Ontario’s Information and Privacy Commissioner has expressed support for Microsoft’s user identification system dubbed CardSpace Identity Selector.
Microsoft Corp. plans to launch CardSpace as a Windows component embedded in the company’s Vista operating system (OS) expected to roll out in January.
At a press conference Wednesday, Commissioner Ann Cavoukian said Microsoft’s ID system far from compromising user privacy, would protect it. “This is the opposite of Big Brother, this system will prevent surveillance and tracking,” she said.
Cavoukian’s remark appears to be a strong signal that CardSpace has been thoroughly checked out, according to one Canadian e-commerce expert.
“This is a very strong endorsement,” noted Tim Richardson, professor of e-commerce, marketing and international business at the Seneca College and instructor at the University of Toronto.
Richardson noted that public officials do not usually openly endorse a product. “This is a clear indication that officials from Ottawa to the Silicon Valley have been involved in a very careful vetting process.”
Another analyst said the roll out of the system will be welcomed by the online industry. “Any product that focuses on identity management and addresses online fraud will be a good thing for the industry,” said Carmi Levy, senior research analyst at Info-Tech Research Group Ltd. in London, Ont.
Microsoft executives who flanked Cavoukian during the press conference, described CardSpace as an identity metasystem that allows a user to create multiple virtual ID cards. The system itself has been toughened against tampering and spoofing to protect the end user’s identity.
Kim Cameron, chief identity architect at Microsoft, said each virtual card created by the user will only contain the minimum amount of information that individual will need to divulge to carry out a transaction applicable to the card.
“The system allows users to create a palette of cards. Users can choose which card they want to use depending on the context of the transaction to be carried out.”
For instance, Cameron said, if a CardSpace user wants to buy something from an online store, he or she can use a virtual card tagged for credit card purchases. The cards do not contain any data such as social insurance numbers or credit card information that could be used for Internet fraud.
The virtual card will connect the online store to a bank’s system that will vouch for the user’s identity and inform the store if enough funds are available for the purchase, said Cameron.
CardSpace is just one version of the identity metasystem. Microsoft has been working with other companies to develop standards for such this identity management initiative. Many of these efforts were guided by the so-called Seven Laws of Identity formulated through a global dialogue among security and privacy experts led by Cameron.
Levy stated that a move to an identity metasystem would mean “a shift in structure and culture” which could present some difficulties.
Ironically, Microsoft’s own early stab at the technology, dubbed Passport Network did not conform with these laws and was criticized for featuring a single-sign-on system that store a user’s personal information centrally.
The key to the system is that user information does not reside in one location, according to Peter Cullen, chief privacy strategist for Microsoft.”Data about a person is spread out among various institutions. For instance banking information will be with the banks, while driving information will reside with the appropriate government agency.”
Cullen said identity credentials will not reside on a centralized online database but on a user’s own computer.
The system also reduces the amount of information disclosed. For instance, Cullen said. He said the system can be configured to prove a senior citizen is over 65 without requiring that person to reveal all of their other identity information.
Cavoukian said the identify metasystem builds privacy into the architecture of the Internet.
She said it would diminish surveillance and tracking of Internet use and personal information, while “[empowering] users to manage their own identity and decide which personal information they are willing to release.”
On several occasions the information and privacy commissioner had mentioned that businesses flouting privacy laws , as well as the prevalence of online fraud, identity theft and other Web-based scams, such as phishing, have eroded public trust in e-commerce.
She said people’s vital personal information is being bought, sold, stolen and traded online. Cavoukian rued that information already in the hands of online scammers or roaming around in cyberspace cannot be retrieved.
Cameron echoed this view. “Unfortunately, there’s no way to wipe that clean. But we can start to plug the leaks,” the Microsoft executive said.