2016-01-29

Timothy Reiniger is an attorney specializing in information risk governance and privacy and an author of Virginia’s digital identity law that went into effect last year. He is the Director of the Digital Services Group at Richmond-based law firm FutureLaw, LLC as well as the Special Advisor on Digital Identity for the Commonwealth of Virginia.

Prior to his time at FutureLaw, Reiniger was the Executive Director of the National Notary Association, where he contributed a chapter on electronic notarization in George L. Paul’s Foundations of Digital Evidence (ABA, 2008). He has testified before the U.S. House Judiciary Committee, the California House and Senate Judiciary Committees, the Florida Senate Judiciary Committee, and the Hague Conference on Private International Law.

We sat down with Reiniger to ask him about his interest in digital identity and where the industry is headed.

What led you to be so passionate about digital identity?

As Executive Director of the National Notary Association from 2003 to 2009, I was exposed to the challenge of adapting the law of signatures and notarial identification practices to the online network-based economy. This Association vantage point forced me to develop expertise in the legal and policy issues surrounding digital identity, including cross-border and cross-sector interoperability, information assurance requirements, and privacy implications. Digital identity is a global issue and a great challenge both for commerce and the delivery of e-government services.

Like notarial services, commercially provided digital identity services are a new area operating in a very old business law environment. Identity trust framework operators, identity providers, and attribute providers all represent third—and even further removed—parties to a transaction while playing a pivotal role in the transaction’s enablement. Yet, there has been a lack of coordination of technology, policy and law, resulting in a type of digital identity credential market failure. It is very exciting to be at the formative stage of laws and policies that will help foster a vibrant marketplace for private sector identity credential providers and identity trust framework operators.



What is wrong, legally, with the digital identity ecosystem today and how are you working to change that?

Since its inception in 2009, I have been actively working with the American Bar Association’s Federated Identity Management Legal Issues Task Force in examining the legal challenges to the development of a digital identity marketplace. Being the Chair of the identity proofing sub-committee, I became very familiar with the emerging best practices and possible legislative approaches. In the process, I learned of the groundbreaking programs being developed by ID.me, especially in addressing the identity portability and relying party acceptance challenges. These concepts go right to the heart of the legal barriers to federated identity management first recognized by the ABA Task Force and subsequently policy-makers in D.C. and the E.U.

We now know the major legal barriers to the advancement of a digital identity ecosystem are two-fold:

The complete absence of a legal framework, including basic statutory definitions of roles and responsibilities, and

Uncertainty around the allocation of liability amongst the participants.

Because of unpredictable liability, risks associated with the commercial digital identity credential are currently treated as uninsurable.

Last year, working with CertiPath and a consortium of identity providers, including ID.me, I had the pleasure of helping author and achieve passage of the Virginia digital identity law – the first of its kind in U.S. history.



The Virginia safe harbor law seeks to address these aforementioned legal barriers by creating a common legal foundation for the identity industry along the same lines as those found in the credit card and shipping industries. It is not designed to remove liability from identity providers, but to make liability predictable and manageable through codification in policy and procedural documentation, which will be made public by the trust framework provider in which the identity provider participates.

For the first time in an identity system in the United States, the Virginia law provides for tort and warranty liability that will enable relying parties and consumers to recover for economic losses. This law addresses the fear of identity providers and identity trust framework operators that relying party liability currently is so potentially unbounded and burdensome as to make online authentication services unduly risky to identity providers and, as a result, prohibitively expensive to consumers.

How will making trusted credentials more portable help the private sector?

In the discussions in the Virginia legislature, one of the top questions was, “How will this benefit citizens and the business community?” Citizen-controlled identity based on a marketplace of strong, affordable, easy-to-use, and privacy-enhancing digital credentials will provide an essential foundation for fighting cybercriminals and identity thieves.

In 2009, the President’s Cyberspace Policy Review determined that trusted digital identities are necessary to improve cybersecurity. We know that trusted digital identities minimally require secure credentials and strong two-factor authentication. But the average person currently does not have easy and affordable access to such secure credentials. A digital identity credential provider market needs to be brought into existence.

In addition to traditional governmental identity providers, such as the DMV, the availability of insurable digital credentials opens the possibility of choosing trusted identity credentials from banks, social media, and, even faith-based institutions. And this marketplace will need identity credential and credential broker services, such as those provided by ID.me.

On the business side, there is virtually no company today that can ignore the potential for a major data breach. All companies that rely merely on user names and passwords for customer identification and authentication are very susceptible. But it is very costly to operate a customer-facing secure identity management system, and most companies are not in the business of identity management. Instead, for businesses, a federated identity management approach would make more sense from a fiscal, operational, and risk management perspective.

A vibrant market of trusted third-party identity providers, framework providers and identity proofers urgently is needed. And I think of ID.me as being involved in several of those roles, whether as an identity credential provider, an attribute provider, and as a broker of trusted identity, all of which are so needed right now to grow the digital identity marketspace. And with the clear definitions of liability limitations established by the new Virginia law, we now have the groundwork for the wide availability of cost-effective and easy-to-use consumer and business options for achieving the security benefits of multi-factor authentication.

What are your thoughts on digital driver’s licenses?

In the physical world, we typically rely on government entities and employers to manage the identity credentialing process. DMVs, passport offices, and human resource departments are the norm. The digital world, though, is serviced almost exclusively through commercial entities, often at the behest of government entities that would see the privatization of the internet upheld.

What is interesting is the U.S. doesn’t have a national ID card in the payments world. There is no national credential, so there was no national strategy articulated around digital identity until the National Strategy for Trusted Identities in Cyberspace was formed in 2011. This strategy is based on the formation of a digital national ID card, but there needs to be a public-private partnership, a source for digital ID credentials.

And the current U.S. federal policy is not to develop a national eID and, instead, rely on the emergence of a vibrant public-private supported marketplace for digital identity credentials and identity attribute providers. At the state level, many are realizing that the most logical agency to serve as a source of authoritative attributes would be the DMVs, because drivers’ licenses have become a de facto identity credential in the physical world.

What is next for you and digital identity in 2016?

I think there could be some major developments both in the U.S. and worldwide very soon. We’re hearing increasing activity in the mobile phone market as operators have been looking at themselves as major players in identity space for a while. We’re hearing buzz about a major announcement this year to do with standards enabling tech interoperability between mobile phones and relying parties and taking advantage of identity providers—it could be a huge advancement for digital identity with a huge impact.

Based in part on the adoption of the Virginia law and new E.U. regulations, the American Bar Association, the World Bank, and the Open Identity Exchange recently convened an identity policy summit in Washington, DC to discuss ways to create a uniform international legal framework for cross-border recognition of digital identity credentials issued by both the private and public sectors. I was pleased to attend and learn of the growing interest in the Virginia safe harbor approach. And, citing the Virginia law, the countries of Austria, Poland, France, Italy and Belgium successfully lobbied the United Nations to initiate a formal study on the development of model identity legislation. In Virginia, we are excited to see immediate global policy ramifications from our digital identity law.

The post Q&A: Director of the Digital Services Group at FutureLaw Tim Reiniger appeared first on Official ID.me Blog.