New Liberty Alliance Paper

The Liberty Alliance has published a paper called “Circles of Trust: The Implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation” which is available for download here.

The paper was edited by Stephen Deadman and compiled by a very knowledgeable panel of contributors including Luc Mathan, Christine Varney, Jeff Hodges, Paul Madsen, Joe Alhadeff, Piper Cole, and Stephanie Manning. It goes well beyond the Privacy and Security Best Practices paper released in 2003.

The paper situates the problems of privacy and data protection that arise when customer data is shared within the context of various European legal and normative initiatives (the thinking will be equally instructive to North Americans). At times I had the feeling the report raised almost as many questions as it answers – and that this was likely intentional. The legal complexities of this style of federation are significant, and they must all be considered.

The paper is a clarifying step forward for all of us who are working on federation solutions and deployments, whether they are based on Liberty profiles or other comparable technologies.

Now, perhaps I am just a man with a hammer who sees everything in the world as a nail, but the paper reinforced my thinking that the more our systems are built to guarantee that the user is the conscious agent of information release (rather than having this done on his behalf), the better privacy is served, and the simpler our lives become from a legal and policy point of view.

New primer from Stefan

Stefan Brands has published a Primer on User Identification which can be downloaded here. It is a good introduction to Stefan's thinking and research – very stimulating work.

I know there are people who hear about a metasystem proposal and think, “Can't we just stick with TOKEN-X and have done with it?” And I understand that as a human reaction. But I urge people to look at systems like Stefan's, and the other innovative systems coming from other “identity innovator” colleagues. These systems are being built today. Each of them has characteristics that are ideally suited to various contexts. Let's make sure, as we build an identity infrastructure encompassing a few billion computers, that it will support these innovative ideas.

Brittan School wins Most Invasive Proposal Award

Privacy International just posted the list of winners of the U.S. Big Brother Awards.

Of course there were many potential candidates, but the prize for Most Invasive Proposal or Project went to an initiative I have previously called out as a blockbuster. I'm talking about the “Brittan Elementary School RFID tagging of students” project, which broke a whopping four laws of identity in one go (user control and consent, minimal information, fewest parties, and directional identity). The sfgate.com story is here and my commentary on the project's demise is here. There was apparently stiff competition.

The Privacy International press release reads:

The judges selected Brittan Elementary School for the award. Citing the principal of the school who enjoyed the idea of spying on all students’ whereabouts “because it would streamline the taking of attendance, giving teachers a few minutes more each day to teach and boost accuracy, no small matter given that California school funding is based on how many children attend class each day.” Parents of students reacted negatively and organized campaigns against the scheme. The Big Brother Award will be delivered personally to the principal by concerned parents.

Privacy International also issued a special Lifetime Menace Award to Choicepoint.