Identity Laws to Live

By John Pallatto  |  Posted 2005-05-10 Print this article Print

By"> At the top of the list is the requirement that the user control and give consent to the information disclosure. That means using a process that is convenient and simple enough to reassure users that they are in control of the identity management process and understand how much they need to disclose, Cameron said. Such processes are likely to succeed and endure because they earn the users trust, he said.
The second law states that there should be minimal disclosure of personal information for very limited and targeted use of personal information, according to Cameron.
Both users and information systems managers should consider breaches of identity information to be inevitable. As a result, the identity verification system that "discloses the least identifying information and best limits its use is the most stable long-term solution," he said. The reduced amount of information disclosed means there is less implied value, and therefore these systems present less of an attraction to identity thieves and a reduced risk of theft, he said. The third law states that identity systems must limit disclosure of personal information only to those that have a clearly justifiable need to know. The user must know whom the information is being shared with and must have a clear idea of how its going to be used. If personal information is going to be used for any purpose beyond identity verification, or to establish a business relationship with an individual, that must be disclosed to the user, he said. To read why corporate executives should pay attention to the effectiveness of their identity management systems, click here. Camerons seventh law says identity systems need to provide a consistent experience across multiple applications or line networks to make them easy and convenient. But they also have to be sensitive to users sense of integrity and privacy, he said. For example, a company might provide a standard log-in procedure for multiple corporate applications. But it will likely experience resistance from users if the same log-on provides access to their 401K retirement accounts, Cameron said, because users will feel that its more likely that their employer will gain access to their accounts and discover their investment choices, he said. "By following the laws of identity we can build an identity metasystem that can be very widely accepted and enduring," he said. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

John Pallatto John Pallatto is's Managing Editor News/West Coast. He directs eWEEK's news coverage in Silicon Valley and throughout the West Coast region. He has more than 35 years of experience as a professional journalist, which began as a report with the Hartford Courant daily newspaper in Connecticut. He was also a member of the founding staff of PC Week in March 1984. Pallatto was PC Week's West Coast bureau chief, a senior editor at Ziff Davis' Internet Computing magazine and the West Coast bureau chief at Internet World magazine.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel