
September 24, 2008

Laws of identity - the short version

Kim Cameron's laws of identity have attained a kind of "stone tablet" status in the identity world since their introduction in 2006 but the document in which they first appeared is not necessarily one that everyone is going to read. The appearance of a short version a while back, picking out the essential points of the original into six brief statements, might therefore be of interest - especially for those of you that prefer a "back of the fag packet" kind of approach (<cough>twitterers</cough>).

I repeat their new brevity in full here:

People using computers should be in control of giving out information about themselves, just as they are in the physical world.

The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.

It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.

We need choice in terms of who provides our identity information in different contexts.

The system must be built so we can understand how it works, make rational decisions and protect ourselves.

Devices through which we employ identity should offer people the same kinds of identity controls - just as car makers offer similar controls so we can all drive safely.

Good stuff. These make a lot of sense to me. I have a very slight wording issue with the second one, which, following on from the first ("people ... should be in control"), might be better re-phrased in terms of our expectation of services (rather than as a direct command to the user). Something like:

Systems should only require the minimum information needed for the purpose at hand and that information should only be shared with those who need it. Details should be retained no longer than necessary.

The car analogy in the last point is interesting. When I drive a hire car I sometimes find myself wiping the windscreen when I really mean to indicate or flash the headlights but I never find myself hitting the brakes when I mean to hit the accelerator or reverse gear when I mean 5th gear. So, yes, the important things are consistent enough across different car manufacturers that we can drive safely whatever car we get into (even given fairly major differences like left vs. right-hand drive for example).

The usability and security of the identity system overall is similarly bound up in people's understanding of it and the consistency of the user-experience across different parts of the system. On that basis, I think the last two points of the six are quite tightly coupled. Without such an understanding, issues like phishing become much more of a potential threat. There is a slight danger that the last point will discourage innovation in the identity space but, on balance, I think that is a risk worth taking.

