The ability of Internet users to manage identity relationships with diverse organisations is a prerequisite to further development of e-commerce and efficient delivery of government services online. However a rising tide of information security threats, from “phishing” and “spoofing” attacks on the user, to large scale breaches of centralised repositories of identity information, suggests that new approaches are needed which can empower the individual to take more control of how their personal information is used online. For a number of years there has been growing interest in industry and research communities in the concept of "user-centric" identity management systems. Microsoft has proposed architectural principles ("7 Laws of Identity") to support convergence towards an inter-operable, secure, and privacy-enhancing "Identity Metasystem". This new concept presupposes that a single monolithic identity system for the Internet is neither practicable nor desirable. What are the implications for security and privacy of offering individuals greater transparency over how their data is used, and how can this best be achieved?
The 7 Laws of Identity
- User Control and Consent - Technical identity systems must only reveal information identifying a user with the user’s consent.
- Minimal Disclosure for a Constrained Use - The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
- Justifiable Parties - Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
- Directed Identity - A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
- Pluralism of Operators and Technologies - A universal identity metasystem system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
- Human Integration - The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
- Consistent Experience Across Contexts - The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.