The Privacy, Identity & Consent Blog

Privacy is often defined as “the right to be left alone” (OED). The key issue here is the ‘right’ - not the ‘alone’. Very few of us choose to be left entirely alone, we surround ourselves with people, phones, computers, tvs, radios etc. But we want to know we could be left alone in a given context: I’m happy to be called by family & friends at weekends, but have no interest in receiving calls from double glazing firms.

I only have one identity. That’s me. I know who I am. You can’t steal it from me. But I use many personae, and the UK, like many ‘western’ nations, is built upon pseudonymity. For example, I have about a dozen pieces of plastic in my wallet. There is no direct link between the Toby that holds a Visa card and the T Stevens that holds an Amex. When I apply for a new financial product, the provider has to rely on the likes of Experian and Equifax to derive confidence about whether those are the same individual.

In light of James Garner's marathon effort, I'd like to put in a sponsorship plug for my forthcoming charity cycle ride. Please read on and lend your support!

Dave Birch has done an excellent job of describing a point that is oft-discussed in identity/privacy circles: that we in fact rarely need to identify ourselves. Government ministers bang on about how good citizens need to identify themselves many times each day. Utter poppycock. We need to prove entitlement to a service, or authenticate ourselves as the legitimate recipient, but we rarely need to identify ourselves. Please can we sit down with the policymakers and educate them on some of the most elementary principles of ID before they start writing user specifications for massive database systems? (Of course if we educated them properly, the systems wouldn't be massive in the first place).

I get particularly annoyed when I'm asked for inappropriate credentials. Government offices will very often request a credit card so that I can prove who I am when going into a building. What exactly does that prove? That I'm capable of stealing a wallet or making a false credit card? My solution is always to respond to a request for an inappropriate credential with an inappropriate credential: my favourite cards are my National Rifle Association membership (that always leaves security guards with a dilemma) or my CLAS membership (a little piece of laminated card that in theory says I have security clearance, but in practice has nothing to bind it to the bearer other than a name on the front).

Of course the politician's response to this problem is to day that it proves the need for an identity card. Oh no, it doesn't. It proves the need for an identity metasystem, and that's a very different beast indeed.

Dave has posted some excellent thoughts on this month's Scientific American special on privacy. In particular, if you've not considered how some folks feel about RFID tags then take a look.

Next week beings the first Identity & Privacy Forum. Our keynote speaker this year is the Information Commissioner, Richard Thomas. We also have a host of experts from the fields of privacy, identity, security and biometrics.

The conference will be held on 14th and 15th May 2009, sponsored by Consult Hyperion with support from HP, Microsoft, Symantec, Verisign and VoicePay. The Forum will be held at the Guoman Charing Cross Hotel, London, and will be structured around four sessions - 'online identity', 'privacy and consent', 'sharing front line experiences' from the public sector and 'catching up with biometrics' - together with interactive expert panel discussions.

Why are we kicking off this new Forum? Well, for some years the Digital Identity Forum and EPG have been running their own events every year and usually only a week or two apart. We've noticed that the overlap between the events - in terms of subjects, speakers and delegates - has been growing year-on-year, so we decided to get together and focus our efforts on one event that inherits both traditions: debate, discussion and learning in a relaxed atmosphere, mixing technology, business and policy to try and create new ideas, new breakthroughs in identity management for the 21st century.

We have only a limited number of seats for this event, and a small pool of FREE TICKETS. Please contact me directly if you're interested in joining us at the event.

[Please excuse the blatant plug - but this is a not-for-profit event with any profits going to charity]

Sorry about the extended break from blogging - I've been away in the woods on a Bushcraft course, so no phone or email for me - but we're back to normal service now.

I spoke on the topic of "Privacy Impact Assessments: Experiences from Industry" at the Engineering and Science Research Council event on 30th June, and the slides are now available online. Rather than discussing the process of a PIA, I focussed on when (and when not) to do a PIA; how to avoid the traps and pitfalls on the way; and how to make best use of the results.