Thursday, August 25, 2005

Maturity models for privacy and identity

Greetings and salutations to you all! ;-)

I just read an awesome post on Toby Stevens' blog on his maturity model for privacy. Check it out at http://www.highwest.com/. I thought that I'd share the comment I posted to his blog. Kim Cameron's cross-post was equally enlightening: http://www.identityblog.com/2005/08/19.html

Let me know what you think. I will take a stab at developing a maturity model for identity and cross-reference it to Toby's model. I'll post it to this blog for public comments, especially from the likes of Toby, Kim, Doc, Kaliya, et al. Imho, the industry needs to have these two strands of DNA (identity and privacy) laid out in a map that is digestible and realizable by society, business and governments, without having any individual give up the right to own his/her respective identity and privacy to sensitive information - either dynamic or static, as described in my earlier post......

So on to my comment to Toby's post at http://radio.weblogs.com/0146815/2005/08/22.html

Toby,

Great work on putting together the maturity scale. I believe calling it a maturity model for privacy is important. Privacy translates into protecting against access (authorized or not) to critical, sensitive information that describes a person or a company, whether that information is owned by the person or by the company. In thinking about identity and privacy over the last 6 years, I have concluded that privacy follows from authorization, which in turn follows from authentication. Knowing that privacy has been compromised results from monitoring access and reporting unauthorized viewing by anyone, whether authenticated or not. Authentication relies upon the proper verification of alleged identity - prove to the privacy guard who you are so that your profile can be assessed as to whether or not you have the appropriate rights to access that critical, sensitive information.

Therefore, with my understanding of how to convert identity into access to privacy, I would suggest an addendum to your maturity model:

1. Data Protection
Place the data under the strongest, state-of-the-art lock and key, coupled to an authorization engine that converts identity to a profile and applies policies to access the data.

2. Authentication
This is the complete process of proving identity. Using a set of identifier acquisition systems, the alleged user steps through a number of challenges to prove his/her identity; the required percentage of accuracy must match the level of protection required for the information to remain private, i.e., for certain eyes only for a certain amount of time. This process requires tight coupling to authorization and to reporting/auditing in order for the information owners to know who is accessing what, when, where, why, and how. Once identity is assured (to a certain sigma - from six sigma vernacular), the authentication approval leads to the next section, data sharing. Effective authentication requires a federated identity management ecosystem to exist, where "trust" can be shared among organizations. In turn, federated authentication follows from the trust among these organizations, first from the point of view of culture, then working processes, and finally technology. However, where in federation does the concept of fail-safe lie with respect to authentication? How deep does that trust go, and how deep is it "programmed" into an organization's policies?


3. Data Sharing
This process applies the authentication approval, or credential, to a set of policies that govern the privacy. Now that the system knows exactly who is requesting access, data sharing leverages the authorization policies to determine exactly what portion, if any, of the private information the authenticated user can access, for how long, on what display/device, during which time intervals, and at what location. These are equivalent to the concept of considerations in traditional digital rights management. Moreover, the policies should have a section that assesses whether the authenticated user and/or their role have the "right" to retain a copy, for how long, on what device/display/format, where to store it, etc. An important aspect of data sharing is this retention policy. For example, the biggest problem today in consumer privacy issues is that the consumer is not aware of who or what organization has what portion of their critical and sensitive information, how accurate those copies are, etc. More importantly, there is no mechanism for the consumer to automatically delete the information from these distributed datastores. Data sharing is about control, storage, and aging of critical, sensitive information by and to authenticated users.

4. Data Rejection
Imho, data rejection is a sub-process of data sharing since it is one of the "commands" that result from assessing the access profile of the authenticated user against the sought-after private information. Anonymity is truly impossible if authentication of users to access private information is effective. There is no room for anonymity in privacy data access; however, there are some uses in data sharing, not necessarily privacy, that do not require any or only some identity verification and validation, e.g., accessing news sites, accessing free websites that are offering free access to some product or service, etc. The real question is, "Can anonymity be realized in an all-digital organization, society, government? What place does anonymity have on the Internet?"
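An added illustration, not part of the original comment or of Toby's model: one way to express the data-sharing "considerations" above (portion, device, time interval, location, retention right), the authentication assurance threshold, the audit trail, and the data-rejection outcome as a single policy check. The record type, field names, devices, hours and assurance values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy for one sensitive record, expressed as the post's
# "considerations": portion, device, time interval, location, retention right.
POLICY = {"medical_record": {
    "min_assurance": 0.99,       # authentication confidence required before any sharing
    "fields": {"name", "dob"},   # portion of the record that may be shared
    "devices": {"workstation"},
    "hours": (8, 18),            # permitted local hours: start inclusive, end exclusive
    "locations": {"clinic"},
    "retain": False,             # may the requester keep a copy?
}}
AUDIT = []  # who accessed what, when, where, and the decision

@dataclass
class Request:
    user: str
    assurance: float  # how sure authentication is that the user is who they claim
    data: str
    fields: set
    device: str
    at: datetime
    location: str

def decide(req, policy=POLICY):
    """Return ('share', fields, retain) or ('reject', reason); every decision is audited."""
    rule = policy.get(req.data)
    if rule is None:
        outcome = ("reject", "no policy for this data")
    elif req.assurance < rule["min_assurance"]:
        outcome = ("reject", "authentication assurance too low")
    elif req.device not in rule["devices"]:
        outcome = ("reject", "device not permitted")
    elif not rule["hours"][0] <= req.at.hour < rule["hours"][1]:
        outcome = ("reject", "outside permitted time interval")
    elif req.location not in rule["locations"]:
        outcome = ("reject", "location not permitted")
    else:  # data sharing: only the permitted portion, with the retention right attached
        outcome = ("share", req.fields & rule["fields"], rule["retain"])
    AUDIT.append((req.user, req.data, req.at.isoformat(), req.location, outcome[0]))
    return outcome

def demo():  # three constructed requests: shared (trimmed), rejected on assurance, rejected on device
    when = datetime(2005, 8, 25, 10, 0)
    return [decide(Request("alice", 0.995, "medical_record", {"name", "ssn"}, "workstation", when, "clinic")),
            decide(Request("bob", 0.90, "medical_record", {"name"}, "workstation", when, "clinic")),
            decide(Request("alice", 0.995, "medical_record", {"name"}, "phone", when, "home"))]
```

Note that the first request asks for more than the policy allows and receives only the permitted portion, which is the "data rejection as a sub-process of data sharing" point above.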


Toby, I do hope this helps. I am quite interested in your feedback. I am posting my thoughts on digital identity and privacy on my blog entitled, "Names, traits, and trails" at http://robmarano.blogspot.com. I welcome an open discussion on this.

Best wishes on the EPG. Please let me know how I can be of assistance. I know quite a number of people that would be interested in this both in the UK and the US! I spent almost 8 years in the UK working in infrastructure management in the City...

I totally support your efforts in the need and public definition of a maturity model for privacy and identity. You have my support! I'll start to disseminate this at my monthly meetings on the topics in NYC. I run the NY Digital Identity MeetUp. More info at http://digitalid.meetup.com/3

I'd love to hear your feedback...

Thanks for the opportunity to post to your blog...

Warmest regards,
Rob
--
(I-Name) http://public.xdi.org/=Rob.Marano
++
++ The NY Digital Identity MeetUp Group http://digitalid.meetup.com/3
++

Tuesday, August 16, 2005

Solutions to the Digital Identity and Privacy Conundrum

Part 1 - Introduction to Static and Dynamic Identities

Since I began researching digital identity and the concept of digital privacy in 1999, I have always envisioned a flexible authentication system to be at the heart of every point of interaction online and offline; between people, between people and business, between people and government, and between business and government. The explosive growth of the personal computer and the Internet and, subsequently, Internet culture and commerce, has not allowed society to transpose normal human behavior and practices to the new, all pervasive medium.


During my tenure at PricewaterhouseCoopers (PwC), I ended each conference presentation on emerging technologies with the statement, "With technology there is neither a replacement for a smile nor a frown." What I was getting across to the audience had more to do with helping transform technology into a viable replacement for physical human interaction than with tempering the use of technology. Processes within a business or through a value network require humans to interact with one another to make critical decisions for continued success. Since the first barter many millennia ago, good and continuing business has always included physical recognition, eye-to-eye communication and a bond to complete the transaction. Without recognition, the entire process would never proceed. Therefore, recognition of, and the subsequent authenticity of, the person with whom you conduct business or any type of valued transaction or interaction becomes the cornerstone of the relationship. It establishes trustworthiness between the participants, and trust is built on continued successful interaction for both parties.

Standing in front of a person fulfills the recognition process, otherwise known in IT terms as "authentication." It is a necessary but not always sufficient requirement for interaction. As the value of interaction rises, so too do the methods of recognition, which become both a physical (biometric) and a knowledge challenge/response test. Authentication answers the question, "Is this person truly who they claim to be?" Name, physical presence and traits, and distinguishing physical features, e.g., clothes, shoes, eyeglasses, jewelry, etc., serve as cursory markers as proof of identity. Society considers these traits sufficient in informal, casual interaction.

However, other forms of identity are required to conduct more formal, value-based transactions, such as citizenship, commerce (buy/sell/invest), travel, entertainment, healthcare, and participation in government programs, for example. Value translates into money, social order, or safety and security of life. In order to standardize these forms of identity, governments, organizations, and businesses have issued their own identity cards, which simply connect a signature and photograph or a uniquely distinguishing identifier (bar code) to the organization's branded token, or card; for example, birth certificate, marriage certificate, credit and debit cards, driver's license, passport, loyalty card, stadium ticket, health insurance cards, and Social Security card, respectively. Such identity cards can be defined as static, since they do not change in appearance. New ones are issued based upon a change in status of the service guaranteed by the card issuer. Moreover, these static identity cards almost always have a time value associated with them, giving an expiration date, since the user's unique distinguishing trait may change over time.

As an aside, citizenship by birth is a tough identity to prove with the lack of standardized birth certificates, which is due to the varying formats and policies of each hospital in each county in each state across the country. Moreover, marriage certificates are an important source of identity in several areas: financial records, property ownership, benefactor association, driver's licenses, and passports. For example, if a woman changes her name legally before using her older passport during international travel, national borders have been known to accept the marriage certificate as proof of name change. Is there any way the border agent can verify and validate the authenticity of the marriage certificate, especially when there are no standards among the thousands of municipalities in the country? The US Congress is poised to pass the REAL-ID Act of 2005, which requires states to surrender their regulatory rights over driver's licenses and birth certificates, with no mention of marriage certificates, and excludes applicability to illegal aliens.

Returning to the concept of static identities, it's important to stress that this type of identity is given to a person upon entering or joining a group, organization, business, or state privilege like driving or marriage. Information on the actual use of services - what and when people buy, what they listen to, watch, and eat, and where they go and how frequently - forms the second type of identity, called dynamic identity. As taken from the Merriam-Webster entry for privacy, "Freedom from unauthorized intrusion" or access defines privacy of one's own critical, sensitive, and personal information. It is common for people to share their static identity markers with credit card companies, government agencies, insurance companies, etc., in return for service. However, it becomes an issue of privacy to guard any sensitive information that defines their dynamic identity. This will be addressed in detail in an upcoming installment on this blog, for privacy and identity are two strands that make up the DNA which defines a person - names, traits, and trails (of dynamic information). Both static and dynamic identities serve as access keys to any type of value for every individual. The value can either be represented as goods or as services, both of which are bought, sold, or bartered.

The next installment will focus on how modern IT systems can be transformed to ensure trustworthy identity transactions across business to business, business to government, business to consumer, and consumer to government. I'll begin to detail how these technologies will help solve the problems and reduce the costs of fraud and insecurity, extend trust over the Internet between people, and help to establish and solidify trust across the spectrum of merchants, consumers, and financial service providers, helping to unleash the next generation of Internet-based commerce. It is important to note that a recent Gartner report states online banking and ecommerce have taken a slight dip due to fears of identity theft and credit fraud.

In the new Internet order, consumers will be able to transpose their purchased content across any device of their choosing, for example, from watching a movie on the bus on a mobile device/cell phone to then transposing the movie directly to their TV upon arriving at home, with ease. With technologies that deliver and assure digital identity authentication, mobile service providers can assure Hollywood that piracy would be a thing of the past because every copy of digital content will be associated with a valid, paying consumer. Moreover, consumers will be assured that their critical, sensitive information cannot be used in any type of fraud against them, since the power to control how, when, and why to use their information will rest with them...