As anyone in the identity industry knows, more lies between America and Europe than just an ocean. In fact, when it comes to privacy and data protection, a wide gulf separates the old and new worlds.
Germany in particular is often perceived as hidebound, not to say paranoid, when it comes to companies collecting personal data about their customers. People are signing up by the thousands to have their houses deleted from Google StreetView, with the mass-circulation “Bild Zeitung” running panic-inducing headlines like “StreetView snoops private data” and warning their readers about “Google’s next attack: Now they’re using bikes to film us!” The German minister of consumer affairs, Ilse Aigner, has publicly urged her fellow citizens to follow her example and cancel their Facebook accounts.
Most Americans I know simply shake their heads and grumble about “unhinged eurocrats run amok”. But unfortunately, it isn’t that simple. For better or worse, American companies need to realize that these are genuine concerns by genuine people. And no matter how lackadaisical US consumers may be when it comes to handing out personal information, the reality is that Europeans are not.
“But isn’t that what Safe Harbor is all about?”, one American identity expert (who shall remain nameless) exclaimed recently when I asked him how he thinks the problem should be addressed. True – but apparently, safe harbors in the US are anything but. That at least is what the so-called “Duesseldorf Circle”, a group of data privacy officials from all German states, stated in a report released last April. They accuse US companies of cheating on the agreement which was reached way back in 2000 between the United States and the EU.
Unfortunately, it also never forgives, as witnessed by the case of Stacy Snyder, a 25-year-old former student at Millersville University School of Education in Pennsylvania, who wanted to become a teacher. Until the day she went to a party and had her picture taken drinking from a plastic beaker and wearing a pirate hat.
The picture found its way onto MySpace, where it was seen by a professor who thought it decidedly unfunny. In fact, he was so incensed that he informed the school authorities who refused to grant the young woman the diploma she had earned, stating that her conduct was “unprofessional” and that she had, albeit indirectly, encouraged young people to drink. Stacy went to court, arguing that the school had infringed on her right of free speech under the First Amendment, but a federal judge threw her case out.
All this happened back in 2007, but it is quoted at length in Viktor Mayer-Schonberger’s book “Delete: The Virtue of Forgetting in the Digital Age”, and it provides an extreme example of how rash behavior can come back to haunt you in the Digital Age. The author pontificates at length about the need for parents to teach their kids to behave responsibly when online (as if the cyber kids are going to listen to old fuddy-duddies like us).
However, the book becomes more interesting when Mayer-Schonberger starts to talk about the basic right to informational self-determination, quoting human rights activists who are calling for legislators to force social networks like Facebook and MySpace to give their users the ability to delete things that they put online or that contain personal information about them. According to a study by the University of California, Berkeley, 88 percent of Americans between 18 and 22 support such demands. 62 percent would like someone to force online operators to reveal what information about them they have stored.
Another idea Mayer-Schonberger discusses is the concept of a “digital expiration date”; a technical system that would automatically erase personal data after a certain time. He doesn’t go into any detail about just how long this digital half-life period should be, but assumes that the experts will sort out the details.
Of course, he realizes just how tricky the proposition would be. Even if lawmakers in individual countries were to pass legislation like that, nothing much would happen if web site owners moved their servers across the border. And while the European Union in their impenetrable bureaucratic wisdom might conceivably concoct such a scheme, would the U.S. follow suit, given the huge cultural differences on both sides of the Atlantic on privacy issues?
Besides, the whole idea goes against the Zeitgeist, as expressed by Facebook founder Mark Zuckerberg in an interview with TechCrunch, in which he defends the decision to switch the default settings on Facebook profiles to “public”, stating that Facebook was simply reflecting the changes in society. “We decided that these would be the social norms now and we just went for it”, Zuckerberg said.
So is the age of privacy really over? Will we just have to get used to walking around naked, like the king in his new clothes in the children’s fairytale? Or should we all be out there in the streets protesting and demanding better protection of our personal data? I guess that is a decision everyone will have to make for themselves. However, as a society, I think we need to think deeply about some of these questions, since we appear to be standing at an important crossroads. Decisions we take (or avoid) now will almost certainly come back to haunt us, like Stacy Snyder’s photograph.
Mayer-Schonberger raises an interesting point here when he talks about forgetting as a function in society that keeps the entire structure from flying apart. At least it gives individuals who have fulfilled their so-called “debt to society” a reasonable chance of proving that they have truly changed and can now be relied on to behave in a responsible way. In its latest edition, the “Economist” thumps the United States for being the country with the highest rate of incarceration in the world (“Why America locks too many people up”). No other rich country, the editorial sarcastically remarks, is nearly as punitive as the Land of the Free.
Combine these vindictive tendencies with the Internet as a perpetual pillory and you have a nightmare scenario that not even the staunchest friend of online openness and unlimited freedom of speech and information can really want. We need systems that can forgive – and forget.
Adobe is a company everybody likes. Okay, with the possible exception of Steve Jobs, that is. But really: Adobe is probably the largest vendor in the IT industry that doesn’t compete head-on with any of the other giants. In fact, cooperation seems to be somehow bred into their genes, which is why the Adobe managers I met with recently in Paris seemed to be exceptionally nice.
But that may change.
Take Sydney Sloan, Adobe’s director of product marketing & operations, who is a typical charming Canadian (except that she’s an expat from the States) and whom I must thank for a wonderful new acronym, “CEM”, which stands for “Customer Experience Management” and is what people at Adobe are very excited about right now. The Paris meeting featured lots of customer cases where companies used tools like Flash, Flex and Air to build standard business applications that offer a compelling “feely/touchy” type of user experience in contrast with the usual drab, utilitarian kind of GUI that makes most business apps about as exciting as a bowl of Weetabix.
Impuls, a major German insurance agency, showcased a rather neat online sales application called “Live Agent Meeting” which enables a company rep to walk the customer through the process of signing up for a new insurance contract online. The client can even “sign” the contract by typing in a password that he or she gets by “scratching” the appropriate field, much like they would a lottery ticket. Digital signage it ain’t, but hey, if it works (in certain restricted use cases), then don’t fix it!
Bureau Veritas, a Belgian certification, auditing and testing specialist that was founded back in 1828 to provide shipping underwriters up-to-date information on vessels and crews, demonstrated a well-designed field reporting system based on the Adobe LifeCycle product that transfers their entire workflow to the web.
France Telecom (or “Orange”, as they now call themselves) showed a set of widgets and apps based mainly on Flash and Air aimed at transforming the customer experience and thus the image of the company from stodgy telephone operator to cool media trendsetter (witness “Voxcards”, a new Facebook app that enables users to festoon their friends’ or their own walls with talking postcards). “It’s silly, it’s totally useless, and it’s running like hell”, said France Telecom’s Patrick Chanso.
While all this was fun to watch and talk about, it wasn’t exactly daring to go where none have gone before. In fact, most of these business applications are simply standard functionality with a snazzy frontend. And that, it seems, is the whole point. “The Internet is moving from content to content built around applications”, said Steve van Herck, VP of EMEA Sales, and Adobe wants to be at the head of that parade.
Which could prove to be a big problem. Adobe, after all, has always been the proverbial Nice Guy; a rather peripheral company that provides neat tools beloved by creative types, but hardly the stuff which real, red-blooded businesspeople want to deal with every day. Adobe is simply not seen as a serious rival by the other IT firms.
But now Adobe is blowing the charge to enter the market for business applications, which may very well prove a wake-up call for giant corporations with which Adobe hitherto enjoyed some very cozy relationships indeed. The Adobe Reader, after all, runs on almost every computer in the world, and Flash enjoys a de facto monopoly – 70% of web games and 75% of web videos run on Flash, boasts Ricky Liversidge, Adobe’s Flash guru who was in Paris to talk about the company’s latest release, Flash 10.x.
Of course, not everyone loves Adobe. There’s Steve Jobs, for instance, who really hates Flash which he considers unsafe, unreliable and – sin of sins! – “proprietary” (as fine a case of the pot calling the kettle black as I ever heard). But at least until now, Apple is the only major IT company on record to fling down the gauntlet.
Existing for decades in a virtually non-confrontational biotope, Adobe may have to develop some calluses if it wants to go up against the Big Boys of business software. That won’t be easy, though. “Competition simply isn’t part of our corporate DNA”, Sydney Sloan told me in the taxi on the way to the airport. Maybe Adobe should consider some genetic modifications.
Adobe’s mission statement may be to “revolutionize how the world engages with ideas and information”, but they are also in the process of changing the way they are seen by the competition. In that case, learning to fight may be a survival skill that many in the company have yet to master.
One of the best-held secrets in the German credit card industry was inadvertently revealed last night at an informal press dinner hosted by Bayern Card Services, an acquirer jointly operated by Bayerische Landesbank and the Bavarian community-owned savings and loan banks (“Sparkassen”). Asked just how much money banks were losing from credit card fraud, Monika Kummer, head of risk management for BCS, blurted out a figure of between 0.2 and 0.3 percent of total card turnover. When pushed for further details, she clammed up, but the genie was already out of the bottle.
After that, the math was simple. BCS handles the card business for about 70 percent of the 438 Sparkassen in Germany and reported total revenues of 16 billion Euros last year, so its member banks pocketed roughly 36 million Euros in fees.
Yeah, that’s peanuts for a banking group that does more than a trillion Euros turnover.
But wait! Most of those 36 million goes to the retailers, who pay anywhere from 3 to 6 percent to the issuing bank. Take off the various fees charged by middlemen such as BCS, and only about 1.2 percent actually remain as bank revenue. So 0.2 percent of the total turns out to be about one-fifth of the money banks earn from their credit card business. Peanuts indeed!
And things could get even worse for the banks if the European Union follows through on its threats to impose strict controls on the so-called interchange fees that banks charge whenever a cardholder purchases something in a foreign country. In Europe, where the next border is never more than an hour’s drive away, people can run up substantial interchange fees, and banks rely on them to boost the gross.
In December 2007, the EU forced Mastercard to submit a new pricing model for its interchange business. In March 2008, it was Visa’s turn when the European Commission opened anti-trust proceedings which could carry a hefty fine.
Finally, in April 2009, Mastercard agreed to temporarily reduce its interchange fees by a significant margin pending a final decision by the European High Court. In return, the Commission promised not to open further proceedings. Whatever the outcome of these legal maneuverings, banks must brace themselves for painful losses. But just how big will they be? Shall we say one percent? If so, then most banks will soon be bleeding money from their credit card business.
In Germany, where most people carry Maestro debit cards around with them, credit cards are still a rarity. In fact, only about 14 percent of all consumers actually own one. That averages out to about 0.6 cards per bank customer, about one-sixteenth of the U.S.
On the other hand, the banking industry strongly believes that the number of credit cards in German wallets will grow enormously in the next few years, so the potential losses will increase, too. Unless, that is, someone comes up with a way to reduce identity theft.
And BCS appears to have a few cards (pardon the pun!) up its sleeves. Monika Kummer reported that BCS is currently testing a system that will automatically send a text message to the cardholder’s mobile phone every time he or she makes a purchase exceeding a stipulated amount. In theory, the cardholder could then immediately ring up their bank and report a fraudulent transaction.
Another neat idea BCS is working on involves allowing customers to block payments from certain countries. If you never plan to travel to Kazakhstan anyway, anyone using your card there would have to be Borat or one of his henchmen, wouldn’t they?
Well, now that we know the dirty little secret about credit cards it becomes clear why banks are so eager to increase consumer awareness on the issue of identity theft. As long as only few Germans actually own and use a credit card, their level of concern will remain low. But if the banks are right and credit cards are on their way to the mass market, things will change. And the sooner the better, I say.
Who’s pulling the cart on data protection? At least in Germany, that has traditionally been government’s role, and that has made the German regulatory environment one of the fiercest in the world for foreign enterprises and organizations. U.S. companies in particular are often reluctant to engage in the German market for fear of running afoul of the strict laws, but the same actually goes for the EU as a whole. Witness Amazon Web Services’ decision to build two separate clouds, one (based in Dublin) for Europe and another for the rest of the world.
So it may come as a surprise to hear a voice raised in Germany demanding a whole new deal on data protection. Sven Gábor Jánszky is the founder of 2B Ahead, a think tank based in Halle, a backwoods town in the wilds of former East Germany. Presumably that gives him enough time to think deeply about serious issues such as Digital Identity.
His solution may sound simple – let business take care of it – but it isn’t. And especially coming from someone in the typically paternalistic Old Europe, it’s downright seditious.
What is even more surprising is that ARD, the largest German TV station, gave Mr. Jánszky a spot on its prime time “Tagesthemen” news show to voice his opinion. “We need to reinvent data protection”, he told an audience of millions of German watchers, “and business, especially the IT business, needs to take the lead.”
How often do identity gurus in the U.S. get to air their views on “60 Minutes”?
Anyway, Jánszky thinks that the concept of the state protecting people’s privacy is so 20th century. “They want to share their personal information”, he believes, and it’s the job of business to help them do it in a controlled fashion. He thinks it’s high time the industry takes the lead in creating a system that will allow everyone to distribute personal information freely, but retain a final say in where it goes and how it’s used. For starters, he says, companies should provide users full disclosure on what data about them they have stored. This would be a first step towards establishing a trust relationship, and that is something any company should be interested in. Trust leads to loyalty, and that means return customers and more moola in the till.
The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full consent and oversight of the consumer.
This may not sound exactly new to some within the identity community. But then, has anybody been on national TV lately to espouse their views? The Germans may be behind (or ahead, depending on your point of view) in terms of draconian privacy laws, but at least they have a public discussion going. Wonder where it will finally lead…
I was talking recently with Joerg Mauz, the CIO of a small German company called Ansmann AG that makes batteries and chargers for laptops and mobile phones. They may be tiny by some standards, but they have a big global footprint, and their 300 people are distributed around the globe from Shanghai to Macau to Stockholm and soon the U.S. as well. I asked him whether he thought Identity Management was a big issue for small companies like his, and he laughed. “They don’t know what it is”, he said, and then added: “Even though they may be doing it themselves already.”
Ansmann is a good case in point: They had been using software provided by Sun Microsystems for years, and their license included the Identity Manager product – but they neither knew nor cared. “We sort of started doing IdM by accident”, he told me.
But when Joerg Mauz decided he needed to start doing e-provisioning to handle the influx of new people in his fast-growing company, and seeing as how his boss wasn’t going to give him any additional budget anytime soon, he took another look at Identity Manager and decided he could get what he wanted more or less for free. All he had to do was ask his system house, Kogit in Darmstadt, to write a few lines of additional code (it eventually paid them for 35 man days), and suddenly he had a neat little workflow that could handle logical and physical assets, anything from mail accounts to company badges, laptops and company cars.
He still doesn’t see himself as doing Identity Management. And if his story is any proof, then IdM vendors and providers would do well to stop trying to sell them something they don’t really understand and that doesn’t terribly interest them in the first place.
Instead, they should focus on solving the problems people really have. And they may go under completely different monikers. That applies especially to the German “Mittelstand”, the thousands of small and medium-sized companies that make up the backbone of the German economy.
How many terrorists work for your company? Dunno? Well, see you in jail, pal!
I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: “We are sacrificing employee privacy on the altar of anti-terrorism.”
It turns out that firms are required by law to check their employees’ names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the Foreign Trade Law, forbids companies from aiding or abetting persons or organizations that endanger national security or the “peaceful coexistence of peoples” in any way – like for instance paying them a salary. Failure to comply with this law carries heavy fines; up to 5 years in jail for the CEO, for instance.
On the other hand, European data privacy laws prohibit routine scanning of personal data without due cause. So if nobody has done anything suspicious lately, running their names past the UN or EU lists is probably illegal in many countries.
Of course, tell that to the families after some nut explodes a vest of dynamite in your company canteen and slaughters a few of your employees.
So yes, companies have to screen their own people, but when exactly? On hiring? What if the employee has a change of heart two or three years later and signs up for the Muslim Brotherhood? Does that mean you have to scan periodically, maybe once or twice a year? And if you live in a country like Germany where the works committee has a big say in these matters, how do you ever hope to convince them?
According to Schultze-Melling, there are loads of even more mundane problems to consider. For instance, Osama Bin Laden would hardly use his real name when joining your company, and probably not even one of the score or so aka’s he is also listed under in the UN list, but would choose an entirely new name instead. How about different spellings? After all, for an Arab speaker, Ahmed Gamdi, Ahmad Al Gamdi, Ahmet Gamdi, and Ahmed Al-gamdi could very well be one and the same guy. There are more than 32 spellings for Libya’s Colonel Gaddafi (or Qadhafi, Kadafi, Gadhafi, Qaddafi, etc.). Are you legally required to check them all?
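The spelling problem described above is usually tackled by normalising names and comparing a phonetic key instead of the raw string. The sketch below is an added example, not part of the original post or of any screening product; the key scheme (Soundex-style consonant classes applied to every letter), the particle list, the one-entry watch list and the staff names other than the four spellings quoted above are assumptions constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Particles that transliterations add, drop or hyphenate at will (assumed list).
PARTICLES = {"al", "el", "bin", "ibn", "abu"}

# Soundex-style consonant classes, applied to every letter including the
# first one, so that G/K/Q and D/T fall into the same class.
CLASSES = {}
for letters, digit in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                       ("l", "4"), ("mn", "5"), ("r", "6")):
    for ch in letters:
        CLASSES[ch] = digit

# Constructed sample data: one list entry, the four spellings from the text,
# and two unrelated staff names.
WATCH_LIST = ["Ahmed Al-Gamdi"]
STAFF = ["Ahmed Gamdi", "Ahmad Al Gamdi", "Ahmet Gamdi", "Ahmed Al-gamdi",
         "Sandy Mead", "Petra Vogel"]
GADDAFI_SPELLINGS = ["Gaddafi", "Qadhafi", "Kadafi", "Gadhafi", "Qaddafi"]


def tokens(name):
    """Fold to lower-case ASCII, split on non-letters, drop particles, sort."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    parts = re.split(r"[^a-z]+", folded.lower())
    return sorted(p for p in parts if p and p not in PARTICLES)


def phonetic_key(token):
    """Digit string of consonant classes; vowels and doubled sounds vanish."""
    key, last = [], None
    for ch in token.lower():
        code = CLASSES.get(ch)
        if code and code != last:
            key.append(code)
        if ch not in "hw":  # as in Soundex, h and w do not split a repeat
            last = code
    return "".join(key)


def name_key(name):
    """Order-independent key for a full name."""
    return tuple(sorted(phonetic_key(t) for t in tokens(name)))


def exact_hits(staff, watch_list):
    """Baseline: case-insensitive string equality."""
    listed = {w.lower() for w in watch_list}
    return [p for p in staff if p.lower() in listed]


def screen(staff, watch_list):
    """Return (person, list entry, similarity) candidates, best first."""
    index = {}
    for entry in watch_list:
        index.setdefault(name_key(entry), []).append(entry)
    hits = []
    for person in staff:
        for entry in index.get(name_key(person), []):
            score = SequenceMatcher(None, " ".join(tokens(person)),
                                    " ".join(tokens(entry))).ratio()
            hits.append((person, entry, round(score, 2)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    print("exact match:", exact_hits(STAFF, WATCH_LIST))
    for hit in screen(STAFF, WATCH_LIST):
        print(hit)
    print({s: phonetic_key(s) for s in GADDAFI_SPELLINGS})
```

The lowest-scoring candidate is a different person altogether, which is why phonetic matches are leads for human review and not verdicts.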
As if that wasn’t bad enough, you can try telling it to the cops who come to arrest your boss because one of your employees gave to the local chapter of the Holy Land Foundation which funds Hamas or the National Development Front in India that finances Al-Qaeda. The UN and the EU, not to mention the US Department, publish lists of organizations they consider to be affiliates or fund raisers for international terrorists. Unfortunately, hardly any new employee mentions this in his hiring questionnaire, so what should you do? Periodically ask all your people whether they have joined a terrorist organization lately? Maybe hand them the list and ask them to make appropriate check marks. And what if they refuse – do you fire them? Anyway, answering in the affirmative could constitute an act of self-incrimination, so requiring it would itself be illegal in most civilized countries.
Until now, most HR departments have dealt with these questions in the handiest possible way – by ignoring them. Out of about 20 companies represented at the IAPP meeting, among them a few on the Fortune 100 list, only two raised their hands when I asked who has ever conducted a scan for terrorist suspects within their organizations.
My feeling is that this illustrates the legislative confusion surrounding identity and privacy on the governmental level, but it also points out some tough questions that need to be answered by identity pros before we can hope to achieve anything like a balanced approach to the legitimate concerns of citizens, employees and consumers about how authorities and employers handle their personal data on the one hand, and the requirements of businesses, bureaucracies and, yes, terrorism fighters on the other.
Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls.
I thought my latest guest, Tom Stewart, CFO of MultiFactor Authentication out of Irvine, CA, would be thrilled, but it turns out he spent two years working for Intel in Munich, so he’s been there and done that. Which is okay, because it gave us more time to get down to basics about his company’s strategy and products.
Tom is in the business of making security tokens obsolete. I know you’re going to hate this if you just gave a pile to RSA or Verisign, but MultiFactor believes that hardware-based strong authentication is poised to go the way of the dodo.
Of course, software tokens have been around for quite a while, but they are often considered to be weaker than hardware tokens, or else they require some fancy PKI architecture to make them safe enough for serious corporate use.
Well, think again, Tom says. His “SecureAuth” system sits inside the firewall and handles full bidirectional X.509 authentication for apps and other systems without any tokens or PKI infrastructure and, more importantly, at a fraction of the cost. The system used to connect the client with your company network is proprietary, but it uses SAML or any other system you want to use to connect to outside applications or SaaS providers. Just how they do it and whether it really works the way they say it does is beside the point here, but readers are invited to visit their website at www.multifa.com for a free online demo and as much nerdy prose as you can stomach. (Tom is a marketing guy, but he is apparently surrounded by a team of true, dyed-in-the-wool techies.)
Personally, my attention perked up when Tom began to describe the way SecureAuth acts as a kind of gatekeeper for Active Directory (in 90 percent of cases, he says) or any other directory service you happen to be running.
This seems especially exciting to me when you consider it in terms of Cloud Computing, where we are seeing a rash of new cloud-based identity services. Bob Blakley of Burton described what he calls the “ability to build a virtual identity provider using a multitude of different services”. At the Catalyst Conference in San Diego a few weeks ago, he expressed his surprise that, unlike what everyone was expecting, providing identity services for the Cloud wasn’t turning out to be “this big monolithic thing”. Instead, the market is building a set of small specialty firms that handle identity tasks and offer discrete billable units that companies can put together. Ping, for instance, integrates PingConnect with Google Apps so a user’s Google ID can be used for single sign-on across some 60 online services.
Sourcing your identity management may appear to make good business sense, but does it really? After all, companies are sourcing just about everything else related to their IT. But Tom believes, and I agree, that identity management is the last thing you want to see going out the door. “As long as you control the directory, you control everything”, he maintains. Letting external service providers make changes or allowing them to make copies of your directory, which some do, is simply asking for big trouble.
My feeling, and it’s nothing more than that, is that companies will be very cautious in moving towards the cloud, choosing a step-by-step approach rather than taking the sudden plunge. As much as small and medium-sized enterprises would love to say goodbye to their IT and concentrate on their core business, they should draw the line at their directory, be it active or otherwise.
In fact, you could probably make a case for keeping only your directory and sourcing everything else, but then what is the poor CIO to do? Anyway, directory services might actually prove to be the Last Man Standing as corporate IT gradually disappears into Cloud-cuckoo-land.
More than 250,000 people have watched “ethical hacker” Chris Paget cruising the streets of San Francisco gathering RFID data from the new U.S. PASS cards and “enhanced” chipped driver’s licenses. All it took him was about $250 for a scanner and an antenna, as well as a piece of software he downloaded from the Internet. The new “e-passports” are now mandatory for U.S. citizens entering the United States from Canada, Mexico, Bermuda and the Caribbean, though conventional passports will be accepted as long as they are valid. Paget was able to read and clone the information of the chips within minutes. While only tag numbers were intercepted, not the personal data on the chip, this is enough to identify and track individuals, which brings us a step closer to my favorite nightmare scenario: As I leave the airport in, say, Tunis or Cairo on my way to a nice sunny vacation I am picked up and followed by jihadists bent on killing any American capitalist swine they can find.
This may not be news to most of us, but what struck me was a comment by Gigi Zenk, a spokeswoman for the Washington state Department of Licensing, quoted in today’s edition of the “International Herald Tribune”, who believes that “Americans aren’t that concerned about RFID” in a time when “tracking an individual is much easier through a cellphone.”
Is this simply a brainless bureaucrat talking twaddle, or is she being cynical? Then again, maybe she has a point: If people did care a lot about “little brother”, as the global surveillance web is now being referred to, wouldn’t they do something about it? Like switch off their mobiles? There have been reports of German tax dodgers being caught because they said they were at home when in fact their phones were in the offices of a bank in Zurich.
In Germany, supposedly a country obsessed with privacy concerns and boasting the strictest data protection laws on the planet, a law calling for issuing RFID-enabled passports passed with hardly a murmur, and they are now gearing up to issue each and every one of their 80-some million citizens a mandatory personal ID card that will also carry a chip.
Maybe cynicism does help. How about this: If everybody is naked, nobody will be bothered by nakedness. Just blend in with the crowd. Implant an RFID chip in every forehead. There’s safety in numbers, after all. Or then again, maybe not…
The Personal Data Eco-System (diagram by Iain Henderson and Drummond Reed)
Another reason I really love Twitter: It takes you places you might never have found on your own. Take a recent post by xmlgrrl, a.k.a. Eve Maler of Sun Microsystems, a terse pointer to a posting by Iain Henderson of Mydex on rightsideup.net entitled “The Personal Data Eco-System” which provides by far the best theoretical overview that I, at least, have seen on the true nature and function of personal data.
The text is an abstract of a session Iain and his pal Drummond Reed of Concordance, who is also a trustee of identitycommons, held at a recent West Coast VRM Workshop and which is also intended as an introduction to the Kantara workgroup where they hope to explore these scenarios more deeply. The focus of the piece is on what Iain and Drummond describe as “Personal Data Stores”, a slightly confusing term for a kind of data warehouse in which to store all the personal data available about me (or you) so that it can be used for anything from paying a credit card bill to scheduling a doctor’s appointment or even planning a home move.
But where it gets really exciting is when the two start to discuss what kind of data there is about me (or you), what the relationship is between the different kinds of data and how they interact. Basically, they divide all personal data into five categories:
My Data (information about me that I, and only I, own and control)
Your Data (information about me that someone else – e.g. an organization or the government – owns and controls)
Our Data (information about me that is accessible to both me and them, e.g. buyer and seller)
Their Data (information about me that is owned and sold by third parties such as a credit card company)
Everybody’s Data (information about me that is in the public domain, e.g. my postal address or an electoral roll)
Iain and Reed have created the absolutely fascinating flower-like Venn diagram pictured above explaining how and where these separate sorts of data intersect to create what they describe as a “Basic Identifier Set” in the middle. This for them is the “core personal identity data”, and they believe it will enable a working “personal identity eco-system” for providing services and ensuring transactions sometime in the future, with the individual functioning as the “un-knowing point of integration” of data about themselves.
They describe in detail the various dynamic flows of data between the different categories, such as from My Data to Your Data where individuals provide information about themselves under certain conditions (think the “tick boxes” on web forms indicating whether I want to receive your newsletter if I buy your product) or from Your Data to Their Data as an organization shares information about me with another organization, something which can happen legally (as in identity federation) or illegally (then it’s called identity theft).
I find the Henderson/Reed Diagram an extremely illuminating intellectual achievement since it illustrates the huge complexity involved in addressing issues of identity, both digital and analog. I’m not so sure whether I agree with Iain’s conclusion and forecast that over time (“in 10 years”) some 80% of customer management processes will be driven from a “My Data” perspective. He argues that the rush for user-generated content, as well as economic reasons, will cause organizations to move to a user-controlled model of identity management.
Well, I’ve been around long enough to know you can multiply a given prognosis involving a ten-year timeframe by a factor of between two and ten and still wind up way out in left field. But I do think they are right in assuming that there is a business case for moving towards user-controlled identity. Whether it will be, as they suggest, that allowing a vendor to mine my Personal Data Store for my consumer habits, and especially my buying intentions, will be incentive enough, or whether the prevalent model will be a simple upfront deal – give me your personal information and I will give you a rebate or cash in hand – I don’t know, but until we find out it might be a good idea to contemplate the wonderfully symmetric flower petals of the identity eco-system diagram and ponder its implications.