Identity Lifecycle

From IIW

Monday Session 4 Space E

Conference: IIW10, May 17-19, 2009 (Complete Set of Notes)

We have several classes of data:



Uncontrollably exposed
 - Here we are throwing up our hands. 


Controllably exposed (for example, by contract)
 - retrievable/withdrawable/erasable
 - Vanish is an example of a product here.



Is there another level here, which is "Assured destruction"?
   

Disappearing Ink was a company in this space.

Data security becomes very much like a DRM system.



How do we apply this to Identity Information?



Another taxonomy:


  • Permanent data that we might want to withdraw.

  • Transient data that should have a limited life.



What controls do we have here?


  • Contract

  • Legal obligation



Can a trusted 3rd party help ensure the destruction/privacy/revocation?



A key question: "what is the incentive for people to be good actors?" Or, what's the penalty for not obeying privacy restrictions?



Another interesting question of information lifecycle: when the data changes context, you may really care. It can be a big problem. The privacy boundaries here are significant and the user needs to be in control.