Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, July 23, 2007

On Identity Information and “Sticky Policies” …

A recent post by Paul Madsen (Stuck on Band-Aids, 'cause Band-Aids ...) highlights an “extreme” (and curious) case where user consent and user control are required to deal with “personal information”. Without going into these extreme situations … more control is indeed required over “personal data” collected and stored by organisations.
Today a lot of emphasis is on “front-end” issues, i.e. how to convey personal attributes and information (for example via InfoCard or OpenID references or Liberty Alliance ID-FF mechanisms) from one entity to another, how to smoothly enable SSO, etc. All important aspects, of course, but … there is much less “interest” in what happens afterwards, i.e. once identity information has been extracted from various “credentials/tokens” and stored in standard enterprise data repositories … Enterprise Identity Management solutions focus primarily on identity provisioning and lifecycle management, “identity information” storage and its usage for authentication and access control. Identities are often stolen or misused, people’s preferences are not taken into account, privacy is violated. Privacy management and enforcement is still a green field.
Users (data subjects) should be enabled (upfront) to express their consent on how their data should be used, for stated purposes: these preferences (and related policies) should be considered an integral part of users’ personal data, i.e. they should really “stick” with the data. Data can be moved around within an organisation, copied and disclosed to third parties. Policies and preferences should follow …
The “sticky policy” problem is currently overlooked … Of course, dealing with all these issues is a matter of business and risk/cost management, good practices, definition of suitable processes and “Identity Controls” (from which “enforcement” mechanisms can be derived). Identity auditing and compliance checking can help to do the rest … No doubt this is a pragmatic way to go, but it leaves me with the feeling that all this is done with “ad-hoc” approaches, based on good will and understanding of the issues, whilst more systematic approaches and solutions are required …
I am not saying we should go for the “extreme approach” proposed some time ago (Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services), but I believe something “in the middle” is required to enable the management and enforcement of (privacy) policies and to make progress in terms of accountability and (privacy) compliance.