Tal Zarsky (University of Haifa - Faculty of Law) & Norberto Nuno Gomes de Andrade (European University Institute - Law Department; UC Berkeley Law School, Berkeley Center for Law & Technology) have posted Regulating Electronic Identity Intermediaries: The 'Soft eID' Conundrum (Ohio State Law Journal, Vol. 74, No. 6, 2013) on SSRN. Here is the abstract:
Online intermediation platforms, such as Facebook and Amazon, are traditionally defined by their roles in enabling the publication, sharing and distribution of information, as well as the purchase of products and services. Nonetheless, these platforms have assumed an additional role, which has yet to be fully discussed and acknowledged: the role of identity intermediation. This new function can be defined as the process of creating, authenticating, verifying and guiding stable identities used for interacting in the digital realm. This Article explains and demonstrates this role, along with the disputes and tensions it generates. It further discusses a set of specific legal rules, duties and responsibilities for regulating identity intermediaries.
After a brief introduction (Part I), The Article (in Part II) provides the background and terminology for understanding the role of identity intermediaries in the digital age. It notes the recent rise of “soft eID” intermediaries. These are defined as entities which provide for identity intermediation, yet do so incidentally, remotely and in a lightly regulated environment. Part III moves to further address soft eID intermediation, distinguishing between intermediations which rely upon the use of “Real Names” and “Stable Pseudonyms” — each category employing a different set of technologies and verification methods, and generating unique benefits and concerns.
Part IV explores the benefits and risks associated with soft eIDs. Identity intermediation secures economic benefits, protects personality and identity interests, enhances autonomy and promotes free speech. Yet it also raises security and privacy concerns, as soft eIDs might be hacked, used for impersonation or identity misrepresentation. In addition, identity intermediaries may also abuse their power by terminating accounts or limiting their interoperability and mobility.
Seeking the proper legal regime, Part V briefly examines related regulatory frameworks for identity intermediation, namely the EU Electronic Signature (eSig) Directive and its future developments under the current revision process, and the US National Strategy for Trusted Identities in Cyberspace (NSTIC). On the basis of this analysis, Part VI provides recommendations for legal responses, examining a variety of policy moves specific to soft eID intermediaries, such as requiring mandatory approval, setting up a voluntary accreditation system and assigning tort liability. After generally discarding the first two options, the Article closely examines whether and how tort liability should normatively be assigned to these identity intermediaries. Finally, this Part examines the role law should take in curbing the intermediaries’ excessive ability to impede on the individual’s identity interests.