Who are you?

After getting solidly depressed about bottled water (link) I decided to calm down again and I did it in the most boring way possible, by reviewing my finances. 2 hours later I was building spreadsheets simulating where I would like to be financially by 2018. But I was stuck. I was trying to do an online pension review and I had lost my user, password and security token. I called the company and they managed to sort it out. But they could have said: “We don’t know you. Don’t darken our doors again” and kept my money. Because everything was online I had no redress and no proof that I had an account there. Of course there are back-ups and printed document exchanges and other safety mechanisms, but I must admit even as a data specialist I was worried about my nest egg.

The whole chain of events led me to have a think about how I would like things to work for me. So I started drawing up a process and a way in which I would like to control my information with regard to anyone and any platform I am dealing with. And here is the first output:

a) A person should control who sees what about them at any time.

b) No data should be stored about a person inside another system

c) Information is collated from prime sources at the point of need

d) All personal data exchanges are encrypted

e) Auditing of transactions with a user is resolved at run-time

f) Identities last at least as long as the person, even if the identity is no longer active

g) The level of information provided is retained at the user's discretion and is not auditable by the identity provider

h) All identity requests including user ids and passwords are resolved against an identity server

i) All identity requests are audited and resolved or declined by the identity owner either via a rule or via an individual action

j) Electronic identity information services are to be protected by law (global)

In essence the above is a manifesto of good practices around personal identity management. The obvious people to have a look at this and run with it have unfortunately failed already. Social Networking sites have no impunity under the law, since they are mixing content with identity information. You chat, vote, blog and comment freely and all this content is legally available to organisations like the police when pursuing a probable criminal offender.

More neutral organisations like Google, Yahoo and Microsoft treat identity separately but in the competitive world they like to follow the principle: “I accept any identity token, as long as it is mine. But others can choose to accept mine” which in essence makes the whole principle pointless. Furthermore, e-mail addresses do not make an identity, as most of us who have 6 or seven e-mail addresses can attest to.

That leaves us with neutral Identity resolution frameworks like OpenID, i-cards, the Higgins Project and similar stuff. All of these technologies seek to provide users with a way to control their identity, data, and relationships without dependence on any one vendor or service provider. And none of them do due to the background they all face – the real world.

In short there is simply no commercial interest in divesting power back to the individual as long as we dish it out like free stuff. How many of us question if the insurance company needs our birthday, or would the birth year suffice?
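Points (a), (g) and (i) of the list, together with the birth-year question above, sketched as an added Python example that is not part of the original post. The `Owner` class, the rule format, the requester name `insurer.example` and the sample profile are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data; held only by the owner, never copied to a requester.
PROFILE = {"name": "Alex Example", "birth_date": date(1975, 4, 12), "postcode": "AB1 2CD"}
# Lower-precision views derived from a prime attribute at the point of need.
DERIVED = {"birth_year": lambda p: p["birth_date"].year}

@dataclass
class Owner:
    profile: dict
    rules: dict                                  # (requester or "*", attribute) -> "allow" | "deny" | "ask"
    audit: list = field(default_factory=list)    # owner-side record of every request
    pending: list = field(default_factory=list)  # requests waiting for an individual action

    def _value(self, attr):
        return DERIVED[attr](self.profile) if attr in DERIVED else self.profile[attr]

    def request(self, requester, attributes):
        """Resolve each requested attribute by rule; anything without a rule waits for the owner."""
        released = {}
        for attr in attributes:
            if attr not in self.profile and attr not in DERIVED:
                decision = "deny"                # unknown attribute: nothing to release
            else:
                decision = self.rules.get((requester, attr), self.rules.get(("*", attr), "ask"))
            if decision == "allow":
                released[attr] = self._value(attr)
            elif decision == "ask":
                self.pending.append((requester, attr))
            self.audit.append((requester, attr, decision))
        return released

    def decide(self, requester, attr, allow):
        """Individual action on a pending request; raises ValueError if nothing is pending."""
        self.pending.remove((requester, attr))
        self.audit.append((requester, attr, "allow" if allow else "deny"))
        return {attr: self._value(attr)} if allow else {}

def demo():
    owner = Owner(PROFILE, rules={
        ("insurer.example", "birth_year"): "allow",   # the year suffices
        ("insurer.example", "birth_date"): "deny",    # the full date is not needed
    })
    first = owner.request("insurer.example", ["birth_date", "birth_year", "postcode", "shoe_size"])
    second = owner.decide("insurer.example", "postcode", allow=True)
    return first, second, owner.audit, owner.pending

if __name__ == "__main__":
    print(demo())
```

The requester only ever receives the returned dictionary; the audit list stays with the owner, so every request is recorded whether it was resolved by rule or by hand.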

So where does that leave the individual? In my view it needs governmental bodies at global level to come together and sign off on a basic human right to retain your information, and then deliver a global framework on which to do it, and the right of any individual to refuse to provide identity information in any other form than this framework. But how likely is that to happen?

In a landmark discussion on identity in 2005 the public was treated to a rather classical view of identity, one that shows how far academia, technologists and governments are away from truly tackling Identity. Rather than ascribe the need for an individual to control one’s data, the need of the state is placed as the paramount requirement owner for identity resolution.  It misses the true point of ownership and the service a government should provide for the individual.

With the trust relationship gone and the complexity of identity management still unresolved you will have to continue typing in your name and address to get anything done. My first step to regaining control is to give myself a middle name or double-barrelled name to follow my identity through the systems. By adding the supplier's name as a middle name I know where and how my identity was used. I already came down on Apple for misusing my information. I am not stopping short of taking anyone to court in this area.

But ultimately this is not about vigilante-style behaviour. This is about setting up a framework that lets people take control.


Any good ideas are welcome :)
