Laws of Identity 2.0 (now privacy turbocharged)
Ann Cavoukian, the Privacy Commissioner of Ontario, has released an updated version of the "7 Laws of Identity". She calls them "privacy-embedded laws of identity". The original "7 laws" were developed by Kim Cameron, Microsoft's chief identity architect, and are regarded the lessons learned from the failure of Passport, the company's single sign-on service that nobody beyond MSN ever used. Cavoukian's new version is adding a more privacy-conscious twist to them. The old Law # 1 for example read:
User control and consent: Technical identity systems must only reveal information identifying a user with the user’s consent.The new Law #1 now states:
Personal control and consent: Technical identity systems must only reveal information identifying a user with the user’s consent. Personal control is fundamental to privacy, as is freedom of choice. Consent is pivotal to both.An interesting attempt by state regulators to engage the technology community. The accompanying white paper directly addresses the concerns a lot of privacy advocates have with the general idea of an identiy metasystem for the internet:
"Care must be taken that a universal, interoperable identity metasystem does not get distorted and become an infrastructure of universal surveillance."If the identity layer can be built and used in a way that will solve any of these dangers is not yet clear to me, but I am rather sceptical.
Other voices: The Globe & Mail has a very positive story about this - by an old friend of Kim Cameron. Stefan Brands from Credentica is also applauding the paper, and he shows where MS Cardspace does not (yet?) meet its expectations. But Ben Laurie (who's paper on identity as surveillance is a good sobering read) is annoyed by the "complete bullshit in the paper". And while Chris Linfoot warns that "something wacky's brewing over there in Ontario", Monique at SoMisguided writes ironically "We can go on blindly through the digital day, superman Microsoft is watching our back."