TORONTO - The onslaught of phishing and pharming scams and concerns about privacy are causing consumers to lose faith in e-commerce, Ontario’s privacy commissioner said
Speaking at the International Association of Privacy Professionals Conference, Ann Cavoukian threw her support behind the seven laws of identity developed by a Microsoft-led global community project, which are designed to protect consumer identities.
The Internet needs a privacy layer, Cavoukian said. When consumers encounter problems such as pharming or phishing, they sometimes check out, she said. “Online fraud is threatening e-commerce.” The seven laws, if widely adopted, should help prevent Web sites from being spoofed, she said.
Online surveillance is also threatening consumer confidence, Cavoukian said. Users feel they can’t minimize the use of their information by others. We need to make sure a privacy layer is added to Web 2.0 as it’s built, otherwise the Internet will become a vehicle for surveillance, she said.
Though the seven laws are what Cavoukian refers to as
privacy-enhancing technologies, the language of privacy was not explicit in them, she said. She partnered with Microsoft to bring privacy to the forefront.
The first law concerns user control and consent: “Technical identity systems must only reveal information identifying a user with the user’s consent.” Next is minimal disclosure for a constrained use: “The identity metasystem must disclose the least identifying information possible.” The third law is justifiable practice: “Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.” The other laws state:
• That a universal identity metasystem must support both omnidirectional identifiers for use by public entities and unidirectional identifiers for use by private entities.
• That a universal identity solution must enable the interoperation of multiple identity technologies run by multiple identity providers.
• That the identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms.
• That the unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
The laws are designed to offer consumers the same type of privacy protection in the online world as they get in the physical world. In the physical world, it would be difficult to go into a fake bank branch, but spoofing a bank’s Web site online is a trivial matter, Cavoukian said. By building an identity management layer into the Internet, consumers could be sure of whom they’re dealing with.
Microsoft’s CardSpace, which was formerly known as InfoCard, will allow consumers to create their own identity card for such transactions as reading an online paper. They could also get other cards from trusted third-party organizations such as banks. The banks will verify that the payment has been made to a vendor and won’t transfer money unless the vendor is authenticated, which would curtail fraud, Cavoukian said.
“If you have one card for everything, kiss your privacy goodbye . . . The one card model – that’s the Big Brother model.”
The seven laws address a problem that the Internet’s creators didn’t envision, said Kim Cameron, Microsoft’s chief architect of identity and access. “When we built the Internet 25 years ago, we didn’t really know what we were doing . . . so the Internet technology has a big hole in it.”
CardSpace will be included in Windows Vista, which is due to be released next year. Some vendors have already come on board with the proposed new identity system, Cameron said, though he couldn’t name them.
Though Jerry Gaertner, a privacy expert, thinks the seven principles are a step in the right direction, he’s waiting to see how well they are implemented.
“I think the devil is always in the detail when it comes to effectiveness,” said Gaertner, senior vice-president at Soberman Tessis Inc. Some of the laws, for example, deal with interoperability, but Gaertner wonders how possible it is to bring every computer and every kind of e-commerce application in line with the principles. “If it can’t be done, there will be a hole, and security or privacy is only as strong as the strongest hole.”
The principles are also open to interpretation, Gaertner said. How do you decide what constitutes minimal disclosure and appropriate use? If vendors and consumers can’t agree on this, then these initiatives won’t succeed, he said.