Criteria for Evaluating the Privacy Protection Level of Identity Management Services

Identity management is the one of Web services that manages the digital identity and the personally identifiable information of the user who subscribed for various Web services in Internet. It was developed to provide user with an easy way to use and manage various user´s digital identities that were provided from each Web service. If the user subscribes to an identity management service, the user can access the other Web sites affiliated with the identity management service and use their Web services by using the identity issued by the identity management service. And the user can manage the user´s personally identifiable information distributed among various Web sites in an integrated way through this service. However, if the identity provider, which provides this identity management service, discloses the user´s identity and personal identifiable information, identity theft can happen throughout the entire affiliated web sites. As a result, the privacy protection level of the identity provider, that is, the level of protection for personally identifiable information, is the critical factor of successful identity management service. Therefore, identity provider should provide an easy way to the internal or external auditor of them for assessing the privacy protection level. This paper describes privacy threats for each identity life cycle, such as identity provision, propagation, use and maintain, and destruction, and proposes the criteria that evaluate the privacy protection level provided by the identity provider as a countermeasure against these threats. The internal or external auditor can use the criteria described in this paper, as a way of assessing the privacy protection level of identity provider.