Privacy and Identity – IGF workshop outcomes

From the Internet Governance Forum, via Ralf Bendrath's blog

The workshop on privacy and identity we held together with the LSE information systems group this morning sparked an interesting discussion.

Christian Möller gave some examples of how privacy is not only important in itself, but how it also is a necessary condition for freedom of expression.

Microsoft’ Jerry Fishenden presented their InfoCards concept and the “7 Laws of Identity” as one approach on how to handle user data based on different credentials. While most of the panelists agreed that this is a good basis for a start, and especially welcomed the company's recent efforts to make it more privay-friendly, Jan Schallaböck and Mary Rundle pointed at one major drawback: Once you have sent your personal information to a company – no matter if through InfoCards or another system – you can not control what happens with it afterwards.

Jan, who is with the data protection authority of the German land of Schleswig-Holstein, therefore presented the ideas, concepts and systems developed in the EU-funded Privacy and Identity Management in Europe (PRIME) project as an alternative.

Their model is that user data given to web service providers will have “sticky privacy policy” attached to it in the form of meta-data. This meta-data will move with the personal data and can help ensure that it is only used or tranferred in a way the user has agreed to.

Mary from NetDialogue suggested (having) a similar way as the Creative Commons license: Privacy Policies should be human readable, lawyer readable, and machine readable. The advantages would be that the users can better decide how they “licence” the use of their data to other parties. Mary even presented a very nice series of icons that symbolize different use policies.  This approach might be one way to address the failure or “myth of user empowerment”, as Ives Poullet called it.

Stephanie Perrin, research director at the Office of the Privacy Commissioner of Canada, finished by saying that the privacy community has to become much more involved in international technical standardization processes. As always, time was too short. Therefore, we will discuss a collaborative follow-up process later this evening.

Actually, the “sticky privacy policy” notion can be implemented by identity providers using version 1 of Cardspace – it doesn't limit the token types that can be exchanged.  A new type of token that includes metadata about use policy is a good example of why this flexibility is useful.  I support the idea.

Maybe Jan Schallaböck and Mary Rundle are aware of this, but are talking about the self-issued identity provider used to “bootstrap” Cardspace.  In v1.0, it does not have this kind of metadata built in to it. 

I look forward to collaborating with Mary and Jan to create the kinds of visual and metadata systems now being discussed.  I don't actually see PRIME as being “alternative” in any way to the work I've been doing – we have the same goals.


Feedback from Urs Gasser at Berkman

Here's some feedback on Rubinstein and Daemen's new Metasystem Privacy paper posted by Urs Gasser on his Law and Information blog.  Urs is an expert in cyber law associated with the Berkman Center at Harvard Law School.

Microsoft released a white paper entitled “The Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity.” The excellent paper, authored by Microsoft’s Internet Policy Council Ira Rubinstein and Tom Daemen, senior attorney with Microsoft, and posted on Kim Cameron’s blog, is a must-read for everyone interested in user-centric ID management systems. (Disclosure: As you can take from the acknowledgments, I have commented on a draft version of the paper, based on my earlier observations on “Identity 2.0”-like initiatives.)

Among my main concerns – check here for other problem areas – has been Microsoft’s claim that the i-card model is “by design” in compliance with the unambiguous and informed consent requirement as set forth, for instance, by EU data protection law. I’ve argued that the “hardwired”-argument (obviously a variation on the theme “regulation by code”) might be sound if one focuses on a particular relationship between one user and one identify provider and/or one relying party – as the white paper does. However, at the aggregated level, the i-card model’s complexity – i.e. the network of informational relationships between one user and multiple ID providers and relying parties – increases dramatically. If we were serious about the informed consent requirement, so my argument goes, one would wish that the user could anticipate not only the consequences of consent vis-à-vis one ID provider, but would understand he interplay among all the components of the ID-system. Even in less complex informational environments, experience has shown that the making available of various privacy policies can’t be the answer to this problem – as the white paper seems to acknowledge.

In this regard, I particularly sympathize with the white paper’s footnote 23. It might indeed be a starting point for an answer to what we might call the “transparency challenge” to create “a system enabling web sites to represent privacy policies in a simple, iconic fashion analogous to food labels. This would allow consumers to see at a glance how a site’s practices compared to those of other Web sites using a small number of universally accepted visual icons that were both secure against spoofing and verified by a trusted third party.” (p. 19, FN 23.) Such a system could become particularly effective if the icons – machine-readable analogous to creative commons labels – would be integrated in search results and monitored by “Neighborhood campaigns” similar, for instance, to

Although Microsoft’s paper leaves some important issues unadressed, it seems plain to me that it takes the discussion on identity and privacy protections as code and policy an important step further – in a sensible and practical manner.

I agree with Urs when he talks about where we can go with visual icons representing the practices and policies of sites and identity providers.  Let's do it.

Just to be clear, I see Information Card technology as providing a platform for people to control their digital identity.  As a platform, it leaves people the freedom to put things of their choice onto that platform.

Let's make an analogy with some other technology – say plasma screens.  The technologists can produce a screen with fantastic resolution, but people can still use it to view blurry, distorted signals if they want to.  But once people see the crsytal clarity of high definition, they move away from the inferior uses.  Even so, there still might be artifacts that are important historically that they want to watch in spite of their resolution.

In the same way, people can use the Information Card technology to host identity providers with different characteristics.  It's a platform.  And my belief is that a high fidelity and transparent identity platform will lead to uses that respect our rights.  If this requires help from legislators and the policy community, that's just part of the process.  In other words, I don't think CardSpace is the magic bullet that solves all privacy problems.  But it is an important step forward to have a platform finally allowing them to be solved.

Once you let one party send information to another party, there is no way to prevent it – technically – from sending a correlating identifier.  As a morbid example, terrorists have been known to communicate by depositing and withdrawing money from bank accounts.  The changes in the account are linked to a codebook.  So any given information field can be used to communicate unrelated information.  

What you can do is prevent the platform itself from creating correlation handles or doing things without a user's knowledge.  You can use policy, legal frameworks and market forces so providers and consumers of identity are transparent about what they are doing. You can create technology that can help discover and prove breaches of transparency.  You can facilitate holding third parties to their promises.  And you can put in place social and legal protections of technology users, along the lines of the privacy-embedded laws of identity.

That's why I see the contributions of legal and policy experts as being just as fundamental as the contribution of technologists in solving identity problems.  In in the long term, the social issues may well be more important than the technical ones.  But the success of the technology is what will make it possible for people to understand and discuss those issues.

I advise following some of the thoughtful links to which Urs refers.


Proposed Eighth Law of Identity

Here is a compelling multi-media proposal by the legal department of Ontario's Privacy Commissioner for an Eighth Law of Identity:

Illustration of the eighth law of identity

Download full-size deposition here.

The “technology” version of the law appears on the left, and the policy-oriented version on the right.

Today's Internet is a Gourd's Paradise. It is only through user-centric pumpkin-to-machine authentication that we will be able to leverage the true weight of the gourd.

Today's Internet is a Gourd's Paradise. It is only through user-centric pumpkin-to-machine authentication that we will be able to leverage the true weight of the gourd. The synergistic combination of omnidirectional identifiers and correlation handles on a per-vegetable basis could be the sustainable architecture behind the meta-zucchini infrastructure.

Any metasystem needs to realize that pumpkins may vary in physical appearance, but their basic architecture is the same: stem, seeds and pulp represent the core of our constituent squash identity system.

We hope our commentary will stimulate oral interfacing across the vegosphere and among the “gourderati”.

That all lawyers could be so gainfully employed!