Thursday, July 21, 2005

Allons enfants!

Sun's Robin Wilton is blogging from the Liberty Alliance meeting in Chicago and today posted about a workshop on Identity Theft he attended. After stating that he "was pleasantly surprised at how much momentum there is behind the ID Theft initiative," he mentions one part of a possible solution broached by the group:

"It seems clear, even after a day of mostly US-oriented discussion, that ‘Data Controllers’ are vital in both theory and practice. In theory, because defining the responsibilities of a data controller looks like the best way to start setting out a clear and comprehensive range of ID Theft guidelines; in practice, because there is already a body of expertise and experience (most notably across Europe) about how the data controller role can be executed to good effect."

To my friends at the Liberty Alliance: HAVE YOU NOT BEEN LISTENING?

A major theme at last week's Catalyst Conference, attended by many Liberty Alliance members, was the rise of user-centric identity: each user as the controller of their own data.

Most identity theft is accomplished through old-fashioned fraud or new-fashioned dumpster-diving followed by authentication fraud. It's just a modern twist on the old bunko, a con game with a wider range of victims. Putting users in control of their own data, and requiring them to approve and verify its dispersal, could cut a majority of this fraud. Making lending and credit-granting institutions verify their applicants through authoritative sources, with the consent of the user, could wipe out most of the rest of it.

Institutions seem powerless to prevent the fraud from happening, or are simply reluctant to take the steps necessary. Users have a much bigger stake. Empower them to protect themselves. LID, Sxip and other user-centric identity schemes are not, as yet, fully baked, but they are showing the way.

User-centric identity is an idea whose time has come; it's time that the corporate world recognized it.

This is something that struck me the other day when writing about something else. I'm currently working on an Identity Management and Role-Based Access system for a University in the UK, and one of the key concepts we're implementing (besides IdM and RBAC of course) is the concept of 'self service'. This makes life interesting because suddenly every data store in the University (and we've counted more than 25 systems so far, but we know there are more) could conceivably be an authoritative data store when it comes to personal information. (Developing the architectural framework for this is fun too :) )

We want people to be able to change their details in the online contact directory - if they've authenticated of course - and then we want that changed information provisioned back to the core data stores (which then provisions the same information back to the contact directory on the next refresh, of course).

We're providing a framework for personal identity, we're controlling it very strongly, and then we're letting anyone change (almost) anything about themselves - because we believe that the best way to ensure someone's details are correct is to allow them to manage them themselves.

Everyone still has to provide unchangeable personal data - you can't avoid this in a University, or in the corporate world either - but we want to make it as open as possible whilst also controlling it as tightly as possible.

Ideally we'll be able to allow each person to also control the visible set of attributes held about them in our core Identity directory, attributes which are used for federated identity purposes (Shibboleth-style, not Liberty style - we're not sharing any authentication information with anyone...)

Doc, have some comments for you on my blog.

For UOS TOM ... what makes you think the information they self-service provide is accurate? As Bob Blakley pointed out to us all, people lie. They're incented to do so in some cases, dis-incented in others. I'm sure that for a university, the majority tell the truth (otherwise they can't register for class, etc.), but that's not always the case.
Eric -

Self-service doesn't necessarily mean self-verified or self-authenticated. And what Bob Blakley said was that "privacy" was the right to lie about our identity.

For both Eric and Dave: Yes, I agree with you both on the subject of self-service. The point in this instance is not to verify the information that is entered, but to pass the responsibility for the authenticity of the information to the user.

Some information cannot be changed (such as the actual central ID, or their employee number, or their student number, or their network login - all of this is strongly tied together); the only information we will allow to be changed is that which is most often requested to be changed.

And any decision on the part of the staff member/student to enter incorrect information will not affect the IdM system as a whole, nor will it impact on the provision of basic services - the greatest impact it is likely to have is a detrimental one to the person who entered the incorrect information.

So if a staff member wants to enter incorrect contact information (like someone else's phone number), they're quite welcome to - they're only harming themselves :)

hmmm. w.r.t. the remark attributed to Bob Blakley: I don't think "privacy" is the right to lie about one's identity, unless you define lying in strict evidential terms (i.e. not to lie is to tell the truth, the whole truth and nothing but the truth). In that sense, privacy is the right to divulge only selected aspects of one's identity (i.e. to say only true things, but not necessarily all true things, about oneself).

No, Bob definitely meant lie as in tell an untruth: privacy means there's no way for the person being told to verify the truth or falsehood of your statement.

Just to clarify, what I actually said was "privacy is the ABILITY to lie about yourself and get away with it". Every time I have said this, I have STRICTLY forbidden the audience to misquote me by saying "privacy is the RIGHT to lie about yourself". For what it's worth...

Bob, of course, knows best what he said - and, on checking my notes, he did indeed say "ability". The moral is that one should consult one's notes first.
© 2003-2006 The Virtual Quill, All Rights Reserved