Ex-Commissioner calls for privacy restructure

Former Privacy Commissioner Malcolm Crompton has called for the establishment of a formal privacy industry to rethink identity management in an increasingly digital world.

Addressing the Cards & Payments Australasia conference in Sydney this week, Crompton said the online environment needed to become “safe to play” from citizens’ perspective.

While the internet was built as a “trusted environment”, Crompton said governments and businesses had emerged as “digital gods” with imbalanced identification requirements.

“Power allocation is where we got it wrong,” he said, warning that organisations’ unwarranted emphasis on identification had created money-making opportunities for criminals.

“We are in an identity management arms race that we are going to lose. Why don’t we take out the value proposition for crooks by relying on identity less.”

Crompton compared online transactions to those in the “meat world”, where buyers typically did not need to identify themselves when handing cash to a supermarket cashier.

He suggested that shopkeepers were reassured by physical information like a customer’s appearance and residual fingerprints, which could be investigated by police if necessary.

“Identity is not really the issue; it’s the way we solve a deeper problem – to ascertain reliability, trustworthiness,” he said.

Currently, users were forced to provide personal information to various email providers, social networking sites, and online retailers in what Crompton described as “a patchwork of identity one-offs”.

Not only were login systems “incredibly clumsy and easy to compromise”; centralised stores of personal details and metadata created honeypots of information for identity thieves, he said.

Current systems were also biased, he said, explaining that websites could be spoofed if they required users to identify themselves without offering similar authentication in return.

Refuting arguments that metadata – such as login records and search strings – was unidentifiable, Crompton warned that organisations hording such information would one day face a user revolt.

“You can make money for one year, three years, five years by exploiting people, but you can’t grow without trust,” he said.

Crompton encouraged businesses to undertake privacy impact assessments, which were more commonly used to consider the use of personal information in the public sector.

He also recommended the use of cloud-based identification management systems such as Azigo, Avoco and OpenID, which tended to give users more control of their information and third-party access rights.

User-centricity was central to Microsoft chief identity architect Kim Cameron’s ‘Laws of Identity’ (pdf), as well as Canadian Privacy Commissioner Ann Cavoukian’s seven principles of ‘Privacy by Design’ (pdf).

Crompton said the Canada’s open, proactive, embedded approach to privacy was endorsed by “all of the world’s privacy regulators” at the October 2010 International Conference of Data Protection and Privacy Commissioners.

The concept was also backed by the European Data Protection Supervisor (pdf) and US Federal Trade Commission, which recommended that companies build privacy protections into everyday business practices.

“Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfil that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy,” the FTC wrote last December (pdf).

“Companies also should implement and enforce procedurally sound privacy practices throughout their organisations, including, for instance, assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services.

“Such concepts are not new, but the time has come for industry to implement them systematically.”