‘As individuals, we should be interested BOTH in solutions based on “privacy through obscurity” and solutions based on “privacy through accountability” — and technology has a role to play in both approaches.’
I think this is a very important point (although I'll return to the use of the phrase “privacy through obscurity” in a subsequent post).
‘A digital identity system (or metasystem) can facilitate an individual’s technical control over the distribution of sensitive identity attributes (SSN / SIN, national ID number, credit card account, etc.), limiting the number and kind of entities that receive this information – this is privacy through obscurity.
‘Link contracts such as Drummond describes can add a layer of technical and legal accountability for those that are provided the information, by tracking and imposing conditions on how it is used and with whom it is shared — privacy through accountability.
‘One condition that can be imposed by law or contract is not to repurpose the data or share it with third parties without notice and consent, which can further limit the dispersal of information that is particularly useful in correlation attacks.
‘Correlation techniques will still exist, of course, and we’ll never get complete control over all combinations of identifying information that can be collected with little cost or effort. That’s not necessarily bad; correlation technology offers benefits as well as risks. Government agencies use correlation techniques to track down deadbeat dads and potential terrorists; employers and lenders rely on such techniques to avoid hiring fraudsters or extending credit to people who are bad credit risks. Marketers and political parties using correlation techniques are satisfied with probable rather than certain identification, because they just want to pitch their products or candidates at likely prospects, and they don’t pose much of a risk to individuals beyond annoyance.’
I'm not sure I buy the idea that because governments and police – under the guidance of the courts – should be able to do something, anyone else should as well. And I think a potential employer or lender should obtain my consent before sharing the information I supply with others for verification or correlation. (In doing this, the uses made of this information should be controlled and revealed.) Such a regime would be just as effective in preventing the hiring of a fraudster as today's roughshod measures, but would give people a greater degree and sense of control.
‘From an identity management standpoint, we should probably focus on correlation “attacks” – deliberate efforts to piece together personally identifiable information for criminal purposes, such as fraud, money laundering, stalking, or gaining unauthorized access to protected buildings and computer systems. Can a digital identity system make it harder to perpetrate correlation attacks? As a society, for example, perhaps we should make more of an effort to give individuals the option of obscuring data revealing their physical address or current location (because they have an abusive ex-spouse, for example, or they work in an abortion clinic, or somebody has pronounced a fatwa against them). And government agencies and commercial enterprises could make many correlation attacks irrelevant by requiring identifying information that is not so easy to collect as, for instance, an SSN, birthdate, and mother’s maiden name, when issuing an ID or approving a transaction.
‘Both government and business are under pressure today to adopt and rely on “stronger” forms of identification, ID that cannot so easily be obtained or mimicked by fraudulent practices such as correlation attacks, phishing, and social engineering. As Stefan says, stronger ID credentials carry their own security risks, and we should point those out and take them into account in designing digital ID systems. As these stronger forms of official and financial ID are deployed, it will be increasingly important to control how they are used, legally and contractually. Look at all the jurisdictions passing laws on the use of Social Security Numbers today, for example – they will be even more anxious to regulate the use of a super-ID. And individuals will need to know when they are asked for this ID what their technical and contractual options are (if any) for controlling its use and dissemination. Techniques such as link contracts may be very useful in this regard, to provide accountability beyond the areas controlled by regulation.’
I presume Scott is thinking of link contracts as examples of legal mechanisms constraining the use of information (often called use policy).
Scott has posted his presentation to Catalyst as a fully expounded document called Privacy and Information Management.