Nov 7 2005, responsibility and privacy
The recent public comments by Brad Smith are a further indication of the maturing of the IT industry. In case you missed it, on November 3rd, in a speech delivered to the Congressional Internet Caucus, Brad Smith (senior vice president and general counsel for Microsoft) told members that “the time has come” for a strong national standard for privacy protection that will benefit consumers and set clear guidelines for businesses while still allowing commerce to flourish. Brad set out three reasons why he believed this to be necessary:
In the context of the wider issue of identity, identity theft, ID cards, privacy and security that we've been debating in this blog and elsewhere, ensuring we have a common approach and a model on which digital identity is based is something responsible technologists have been arguing for some time - witness the laws of identity for example. Brad also went on to comment:
“We’ve seen a spate of legislative activity in the aftermath of several highly publicised data breaches, but for consumers, the reality is still pretty daunting. They do not necessarily have a better experience and in many cases still do not clearly understand how companies are collecting, using and disclosing their personal information in the first place. We have to make this more transparent and manageable for consumers.”
Whilst of course the situation with regard to data protection and privacy is somewhat different in the UK (and indeed the wider EU), these issues are relevant to our discussions of the recently published Transformational Government strategy. We know that the growth and professionalism of online security threats are beginning to impact confidence in the Internet as an information, research, communications and commerce resource. This will impact the drive for online public sector services as much as any others.
Citizens need a way to manage their profiles and activity online and the development of a reliable digital identity system is one part of addressing privacy challenges. Such systems need to have strong privacy protections and simultaneously provide much more citizen control online. Equally, we need to recognise the reality enshrined in the "7 laws" that no one provider or technology will dominate. Identity exists across multiple domains and the authentication information and personal information shared needs to be relevant to the domain and context in which it is used. For example, it is unlikely anyone would want to use a credit card for authenticating themselves when filing their tax returns to government. And in any case, to do so would involve a degree of data sharing between government and the financial industry that would break down the security and privacy domains that currently help ensure any breach of security is limited only to the identity domain in which it occurs.
These are interesting times for identity, security and privacy - and I welcome the increasingly public and responsible way in which the debate is now beginning to happen. It is long overdue.
(C) 2004/2005 J Fishenden