping DII will be able to operate on its own, without the need for a particular authority or central service, which is precisely the single point of control and failure that a centralized service like Passport introduces.

Whatever course of action this PII data conundrum should take, one outcome is guaranteed: Technological and political maneuvering of the highest and lowest orders will continue for years to come.

Stay tuned next week, when Messagia CTO Sylvain Carle reports from the Open Source frontlines to detail what PingID portends for both developers and vendors.