Monday, 15 December 2008

Behavior centric identity management

What's the problem with people knowing my identity attributes, my personal data? Okay, not all data are public, but why should I hide my identity? What personal data should I protect?

I have been thinking about this privacy thing a lot lately. Partly because we have to protect privacy stuff by law. But we protect all information; you might say that all privacy data are protected implicitly if we live by our security policy, right?

The reasoning behind my thoughts is that there are several initiatives to use authentication services like OpenID. And I hesitate. And you know, the problem is that I want to keep my behavior private. That's it, I don't mind third parties knowing me, or part of me, but what I do, that's my business. What I do may lead to some status change of my identity, and that may be publicly known, but my behavior is mine.

We have been exploring some identity aspects, and perhaps we will be able to classify security requirements based on identity aspects.
We learned about Identity DNA: fixed attributes, like name, sex, date of birth, even Social Security Number. These data elements will (almost) never change. It is so fixed that it is even public, so why protect the confidentiality aspect?
Next you might talk about Identity Status, information that will change. Like an address, phone number, relationships (even commercial relations, like "customer of", the data that is to be protected because of privacy laws?). Protecting confidentiality might not be needed for all identities by default, but it may be economic to do so.
And then there must be something like Identity Behavior. This must be the most sensitive part of identity data. This is the knowledge part. That's why voting machines are a no-go right now. That's why financial and medical information are valuable. I want to protect this information. I don't care about my identity DNA, can't change that, but the acts of my identity are personal. Publishing my identity status is my responsibility (I can move, or not, get a new job or not), it's public within the context of my identity, but what I do with it is my business.

So much for now, perhaps this is way too academic. But at least I got it off my chest.

Community effort

I'd just like to point to the community project, which aims to be a research portal for information security professionals.
The project was started by a few Dutch enthusiasts, who (in vain) tried to use Wikipedia for knowledge sharing. Because a lot of the knowledge was still in the research phase, Wikipedia could not host the items, so a new wiki was started.

ibpedia got its name from the ib abbreviation: Informatie Beveiliging, Information Security for those who are not familiar with the Dutch language. But there's also a lot of content in English.

The content of ibpedia is published under a Creative Commons license, so it is free to share and add to. Don't hesitate to join the community.