As this Joy of Tech cartoon demonstrates, PRISM seems to have solved that problem for us. All that’s left to do is slap a RESTful Web Service on that data source. Should it be SAML or SCIM?
This is pretty much the epitome of “It’s funny because it’s true”. The way that “metadata” can be used to build up a useful, fairly accurate picture of a person was the subject of a vigorous Twitter debate between myself, Paul Madsen and Dave Kearns. And while Paul’s choice of example was interesting, to say the least, it does effectively illustrate how you can start to use additional metadata (like the time of night the calls were made, the location of both callers at the times they made the calls, the number of times their locations crossed, etc.) to build up a remarkably accurate (and incriminating) picture of a person.
And that’s why I have repeatedly stated that this so-called metadata isn’t meta at all; it is, in the strictest sense, data, and should therefore be given all the protections due it. And not just because the implications for human rights, privacy and political abuse are huge (though that really should be enough). We have to remember that this data actually has an important role to play in securing our online interactions. It is this very kind of data that we’re hoping can be leveraged to move the identity game forward from authentication towards recognition. IAM technologies in the area of identity verification and risk-based security will utilize environmental information gathered from transaction context as additional factors in various recognition processes. And an identity lifecycle management solution like our own SCUID Lifecycle is looking to provide a much better experience to end-users as well as their organizations by leveraging this data for a smarter identity management solution.
So if this data is getting collected and abused in the manner that has been outlined, then it threatens the legitimacy of these processes as part of our online security fabric. This case also brings up the need for us as identity professionals to clearly define the rules on how end-users are informed by employers, organizations and online services about the gathering and use of their data. As the cloud, BYOD, BYOA(pp) and other initiatives cause identity tech to become more meshed with a person’s everyday life, the boundaries could blur faster than we can keep up, and it’s imperative for us to get ahead of the curve on this one, and not hide behind a lengthy ToS that no one reads or an employment contract with a lot of legalese. One thing is for sure – it’s gonna make for some interesting initiatives and conversations (BTW, the next chance to have a debate on this with me will be at the upcoming Cloud Identity Summit, but more on that in an upcoming post).
[Cross-posted to the Identropy blog]