My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online.
The author of the Times article, Denise Caruso, quotes Drummond Reed as well:
The myth is that companies have to know all this information about you in order to do business with you … [b]ut from a liability perspective, the less I know about my customers the better.
Or, as Forum friend and former editor of Wired UK John Browning wrote a decade ago (in Wired 5.11):
The true identity of a counterparty may be the least interesting fact about them in a commercial transaction.
Drummond’s point is made from the perspective of the U.S. National Retail Federation open letter to the credit card industry, which asks them to stop putting retailers on “the horns of a dilemma” by requiring them to store personal data, but then turning around and penalizing them when that data gets compromised. The LLP idea aims to help retailers (and everyone else, of course) protect individuals by giving those individuals identities which contain only a limited amount of personal information (I don’t see why companies would have LLPs as well though). If this sounds familiar, and I sound uncritical, that’s because this is one of our PET projects: we don’t call them LLPs (I prefer to shy away from the word “liability”) but pseudonymous virtual identities, and they solve more problems than PCI-DSS compliance.
The article says (correctly) that there has to be a system of legal constructs and new entities geared toward reducing identity and privacy risk for all parties. In some sectors, these already exist. An example is Identrust in the financial sector, where I think it’s fair to observe that it was much more difficult to formulate and agree the legal “standards” for the distribution of liabilities than it was to sort out certificate formats, key lengths and the like. But, more generally, in Europe the legislation (the various digital signature and data privacy directives and such like) already provides everything that’s needed to implement this solution. The use of pseudonyms in qualified digital signatures is already legal for binding contracts (in Eurodirective-speak pseudonyms are known as “indirect identities”). This means that you can implement an entirely appropriate and legal solution using existing technology and solutions: with, for example, secure hardware to store private keys (e.g., an appropriate smart card or USB token) as is required to form qualified signatures, together with Cardspace (or whatever) as the mechanism for passing authenticated virtual identities containing subsets of data appropriate to the transaction at hand.
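The arrangement described above (a certified pseudonym, a holder key, and a presentation carrying only the attributes a transaction needs), as an added Go example that is not from the original post. Ed25519 stands in for a qualified signature scheme, the holder key lives in software rather than on a smart card, and every type, function and sample value is an assumption made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

type PseudonymCert struct { // constructed stand-in for a certificate naming a pseudonym
	Pseudonym string
	HolderKey ed25519.PublicKey
	IssuerSig []byte // issuer's signature over (Pseudonym, HolderKey)
}

type Presentation struct { // everything the relying party (e.g. a retailer) receives
	Cert      PseudonymCert
	Claims    map[string]string // only the attributes this transaction needs
	Nonce     string            // relying party's challenge, blocks replay
	HolderSig []byte            // holder's signature over (Pseudonym, Claims, Nonce)
}

// enc gives deterministic bytes to sign: a JSON array; map keys marshal sorted.
func enc(v ...interface{}) []byte { b, _ := json.Marshal(v); return b }

// Issue: the issuer knows who the holder is but certifies only the pseudonym.
func Issue(issuer ed25519.PrivateKey, pseudonym string, holder ed25519.PublicKey) PseudonymCert {
	return PseudonymCert{pseudonym, holder, ed25519.Sign(issuer, enc(pseudonym, holder))}
}

// Present signs with a software key; the page's design keeps it on a smart card or token.
func Present(holder ed25519.PrivateKey, c PseudonymCert, claims map[string]string, nonce string) Presentation {
	return Presentation{c, claims, nonce, ed25519.Sign(holder, enc(c.Pseudonym, claims, nonce))}
}

// Verify checks freshness, the issuer's binding of key to pseudonym, then the holder's signature.
func Verify(issuerPub ed25519.PublicKey, p Presentation, nonce string) bool {
	return p.Nonce == nonce && len(p.Cert.HolderKey) == ed25519.PublicKeySize &&
		ed25519.Verify(issuerPub, enc(p.Cert.Pseudonym, p.Cert.HolderKey), p.Cert.IssuerSig) &&
		ed25519.Verify(p.Cert.HolderKey, enc(p.Cert.Pseudonym, p.Claims, p.Nonce), p.HolderSig)
}

func main() {
	ipub, ipriv, _ := ed25519.GenerateKey(nil) // issuer key (constructed)
	hpub, hpriv, _ := ed25519.GenerateKey(nil) // holder key (constructed)
	p := Present(hpriv, Issue(ipriv, "fan-7f3a", hpub), map[string]string{"over18": "true"}, "n-1")
	fmt.Println(Verify(ipub, p, "n-1"), p.Claims)
}
```

The relying party ends up holding a pseudonym, one attribute and two signatures, so a breach of its records exposes nothing that names the customer.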
I haven’t got a snappy TLA so I’ll have to come up with some contrived acronym instead. Pseudonymous virtual identity together with a qualified digital signature: PVQ? PsViQs? How about Ps+Qs? Then, when you’re telling consumers to be careful online and use their LLPs instead of their “real” identities, you can tell them to “mind their Ps+Qs”…
I have reasons for imagining that the LLP / Ps+Qs will actually be more tangible than they may at first seem to readers who don’t spend half their lives thinking about the future of identity. This is because I suspect that Ps+Qs will come to represent relationships and that the brand of those relationships will be important in enabling transactions. As I’ve said at a hundred conferences, my kids don’t want a Megabank Identity no matter how secure it is: they want a Nike Identity or an [insert name of popular beat combo here] Identity. Me, I want a Manchester City (It’s just like watching Brazil) Identity, and I’d pay for it.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public