Responses to the first law…

Eric Norlin of Ping has responded to my First Law of Identity with “My running commentary on Kim's exposition“. As he says,

Kim's posting about the “laws of identity” — using a scenario i sent him to tease them out. So, in true redactive fashion, I thought it only right for me to post a running commentary on his laws (since I provided the original text ;-).

Other interesting people have contributed comments as well. So although I've only made it through to the first law, I can already see that doing this kind of thing using Weblogs is going to be really different than banging out an article in “the private space” of my office. And I think this is “way cool”…

Here is the First Law of Identity I put forward…

The “Owner Decides” Law of identity

Technical identity systems MUST only reveal information identifying a user with the user's consent.

On the content of the first law, Eric “absolutely agrees — kinda”:

An employer (like Kim's) maintains data about the user that they use to log the user onto various corporate applications that they run (i'd bet that kim did this today) — in that case, the employee has given implicit consent by collecting a paycheck and the employer is NOT encumbered with giving the user consent privileges. Bottom line: getting paid is consent.

But whoa there Eric… you go too fast, man.

Is it my employer who “logs me in” to various corporate applications? Not really. Instead, it is me who logs myself in to my employer's corporate network.

I also chose to give my employer my name, my address, my social security number and my educational background. In other words, there are a whole series of explicit actions here.

Every day, I choose to use my corporate identity through the admittedly incantational act of pressing control-alt-delete and entering a password. This is explicit consent, not implicit. The consent is in the logging in and the filling out of forms – not the getting paid.

I see more and more attention to explicit consent by my employer (which is Microsoft, for those just tuning in). Recently, when I registered for a new service offered through the corporate portal, I was asked to explicitly approve the collection of tracking information necessary to monitor and improve the level of service I received. So even though I had already logged in to its network, Microsoft explicitly asked me for further approval to collect additional information. I assume this was done because, as Eric would put it, my paycheck does not represent implicit consent for Microsoft to do whatever it wants with regard to my identity information.

I've actually had personal experience with the incorrect version of the first law that Eric has proposed. Back in the mid 1990’s, during my ZOOMIT days, we put a web “protocol head” on our VIA metadirectory. This created a personal web page for each user. Like many other technology companies, we believed in “eating our own dog food”, so we had a VIA microdirectory of our employees. Since I was a naturally public person, I thought (or perhaps “didn't think” is a better way of putting it) that everyone would just love to have a web page, and asked one of our writers to interview all our employees so we could set up an initial page for everyone. The idea was that they could then alter things as they saw fit, and we would be off to the races. In addition, we asked everyone for a photograph.

Talk about surprises… Within hours, a number of people let me know in a fairly assertive way that as much as they loved me, not to mention ZOOMIT and their paycheck, this was really going too far (especially the photo bit). And of course it was! So you can see I have a true nerd pedigree on this matter. And I've come a long way, baby! I haven't forgotten the lesson. It doesn't cost anybody anything to ask employees if they want their information to cross organizational boundaries – and be explicit about it – at least once.

In general I can't agree with Eric's contention that the first law of identity applies, as a fundamental principle, only to “consumer-facing scenarios”. I'm more accepting of what he says about control versus ownership:

Properly speaking, identity info is about control. The end user should be given *control* over their information — because there is a ton of identity information about me that I simply cannot, in any practical sense, *own*.

I was thinking of “owning” in the sense of “possessing” – in orther words, in the philosophical sense (I guess I'm allowed to say that, since Eric can say “redactive”). The trouble with the word “owning” is that it tends to be associated with our current economic superstructure. I don't mean that we *own* our identities in the same way we *own* a house in the suburbs… However we do possess an identity. But it's really hard to talk about a “possessor” without sounding like a David Cronenberg movie…

Anyway, I can go with the “Law of Control”. So let's call it that. I hope Eric will drop support for his proposed amendment. I think that as soon as we put in place an infrastructure embodying the Law of Control, it will trump inferior ad hoc practices which arose historically in corporate environments. And I think this forshadows the emerging approaches to compliance that are arising here and around the world.

Published by

Kim Cameron

Work on identity.