Legal & Policy Framework for Identity Management – OII workshop
Tuesday, April 14th, 2009
Sponsored by the Oxford Internet Institute (OII - http://www.oii.ox.ac.uk/), this 2-day event (2/3 April 2009) combined presentations and group sessions to discuss a legal and policy framework for Identity Management.
Thanks to the wonders of Twitter I was also able to follow the Tweets for the Libraries of the Future Debate (http://www.jisc.ac.uk/whatwedo/campaigns/librariesofthefuture.aspx) on the first day by following the tag #lotf09, whilst also contributing to the IDM event (#oii-idm).
As the title suggests, this was not a technical conference but one that wanted to look at the drivers for creating a legal and policy framework when dealing with identity management. It would seem that such a framework is not thought about before technical solutions are created, and that this is preventing the uptake of these technologies.
The morning of the first day consisted of various presentations. The first talk dealt with managing risks and how organisations can act as digital Gods issuing an ID, understanding what you are doing with it and cancelling it when they choose. The point was also made that regulators are spending too much time helping the bad guys when they should be helping the good guys first. An interesting point from the second talk was that trust is related to culture and where you live in the world. Our digital life is moving to globalisation (aren’t we there already?) and we have fragmented authorisation and authentication systems. When things were kept local, we used to know where jurisdiction lay and what the culture was. This has become extremely complex as we have become more global. The idea that we all live peacefully in a global village is just not going to happen.
The idea of globalisation occurred in other talks as well. We need international policies and not just national ones. However, we need to start small and build outwards rather than trying to conquer the world in one go. Establishing a convention that other nations could sign up to should mirror the way passports became worldwide. Passports never existed until someone decided they were a good idea. They were introduced, other nations adopted them and they became global.
Some of the later talks dealt with issues like whether we can have separate public and private identities. Do we just have one identity but many personas? Should we even use the term “identity”? I wanted to know who had the most to gain from having a legal and policy framework. Is it the individual or the organisation/institution? Who benefits the most? Is it required so that organisations can manage risk? To get it to work it needs to benefit both sides. It even comes down to culture again. For example, if you trust your government (Sweden was used as an example) you are more likely to trust them to set basic rules regarding identity. How many other governments can be trusted in the same way?
Another presentation mentioned that it’s mainly the legal types that worry about legal frameworks and privacy issues. More people are moving towards a user-centric view and looking at what they can do now with their identity credentials.
After group sessions and discussions, the workshop wrapped up with the conclusion that there is a need for a policy and legal framework that should support an infrastructure. It’s in an organisation’s interests to have some form of control, but we need a means of redress if things go wrong. It was suggested that there should be a follow-on workshop to discuss these issues further.