Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate

Smedinghoff, Thomas J.

doi:10.2139/ssrn.1471599

Download This Paper

Open PDF in Browser

Add Paper to My Library

Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate

36 Pages Posted: 12 Sep 2009 Last revised: 30 May 2024

See all articles by Thomas J. Smedinghoff

Thomas J. Smedinghoff

Law Office of Thomas J. Smedinghoff; OpenID Foundation

Date Written: August 21, 2009

Abstract

In an online environment, identifying and authenticating a person or entity that seeks remote access to a corporate system, that authors an electronic communication, or that signs an electronic document, is the domain of what has come to be called "identity management." It is essential to establishing the trust necessary to facilitate electronic transactions of all types, plays a key role in fighting identity fraud, and in many cases has become a legal obligation. Yet it is also a process that typically requires the disclosure, verification, storage, and communication of personal information, and thus, by its nature, raises significant legal, privacy and liability concerns, among others.

This paper outlines the basic concepts behind identity management and the developing concept of federated identity management, and identifies and examines some of the key legal risks that must be addressed to make it work. In particular, it:

• Explains the basic principles that underlie the concept of commercial identity management;
• Identifies the numerous legal issues raised by the use of identity management systems;
• Focuses on the privacy implications of the collection, verification, storage, communication, and disclosure of personal information in the context of identity management systems;
• Examines the role of identity management in addressing the legal and risk-based obligations to authenticate remote parties; and
• Evaluates the legal requirements applicable to all identity management systems, and how the operation of those systems raises issues of concern relating to the privacy and security of personal information

Keywords: identity management, federated identity management, IdM, law, legal, authenticate, authentication, privacy, liability, identity, identification, identity provider, identity proofing, relying party,

JEL Classification: K00, K10, K12, K19, K20, K29, K30, K33, K39, L86

Suggested Citation: Suggested Citation

Smedinghoff, Thomas J., Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate (August 21, 2009). Available at SSRN: https://ssrn.com/abstract=1471599 or http://dx.doi.org/10.2139/ssrn.1471599