When I presented the Laws of Identity at the DIDW conference, someone asked how we would “enforce the laws”. I tried to explain that the laws are not what Bob Blakley calls “desiderata” – things that we would like to see. They are the objective characteristics of an enduring identity system at Internet scale.
Timothy Grayson of Recursive Progress has written very eloquently about how CardSystems has served as his teacher in this regard:
A while back, I took aim at The Laws of Identity with a critique that missed the mark, I'm sure, because I opted (well, truly, I had no choice) not to evaluate it with through the lens of a technologist. One of my comments in regard to Law 2: Minimal Disclosure for a Constrained Use was:
I think that minimal disclosure for a constrained use is essential for privacy and user control, which, presumably, is what drives Law no. 2. The statement, “There is no longer the possibility of collecting and keeping information ‘just in case’ . . .” [emphasis mine] is, however desirable and logical an outcome of a need-to-know minimal distribution of information, not part of technical mechanics. It is, as everyone doubtlessly knows, a matter of policy and practice. Somewhere I read not all that long ago that two of the non-obvious forces that are driving the creation of massive directories and databases — about people — are that (a) thanks to computing capability it's easy to accumulate rich records over time and (b) thanks to cheap storage there's no disincentive to keep accumulating information. These together with the underlying belief that “information is power” and all the other marketing and security-driven forces for creation of directories may be a little bit more than the principle of minimal disclosure can overcome, methinks.
Today, MSNBC (among others) is carrying a story about data mishandling by a credit card processing firm in Atlanta (Processing firm: Credit card data mishandled – Consumer Security). This situation speaks to digital identity generally, and at least from one angle to Law 2. Here's the money quote to support my earlier statement:
He [John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., which was hacked] said the data was being stored for “research purposes” to determine why some transactions had registered as unauthorized or uncompleted. “We should not have been doing that,” Perry said in Monday's editions of The New York Times.
Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.
“CardSystems provides services and is supposed to pass that information on to the banks and not keep it,” Joshua Peirez, a MasterCard official, told the Times. “They were keeping it.”
Oops. Broken law. Technology — architecture or otherwise — may or may not have been able to avoid it.