UK Public Services Pushing Identity Theft to a new Level

20.11.2007 by Joerg Resch

According to BBC news, UK Chancellor Alistair Darling has admitted the “loss” of 25m records by UK Revenue and Customs: 2 disks containing personal information including names, birth dates, National Insurance Numbers and bank account details of 25 million people, essentially all families resident in the UK with at least one child under 16. He added that there has been no evidence that this data has fallen into the hands of bad guys, but advised those 25 million people to watch their bank accounts.

Translated from political into real-world language, this means that those disks have indeed fallen into the wrong hands, and that most probably some identity theft and fraud activity is already going on.

I don't know much about how UK public services are dealing with IT governance and compliance issues, or whether they are aware of the risks related to large collections of identity information. But I assume that it is not so different to the situation over here in Germany, where governmental institutions

  • are absolutely resistant to any external IT-related expert advice
  • have little or no internal expertise in that field
  • always insist on having access to any kind of data collection, even if it does not make any sense and even if they do not have the manpower to extract identity information from that data

Sad enough but true – governments themselves are amongst the biggest threats to modern civilization.


Bye Bye CRM

12.10.2007 by Joerg Resch

At this year's Digital ID World in San Francisco, Doc Searls held a keynote on Vendor Relationship Management (VRM), a concept he has been contributing to as a Harvard (Berkman Center) fellow. According to Doc, VRM is the inverse of Customer Relationship Management (CRM) and provides methods and tools for individuals to deal with customers.

VRM, while still quite early in its evolution, is definitely extremely interesting, as it is one of the first initiatives to look into what can be done on top of User Centric Identity, besides decentralized authentication and some kind of Web-SSO. VRM puts customers into the lead position, and thus improves the relationship between demand and supply.

On the VRM mailing list, which is very interesting to listen to, there has been some discussion around the question of who actually owns identity-related information. I posted the following contribution:

Information cannot be owned

I would like to point to the fact that information cannot be owned, because it is not a kind of object which may be attributed to a subject by law (which itself is information as well). There is a very good publication about the ownership of information from Jean Nicolas Druey: http://cyber.law.harvard.edu/home/uploads/339/Druey.pdf

So, talking about the persistence and flow of identity information between parties and through market places, we should not try to think that we can own that information. If I understand the VRM discussion and the concept of user centric identity right, it is about creating a more balanced position between parties taking part in whatever market place, where some kind of “rules layer” on top of the information layer gives me the power to influence its flow. I'm not the owner of my doctor's diagnosis, even if it concerns me. But I may have some rights influencing the distribution of this diagnosis, because it affects me. We need a home for these rights, instead of trying to own information.

VRM, as I understand it, is about creating a kind of rules metasystem above or beyond the walled gardens we currently have.


Orange / France Telecom release OpenID Service

26.09.2007 by Joerg Resch

Ariel Gordon and Aude Pichelin from France Telecom (FT) yesterday announced, at the 6th Digital ID World in San Francisco, the release of an OpenID service to their 40 million subscribers. Congratulations to the OpenID community for this big success. It is not surprising that it is FT, with its Orange brand, that is the first company running an internet-scale OpenID service. On the one hand, it's a smart company. They strongly contributed to the emergence of the SAML standard and pushed IBM into the Liberty Alliance some 3 years ago. On the other hand, if there is any industry which can make a business out of running OpenID services, it's the telcos, because they are wired right through to our purses.

But OpenID was only a smaller part of FT's advanced identity management strategy. It consumed less than 3% of their total project budget, so giving it a go shouldn't have been too difficult. The rest of the budget went into something I would call the foundation of the future (post-UMTS) telco business model: converging the management of identities for voice and non-voice services through wireline and wireless, and using the SAML v2 standard to open up the whole infrastructure for plug & play style partnership business.

Telcos on their own haven't been too good at creating services needed or otherwise attractive enough to be broadly used, since they invented SMS. So they need partners to take care of this in order to survive.

Being more and more reduced to an IP tunnel provider, telcos at least should try to make the most out of it by offering a powerful infrastructure for mobile and wireline services. FT have done their homework in an obviously excellent way, clearly focussing on the improvement of the user experience through simplifying sign-on within their SAML-based converged infrastructure. They pull authentication information from the DSL and appliance level, add available user information and use these to provide reliable identities even without forcing users through login and account creation processes.

Ariel described that during downtimes of their identity system, when users are forced to sign on manually, online service sales drop by 50%. Even if this does not necessarily mean that they have doubled sales, because part of those 50% would just return after the service is back up, there seems to be room for a pretty quick return on investment and revenue growth.

I have invited Aude, Ariel and Hervé, the latter one being technically responsible, to come to Munich for next year's European Identity Conference and talk about the latest developments.



© 2012 Joerg Resch, KuppingerCole