Interview with Peter Cullen
December 2006
Interviewee: Peter Cullen, Chief Privacy Strategist, Microsoft Corporation
Interviewer: Terry McQuay, President of Nymity
Subject: Microsoft’s creation of an overarching framework for handling digital identity
Nymity: What exactly does “digital identity”
mean?
Cullen: A digital identity is how we identify
ourselves online. Today, we can’t do much on the Internet
without identifying ourselves. If you’re shopping online,
you have to submit your name, your address, and a credit card
number. Or, to get to your bank account or your frequent flier
miles, you might have to submit a username, an account number,
and a password. Every situation is different, so consumers
are constantly making judgments about whether it’s safe
to submit identifying information and whether a site is asking
for more information than it really needs to identify users.
A related issue is how difficult it is for users to know if
they are safely connecting to a legitimate site. This is also
a “digital identity” problem. Both of these issues
are examples of the challenges of creating a secure identity
system.
Nymity: How significant a problem is this for consumers?
Cullen: It’s a very real concern for
consumers. The Internet was built without a way to know who
and what individuals are connecting to. This limits what people
can do, and it exposes computer users to potential fraud.
In short, the same technology that lets businesses and consumers
access and share information online can also be used to violate
users’ privacy. An example is phishing scams, in which
a scammer sends out e-mail that appears to come from a legitimate
organization, such as a bank, and the recipient is tricked
into visiting a phony web site that asks for information such
as credit card numbers or account passwords. Many of these
scams are designed for the express purpose of defrauding the
consumer or outright identity theft.
Nymity: How do these kinds of privacy infringements hurt
businesses?
Cullen: Identity theft and misuse of personal
information are eroding public trust in the Internet, potentially
threatening the growth of e-commerce. Consumers concerned
about scams are also becoming suspicious of legitimate companies.
Ensuring adequate privacy policies and protection is absolutely
crucial to building and maintaining customer trust. One study
by Privacy & American Business found that more than 80
percent of consumers would stop doing business with a company
if they heard that it misused customer information. In addition,
concerns around online fraud are affecting computer users’
online behavior.
Nymity: So what’s the solution?
Cullen: Because online identity is handled
in a variety of ways, using technologies from many different
IT companies, it’s simply unrealistic to expect a single,
secure identity management system to emerge. There is no single
policy or product that can guarantee privacy of personal data.
At Microsoft, we believe that the only effective approach
is to create an overarching identity management framework
that can connect many different identity systems. We call
this framework the Identity Metasystem.
Nymity: Is the Identity Metasystem a product?
Cullen: No, it’s a set of protocols
and standards that all identity systems can choose to follow,
and if they do, they will be interoperable with other identity
systems that comply with the Metasystem. It’s a way
to advance compliance with universal principles of secure
identity management and provide users with a consistent and
safe way to securely manage digital identity.
Nymity: What are these principles?
Cullen: We call them The Seven Laws of Identity
(http://www.identityblog.com/wp-content/resources/design_rationale.pdf).
They are the seven essential ingredients of good online security
and privacy in the digital identity context, and their importance
has been proven again and again over the years. Systems that
breach any of these laws tend to fail, both functionally and
commercially.
Nymity: What do these laws say?
Cullen: I’ll give you a couple of examples.
One law says that the user must be able to verify that the
party requesting identity-related information is legitimate,
and it must be clear to the user why that information is being
requested. Another law says that identity systems should ask
for only as much personally identifying information as they
need in a given context, and they must limit use of that information
to that context. For example, an identity system shouldn’t
ask for your address and phone number simply because that
information might prove useful at some future time.
Nymity: What does the Identity Metasystem mean in practice?
Cullen: Identity solutions from many different
IT vendors will be able to recognize each other and publish
their service requirements and capabilities. They’ll
be able to interoperate, in other words. The Identity Metasystem
uses existing vendor-neutral communication protocols, so any
IT vendor can create Metasystem-compatible identity solutions.
Nymity: Is this better than having a single, trustworthy identity
authority for the entire Internet?
Cullen: Centralized identity systems have
inherent weaknesses and dangers. For example, when you have
a central repository of users’ personal information
or a central verifying authority, there’s a single point
of failure. In addition, the amount of identity information
you reveal should be based on context—for instance,
bank ATM cards, government-issued ID cards, and frequent coffee
buyer cards are all used in different contexts and therefore
require different amounts of information about the cardholder
and by extension often different cards and different identity
providers.
Nymity: Does Microsoft have its own identity solution that
conforms to the Identity Metasystem?
Cullen: We do. We have released a technology
that’s a great example of the Laws of Identity at work.
It’s called CardSpace, and it is an example of “Information
Card” technology. It uses the metaphor of ID cards in
a wallet to describe digital identities. A user can create
any number of Information Cards, some with self-asserted information
and others representing relationships the user has with identity
providers such as banks or web sites. The system’s processing
engine tells the user which cards will satisfy the information
request to enable a given online transaction, and the user
can decide whether to go ahead and select an applicable card
to “show” to the requesting party.
Nymity: How is that more secure than existing identity systems?
Cullen: The Information Cards presented to
the user in the Windows CardSpace software don’t contain
any personal data. Rather, they are pointers to the providers
of the identity information associated with the card. Those
providers supply the information encoded by the card to the
requesting party, under user consent. In the simplest case,
a card might point to proof of the user’s age or gender.
Or a card might point to information that identifies the user
to her employer. A user can also create a card that points
to personally identifying data stored locally on his own machine.
Nymity: When will the CardSpace technology be available?
Cullen: CardSpace was made available for
download for Windows XP and Windows Server 2003 users on November
9, 2006. CardSpace will formally launch with Windows Vista,
our latest client operating system, which will be broadly
available on January 30, 2007 (and available to Business Users
on November 30, 2006). In addition, the latest version of
Microsoft’s web browser, Internet Explorer 7, supports
the Information Card technology, and so does .NET Framework
3.0, our next-generation programming model. We’re already
seeing third-party developers building Identity Metasystem
solutions both for the Windows platform and other systems
on which the Identity Metasystem protocols have been implemented.
Nymity: Dr. Ann Cavoukian, the Information and Privacy Commissioner
of Ontario, has spoken favorably about the Identity Metasystem
and is promoting the Laws of Identity as a privacy solution
through a paper
and a brochure.
What impact could this initiative have on corporate Canada?
Cullen: We were honored to work on this project
with Dr. Cavoukian, who, along with Microsoft and other IT
companies, is endorsing global privacy laws and fair information
practices. To ensure the integrity of the Internet, best business
practices that ensure both security and trustworthy identity
are needed. The Laws of Identity and the related Identity
Metasystem, with their specific articulation of privacy protections,
are a big step in that direction. According to Dr. Cavoukian,
privacy-enhancement laws will help minimize the risk that
one’s online identities and activities will be linked
together. We believe adoption of these principles and the
Identity Metasystem for digital identity efforts will help
online businesses in Canada and around the world grow and
prosper.