Friday, August 22, 2008

Principles of Identity

A few days ago, Microsoft's Kim Cameron re-issued his "Laws of Identity" in a "short version" that is easier to understand. Others, including Clayton Donley, and Dave Kearns have also commented.

Here is my look at Kim's laws. You'll find my own thoughts about identity principles in bold italics below.
People using computers should be in control of giving out information about themselves, just as they are in the physical world.
This is a really great principle. But in thinking about this, it is important to remember that there are multiple scenarios. In the real physical world we aren't always in direct control about information about our identities. There are valid reasons this happens. E.g. a courier receives a shipment order from a vendor to ship goods we ordered.

This issue is, did we have the ability to provide our consent. I would re-write the expression as:

People should be able to control or consent to the sharing of information about themselves.

Notice I didn't frame this as in the electronic world vs. physical world. I am also including situations where we are not directly involved in an exchange (such as between a merchant and courier).
The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necesary.
Ok. This is good stuff. But there is a lot going on here that may lead towards information systems challenges in the future. Let me give you an example. A "birthdate" is a pretty fundamental or "raw" piece of information. Because of this, we should restrict its use. Instead of using birthdate, let's use "predicates" that ask questions about individuals. One example might be, "Is Over 18?". The predicate eliminates the need for a raw birthdate, but it now implies more liability on the particular assertion.

There may also be different reasons for creating a predicate that imply different meanings. For example, is this person an "Adult?". In this case, we have the problem of defining how the question is answered. Is it the Identity Provider that dictates whether someone is an adult? Or do the relying parties define what they mean by "Adult"? Or, does it depend on the jurisdiction of the person involved?

Clearly there is a growing mapping problem that will be exposed as we move to minimized information and away from relatively simple raw data.

Without declaration by all parties, we will continue to have mapping and interpretation problems going forwards. I would therefore contend:

Parties exchanging information must be able to agree on definitions or be able to map between definitions of identity information exchanged.
It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.
This is of course a great principle. But the worst thing from a privacy perspective that I can think of is when organizations link information without the use of quality identifiers that uniquely identify us. How many people have been caught up in DHS security screenings simply because their name matches a "person of interest" or worse is only similar to someone else's name? The bigger problem by far is bad matching.

However, this is in general a very good principle. But when things are done with our consent (see above), then I wonder if this requirement disappears as an issue. What we want to do is minimize undue propagation of identifiers. I prefer Kim's original text which talks about directionality. It speaks more to the propagation issue.

So I believe the issue is not necessarily the use of identifiers. The privacy issue is inappropriate linking of identities.
We need choice in terms of who provides our identity information in different contexts.
Now I know where Kim was coming from when he wrote this. This was all about why services like MS Passport will not succeed. He was right. But the problem I have with this "law" is that it is unbalanced. Not only should users get a choice, but relying parties also get to choose from whom they will accept information. They have to be able to choose authoritative sources of information. These sources can choose to accept information directly from individuals (self-asserted), or they may choose to select third-parties they trust. An example of this is how stores choose different credit card and debit card providers. Not all store accept all cards. The online world won't different from the real world.

Relying parties need to able choose which assurance levels (quality) of information from particular authoritative sources are acceptable. This should be done in mind of the user's right to choose a provider and correspondingly, the identity provider's right to control the release of information given the user's consent preferences and their own business and liability concerns.
The system must be built so we can understand how it works, make rational decisions and protect ourselves.
I'm not so sure. I don't think people want to know how systems work. But I do agree with the principle. People should be able to make rational and informed decisions about the use of personal information whether directly or indirectly through consent preferences.
Devices through which we employ identity should offer people the same kinds of identity controls - just as car makers offer similar controls so we can all drive safely.
Consistency of experience is very important. There is a limit to what people can or want to learn. But I don't like the implication that Microsoft sales representatives make that MS has solved the problem with Cardspace. There are many more modes of communication and interaction that have yet to be covered. What happens on cell-phones. What happens when we are "offline"?

Many of these issues are already being worked on over at Come on over and check out the IGF Project. This is where we're building an API for application developers to access identity information using a broader set of principles.

No comments:

Post a Comment