Here's an email I received from John through my I-name account:<\/p>\n
I would have left a comment on the appropriate entry in your blog, but you've locked it down and so I can't \ud83d\ude41<\/p>\n
I have a quick question about InfoCards that I've been unable to find a clear answer to (no doubt due to my own lack of comprehension of the mountains of talk on this topic — although I'm not ignorant, I've been a software engineer for 25+ years, with a heavy focus on networking and cryptography), which is all the more pertinent with EquiFax's recent announcement of their own “card”.<\/p>\n
The problem is one of trust. None of the corporations in the ICF are ones that I consider trustworthy — and EquiFax perhaps least of all. So my question is — in a world where it's not possible to trust identity providers, how does the InfoCard scheme mitigate my risk in dealing with them? Specifically, the risk that my data will be misused by the providers?<\/p>\n
This is the single, biggest issue I have when it comes to the entire field of identity management, and my fear is that if these technologies actually do become implemented in a widespread way, they will become mandatory — much like they are to be able to comment on your blog — and people like me will end up being excluded from participating in the social cyberspace. I am already excluded from shopping at stores such as Safeway because I do not trust them enough to get an affinity card and am unwill to pay the outrageous markup they require if you don't.<\/p>\n
So, you can see how InfoCard (and similar schemes) terrify me. Even more than phishers. Please explain why I should not fear!<\/p>\n
Thank you for your time.<\/p>\n
There's a lot compressed into this note, and I'm not sure I can respond to all of it in\u00a0one go.\u00a0 Before getting to the substantive points, I\u00a0want to make it clear that the only reason\u00a0identityblog.com requires<\/em> people who leave a comment to use an\u00a0Information Card is\u00a0to give\u00a0them a feeling for one of the technologies I'm\u00a0writing about.\u00a0\u00a0To quote\u00a0Don Quixote: “The proof of the pudding is the eating.”\u00a0 But now on to the main attraction.\u00a0<\/p>\n It is\u00a0obvious,\u00a0and your reference to the members of the ICF illustrates this, that\u00a0every individual and organization\u00a0ultimately decides who or what to trust\u00a0for any given reason.\u00a0 Wanting to change this would be a non-starter.<\/p>\n It is also obvious that in our\u00a0society, if someone offers a service,\u00a0it is their right\u00a0to establish the terms under which they do so (even requiring identification of various sorts).<\/p>\n Yet to\u00a0achieve balance with the rights of others,\u00a0the legal systems of most countries also recognize\u00a0the need to limit this\u00a0right.\u00a0 One example would be\u00a0in\u00a0making it illegal to violate\u00a0basic human rights (for example, offering a service in a way that is discriminatory with respect to gender, race, etc).\u00a0<\/p>\n Information Cards don't change anything in this\u00a0equation.\u00a0 They\u00a0replicate\u00a0what happens today in the physical world.\u00a0 The identity selector is no different than a wallet.\u00a0 The Information Cards are the same as the cards you carry in your wallet.\u00a0 The act of presenting them is no different than the act of presenting a credit card or photo id.\u00a0 The decision of\u00a0a merchant to require some form of identification is unchanged in the\u00a0proposed model.<\/p>\n But\u00a0is it necessary to\u00a0convey identity in the digital world?<\/strong><\/p>\n Increasing population and density\u00a0in the digital world has led to the\u00a0embodiment\u00a0of greater material value there – a tendency\u00a0that will only become stronger.\u00a0 This\u00a0has\u00a0attracted more criminal activity and\u00a0if cyberspace\u00a0is denied any protective structure, this activity will become\u00a0disproportionately more pronounced as time goes on.\u00a0\u00a0If everything remains as it is, I don't find it very hard to\u00a0foresee an\u00a0Internet vulnerable enough to become almost useless.<\/p>\n Many people have come or are coming to the conclusion that these dynamics\u00a0make it necessary<\/strong> to be able to\u00a0determine<\/strong> who we are dealing with in the digital realm.\u00a0 I'm one of them.<\/p>\n However, many also jump to the conclusion that if\u00a0reliable identification is necessary\u00a0for protection in\u00a0some<\/strong> contexts, it is necessary in all<\/strong> contexts.\u00a0 I do not follow that reasoning.\u00a0<\/p>\n Some != All<\/strong><\/p>\n If\u00a0the “some == all” thinking predominates, one\u00a0is left with\u00a0a future where\u00a0people need to identify themselves to log onto the Internet, and their identity is automatically made available everywhere they go:\u00a0 ubiquitous identity in all contexts.<\/p>\n I think the threats to the Internet and to society are sufficiently strong that in the absence of an alternate vision and understanding of the relevant pitfalls, this notion of a singular “tracking key” is likely to be widely mandated.<\/p>\n This is as dangerous to the fabric and traditions of our society as the threats it attempts to counter.<\/em>\u00a0 It is a complete departure from the way things work in the physical world.<\/p>\n For example, we don't need to present identification to walk down the street in the physical world.\u00a0 We don't walk around with\u00a0our names or\u00a0religions stenciled\u00a0on our backs.\u00a0 We show ID when we go to a bank or government office and want to get into our resources.\u00a0 We don't show it when we buy a book.\u00a0 We show a credit card when we make a purchase.\u00a0 My goal is to get to the same point in the digital world.<\/p>\n