{"id":182,"date":"2006-10-30T04:23:33","date_gmt":"2006-10-30T08:23:33","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/ugasser\/2006\/10\/30\/must-read-microsoft-wp-on-privacy-com"},"modified":"2006-12-10T05:11:26","modified_gmt":"2006-12-10T09:11:26","slug":"must-read-microsoft-wp-on-privacy-compliant-id-metasystem","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/ugasser\/2006\/10\/30\/must-read-microsoft-wp-on-privacy-compliant-id-metasystem\/","title":{"rendered":"Must-Read: Microsoft WP on Privacy-Compliant ID Metasystem"},"content":{"rendered":"<p>Microsoft released a white paper entitled <a href=\"http:\/\/www.identityblog.com\/wp-content\/resources\/Identity_Metasystem_EU_Privacy.pdf\">\u201cThe Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity.\u201d<\/a> The excellent paper, authored by Microsoft\u2019s Internet Policy Council Ira Rubinstein and Tom Daemen, senior attorney with Microsoft, and posted on <a href=\"http:\/\/www.identityblog.com\/?p=624\">Kim Cameron\u2019s blog<\/a>, is a must-read for everyone interested in user-centric ID management systems. (Disclosure: As you can take from the acknowledgments, I have commented on a draft version of the paper, based on <a href=\"http:\/\/blogs.law.harvard.edu\/ugasser\/2006\/02\/09#a657\">my earlier observations<\/a> on \u201cIdentity 2.0\u201d-like initiatives.)<\/p>\n<p>Among my main concerns \u2013 check <a href=\"http:\/\/blogs.law.harvard.edu\/ugasser\/2006\/02\/09#a657\">here<\/a> for other problem areas &#8211; has been Microsoft\u2019s claim that the i-card model is \u201cby design\u201d in compliance with the unambiguous and informed consent requirement as set forth, for instance, by EU data protection law. 
I\u2019ve argued that the \u201chardwired\u201d-argument (obviously a variation on the theme \u201cregulation by code\u201d) might be sound if one focuses on a particular relationship between one user and one identity provider and\/or one relying party \u2013 as the white paper does. However, at the aggregated level, the i-card model\u2019s complexity \u2013 i.e. the network of informational relationships between one user and multiple ID providers and relying parties \u2013 increases dramatically. If we were serious about the informed consent requirement, so my argument, one would wish that the user could anticipate not only the consequences of consent vis-\u00e0-vis one ID provider, but would understand the interplay among all the components of the ID-system. Even in less complex informational environments, experience has shown that the making available of various privacy policies can\u2019t be the answer to this problem &#8211; as the white paper seems to acknowledge.<\/p>\n<p>In this regard, I particularly sympathize with the <a href=\"http:\/\/www.identityblog.com\/wp-content\/resources\/Identity_Metasystem_EU_Privacy.pdf\">white paper<\/a>\u2019s footnote 23. It might indeed be a starting point for an answer to what we might call the \u201ctransparency challenge\u201d to create \u201ca system enabling web sites to represent privacy policies in a simple, iconic fashion analogous to food labels. This would allow consumers to see at a glance how a site\u2019s practices compared to those of other Web sites using a small number of universally accepted visual icons that were both secure against spoofing and verified by a trusted third party.\u201d (p. 19, FN 23.) 
Such a system could become particularly effective if the icons \u2013 machine-readable analogous to creative commons labels \u2013 would be integrated in search results and monitored by \u201cNeighborhood campaigns\u201d similar, for instance, to <a href=\"http:\/\/www.stopbadware.org\/\">Stopbadware.com<\/a>.<\/p>\n<p>Although Microsoft&#8217;s paper leaves some <a href=\"http:\/\/rconversation.blogs.com\/rconversation\/2006\/02\/the_future_of_y.html\">important issues<\/a> unaddressed, it seems plain to me that it takes the discussion on identity and privacy protections as code and policy an important step further \u2013 in a sensible and practical manner.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft released a white paper entitled \u201cThe Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity.\u201d The excellent paper, authored by Microsoft\u2019s Internet Policy Council Ira Rubinstein and Tom Daemen, senior attorney with Microsoft, and posted on Kim Cameron\u2019s blog, is a must-read for everyone interested in user-centric ID management systems. 
(Disclosure: [&hellip;]<\/p>\n","protected":false},"author":202,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1172,279],"tags":[],"class_list":["post-182","post","type-post","status-publish","format-standard","hentry","category-eid","category-privacy"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/posts\/182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/users\/202"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/comments?post=182"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/posts\/182\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/media?parent=182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/categories?post=182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/ugasser\/wp-json\/wp\/v2\/tags?post=182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}