Archive for the “Services” Category

Differences in legal frameworks, payment and logistics solutions are important barriers to cross-border trade in Europe. At an FDIH conference last October, Susanne Czech, secretary general of the European Distance Selling Organisation EMOTA, stated that it may take 10-20 years to completely harmonize the legal framework. An analysis shows that the lack of harmonization results in serious distrust in cross-border trade among citizens.

One way to overcome the slow convergence of the countries' legal frameworks is to add a voluntary agreement layer to level out the national differences. You may think of it as the legal equivalent of the IT professional's Java Virtual Machine. It was suggested that this approach could be marketed through the implementation of a European Trust Mark to supplement the national trustmarks already implemented in several countries.

While such trustmarks are valuable as marketing vehicles to promote the use of best practices, they are of little value in widespread markets where effective reputation systems are not in place. If a traditional local shop violates best practices it will soon be judged by its customers and face the need for a costly move to another location. Currently even national trustmarks fail to provide merchants with a similar incentive to abide by the rules associated with the trustmark.

The problem will remain as long as trustmarks are based on bilateral agreements between individual merchants and the organisation representing the trustmark. A recent ruling from the Danish National Court shows that a merchant's use of trustmarks does not have any legal impact on the relation between the merchant and the customers visiting his website. In the actual case the merchant's use of the trustmark was both unauthorized (no agreement signed) and expressly disapproved by the organisation owning the trustmark.

This is where the upcoming identity providers will play an important role. In a previous entry I have mentioned Vendor Relation Management, which aims at placing vendors and customers on an even playing field. The relationship starts when the customer registers with the IDP. By managing and documenting this agreement process, the IDP may ensure that the mutual agreement between vendor and customer contains appropriate obligations for both parties as well as clearly defined sanctions and procedures for dispute resolution. Therefore it is important for entrants in this field to establish relations with consumer and trade organisations and/or develop federation terms which are aligned with existing “best practices”.

In a dynamic marketplace vendors may change their terms from moment to moment. Hence, without instantly recording any page visited, it can be difficult for a customer to prove which particular version of the terms he was exposed to. The above ruling also shows that such logging is the responsibility of the site visitor rather than the merchant. Just as payment transaction companies like PayPal and DIBS now act as trusted intermediaries with respect to the payment transfer, we will see identity providers filling the need for third party management and documentation of the various elements of any purchase and other agreements entered into between the two parties.
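One way an identity provider could document which version of the terms a customer was shown, given here as an added illustration and not as code from any existing IDP: the IDP stores a keyed receipt over a digest of the terms text. The key, field names, vendor name and terms texts are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real IDP would hold its key in an HSM or KMS.
# An HMAC lets only the IDP verify; a public-key signature would let anyone verify.
IDP_KEY = b"demo-idp-receipt-key"

# Constructed sample terms: two versions a vendor might publish over time.
TERMS_V1 = "Returns accepted within 30 days.\nShipping is free."
TERMS_V2 = "Returns accepted within 14 days. Shipping is free."


def terms_digest(terms_text: str) -> str:
    """SHA-256 over whitespace-normalised text, so reflowing the page does not change it."""
    normalised = " ".join(terms_text.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def _tag(body: dict) -> str:
    """Keyed tag over a canonical JSON encoding of the receipt body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()


def issue_receipt(vendor: str, customer_token: str, terms_text: str, accepted_at: str) -> dict:
    """Record what the customer agreed to at the moment of the agreement."""
    body = {
        "vendor": vendor,
        "customer": customer_token,
        "terms_sha256": terms_digest(terms_text),
        "accepted_at": accepted_at,
    }
    return {**body, "tag": _tag(body)}


def verify_receipt(receipt: dict, claimed_terms: str) -> str:
    """Dispute check: is the receipt intact, and does it cover the terms now claimed?"""
    body = {k: v for k, v in receipt.items() if k != "tag"}
    if not hmac.compare_digest(_tag(body), str(receipt.get("tag", ""))):
        return "tampered"
    if terms_digest(claimed_terms) != body["terms_sha256"]:
        return "different-terms"
    return "match"
```
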

Documented agreements are also a prerequisite for serious reputation management. So there is definitely some catching up to do for Internet Identity Management while the efforts to establish an open interoperable reputation management framework take shape.

… is much more difficult than learning and doing things right in the first place. One of my aspirations for 2008 is to promote the unlearning of bad habits in the area of digital identity.

The missing identity layer of the internet has led people to a digital behaviour completely different from the physical world. Even though proper identity management is now becoming available, it may take years to circumvent what has become normal practice in the digital domain during the past 5-10 years.

In the physical world you typically build trust with your friends over time, gradually sharing more and more personal information.

When you are shopping for a specific commodity, you are only concerned with the quality of the item relative to the amount paid. And the shop basically cares about optimizing its overall profit from its encounter with you. So the discussion will be about your needs, the product's ability to satisfy these, and ultimately the price and payment terms.

A few days ago I got some comments on Net-Safe from a guy running a local internet community. He suggested to me that it might be better to position the new identity management technology as a tool to provide shops with more (accurate) information, while relying on more subtle validation of participants in C2C communities.

In my opinion it would be a fatal mistake to use the new technology to extend current practices rather than to challenge and circumvent them.

Let us take the shopping case. Why should the shop know my name, age, and address, rather than just asking for information related to my specific product preference and some unique token to recognize me on return? The payment transfer industry has already addressed part of the problem by letting dedicated payment processors handle the payment card details, well concealed from the merchant.

Hence I regard it a major challenge for the evolving identity management industry to collaborate with the transportation industry and others to offer a similar level of privacy for the transfer of the invoice and the goods. This is primarily a behavioral rather than a technical challenge. Following this path consumers will eventually be able to accumulate and leverage their personal (incl. commercial) information for effective vendor relation management (VRM).

Currently most community sites – including the one being run by the person triggering this post – are asking new users for personal details such as name, birthday, gender, and zipcode. If filled in correctly this information allows any company with proper resources to uniquely establish the identity of the person. As the information is not validated, however, it also allows people to invent virtual identities which do not relate to any real person.

This practice is not only beneficial for various types of criminals, but a totally unnecessary risk for all users providing correct information. Their information is freely open to misuse by the site owner and anyone else who lawfully or not gets access to the data. Identifiers such as email addresses and user names further assist the criminals in aggregating user data from more sources.

I can think of several valid reasons for a community site to gather information about its users:

  • To promote accountability in the way users interact with each other on the site
  • To allow users to regain access to the site after losing their login details
  • To provide potential advertisers with general user demographics
  • To let users release information or delegate authority to other users.

But what, then, is the purpose for a community site to maintain a database where only part of the records point to real persons, while the remaining records are useless for any of the purposes above? It may not only be a bad idea! At least in Denmark it is a direct violation of the personal privacy act which expressly requires appropriate validation and updating of such information (see §5, sect. 4).

So for community sites the basic lesson to be learned is: Don’t ask for any information that you do not presently need and do not intend to validate.

Both community sites and upcoming identity providers (IDP) should develop their sites and technologies in a way that supports the release of information on a fine-grained need-to-know basis. With the emerging single sign-on and authorization protocols the 4 objectives above may be realized while keeping users in charge of their information and comfortable in their interaction with other users.
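A sketch of need-to-know release with a per-site return token, added here as an illustration and not taken from any particular IDP or protocol: the IDP derives a different stable token for each site and hands out only derived claims that both its policy and the user allow. The secret, user record, site names, claim names and policy are all constructed for the example.

```python
import hashlib
import hmac
from datetime import date

IDP_SECRET = b"demo-idp-pairwise-secret"  # constructed; never leaves the IDP

# Constructed user record as held by the IDP (validated once, at registration).
USER = {"user_id": "u-1001", "name": "Jane Example", "birthday": date(1990, 5, 17),
        "zipcode": "2100", "email": "jane@example.org"}

# Hypothetical policy: the derived claims each site has a stated need for.
POLICY = {
    "shop.example": {"return_token"},
    "community.example": {"return_token", "age_over_18", "region"},
}


def pairwise_token(user_id: str, site: str) -> str:
    """Stable per-site pseudonym; two sites cannot join their records on it."""
    msg = f"{site}|{user_id}".encode("utf-8")
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def derive_claims(user: dict, site: str, today: date) -> dict:
    """Only derived, coarse claims exist here; raw name, birthday and email do not."""
    b = user["birthday"]
    age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
    return {
        "return_token": pairwise_token(user["user_id"], site),
        "age_over_18": age >= 18,
        "region": user["zipcode"][:1],  # first digit only, for general demographics
    }


def release(user: dict, site: str, requested: set, consented: set, today: date) -> dict:
    """Release a claim only if the site's policy allows it and the user consented."""
    allowed = POLICY.get(site, set())
    claims = derive_claims(user, site, today)
    return {name: claims[name] for name in sorted(requested)
            if name in allowed and name in consented and name in claims}
```
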

The alternative – continuing and developing today's community site practices – seems to me a scary vision for the future of identity theft.