
Exploring the science and magic of Identity and Access Management
Friday, March 6, 2026

Mathematicians and Engineers, Identity and Privacy

Identity
Author: Mark Dixon
Wednesday, August 3, 2005
3:30 pm

The Identity and Privacy debate reminds me of an old engineer-and-mathematician
joke.

It seems that an engineer woke up to see a small fire burning in the corner of
his bedroom. He grabbed his fire extinguisher, emptied it on the base of the
flame, observed that the fire was out, breathed a sigh of relief, and went back
to sleep.

A mathematician awoke in a similar situation. Seeing the small fire in the
corner of his room, he carefully considered the fire, contemplated the fire
extinguisher, made some lengthy calculations and proofs, and proclaimed "Aha!"
Then, realizing that mathematics has no practical application, he went back
to sleep.

Most frequently in life and business, we settle for solutions that provide
comfortably practical answers — maybe not as academically pure as our mathematician,
but also not as brutally forceful as our engineer.

At the Catalyst Conference, Bob Blakley, Chief Scientist for Security and Privacy at IBM, argued that Identity
and Privacy are incompatible. He reasoned that truth in identity information
requires that a measure of personal privacy be forfeited. Conversely, if one
wants to preserve his privacy, he must not be forced to reveal the truth about
his identity. Bob put it this way: "Privacy is the ability to lie about
yourself and get away with it."

So, what has this to do with fire, engineers and mathematicians?

If we take the purely mathematical approach (by the way, Bob’s presentation
was entitled "The Logic of Identity"), we may never build workable
systems. One could argue that since the ideal is unattainable, we shouldn’t
try.

If we take the brute force engineering approach, we would require all people
to forfeit Identity Privacy rights, issue National Identity Cards, tattoo personal
ID numbers on everyone’s foreheads and proceed to implement secure, efficient online systems.

I fear that too often, politicians tend to favor brute-force methods while
academics favor theoretical approaches. In reality, enterprises and the Internet
need solutions that just work.

Like most cases, the answer probably lies in the practical middle road. Most
people will probably be content with giving up a little privacy to make online
systems easier to use and reasonably secure. We do it now in the physical world.
We offer up bits of personal information to get driver’s licenses or credit cards.
We’re willing to share personal information to get a loan or register a new
car. If we care to travel internationally, we use passports. Even though we
might argue that giving up personal information is a privacy compromise and
security risk, we do it out of practical necessity.

This seems consistent with Mike Neuenschwander’s observation at Catalyst that we can achieve security only
at the cost of reducing privacy and efficiency. Jamie Lewis stated that the desire for privacy both enables and inhibits IdM.
The need for privacy fuels demand for systems to securely and privately manage
identities, but this very need holds people back because the ideal solution
is not yet available.

We haven’t achieved the correct balance yet. As awareness of online privacy
and identity becomes widespread, the demand for government regulations and correct
business practices increases. In his Catalyst speech, Scott Blackmer highlighted a Harris-Westin survey published in June 2005 claiming
"59% of people say current laws and business practices to protect privacy
are inadequate." Jamie Lewis states that "The Internet lacks sufficient
identity and security infrastructure" to meet privacy and security demands.

Theoretically, the move toward User-Centric Identity Management looks interesting
as a way for individuals to manage their own balance between privacy and Identity. However,
from a practical viewpoint, I wonder whether enough people will take the time
and initiative to take control of their own identities, even if the technology
infrastructure evolves to allow it.

Most of my work is done where the rubber hits the road in Identity Management deployments. Down in the trenches,
we are all about practical, implementable, reliable systems. I’ll be interested
to see how real-life solutions emerge to solve the tension between Privacy and
Identity. Will the solutions be brute force, more purely academic, or, as I
predict, of the more practical, compromise variety?


Privacy through Seclusion

Identity
Author: Mark Dixon
Tuesday, August 2, 2005
6:50 am


Privacy: "a:the quality or state of being apart from company or observation:
SECLUSION b:freedom from unauthorized intrusion <one’s right to privacy>"

In his Network World article today, Dave Kearns drew attention to a blog by Timothy Grayson
reviewing a new Canadian court ruling "that inclusion of marketing materials
in a statement to a client/customer constitutes ‘secondary marketing’ and is
a privacy breach." Wow! So my bank’s stuffing an advertising flier inside
the envelope that delivers my bank statement is an attack on my privacy? I hadn’t
thought of it that way. I suppose I’ve considered the flier to be a waste of
paper and ink as I threw it in the garbage without glancing at what it said,
but I hadn’t considered that my privacy was being compromised.



Somehow, this made me think of high school math class. In the hippie culture of the 1960’s,
it was popular to advocate a "tune in, drop out" culture. My high
school math teacher, Mr. Kissler, teetered on the edge of that philosophy. During
one "math class" he told of a young runaway girl he befriended. She
was convinced that she wanted to drop out of normal society and live off the
land – at least until Mr. Kissler demonstrated how to kill, skin and butcher
cuddly bunny rabbits for food.
Now doesn’t that make you want to sell your house and move to the rain forest?

My advice for someone who doesn’t want to endure the bloody reality of animals
being killed for food — don’t expect to live off the land. Advice for people
who don’t want fliers in their bank statements? Change banks or stuff your money
in a mattress. Drop out of connected society.

I find it interesting that the first of Merriam-Webster’s definitions of privacy
suggests "Seclusion" as a synonym for "Privacy." To the
extent one chooses seclusion from society as a lifestyle and becomes cut off
from interaction with other humans and institutions, he or she can achieve true
privacy. For centuries, hermits have withdrawn from society and lived in caves.

Become a virtual hermit if you wish. But please don’t expect complete freedom
from unauthorized intrusion (the second definition) if you choose to receive
bank statements, use the Internet or function as a non-hermit in the Participation Age.
Throw those pesky intrusive fliers in the trash and get on with life.


Seat Belts and Identity

Identity
Author: Mark Dixon
Monday, August 1, 2005
10:55 am




Sara Gates made an interesting observation during a panel discussion at the recent
Catalyst Conference. She said she didn’t use seat belts until the government
mandated seat belt use. She compared this to enterprises delaying good business
practices (such as Identity Management) until government regulations forced
compliance. Others on the panel, including Prakash Ramamurthy of Oracle and
Frank Auger of Novell, quickly agreed.

Perhaps we can look at it another way, with all due respect to people like
Sara who delayed seat belt use:


Enlightened business leaders choose good business practices because of inherent advantages
in cost containment, efficiency and revenue generation, just like enlightened
drivers use seat belts because of inherent safety benefits. We often call such
enlightened leaders "bellwethers" or "early adopters." Mediocre business leaders follow
their lead only when forced to by external market pressures or, as Sara suggests,
by government edict.



Government leaders, in all their benevolent wisdom, attempt to compensate for poor performance
by creating regulations to protect citizens from themselves and from poor business
practices. Therefore, the prevalence of recent government regulations like the
Sarbanes-Oxley Act is the direct result of poor business leadership, just like
seat belt laws are the result of citizen apathy towards safety.

Can we therefore thank the apathetic and mediocre for the recent growth in the Identity Management market?

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.