Identity Laws to Live By

At the top of the list is the requirement that the user control and give consent to the disclosure of identity information. That means using a process that is convenient and simple enough to reassure users that they are in control of the identity management process and understand how much they need to disclose, Cameron said. Such processes are likely to succeed and endure because they earn users' trust, he said.

The second law states that an identity system should disclose the minimum of personal information, and only for a limited, well-defined use, according to Cameron. Both users and information systems managers should treat breaches of identity information as inevitable. As a result, the identity verification system that "discloses the least identifying information and best limits its use is the most stable long-term solution," he said. Because less information is disclosed, the information held has less implied value; such systems are therefore a smaller attraction to identity thieves and carry a reduced risk of theft, he said.

The third law states that identity systems must disclose personal information only to parties that have a clearly justifiable need to know. The user must know with whom the information is being shared and must have a clear idea of how it is going to be used. If personal information is going to be used for any purpose beyond identity verification, or to establish a business relationship with an individual, that must be disclosed to the user, he said.

Cameron's seventh law says identity systems need to provide a consistent experience across multiple applications or online networks to make them easy and convenient. But they also have to be sensitive to users' sense of integrity and privacy, he said. For example, a company might provide a standard log-in procedure for multiple corporate applications. But it will likely meet resistance from users if the same log-on also provides access to their 401(k) retirement accounts, Cameron said, because users will feel it is more likely that their employer will gain access to those accounts and discover their investment choices, he said.

"By following the laws of identity we can build an identity metasystem that can be very widely accepted and enduring," he said.

Check out eWEEK.com for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
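The first three laws described above (user consent, minimal disclosure for a constrained use, and release only to justifiable parties) can be enforced mechanically at the point where an identity provider hands claims to a relying party. The following is an added illustration written for this page, not code from the article or from Cameron's metasystem. The relying parties, the user profile, the claim names and the over-21 rule are all constructed for the example; the design point is that the provider answers the relying party's actual question (is the user over 21?) with a derived claim instead of releasing the birth date it is computed from, refuses any claim a party has not justified and the user has not consented to, and keeps an audit trail the user can inspect. The payroll case mirrors the 401(k) anecdote: a single corporate log-on must not let the employer see investment choices it has no justified need for.

```python
"""Minimal-disclosure claims release (constructed example, not the article's code)."""
from dataclasses import dataclass
from datetime import date

# Hypothetical profile held by the identity provider (constructed sample data).
USER_PROFILE = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "birth_date": date(1990, 6, 15),
    "investment_choices": ["index fund"],
}

# Attributes that are never released raw; a derived claim must be used instead.
NEVER_RAW = {"birth_date"}


def _over_21(profile, today):
    """Derived claim: answers 'over 21?' without revealing the birth date (Law 2)."""
    dob = profile["birth_date"]
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return years >= 21


DERIVED_CLAIMS = {"age_over_21": _over_21}


@dataclass
class RelyingParty:
    rp_id: str
    purpose: str          # stated use, shown to the user at consent time (Law 3)
    needed_claims: set    # claims the party has justified; nothing else is released


@dataclass
class Consent:
    rp_id: str
    purpose: str
    claims: set


class ReleaseDenied(Exception):
    pass


class IdentityProvider:
    def __init__(self, profile, parties):
        self.profile = profile
        self.parties = {p.rp_id: p for p in parties}   # registered, justified parties
        self.consents = {}
        self.audit = []   # (rp_id, purpose, claims) for every release the user can review

    def grant_consent(self, rp_id, purpose, claims):
        """Law 1: the user explicitly scopes what a given party may receive, and why."""
        self.consents[rp_id] = Consent(rp_id, purpose, set(claims))

    def release(self, rp_id, requested, today=None):
        today = today or date.today()
        party = self.parties.get(rp_id)
        if party is None:
            raise ReleaseDenied(f"{rp_id} is not a registered, justified party")
        consent = self.consents.get(rp_id)
        if consent is None or consent.purpose != party.purpose:
            raise ReleaseDenied(f"no user consent for {rp_id} / {party.purpose!r}")
        requested = set(requested)
        over_ask = requested - party.needed_claims
        if over_ask:
            raise ReleaseDenied(f"{rp_id} asked beyond its justified need: {sorted(over_ask)}")
        unconsented = requested - consent.claims
        if unconsented:
            raise ReleaseDenied(f"user did not consent to release {sorted(unconsented)}")
        out = {}
        for claim in requested:
            if claim in DERIVED_CLAIMS:
                out[claim] = DERIVED_CLAIMS[claim](self.profile, today)
            elif claim in NEVER_RAW:
                raise ReleaseDenied(f"{claim} is never released raw; use a derived claim")
            elif claim in self.profile:
                out[claim] = self.profile[claim]
            else:
                raise ReleaseDenied(f"unknown claim {claim}")
        self.audit.append((rp_id, party.purpose, tuple(sorted(requested))))
        return out


def demo(today=date(2024, 1, 1)):
    """Runs the constructed scenario; returns a dict of outcome per request."""
    idp = IdentityProvider(USER_PROFILE, [
        RelyingParty("wine-shop", "age check at checkout", {"age_over_21"}),
        RelyingParty("payroll", "employee login", {"name", "email"}),
    ])
    idp.grant_consent("wine-shop", "age check at checkout", {"age_over_21"})
    idp.grant_consent("payroll", "employee login", {"name", "email"})
    requests = [("wine-shop", ["age_over_21"]), ("wine-shop", ["birth_date"]),
                ("payroll", ["name", "email"]), ("payroll", ["investment_choices"]),
                ("unknown-rp", ["name"])]
    results = {}
    for rp, claims in requests:
        key = rp + ":" + ",".join(claims)
        try:
            results[key] = idp.release(rp, claims, today)
        except ReleaseDenied as exc:
            results[key] = "denied: " + str(exc)
    results["audit_entries"] = len(idp.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Only the two consented, justified requests are released and logged; the wine shop never sees the birth date, payroll never sees investment choices, and an unregistered party gets nothing. In a real deployment the consent record would be shown to the user in the same plain terms (party, purpose, claims) rather than buried in a policy document.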