Discussions about identity and privacy are often treated as some sort of theoretical debate, at least by the so-called “ordinary user” on the Internet. If we think about the adoption rate of technologies like OpenID or CardSpace, we can get the impression that the people who design and develop web pages are not greatly concerned about it either. But sometimes life shows that these are real problems … and not only on the Internet but also in our day-to-day life.
Last Christmas we had a little family gathering at our house – the first time we spent Christmas together with my family and my fiancé's family. As often happens on such occasions, we chatted about random topics – one of them was a new agreement with a mobile carrier which my father was about to sign … and he gave up on it.
The reason he gave up was that they asked him to provide his bank statements for the last 3 months to prove that he is able to pay the bills (we have some sort of stupid regulations like that here 🙁). My dad asked them “What for?” and they were not able to give any reasonable answer to this simple question.
So … why do they need this information at all? And do they really need it???
Of course I know what the reason was – they wanted to confirm that my dad is able to pay his mobile phone bills by looking at his account balance. But do they really need the entire bank account statement, to know in which store he used his card and what he bought? No … they just need the simple information of whether his account balance was positive and whether he is able to cover bills up to a specific amount.
And now (at least in my opinion) we come to the place where reality meets claim-based identity and everything related to it. If we think about this case in these terms, it is a perfect case for using claims – my dad should be able to provide the mobile carrier with claims managed by his bank, which would allow the mobile provider to confirm his ability to cover the bills. And I think that from a pure technology point of view we have proven and working solutions in this area. The problem is in their acceptance and usage.
When I was thinking about this situation, the Laws of Identity came to my mind. I thought about this case as an example of how the 2nd of those laws, “Minimal Disclosure for a Constrained Use”, was broken. In short, it reads as follows:
The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.
In this case the information requested was way beyond what was really needed, and we have no guarantee about who will process the data and how long it will be retained.
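The claim exchange described above, as an added example that is not part of the original post: the bank reduces the statement to a single yes/no answer bound to one recipient and a short lifetime, and the carrier checks it. The issuer and audience names, the field names, the month-end-balance rule and the demo key are assumptions, and HMAC with a shared key stands in for the bank's public-key signature.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). HMAC stands in for the bank's signature;
# a real issuer signs with a private key so the verifier cannot mint claims.
BANK_KEY = b"constructed-demo-key"


def issue_claim(balances, monthly_bill, audience, now, ttl=300):
    """Bank side: reduce the statement to one yes/no answer and sign it."""
    claim = {
        "iss": "bank.example",             # hypothetical issuer name
        "aud": audience,                   # released only to who needs it
        "exp": now + ttl,                  # useless once the check is done
        "can_cover_monthly": monthly_bill,
        # Assumed rule: every month-end balance covers the bill amount.
        "result": all(b >= monthly_bill for b in balances),
    }
    body = json.dumps(claim, sort_keys=True).encode()
    sig = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
    return {"claim": claim, "sig": sig}


def verify_claim(token, expected_audience, monthly_bill, now):
    """Carrier side: check integrity, audience, freshness and amount."""
    body = json.dumps(token["claim"], sort_keys=True).encode()
    good = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, token.get("sig", "")):
        return False                       # claim was altered or forged
    c = token["claim"]
    if c["aud"] != expected_audience or now >= c["exp"]:
        return False                       # wrong recipient or expired
    return c["can_cover_monthly"] >= monthly_bill and c["result"] is True


if __name__ == "__main__":
    now = int(time.time())
    month_end_balances = [1820.50, 940.00, 1315.75]   # constructed sample
    token = issue_claim(month_end_balances, 60, "carrier.example", now)
    print(token["claim"])                  # no transactions, no balances
    print(verify_claim(token, "carrier.example", 60, now))
```

The carrier receives five fields and a signature; the balances and card transactions never leave the bank.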
And this was an example where a theoretical discussion about identity and its protection turned out to be really practical. And maybe my dad was not fully aware of it, but he acted rightly to protect his privacy :).