cearta.ie

the Irish for rights

The Laws of Identity

The Laws of Identity is the title of an intriguing project which starts from the premise that the internet was built without a way to know who and what you are connecting to, and that this not only limits what we can do with it but also exposes us to growing dangers. The fundamental aim of the enterprise was to construct a formal, and universal, means of dealing with identity online, which could be expressed in a series of Laws of Identity, and which would “define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires”. It is an ongoing process of online discussion, during which the laws have been put forward, thrashed out, and fine-tuned. A recent summary of the outcome of this enterprise stated the following six basic laws:

  1. People using computers should be in control of giving out information about themselves, just as they are in the physical world.

  2. The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.

  3. It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.

  4. We need choice in terms of who provides our identity information in different contexts.

  5. The system must be built so we can understand how it works, make rational decisions and protect ourselves.

  6. Devices through which we employ identity should offer people the same kinds of identity controls – just as car makers offer similar controls so we can all drive safely.

The driving force behind this development is Kim Cameron, Microsoft’s Chief Architect of Identity, a title I have always found very sinister, not only the “Architect of Identity” part (which sounds faintly Stalinist) but also the “Microsoft” part (I have absorbed the online world’s visceral distrust of the works of Redmond, Wash.). But Toby Stevens says on his blog that Kim is an “all round decent chap”. Rules like these can generate an online architecture for digital identity which can both greatly ease technical interoperability and have an important commercial advantage (in working out who can access what kind of information). But, much as I distrust Microsoft, I have to acknowledge that they can also be of great benefit to those whose view of privacy online is that individuals can control the flow of information rather than simply unwittingly leaking too much away as we drive porous vehicles along the information superhighway.

The first principle, therefore, that “people using computers should be in control of giving out information about themselves, just as they are in the physical world” strikes me as the only sensible starting point for this endeavour. The second is a necessary corollary of the first, that the “minimum information needed for the purpose at hand should be released, and only to those who need it” and that “details should be retained no longer than necessary”. These two principles are at the heart of data protection laws the world over, and it would be a matter of great reassurance if they were to be hardwired into the architecture of the internet. Moreover, the fourth principle seems to me to embody a deeper commitment to privacy, allowing us “choice in terms of who provides our identity information in different contexts”. Of course, this is a commitment to the market, but the alternative is monopoly control, whether by a large private corporation or by a state organisation.

It is one thing to embody a commitment to control by the individual; it is quite another to ensure that this happens. If things are too difficult, complicated and time-consuming, people simply won’t engage with them. Hence, the fifth and sixth principles will prove crucial to the success of the enterprise: “the system must be built so we can understand how it works, make rational decisions and protect ourselves” (otherwise, we won’t work the system); and “devices through which we employ identity should offer people the same kinds of identity controls – just as car makers offer similar controls so we can all drive safely” (otherwise, we won’t be able to protect ourselves in the different vehicles we employ as we drive along the information superhighway). Finally, I could not agree more with the third principle:

It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.

These unintended consequences are not unforeseeable. Consider this. If I engage online with a government department which then loses a laptop or data key containing my data, if I have had to provide the department with my unique online identifier, then those who now have the laptop also have every element of my online identity. This principle should ensure that this does not happen. Indeed, in many ways it is the lynchpin of the others; if it were not there, then all the good inculcated by the others could be undone in one fell swoop.

The Laws of Identity may be a matter of the code underlying the internet; they may even be a matter of economic advantage. But they are also an example of (computer) code begetting and embodying (legal) code, and vice versa (code as law, and law as code), and of the interdependence of the legal and technical architectures of cyberspace. And if they work – if they become, in Cameron’s metaphor, as basic to the way the architecture of the internet is understood as the law of gravity is to our understanding of the world around us – then they will go a long way to securing our privacy as well as our identity online.

One Response to “The Laws of Identity”

  1. […] internet moves from its chaotic beginnings to a mature element of everyday life, we need to develop mechanisms to allow us to trust our online […]


Welcome

Hi there! Thanks for dropping by. I'm Eoin O'Dell, and this is my blog: Cearta.ie - the Irish for rights.

"Cearta" really is the Irish word for rights, so the title provides a good sense of the scope of this blog.

In general, I write here about private law, free speech, and cyber law; and, in particular, I write about Irish law and education policy.


Licence


This blog is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. I am happy for you to reuse and adapt my content, provided that you attribute it to me, and do not use it commercially. Thanks. Eoin
