Despite the IdM hype, privacy and security remain uneasy bedfellows

The information security sub-specialisation of Digital Identity has spurred prodigious activity in the past decade, from academics, policy makers and IT vendors. We’ve seen new “Laws of Identity”, national identity strategies, numerous big industry consortia, many new technical standards for federating identities and exchanging interoperable “identity assertions”, and a flood of new products. All the while, enhanced privacy is held to be axiomatic in the new identity frameworks.

Yet despite all this, technologists’ views on privacy have been diverging, often dramatically. Data breaches by big information companies―whether accidental or slyly intended―seem to have only got worse. The responses of security professionals to cases like the collection of Wi-Fi data by Google Streetview cars have been muddle-headed, with many not seeing the problem at all. Social network operators like Facebook and Google have sought to re-cast societal norms by banning nicknames and insisting that members use only their one “real” name. Facebook’s Mark Zuckerberg argues that those who use more than one name lack integrity.

Distressingly, at every level, security and privacy remain very uneasy bedfellows.

Technocrats give lip service to privacy. They skate over privacy principles, often presuming to know what privacy laws say without actually reading them. In their deeds and in their crazy talk, the Zuckerbergs and Schmidts of the world reveal grave misunderstandings about the topic. Of course it passes understanding that anyone listens to these guys on privacy when their multi-billion dollar fortunes are made on the back of pirating Personal Information.

And yet even well-meaning technologists seem to be on a different wavelength from privacy strategists. For instance, the architects of OpenID and grand plans like NSTIC try to deal with privacy, and yet the claimed privacy benefits are problematic when looked at closely. Orthodox federated identity brings a host of privacy challenges that have not yet been properly canvassed (possibly because US privacy perspectives are especially “high tech”, whereas in other jurisdictions information privacy focuses on controlling the flow of personally identifiable information, which is often a surprisingly low-tech business). I see immense privacy challenges in federated identity formulations, including:

  • Many Identity Providers will be start-ups. Or they’ll often be existing enterprises setting up new business units to strike out into brand new authentication markets. Either way, in a worryingly familiar replay of Big PKI in the 1990s, these players will be aggregating vast amounts of Personal Information, making them honeypots for organised crime, and lucrative corporate takeover targets.
  • Federated Identity transforms elegant time-honoured private bilateral transactions into complicated multi-lateral dealings, with excessive PI being collected where previously it was not needed.
  • The total amount of PI collected in the federated identity “metasystem” is larger than what is collected today. Not only will there be new registration databases at the new IdPs, but there will be many new multi-party audit trails tracking who we’ve been interacting with. It’s always important in privacy to consider proportionality: Is all this extra Collection really worthwhile? Are there not other ways to protect privacy that avoid the inherent risks of amassing so much new Personal Information?
  • The new privacy constructs are highly technical and artificial. For instance, “Verified Anonymity” services and many new age verification bureaus would work by collecting loads of PI at registration time (including Social Security numbers) only to hide it from Relying Parties at transaction time.
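The proportionality question raised in the list above can be made concrete with a small data-flow model. The following is an added illustration, not code from the original article: it compares a direct bilateral age check with a federated flow in which an Identity Provider registers a full PI record and then issues a minimal assertion, and it tallies which parties end up holding which attributes and how many audit records name the user. The parties, attribute names and audit notes are all constructed for the example.

```python
"""Added example: a data-flow inventory for a privacy proportionality check.

Parties, attribute names and audit notes are constructed for illustration;
they are not drawn from any real IdP or Relying Party.
"""
from dataclasses import dataclass, field

# Constructed sample record the user would supply at registration.
USER_PI = {"full_name", "date_of_birth", "home_address", "ssn"}

# The only claim the transaction actually needs (an age-restricted purchase).
PURPOSE_NEEDS = {"age_over_18"}


@dataclass
class Party:
    """A participant in the flow, with the PI it retains and audit entries naming the user."""
    name: str
    stored: set = field(default_factory=set)
    audit: list = field(default_factory=list)


def collect(party, attrs, note):
    """Record that `party` now holds `attrs` and has logged an event about the user."""
    party.stored |= set(attrs)
    party.audit.append(note)


def bilateral_flow():
    """Time-honoured bilateral dealing: the user proves the claim directly to the merchant."""
    rp = Party("relying_party")
    collect(rp, {"age_over_18"}, "age checked directly with the user")
    return [rp]


def federated_flow():
    """Federated dealing: the IdP proofs the user once, then issues a minimal assertion."""
    idp = Party("identity_provider")
    rp = Party("relying_party")
    # Registration: the IdP retains the whole record, becoming the honeypot.
    collect(idp, USER_PI, "registration: identity proofing")
    # Assertion issuance: the IdP now also learns which RP the user is dealing with.
    collect(idp, {"rp_identifier"}, "assertion issued to relying_party")
    # The RP receives only the claim, but linked to a persistent subject identifier.
    collect(rp, {"age_over_18", "idp_subject_id"}, "assertion received from identity_provider")
    return [idp, rp]


def over_collection(parties, needed):
    """Proportionality check: every attribute held anywhere in the flow beyond the purpose."""
    held = set().union(*(p.stored for p in parties))
    return held - needed


def audit_records(parties):
    """Number of audit entries across all parties that record the user's activity."""
    return sum(len(p.audit) for p in parties)


def inventory(parties):
    """Per-party summary suitable for a privacy impact write-up."""
    return {p.name: {"pi": sorted(p.stored), "audit": len(p.audit)} for p in parties}


if __name__ == "__main__":
    for label, flow in (("bilateral", bilateral_flow()), ("federated", federated_flow())):
        print(label, inventory(flow))
        print("  over-collected:", sorted(over_collection(flow, PURPOSE_NEEDS)))
        print("  audit records naming the user:", audit_records(flow))
```

Running the two flows side by side shows the point the list makes: the bilateral check holds nothing beyond the claim it needs, while the federated flow leaves the full registration record at the IdP, adds a relationship identifier at each end, and triples the number of records tracing the user's dealings, even though the Relying Party itself sees less.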

A re-think of security and privacy is urgently needed. Let’s recognise that digital identity is really a metaphor for the way we act in certain complex relationships. As such, “identity” is not an intrinsic characteristic at all but instead is an emergent property of the collection, use and disclosure of personal information in different contexts. It’s not the sort of stuff that demands fancy new theories, just a recognition that we deal with individuals in constrained ways in the real world, and we should continue to do so online. If we could just demystify digital identity a little, we should find it easier to marry information privacy and security.