More online trust? Collect less data

Businesses harvest more customer information than needed in clumsy efforts to foster online trust, leading to more opportunities for data theft, says Microsoft exec.

SAN FRANCISCO--Businesses are asking for too much personal information from their customers in efforts to create an online "trusted environment" for interaction, and more importantly, e-commerce.

The practice gives rise to more opportunities for cybercriminals to get their hands on users' information through Trojans, spam mail and other malware, noted Stefan Brands, principal architect of Microsoft's identity and access group, in an interview with ZDNet Asia Wednesday. He was speaking on the sidelines of the RSA Conference.

"Trust in the digital space is a tough concept to grapple with, which is why I am advocating for minimal disclosure technology when it comes to verifying identity and authenticating transactions online," he said. "This way, even if things go wrong and information gets stolen, the consequences will be limited, and users can trust the online environment more."

Brands added: "Similarly, if information for, say, a bank account is stolen by cybercriminals, the consequence is limited to just that specific account and it will not result in other losses."

Brands is also the co-creator of the U-Prove technology, which was mentioned by Scott Charney, Microsoft's corporate vice president for Trustworthy Computing, during his keynote speech earlier this week. The software giant bought over Brand's company, Credentica, and appointed him to his current position in March 2008.

Microsoft is currently working with the German government and the Fraunhofer Institute for Open Communication Systems on an interoperability prototype project integrating U-Prove technology with the electronic ID cards that will be issued to all German citizens in November this year, Charney mentioned in his speech.

At the moment, U-Prove is in the form of a downloadable software, Brands revealed, but based on industry feedback and enterprise needs, this technology can be adapted to other form factors. He also pointed out that parts of the U-Prove intellectual property have been released by Microsoft in order to "create an ecosystem community" that will support the growth and adoption of the authentication software.

Creating need-to-know Web
The problem of establishing and verifying a trustworthy identity online can be attributed to Web users--who are invariably strangers in this realm--having to use proxies to determine trust between each other, said Arshad Noor, founder and CEO of StrongAuth, a company that specializes in identity management and compliance workflow management products and services.

A panelist in an RSA Conference session Wednesday titled "Electronic identity: Who are you...and when does it matter?", Noor stated that identity will be "the most important factor in information security" in the near future.

However, the current format of having "standard ID verification" using a set of uniform data fields such as one's date of birth, nationality and gender, among others, will not be feasible in the digital space.

"The components and criteria for verification changes with each online transaction", and organizations should only ask for specific information that will authenticate the individual to transact in this arena, he explained, reinforcing the perspective put forth by Microsoft's Brands.

Ultimately, the issue is not whether having a digital ID is important or not, but how businesses and organizations set up their systems for verifying, authenticating and authorizing the various transactions users conduct online, said Noor.

Kevin Kwang of ZDNet Asia reported from the RSA Conference in San Francisco.