07.08.2010 by Tim Cole
The Internet, like an elephant, never forgets.
Unfortunately, it also never forgives, as witnessed by the case of Stacy Snyder, a 25-year-old former student at Millersville University School of Education in Pennsylvania, who wanted to become a teacher. Until the day she went to a party and had her picture taken drinking from a plastic beaker and wearing a pirate hat.
The picture found its way onto MySpace, where it was seen by a professor who thought it decidedly unfunny. In fact, he was so incensed that he informed the school authorities who refused to grant the young woman the diploma she had earned, stating that her conduct was “unprofessional” and that she had, albeit indirectly, encouraged young people to drink. Stacy went to court, arguing that the school had infringed on her right of free speech under the First Amendment, but a federal judge threw her case out.
All this happened back in 2007, but it is quoted at length in Viktor Mayer-Schonberger’s book “Delete: The Virtue of Forgetting in the Digital Age”, and it provides an extreme example of how rash behavior can come back to haunt you in the Digital Age. The author pontificates at length about the need for parents to teach their kids to behave responsibly when online (as if the cyber kids are going to listen to old fuddy-duddies like us).
However, the book becomes more interesting when Mayer-Schonberger starts to talk about the basic right to informational self-determination, quoting human rights activists who are calling for legislators to force social networks like Facebook and MySpace to give their users the ability to delete things that they put online or that contain personal information about them. According to a study by the University of California, Berkeley, 88 percent of Americans between 18 and 22 support such demands. 62 percent would like someone to force online operators to reveal what information about them they have stored.
Another idea Mayer-Schonberger discusses is the concept of a “digital expiration date”; a technical system that would automatically erase personal data after a certain time. He doesn’t go into any detail about just how long this digital half-life period should be, but assumes that the experts will sort out the details.
Of course, he realizes just how tricky the proposition would be. Even if lawmakers in individual countries were to pass legislation like that, nothing much would happen if web site owners moved their servers across the border. And while the European Union in their impenetrable bureaucratic wisdom might conceivably concoct such a scheme, would the U.S. follow suit, given the huge cultural differences on both sides of the Atlantic on privacy issues?
Besides, the whole idea goes against the Zeitgeist, as expressed by Facebook founder Mark Zuckerberg in an interview with TechCrunch, in which he defends the decision to switch the default settings on Facebook profiles to “public”, stating that Facebook was simply reflecting the changes in society. “We decided that these would be the social norms now and we just went for it”, Zuckerberg said.
So is the age of privacy really over? Will we just have to get used to walking around naked, like the king in his new clothes in the children’s fairytale? Or should we all be out there in the streets protesting and demanding better protection of our personal data? I guess that is a decision everyone will have to make for themselves. However, as a society, I think we need to think deeply about some of these questions, since we appear to be standing at an important crossroads. Decisions we take (or avoid) now will almost certainly come back to haunt us, like Stacy Snyder’s photograph.
Mayer-Schonberger raises an interesting point here when he talks about forgetting as a function in society that keeps the entire structure from flying apart. At least it gives individuals who have fulfilled their so-called “debt to society” a reasonable chance of proving that they have truly changed and can now be relied on to behave in a responsible way. In its latest edition, the “Economist” thumps the United States for being the country with the highest rate of incarceration in the world (“Why America locks too many people up”). No other rich country, the editorial sarcastically remarks, is nearly as punitive as the Land of the Free.
Combine these vindictive tendencies with the Internet as a perpetual pillory and you have a nightmare scenario that not even the staunchest friend of online openness and unlimited freedom of speech and information can really want. We need systems that can forgive – and forget.
09.03.2010 by Tim Cole
Who’s pulling the cart on data protection? At least in Germany, that has traditionally been government’s role, and that has made the German regulatory environment one of the fiercest in the world for foreign enterprises and organizations. U.S. companies in particular are often reluctant to engage in the German market for fear of running afoul of the strict laws, but the same actually goes for the EU as a whole. Witness Amazon Web Services’ decision to build two separate clouds, one (based in Dublin) for Europe and another for the rest of the world.
So it may come as a surprise to hear a voice raised in Germany demanding a whole new deal on data protection. Sven Gábor Jánszky is the founder of 2B Ahead, a think tank based in Halle, a backwoods town in the wilds of former East Germany. Presumably that gives him enough time to think deeply about serious issues such as Digital Identity.
His solution may sound simple – let business take care of it – but it isn’t. And especially coming from someone in the typically paternalistic Old Europe, it’s downright seditious.
And what is even more surprising is that ARD, the largest German TV station, gave Mr. Jánszky a spot on its prime time “Tagesthemen” news show to voice his opinion. “We need to reinvent data protection”, he told an audience of millions of German watchers, “and business, especially the IT business, needs to take the lead.”
How often do identity gurus in the U.S. get to air their views on “60 Minutes”?
Anyway, Jánszky thinks that the concept of the state protecting people’s privacy is so 20th century. “They want to share their personal information”, he believes, and it’s the job of business to help them do it in a controlled fashion. He thinks it’s high time the industry takes the lead in creating a system that will allow everyone to distribute personal information freely, but retain a final say in where it goes and how it’s used. For starters, he says, companies should provide users full disclosure on what data about them they have stored. This would be a first step towards establishing a trust relationship, and that is something any company should be interested in. Trust leads to loyalty, and that means return customers and more moola in the till.
The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full consent and oversight of the consumer.
This may not sound exactly new to some within the identity community. But then, has anybody been on national TV lately to espouse their views? The Germans may be behind (or ahead, depending on your point of view) in terms of draconian privacy laws, but at least they have a public discussion going. Wonder where it will finally lead…
21.10.2009 by Tim Cole
How many terrorists work for your company? Dunno? Well, see you in jail, pal!
I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: “We are sacrificing employee privacy on the altar of anti-terrorism.”
It turns out that firms are required by law to check their employees’ names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the Foreign Trade Law, forbids companies from aiding or abetting persons or organizations that endanger national security or the “peaceful coexistence of peoples” in any way – like for instance paying them a salary. Failure to comply with this law carries heavy fines; up to 5 years in jail for the CEO, for instance.
On the other hand, European data privacy laws prohibit routine scanning of personal data without due cause. So if nobody has done anything suspicious lately, running their names past the UN or EU lists is probably illegal in many countries.
Of course, tell that to the families after some nut explodes a vest of dynamite in your company canteen and slaughters a few of your employees.
So yes, companies have to screen their own people, but when exactly? On hiring? What if the employee has a change of heart two or three years later and signs up for the Muslim Brotherhood? Does that mean you have to scan periodically, maybe once or twice a year? And if you live in a country like Germany where the works committee has a big say in these matters, how do you ever hope to convince them?
According to Schultze-Melling, there are loads of even more mundane problems to consider. For instance, Osama Bin Laden would hardly use his real name when joining your company, and probably not even one of the score or so aka’s he is also listed under in the UN list, but would choose an entirely new name instead. How about different spellings? After all, for an Arab speaker, Ahmed Gamdi, Ahmad Al Gamdi, Ahmet Gamdi, and Ahmed Al-gamdi could very well be one and the same guy. There are more than 32 spellings for Libya’s Colonel Gaddafi (or Qadhafi, Kadafi, Gadhafi, Qaddafi, etc.). Are you legally required to check them all?
As if that wasn’t bad enough, you can try telling it to the cops who come to arrest your boss because one of your employees gave to the local chapter of the Holy Land Foundation which funds Hamas or the National Development Front in India that finances Al-Qaeda. The UN and the EU, not to mention the US Department, publish lists of organizations they consider to be affiliates or fund raisers for international terrorists. Unfortunately, hardly any new employee mentions this in his hiring questionnaire, so what should you do? Periodically ask all your people whether they have joined a terrorist organization lately? Maybe hand them the list and ask them to make appropriate check marks. And what if they refuse — do you fire them? Anyway, answering in the affirmative could constitute an act of self-incrimination, so requiring it would itself be illegal in most civilized countries.
Until now, most HR departments have dealt with these questions in the handiest possible way – by ignoring them. Out of about 20 companies represented at the IAPP meeting, among them a few on the Fortune 100 list, only two raised their hands when I asked who has ever conducted a scan for terrorist suspects within their organizations.
My feeling is that this illustrates the legislative confusion surrounding identity and privacy on the governmental level, but it also points out some tough questions that need to be answered by identity pros before we can hope to achieve anything like a balanced approach to the legitimate concerns of citizens, employees and consumers about how authorities and employers handle their personal data on the one hand, and the requirements of businesses, bureaucracies and, yes, terrorism fighters on the other.
27.06.2009 by Tim Cole

The Personal Data Eco-System (diagram by Iain Henderson and Drummond Reed)
Another reason I really love Twitter: It takes you places you might never have found on your own. Take a recent post by xmlgrrl, a.k.a. Eve Maler of Sun Microsystems, a terse pointer to a posting by Iain Henderson of Mydex on rightsideup.net entitled “The Personal Data Eco-System” which provides by far the best theoretical overview that I, at least, have seen on the true nature and function of personal data.
The text is an abstract of a session Iain and his pal Drummond Reed of Concordance, who is also a trustee of identitycommons, held at a recent West Coast VRM Workshop and which is also intended as an introduction to the Kantara workgroup where they hope to explore these scenarios more deeply. The focus of the piece is on what Iain and Drummond describe as “Personal Data Stores”, a slightly confusing term for a kind of data warehouse in which to store all the personal data available about me (or you) so that it can be used for anything from paying a credit card bill to scheduling a doctor’s appointment or even planning a home move.
But where it gets really exciting is when the two start to discuss what kind of data there is about me (or you), what the relationship is between the different kinds of data and how they interact. Basically, they divide all personal data into five categories:
- My Data (information about me that I, and only I, own and control)
- Your Data (information about me that someone else – e.g. an organization or the government – owns and controls)
- Our Data (information about me that is accessible to both me and them, e.g. buyer and seller)
- Their Data (information about me that is owned and sold by third parties such as a credit card company)
- Everybody’s Data (information about me that is in the public domain, e.g. my postal address or an electoral roll)
Iain and Reed have created the absolutely fascinating flower-like Venn diagram pictured above explaining how and where these separate sorts of data intersect to create what they describe as a “Basic Identifier Set” in the middle. This for them is the “core personal identity data”, and they believe it will enable a working “personal identity eco-system” for providing services and ensuring transactions sometime in the future, with the individual functioning as the “un-knowing point of integration” of data about themselves.
They describe in detail the various dynamic flows of data between the different categories, such as from My Data to Your Data where individuals provide information about themselves under certain conditions (think the “tick boxes” on web forms indicating whether I want to receive your newsletter if I buy your product) or from Your Data to Their Data as an organization shares information about me with another organization, something which can happen legally (as in identity federation) or illegally (then it’s called identity theft).
I find the Henderson/Reed Diagram an extremely illuminating intellectual achievement since it illustrates the huge complexity involved in addressing issues of identity, both digital and analog. I’m not so sure whether I agree with Iain’s conclusion and forecast that over time (“in 10 years”) some 80% of customer management processes will be driven from a “My Data” perspective. He argues that the rush for user-generated content, as well as economic reasons, will cause organizations to move to a user-controlled model of identity management.
Well, I’ve been around long enough to know you can multiply a given prognosis involving a ten-year timeframe by a factor of between two and ten and still wind up way out in left field. But I do think they are right in assuming that there is a business case for moving towards user-controlled identity. Whether it will be, as they suggest, that allowing a vendor to mine my Personal Data Store for my consumer habits, and especially my buying intentions, will be incentive enough, or whether the prevalent model will be a simple upfront deal – give me your personal information and I will give you a rebate or cash in hand – I don’t know, but until we find out it might be a good idea to contemplate the wonderfully symmetric flower petals of the identity eco-system diagram and ponder its implications.
01.04.2009 by Tim Cole
In early 2008, I asked my colleagues at Kuppinger Cole + Partner for leave of absence in order to take a “Sabbatical”, a kind of timeout. No, not because of burnout or anything dramatic like that, but rather because distance tends to sharpen your perspective, and I was worried that I was getting too wound up in the nitty-gritty of Identity Management as a specialized field.
As a more or less non-technical person, I had begun to believe that the issues addressed by this industry are much wider than many of us seem to realize. And in order to truly appreciate what is going on I felt I needed to take a step back.
In “Through the Looking-Glass”, Lewis Carroll describes a world on the other side of the mirror which closely resembles our own, but is subtly different. “How would you like to live in Looking-glass House?”, little Alice asks her kitten. While it appears to look just like the world on this side, “it may be quite different on beyond”, she speculates.