I’m working on a project w/ Alix Rabin about Identity 2.0. Behind the cut is our proposal and bibliography. If anyone has any comments, let me know! Thanks!
Alice E. Marwick
Values Embedded in Communication Technologies
March 24, 2006
The Next Generation of Online Identity Management Systems
Implications for End-User Privacy
The search for a single-sign on identity management protocol (dubbed “Identity 2.0”) has become increasingly significant in the last two years. The need for identity management reform is evident, as users have problems dealing with multiple logins and passwords while the risks of spyware, phishing, and identity fraud increase. However, there is a risk in entrusting user information to a single system, considering issues of identity theft, privacy, data-mining and control of personal information. Currently, corporations, small businesses and open-source organizations are developing a variety of competing protocols, including InfoCard, SXip, CoSign, Passel, YADIS, IDX and LID. Each technology aims to create a single sign-on system that allows for complete aggregation of identity information. The entities behind these systems claim that Identity 2.0 will allow users to consolidate and manage their own data rather than storing personal information across multiple websites. Billed as a positive solution to the very real concerns of identity theft and privacy violations that have many users worried, it is very likely that one or more of these protocols will be widely adopted in the next several years. However, these proposed solutions differ in their goals, implementation strategies, and information handling methods, and we must consider the possibility that the system which ultimately “wins” the adoption battle may not be the most ethical, functional or usable. Since this protocol will have a great deal of influence over the implementation of the web in the decade to come, it is crucial that we analyze these items critically while they are in the pre-implementation stages.
Our project will evaluate a few of these second-generation online identity management systems, with particular focus on the ways in which each addresses the safeguarding of end-users’ privacy and control of personal information. We plan to analyze and compare solutions being proposed by the open source community, commercial enterprises, and partnerships between public and private entities. Beginning with an explanation of each proposed solution, we will look at the way each protocol handles personally identifiable information, the methods used to ensure individual privacy, and the priority given to user control.
Our concern is with the how the value of privacy is embodied in the various systems either currently available or in development. Privacy, both online and off, is an increasing concern in our culture. As more and more of our daily transactions are conducted on the web, the convenience we gain is offset by the significant loss of control over the right to privacy. Email, social networks, instant messaging, blogs, e-commerce sites, enterprise solutions, government networks and other online environments increasingly require users to provide identifying information in order to engage in the full range of site-specific functionality. At present, the individual user has very little leverage to protect her privacy or to negotiate with sites regarding information she is willing to provide. In opposition to personal privacy online are robust surveillance and data mining technologies that have both governmental and industry might driving their development. In order to undertake our research, we will operationalize “privacy” based on previous work around internet applications in order to create a measurable metric for analysis. We will explore some of the literature on the meaning of identity in cyberspace and the ever-increasing complexity of control over personal data in multiple online contexts and applications.
Possible theoretical frameworks to consider in exploring Identity 2.0 solutions include the political implications of different systems (e.g. what kinds of power relations do they embody?); the influence of social factors on particular designs and the behavioral imperatives that are imposed back onto the social sphere by these designs; and multidisciplinary approaches taken as part of an iterative process of values-driven design. The overall goal of this project is to provide a foundation for the formulation of an ethical understanding of online identity, particularly in regards to user agency in self-presentation, corporate access to personal information, and application transparency.
Papers and Articles
Aspinall, J., Clement, A & Viseu, A. (2004) “Situating Privacy Online.” Information, Communication & Society; 7(1): 92-114.
Analyzes online privacy in terms of individual user understanding of the concept. Uses ethnographic data to conclude that people think about internet privacy in different ways depending on the moment of interaction.
Berman, J. and Bruening, P. “Is Privacy Still Possible in the Twenty-first Century?,” Social Research, 68(1): 306-317. Accessed March 1, 2006 from http://www.cdt.org/publications/privacystill.shtml
Defines privacy, details current potential privacy threats, outlines the history of privacy law and considers technological developments that may facilitate privacy protections.
Cameron, K. (2005). “The Laws of Identity.” Identityblog.com. May 12, 2005. Accessed March 22, 2006 from http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
Cameron works at Microsoft on the Infocard product, so his work is clearly biased. Nevertheless, this paper provides valuable insight into the industry perspective on the problem. Cameron discusses current problems in online identity, defines related terminology, and formulates “seven essential laws that explain the successes and failures of digital identity systems.”
Hamlin, K. (2005). “Identity 2.0 Gathering: Getting To the Promised Land.” O’Reilly Policy DevCenter, October 7, 2005. Accessed March 22, 2006 from http://www.oreillynet.com/pub/a/policy/2005/10/07/identity-workshop.html.
Notes from the O’Reilly workshop that became the Internet Identity Conference, where many of the current Identity 2.0 protocols are being analyzed and developed. Provides a general overview of the technological landscape and discusses some competing initiatives.
Margulis, S.T. (2003). “Privacy as a social issue and behavioral concept.” Journal of Social Issues. 59(2): 243-261.
Analyzes different definitions and theories of privacy, specifically in terms of privacy as a behavior and as a social/policy issue. Useful as a foundation for operationalizing privacy as an analytical concept.
Nabeth, Thierry. (2005). “Understanding the Identity Concept in the Context of Digital Social Environments.” CALT-FIDIS (Future of the Identity in the Information Society ) working paper, January 2005.
Discusses digital identity in a variety of different online environments, including email, virtual environments, blogs, wikis, instant messenger, online social networking, games, and reputation systems. An excellent overview of how identity operates given differing technologies, environments, and user needs.
Nowak, M. (2005). “One Login to Bind Them All.” Wired.com , August 1. Accessed March 1, 2006 from http://wired.com/news/privacy/0,1848,68329,00.html.
News article that explains the overall concept of Identity 2.0, identifies some of the proposed systems, and introduces some of the potential problems in the technology.
Rundle, M. & Laurie, B. (2005). “Safety and Security in a Networked World: Balancing Cyber-Rights and Responsibilities.” Oxford Internet Institute Conference, 8th-10th September 2005, Oxford, UK.
Begins with the idea that different parties (corporations, governments, individuals) might have different objectives with regards to the overall goals of cybersecurity. Rundle and Laurie use digital identity management as a way to analyze these differing goals, looking at international initiatives for identity management, technological initiatives for identity management, and identifying possible conflicts in interactions between the two. They close with recommendations for designing identity management systems that “prevent the abuse of power.”
Stahl, B.C. (2004). “Responsibility for information assurance and privacy: a problem of individual ethics?” Journal of Organizational and End User Computing. 16(3):59-77
Discusses why privacy and “information assurance” are issues of ethical concern, and complicates this relationship in terms of the individual user’s role in protecting his or her own privacy. Concludes that individuals cannot be held wholly responsible for individual privacy protections due to issues of power, knowledge, and intellectual capacity.
Suler, J.R. (2002). “Identity Management in Cyberspace.” Journal of Applied Psychoanalytic Studies, 4, 455- 460. Accessed March 1, 2006 from http://www.rider.edu/suler/psycyber/identitymanage.html
Takes a psychoanalytic approach to digital identity, focusing on the different mechanisms that come into play in determining how people manage their understanding of identity in online environments. Provides a five-point framework for analyzing how identity operates in differing contexts.
Turow, J. (2003). “Americans and Online Privacy: The System is Broken.” Report from the Annenberg Public Policy Center, University of Pennsylvania.
Results of an extensive survey that aimed to analyze American internet users’ understanding of online privacy. Found a great deal of misunderstanding and misinformation about privacy online, concluding that internet users frequently underestimate the amount of personal information that is being captured and tracked by online environments. Concludes that legislative action is needed to compel companies to disclose information-gathering practices and educate users on the implications of online privacy.
Watts, L & Reeves, A.J. (2004) Managing Projections of Identity in Technological Milieu. Workshop on ‘Representations of Digital Identity’, CSCW 2004, Chicago, USA.
Looks at computer-mediated communication and how people position their own social interactions in terms of the type of communication technology they are working with. Concludes that “CMC systems must be designed with support for the management of social identity, control over personal information and the provision of evidence about those involved in a discussion.”
Computer Professionals for Social Responsibility (CPSR)
Website has an extensive section on privacy and civil liberties, including subtopics on national identity schemes, participatory design, and ethics, plus lots of links to other sources, papers, and other resources.
Part of the Privacy Rights Clearinghouse website. Guide (“Rules of the Road”) to privacy in cyberspace. Includes good links to other organizations and related websites.
EPIC is a “public interest research center” focusing on issues of civil liberties with respect to privacy, the First Amendment, and constitutional law. Tracks privacy-related news, publishes policy papers and issues activist alerts.
Activist organization focusing on public-interest internet issues, including advocacy of nonprofit content production, public understanding of digital media, and the promotion of noncommercial information.
Activist organization that promotes “democracy and constitutional liberties” in technology policy and law. Publishes reports and articles on online privacy, including adware, internet censorship, and technology standards.