Identity--key to the future
Have you read Robert Ludlum's book The Bourne Identity? Perhaps you have seen the film starring Chris Cooper. You may know the plot - an amnesiac is rescued at sea; nearly dead he carries bullets in his back and a bank account number implanted in his hip. He is the victim of identity theft.
It couldn't happen to you, could it?
According to the Identity Theft Resource Center, an estimated 700,000 to 1.1 million people became victims of this crime in 2001. A Florida Grand Jury estimated that the average identity theft crime costs the business community about $17,000 per victim, which implies a loss of over $11 billion in 2001. On average, victims spend 175+ hours and $1,000 in out-of-pocket expenses to clear their names.
Identity theft can also happen on a more mundane level, which we might refer to as identity exploitation. For example, how much spam mail do you receive? If you are like me, you are inundated. How often do you receive mail that claims you have opted in, when you know you didn't? How often are you "required" to divulge information that you consider irrelevant to the current transaction, and that you know is going to be used for marketing purposes over which you have no control?
A Lou Harris poll found that 94% of Americans think personal information is vulnerable to misuse; nearly 90% of individuals are concerned about threats to their privacy and 78% have refused to provide data to a business because they believe the question was too personal. Their fears are not unfounded. More than ever, the information explosion has led to the expansion of activity that feeds on the inability of consumers to control who has access to sensitive information and how it is safeguarded.
Requirements for identity
Within the software industry, there is a huge effort taking place right now that is focused on establishing new models for managing identity. Most readers will be familiar with the identity wars fought last year, with Microsoft making some tactical errors in its approach to personal data management and the formation of the Liberty Alliance project, which aims to provide open standards around identity management. The reason for this flurry of activity is that identity is at the center of the networked world that is slowly emerging under the umbrella of Web services. So getting a model that works is of paramount importance.
However, it is becoming clear that the question of how we identify ourselves is not as simple as might be presumed at first sight. For example, the software industry and the major e-commerce retailers are strongly favoring single sign-on as a key to identity management. Further, they are assuming that federation of identity will be widely accepted because there are standards and policies on data sharing and privacy.
Supplier vs. consumer needs
To date the Liberty Alliance has been positioned as a white knight, seizing the baton from the forces of darkness and establishing standards around identity for us all that protect our interests. However, these assumptions need to be examined very carefully because they look suspiciously like a supplier's view of the world. This is not surprising: the Liberty Alliance is an alliance of suppliers, and consumers are not represented at all.
As a consumer, I would like to have choice. For example, I don't see single sign-on as a major issue; I might just regard it as a major threat because I don't regard all my sign-ons as having equal security status, and I don't think it makes sense to bring them all under one type of process.
The received wisdom today seems to be that single sign-on is what users want and need, and that collaborations between suppliers in federated networks will provide users with integrated product offerings that simplify transactional interactions. But we suggest that the software industry in its entirety is at serious risk of making some major errors of judgment on the real requirement. For example:
- Why do all my requirements for identification need the same level of protection?
- Why do I need to be identified for every transaction? Sometimes the best security is no security at all!
- What if my identity is stolen?
Need to expose the real requirements
Whilst the Bourne Identity story might be a rather colorful illustration of the issues, theft or exploitation of identity is a very real problem for everyone, both in their role as architect/designer and in their role as network user. The concern we have is that right now standards and infrastructures are being laid down without proper consideration of the real user requirement.
The consumer's perspective is very different from the supplier's. The supplier wants to have maximum information (hopefully managed with sensible privacy safeguards), whereas the consumer wants maximum privacy and minimum disclosure. The solutions being developed assume "standardization", where one size fits all, whereas an optimal solution would be situation-specific.
We suggest that the real user requirement is for privacy, flexibility and particularly choice in the level of risk they are prepared to enter into. Real privacy would allow the user to have control over the expiry date of information they are making available to a supplier. Real flexibility would allow the user to have multiple authentication mechanisms with varying levels of guarantee, and for suppliers to request and rely on mechanisms appropriate to the transaction. But right now these requirements are being overridden in the interests of efficient, standardized commercial arrangements. And whilst the networked world sometimes seems a long way off, it's really only just round the corner, and it's your identity and privacy that's at risk.
Call to action
Read our report (link below) on establishing requirements for identity and then let us have your feedback on how you want to see the basic models evolved in order to establish identity and privacy standards that protect both supplier and consumer interests. We will evolve the models to reflect the input and republish. Feedback please to:
CBDI REPORT -
Establishing requirements for identity
In our Best Practice Report this month we challenge some of the basic assumptions being made in federated identity specifications and systems and provide a framework for users to assess the value and relevance of the various initiatives currently in process. We examine this problem from the ground up and look at the fundamental nature of identity and related data, and illustrate the requirement with some simple but powerful class models of the identity domain. Establishing Requirements for Identity, a CBDI Report available to Silver and Gold members at:
Recent related CBDI Special Report
Component-based security for Web services
In this report Richard Veryard and Aidan Ward analyze Web services security from the perspective of maintaining an intelligent and dynamic response. This report is available for online and immediate purchase. Note there are now special offers for all members. See: http://www.cbdiforum.com/ecommerce/reports.php3
Copyright CBDi Forum Limited 2002. The CBDi Forum is an analysis firm and think tank, providing insight on component and web service technologies, processes and practices for the software industry and its customers.