As a person whose only “agenda” is making sure I retain choice and privacy (choice of privacy, right to and of deniability of assumed identity as preferred, etc), the things any “identity service” must provide to garner my interest/business are below outlined.
Choice/Privacy Requirements – Things I would ask any “identity service” to agree to EXPLICITLY:
1. That my legal name and related personal details (e.g., address, email, phone, et al) are not shared, sold, or otherwise released without my explicit permission (to be requested on a PER INSTANCE basis),
2. That my online activities are not shared, sold, or otherwise released excepting as non-identifying aggregate information, ever,
3. That the provider is both (a) assuming legal responsibility for and (b) agreeing to be legally liable for any theft, misuse, or release of the information comprised by (1) and (2) as above outlined,
4. That, should I so request, any and all information stored or tracked about me and my activity online by the provider will be:
   - provided to me in a format that is readable by common desktop application(s),
   - removed from their systems (including any back-ups or other archives) upon request to cancel/close/delete my account,
5. That I will be notified of any and all requests for my information or data relating to my activities by third parties, regardless their affiliation,
6. That any such inquiry as outlined in (5) which does not rise from a legitimate agent of law enforcement or government OR which is not accompanied by legal warrant must require my explicit permission to be fulfilled AND that any rejection or withholding of my permission will be attended in full by the provider, without exception.
Identity Requirements – In addition to the above, the following features and functionality would be requisite to receiving and sustaining my business as an identity server/service:
- That I be allowed to engage anonymously or pseudonymously alias my identity as I may see fit and that this preference will be both (a) maintained and (b) protected across all activities in which I so choose to use either,
- That, under no circumstance, will my anonymous activity or my pseudonymous identity or activities be revealed without my explicit consent, unless under circumstances and through means outlined in (5) and (6), above,
- That any provider offering these services both monitor and advise/track/warn me when any circumstance by which inadvertent revelation of my information is possible or likely and provide me with graceful recovery and exit from the circumstance/situation introducing it,
- That any provider offer a suite of tools for both browsing and email use that incorporates the protections above outlined,
- That you vet any participating recipient (e.g., online retailer, product/service provider, et al) and manage their agreement to the above outlined choice/privacy requirements AND their support of the identity requirements (where not interfering with the purchase/payment validation process) throughout their systems OR clearly notify me if/when they do not prior to allowing me to conduct business with them.
Mind you, I know what a tall order this is; I also know that groups like NSTIC, Google, etc are not looking at this through a consumer’s lens. If I’m going to give so much private and personal information to anyone outside a courtroom or a government office, I damn well intend that whoever takes it will explicitly commit to be as aggressively vigilant and protective of it as I am.
Anyone who cannot or will not be so or do so, frankly, neither deserves nor gets my trust.
So tell me, potential Identity Service Provider — can you do this? Will you do this?
Looking forward to your reply,
Bonnie L. Nadri