Cameron's Laws of Identity foreshadowed today's identity, privacy quagmire

In 2005, industry luminary Kim Cameron penned his Seven Laws of Identity, outlining a hypothesis on how identity and privacy work on the Internet. Today, everything is going as perceived seven years ago, and it's not all bad.
Written by John Fontana, Contributor

The pot that is identity and privacy is getting a vigorous stir these days from the likes of Facebook, Google, Apple, the European Union, the U.S. government, state attorneys general, legal groups, privacy advocates and corporate hiring managers.

It's not at all a surprise to Kim Cameron, who galvanized the industry in 2005 when he authored his "Seven Laws of Identity," a set of scientific hypotheses for an Internet identity layer to protect trust and foster among end-users a sense of safety and privacy.

Cameron's laws are being broken today with an increasing regularity and enthusiasm that gives him reassurance he was on the mark when he wrote them seven years ago.

The reassurance comes from the fact that the counter forces he predicted in 2005 are now taking up positions, including law and policy makers in Europe and the U.S., who are questioning how data collectors handle identity and privacy.

In a one-on-one, question-and-answer session (full transcript here) with ZDNet, Cameron, now a distinguished engineer working on identity at Microsoft, talked about how his laws hold up in today's light, how they provide perspective, and how they may provide guidance to many of the current concerns around user identity, access controls and privacy.

The document detailed definitions of success (or failure) of digital identity systems, and the laws included User Control and Consent: "...Digital identity systems must only reveal information identifying a user with the user's consent..." and Justifiable Parties: "...Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship ..."

In the concluding paragraphs of the document, written with input from a wide swath of industry luminaries, technologists and game changers, Cameron warned those building identity systems to obey the laws or face results "similar to what would happen if civil engineers were to flaunt the law of gravity."

In 2012, Cameron says he sees now what he saw in 2005, only now some people, thankfully, understand the gravity of the current situation.

"You have big initiatives in Europe and the U.S. around consumer protection, privacy and identity just as was predicted in the laws. And government intervention is the result of people breaking the laws," said Cameron. "It's not that I am calling for regulation. I am saying people bring it on themselves when they break the laws of identity. Regulation will depend on how quickly entities with questionable practices respond to the pressure."

Last week, that pressure was evident. Facebook put on hold plans to change its privacy policies, and lawmakers came out with proposals to protect citizens from employers seeking their Facebook passwords.

And Cameron adds it is not just breaking the laws, such as using universal identifiers or collecting information and using it for unintended purposes, but the excessive nature of the violations, such as recent stories of employers asking job prospects for their Facebook log-in credentials (violates Laws 1, 2, 3).

"Issues are still unsolved but the importance of solving them is clearer now to more people; a lot more people than it was in 2005," he said.

Cameron points to a letter state Attorneys General sent to Google questioning the search giant's new privacy policies that went into effect March 1.

"The letter the state Attorneys General sent to Google would have been impossible when I wrote the Laws of Identity," Cameron said. He noted such a level of understanding did not exist in 2005. "A letter of that sophistication, about the technology issues, they understood it all."

He is also encouraged by the Obama administration's National Strategy for Trusted Identities in Cyberspace, an effort to create an "identity ecosystem."

"I am encouraged that it is based on privacy principles," he said.

But enlightenment is not universal. Cameron says it's clear most people today don't grasp the complexity and consequences of distributed identity. "These are big changes and it is very hard for many people to comprehend them."

He says today's public churn around identity and privacy signals change is underfoot, but he can't predict a timetable. "What I didn't understand when I wrote the laws was the time span for these things to happen is very long."

Looking forward, he does predict that today's developments foreshadow milestone-type changes for companies in terms of identity and access management technology - most notably moving to the cloud.

"I see 10 years from now people will subscribe to identity management like they subscribe to telephone service today," said Cameron. Cost and a 10-fold reduction in complexity will create a general global identity service, he says.

As far as the general population understanding all the consequences around their digital persona, he thinks the younger generation will see the light first.

"Even though we say they don't care about privacy, once they get asked about their Facebook account in a few interviews that will answer their 'so what' questions. They are the martyr generation."
