We are all familiar with external (and sometimes also internal) websites which require us to pick or define security questions and to provide answers to them. What is your mother's maiden name? Which is your favourite sports team? Which colour do you like most? And so on... These questions are sometimes used as an additional means of authentication, for example by PayPal. More frequently they are used for password resets.
These days, while working with my colleagues Sachar Paulus and Sebastian Rohr on a comprehensive piece on strong authentication which will be published soon, we discussed the privacy aspects of all these (more or less strong) authentication approaches - and struggled... The answers to all the typical questions are privacy-relevant data. They reveal important knowledge about the user, and the more questions there are, the more knowledge is revealed. You could argue that this information isn't that sensitive - but first of all, it is personal data, and second, how sensitive it is depends on the questions.
But have you ever seen a privacy-related disclaimer, a button to accept the organization's privacy policy, or anything similar next to these questions? I can't remember ever seeing one. That leads to the assumption that probably few people have ever thought about the privacy aspect of these questions - which means that the relevant compliance regulations have simply been ignored.
From our perspective, organizations should check where they use such questions and whether that use is in sync with the compliance regulations they have to meet. Otherwise such a simple mechanism might become a real issue from a legal perspective.
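One concrete mitigation that follows from the point above is to stop storing the answers themselves: if a service keeps only a salted, iterated hash of each normalised answer, the personal data the post is worried about never sits in the database in clear text. The following is an added example (not code from the original post or from any product the authors describe); the normalisation rules, the PBKDF2 parameters and the record layout are assumptions chosen for illustration. It does not remove the compliance question of asking such questions in the first place, and it does not change the fact that many typical answers are low-entropy, but it does reduce what an organization holds.

```python
import hashlib
import hmac
import os
import unicodedata

# Parameters assumed for this example; tune them to your own policy.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so harmless variations still verify.

    Unicode NFKC, case-fold, collapse internal whitespace. Keep this
    deliberately minimal: every extra rule also reduces the entropy of
    an answer that is usually low-entropy to begin with.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def protect_answer(answer: str) -> dict:
    """Return a record to store instead of the answer itself.

    The plaintext answer (personal data) never reaches storage; only a
    per-record random salt and a PBKDF2-HMAC-SHA256 digest do.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    return {
        "alg": "pbkdf2-sha256",
        "iter": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_answer(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate answer against a stored record."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        salt,
        record["iter"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample enrolment: the stored record contains no
    # recoverable answer, only salt and digest.
    rec = protect_answer("  Müller ")
    print(rec)
    print(verify_answer(rec, "müller"))   # normalisation tolerates case/whitespace
    print(verify_answer(rec, "Mueller"))  # a different spelling does not verify
```

The record stores the algorithm and iteration count alongside the digest so parameters can be raised later without invalidating existing enrolments; the comparison uses `hmac.compare_digest` so verification time does not leak how many bytes of the digest matched.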
The website for the European Identity Conference 2011, to be held May 2011 in Munich, is online now.