Moving from Organisation-Centred to User-Centred Privacy and Security

Athens.
The trust and security keynote at WebSci '09 is followed by a panel on the same topic, which starts with Kai Rannenberg. He begins by referencing the Internet of Things, and by way of example shows a prototype of a high-tech toilet (a washlet) that monitors the user's health condition on the basis of their, um, bodily products and reports such data to their doctor or other health authorities where necessary. Another key area of new Internet-based services is location-specific and builds on mobile devices to determine location, time, and identity of the user, and of course there is a wider range of datamining-based applications online.

In other words, we have more and more powerful applications covering almost any aspect of life; they are increasingly close to their users, and to what were previously considered to be the privilege of humans. Such advanced applications depend on networks and devices, changing environments,and more and more contextual information; user trust and confidence are crucial for their function, and a multilateral approach to security is therefore necessary.

So far, however, there is too little integration of multilateral service approaches, and great intransparency for users. There is a problematic me-too approach: any data that is used for providing a service must also be available to law enforcement. There is an enforced unification of identities, and we have only weak credentials that therefore need to 'call home' (all the time). Contrary to the offline situation (where documents such as passports operate as stand-alone entities needing no further verification, online there is often a need for an identity provider to be involved to verify the user's identity - and especially where only few such providers exist, those providers are in a position to amass substantial profile data tracking the user's every move across the Net.

There are two sides to the identity management coin. Classical ID management is driven by organisations, which aim to achieve a unified user identity, to ease administration and manage customer relations; their identity management systems simplify single sign-on and solve the problem of having multiple accounts. The user perspective is different, however: people live their lives in different roles (professional, private, etc.) and build up different identities for these purposes. Such differentiated identities help to protect the user's privacy (especially anonymity).

Addressing this in order to reduce the need to rely on centralised identity providers at every step requires policy decisions on part of the organisation which requires user authentication; it needs to determine what level of authentication is required for each transaction. This may empower users to better control their identity data flows, to select from a greater variety of identity authentication providers, and thereby to manage their identities. There is also a need to develop better identity framework architectures, of course. This will help minimise and decentralise user data, and/or centralise such data with users rather than providers, thus further empowering them.

Technorati : WebSci '09, identity, policy, privacy, security, trust
Del.icio.us : WebSci '09, identity, policy, privacy, security, trust