In 2005, the late Kim Cameron penned “The Laws of Identity.” The paper explored how to give internet users a deep sense of safety, privacy, and certainty about their interactions online. With the proliferation of web-based services and applications, it was essential to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail. Nearly 20 years later, Cameron’s seven laws of identity are still applicable.
Published shortly after the dotcom bust and the introduction of social media, this paper came at a point of inflection for the Internet. Today, with the promise of Web3, a metaverse, and adjusting to a largely virtual working world, we’re living through a similar shift in history. For both points in time, digital identity is at the epicenter—and it’s worth remembering some tried and true lessons from the past.
In part one of this article, we’ll explore the first three laws of identity and how enterprise IT leaders can apply them to their organizations today.
1.) User Control & Consent
The first law states that “technical identity systems must only reveal information identifying a user with the user’s consent.” Essentially, this implies that systems should be designed to put the user in control—not only of the information they release, but also the convenience and simplicity of how it’s collected. Whether user decisions are made on a case-by-case basis, or they’ve opted into an automatic system, all these components are crucial.
Let’s focus on the latter two tenets: convenience and simplicity. Nowhere is this more important than in an enterprise setting. If security measures prevent people from gaining access to systems and applications that enable them to carry out everyday job functions, your identity strategy has failed. With the amount of context switching that takes place in modern, digital business, it’s crucial that people can access what they need, when they need it, without jumping through hoops. Otherwise, you can guarantee they’ll find workarounds that compromise security or won’t be able to function efficiently—both of which hurt the bottom line.
2.) Minimal Disclosure for a Constrained Use
The second law focuses on the best practice of using the “least identifying information.” This refers to the information least likely to identify a given individual across multiple contexts. For example, it’s far less risky for an organization to acquire and store an employee’s company ID number than their driver’s license or social security number, which can uniquely identify them and expose more information.
In a perfect world, no one would have access to information or data they didn’t need. But we don’t live in a perfect world, and unfortunately, granting and removing access in an enterprise organization can take hours to weeks. This means past employees, or in some cases disgruntled employees, could have access to customer information, trade secrets, and other highly sensitive information. Beyond collecting least identifying information, enterprises should be sure they are appropriately granting and removing access in a timely way. Additionally, regular audits should be the norm to ensure protocols and safety measures are being met—for example, HIPAA and HITRUST regulations for healthcare-facing organizations.
3.) Justifiable Parties Digital Identity
The third law states that systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in an identity relationship. In recent history, laws like GDPR and the CCPA have cracked down on third-party data sharing to protect consumers’ information. But this is a bit more ambiguous in an enterprise environment, especially when considering that most businesses work with public cloud providers, open-source solutions, or other SaaS applications that rely on your data to perform.
Weighing the precautions partners and service providers take when handling your organization’s data is of utmost importance. But managing multiple vendors and their data safety practices is no easy undertaking. This is one of the reasons we’re seeing businesses move from many best-of-suite solutions to platform solutions. For example, companies using ServiceNow will have access to their suite of products and integrations ranging from areas such as identity governance and GRC, to chatbots and software asset management. Your data is not shared beyond the trusted platform, and the easy integrations and familiar interfaces make it a safe and advantageous option for enterprises.
As the internet matures and business and consumer technologies evolve, identity and privacy will continue to be a moving target. However, by understanding the foundational laws of identity, we can better safeguard our personal and professional information and prepare for the challenges to come. But we’re only halfway there—my next post will explore the remaining four laws of identity and how businesses can apply them to bolster privacy and efficiency today.