Here is a seriously interesting paper that came out of the UK a year ago: “Empowering individuals to control their personal information”. It is a background paper presented to a conference on “Privacy by Design” which was all about providing a proactive approach to privacy protection. It was held on 26 November 2008 and hosted by the UK Information Commissioner’s Office in Manchester.
Nevertheless, this paper tells only part of the story of ‘context specific authentication’. It leaves at least two unanswered questions:
- Authenticate what?
- Authenticate by whom?
For example, we have all heard of the three factors of authentication:
1. What you are
2. What you know
3. What you have
Now folks talk of two more:
4. Where you are
5. Who can vouch for you (or a claim you have made about yourself; often treated as the only form of trustworthy authentication).
And I have just thought of a sixth:
6. Your past relationship with me (e.g. have you and I interacted in the past in a predictable way)
The fifth, though, puts authentication-based Identity Management into its place as merely one of many ways of deciding whether to trust, rather than as THE only way to trust. And none of the others necessarily involve trusting a third party to tell the truth and not to abuse any information collected as a result of providing the authentication.
Frankly, as the richness of the network increases, this list of 5 (or 6) will look pathetically small in one or two years' time. That again puts paid to thinking that the decision whether to trust or not depends solely on a third party’s authentication of an identity claim.
The thoughts in the paper about repositories of trustworthy identity information are also worth reading: the paper considers that some sort of trustworthy source, especially for dealing with government, is inevitable (if not de facto in place already). But the paper also recognises that this is vastly different from relying on that trustworthy repository in all circumstances.
There are interesting links between this line of thinking and the concept of “identifiability” outlined in the paper on Engineering Privacy by Sarah Spiekermann and Lorrie Faith Cranor.
Constructing effective and efficient identity management that empowers individuals to control the personal information about them is a critical factor in an extremely wide-ranging part of our lives: from successful deployment of the National Broadband Network and Government 2.0 all the way through to electronic health information exchange.
Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information. He was also foundation President of the International Association of Privacy Professionals, Australia New Zealand, www.iappANZ.org.