
I have been thinking about and researching issues related to what the Army calls “Personally Identifying Information” (PII). We have mandatory training that tells us we must protect the PII of ourselves and our co-workers, and we have policies that also relate to what PII we should allow on a federal website. I have also been coming to my own conclusions. I think our laws and policy are far behind our technology, and how we deal with identity and privacy is one of the issues that are overdue for updates, if not a complete rebuild from the ground up.
The primary questions are:
- What changes are needed by law and policy? This issue, of course, is beyond our reach – it needs both national and international governmental attention, but we must stay aware of the rules and where they may be going in the future.
- How does current policy impact what we want to accomplish for the Army Sustainability Community? What do we need to know if we build something in the near future?
I do think that the larger issue of identity is one that can’t be left to the market to decide. After looking at the terms of service and privacy policies in a few places, I see that when people are using the sites for things like social networking, many times their information, the networks they identify, and sometimes even the images and other data they display are all now under the control of the site. Also, if the site is sold to another company, that information and data go along with it. It is no wonder they are free to use, since this information people freely provide is so valuable to so many companies – and formerly only obtainable using private investigators. In this blog by the creator and CEO of Facebook, we can see this is a delicate trade-off for which there is no clear answer. How do we get the benefits of social networking without the loss of control of our PII or other risks to ourselves and the Army?
Security functions served by proper identity:
- Authentication – when you get information, can you be assured that the source is valid?
- Authorization – does a given person have the rights or permissions to do given things?
- Non-repudiation – if someone does something, is there a way to ensure that they cannot later deny it?
- Confidentiality – is information only being released to those for whom it is intended or appropriate?
I certainly don’t have the answers. I will likely be updating this blog as I learn more. When I look for information, I find things like this, which provide some good suggestions on how to limit what we tell about ourselves.
Kim Cameron provides some interesting ideas in his “Laws of Identity” website. It is beyond where I want to go, but at this point, I am happy to see people are thinking seriously about this issue.
