Posts Tagged “privacy”

… is much more difficult than learning and doing things right in the first place. One of my aspirations for 2008 is to promote the unlearning of bad habits in the area of digital identity.

The missing identity layer of the internet has led people to behave quite differently online than they do in the physical world. Even though proper identity management is now becoming available, it may take years to undo what has become normal practice in the digital domain during the past 5-10 years.

In the physical world you typically build trust with your friends over time, gradually sharing more and more personal information.

When you are shopping for a particular item, you are only concerned with the quality of the item relative to the amount paid. And the shop basically cares about optimizing its overall profit from its encounter with you. So the discussion will be about your needs, the product's ability to satisfy them, and ultimately the price and payment terms.

A few days ago I got some comments on Net-Safe from a guy running a local internet community. He suggested to me that it might be better to position the new identity management technology as a tool to provide shops with more (accurate) information, while relying on more subtle validation of participants in C2C communities.

In my opinion it would be a fatal mistake to use the new technology to extend current practices rather than to challenge and replace them.

Let us take the shopping case. Why should the shop know my name, age, and address, rather than just asking for information related to my specific product preference and some unique token to recognize me when I return? The payment industry has already addressed part of the problem by letting dedicated payment processors handle the payment card details, well concealed from the merchant.

Hence I regard it as a major challenge for the evolving identity management industry to collaborate with the transportation industry and others to offer a similar level of privacy for the transfer of the invoice and the goods. This is primarily a behavioral rather than a technical challenge. Following this path, consumers will eventually be able to accumulate and leverage their personal (incl. commercial) information for effective vendor relationship management (VRM).

Currently most community sites – including the one run by the person who triggered this post – ask new users for personal details such as name, birthday, gender, and zip code. If filled in correctly, this information allows any company with sufficient resources to uniquely establish the identity of the person. As the information is not validated, however, it also allows people to invent virtual identities which do not relate to any real person.

This practice not only benefits various types of criminals, but also poses a totally unnecessary risk for all users who provide correct information. Their information is open to misuse by the site owner and by anyone else who, lawfully or not, gets access to the data. Identifiers such as email addresses and user names further assist criminals in aggregating user data from multiple sources.
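As an added illustration of the re-identification point above (this is not part of the original post), the following Python computes how many users share each combination of the fields a community site typically asks for, with the name deliberately left out. The records are constructed, not real people, and the function names are mine. It goes slightly beyond the text by also showing that coarsening the birthday to a birth year is one way to stop individual users from being singled out. The combination of birth date, gender and postal code is treated as a quasi-identifier here because Latanya Sweeney's 2000 study estimated that these three fields alone uniquely identify about 87% of the US population.

```python
from collections import Counter

# Constructed sample records (not real people): the fields a typical
# community site asks for at signup, with the name deliberately omitted.
USERS = [
    {"user": "u1", "birthday": "1971-03-04", "gender": "F", "zip": "8000"},
    {"user": "u2", "birthday": "1971-09-12", "gender": "F", "zip": "8000"},
    {"user": "u3", "birthday": "1982-11-19", "gender": "M", "zip": "8000"},
    {"user": "u4", "birthday": "1982-02-02", "gender": "M", "zip": "8000"},
    {"user": "u5", "birthday": "1965-07-30", "gender": "M", "zip": "2100"},
    {"user": "u6", "birthday": "1965-07-30", "gender": "M", "zip": "2100"},
    {"user": "u7", "birthday": "1990-01-01", "gender": "F", "zip": "5000"},
    {"user": "u8", "birthday": "1990-06-15", "gender": "F", "zip": "5000"},
]

# Fields that are not identifiers on their own but become one in combination.
QUASI_IDENTIFIERS = ["birthday", "gender", "zip"]


def anonymity_sets(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Group records by their combination of quasi-identifier values.

    Returns {combination: number of records sharing that combination}.
    """
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def min_k(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest group: the table is k-anonymous for this k.

    k == 1 means at least one user is uniquely identified by these fields.
    """
    return min(anonymity_sets(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """User ids whose quasi-identifier combination is unique in the table,
    i.e. the users an attacker with an external register can re-identify."""
    sets = anonymity_sets(records, quasi_identifiers)
    return sorted(
        r["user"] for r in records
        if sets[tuple(r[q] for q in quasi_identifiers)] == 1
    )


def generalize_birthday(records):
    """Coarsen the full birthday to the birth year (one way to raise k)."""
    return [dict(r, birthday=r["birthday"][:4]) for r in records]


if __name__ == "__main__":
    print("k with full birthday:", min_k(USERS))          # 1
    print("singled out:", singled_out(USERS))            # six of eight users
    coarse = generalize_birthday(USERS)
    print("k with birth year only:", min_k(coarse))      # 2
    print("singled out after coarsening:", singled_out(coarse))  # none
```

Run against a real user table, `singled_out` lists exactly the accounts for which the site has stored a re-identification handle it has no use for, which is the risk the paragraph above describes.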

I can think of several valid reasons for a community site to gather information about its users:

  • To promote accountability in the way users interact with each other on the site
  • To allow users to regain access to the site after losing their login details
  • To provide potential advertisers with general user demographics
  • To let users release information or delegate authority to other users

But what then is the purpose of a community site maintaining a database where only part of the records point to real persons, while the remaining records are useless for any of the purposes above? It is not only a bad idea: at least in Denmark it is a direct violation of the personal data act, which expressly requires appropriate validation and updating of such information (see §5, sect. 4).

So for community sites the basic lesson to be learned is: Don’t ask for any information that you do not presently need and do not intend to validate.

Both community sites and upcoming identity providers (IdPs) should develop their sites and technologies in a way that supports the release of information on a fine-grained, need-to-know basis. With the emerging single sign-on and authorization protocols, the four objectives above can be realized while keeping users in charge of their information and comfortable in their interaction with other users.
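The two ideas above, a return token that identifies the customer to one shop without revealing who they are (the shopping case), and an identity provider that releases only what a site needs (the need-to-know principle), can be shown in a few lines. The following Python is an added example and not code from the original post or from any particular identity product. It sketches a hypothetical IdP that hands each relying party (RP) a pairwise pseudonym, computed as an HMAC over the internal subject id and the RP name, so two sites cannot join their user tables on it, and that answers derived questions such as "over 18?" instead of disclosing the raw birthday. The user record, the key `IDP_SECRET`, the RP names and all function names are constructed for the illustration.

```python
import hmac
import hashlib
from datetime import date

# Hypothetical IdP master record for one user (constructed, not a real person).
USER_RECORD = {
    "subject": "user-4711",          # internal id, never released to any RP
    "name": "Jane Example",
    "birthday": date(1985, 4, 2),
    "email": "jane@example.invalid",
    "zip": "8000",
}

# Hypothetical per-deployment secret; in practice kept in an HSM or KMS.
IDP_SECRET = b"idp-pseudonym-key-constructed-for-example"


def pairwise_pseudonym(subject, relying_party, secret=IDP_SECRET):
    """Stable identifier for the pair (user, RP) that differs for every RP.

    The same user returning to the same shop gets the same token, so the
    shop can recognize a returning customer, but a second site receives an
    unrelated token and cannot correlate its records with the first one.
    """
    msg = f"{subject}|{relying_party}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def age_on(birthday, today):
    """Completed years of age on `today` (handles birthdays later in the year)."""
    before_birthday = (today.month, today.day) < (birthday.month, birthday.day)
    return today.year - birthday.year - before_birthday


# Derived claims the IdP is willing to answer. Each takes the full record
# but returns only the minimal fact an RP might legitimately need.
DERIVED_CLAIMS = {
    "over_18": lambda rec, today: age_on(rec["birthday"], today) >= 18,
    "birth_year": lambda rec, today: rec["birthday"].year,
    "zip_prefix": lambda rec, today: rec["zip"][:2],   # region, not street
}


class ConsentRequired(Exception):
    """Raised when an RP asks for a claim the user has not approved."""


def issue_assertion(record, relying_party, requested, consented, today):
    """Build the assertion handed to one RP.

    It contains the pairwise pseudonym plus only the claims that were both
    requested by the RP and approved by the user. Raw attributes such as
    name, email or the full birthday never leave the IdP.
    """
    unknown = [c for c in requested if c not in DERIVED_CLAIMS]
    if unknown:
        raise ValueError(f"claims not offered by this IdP: {unknown}")
    unapproved = sorted(set(requested) - set(consented))
    if unapproved:
        raise ConsentRequired(unapproved)
    return {
        "rp": relying_party,
        "subject": pairwise_pseudonym(record["subject"], relying_party),
        "claims": {c: DERIVED_CLAIMS[c](record, today) for c in requested},
    }


if __name__ == "__main__":
    today = date(2008, 1, 15)
    shop = issue_assertion(USER_RECORD, "shop.example", ["over_18"], ["over_18"], today)
    forum = issue_assertion(USER_RECORD, "community.example", ["over_18"], ["over_18"], today)
    print(shop)   # pseudonym for the shop, claims == {"over_18": True}
    print(forum)  # different pseudonym, same minimal claim
```

Note that the shop learns nothing it cannot use: it can recognize the returning customer and knows the customer is an adult, but cannot look the person up elsewhere or pool data with the community site, because the two pseudonyms share no relation without `IDP_SECRET`.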

The alternative – continuing and extending today's community site practices – seems to me a scary vision for the future of identity theft.
