The red herring of data protection

OK. Just when I thought I was on top of Eric's new posting regimen, he has to publish this – not on ping, this time, but on cnet!

The numbers have been staggering: 145,000; 13.9 million; 40 million.

A picture named eric.jpg

I'm speaking, of course, about the recent rash of data loss–the innocuous term for millions of accounts containing personal data being exposed to the wrong eyes. Whether it's MasterCard, ChoicePoint, LexisNexis, Bank of America, Wachovia, Stanford University or the University of California at Berkeley, the rapid expansion of this problem is stunning.

The reasons for the data loss are all over the map, ranging from physical tapes lost in transit, to hackers, and even malicious insiders. And of course, there is always the ever-present bogey of bad network security practices.

We're told the solution is to embrace better network security, better encryption, better corporate safeguards and better “data protection.” Of course, all of these proffered solutions are a bit specious, since they're always accompanied by the corporate lawyer caveat: “We cannot guarantee that this won't happen again.”

This isn't really a question of data loss, data protection or data safeguarding. That, my friends, is a red herring.

All of this will ultimately result in some bloated piece of federal legislation around data privacy and protection that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?

I don't think so.

This isn't really a question of data loss, data protection or data safeguarding. That, my friends, is a red herring. The real question is why corporations need to store all of this personal data in the first place. Why does my credit card company need to store my social security number? Why does Amazon need to store my credit card number? Why shouldn't every company store only what I tell them they can store? And why shouldn't the data that they store be as little as they possibly need to conduct business?


Possible future directions
Federated identity is an infrastructure that makes security follow the transaction. It does this by making the identity associated with the transaction “portable” across heterogeneous security domains. The identity metasystem is a newer concept, one that bubbled forth from community conversations around Kim Cameron's Web log.

In brief, the identity metasystem is a conceptual backplane that would allow individuals to have control over which attributes or claims are presented and stored about them. This could be anything from a birthday to a credit card number to a favorite color. What we're really talking about is a framework for individual control and presentation of identity data. Taken together, federated identity (the infrastructure) and the identity metasystem (the control and presentation) would give individuals control over their digital identity in ways that have so far eluded them.

When I buy something from Amazon, it asks for, receives and stores my credit card number. In a future of federated identity and the identity metasystem, I would grant permission to seek a one-time use of my credit card. This permission could be presented to my credit card company, which could then charge my account. Amazon would no longer have a need to store (or even see) my credit card number.

This future would be a lot closer to a web of electronic commerce that protected both customers and companies. We would have actually moved toward solving the problems around personal data. In the meantime, however, we'll still hear a lot about data protection, corporate safeguards and legislative initiatives.

biography
Eric Norlin is vice president of corporate marketing at Ping Identity, a company focused on identity management.

Published by

Kim Cameron

Work on identity.