1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. ekyc-ida
  4. Issues

Embedded liability implications in the framework?

Issue #1188 resolved
Stephane Mouy created an issue

I am a bit concerned that the framework has embedded liability implications for OPs – meaning that OPs are viewed or understood to ‘guarantee’ the trustworthiness of claims and therefore triggering recourse in the event that, for any reason, they happen not to be true. This may possibly be a desirable outcome in some situations, but I believe not for the overwhelming majority of use cases.  

To take an example, I suspect very few financial institutions will readily agree to ‘commit’ to any statement regarding the level of assurance of any data communicated – why should they if potential liability is attached to this?

The main reason for my concern is threefold:

  • One is that the terminology used leads to that conclusion: for example, Ops ‘attest’ to certain factual elements (‘attest’ means ‘to affirm to be true or genuine’) towards ‘Relying parties’, so that these can ‘rely’ on those elements. Claims are ‘verified’ but since the only known party involved is the OP, the logical conclusion must be that they are so verified by the OP.

  • In addition, the contemplated choice of trust frameworks only offers limited, if any, relief in this respect. For example, stating that a claim is verified pursuant to say German (or for that matter any other national) AML regulations is of extremely limited assistance to the OP vis a vis the RP in the (very unfortunate) event where the claims happens to be untrue – how in practice is this going to help the OP get off the hook?;

  • Last but not least, as I understand it, there is no separate contractual arrangement between the OP and the RP that could include tailored liability provisions. I am not suggesting you should have these in place – this would hugely complicate deployment processes – but it means that in the event of litigation, all that could be looked at the OpenID Connect specifications we are now discussing.

I completely agree that the framework should be neutral when it comes to liability implications. At the same time, if one is talking about ‘Verified Claims’ about natural persons ‘in compliance with certain laws’, one should acknowledge that liability implications are bound to be considered – this is inherent to the purpose of a framework where relying parties can ‘rely’ on crucial datasets provided by other parties - especially when RPs are insisting on LoAs higher than Low or data more robust than self-declaratory information. In short, it is unrealistic, even delusional, to view this as a non-issue. There is no escape from it.  

Maybe the way forward could be to offer a menu of liability options, ranging from ‘full recourse to the OP’ (not popular with OPs) to ‘transmitted AS IS’ (meaning no recourse whatsoever to the OP, but not great for RPs) and ‘subject to separate liability agreement’ (better but very cumbersome to put in place).

Another possibility would be to consider a specific ‘mid-range’ situation, such as for example a Substantial LoA eIDAS Eid, where the dataset is viewed as robust but certainly not fool-proof, therefore leaving scope for false negatives. (Incidentally, this is the threshold identity proofing level for AML regulations in many countries, including France). We could then consider what is expected – and not expected – from the OP for those, and model the RP recourse accordingly.

Your views on this would be appreciated.

Comments (9)

  3. Stephane Mouy reporter

    Thanks for pointing out the Edwards Wildman white paper on identity systems liability, which I was not aware of. However, if anything, the paper confirms the liability implications primarily arising from general tort law principles that are applicable in the absence of specific contractual arrangements or identity-specific regulations.

    I still fail to see how OPs expected to assert identity & KYC claims that are meant to be relied upon by third parties would not be concerned about liability implications and extremely reluctant to incur a potentially open-ended liability in respect of these. The problem is compounded by the fact that, as per tort law principles, the governing law is the law where the damage occurs, in practice the various laws of the RPs, not the law of the OP.

    The concern was identified by the eIDAS regulation that contains specific liability provisions and insurance requirements for Trust services, but are unfortunately not applicable here (unless possibly if OPs happen to be trust services providers). As stated by the EW paper, the neatest way to deal with this would be to insert contractual liability provisions but this creates significant implementation problems.

    I appreciate the temptation is to say : ‘’this is just a set of technical specs and participants are advised to consider their legal position before using it” but questions will no doubt be asked about this and I fear the message will be understood as ‘there is a legal issue but we do not know how to solve it’…

  5. Torsten Lodderstedt

    I just proof read -10 before publication and would suggest the following changes to soften the language:

    • “This extension is intended to be used to verify the identity of a natural person in compliance with a certain law.“ - compliance with a certain law is just an example, other examples are fraud prevention or risk management. I suggest to add a list of examples, which includes legal/regulatory obligations.
    • We could replace “attest” with “assert” throughout the spec.

    What do you think?

  10. Log in to comment
Assignee
Type
enhancement
Priority
major
Status
resolved
Component
Assurance
Milestone
Votes
0
Watchers
5
Jira Software: the preferred issue tracker for Bitbucket. Join the team!