The 7 Laws of Identity
From Microsoft’s Kim Cameron, by way of Brian Hayes, with collaborative input from a good chunk of the blogosphere, come the 7 laws that explain the successes and failures of digital identity systems. I’m including just the snippets below; there’s a lot more detail in the complete identity paper. Even though it was published in 2005 (a lifetime ago in Web terms), I think it’s still ripe for relevant discussion today.
- User Control and Consent
  Technical identity systems must only reveal information identifying a user with the user’s consent.
- Minimal Disclosure for a Constrained Use
  The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
- Justifiable Parties
  Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
- Directed Identity
  A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
- Pluralism of Operators and Technologies
  A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
- Human Integration
  The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
- Consistent Experience Across Contexts
  The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
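The Directed Identity law is the easiest of the seven to show in code, and it pairs naturally with User Control and Minimal Disclosure. Below is a small illustration I put together (not code from Cameron’s paper or from any shipping identity product): an identity provider keeps one omni-directional identifier per user internally, but hands each relying party its own stable, unidirectional identifier derived with an HMAC, so two sites cannot join their records on a shared handle, and it releases only the claims that were both requested and consented to. The secret, user record and site names are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Set

# Constructed sample data: a per-provider pairwise secret and one user,
# keyed by the provider's internal (omni-directional) identifier.
IDP_PAIRWISE_SECRET = b"constructed-idp-secret-rotate-in-production"

USERS: Dict[str, Dict[str, str]] = {
    "user-0001": {
        "name": "Alice Example",
        "email": "alice@example.org",
        "birthdate": "1980-01-01",
    },
}


def directed_identifier(user_id: str, relying_party: str,
                        secret: bytes = IDP_PAIRWISE_SECRET) -> str:
    """Unidirectional identifier (Law 4): stable for one (user, site) pair,
    different for every site, and not reversible to user_id without the
    provider's secret, so sites cannot correlate users by comparing it."""
    # Normalise the site name so "Shop.example" and "shop.example" agree;
    # the NUL separator keeps the two fields from running into each other.
    msg = relying_party.lower().encode() + b"\x00" + user_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def issue_claims(user_id: str, relying_party: str,
                 requested: Set[str], consented: Set[str]) -> Dict[str, str]:
    """Release only claims the site asked for AND the user agreed to
    (Laws 1 and 2); the internal user_id itself is never disclosed."""
    allowed = requested & consented
    claims = {k: v for k, v in USERS[user_id].items() if k in allowed}
    claims["sub"] = directed_identifier(user_id, relying_party)
    return claims


def can_correlate(claims_a: Dict[str, str], claims_b: Dict[str, str]) -> bool:
    """True if two sites could link records on the identifier alone."""
    return claims_a["sub"] == claims_b["sub"]


if __name__ == "__main__":
    shop = issue_claims("user-0001", "shop.example", {"email", "birthdate"}, {"email"})
    bank = issue_claims("user-0001", "bank.example", {"name"}, {"name"})
    print(shop, bank, "correlatable:", can_correlate(shop, bank))
```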
Do you think these are still relevant? Overkill? Underkill?
What would you add and what would you take away?
October 25th, 2007 at 6:53 pm
Michael Geist is the privacy chair at the University of Ottawa.
Quoting from his post, the conference “brings together hundreds of privacy commissioners, government regulators, business leaders, and privacy advocates who spend three days grappling with emerging issues” and is “the most important global privacy conference on the calendar.”
The conference examined a number of “privacy audits of both public and private sector organizations, privacy impact assessments that are used to gauge the effect of new regulations and corporate initiatives, trust seals that include corporate compliance programs, and emphasis on global cooperation in a world where personal data slips effortlessly across borders.”
Geist points out that there have always been two critical parts to privacy: 1) Notice and 2) Consent.
He says these are failing, not merely because of government surveillance, but because our rules and laws are slipping both in agencies and in the marketplace.
If Notice and Consent fail, we cannot build a privacy framework.
Link to Geist’s extensive site.