TORONTO — The onslaught of phishing and pharming scams and concerns about privacy are causing consumers to lose faith in e-commerce, Ontario’s privacy commissioner said Wednesday.
Speaking at the International Association of Privacy Professionals Conference, Ann Cavoukian threw her support behind the seven laws of identity developed by a Microsoft-led global community project which are designed to protect consumer identities.
The Internet needs a privacy layer, Cavoukian said. When consumers encounter problems such as pharming or phishing, they sometimes check out, she said.
“Online fraud is threatening e-commerce,” she said. The seven laws, if widely adopted, should help prevent Web sites from being spoofed, she added.
Online surveillance is also threatening consumer confidence, Cavoukian said. Users feel they can’t minimize the use of their information by others. We need to make sure a privacy layer is added to Web 2.0 as it’s built, otherwise, the Internet will become a vehicle for surveillance, she said.
Though the seven laws are what Cavoukian refers to as privacy-enhancing technologies, the language of privacy was not explicit in them, she said. She partnered with Microsoft to bring privacy to the forefront.
The first law concerns user control and consent: “technical identity systems must only reveal information identifying a user with the user’s consent.” Next is minimal disclosure for a constrained use: “the identity metasystem must disclose the least identifying information possible.” The third law is justifiable practice — “identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.” The other laws state:
- That “a universal identity metasystem must support both ‘omnidirectional’ identifiers for use by public entities and ‘unidirectional’ identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.”
- That “a universal identity solution must utilize and enable the interoperation of multiple identity technologies run by multiple identity providers.”
- Law six, human integration, states that “the identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.”
- The final law, consistent experience across contexts, says “the unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.”
Basically, the laws are designed to offer consumers the same type of privacy protection in the online world as they get in the physical world. In the physical world, it would be difficult to go into a fake bank branch, but spoofing a bank’s Web site online is a trivial matter, Cavoukian said.
By building an identity management layer into the Internet, consumers could be sure of whom they’re dealing with. Also, when someone goes into a library, they’re not required to show their credit cards or social insurance numbers to get a library book. A library card is good enough, and a coffee card that’s punched each time a coffee is purchased suffices in a coffee shop, she said. There is currently no antecedent to this online.
Microsoft’s CardSpace, which was formerly known as InfoCard, will allow consumers to create their own identity card for such transactions as reading an online paper. They could also get other cards from trusted third-party organizations such as banks that they could use to make purchases. The banks will verify that the payment has been made to a vendor and won’t transfer money unless the vendor is authenticated, which would curtail fraud, Cavoukian said.
Other vendors will be offering similar solutions.
Multiple cards for different purposes will help consumers keep their privacy safe, Cavoukian said. “If you have one card for everything, kiss your privacy goodbye…The one card model — that’s the Big Brother model.”
The seven laws address a problem that the Internet’s creators didn’t envision, said Kim Cameron, Microsoft’s chief architect of identity and access, who was also at the press conference.
“When we built the Internet 25 years ago, we didn’t really know what we were doing…so the Internet technology has a big hole in it.”
CardSpace will be included in Windows Vista, which is due to be released next year. Some vendors have already come on board with the proposed new identity system, Cameron said, though he couldn’t name them.
It’s in a vendor’s best interest to support the seven laws because they reduce fraud and loss and promote trust, said Peter Cullen, Microsoft’s chief privacy strategist in an interview.
Though Jerry Gaertner, a privacy expert, thinks the seven principles are a step in the right direction, he’s waiting to see how well they are implemented.
“I think the devil is always in the detail when it comes to effectiveness,” said Gaertner, senior vice-president at Soberman Tessis Inc. Some of the laws, for example, deal with interoperability, but Gaertner wonders how possible it is to bring every computer and every kind of e-commerce application in line with the principles.
“If it can’t be done, there will be a hole, and security or privacy is only as strong as the strongest hole.”
The principles are also open to interpretation, Gaertner said. How do you decide what constitutes minimal disclosure and appropriate use? If vendors and consumers can’t agree on this, then these initiatives won’t succeed, he said.