Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, July 23, 2007

On Privacy Management and Future R&D Directions …

I believe that Privacy Management is another important area that will shape the future of Identity Management. Too many misuses of personal data, unauthorized disclosures, identity thefts, etc. are happening today because of poor security and weak privacy management practices. The reputation and brand of enterprises, and people’s lives, are heavily impacted and undermined.
Privacy management, at the very core, is about handling, disclosing and managing personal data, user profiles and identities in a way that is consistent with people’s expectations, laws, legislation and enterprises’ guidelines.
From an enterprise perspective, privacy management is still mainly addressed by means of human processes and best-effort approaches that are costly and prone to mistakes. Very little automation is currently available, and integration with current identity management solutions is poor. I believe that more automation is required to cover the following aspects:
Operational aspects: this involves dealing with privacy-aware access control policies (i.e. how to access personal data based on stated purposes, consent, security constraints, etc.) and obligations policies (dictating expectations and duties on data retention, deletion, data transformation, notifications, etc.);
Compliance aspects: how to demonstrate that enterprise processes and identity management solutions are compliant with best practices, guidelines and policies, report on compliance and spot violations. This links to a previous post of mine on Identity Assurance (http://h20325.www2.hp.com/blogs/mcm/archive/2007/03/27/2876.html).
Key requirements include automation, scalability and ease of integration with current identity management solutions and enterprise applications/services. This area is open to innovation and R&D contributions.
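To make the operational aspects concrete, here is a small sketch added for illustration; it is not code from HP Labs or from any product mentioned in this post. It evaluates a request against stated purpose, consent and a requester constraint, and returns the obligations (logging, notification, deletion) attached to the decision. All names, purposes and sample records are hypothetical and constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class PersonalRecord:
    subject: str
    email: str
    collected: date
    consented_purposes: frozenset   # purposes the data subject agreed to
    retention_days: int             # obligation: delete once this elapses

    def expires(self) -> date:
        return self.collected + timedelta(days=self.retention_days)

@dataclass
class Decision:
    allowed: bool
    reason: str
    obligations: list = field(default_factory=list)

# Hypothetical security constraint: which application may claim which purpose.
ALLOWED_PURPOSES = {"billing_app": {"billing"}, "crm_app": {"marketing", "support"}}

def decide(record, requester, purpose, today):
    """Privacy-aware access check: requester constraint, retention, then consent."""
    if purpose not in ALLOWED_PURPOSES.get(requester, set()):
        return Decision(False, "purpose not permitted for requester", ["log_denial"])
    if today > record.expires():
        return Decision(False, "retention period elapsed", ["delete_record", "log_denial"])
    if purpose not in record.consented_purposes:
        return Decision(False, "no consent for purpose", ["log_denial"])
    duties = ["log_access"]
    if purpose == "marketing":
        duties.append("notify_subject")   # notification obligation
    return Decision(True, "purpose and consent match", duties)

def deletion_due(records, today):
    """Obligation sweep: subjects whose records are past retention."""
    return [r.subject for r in records if today > r.expires()]

# Constructed sample data.
ALICE = PersonalRecord("alice", "alice@example.org", date(2007, 1, 10),
                       frozenset({"billing", "marketing"}), 365)
BOB = PersonalRecord("bob", "bob@example.org", date(2006, 3, 1),
                     frozenset({"billing"}), 180)
TODAY = date(2007, 7, 23)

if __name__ == "__main__":
    for rec, app, purpose in [(ALICE, "crm_app", "marketing"), (ALICE, "billing_app", "marketing"),
                              (BOB, "billing_app", "billing")]:
        print(rec.subject, app, purpose, decide(rec, app, purpose, TODAY))
    print("delete:", deletion_due([ALICE, BOB], TODAY))
```

The denial reasons and obligation lists returned here are also the raw material for the compliance aspect: an audit log of them shows which requests were refused and which duties are still outstanding.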
From a user perspective, privacy management solutions are required to help people to better handle their personal data, control their data disclosures and their interactions with organizations. Key requirements are effectiveness in achieving this, simplicity and usability. In particular I believe that work on reputation and trust management can provide a different angle and approach to achieve this, rather than just checking/matching for privacy properties – as done in P3P-based (and related) approaches.
A key role can also be played by future generations of “Identity-Capable Devices” (see current work in Liberty Alliance – Advanced Client Technologies) that can help and assist end-users when interacting with other parties, by assessing the overall interaction context and compliance with built-in policies.
At HP Labs we have been working for a while in the privacy management area. You might be interested in having a look at some of our current results and related technical reports (http://www.hpl.hp.com/personal/mcm/Documents/Documents.htm). Much more work is required…
You might also find some interesting material about work going on in the privacy management space in the EU PRIME project (https://www.prime-project.eu/).