Data Retention and Privacy
My previous post on distributed identity raised another thought, particularly about the way Gamespy deals with personally identifiable information (thankfully I never registered my credit card details with them!).
Requiring organisations to retain data and information for a lengthy period of time seems to be at odds with a desire for privacy. For example, I really do not want any association with Gamespy, so I requested that all my details be removed from their systems (a request they refused). I can see why a company may not be able to remove details stored on backup systems or data tapes, but why can't they delete or remove my details from live systems?
Of course, this issue only really came about because Gamespy was bought by IGN, who then promptly re-enabled my disabled account, allowing access to it again. I only found out by accident that my account had been re-enabled - and I could, in theory, have been held responsible for misuse of an account I thought had been deleted.
I can now see the need for trusted identity providers to provide a service where personal information is kept live, but is never stored except for immediate backup purposes, where the nightly backup overwrites the previous night's backup.
I'm sure there's lots of good reasons to keep backups for long periods of time, but frankly I'm worried that my personal details (and credit card details, and home address) could be stored by a company long after I've ceased doing business with them, and that could potentially be used by someone else.
I would much rather my personal identity provider could wipe out my details on request. Maintaining the live data in a system like this would also encourage people to ensure the information is kept up to date.
I'm not even terribly worried about my identity provider's systems crashing or being wiped, since that serves a good purpose anyway in destroying any data about me, giving me the opportunity to correct, update or change the data as and when I need.
But there'd be no audit trail, no way of tracing changes to the account, and no way of seeing who made the changes - the first two of which I like a lot, while the last is a challenge for the service provider.
I've just watched a video interview with Kim Cameron, identity architect at Microsoft. I've been reading his blog for a while (as you can see I have it linked on the right), following the discussion surrounding identity, identity systems, protocols and so on.
There's been a lot of discussion about ensuring that identity remains with the individual, whilst at the same time seemingly tying the source of identity to a device. Robert Scoble, the interviewer, at one point remarks (without a single trace of irony) that he'd like to 'store his personal identity information on Windows, where he knows it will be secure'.
A lot of the examples given revolve around storing identity profiles on a portable device (such as a mobile phone) and handing out different identities for different purposes as and when.
My immediate thought (well, not immediate, as it's something I've been cogitating over for a long time now) is: why does there need to be a personal relationship between the identity provider and the identity requester in the first place?
Current thinking, especially around federated identity, is that each organisation you do business with needs to hold some information about you: a username, password, credit card details, whatever. There are notable exceptions to this, such as the nascent PingID; however, my favourite is one espoused by Internet2 and being adopted by higher education - Shibboleth.
In essence, the idea behind Shibboleth is that the organisation you are dealing with never knows who you are, or anything about you, except what you release from a trusted identity store. The difference between this model and Microsoft's Infocards or the Liberty Alliance is that the latter schemes rely on sharing identity information between trusted sources - the federation part - so that your details are available directly to the organisation you are dealing with, whereas Shibboleth allows the individual to specify which identity source to use, which then replies only with specific, limited, non-personally identifying information.
In this scheme I can go to Amazon, attempt to buy something, and instead of logging in to Amazon, I would log in to my own selected trusted identity source (one that Amazon also trusts), which would then tell Amazon 'yes, I know who this person is'. I can then go about my shopping, select what I want, and when it comes time to pay, I can use the same system to select which payment provider to use - again without Amazon ever having to know who I am, record any information about me, or store my credit card details on its own servers.
The main reason for this type of system (called the WAYF - Where Are You From - system in Shibboleth) is that it lets me retain one (and only one) copy of personal data, and lets me select how much information to reveal (or how much not to reveal), or even to not reveal any information at all except a confirmation.
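To make the idea concrete, here is a minimal sketch in Python of the attribute-release principle described above. This is not the actual Shibboleth protocol (which uses SAML assertions over HTTP); the `IdentityProvider` class, the record contents and the release-policy names are all my own invented illustrations. The point it demonstrates is that the relying party only ever receives a confirmation plus whatever attributes the user's policy permits - never the full record.

```python
# Sketch of user-controlled attribute release (hypothetical, not the
# real Shibboleth wire protocol). The identity provider holds the
# user's complete record; a relying party's request is filtered
# through the user's release policy before anything is returned.

class IdentityProvider:
    def __init__(self, records):
        # Maps a username to that user's full attribute record.
        self.records = records

    def assert_identity(self, user, requested, policy):
        """Return a confirmation plus only the attributes that appear
        in BOTH the relying party's request and the user's policy."""
        record = self.records.get(user)
        if record is None:
            return None  # unknown user: no assertion at all
        released = {k: record[k] for k in requested
                    if k in policy and k in record}
        # The relying party learns "this user is known to me" and
        # nothing else beyond the released attributes.
        return {"authenticated": True, "attributes": released}


idp = IdentityProvider({
    "alice": {"name": "Alice", "email": "alice@example.org",
              "affiliation": "member", "card_number": "4111-..."},
})

# A shop asks for everything it can think of; Alice's policy
# releases only her affiliation.
assertion = idp.assert_identity(
    "alice",
    requested=["name", "email", "card_number", "affiliation"],
    policy={"affiliation"},
)
print(assertion)
# {'authenticated': True, 'attributes': {'affiliation': 'member'}}
```

The credit card number and email address never leave the provider, yet the shop still gets a trustworthy 'yes, I know this person' - which is exactly the trade the WAYF model offers.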
Think about it for a moment. If you've ever bought anything online, how many times and to how many different organisations have you given your credit card details? How many of these organisations also have your address so they can deliver your items to you? And how many of these also require you to log in? And have you set a reminder question so you can recover your password? Have you used the same question anywhere else?
Of course, you can request that your personal information be deleted, although some companies (Gamespy for one) point-blank refuse to delete personal information or user accounts, and will only 'disable' the account. (I'm not entirely sure where this leaves issues of liability should the account details be hacked and/or stolen. Someone want to clarify for me?)
Personally I would rather select an identity provider that I trust (and that would delete my details on request) to provide attributed confirmation to remote sites than have to log in directly.