Social Networking and the Laws of Identity
Social networking seems to sit at the opposite end of what security and privacy advocates are fighting for. Sites like LinkedIn, Facebook and Tribes want you to give as much information about yourself as possible, including who your friends and contacts are, and to share that information on the site. Yes, “strangers” have to ask me to share my information with them; but the point is that all my info is already out of my hands, sitting in a database at the website.
A personal problem I have is which site do I join, and how many sites do I join? Some of my friends are bugging me to join them on LinkedIn while others are trying to convince me of the powers of Facebook. Since these sites don’t talk to each other, I’d have to join both to connect with all my contacts, share my personal information with both sites (remembering to keep both up to date) and hunt for my contacts on both.
There are two statements I want to make at this point. The first is that your customer base is not exclusive, and service providers should look to new mechanisms for storing customer data and setting up federated trusts; the second is that users and service providers should become aware of the Laws of Identity and Identity 2.0, and of what they mean and provide for them. Technology evangelists should also take note and learn the Laws of Identity for use in their presentations. It’s catching on more slowly because it’s less flashy than the rest of Web 2.0, but I think it’s at least five times more important (Chilibean, if you’re reading this, this means you! :) )
Let’s look at LinkedIn and Facebook. Both are social networking sites that help people manage their contact lists, because each contact can update their own details when changes occur. Both also let a member browse their contacts’ contact lists and ask to become acquainted with a new contact. In your contact list you can see a contact’s email address, telephone number, physical address and bio information such as their birthday. With the facility for claims (a claim is a statement about a user, such as their username or email address, that a site can ask for and an identity provider can release) in technologies such as Windows CardSpace and OpenID, I can instead choose an Identity Provider I trust to store my information and then use an information card (CardSpace) or an identifier URL (OpenID) to tell these sites where to get my information from. I can use the same card when I want to leave a comment on someone’s blog or post to a forum; I don’t need to create an account for each site I visit, I can just tell the site to get my details from my Identity Provider. One caveat: this gives me control over what is released to each site, not over what the site does with it afterwards, so a site that receives my email address can still store it.
So what are the Laws of Identity? The Laws of Identity were written by Kim Cameron, the architect of Identity and Access at Microsoft, and they are a guideline both for websites and technologies wanting to build digital identity into their framework and for users wanting to judge the strength of an identity provider. There are seven of them, listed below; Kim goes into more detail on each one on his Identity Blog.
- User Control and Consent - Digital identity systems must only reveal information identifying a user with the user’s consent.
- Limited Disclosure for Limited Use - The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.
- The Law of Fewest Parties - Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.
- Directed Identity - A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
- Pluralism of Operators and Technologies - A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.
- Human Integration - A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.
- Consistent Experience Across Contexts - A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.
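The claims flow described above and the first four laws, as an added worked example that is not from the original post and is not CardSpace’s or OpenID’s actual protocol: a toy identity provider in Python that holds the profile, releases to each site only the claims the user consented to (Laws 1 and 2), binds every token to one relying party (Law 3), and hands each site a different pairwise identifier so two sites cannot correlate the user (Law 4). The names idp.example, linkedin.example and facebook.example and the sample profile are constructed, and the per-site HMAC key stands in for the public-key signatures a real provider would use (with a shared key a site could mint its own tokens, so this illustrates the data flow, not a deployable design).

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample profile: everything the identity provider holds about the user.
USER_PROFILE = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "phone": "+1-555-0100",
    "birthday": "1980-01-01",
}


def _canonical(payload):
    """Deterministic encoding so issuer and verifier MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Toy identity provider: holds the profile, enforces consent, issues tokens."""

    def __init__(self, issuer, user_id, profile):
        self.issuer = issuer
        self.user_id = user_id
        self.profile = dict(profile)
        self.pairwise_key = secrets.token_bytes(32)  # never leaves the provider
        self.rp_keys = {}   # relying party -> key that party verifies tokens with
        self.consent = {}   # relying party -> claims the user allowed it to see

    def register_rp(self, rp):
        """Hand the relying party a per-site verification key (assumed shared out of band)."""
        self.rp_keys[rp] = secrets.token_bytes(32)
        return self.rp_keys[rp]

    def grant_consent(self, rp, claims):
        """Law 1: nothing about the user reaches rp unless the user allowed it."""
        self.consent[rp] = set(claims)

    def directed_identifier(self, rp):
        """Law 4: a unidirectional identifier that differs per relying party,
        so two sites cannot join their records on a shared handle."""
        msg = f"{self.user_id}|{rp}".encode()
        return hmac.new(self.pairwise_key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, rp, requested, ttl=300):
        """Law 2: release only what was both requested and consented to."""
        if rp not in self.rp_keys:
            raise ValueError(f"unknown relying party {rp!r}")
        allowed = self.consent.get(rp, set())
        released = {c: self.profile[c] for c in requested
                    if c in allowed and c in self.profile}
        now = int(time.time())
        payload = {
            "iss": self.issuer,
            "aud": rp,  # Law 3: the token is for this party and no other
            "sub": self.directed_identifier(rp),
            "iat": now,
            "exp": now + ttl,
            "claims": released,
        }
        sig = hmac.new(self.rp_keys[rp], _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingParty:
    """Toy relying party (a social-networking site) that consumes the claims."""

    def __init__(self, name, verification_key, issuer):
        self.name = name
        self.key = verification_key
        self.issuer = issuer

    def accept(self, token, now=None):
        """Return the claims if the token is genuine, meant for us and unexpired, else None."""
        payload, sig = token["payload"], token["sig"]
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged, tampered, or signed for another site
        if payload.get("iss") != self.issuer or payload.get("aud") != self.name:
            return None  # replayed at the wrong relying party
        now = int(time.time()) if now is None else now
        if not payload["iat"] <= now < payload["exp"]:
            return None  # stale or not yet valid
        return {"sub": payload["sub"], **payload["claims"]}


def run_example():
    """One provider, two sites asking for everything; returns what each actually learned."""
    idp = IdentityProvider("idp.example", "alice", USER_PROFILE)
    site_a = RelyingParty("linkedin.example", idp.register_rp("linkedin.example"), "idp.example")
    site_b = RelyingParty("facebook.example", idp.register_rp("facebook.example"), "idp.example")
    idp.grant_consent("linkedin.example", ["name", "email"])
    idp.grant_consent("facebook.example", ["name", "birthday"])
    wanted = ["name", "email", "phone", "birthday"]  # both sites ask for everything
    token_a = idp.issue_token("linkedin.example", wanted)
    token_b = idp.issue_token("facebook.example", wanted)
    return {"site_a": site_a.accept(token_a), "site_b": site_b.accept(token_b),
            "replayed_at_b": site_b.accept(token_a)}
```

Calling run_example() shows the point of the laws in data rather than prose: the LinkedIn stand-in learns name and email, the Facebook stand-in learns name and birthday, neither learns the phone number it asked for, their sub values differ so the two databases cannot be joined on the user, and a token issued for one site is rejected by the other. Swapping the HMAC for a public-key signature would let any site verify without being able to forge, which is the first change you would make on the way to a real deployment.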
The Laws of Identity are not just applicable to the web. At the moment Kim is blogging about a sensitive issue (more here) happening in the UK, where schools are enforcing digital fingerprinting of all their students without the consent of the students or their parents (Law 1). You can read Kim’s blog or check out http://www.leavethemkidsalone.com to follow the story.
I would like to encourage you all to read up on Identity 2.0 and take the time to see what plug-ins are available for your blogging engine that enable CardSpace or OpenID, with a view to implementing it on your site and helping to grow awareness that internet surfers’ details can be kept safe.

Thanks for the tip there! It is a good point and should be borne in mind when preparing an Identity 2.0 strategy (for lack of a better term).