CardSpace's Privacy Problems - now confirmed at OECD
Ben Laurie reports this interesting exchange of opinions on how CardSpace is breaking the (privacy-enhancing) "Laws of Identity", developed by Microsoft's CardSpace architect Kim Cameron:
At this OECD workshop on identity management, Fred Carter, of the Office of the Information and Privacy Commissioner, Ontario, spoke on “Functional Requirements for Privacy Enhancing Systems”. At one point he listed privacy protecting identity management systems, which he broadly defined as those following Kim’s seven laws. The list was short, just PRIME and Credentica … note the absence of CardSpace. So, I just had to ask: “does this mean that you believe CardSpace does not obey the seven laws?”. His reply? “Yes”. Chris Bunio, a Senior Architect for Microsoft, was present. He did not dispute the claim.
More detailed explanations are in Ben's new paper on selective disclosure.
I would add: While CardSpace, if implemented in a specific way, can be privacy-enhancing (much better than the Liberty stuff), the recent moves towards convergence with OpenID will weaken the privacy features of the system. And it will make the normal users think that one ID system is just like the other, so they can directly pick the totally privacy-unfriendly OpenID, which gets much more and broader attention at the moment.