In his June 2018 webinar as part of the SSIMeetup group, Daniel Hardman presents an interesting take on digital identity, calling it multi-dimensional and manifesting itself in three separate planes along three separate axes: Relationships, Data or Attributes, and Agents or Proxies.
Agents or Proxies axis
These are the devices, software and services that represent me when I use the Internet; they are effectively acting as my agent or proxy. It is in this category that the proposed digital wallet sits, as its purpose is to negotiate identity-related transactions and connections on my behalf. Consider eBay, for example, which represents me to the seller and the seller to me, handling necessary financial transactions to an acceptable level of security; there is no direct connection between the seller and me.
Attributes or Data axis
Facebook, for example, gathers information about its users, which it uses for a number of commercial purposes, some beneficial to the user and some beneficial to Facebook. In the current federated identity model, Facebook can act as a trusted identity provider by using my authentication data to allow me to sign on to other sites. On the other hand, the Cambridge Analytica scandal shows us that Facebook gathers and uses all sorts of other data relating to us for commercial purposes. They are clearly not impartial or independent intermediaries in these transactions, and the level of trust we should have in them is questionable. One could argue that the true home of a social network should be along the relationships axis.
We are not allowed to take our relationships with us when we opt to extract our personal data from Facebook and other social network providers and store it elsewhere; we are obliged to close down our account. This renders the extracted data useless for maintaining relationships and reinforces the lock-in to provider services. This situation is much like the early days of online banking when the hassle of moving from one bank to another was out of proportion to the benefits achieved; with Open Banking this is no longer the case.
Who knows what about me?
Currently, this question is impossible to answer. In the future I expect my Personal Online Datastore (POD) and digital wallet to keep track of the personal data that I have chosen to share with those with whom I have established personal or commercial relationships.
When they were breached, it took Equifax many weeks to disclose the fact, many more to establish what information had been compromised, and even longer to get round to notifying everyone that their information had been stolen. No one knows where that data is now, but some commentators suspect that the proximity of the breach to other major data breaches, and the fact that this data has not appeared on the dark web, suggest that it has been saved in a huge Chinese data lake and is being used to support espionage operations against the West.
Knowing who knows what about me is a critical factor in the maintenance of the privacy and security of personal data.
Which agent or proxy can represent me?
Answering this question is, theoretically, a little simpler than knowing who has my data, in that I have a relationship with my agent or proxy and should be able to control the release of personal data. This may not always be the case, as the context of the representation is critical. My solicitor may represent me in court but I wouldn’t expect her to speak on my behalf when arranging a holiday. I would expect my doctor to share relevant medical information with a hospital, but I’m a little bit more wary if they are seeking to share the same information with big pharma without the necessary anonymisation controls in place.
Which agent can share what about me?
I don’t expect eBay to share my credit card details with the seller, I don’t expect commercial organisations to share my phone number and address with partner organisations and I certainly do not want metadata from my social media interactions to be shared with advertisers so that they can personalise the adverts I see online.
Greater granularity, detailed configuration and improved contextual analysis are required to maintain continuous control over the sharing of personal information by agents or proxies on my behalf.