Internet identity faces crisis

Ontario’s privacy chief has warned that the Internet’s identity framework is coming apart at the seams and won’t be able to contain the explosive growth of interactive Web 2.0 applications.

Ann Cavoukian, Ontario’s information and privacy commissioner, presented her argument at an international conference in Toronto last month, hosted by the IAPP (International Association of Privacy Professionals).

Cavoukian’s paper, entitled Seven Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, pushes for an overhaul of the Internet’s identity management system by embedding stricter privacy policies into the existing architecture.

Cavoukian says the Internet’s identity infrastructure is no longer sustainable in the face of spam, phishing and other online fraud.

“Consumer fears are growing and consumer confidence is dropping as a result of online fraud,” she says.

Her Privacy-Embedded Laws of Identity is an outline of what she believes should be done to develop a universal identity authentication and authorization system.

“What’s needed are improved user control, data minimization techniques, privacy protection and stronger security,” says Cavoukian. “The future of security revolves around identity.” Cavoukian argues in her paper that online fraud is threatening to cripple e-commerce.

She says more verifiable identity credentials and much greater mutual trust are required to support the new iteration of the Internet, or Web 2.0, with its intelligent and interactive Web services.

“Identity systems that are consistent with the Privacy-Embedded Laws of Identity will help consumers verify the identity of legitimate organizations before they decide to continue with an online transaction. This should lead to a dramatic reduction in online fraud and deceptive e-mails,” says Cavoukian.

One method to help strengthen the protection of increasingly vulnerable online users is the identity metasystem, she adds.

“The genius of the metasystem is that it seeks to allow interoperability with minimal disruption or modification,” says Cavoukian. “Supporters of Seven Laws and the identity metasystem call this the Identity Big Bang.”

Cavoukian describes the emergence of this identity metasystem as a profound development. “There has never been a more strategic time to ensure that privacy interests are built into the new architecture of identity.”

The commissioner emphasizes that possible solutions are complex, and that further education and awareness are both necessary to address these issues. “Improved methods of site and user authentication should be adopted.”

Cavoukian’s paper aims to identify a clear correlation between the internationally accepted Seven Laws of Identity, developed by Microsoft’s Kim Cameron, and how each law can be directly linked to established privacy principles.

“The Seven Laws empower the users to manage digital identities and personal information online,” says Cavoukian. “Many of the large technology developers and even critics of Microsoft have already signed on to the concept.”

In keeping with the Seven Laws of Identity, Microsoft has developed a “digital wallet” technology that the company hopes will create a more secure method of information exchange.

The technology is consistent with the universally accepted identity metasystem, allowing consumers to minimize their information exposure, and helping retailers to better protect consumer data.

In her keynote address, Cavoukian lauded Cameron’s Seven Laws of Identity as technologically necessary principles of identity management and expressed her support for Microsoft’s user identification system, dubbed CardSpace Identity Selector.

Microsoft Corp. plans to launch CardSpace as a Windows component embedded in the company’s Vista operating system.

CardSpace will allow a user to create multiple virtual ID cards. Each virtual card created by the user will contain only the minimum information that an individual would need to divulge to complete an online transaction applicable to the card.

“The system allows users to create a palette of cards. Users can choose which card they want to use depending on the context of the transaction to be carried out,” explains Cameron, chief identity architect for Microsoft.

The key to the system is that user information does not reside in one location, according to Peter Cullen, chief privacy strategist for Microsoft. “Data about a person is spread out among various institutions. For instance, banking information will be with the banks, while driving information will reside with the appropriate government agency.”

Cavoukian says the identity metasystem diminishes the surveillance and tracking of Internet use and personal information.