The red herring of data protection

Why do corporations need to store personal data anyway? The real cure for our data loss plague will be individuals taking control of their digital identities. Eric Norlin looks into a federated metasystem future.

The numbers lately have been staggering: 145,000; 13.9 million; 40 million. I'm speaking, of course, of the recent rash of "data loss" -- the innocuous term for "millions of accounts containing personal data being exposed to the wrong eyes." Whether it's MasterCard, ChoicePoint, LexisNexis, Bank of America, Wachovia, Stanford or the University of California at Berkeley, the extent of this problem has quickly become stunning.

Set aside for a moment the debate about why, all of a sudden, we're hearing about all of this. Instead, focus on the reasons behind the data loss: physical tapes lost in transit, hackers, malicious insiders, bad network security practices. Notice that the reasons behind the loss are all over the map. We're told the solution is better network security, better encryption, better corporate safeguards, and better "data protection." Of course, all of these "solutions" are a bit specious, as they're always accompanied by the corporate lawyer caveat, "we cannot guarantee that this won't happen again."

All of this will ultimately result in some bloated piece of federal legislation around "data privacy and protection" that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?

I don't think so.

In the end, this "data loss" problem isn't really about data loss, data protection or data safeguarding at all. That, my friends, is a red herring. The real question to be asked is: Why do all of these corporations need to store all of this personal data in the first place? Why does my credit card company need to store my Social Security number? Why does Amazon need to store my credit card number? Why shouldn't every company store only what I tell them they can store? And why shouldn't the data they store be limited to the minimum they need to conduct business?

Assuming that there's even a smidgen of validity in my line of questioning, the next question becomes how -- how do we go about making the possibility behind these questions a reality?

Enter two concepts: federated identity and the identity metasystem.

Much has been said and written about federated identity, but I'd like to ground it in one simple statement: federated identity is an infrastructure that makes security follow the transaction. It does this by making the identity associated with the transaction "portable" across heterogeneous security domains: one domain asserts who the user is, and another accepts that assertion without holding its own copy of the user's credentials. In short, federated identity (whether the protocol is SAML, the Liberty Alliance's ID-FF or WS-Federation) is building the infrastructure necessary for identities to move around securely.

The identity metasystem is a newer concept, one that has been developed out of what can only be called community conversations around Kim Cameron's weblog (the discussion that produced his "Laws of Identity"). In short, the identity metasystem is a conceptual backplane that would allow the individual to have fine-grained control over which "attributes" or "claims" are presented and/or stored about him, where an "attribute" or "claim" could be anything from birthday to credit card number to favorite color. The identity metasystem is really a framework for individual control and presentation of identity data.

Taken together, federated identity (the infrastructure) and the identity metasystem (the control and presentation) present a fairly complete path by which the true problems of "data protection" can be addressed. These two pieces, taken together, would give individuals control over their digital identity in ways that they have not experienced to this date.

Today, as an end user, when I go to Amazon to make a purchase, they ask for, receive and store my credit card number. In a future of federated identity and the identity metasystem, I would go to Amazon to make a purchase and grant Amazon permission to seek a one-time use of my credit card. That permission could be presented to my credit card company, which could then charge my account. Amazon would no longer need to store (or even see) my credit card number at all. The caveat is that the permission has to be worth less than the card number it replaces: bound to that merchant and that amount, short-lived, and good for exactly one charge. A reusable, unscoped permission would simply be a new kind of card number for thieves to collect.
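The checkout just described, and the "access without storing or seeing" control of the metasystem, can be modelled in a few dozen lines. This is an added example written for this page, not code from the column or from Ping Identity: a hypothetical issuer mints a permission bound to one merchant, one amount and one use; the merchant presents it; the issuer checks the MAC, merchant, amount, expiry and single-use status before touching the account. The token format (base64 JSON claims plus an HMAC), the merchant names, the signing key and the account number are all constructed for illustration and stand in for whatever claim format a real metasystem would carry.

```python
"""Toy model of a one-time, merchant-bound charge permission (illustrative only)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class Issuer:
    """Hypothetical card issuer: the only party that ever holds the card number (PAN)."""

    def __init__(self, signing_key: bytes, accounts: dict):
        self._key = signing_key      # would live in an HSM in a real deployment
        self._accounts = accounts    # PAN -> balance in cents; never leaves this class
        self._refs = {}              # opaque reference -> PAN
        self._spent = set()          # ids of permissions already charged (single use)

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def balance(self, pan: str) -> int:
        return self._accounts[pan]

    def grant_one_time_charge(self, pan: str, merchant: str, amount_cents: int,
                              ttl_s: int = 300) -> str:
        """Step 1: cardholder asks for a permission scoped to one merchant, amount and use."""
        if pan not in self._accounts:
            raise ValueError("unknown account")
        ref = secrets.token_hex(8)           # opaque handle, not derived from the PAN
        self._refs[ref] = pan
        claims = {"ref": ref, "merchant": merchant, "amount_cents": amount_cents,
                  "exp": int(time.time()) + ttl_s, "jti": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._mac(payload).decode()

    def charge(self, token: str, merchant: str, amount_cents: int) -> tuple:
        """Step 3: merchant presents the permission; every binding is checked first."""
        payload_b64, _, mac = token.rpartition(".")
        try:
            payload = base64.urlsafe_b64decode(payload_b64.encode())
        except ValueError:
            return False, "malformed token"
        if not hmac.compare_digest(self._mac(payload), mac.encode()):
            return False, "bad signature"
        claims = json.loads(payload)
        if claims["merchant"] != merchant:
            return False, "merchant mismatch"
        if claims["amount_cents"] != amount_cents:
            return False, "amount mismatch"
        if claims["exp"] < time.time():
            return False, "expired"
        if claims["jti"] in self._spent:
            return False, "replayed"
        pan = self._refs.get(claims["ref"])
        if pan is None or self._accounts[pan] < amount_cents:
            return False, "declined"
        self._spent.add(claims["jti"])       # consume before debiting
        self._accounts[pan] -= amount_cents
        return True, "charged"


class Merchant:
    """Hypothetical merchant: keeps an order record, never a card number."""

    def __init__(self, name: str, issuer: Issuer):
        self.name, self._issuer, self.orders = name, issuer, []

    def checkout(self, token: str, amount_cents: int) -> tuple:
        ok, status = self._issuer.charge(token, self.name, amount_cents)
        if ok:
            self.orders.append({"amount_cents": amount_cents, "status": status})
        return ok, status


def forge_amount(token: str, new_amount_cents: int) -> str:
    """Edit the amount in an issued permission; the MAC cannot be recomputed without the key."""
    payload_b64, _, mac = token.rpartition(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["amount_cents"] = new_amount_cents
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode() + "." + mac


def demo() -> dict:
    # Constructed sample data: one account holding $500.00 and two hypothetical merchants.
    pan = "4111111111111111"
    issuer = Issuer(b"demo-issuer-key", {pan: 50_000})
    amazon = Merchant("amazon.example", issuer)
    other = Merchant("other.example", issuer)
    token = issuer.grant_one_time_charge(pan, "amazon.example", 4_999)   # step 1
    # Step 2: the cardholder hands the merchant the permission, which carries only these claims.
    claims_seen_by_merchant = json.loads(base64.urlsafe_b64decode(token.rpartition(".")[0]))
    return {
        "tampered": amazon.checkout(forge_amount(token, 1), 1),
        "first_charge": amazon.checkout(token, 4_999),
        "replay": amazon.checkout(token, 4_999),
        "wrong_merchant": other.checkout(token, 4_999),
        "wrong_amount": amazon.checkout(token, 9_999),
        "pan_visible_to_merchant": pan in json.dumps(claims_seen_by_merchant),
        "balance_after": issuer.balance(pan),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks in `charge` matters: the MAC is verified before any claim is trusted, the static bindings (merchant, amount, expiry) are checked before the replay set is consulted, and the permission is marked spent before the balance moves, so a crash between the two leaves the account undebited rather than the permission reusable.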

In a federated metasystem future, I could have control over which attributes are stored where. I could grant permission to companies to access attributes without storing (or, in some cases, even seeing) them. And I could decide which portions of my digital identity would be presented in which contexts.

In a federated metasystem future, we would have laid the necessary digital plumbing to make security follow each and every transaction -- and we would have done so by giving individuals control over the presentation of their identities.

In a federated metasystem future, we would be a lot closer to a web of electronic commerce that protected you, me and the companies we interact with.

In a federated metasystem future, we would have actually moved toward solving the problems around personal data. In the meantime, however, we'll hear a lot about "data protection," "corporate safeguards," and "legislative initiatives."

Eric Norlin

[Editor's Note: Eric Norlin has been involved in federated identity since he joined Ping Identity 19 days after Andre Durand founded it. Ping Identity has gone on to become a leader in federated identity and an early mover around the Identity Metasystem - demonstrating an open source Java version interoperating with Microsoft's InfoCard implementation at the May 2005 Digital ID World.]