06/24/2013 -

A key issue at the heart of all transactions is the ability to know that a person on the other end of that transaction is who they claim to be. That's also key to security, for example, at checkpoints. A project called the Identity Proofing and Verification (IDPV) Standard Development Project, which is spearheaded by theNorth American Security Projects Organization (NASPO), is aimed at one aspect of that problem. And it was one focus of a conference held Friday by the ABA Home Security Law Institute.

According to an NASPO director's report, "The scope of this standard is to establish the minimum security requirements for security documents. These physical documents serve as evidence or proof of validity including, but not exclusive to: financial, identity, property title, conveyance of ownership, logistical transfers, authentication, chain of custody, certification of origin. Based upon risk analysis, these requirements shall establish the minimum security measures utilized for a class or type of security document."

Ted Sobel, the director of the DHS’s Office of State-Issued ID Support, and Washington, D.C. lawyers Matthew Hellman and Scott Boylan weighed in on the IDPV Standard Development Project. Sobel is a member of the group working on the IDPV standard.

The program will make it easier for organizations in both the public and private sectors to thoroughly verify an individual’s identity, Sobel said.

The program will provide a more comprehensive identification verification process, allowing organizations to confidently rely on third-party documents, such as a driver’s license, Sobel said.

“Having to rely on steps taken by other people to reveal a person’s identity has always been a critical part of how we do business,” Sobel said. “You have the government, academics and the private sector all involved.”

Sobel said the program establishes a four-step process for identifying an individual. First, an organization should select an identity assurance level – how much confidence is needed in the identity.

“At a very low level could be an identity used in an Internet chat room, where a false identity doesn’t have large consequences,” Sobel said. “The high end might be access to a nuclear power plant.”

An organization shouldn’t always choose the highest assurance level because it involves more time, money, and work – and risk of privacy invasion – to confirm someone’s identity, Sobel said.

The next step is recording the individual’s core information– his or her full name, birth date, and address. After that, the organization must verify the individual’s claims by collecting evidence that supports the information in the form of a government-issued ID, photos, or Social Security card, depending on the level of assurance the organization needs.

The last step is determining whether the individual’s records and evidence corroborate his or her claims, Sobel said.

“What we’re doing is determining how much confidence you have in that identity,” Sobel said. “Then you’d have a credential that would link these pieces together and combine all this information about the actual person. Then an organization can register an identity and do it in a way that is transparent so that another organization can use that information. It prevents a situation where every organization has to do the full range of activities and allows them to build off of a trusted framework.”

The IDPV has a list of what documents and information should be collected on an individual depending on the level of identity assurance. The higher the level, the more information is collected – which toes a fine line between confidence in a person’s identity and invasion of that person’s privacy, Sobel said.

Developers of IDPV have made sure that the program complies with Fair Information Practice Principles to make sure Fourth Amendment rights are not violated, Sobel said. For example, organizations must consider the sensitivity of identifying information and whether collecting it is absolutely necessary.

Hellman, a partner with Jenner & Block, said recent Supreme Court decisions that address personal identity and privacy have raised more questions about exactly what defines an individual’s identity, and where the line between identification and privacy violation lies. He cited Maryland v. King, where, in a 5-4 vote, the justices ruled that taking the DNA of an arrestee is the same as taking his or her fingerprints or photographs and does not violate the Fourth Amendment.

The decision was hotly contested and Supreme Court Justice Antonin Scalia issued “a strong dissent” calling the decision hogwash and a violation of the Fourth Amendment, Hellman said.

“It’s a legislative problem,” Hellman said. “We need to rethink how we understand privacy. It needs to be questioned now that so much information is unavoidably available. This is Washington, and the [Supreme] Court would like Congress to deal with this seriously. We have to start setting some lines that can be enforced by courts.” 

Photo from Flickr byliquene