| TD: IDEF Anonymity

IDEF Anonymity, v1.0

Specifies requirements in accordance with Identity Ecosystem Framework (IDEF) requirement PRIVACY-12: ANONYMITY.

Assessment Steps (3)

1 Appropriate Support for Anonymous and Pseudonymous Transactions (AppropriateSupportforAnonymousandPseudonymousTransactions) Does the entity utilize identity systems and processes that enable transactions to be anonymous, anonymous with validated attributes, or pseudonymous, where those types of transactions are required by law or otherwise feasible? Indicate "Not Applicable" (N/A) if the entity is prohibited from supporting anonymous or pseudonymous transactions, or if supporting such transactions is infeasible for the entity, by law or otherwise. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
2 Risk Mitigation Against Third-Party Collection of Personal Information from Transactions (RiskMitigationAgainstThird-PartyCollectionofPersonalInformationfromTransactions) If the entity employs third-party service providers or intermediaries to execute transactions, does the entity mitigate the risk of those third-parties collecting user personal information from those transactions? Indicate "Not Applicable" (N/A) if the entity does not employ third-party service providers or intermediaries to execute transactions. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
3 Appropriate Limitations on Credential Requests During Transactions (AppropriateLimitationsonCredentialRequestsDuringTransactions) Does the entity request individuals' credentials only when necessary for the transaction, and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction? Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.

Conformance Criteria (1)

Anonymity Wherever feasible, entities MUST utilize identity systems and processes that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, or where appropriate, uniquely identified. Where applicable to such transactions, entities employing service providers or intermediaries MUST mitigate the risk of those third-parties collecting user personal information. Organizations MUST request individuals' credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction. Citation IDEF Page 20

Show Metadata, Sources & Terms

Hide Metadata, Sources & Terms

Metadata

Identifier

https://artifacts.trustmarkinitiative.org/lib/tds/idef-anonymity/1.0/

Publication Date

2018-10-01

Issuing Organization

Trustmark Initiative (https://trustmarkinitiative.org/) View Contact

Trustmark Support

help@trustmarkinitiative.org

555-555-5555

No Mailing Address

Keywords

IDEF, Account, Anonymity, Choice, Identifier, Privacy

Issuance Criteria

not no(AppropriateSupportforAnonymousandPseudonymousTransactions) and not no(RiskMitigationAgainstThird-PartyCollectionofPersonalInformationfromTransactions) and yes(AppropriateLimitationsonCredentialRequestsDuringTransactions)

Target Recipient

Entities that want to participate in the Identity Ecosystem and demonstrate satisfaction of baseline identity service requirements and best practices such as those defined by the Identity Ecosystem Framework (IDEF) 1.0.

Legal Notice

This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Sources (1)

IDEF	Identity Ecosystem Steering Group. Identity Ecosystem Framework (IDEF) Baseline Functional Requirements v1.0 with Supplemental Guidance. Approved on 15 Oct 2015. https://www.idesg.org/portals/0/documents/core/IDEF-Baseline-Requirement-v1.0-with-Supplemental-Guidance_MOD.pdf.

Terms (8)

Term Name	Abbreviations	Definition
Anonymous		An interaction designed such that the data collected is not sufficient to infer the identity of the user involved nor is such data sufficient to permit an entity to associate multiple interactions with a user or to determine patterns of behavior with a user.
Entity		Any organization providing identity services.
Identifier		A number or other non-attribute designation designed to specify an individual or set of individuals in a system.
Identity Ecosystem Framework	IDEF	The overarching set of policies, best practices and standards that serve as the policy foundation for the Identity Ecosystem.
Identity Ecosystem Steering Group	IDESG	A voluntary, public-private partnership dedicated to developing an Identity Ecosystem Framework (IDEF) and services to better online digital identity. The IDESG looks to advance the Identity Ecosystem called for in the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Personal Information		Broadly means any information about or linked to a user that is collected, used, transmitted, or stored in or by digital identity management functions.
Pseudonymous		An interaction designed such that the data collected is not sufficient to allow the entity to infer the user involved but which does permit an entity to associate multiple interactions with the user's claimed identity.
User		In usability statements, refers to an individual human being. This does not include machines, algorithms, or other non-human agents or actors. Equivalents and related terms may include: user- centric, user-centered, human-centered, end user, individual user, user-friendly. In security statements, may refer either to an individual natural person, or to an entity such as a company or agency: Various security requirements may confer opportunities, rights or remedies on a party or account which is served by a cybersecurity function, whether that account relates to a single human or to an organization.

Also available as XML or JSON