• Speaking
  • Downloads
  • About Talking Identity
  • About Me

Does ‘User-Centric’ also mean ‘User-Burdened’?

  • Posted on:September 2, 2008
  • Posted in:Personal Identity Management, User-Centric Identity
  • Posted by:Nishant Kaushik
1

Dave Kearns recently took on the topic of how user-centric and enterprise-centric identity could possibly co-exist in his articles for the Network World Identity Management Newsletter. In his first post, he discussed what the difference between the two is -  the need in the Enterprise scenario to have all identity-related transactions tied together from an audit perspective, contrasted with the need in the User-Centric (or personal) scenario to have no ability to tie together the various transactions a person can enter into. In his follow-up post, he discussed how the two, given these diametrically opposite requirements, could co-exist.

Multiple_Personas Dave postulates that the solution is based in the idea of Digital Personas. If I am reading his thesis correctly, he basically says that a person (an entity) can keep his online transactions un-linkable by using different personas (as represented by different information cards) that are kept separate and distinct at the source (namely the user and his IdP). In this way, common identifiers are avoided (not sure about that, since the most common identifier – an email address – is likely the same across most, if not all, of your personas), and so correlation reports cannot be built that harvest and mine data.

While Dave is clearly working with the constraint of what is possible today (both on a technological and legal footing), I think this solution puts too much of a burden on the end-user, since this requires the user to maintain multiple personas across the various applications he interacts with. In other words, even if the persona I want to present (PII attributes, credit cards, etc) to two different applications is exactly the same, I would need to create two different personas (in effect duplicates) if I want to make sure that there is no linkability. One can see the potential for persona explosion.

This is like saying that a user (who is extremely paranoid and wants no one building a consumer profile by looking at his purchase history) should maintain a different credit card (in effect tens or a few hundred) for every merchant he interacts with. That is comletely impractical. But just like there is no recourse today for consumers in this arena (the SSN, home address information, etc that every credit card record has enables complete linking, and results in the massive databases that telemarketers thrive and live on), it seems that there are no legal and technological solutions enabling the consumer to use the same persona while guaranteeing non-linkability. It’s an interesting problem that I think needs to be addressed by the identity community, because if it isn’t, linking of our online identities will happen (whether we want it or not), because the burden of maintaining multiple personas is just too much work, and user habits will prevail (just like it does in the matter of username-passwords).

Be Sociable, Share!

Tags: Digital PersonaEnterprise IdentityInformation CardsPersonal Identity ManagementUser-Centric Identity
  • http://www.azigo.com TCarroll

    I suppose the extent of the burden on the user really depends on what PII they need to give to each system in order to accomplish their goals. In an on-line shopping scenario, you need to provide real payment credentials, and a real shipping address (or at least some kind of proxys that will get the job done), so there is limited ability for a user to easily keep that kind of transaction completely non-correlatable. On the other hand, many on-line transactions require only proving a) you’re not a bot, and b) you are the same person you were last time. Systems based on Information Card technology, such as Microsoft’s CardSpace, Parity Communication’s Azigo and Novell’s Digital Me all include the capablity to automatically generate strong site-specific login credentials from a single Information Card, as well as the ablity to easily create multiple Information Cards to support different personas. Add in a disposable email service, and it becomes very easy for a user to maintain this kind of lightweight on-line account in a completely non-correlatable way.

Recent Posts

The Conundrum of 2FA meets the Enigma that is PAM
"It's a mystery. Broken into a jigsaw puzzle. Wrapped in a conun...
The Dilemma of the OAuth Token Collector
'Tis the season to be hacked, I guess. Twitter joined a bunch of...
Why 2013 will be 'The Year of the SCUID'
I'm just now coming back to earth from the high I've been on sin...
The IDaaS Powered World
Last week I was in Colorado for the Defrag and Blur conferences....
What Happens When Telco's Declare SMS 'Unsafe'?
If you've been following Authentication related discussions, you...

Recent Comments

Bob Pinheiro on
The Conundrum of 2FA meets the Enigma that is PAM
8 weeks ago

NishantKaushik on
The IDaaS Powered World
8 weeks ago

Nikolaj Ivancic on
The IDaaS Powered World
16 weeks ago

on
The Dilemma of the OAuth Token Collector
18 weeks ago

on
The Dilemma of the OAuth Token Collector
18 weeks ago

Tags

Application-Centric IdM Burton Catalyst Conference Cloud Computing Cloud Identity Model Facebook Federated Provisioning Identity Governance Identity Governance Framework Identity in Social Networking Identity Management Identity Services IGF OpenID Oracle Identity Management Oracle Identity Manager Oracle OpenWorld Oracle_IDM Password Management Personal Identity Management Privacy Provisioning Risk Management Role Management Service-Oriented Security User-Centric Identity

Connect

Twitter Follow @NishantK

LinkedIn Connect on LinkedIn

Slideshare View Nishant's Presentations

About Me nishantkaushik.com

Categories

  • Ask Dr. K (11)
  • Identity Services (36)
  • Identropy IDaaS (2)
  • Insight IdM (124)
  • Oracle Identity Management (61)
  • Personal Identity Management (32)
  • The Cloud Identity Series (17)
  • Tips & Techniques (4)
  • User-Centric Identity (24)

Archives

  • ► 2013 (3)
    • April (1)
    • February (1)
    • January (1)
  • ► 2012 (13)
    • November (2)
    • August (3)
    • July (2)
    • June (2)
    • May (1)
    • February (3)
  • ► 2011 (29)
    • December (1)
    • November (1)
    • October (1)
    • September (2)
    • August (3)
    • July (4)
    • June (5)
    • May (3)
    • April (4)
    • February (2)
    • January (3)
  • ► 2010 (33)
    • December (1)
    • October (1)
    • September (4)
    • August (5)
    • July (6)
    • June (4)
    • May (3)
    • April (2)
    • March (3)
    • February (2)
    • January (2)
  • ► 2009 (24)
    • December (1)
    • November (1)
    • October (3)
    • September (3)
    • August (4)
    • July (2)
    • June (2)
    • May (3)
    • April (1)
    • February (2)
    • January (2)
  • ► 2008 (44)
    • December (1)
    • October (4)
    • September (4)
    • August (8)
    • July (11)
    • June (4)
    • May (2)
    • April (2)
    • March (3)
    • February (3)
    • January (2)
  • ► 2007 (56)
    • December (3)
    • November (5)
    • October (6)
    • September (5)
    • August (8)
    • July (5)
    • June (9)
    • May (3)
    • April (2)
    • March (5)
    • February (5)
  • ► 2006 (33)
    • December (4)
    • November (2)
    • October (6)
    • September (1)
    • August (2)
    • July (3)
    • June (5)
    • May (3)
    • April (2)
    • March (5)

Disclaimer

Talking Identity is my exploration of the world of Identity Management. The views expressed on this blog are my own and do not necessarily reflect the views of Identropy (doesn't mean I'm not trying hard to mold them in my own image).

Copyright © 2005-2013 Nishant Kaushik. All Rights Reserved.