A Single Identity but multiple facets

Posted on February 3, 2011


Anyone who has been online for any period of time will resonate with the reality that online identities are a complex issue, and on a more practical level a nightmare to manage and moderate.

Who out there actually knows what data they have disclosed to whom and who is retaining and leveraging their data for gain?

This issue is not helped by the self-servicing architectures of certain online services and systems that attempt through poor interoperability to lock users into a single environment – Apple iTunes, Microsoft Live, Google, as well as devices that deny flexibility such as:

· Windows Mobile 7 – Unusable without a Windows Live ID to use the device, then locked into that ID, requiring complete re-set to change ID’s.

· Apple iPhone – Constrains users to a single Apple ID.

· Google OS (beta) – Unusable without a Google Account to login with, then locked into that account.

Amongst less well known scenarios.

The reality is that a single online identity is not a practical approach. I detailed issues with the new Windows Mobile 7 in my blog at the end of last year ‘Windows Mobile 7 or is it Version 1.5?’ . Users have multiple facets to their lives; the simplest example possibly being a work and a private context. This separation for many is material for practical and privacy reasons but almost as importantly sanity!

The ever progressive mobile workforce agenda has encroached more and more on home life that to maintain a clear demarcation is even more important today than it ever was for the sustenance of family/private existence. To be able to use a single device or piece of software and present oneself in a business or private capacity without mixing the two is a fundamental necessity in modern life where so much interaction occurs in the digital dimension. After all many of us are likely to change jobs and or even careers, less likely to change our private lives, so re-setting a work profile without impacting a private profile is crucial.

Expanding the thesis beyond an individual’s work and private domains the issue has resonance at an increasingly granular level when considered at an interactive level. Each interaction has at least two parties and as with the real world it is not always desirable to share certain information, or even relevant. For example I do not need to disclose certain private information such as date of birth or even my name when making a purchase on the high-street. So why should individuals be forced to do so online? Furthermore in most interactions online there are more parties involved and worryingly not all those parties may be visible or declared in the interaction, for example advertising trackers and sub-contracted third party service entities that may get full insight into an exchange.

It is on this backdrop that the EU’s ‘Digital Agenda Theme 4; Objective 4.2 – Towards a single European electronic Identification and authentication area’ is tasking the bureaucracy with the establishment of a single EU Digital Identity is fundamentally flawed.

There are well established solutions and regulations in place, integrated and supported by all the leading Operating Systems and recognised by service providers, that can support a more user friendly and user controlled digital identity. These established assets need to be reviewed and harmonised, any gaps filled, and collated into a working scheme that can then be given teeth through regulation.

Instead of re-inventing the wheel the EU needs to slipstream these solutions. This will:

1. Accelerate a resolution to the technical challenging task of Digital Identities.

2. Respect the individual’s right to manage and control their own identity in the digital domain.

The second point noted above demanding the establishment of certain operational principles that need to encompass controls and measures amongst others along the following lines:

a) That of minimal disclosure – Only the minimum information required material to an interaction should be obligatory.

b) Regulatory and or Legislatory obligations – The test basis against which data is qualified to be ‘material’ to an interaction.

c) Tombstoning – Disclosed data would expire and be obliged to be deleted automatically in line with retention periods set in accordance with b) above.

d) Data Retention Extension – In the absence of a defined retention period set by any legislative or regulatory obligation data is to be delete after 12 months unless an ‘Opt-in’ is obtained.

e) Opt-In – The default condition pertaining to all requests for data that are not material to an interaction or subject to an obligatory retention period according to b) above.

f) Cooling off Period – Point e) above would be subject to a mail back confirmation7 days after any data submission which if NOT acknowledge by the data owner data would lead to an automatic defaulting to a 12 month retention and then deletion policy.

g) Accountability – Organisations or individuals capturing data online to maintain an audited infrastructure compliant to Payment Card Industry Standards ( or in the absence of PCI, its replacement) to incorporate:

a. A Trustmark displayed on the home page or software based service dialogue prompt.

b. Trustmark accompanied by a unique registration code linked to a central Compliance Database.

c. Annual compliance audit.

d. Failure at audit:

i. incurring automatic fixed penalty fines

ii. immediate suspension of any services pending resolution.

iii. Failures logged against the compliance database for transparency.

h) Value Exchange – Voluntary disclosure of information for a value exchange (including ‘Free’ service provision) to be subject to annual renewals. Expiration of which without explicit Opt-In renewal obliging the data retainer to immediately deletion that individuals data from their systems.

These are by no means exhaustive in detail or in themselves but start to help shape the thinking as to what the future of a consistent Digital Identity context could look like. One that respects and protects the individual and puts the individual in control and reduces the attack surface and risk of data compromise.

In so doing the attitudes of online corporations may be encouraged to shift from the aggressive and controlling stance that many take today to a new online world of respect. By placing the control back in the hands of the individual within a secure context.