Empowering individuals to control their personal information

| December 11, 2009

Here is a seriously interesting paper that came out of the UK a year ago: Empowering individuals to control their personal information.  It is a background paper presented to a conference on Privacy by Design which was all about providing a proactive approach to privacy protection.  It was held on 26 November 2008 and hosted by the UK Information Commissioner’s Office in Manchester.

Nevertheless, this paper tells only part the story of ‘context specific authentication’.  It leaves at least two unanswered questions:

  • Authenticate what?
  • Authenticate by whom? 

For example, we have all heard of the three factors of authentication:

    1. What you are

    2. What you know

    3. What you have

 Now folks talk of two more:

    4. Where you are

    5. Who can vouch for you (or a claim you have made about yourself; often treated as the only form of trustworty authentication).

And I have just thought of a sixth:

    6.  Your past relationship with me (e.g. have you & I have interacted in the past in a predictable way) 

The fifth, though, puts authentication based Identity Management into its place as merely one of many ways of deciding whether to trust, rather than as THE only way to trust.  And none of the others necessarily involve trusting a third party to tell the truth and not to abuse any information collected as a result of providing the authentication.

Frankly, as the richness of the network increases, this list of 5 (or 6) will look pathetically small in one or two years time.  Again, putting paid to thinking that the only way to decide whether to trust or not depends solely on a third party’s authentication of an identity claim.

The thoughts in the paper about repositories of trustworthy identity information are also worth reading:  the paper considers some sort of trustworthy source, especially for dealing with government is inevitable (if not de facto in place already).  But the paper also recognises that this is vastly different from relying on that trustworthy repository in all circumstances.

There are interesting links between this line of thinking and the concept of “identifiability” outlined in the paper on Engineering Privacy by Sarah Spiekermann and Lorrie Faith Cranor.

Constructing effective and efficient identity management that empowers individuals to control the personal information about them is a critical factor in an extremely wide ranging part of our lives: successful deployment of the National Broadband Network, Government 2.0, all the way through to electronic health information exchange.


Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.  He was also foundation President of the International Association of Privacy Professionals, Australia New Zealand, www.iappANZ.org.



  1. Jacques Bus

    December 27, 2009 at 3:11 pm

    User centric ID management

    Malcolm Crompton made a comment on 11/12/2009 with the title "Empowering Individuals to control their personal information".

    The article he refers to is particularly interesting from the viewpoint of European Commission services that try to develop a large scale project for "A European common framework for eID management". This project focusses in particular on the infrastructure that is discussed in this paper and that would develop an infrastructure and platform for the variety of services, including Government Citizen Registration, that will be delivered and consumed on the Internet in the future.

    Important is the claim that there are many different ways for Identity and other Claims management and that we have to search the right mix, which ensures user-centricity when sensible, proper governance and economic viability and other factors relevant to privacy protecting claim management, that is user-controlled, usable, and (when needed) transparent and accountable.

    The example of user-controlled interoperability between social networks (transfer of user data from one to the other under full control of that user) is a point in case which can be applied for many communities which are represented on the Web.

    The issue on the six different points mentioned by Malcolm may in my view be mostly due to the confusing use in many of the papers in this area of the terms "identification", "claim management", "trust", security, trustworthiness, etc. in the field.

    The three factors of authentication are typically meant to prove that you communicate with the entity (person, organisation, agent) you think or wanted to communicate with. Once that is done in a way that gives sufficient trust, one might need all kind of assurances to be able to trust the other side for the transaction you intend to start. Indeed, it can be location, a report on reputation, or on past relationships, etc. It can also be age, sex, wealthiness, kindness, expertise or professionalism, etc.

    Trust can be used in the context of authentication, in the sense that you want to be able to trust the systems to handle the authentication data properly, ensure data security and integrity, does not allow tampering by users, etc.

    In the second phase trust relates to the plethora of information and tricks we use to satisfy ourselves that the contact is the one we want our transaction with. I fully agree with Malcolm that this will not be restricted to the 5 (or 6) mentioned. It will be left to the creativity of Web users to find "sensors" to create trust in the other party for the particular situation they are in, and to engineers to provide the tools and services for these users.

    But I am sure, that if we would be able to start as suggested in the paper, with an integrated variety of device-based and broker mediated services, with proper mechanism to use Government Registers, we will have made a major step forward in creating "trust in digital life".


  2. Piotr

    December 30, 2009 at 6:07 pm

    User centricty .. the missing part

    User-centric identity management.. the best we have yet incomplete as a story. I happened to participate in workshops where the documetn mentione dby Malcolm has been drafted. Malcolm and Jacques are correct observing that there are many more methods of asserting one’s identity than the classical IBM triad from 80’s of what you know, have and are. In fact, there may be almost unlimited numbers of primary, secondary, derivative etc. methods to assert one’s identity.

    User-centric approach seems to be a step forward, relieving us from the tyranny of providers’ needs for more and more authentication… or it seems to be. The truth is that it addresses only half of the problem. Consider: if I decide only to release my self-signed statement about myself, is it really enough? If I always use the strong government-sponsored credential, is it an overkill? My needs for privacy have to be balanced with providers’ needs of a reliability. The negotiation process ins necessary.


    Well, it is unlikely that I will be able to manage the process by myself. How could I know what is the sufficient level of authentication, what is a necessary amount of information tat I have to disclose? I am interested in disclosing the least amount possible, providers are interested in learning about me as much as they can, in a drive to minimize their risk. If left alone, the situation will return to ‘new normal’ – providers asking for everything that they can lay their hands on, and us hopelessly agreeing on it.



    What we need is a strong exchange, an identity brokerage, a mechanisms and an institution that defines and upholds standards in identification and authentication and assigns them to actual life situations. Such an institution, potentially working for an Information Commissioner (or some international equivalent), can really enable the new information ecosystem. Suddenly, the new potential role for a government (or inter-government) agency emerges: not to drive a particular identification and authentication scheme (such as identity cards), but to orchestrate the exchange of credentials.