The Office of the Ontario Privacy Commissioner has long been a world leader in privacy advocacy, displaying a remarkable ability to anticipate the privacy impact of cutting-edge technologies. Given its track record, the attention being lavished on the release of a new document on identity management is much deserved as it merits wide reading. The Seven Laws of Identity builds on work being done by Microsoft designed to allow Internet users to better manage their online "identities" by limiting the disclosure of personal information ("data minimization"), using better authentication practices, and building in user consent and controls. In recent news reports, the Office has touted the virtues of its Seven Laws of Identity approach, with claims that it will help solve Internet ills such as phishing, pharming, and spam.
As I read the coverage and white paper, I am left somewhat uncomfortable. Part of the discomfort may stem from placing too much reliance on new technologies as a saviour – the Office has previously pointed to P3P, better privacy practices, and email encryption as providing similar benefits only to be left disappointed. The discomfort may also arise from the overbroad claims about the ability for identity management to address spam and spyware. As far as I can tell, it only holds the potential to render spyware less effective once it has reached users' inboxes, but does little to address the broader spam problem. Moreover, we have heard in the past about technological solutions (email authentication, anyone?) that hold the key to the spyware problem only to have those solutions become mired in proprietary battles.
More troubling is the close connection with Microsoft as the release and accompanying press coverage at times feels like an infomercial for the software giant. The Ontario Privacy Commissioner's Office has worked with Microsoft in the past; however, this initiative goes to great lengths to extol not only the Seven Laws, but also the company itself. The White Paper devotes nearly three pages to Microsoft's much-criticized Passport program and its CardSpace identity management feature that will be included in Vista, its forthcoming operating system upgrade.
The Office's seemingly unqualified embrace of Microsoft strikes me as a mistake for several reasons. First, there are other companies developing similar solutions and they should be granted equal airtime. Second, the CardSpace feature includes a significant DRM component. When combined with the Vista licensing terms that prohibit circumvention, users are entrusting both their privacy and total computer experience to Microsoft (see Wendy Seltzer's review of the implications of the Vista terms and how that trust is being repaid). Third, while it is good to see privacy commissioner offices in Canada working with the business community, they must take care to maintain sufficient distance to be advocates for privacy, not for particular companies and their products. There is a fine line between co-operating and becoming co-opted and there is reason to believe that this initiative falls on the wrong side of the line.