Tuesday, May 15, 2007

Privacy and Identity debate gains more traction

A few nice things happened in the last few weeks that make me hope the privacy and identity camps are converging. Maybe not on common positions yet, but in common discussion spaces at least:

First, Dick Hardt from Sxip Identity was in Germany and says:
Identity is a hot topic in Germany. The first European Identity Conference started today, and I am giving a keynote tomorrow morning. The Germans seem very sensitive to invasion of privacy (...).
In a video interview the Elektrischer Reporter did with him, the latter raised some concerns I had voiced the week before. Nice to see this is being picked up.

Then, Udo Neitzel and I went to Montreal to the Computers, Freedom and Privacy conference, where we spoke on two panels about privacy and identity, together with folks from the privacy world (Gus Hosein from Privacy International, Caspar Bowden from Microsoft) and the identity crowd (Paul Madsen from Liberty, Christian Paquin from Credentica). Kim Cameron from Microsoft was giving a keynote, and "Identity Woman" Kaliya Hamlin was actively taking part (she should have sat on at least one of the panels herself - Wired, by the way, calls her a "privacy activist"). We had interesting discussions on OpenID as "Baby SAML" and on how Microsoft's moves towards OpenID and using CardSpace for federation will make their system even less privacy-enhancing. Kim did not seem convinced, but at least we got him thinking. More importantly, the old privacy and crypto gurus at CFP finally seem to understand that identity management is something they really, really should care about more.

Stefan Brands is again at the forefront of this development. He just published a new research paper that attempts to bridge the privacy and identity camps. This is from the conclusion:
Contrary to popular misbelief, identification and privacy are not opposite interests that need to be balanced. Advances in modern cryptography allow for the construction of compact user identifiers that combine all the benefits of noncertified self-generated identifiers with those of certified user identifiers while eliminating all of their respective drawbacks. It may be too much to ask that legislators, systems designers, and privacy activists intimately familiarize themselves with these modern technologies for user identification. However, it is important that they take note of their capabilities, in order to avoid stretching preconceived notions about identification and privacy that hold true in the physical world into the electronic world, where they no longer hold.


