Privacy czar pushing for better ID protection

Anne Cavoukian's remarkable speech to the International Association of Privacy Professionals is available here  in MP3 (total time: 23 minutes) .  

It's a ground-breaking speech.  It defines a new intersection between the privacy community and those of us who've been working in the blogosphere to understand and advance identity. 

It represents a substantial widening of the discussion we've been having in these pages. 

Dr. Cavoukian and her team have come up with a version of the Laws of Identity that teases out the privacy implications and articulates them with reference to the privacy discourse that has emerged over the last decade. 

I'll be publishing Anne's version so everyone can ponder the implications.

Here's how the CTV national televison network described Anne's initiative:

Ontario's information and privacy commissioner says she supports a new global online identity system to protect consumers.

Dr. Anne Cavoukian said there are currently few ways for online consumers to tell the good guys from the bad guys.

“The existing identity infrastructure of the Internet is no longer sustainable,” she said. “Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise.”

The solution lies in the global online identity system based on seven “privacy-embedded” laws, she said.

“The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud,” said the release.

As a result, people are subject to new crimes like “phishing,” in which people are fooled into sending key information to what they think is a trustworthy business, but is actually an identity theft criminal.

The seven laws would create an “identity layer” for the Internet that would guard against such acts.

The “laws,” or principles, are:

  1. Personal control and consent
  2. Minimal disclosure for limited use: data minimization
  3. Justifiable parties: “need to know” access
  4. Directed identity: Protection and accountability
  5. Pluralism of operators and technologies: minimize surveillance
  6. The human face: Understanding is key
  7. Consistent experience across contexts: Enhanced user empowerment and control

The benefit of law 1 would be that an Internet user would store their identity credentials rather than in a centralized online database.

Law 2 would help by minimizing the amount of information given out for a given transaction — and that only the right information be given.

“In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one's age?” Cavoukian said.

These laws grew out of a global, blog-based dialogue amongst security and privacy experts, she said.

With the next generation of Web-based services (“Web 2.0”) emerging, more identity credentials and more trust will be required to make it work, she said.

Microsoft — proprietor of the Windows operating system, the fundamental software that allows a computer to run — is obviously a major player in personal computing security.

Cavoukian said Microsoft's next-generation operating system, called Vista, has some features that will help protect identity.

Vista, which is set for release in January, will introduce a technology called Cardspace. The system will use “infocards,” which will allow websites to verify a customer's identity without receiving or keeping personal or financial information.

Banks could function as middlemen in online purchases, sending payment confirmation to a retailer without sending the person's credit card number.

There would also be different infocards for different applications, much as people have different cards in real life for different purposes.

At a news conference on Wednesday, Kim Cameron, Microsoft's chief identity architect, said Cardspace is a start. He also said it can't just be a Microsoft thing.

“It has to work across Microsoft, Linux, Apple, every possible permutation and combination. It has to work on computers, it has to work on cellphones so it's really a very all embracing thing.”

Some companies have agreed to start accepting infocards, but Cameron wouldn't name the firms.

Both Cameron and Peter Cullen, Microsoft's chief privacy strategist, said another advantage of this coming system is it will allow users to avoid “password fatigue.”

Currently, people need to pick a user name and password when they register at an Internet website.

Because it's difficult to remember a large number of passwords, some use the same password for all websites, which creates a security risk.


Published by

Kim Cameron

Work on identity.

4 thoughts on “Privacy czar pushing for better ID protection”

  1. Pingback: Kevin W. Hammond
  2. Isn't it interesting to notice that the first non-internet public acknowledgement of Kim's 7-Lwas work has come from a fellow-Canuck! Yayy Canada!!!

    It will be very interesting to watch for policy decisions from the privacy commissioner to see what impact the 7-laws will have in her day-to-day job, because as I understand it (having not finished reading the article yet) this is really just a whitepaper static a position and ideas, and not Ontario Government policy…

    Here's where I'll post my take on it as I finish reading through

  3. additional follow-up to my previous comment is posted on .my blog. I would basically like to see Dr. Cavoukian (or another who is familiar with FIP) identify whether the FIP is fully repreented by the 7-laws in the Metasystem or whether the Privacy-Embedded 7 Laws miss significant parts of the FIP

Comments are closed.