Privacy and Identity Management

When developing an identity management system, designers must consider the system’s purpose and particular privacy needs. A set of guidelines and advice can help them make these determinations.

Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany
Ari Schwartz and Alissa Cooper, Center for Democracy and Technology

Creating and managing individual identities is a central challenge of the digital age. As identity management systems—defined here as programs or frameworks that administer the collection, authentication, or use of identity and information linked to identity—are implemented in both the public and private sectors, individuals are required to identify themselves with increasing frequency. Traditional identity management systems are run by organizations that control all mechanisms for authentication (establishing confidence in an identity claim’s truth) and authorization (deciding what an individual should be allowed to do), as well as any behind-the-scenes profiling or scoring of individuals. Recent work has looked toward more user-centric models that attempt to put individuals in charge of when, where, how, and to whom they disclose their personal information.

Identity management technologies can help realize the potential of the digital age, whether by making e-commerce exchanges more seamless, tying together information on multiple devices, combating fraud, or enabling yet unimagined services. However, the digitization of information—by facilitating the collection, storage, and sharing of large amounts of data—can exacerbate privacy risks inherent in identity management systems.

Privacy in context
System designers with limited exposure to the concepts of identity and privacy might be tempted to apply blanket privacy rules to identity management systems to address the privacy risks that those systems create. For example, “collect as little information from individuals as possible” might seem like a rule that could help protect the privacy of participants in an identity management system. Although this approach’s simplicity is appealing, in practice, the relationship between identity management and privacy is nuanced, and what might seem intuitive might not always apply. Designers must evaluate how a particular identity management system protects privacy in context—that is, accounting for the system’s purposes, participants, and potential abuses.

With regard to minimizing data collection, consider an identity-risk-analysis system as an example. Identity-risk analysis involves determining the probability that an individual engaged in a particular transaction is using a stolen or forged identity. To make this determination, you’d want to gather as much information as possible about the individual involved so you can compare the transaction to the individual’s history or profile. If the credit card involved in the transaction is suddenly being used to make purchases in countries where it’s never been used before, for example, someone might be using the individual’s identity fraudulently.

Although gathering and maintaining a rich profile of an individual and his or her transactions might seem antithetical to privacy interests, in this case it might actually help protect the individual’s privacy by raising a red flag about suspected fraud. So, although less data collection can often mean more privacy, in this case the opposite might be true.

The importance of understanding and accommodating the context in which an identity management

Published by the IEEE Computer Society ■ 1540-7993/08/$25.00 © 2008 IEEE ■ IEEE Security & Privacy, March/April 2008

system will be used extends beyond considerations for the amount of data collected. The “less data collected equals more privacy” idea also fails to account for the type and sensitivity of the identity information involved. An identity management system that collects and stores a person’s single fingerprint can be more invasive than a system that stores a person’s entire credit history. Likewise, a small amount of identity information that’s shared with numerous parties or isn’t properly secured might put an individual’s privacy at greater risk than a large amount of information that’s properly secured and accessed only by authorized parties. These nuances ultimately point to the need to evaluate identity management systems with respect to privacy in context.

Privacy guidance
There is no shortage of principles and guidelines for establishing and maintaining privacy in identity management systems. Determining how to apply them to a particular identity management system requires a solid understanding of the environment in which the system operates and of the risks and benefits that the system must balance.

Fair Information Practice Principles
Designing and choosing a privacy-protective identity management system requires a solid grounding in foundational privacy principles. The most widely accepted set of such principles is the Fair Information Practice principles (FIPs), which were first developed in the 1970s and have been adapted by many government agencies, public interest groups, and private companies around the world (see www.cdt.org/privacy/guide/bsic/fips.html). The Organization for Economic Cooperation and Development (OECD), for example, has issued a set of guidelines based on the FIPs that focus on privacy as personal data flows between its 30 member countries.1

These principles apply broadly to the collection and use of personal data in the traditional sense—names, addresses, government-issued identifiers, and so on. Insofar as identity management systems are concerned, the seven FIPs are highly instructive:

• Openness. The existence of systems containing personal data should be publicly known, along with a description of the system’s main purposes and uses of the personal data in the system.
• Individual participation. Individuals should have a right to view all information that’s collected about them. They should also be able to correct or remove data that isn’t timely, accurate, relevant, or complete.
• Collection limitation. Limits to the collection of personal data should exist. Personal data should be collected by lawful and fair means and, where appropriate, with the individual’s knowledge or consent.
• Data quality. Personal data should be relevant to the purposes for which it’s collected and used. It should be accurate, complete, and timely.
• Finality. The use and disclosure of personal data should be limited. Personal data should be used only for the purposes specified at the time of collection and shouldn’t be otherwise disclosed without the consent of the individual or other legal authority.
• Security. Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, and disclosure.
• Accountability. The keepers of personal data should be accountable for complying with fair information practices.

These principles are the logical starting point for anyone designing an identity management system. Because the FIPs were developed before the dawn of the digital age, however, they might be inadequate for many new environments that require identity management. In the new digital environment, massive data collection is inexpensive and efficient, databases are seamlessly networked together, and the data collected goes beyond traditional notions of personal data. In the face of these changes, designers of cutting-edge identity management systems and technologies might find three additional principles helpful:

• Diversity and decentralization. Enrollment and authentication options in identity management systems should function like keys on a key ring, letting individuals choose the appropriate key for a specific need. Designers should resist centralizing identity information or using a single credential for multiple purposes. If linking several identity management systems and databases together proves necessary, designers should implement appropriate safeguards to limit the associated privacy and security risks.
• Proportionality. The amount, type, and sensitivity of identity information collected and stored by an identity management system should be consistent with and proportional to the system’s purpose. Some systems might require greater amounts of data or more sensitive data than others, but each system should match its information collection limits to its goals.
• Privacy by design. Privacy considerations should be incorporated into the identity management system from the outset of the design process. Considerations include safeguards for the physical system components as well as policies and procedures that guide the system’s implementation. Incorporating these considerations at the beginning will save time and effort in the long run.


Often, not all the principles will apply to a given system equally. System designers should consider each principle and how to maximize it within a given system, but might conclude that it’s more appropriate to focus on some principles while downplaying others.

Regulations and guidelines worldwide
Identity management system designers must also respect the privacy laws and regulations within their jurisdictions. In some areas of the world, such as Europe, a strong legal framework has provided fertile ground for privacy guidance and tools that go beyond the FIPs. The following subsections describe the legal frameworks in Europe, the US, and Canada, along with other notable privacy initiatives in those areas.

European Union. In 1995, the EU developed harmonized data-protection legislation to be applied across all 27 EU member states.2 The harmonization aimed to remove potential obstacles to cross-border flows of personal data and to ensure a high level of protection within the EU. Unlike the US’s more sectoral approach, the European Data Protection Directive forms an overarching privacy regulation that all data controllers within the EU must adhere to.

The EU Data Protection Directive doesn’t permit processing personal data at all, except when a specific legal basis explicitly allows it or when the individuals concerned consented prior to the data processing. Generally speaking, the FIPs apply in the legal context of Europe, in particular the paradigms of transparency, individual participation, and legitimate purpose. EU data-protection law also stresses the commonly accepted principle of data minimization, limiting the collection and processing of personal data to the extent necessary for the given purpose.

In Europe, identity management systems must comply with the law, so in theory they fulfill the principles we’ve described. With the conversion to digital processing and storage of personal data in identity management solutions, designers could implement the law’s transparency requirements directly in the system technology. Similarly, the new crop of user-controlled identity management systems can help users maintain and exercise their privacy rights by technologically implementing legal obligations and even enhancing user privacy by going beyond what the law requires.

In this spirit, a wide range of industry, academic, and governmental organizations from across the EU have joined forces through the Privacy and Identity Management for Europe (Prime) project to develop working prototypes of privacy-enhancing identity management systems. (Early work in privacy-enhancing techniques appears elsewhere.3,4) These solutions support users’ sovereignty over their private spheres and help enterprises with privacy-compliant data processing. The EU’s Sixth Framework Program funds Prime, which is acknowledged as a flagship for privacy technology development by the European Commission.5 Some of the concepts discussed in the following section are based on Prime’s work.

US. With the rapid advances in information technology beginning in the 1990s, the US Congress came under increasing pressure to establish regulations to protect privacy. The resulting laws have followed a largely sectoral approach, with distinct regulations for many kinds of consumer data, but no overarching framework to secure consumer privacy across the board. Today, the US has separate privacy laws for medical information (the Health Insurance Portability and Accountability Act), financial information (the Gramm-Leach-Bliley Act), data related to children (the Children’s Online Privacy Protection Act), and a slew of others.

For identity system designers, this patchwork of regulations provides little baseline guidance for building privacy-protective systems. Designers will likely find standards such as the OECD principles or the European framework more helpful in building privacy protections into their systems, although they’ll have to consider US law for systems involving data covered by any of the myriad US regulations.

Canada. Canada has what the US lacks—a baseline privacy law governing the use of personal data. The Canadian regime is roughly equivalent to the EU regime. Identity system designers will likely find work by Ann Cavoukian, Ontario’s Information Privacy Commissioner, to be helpful in understanding the Canadian view of privacy. Her 2005 paper, “7 Laws of Identity: The Case for Privacy-Embedded Laws in the Digital Age,”6 gives a unique interpretation of an earlier paper by Microsoft’s Kim Cameron, “The Laws of Identity.”7 Cameron’s laws of identity describe the basis for a “unifying identity metasystem” that can be applied to identity on the Internet. Cavoukian’s work teases out the privacy implications intertwined in this new vision for identity management.

Building blocks for privacy and identity management
In the digital world, two core informational privacy concerns are:

• Observability. The possibility that others (potential observers) will gain information. Observers might include the parties communicating (for example, two people emailing back and forth), the service providers facilitating the communication (for example, email or Internet service providers), and eavesdroppers (for example, attackers sniffing email content or Internet traffic).
• Linkability. The potential to link between data and an individual as well as potential links between different data sets that can be tied together for further analysis. Controlling linkability involves both maintaining separate contexts so observers can’t accumulate sensitive data and being cautious when identity information is requested to keep track of information disclosure.

How much (or little) observability and linkability are desirable in a specific situation depends on its context as well as on the perspectives of the parties involved. For some services, information is disclosed with the express purpose of making it observable—on social networks, for example. But even in such situations, designers can tailor observability in a fine-grained way (for example, letting users control which of their friends can see certain information on their social network profiles).

As for linkability, consider a social networking site that lets users set up multiple profiles. These profiles’ linkability should be a key concern for the site designers—profiles could be publicly linked, linked only on the site’s back end, or not linked at all. The social network’s users might have different preferences from those of the site itself. For example, they might want to keep their work and personal profiles unlinked, whereas the site might view the creation of combined profiles as richer targets for marketing or other purposes. However the social network is designed, linkability should be a core consideration.

Several mechanisms and tools for identity management systems can help designers control observability and linkability. Whichever mechanisms a designer uses, they must be implemented in an easily understandable and user-friendly way. The Prime project’s white paper demonstrates and illustrates these concepts for user-controlled identity management.8

Separating workflows
Incorporating linkability control into the design of an identity management system should entail a separation of contexts (which is in line with Helen Nissenbaum’s concept of “privacy as contextual integrity”).9 A designer could do this by, for example, preventing globally unique identifiers (strings pointing to individuals) and instead limiting the identifiers’ scope to the necessary domain. Using different pseudonyms in different contexts could prevent undesired context-spanning linkage and profiling by third parties.

Existing workflows could be “delinked” by separating domains that don’t necessarily need to be linked. In some cases, specific service providers who are responsible for only a subset of tasks could perform this separation. An obvious example is an online shopping scenario in which a company selling goods uses a payment service and a delivery service. Table 1 divides this scenario into three subprocesses that the different parties can perform, thereby separating knowledge of the buyer’s information. The subprocesses relating to the same purchase case must communicate status information to each other, but not the buyer’s personal data, as long as everything runs smoothly. One standardization project, which is developing specifications for identity-based Web services, proposes a similar separation.10

Table 1. Different parties’ sufficient knowledge in an online shopping scenario.

Party              Name/identifier   Purchased goods   Shipping address   Financial information
Vendor             Pseudonym 1       +
Delivery service   Pseudonym 2                         +
Payment service    Pseudonym 3                                            +

This means, for example, that the delivery service would have to know the shipping address, but not the goods to ship. Of course the three processes aren’t fully independent—a link must exist between the purchase, the payment, and the delivery; and delinking only works if the services involved agree not to share information. Still, this link could be realized under the control of the user who, for example, might send all data encrypted for the appropriate recipients. However, in the traditional world, the shipping address and the financial account information would typically contain the user’s real name. Still, the purchase itself doesn’t necessarily require a real name—today’s online auction platforms commonly use pseudonymous accounts, and almost everyone has made cash purchases at a bakery or bookstore where real identities are unimportant. In fact, the use of pseudonyms in transactions is generally legally permissible as long as it doesn’t harm others.

The separation of workflows is already in common practice in cases in which the use of personal data is heavily regulated (for example, only particular parties can process medical data under the US HIPAA regulations). But the practice is also useful when applied to identity management systems and other forms of data collection that aren’t necessarily subject to strict legal rules in all jurisdictions.
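To make the Table 1 split and the "different pseudonyms in different contexts" idea concrete, here is an added example; it is not code from the article or from the Prime project. It assumes the buyer's client holds a secret from which pseudonyms are derived by keyed hashing (HMAC-SHA256): the vendor pseudonym is reused on every visit to the same shop, while the delivery and payment pseudonyms are fresh per order. The only value all three parties share is an order reference that carries no personal data; the encrypted transport the text mentions is out of scope. The secret and the purchase are constructed sample data.

```python
"""Added example: context-bound pseudonyms and the three-way purchase split
of Table 1. Not from the article or the Prime project. Assumes a user-held
secret and HMAC-SHA256 derivation; all sample values are constructed.
"""
import hashlib
import hmac
import json

USER_SECRET = b"buyer-master-secret-constructed-for-this-example"


def pseudonym(secret: bytes, context: str) -> str:
    """Derive a pseudonym bound to one context.

    Without the secret, two pseudonyms cannot be linked to each other or to
    the person; the holder of the secret can recompute them to prove that a
    pseudonym is hers.
    """
    return hmac.new(secret, context.encode(), hashlib.sha256).hexdigest()[:16]


def split_purchase(secret: bytes, vendor: str, order_id: str,
                   goods: list, address: str, card: str) -> dict:
    """Split one purchase into the three views of Table 1.

    Each party gets its own pseudonym plus only the field it needs. The
    order_ref, which carries no personal data, is the single value all three
    share so that status messages can be matched to the purchase.
    """
    order_ref = hashlib.sha256(f"{vendor}/{order_id}".encode()).hexdigest()[:12]
    return {
        "vendor": {
            # stable per shop: the buyer is recognised on her next visit
            "pseudonym": pseudonym(secret, f"vendor:{vendor}"),
            "order_ref": order_ref,
            "goods": goods,
        },
        "delivery": {
            # fresh per order: two deliveries cannot be linked by pseudonym
            "pseudonym": pseudonym(secret, f"delivery:{vendor}:{order_id}"),
            "order_ref": order_ref,
            "shipping_address": address,
        },
        "payment": {
            "pseudonym": pseudonym(secret, f"payment:{vendor}:{order_id}"),
            "order_ref": order_ref,
            "card": card,
        },
    }


def shared_fields(views: dict) -> set:
    """Field names whose value is visible to more than one party.

    For the split above this must be {"order_ref"}: pseudonyms differ per
    party and each personal field lives in exactly one view.
    """
    holders = {}
    for party, record in views.items():
        for key, value in record.items():
            holders.setdefault((key, json.dumps(value, sort_keys=True)), set()).add(party)
    return {key for (key, _), parties in holders.items() if len(parties) > 1}


if __name__ == "__main__":
    views = split_purchase(USER_SECRET, "bookshop-a", "1001",
                           ["Applied Cryptography"], "1 Example Street",
                           "4111 1111 1111 1111")
    print(json.dumps(views, indent=2))
    print("shared across parties:", shared_fields(views))
```

Only the holder of the secret can tie the three records to one person. If the vendor and the delivery service pooled their records they could still join them on order_ref, which is exactly the collusion the text warns about: the separation holds only while the parties keep their agreement not to share.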


[Figure 1: pseudonym types ordered by decreasing context-spanning linkability: person pseudonym; role pseudonym and relationship pseudonym; role-relationship pseudonym; transaction pseudonym.]

Figure 1. Pseudonyms according to their usage. Person pseudonyms are typically used as substitutes for real names in many contexts. Role pseudonyms are used with respect to a person’s current role, such as a customer or patient. Relationship pseudonyms are used with respect to specific communication partners. Buying goods in two different bookshops, for example, would result in different relationship pseudonyms, regardless of whether the books belong to the private or professional context. Role-relationship pseudonyms combine the role and relationship pseudonyms and differ by role and communication partner.11

Choosing appropriate pseudonyms
From a technological perspective, all individual identifiers—except for real names—can be regarded as pseudonyms, even if they belong to hardware or software in the individual’s possession. This can encompass IP addresses, cookie identifiers, hardware or software serial numbers, RFID tags, or other bit strings that are related to a person and might identify individuals within a certain scope. Three main questions are relevant when discussing pseudonyms’ privacy properties:

• Who knows (or can find out) a person’s pseudonym?
• How strong is the link between the pseudonym and a specific individual? That is, does the individual possess the pseudonym uniquely and securely, or can different people consecutively or even simultaneously act under the same pseudonym?
• How much information can be gathered by linking data disclosed under the same pseudonym (that is, the content of a pseudonymous profile)? In other words, is the pseudonym used in a context-spanning or context-specific way, thus providing more or less information to be linked?

Figure 1 shows how pseudonyms might vary in aiding or restricting linkability. For all situations, designers can tailor pseudonyms according to the required properties. For users, proper pseudonym handling in the online world to separate contexts isn’t always trivial; user-controlled identity management systems should provide more effective mechanisms for achieving separation. In principle, the goal should be to manage all possible identifiers that might enable linkage, including the identifiers that correspond to the data trails in the digital world that most users aren’t even aware of.

Private credentials
Private credentials (also called minimal disclosure tokens) let individuals prove their authorization (for example, that they’re over 18 years old) without revealing information that might identify them.12,13 In the encryption context, these private credentials derive from a certificate issued on different pseudonyms of the same person. Equipped with special cryptographic software, users can create multiple private certificates from a single master certificate that a credential provider has issued. These private certificates are linkable neither to each other nor to the issuance interaction in which the master certificate was obtained, and the credential issuer is rarely involved when the derived private certificates are used. Private credentials ensure users’ accountability without giving away their privacy, as long as they behave according to the agreed-upon rules. Victims of misuse can revoke the user’s anonymity with the credential provider’s help.

Other types of private credentials exist. E-coins, for example, use credential providers that don’t keep identity information. Although these credentials can’t guarantee accountability, they can detect or even prevent misuse (for example, double-spending) in some cases.

Privacy policies
Organizations are familiar with displaying their privacy policies on their Web sites. But providing privacy policies that users truly understand and that serve as rules for automated data processing within the organization continues to be a challenge. Privacy policies are often the baseline for informed consent, which is needed before the organization can process users’ identity information. In theory, machine-readable privacy policies (standardized in Platform for Privacy Preferences format, for example) should be a good way to match against (or possibly negotiate with) configured preferences on the user’s side. The semantics of privacy policies need further international harmonization, and organizations need incentives to implement machine-readable policies. Currently, the lack of implementation makes the noble goal of greater transparency through the use of these policies an unlikely outcome.

The same is true for making privacy policies more accessible and understandable as we move into a world of ubiquitous connectivity, tiny mobile devices, and similar technological advances. Graphical (or even multimedia) expressions of privacy policy content,


such as simple and recognizable icons, can spare people from having to read lengthy texts in legal jargon. Figure 2 presents two example privacy policy icon sets.

[Figure 2: two panels, (a) and (b), showing snippets of the icon sets described in the caption.]

Figure 2. Snippets from proposed icon sets for expressing privacy policies. (a) Matthias Mehldau developed a set of pictograms for data-privacy declarations (see the full icon set at http://asset.netzpolitik.org/wp-upload/data-privacy-icons-v01.pdf). (b) Mary Rundle proposed a set of “Creative Commons-like icons” (see her presentation on data- and identity-protection tools at http://identityproject.lse.ac.uk/mary.pdf).

Sticky policies
Are users sold down the river after releasing their identity information? Not necessarily. Current data-processing systems usually can’t guarantee the binding between the data collection’s purpose and the data’s actual uses. However, researchers have proposed leveraging cryptography and other mechanisms to “stick” policies to data, similar to how digital rights management (DRM) tries to stick copyright policies to content.14,15 These “sticky policies” together with data-management systems can guarantee privacy-compliant processing by enforcing the rules on how the data may be processed even after the information has been disclosed and left the user’s control.

Transparency tools
What do others know about me? Knowing the answer to this question is a prerequisite for maintaining privacy. History functions such as the Prime project’s Data Track store all relevant information from online transactions, including a record of what identity information has been disclosed to whom and under what conditions. The stored data also includes information from the privacy policies of services requesting the data. Users can review this information later to understand what exactly they’ve consented to. The Data Track doesn’t only provide transparency (clear visibility) for users, but also lets them later ask data controllers whether they really treated the data as promised. In Europe, this would mean exercising users’ privacy rights to access, rectify, or erase data and would let them possibly withdraw consent. In addition, the Data Track helps users choose the appropriate pseudonym for a particular context, keeping pseudonyms separate unless otherwise desired.

Another aspect of transparency is information on current security vulnerabilities or reported privacy-related misuses. The Prime project has proposed security and privacy RSS feeds to alert users of potential risks or misuse. These RSS feeds could get the information from Computer Emergency Response Teams (CERTs), but also from companies that must act according to security breach notification laws, as required in many US states and planned in the upcoming revision of the EU ePrivacy Directive.
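The sticky-policy idea from the section above, as an added example: a minimal enforcement point that keeps the policy attached to the data and checks purpose, recipient and retention before releasing anything. This is not code from the article or from references 14 and 15, which bind policy to data cryptographically; here an HMAC under a key held by the enforcement point stands in for that binding, so any change to the data or the policy invalidates the tag. The key, the record and the policy are constructed sample values, and only the fields permitted for the requested purpose are returned.

```python
"""Added example: a sticky-policy enforcement point. Not from the article or
the schemes in refs 14 and 15. Assumes an HMAC under an enforcement-point key
as the data/policy binding; all sample values are constructed.
"""
import hashlib
import hmac
import json


class PolicyViolation(Exception):
    """A requested use does not match the policy stuck to the data."""


def _canonical(data: dict, policy: dict) -> bytes:
    # Deterministic serialisation so the same data+policy always gives the same tag.
    return json.dumps({"data": data, "policy": policy}, sort_keys=True).encode()


def stick(key: bytes, data: dict, policy: dict) -> dict:
    """Attach policy to data; the tag covers both, so neither can be swapped unnoticed."""
    tag = hmac.new(key, _canonical(data, policy), hashlib.sha256).hexdigest()
    return {"data": data, "policy": policy, "tag": tag}


def use(key: bytes, package: dict, purpose: str, requester: str, now: int) -> dict:
    """Release only the fields the policy allows for this purpose and requester."""
    expected = hmac.new(key, _canonical(package["data"], package["policy"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise PolicyViolation("data or policy altered: tag does not verify")
    policy = package["policy"]
    if now >= policy["delete_after"]:
        raise PolicyViolation("retention period elapsed: delete, do not process")
    allowed_use = policy["uses"].get(purpose)
    if allowed_use is None:
        raise PolicyViolation(f"purpose {purpose!r} was never consented to")
    if requester not in allowed_use["recipients"]:
        raise PolicyViolation(f"{requester!r} is not a permitted recipient for {purpose!r}")
    # Data minimisation at the point of use: only the fields this purpose needs.
    return {k: v for k, v in package["data"].items() if k in allowed_use["fields"]}


def denied(key: bytes, package: dict, purpose: str, requester: str, now: int) -> bool:
    """True if the enforcement point refuses this use."""
    try:
        use(key, package, purpose, requester, now)
    except PolicyViolation:
        return True
    return False


# Constructed sample: what the buyer disclosed and what she consented to.
ENFORCER_KEY = b"key-held-by-the-enforcement-point-constructed"
SAMPLE_DATA = {"name": "A. Buyer", "shipping_address": "1 Example Street",
               "email": "buyer@example.invalid"}
SAMPLE_POLICY = {
    "uses": {
        "delivery": {"recipients": ["delivery-service"], "fields": ["shipping_address"]},
        "support": {"recipients": ["vendor-support"], "fields": ["name", "email"]},
    },
    "delete_after": 1_700_000_000,   # Unix time after which the record must be erased
}

if __name__ == "__main__":
    pkg = stick(ENFORCER_KEY, SAMPLE_DATA, SAMPLE_POLICY)
    print(use(ENFORCER_KEY, pkg, "delivery", "delivery-service", 1_600_000_000))
    print("marketing denied:",
          denied(ENFORCER_KEY, pkg, "marketing", "vendor-marketing", 1_600_000_000))
```

The check order matters: integrity first, so that an edited retention date or an added purpose is caught before it is consulted. A real deployment would also log each decision, which is the kind of record a transparency tool such as the Data Track could later show the user.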


Usable system design
Users should be able to control their private spheres in an identity management system. Otherwise, they might blindly trust the system and unwittingly release more identity information than they intended. User interfaces must provide all necessary information without overwhelming users, a particularly tricky task in the complex field of privacy regulation. Because few users configure their IT systems, the systems’ default privacy settings are critical. A single universal default setting won’t suit all individuals, so users should be able to configure identity management systems according to a trusted party’s recommendations, such as a privacy commissioner, a consumer protection organization, or simply a skilled peer. Existing usability research can help inform the construction of these mechanisms.

Advice for practitioners
These building blocks are in different stages of development within a wide range of initiatives and products. Even when choosing among available identity management products and services, system designers face an array of choices and interoperability scenarios for software, hardware, and the protocols that define interactions within a system. We’ve developed some advice to help designers navigate the landscape of these choices.

Determine whether identity is necessary
The first consideration should always be whether you need an identity management system to solve the problem at hand. Systems can accomplish many goals without using an identity component at all, dramatically lessening the time and effort required to safeguard privacy. System designers shouldn’t assume that adding an identification element to a system will make it more robust. The advantages of collecting and using identity information should be weighed against the need—and possibly legal requirements—to protect privacy.

Identify risks
Developers of all kinds of systems commonly plan only for regular workflows and processes, without considering the possibility of failure or attack. Understanding all risks to an identity management system, whether they’re likely to occur daily or are highly unlikely to occur, is fundamental to protecting privacy in the system. Threat-analysis tools in the IT security field, such as attack trees, are well-known among experts, yet underused in identity management settings.16 These tools are suitable for identifying privacy risks.

Discourage unnecessary linkages
In a networked world, the urge to link identity management systems and databases together will always exist. Linking together disparate identity data might improve convenience, efficiency, and even security (in cases such as fraud detection, in which linking information can help detect and deter fraudulent activity). System designers should choose components that let them easily erect strong safeguards to ensure that unnecessary linkages—between databases, communications channels, and personnel—don’t occur. These safeguards should be built in during an identity management system’s design phase.

For example, in the earlier online shopping scenario, you could design the database of identity information controlled by the delivery service to only store shipping information and pseudonyms. Although this doesn’t prevent later linkages to other identity information, the fact that you’d need a new database schema to add this information later might discourage linkages down the line.

Implement security during design
Data security products have been in use for decades and should be one of the most straightforward features for designers to include. A comprehensive security plan should be developed from the outset to ensure that encryption, automatic deletion of identity information, network security processes, physical security safeguards, and the like are inherent to the system.

Adopt trust-enhancing measures
Even the most secure identity management systems must gain user trust. Many simple mechanisms are available to help enhance trust in the system and make users more comfortable. In accordance with the FIP openness principle, providing a clear, simple, layered privacy policy will provide the baseline information that users need to evaluate the system. Offering users a way to give feedback about the system and responding to that feedback in a timely and helpful manner will help build user confidence. Users should be able to easily access, correct, and in some cases delete information about themselves, and there should be a structured procedure for challenging conclusions drawn from that information. System designers should also consider applying for a privacy seal or publishing the results of a third-party privacy audit.
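The attack-tree method mentioned under "Identify risks", applied to a privacy goal from the online shopping scenario, as an added example. This is not code from the article or from reference 16; the tree evaluator is a generic minimum-cost walk over AND/OR nodes, and the node names and attacker-cost figures are assumptions chosen to illustrate the method, not measured values. The flag on the tree builder models the schema decision from "Discourage unnecessary linkages": whether the vendor record still stores the buyer's real name next to the goods.

```python
"""Added example: a small attack-tree evaluator for a privacy risk in the
online shopping split. Not from the article or ref. 16; node names and cost
figures are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    op: str = "LEAF"                 # "LEAF", "OR" (any child suffices), "AND" (all needed)
    cost: float = INF                # leaves only: attacker effort; INF = ruled out by design
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Minimum attacker cost to reach the node, with the leaf steps that achieve it."""
    if node.op == "LEAF":
        return node.cost, ([node.name] if node.cost < INF else [])
    results = [cheapest(child) for child in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    if node.op == "AND":
        total = sum(r[0] for r in results)
        steps = [step for r in results for step in r[1]] if total < INF else []
        return total, steps
    raise ValueError(f"unknown node type {node.op!r}")


def shopping_linkage_tree(vendor_stores_real_name: bool) -> Node:
    """Goal: link a buyer's real name to the goods bought, given the Table 1 split."""
    return Node("Link buyer's real name to purchased goods", "OR", children=[
        # Only possible if the vendor record still holds the name beside the goods.
        Node("Read name and goods from one vendor record", "LEAF",
             cost=1 if vendor_stores_real_name else INF),
        # The collusion the text warns about: both parties must break their promise.
        Node("Vendor and delivery service collude", "AND", children=[
            Node("Vendor hands over (order_ref, goods)", "LEAF", cost=5),
            Node("Delivery service hands over (order_ref, name, address)", "LEAF", cost=5),
        ]),
        # An outsider needs both databases plus the shared order_ref to join them.
        Node("Outsider correlates two breached databases", "AND", children=[
            Node("Breach vendor database", "LEAF", cost=8),
            Node("Breach delivery service database", "LEAF", cost=8),
            Node("Join the two dumps on order_ref", "LEAF", cost=1),
        ]),
    ])


if __name__ == "__main__":
    for stores_name in (True, False):
        cost, steps = cheapest(shopping_linkage_tree(stores_name))
        print(f"vendor stores real name={stores_name}: cost {cost}, steps {steps}")
```

With the name column kept, the cheapest path costs 1 and needs no collusion at all; removing it raises the cheapest attack to the collusion path. The cost units are relative, so the useful output is the ordering of paths and which leaf a given design change removes, which is exactly the comparison a designer wants before and after a delinking decision.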

44 IEEE Security & Privacy ■ March/April 2008 Identity Management

All of these measures will help build user trust and acceptance of the system.

The urge to identify individuals will only grow as new technological advances make identification easier and more cost effective. Perhaps the greatest challenge is to make privacy considerations an inherent part of the design process. Although they’re frequently considered mutually exclusive, privacy, efficiency, and security often go hand-in-hand when they’re considered from the outset.

We’ve explored an array of privacy principles, tools, and tips for identity management system designers looking to build privacy-protective systems. By determining which of these is appropriate for a particular system and grounding the system in a solid privacy framework, system designers will be on their way toward safeguarding privacy as they tackle the ever-increasing push toward individual identification.

Marit Hansen is deputy privacy commissioner of Land Schleswig-Holstein, Germany and head of the Privacy-Enhancing Technology (PET) department at the Independent Centre for Privacy Protection. Her research interests include identity management, anonymity, pseudonymity, transparency, and end-user empowerment. Hansen has a diploma in computer science from the University of Kiel, Germany. She’s a member of the ACM and Gesellschaft für Informatik, where she serves as chair of the Special Interest Group on PETs. Contact her at [email protected].

Ari Schwartz is vice president and chief operating officer of the Center for Democracy and Technology. His research interests include online privacy, increasing individual control over personal information, and access to government information. Schwartz has a bachelor’s degree in sociology from Brandeis University. He’s a member of the Harvard Berkman Center’s Stopbadware project Advisory Board and the State of Ohio Privacy Advisory Committee. Contact him at ari@cdt.org.

Alissa Cooper is the chief computer scientist at the Center for Democracy and Technology. Her research interests include online privacy and security, Internet neutrality, and digital copyright. Cooper has a master’s degree in computer science from Stanford University. Contact her at [email protected].
