Does user-centric identity depend on personal DRM?

Dave Kearns makes a good point about DRM: It's immoral in itself, because it can be used for good or bad purposes.

So far, almost all the discussion about DRM has been confined to digital rights management by large companies. We've said almost nothing, so far, about individuals. Here's what Dave says:

One of the better uses of DRM could be within the realm of user-centric Identity Management. After all, this movement is all about personal control of identity attributes. That is, people are in search of ways to not only control who gets initial access to reading those attributes but also what they do with that data after reading it. DRM is a technology which promises to deliver that benefit, if only those who most passionately support user-centric IdM would realize it.

I agree. However, I think "DRM" as a term now has a meaning it will be hard to stretch over individual use as well.

Though maybe we should try. Not sure. Meanwhile, we might consider using some other term that means "personal control of identity attributes" without borrowing a term that already means "producer control of consumer usage".

What do the rest of y'all think?

Personal Data Rights Management?

If the concept and technology(?) of DRM could be applied to the protection of identity - and more generally personal data -, if it would allow a data subject (as we say in Europe) to fix the terms and conditions for the use of his/her personal information, then it would be extremely appealing. This would be a true empowerment of citizens and consumers!

But has someone elaborated on how exactly the DRM technology could be applied to the protection of personal data? On what could the current (or to be developed) technology allow individuals to do when they provide personal information (e.g. prevent storage beyond a certain period of time, processing for secondary use)? In short, how could the DRM technology work for the benefit of individuals? It would help make a case for what we could call Personal Data Rights management.

Anne

words...

"Immoral" does not have the same meaning as "amoral".

But who enforces the control?

Right the first time on the immorality of DRM. DRM is immoral because it requires delegating your human moral responsibility for whether or not to copy a piece of information to a machine that is not capable of making that judgment.

DRM uses mechanically enforced rules to micromanage the copying of information. Some uses of information that are morally permitted, or even required, are not expressible as mechanically enforced rules.

A non-evil DRM system requires the construction of an artificial intelligence that passes a Turing Test on a moral level.

Invent a DRM system that can understand the Chiquita case...
http://www.salon.com/media/1998/07/08media.html and we'll talk.

Don Marti dmarti@zgp.org

Identity Rights Management

May I suggest two terms that fit? It seems that the discussion is focused on "Identity Rights Management" or "Digital Identity Rights Management." The question is who has rights to own, control or use an individual's Digital Identity or attributes of one's identity.

User-centric identity proponents may argue that Identity Rights belong exclusively to individuals, and that any institution's use of a Digital Identity should be limited to cases where an individual gives explicit permission for its use.

At the other extreme, Customer Relationship Management advocates may argue that any attribute of an individual's Digital Identity in the enterprise's possession can be used however the enterprise sees fit.

Identity Rights Management

"At the other extreme, Customer Relationship Management advocates may argue that any attribute of an individual's Digital Identity in the enterprise's possession can be used however the enterprise sees fit."

In a nutshell.

On the other hand, if they only get a one-time reference to you, which they can't pass on/sell/place in a plain text file called CopyMePlease.txt on an Internet-facing Windows 95 machine, then they can leverage as hard as they like, to no avail - You've nicked their fulcrum.

Identity theft will remain a problem until everyone starts to get serious about stopping it. In Britain, we get a heap of invitations to apply for credit cards every week. To make it all the easier, they fill out the form, as far as they are able, with our details. This means that "dumpster diving", as I believe Americans call it, is quite a good way of getting the information you need to cause all sorts of grief to both bank and customer, and also explains why large British supermarkets sell shredders. Does it strike anyone else as weird that we now need shredders in our homes? Make mine a cross-cut...

Ask yourself how much of your junk mail and/or spam originates from organisations who you have actually dealt with. The DRM concept could put a complete stop to that nonsense.

Cheers,

Roger.

Identity Rights Management

Sorry, but this was my first time on this site. Internet anonymity is one of my pet peeves, so I've logged on to indicate that I wrote the Identity Rights Management bit.

Mark Dixon
http://discoveringidentity.com

Individual DRM

I think DRM is just fine, with the emphasis on RIGHTS - It would be a good idea if people got the idea that non-corporeal property can not only be owned, but can be owned by everyone and anyone, even for (Gasp! Burn the heretic!) non-profit reasons.

The pigopolists are only thinking in one direction, but it's time they realised that widespread consumer usage of the same technology is not only reasonable, but is going to mess up some other shibboleths of which they're also very fond.

CRM systems are a particular hatred of mine, as they are a means by which corporates hold information about me which I don't want them to have, and then use this information to harass me by post, email, and telephone.

I want to return to the old model where I give money to someone for a product or service and they supply the thing I've paid for. End of. Period. If I want to deal with them again, then I'll make that decision without their input, and particularly without their direct marketing. All they need to know about me is that I've paid, and I should be able to prevent them keeping any other information about me.

Let's be honest - Does anyone really want a "relationship" with a bank? Or a record company? Yeurgh...

Cheers,

Roger.

"What crime is it to rob a bank, compared to that of founding one?"

Bertolt Brecht

Yes and No

I agree that DRM is an interesting approach to protecting personal information management in theory. Wouldn't it be great if I could wrap my credit card number in a magical DRM wrapper so that an online vendor could only use it once and could not store it in some database, waiting for crackers to copy it? I also agree that DRM as the term is understood today does not really apply to identity management. Maybe "privacy rights management" or something similar would be a better term.

But none of this matters, because we have no leverage over companies who would abuse our personal information and thus they would never adopt such DRM schemes, seeing large costs with no benefits.

--Wes Felter

(BTW, if something can be used for good or evil, it's amoral.)

DRM is fundamentally insecure, and thus inappropriate

DRM is fundamentally insecure. The physical access or ownership of a computer will always (ALWAYS!) trump any installed DRM. You can try to wrap it up with trusted layers, etc... but there will always be someone like DVD Jon ready to crack it.

It's insane that the credit card companies haven't implemented a secure means of giving someone a capability. You should be able to go to your card vendor's site, and say that you want to authorize person X to take Y out of your account, perhaps on a reoccurring basis, until the capability is revoked. NOBODY should ever have to give out their credit card number, except as a username to the credit card company itself. (Even this should disappear if we get a working identity system in play)

The knowledge of some personal information and 20 digits can be trivially copied. It's not a secure way to distribute capabilities.

Wrapping this in a DRM layer is not going to make it any more secure in the long run. At some point it would have to be extracted, and at that point it can be copied.

DRM is not a solution for privacy issues, it's not a silver bullet. Identity is a big problem, and is going to need a lot of work to solve.

--Mike--
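
An added illustration, not part of the original comment thread: a minimal sketch of the revocable, payee-bound payment capability proposed in the comment above, in contrast to a card number that works for anyone who copies it. The `Issuer` class, its method names and the sample values are hypothetical; the limit is a running total rather than a per-period amount, and the issuer is assumed to authenticate the presenting payee.

```python
import hashlib
import hmac
import json
import secrets

class Issuer:
    """Hypothetical issuer; 'presenter' is a payee identity it has authenticated."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key never leaves the issuer
        self._revoked = set()
        self._spent = {}  # capability id -> total charged so far

    def _mac(self, claims):
        body = json.dumps(claims, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def grant(self, account, payee, limit_cents):
        claims = {"id": secrets.token_hex(8), "account": account,
                  "payee": payee, "limit": limit_cents}
        return {"claims": claims, "mac": self._mac(claims)}

    def revoke(self, cap):
        self._revoked.add(cap["claims"]["id"])

    def charge(self, cap, presenter, cents):
        claims = cap["claims"]
        if not hmac.compare_digest(self._mac(claims), cap["mac"]):
            return "rejected: tampered"
        if claims["id"] in self._revoked:
            return "rejected: revoked"
        if presenter != claims["payee"]:
            return "rejected: wrong payee"
        spent = self._spent.get(claims["id"], 0)
        if cents <= 0 or spent + cents > claims["limit"]:
            return "rejected: over limit"
        self._spent[claims["id"]] = spent + cents
        return "approved"


def demo():
    bank = Issuer()
    cap = bank.grant("acct-1", "shop.example", 5000)  # constructed sample values
    forged = {"claims": dict(cap["claims"], limit=10**9), "mac": cap["mac"]}
    results = [bank.charge(cap, "shop.example", 3000),
               bank.charge(cap, "thief.example", 100),  # copied token, other party
               bank.charge(cap, "shop.example", 3000),  # would exceed the limit
               bank.charge(forged, "shop.example", 100)]
    bank.revoke(cap)
    return results + [bank.charge(cap, "shop.example", 100)]
```

Unlike a card number, a copy of this token is useless to anyone but the named payee, cannot be edited to raise the limit, and stops working the moment the account holder revokes it.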

Recurrent payment instructions

Mike; the function you describe has been available for some time in the UK (though from banks, rather than credit card companies). Classically there are two modes: a 'Standing Order' is an instruction from the account holder that a fixed amount should be paid to a designated recipient at regular (usually monthly) intervals for a defined period or until further notice.

A 'Direct Debit' mandate implies a degree of trust in the recipient, because it allows the payee to specify how much money should be paid. It's usually used for variable (but auditable) charges such as utilities and phone bills.

Overall, I have to say I agree with Doc on this one (pace the previous comment that it should be 'amoral' or 'morally neutral' rather than 'immoral' or 'morally undesirable'): even those of us who don't like the idea of 'commercial' DRM (i.e. global media publishers controlling whether I listen to *my* physical CD or *my* ripped mp3 of it) would generally favour a system where we could exercise equivalent control over our own identity data.

It's me...

Like Mark Dixon, I've logged in so as not to leave anonymous comments...

Greetings.

It was also great to see Wes' comment referring to SET. (Ah yes, I remember it well... ;^). As an IBMer at the time, a colleague and I were actually responsible for executing the first cross-border SET payment, as part of a demo/presentation at Visa UK. The guys actually running the demo installation in Denmark, though, didn't tell us, until after the demo, that we were the global guinea-pigs (!).

The big take-away from SET, for me, was that if you give technology vendors (no matter how well-meaning) exclusive responsibility for designing a system like that, you may well get something which is functionally way ahead of its time: you will probably also get something where the 'entry cost' of the technology is blithely assumed not to be a problem.

Solution? Make like the Liberty Alliance, and ensure the room is laced with a healthy dose of customer input whenever the techies are let loose. ;^)

Robin Wilton
blogs.sun.com/racingsnake

SET and InfoCard

As I recall, SET solved the problem of vendors seeing your credit card number, but it required client-side hardware so it failed. At one point digital checks were proposed (which I would much prefer to use than credit cards for online purchases), but they also required client-side changes. Microsoft's InfoCard looks like it can provide a similar solution, but maybe it actually has a chance since MS's monopoly will force people to install the client-side software.

--Wes Felter

SET memories...

I think the lack of take-up was attributable to a lot more than the client-side requirements... including a feeling amongst some of the banks that they were, frankly, hanged if they were going to adopt something which some of them perceived as being foisted on them by the SET 'foursome'.

For instance, the hierarchy of CAs required to operate an SET architecture would, even today with the benefit of experience, look alarmingly over-the-top. There's an awful lot of the SET architecture which is right out of scope of what I understand Infocard to propose.