Seems like an amazing 10,000 people have now looked at Scoble's Channel 9 Interview with me on Identity. I say amazing because we at identityblog.com pride ourselves on being, after all, the hair on the end of the long long tail…
In comments to this piece about the interview, Alex Krupp really came down hard on Greg Hughes' assertion that he is trying “…to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.” He says,
This is the exact reason why bank security is so bad, because instead of focusing on securing the transaction they are focusing on securing the person who makes the transaction, which is impossible.
All you need to know is that the person who put the money in is taking it out for savings, and their name/company for checking. If they are worried about personal information being stolen then the battle is already lost, because they shouldn't need personal information to begin with.
It's true that once everyone has nice strong keys associated with their accounts, a lot of things get a lot easier. And I look to InfoCards as a way to finally get “nice strong keys” into the hands of customers.
But I don't think this makes the problem of protection of personal information go away. Bank databases contain vast amounts of sensitive personal information already. In fact I look at all of my banking data as sensitive personal data. As the banks make services more accessible through the Internet, I think it is both commendable and necessary for people like Greg to think very hard about how to protect the associated personal information – and isolate the people who are going after it.
Anyway, later, Alex comes back to add:
I watched the entire video, very interesting stuff. I will have to check out Solove's book.
I think your example of going into Starbucks and having the option to broadcast pieces of identity is very good. Personally though, I think the cellphone is a poor medium for this. Cell batteries drain fast because of their phone use, it is large and bulky, and it is very insecure because it has to be able to take calls, install games and ringtones, browse the web, use Bluetooth, etc. If you put your identity on a normal cellphone it would be a suboptimal experience, especially if hacked.
Instead imagine this: a ‘presence pen’ that gives you a digital identity in the physical world. It has the form factor of a pen and can broadcast selected bits of identity to whomever you tell it to. You set these options on your computer before you leave your house. It can fit in a shirt pocket, and the battery lasts for 2+ weeks since it only needs to use Bluetooth. You can't message friends on it, but you can toggle through preset away messages and send presence pokes to your friends. Sell it for 50 bucks, and for an extra 25 you can get built-in GPS. A one-line LCD displays all necessary data and you can toggle everything through two or three buttons.
Just an idea I've been working on.
In another comment, Tom Gordon says,
I had a quiet giggle at Robert's [Scoble's…] totally irony-free comment, ‘I want to be able to store my personal details on Windows where I know it's secure’
Overall I enjoyed the interview (and yes, I did watch all of it).
I had some thoughts about transience of identity information as well – it's all well and good if we have strong personal identity providers, but what if we want to move? Does the old provider retain data (on backup tapes, in archives, by legislative requirement) or should we be claiming the right not only to strong personal identity, but strong control over who is allowed to store, record and *keep* our personal data?
Personally I'd be eminently happy if my own personal identity provider's systems crashed and they couldn't restore my information – it means I still have control over what is stored about me…
The same goes for being able to choose my own personal identity provider, and I'd like to be able to share a secret with organisations where we both trust that a particular provider knows who I am, so I can authenticate myself with my chosen identity provider, and the company I'm dealing with takes it on trust that I am who I am, because my identity provider asserts I am who I am, rather than me doing it directly.
Which lets me do business without giving over any personal information at all. I posted these thoughts in slightly expanded form here.
I'm sitting on the edge of my seat, waiting to see the cool things people are going to build into InfoCards.