thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Sunday, December 03, 2006

The Politics of "Identity Governance"

Oracle has announced the "Identity Governance Framework", a set of draft standards for sharing and controlling personally identifiable information across different systems and applications. It is a back-end complement to data input and authentication front-ends like Microsoft's Infocards/CardSpace, the Liberty Alliance's Identity and Web Services Federation (ID-WSF), the Higgins Trust Framework, OASIS' Service Provisioning Markup Language (SPML) and Security Assurance Markup Language (SAML), or older standards for transmitting user data in web connections like the W3C's Platform for Privacy Preferences Protocol (P3P). While the latter provide a unified platform for collecting and transmitting identifiable data to a web service provider, back-end systems are needed to ensure that the data is not flowing freely once the user has given it away and it has entered the corporate data warehouse. Similar approaches are the Enterprise Privacy Authorization Language (EPAL) or IBM's approach to have a "sticky" privacy policy that is attached to the user data and moves with it. Similar ideas that are more privacy-friendly and even minimize the collection and transmission of personal data in the first place are currently being developed in the EU-funded PRIME project.

Oracle has taken an application-centered perspective here, consistent with its general strategy for application-centered identity management. From the press release:
The IGF provides a standard mechanism for organizations to establish "contracts" between their applications and sources of identity data.
As a political scientist, I was surprised by the use of the word "governance" in this context (and because the abbreviation IGF is also used for the new UN Internet Governance Forum in which I am involved). But Oracle is right with the wording: Like all governance processes and frameworks, there are many options and decisions to be made, and that is where politics comes into play. You can exemplify this on several levels. Let me just take the Identity Governance Framework as an example:


In the good old days, the social value to be safeguarded was called "privacy". Then came computers, and the ugly word "data protection" took over. The semantic move was subtle, but worked to some extent: It was about protecting the data (i.e. the computers on which they reside), not the privacy of the persons the data was about. After the rise of the Internet, it started to be called "privacy and identity management". The idea of protecting data or persons got lost and replaced by "management". Instead, "identity" was introduced, which also includes an idea of control: The users have to authenticate themselves. Nowadays, it is mostly called just "identity management", and the idea of privacy has to be re-introduced as a kind of add-on, like in the "privacy-embedded laws of identity".

So, it sounds like the discourse of identity has won over the discourse on privacy. By introducing the term "governance", Oracle makes it clearer again that it is not just a corporate process, as "identity management" sounds like, but includes externally set values and goals.

An interesting development. It is still unclear to me how "privacy" could systematically be inserted into this on the semantic level, as it would be one of many theoretically possible goals of the governance of identity. On the other hand, "governance" here just means enforcement of data-usage policies inside the corporation. In political science, "governance" has a far wider meaning, including public laws, private-public partnerships, standards, private contracts, education, publicity and so on. The Identity Governance Framework in this perspective is just enabling the operational implementation of values set in the larger network of institutions that deal with the governance of personal information - privacy governance, that is.

Of course, reality is much more complex, and there are always competing discourses, side-branches and so on. But this big picture with little complexity should do for the moment, if we look at the private sector perspective on it. I also did not attempt a Foucault-inspired discourse analysis, which would focus much more on the governmentality of the modern bureaucracy that rose and developed together with the practices and laws of identity management from the 15th century on. (My former colleague Christoph Engemann is currently finishing a book about the latter, and I am looking forward to getting it as soon as possible.)


The background for Oracle's move was the growing pressure by governments and the EU on corporations to limit access to data and its flow across enterprise units and to partners. Oracle refers to this in their press release:
Organizations today are struggling to balance the need to meet regulatory mandates and secure personal information while maintaining streamlined business processes. (...) With the IGF, organizations can more easily determine and control how identity information - including Personally Identifiable Information, access entitlements and personal attributes - is used, stored, and propagated across diverse systems, helping ensure the information is easily auditable and not abused, compromised or misplaced.
Some people tend to praise the recent moves by large IT companies to better protect the privacy of customer and user data. But they largely build the technical infrastructures that implement these protections. The original incentive for this is external, and it is coming from public institutions and laws: The EU privacy directives, the Safe Harbor agreement, US auditing regulations like Sarbanes-Oxley, and others. This reminds us that over the excitement about new technological approaches towards privacy and identity protection, we should not forget the enduring importance of public policy - and in the end, the state and its regulatory agencies.


There are many options for how to make a set of technological definitions a standard. It can be mandated by the state (hierarchical governance), it can be selected at the marketplace (decentralized governance), or it can be defined by a committee like the W3C or the IETF (horizontal governance). Sometimes we find hybrid forms, e.g. when two or more committees compete at the market. Identity management is currently a living laboratory for these hybrid forms. The Identity Governance Framework was developed by Oracle in their attempt to integrate identity management products they had acquired from other companies. The first drafts will be further developed now with Sun, Novell, CA, Ping Identity, Layer 7, and Securent. Sun is the most interesting player here, because it has been the main driver behind the Liberty Alliance that developed an open identity federation standard (as a reaction to Microsoft's centralized Passport project). So we have a club or an alliance that is competing with other players.

As the next step, Oracle plans to submit the IGF drafts to a standards body. Which one will this be? Sun of course is pushing towards the Liberty Alliance. Other options may be OASIS or the W3C. Oracle is also pressing for speed, as they made clear:
Our goal is to take this into a standards organization as quickly as possible to get the (intellectual property) stuff figured out, and not sit around and waste a lot of time and energy.
This focus on speed is understandable, because the Identity Governance Framework has to catch up with older developments like EPAL or IBM's sticky policy. But it could backfire. Important players like IBM, Microsoft or SAP are not on board yet, and they will be needed if this is to become a widely-used standard. If the IGF alliance moves too fast, its standard will only be applied in a part of the general market for enterprise-wide identity management. Inclusiveness and speed are conflicting goals here, as can be learned from the general theory of standardization processes and their institutional design. Speed can only be useful if you are the first mover and have enough market power. The choice of the standards body to which the final IGF drafts will be submitted will have an impact on how widely the technology is accepted as well as on the speed at which it is agreed upon.

Maybe Oracle is just trying to secure its market share and aiming at a fragmented market, with the Identity Governance Framework driven by Oracle, Novell and Sun getting one part, IBM with its Tivoli Privacy Manager another one, and SAP with its own technologies as the third major one. I'd love to know where Microsoft fits into the picture here.

