Laws of Identity: A conversation with Kim Cameron, Part 1
In 2005, Kim Cameron penned his Seven Laws of Identity, outlining a hypothesis on how identity and privacy should work on the Internet. Today, with turmoil and hope on those fronts, Cameron sits down with ZDNet to talk about identity lawbreakers and policymakers, how he underestimated time, and the logic of adding the right to forget. (Companion story here).
ZDNet: What is the current state of identity today?
Cameron: I would say the state is as predicted, with periods of excessive infraction of the laws, and excellent initiatives by legal thinkers. What I see today is what I saw then only more so. These issues are still unsolved and the importance of solving them is clearer now to more people; a lot more people than it was in 2005. One of the things that has changed is you have policy makers and government thinkers that have become interested; they have realized the importance of all these questions. You have big initiatives in Europe and the U.S. around consumer protection, privacy and identity just as was predicted in the laws. And that government intervention is the result of people breaking the laws.
ZDNet: What do you know now that you didn't know in 2005?
Cameron: What I didn't understand when I wrote the laws was the time span for these things to happen is very long. We are talking about technology that basically will be around forever; it will always be here in some form. So these issues will become more and more significant, and the kinds of dynamics we are seeing, that we predicted through the laws, are going to become more extensive. People will start to realize the concrete consequences of information leakage.
ZDNet: The Laws of Identity predicted that government intervention in identity and privacy would increase, why is that happening now?
Cameron: There are many entities that routinely break various of these identity laws; they use universal identifiers, they collect information and use it for different purposes than were intended, they give it to parties that don't have rights to it, they do it without user control and consent. You can say that makes the Laws irrelevant. But what I predicted is that if you break those Laws there will be counter forces to correct for that. And I believe when we look at recent developments - government and policy initiatives that go in the direction of regulation - that is what is happening. Those developments are providing the counter force necessary to bring behavior in accordance with the laws. The amount of regulation will depend on how quickly entities (Google, Facebook, etc.) respond to the pressure.
ZDNet: Do we need regulation?
Cameron: It's not that I am calling for regulation. I am saying it is something people bring upon themselves really. And they bring it on themselves when they break the Laws of Identity.
ZDNet: You blogged about a letter a collection of state Attorney's General sent to Google about its recent privacy policy change. Why did you call out that letter specifically?
Cameron: The letter the state Attorneys Generalsent to Google would have been impossible when I wrote the Laws of Identity. A letter of that sophistication, about the technology issues, they understood it all. I think a lot of what is happening around identity and collection systems is not comprehendible at this point in time. When I talk to people about how some of these systems actually work they cannot believe it. These are big changes and it is very hard for many people to comprehend them. On the other hand, there are other people who do comprehend them that are involved in the legal and policy world and that is one reason they are very active right now. I don't think it is simple dynamics, it is a political mood, a set of social thinking that emerges and changes the legal framework over time.
ZDNet: Would you add anything to the laws in light of what is going on today?
Cameron: I think I would have made a stronger right to forget. I might have called out the right to be forgotten. There is this thing in Europe; information can be deleted after a period of time. The whole issue of how long information is kept is part of Law 3. I talk about collection of information for constrained use, but I don't specifically call out the need to delete it. I should write an amendment (chuckles). I might have an amendment around the need to phase out personal information over time. Even in North America, technology companies are aware of the fact that they should not keep all information forever. It becomes a potential liability.
ZDNet: Is there something you would omit if you were writing the laws today?
Cameron: In one of the laws, I argued that an individual's experience should be consistent across different sites. When I wrote the laws there was great agreement with most of them, but that one was not so universally accepted; mostly because there is a counter requirement which is the need for people to personalize and differentiate. And that was not adequately addressed in the way I wrote them. I think over the long term, there will be the emergence that makes identity much more automatic, and therefore, much more consistent across applications. And we are seeing efforts such as building identity into the browser in the W3C that is all positive. It is a difficult area. It will happen. But it is a lot harder than I initially thought.
ZDNet: Is there current industry work or standards that you think are pointed in the right direction, working toward the ideal of the Laws of Identity?
Cameron: I am encouraged by NSTIC (National Strategy for Trusted Identities in Cyberspace), and that it was based on privacy principles. I am encouraged by work on trust frameworks like OIX (Open Identity Exchange) and other efforts. There are good things happening with standards, such as OAuth. There is a lot of simplification of the technology. So we are making great progress that way.
Part II coming tomorrow: The IT perspective