Because it is important for individuals to maintain control over their private identity information, it is necessary to understand where the individual fits in the general identity system structure. There are generally three parties to an identity system:
Identity system providers: Entities that proof information, enroll individuals, and issue identity credentials. For example, governments provide identities to citizens through passports or visas.
Identity system members: The people who must use identity information to obtain privileges. For example, an individual uses the ID badge issued by an employer to enter a secure facility.
Identity system users: Organizations that rely on identities and credentials (banks, law enforcement, retailers). For example, an employer uses a person’s driver’s license or passport as proof of identity for a job application.
As we can see, the individual is indeed at the center of the identity system – or maybe more aptly put – stuck in the middle. With identity system providers responsible for collecting, verifying, and storing identity information, and identity system users clamoring to get access to this data, it’s no wonder that individuals get nervous about their identity information. So what to do? Well, some of the main concerns that we all have regarding identity systems can be addressed by incorporating robust and auditable policies, practices and processes into our identity systems. The following are some guidelines to use when creating an identity system:
· Consent. Establish identity systems that enforce a policy of consent when transferring identity information. Identity systems should only reveal information identifying a person with the person’s consent. The information should be limited to the information that is necessary to complete the transaction.
· Transparency. An individual should be able to “see” how identity information is being used. Although individuals may not be authorized to modify transaction information, both they and the entity they are interacting with are best served if the information is visible to them. Visible information creates a higher level of trust between the individual and the entity and also creates a feedback security loop to help individuals police the use of their identity information. (For example, credit card companies allow their customers to access a list of monthly transactions. Fraudulent credit card transactions are often reported by the customer.)
· Privacy and security. Incorporate privacy and security features as fundamental and pervasive elements of the identity system.
· Interoperability. Make the identity system interoperable, so that the individual can use the identity information broadly.
· Biometrics. Use biometrics as an integral part of the identity system, so that a person is physically associated with the identity information and the identity credential.
· Ease of use. Adopt ease of use as a primary design principle. The user experience should be simple and consistent. Automating transactions to reduce time and complexity is an important consideration.
When our governments consider the hazards and benefits of society’s adoption of a new technology protecting our identities, legislating against its use instead of making illegal its misuse will inevitably “throw the baby out with the bath water,” depriving society of the technology’s benefits.