NYT: Securing Very Important Data, Your Own

The New York Times ran an interesting piece on October 7 called
"Securing Very Important Data, Your Own" by Denise Caruso. Denise gives
some excellent coverage of how our personal information, or "virtual
identities," is increasingly being used by web service providers. She
gives some great examples of how social service providers like Basecamp
are interconnecting services with other services like Facebook. The
article goes on to talk about how governments and vendors are now
moving to pass legislation and develop frameworks such as IGF.

In response, they are coming up with new protocols and frameworks for
collecting, using and governing identity data. Given that virtually all
businesses today collect and use these kinds of data, they aim to shift
the status quo in ways that could help companies both improve their
reputations with customers and avoid the mounting legal liabilities
that now face companies that lose control of customer data.


Mike Neuenschwander of The Burton Group posits an interesting idea to
even the legal balance between corporations and individuals...

"We're in a situation where business holds all the cards,"
said Mike Neuenschwander, vice president and research director of
identity and privacy strategies at the Burton Group, a technology
research and advisory service based in Midvale, Utah. "Businesses put
the deal in front of the consumer, they control the playing field and
the consumer doesn't have any say in how the deal plays out."


One way to change this, he said, is to make people more
like organizations.


To this end, Mr. Neuenschwander and his
colleagues have floated the intriguing concept of the L.L.P.: the
Limited Liability Persona. This persona would be a legally recognized
virtual person in which users could "invest" the financial or identity
resources of their choosing.


Once their individual personas are
created, consumers would be able to use them as their legal "alter
ego," even in financial transactions. "My L.L.P. would have its own
mailing address, its own tax ID number, and that's the information I'd
give when I'm online," Mr. Neuenschwander said. Other benefits include
the ability for "personas" to limit their financial exposure in ways
that individuals cannot.


The proposal by Mike Neuenschwander and his colleagues, including Bob
Blakley, at the Burton Group is an intriguing one, but the idea of the
L.L.P. does not remove the need for precisely stated restrictions and
obligations between parties or corporate entities. Any time someone
reframes a concept, I always hope for an observation that might serve
to simplify the implementation of computing systems. In this case,
while the Limited Liability Persona (LLP) raises some innovative
questions from a legal perspective and may provide end-users
additional rights, it does not change the impact or responsibilities
for enterprises: What does the web site plan to do with personal data,
and how has it been used since it was received? What procedures and
protocols does the site use to secure personal data? Is personal data
persisted on servers or copied to laptops? What other business systems
or partners will have access? Is personal data archived after a fixed
time period? These are examples of the types of policy questions that
the Identity Governance Framework (IGF) addresses using an open and
standards-based format.

For a real-life example, consider the Payment Card Industry initiative,
where the risk created by identity data is mitigated by requiring
additional controls. Once customer credit card numbers began to be
stolen from merchants, the credit card industry mandated compliance
with a set of identity management requirements, including restrictions
on how cardholder data should be managed. Those merchants who do not
meet these requirements will be charged higher fees, as their banks are
required to make additional payments to VISA/AMEX/MC. Some recent
controversy around this is reported by the Associated Press.

A more foundational explanation is found in "Information
Accountability" by Daniel Weitzner et al., who advocate for adoption of
an "information accountability and appropriate use" model for privacy.
This work, from researchers at MIT and W3C, argues that privacy is
closely linked to accountability, and that establishing accountability
mechanisms for entities that handle personal data provides an
appropriate privacy model for the web.

Comments?

Phil Hunt and Prateek Mishra
