At the dawn of the internet, user privacy was not a concern. The internet consisted of a few bulletin boards, chat groups and static web pages. Most of the public was not using the internet, very little personal information was being exchanged, and it was seldom attached to a real person’s identity. From those early beginnings the internet has grown into a world filled with people communicating, doing business, playing, and working together. But in many ways it is a world without law. People are allowed to wander the streets with masks and lurk in shadows saying and doing uncharacteristic things because of their anonymity. User identity need not be certain and can be loosely connected to the identity of their earth bound counterpart, and corporations are given unfettered use of a user’s personal information once it has been provided.
Yet despite the apparent lack of laws around identity, privacy, and security, there are incentives to be recognized for sharing personal information. Online communities and tools have sprung up across the internet to facilitate real-world interactions. Classified as cloud computing applications, these communities and tools include online banking, web email, Facebook, and photo sharing. A recent survey by Pew Internet and American Life Project found that 69% of online American users input data about their personal lives into these cloud computing applications. What is unique about cloud computing applications is that this information is stored remotely on servers across the internet. Users see only one interface to these web applications, but the backend technology is not centralized. Because of the amount of data and analysis, one cloud application could chop up and spread a users person information across thousands of computers throughout the world.
The questions now become, how much protection should a user’s information receive, and how should this level of protection be guaranteed? Certainly the existing privacy laws of the jurisdiction play a central role, but there are also a number of other considerations. Technology continues to change how people and corporations interact with one another and what information is necessary to facilitate this interaction. There has been a shift in attitude with the younger generation of internet users who are not as concerned about their personal information as evidenced by the popularity of Facebook and MySpace. The internet is borderless such that a Canadian corporation could store a user’s information on data centers in India or China to take advantage of cheap resources. Information can easily be copied and stored giving it a perpetual lifespan. Also, large multinational companies, which retain much of this personal information, are the predominant providers of these cloud applications and do so for profit.
Perhaps a better way to view the issues is by looking at the competing interests. They include: 1) a user’s right to privacy and ability to control what personal information is provided to who and for how long, 2) the corporation’s need to use this information to provide service as well as generate a profit, 3) a government’s ability to violate the privacy rights of one citizen for the protection of many and 4) the technological limits of a decentralized internet system to implement a cross-internet identity and access management system.
Over the next couple of months I will be discussing this topic in detail and exploring the various issues and stakeholder interests. As well, this blog series will look at some of the internet identity and access management technologies that are currently being developed. Please stay tuned.