
Privacy and the 7 Laws of Identity: Part 2

June 15, 2022

In part one of this series, we looked back at Microsoft veteran and identity changemaker Kim Cameron's first three laws of identity: user control and consent, minimal disclosure for a constrained use, and justifiable parties. The purpose of these laws is to safeguard the internet and give users confidence in their interactions online, and there are four more to cover.

Nearly two decades later, enterprise leaders can still apply Cameron's framework to challenges commonly experienced in today's business world, ones that will only get trickier with the growth of artificial intelligence (AI) and the promise of a decentralized internet, otherwise known as Web3. Here are the final four considerations for identity leaders, and how they can apply these foundational identity principles in the present.

4.) Directed Identity

The fourth law says a universal identity system must support two kinds of identifiers: "omnidirectional" identifiers, which public entities (a bank, a government portal) publish so that anyone can discover and address them, and "unidirectional" identifiers, which a private individual presents to one relying party at a time. This is a key component of self-sovereign identity (SSI), an approach that gives individuals control of their digital identities and how they establish trust. Public identifiers enable discovery where it is needed; per-relying-party identifiers prevent two parties from correlating their records on a shared handle, protecting personally identifiable information that a user may not want to share broadly.
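To make the fourth law concrete, the following is an added example written for this page; it is not code from the original post, from Cameron, or from any vendor product. It sketches how an identity provider can hand out a public, omnidirectional identifier for a public entity while issuing each relying party a different, unidirectional identifier for the same person, so that two relying parties cannot join their records on it. The derivation is modeled loosely on the pairwise subject identifier approach in OpenID Connect, but the exact construction here is the example's own; the salt, host names, account names and log entries are all constructed for illustration, and the assumption that a relying party is identified by the host of its redirect URI is a simplification.

```python
"""Omnidirectional vs unidirectional identifiers (added example, not from the original post)."""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed for this example: a secret salt held only by the identity provider (IdP).
# In a real deployment it comes from a secrets manager and is never shared with relying parties.
IDP_PAIRWISE_SALT = b"example-only-salt-do-not-use"


def sector_identifier(redirect_uri: str) -> str:
    """Assumption: a relying party (RP) is identified by the host of its redirect URI."""
    host = urlparse(redirect_uri).hostname  # urlparse lower-cases the host for us
    if not host:
        raise ValueError(f"no host in redirect URI: {redirect_uri!r}")
    return host


def omnidirectional_id(local_account_id: str) -> str:
    """Public identifier: identical everywhere, so it can be discovered and addressed.
    Right for a public entity such as a bank or agency; a correlation handle if given to a person."""
    return f"acct:{local_account_id}@idp.example"


def unidirectional_id(local_account_id: str, redirect_uri: str, salt: bytes = IDP_PAIRWISE_SALT) -> str:
    """Per-RP pseudonym: stable for the same (user, RP) pair, different for every other RP,
    and not invertible without the IdP's salt. Modeled loosely on OIDC pairwise subjects."""
    sector = sector_identifier(redirect_uri)
    msg = f"{sector}\x00{local_account_id}".encode()  # NUL separator avoids ambiguous splits
    mac = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def joinable_subjects(log_a: list[dict], log_b: list[dict]) -> set[str]:
    """What two RPs can learn by joining their logs on the 'sub' field alone."""
    return {r["sub"] for r in log_a} & {r["sub"] for r in log_b}


def demo() -> dict:
    """Constructed scenario: Alice logs in at a shop and at a bank through the same IdP."""
    shop, bank = "https://shop.example/callback", "https://bank.example/oidc/cb"
    # Unidirectional: each RP stores a different sub for Alice, so the join is empty.
    shop_log = [{"sub": unidirectional_id("alice", shop), "event": "purchase"}]
    bank_log = [{"sub": unidirectional_id("alice", bank), "event": "transfer"}]
    # Omnidirectional: the same handle appears in both logs, so the records link up.
    shop_log_public = [{"sub": omnidirectional_id("alice"), "event": "purchase"}]
    bank_log_public = [{"sub": omnidirectional_id("alice"), "event": "transfer"}]
    return {
        "pairwise_joinable": joinable_subjects(shop_log, bank_log),
        "public_joinable": joinable_subjects(shop_log_public, bank_log_public),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. First, a pairwise identifier only removes the identifier itself as a correlation handle; if the identity provider also releases an email address or phone number to both relying parties, they can still join on that, which is why this law works together with minimal disclosure (the second law). Second, the sector assumption matters: two relying parties that share a host, or that collude with the identity provider, receive or can reconstruct the same pseudonym.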

Both enterprise and consumer organizations need to be vigilant about keeping digital identities secure. This is also a central tenet of GDPR: putting power back in the hands of individuals, who ultimately get to decide how and by whom their data is used. It will remain an important area of focus as the conversation around blockchain technology and Web3 continues.

5.) Pluralism of Operators and Technologies

Having one way to express identity would certainly be easy, but it's not realistic. Rather, different identity systems must coexist in a 'Metasystem': simple, agreed-upon protocols and a unified user experience (UX) that let individuals and organizations select the identity providers and features appropriate to them. Essentially, we must all play by the same rules, but how each party gets there depends on its context.

For example, it may be appropriate to ask for a person's social security number when filling out government forms, but not on an ecommerce site. Likewise, in a professional setting the credentials used to prove who you are can range from a password to a one-time code sent to someone's mobile phone or a physical token. The strength of the credential demanded should be proportional to the sensitivity of what the individual is trying to access. It shouldn't be complicated, but it should vary by case.

6.) Human Integration

Cameron uses the example of communication between an aircraft's cockpit and the control tower to explain the law of human integration. In that environment, people know what to expect from the deliberately constrained language used, so they can tell quickly when something has gone awry and address it immediately. Unfortunately, digital identity is not so cut and dried.

After all, this is why phishing remains one of the most popular methods for cyber criminals: people believe they're interacting with a trusted source, which is why so many breaches start on the inside, with a legitimate user who was deceived. These tactics have been used since the '90s and are still working today. To protect identities, businesses must achieve highly reliable communication between a system and its human users, and test those safeguards regularly.

7.) Consistent Experience Across Contexts

The identity Metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies. In practice, different relying parties will require different kinds of digital identities, and within each context users will be able to decide which identity to use.

As noted under the fifth law, these credentials come from a range of commonly accepted options but will differ across public, personal, and professional use. In the enterprise, people will generally understand why certain security measures are in place, but it's the employer's job to ensure that processes are streamlined and don't hinder productivity. If people are expected to follow identity procedures, those procedures can't be burdensome, or people will find workarounds that compromise your business's security.

The Laws of Identity are nothing new, but years later they still capture the components we need to think about when it comes to privacy and digital identity. These foundations are all about finding the balance between trust and usability, which remains a challenge today. Every business leader should be asking how identity is integrated into their workflows, and how they stack up against Cameron's laws.

Written By

Jackson Shaw
