Business input to privacy & security frameworks that deliver: RSA, End to End Trust & the remarks of Microsoft’s Scott Charney

March 3, 2010

In the last couple of blogs, "EC thinking on privacy definitely on the move…" and "Ahead of the Curve?…", I described renewed official interest in re-thinking privacy frameworks that have been around for some time. The re-think is becoming critical and unavoidable in light of the realities of the online world, new technologies and how people often want to use them.

But business has not been idle either. This includes joint initiatives between officials and leading businesses with an interest in ‘finding a better way’.

Next week, for example, I will be in Paris for a half-day Roundtable on "30 Years After: The impact of the OECD Guidelines" and the following day a workshop called "Accountability Phase II – Paris Project". Both have strong business, regulator and NGO involvement. The first of these is an OECD initiative. The second is being convened by the Working Group on Data Protection Objectives for Accountable Organizations. The host is CNIL, the data protection regulator for France, while the Centre for Information Policy Leadership is the secretariat.

Yet the story is not complete without noting some significant initiatives by individual companies.

Which leads me to the evolving thinking of Scott Charney on ‘End to End Trust’. He set out the initial basis for his thinking in a White Paper and spoke about it in depth at the RSA Conference 2009, and I wrote a blog about it at the time. It is interesting how thinking on the identity component of his ‘trusted stack’ has already evolved to recognize more explicitly that in-person proofing is only one way of achieving trust at the human level, for example in the RISEPTIS paper discussed at the EC Trust in the Internet conference in early February.

Now Scott has taken his thinking further at the RSA Conference 2010. This year, he has put his emphasis on End to End Trust and cloud computing. This is most welcome! As noted in another recent blog on "Cloud Computing Made Simple", trust and risk allocation look like being the missing links in cloud computing unless they are paid specific attention.

As Scott notes, while cloud computing brings both benefits and risks, understanding how it differs from computing today requires careful thought about what’s new, what’s the same, and how the computing model affects businesses and consumers. Scott points out that to address security and privacy in the cloud, we need:

  • Security and Privacy Fundamentals to be right
  • Technology Innovations constantly
  • Social, Economic, Political and IT Alignment

Addressing the last of these, Scott points out that the cloud will amplify the need for a lot more effort here. 

And the business contribution at this point? After noting the importance of robust identity solutions that respect individual privacy, he announced technology that makes a claims-based identity metasystem possible. Specifically, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. He called on industry, developers and others who manage identity online to take advantage of this technology to provide solutions that work for the problems we have today with identity.

Kim Cameron, Mike Jones, Stefan Brands and others at Microsoft have been working hard for years to develop the thinking behind a claims-based identity metasystem. They have shared their thinking widely and developed workable components such as Windows CardSpace and, more recently, other aspects of the Geneva initiative.

Others are working side by side to develop privacy-respecting approaches to identity management, ranging from PrimeLife, IBM and the Eclipse Foundation to Identity Woman and many more.

As Zhou En Lai is reputed to have said to Richard Nixon about the historical impact of the French Revolution, it may be "too early to tell", but I am very optimistic that we are beginning to get somewhere.


Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.  He was also foundation President of the International Association of Privacy Professionals, Australia New Zealand,