Law and Information

Over the past two days, I had the pleasure to co-moderate with my colleagues and friends Prof. John Palfrey and Colin Maclay the second Berkman/St. Gallen Workshop on ICT Interoperability and eInnovation. While we received wonderful initial inputs at the first workshop in January that took place in Weissbad, Switzerland, we had this time the opportunity to present our draft case studies and preliminary findings here in Cambridge. The invited group of 20 experts from various disciplines and industries have provided detailed feedback on our drafts, covering important methodological questions as well as substantive issues in areas such as DRM interoperability, digital ID, and web service/mash ups.

Like at the January workshop, the discussion got heated while exploring the possible roles of governments regarding ICT interoperability. Government involvement may take many forms and can be roughly grouped into two categories: ex ante and ex post approaches. Ex post approaches would include, for example, interventions based on general competition law (e.g. in cases of refusal to license a core technology by a dominant market player) or an adjustment of the IP regime (e.g. broadening existing reverse-engineering provisions). Ex ante strategies also include a broad range of possible interventions, among them mandating standards (to start with the most intrusive), requiring the disclosure of interoperability information, labeling/transparency requirements, using public procurement power, but also fostering frameworks for cooperation between private actors, etc.

There was broad consensus in the room that governmental interventions, especially in form of intrusive ex ante interventions, should be a means of last resort. However, it was disputed how the relevant scenarios (market failures) might look like where governmental interventions are justified. A complicating factor in the context of the analysis is the rapidly changing technological environment that makes it hard to predict whether the market forces just need more time to address a particular interoperability problem, or whether the market failed in doing so.

In the last session of the workshop, we discussed a chart we drafted that suggests steps and issues that governments would have to take into consideration when making policy choices about ICT interoperability (according to our understanding of public policy, the government could also reach the conclusion that it doesn’t intervene and let the self-regulatory forces of the market taking care of a particular issue). While details remain to be discussed, the majority of the participants seemed to agree that the following elements should be part of the chart:

1. precise description of perceived interoperability problem (as specific as possible);
2. clarifying government’s responsibility regarding the perceived problem;
3. in-depth analysis of the problem (based on empirical data where available);
4. assessing the need for intervention vis-à-vis dynamic market forces (incl. “timing” issue);
5. exploring the full range of approaches available as portrayed, for example, in our case studies and reports (both self-regulatory and regulation-based approaches, including discussion of drawbacks/costs);
6. definition of the policy goal that shall be achieved (also for benchmarking purposes), e.g. increasing competition, fostering innovation, ensuring security, etc.

Discussion (and research!) to be continued over the weeks and months to come.

I’m currently in wonderful San Francisco, attending the Berkman Center’s Mobile Identity workshop – a so-called “unconference” — led by my colleagues Doc Searls, Mary Rundle, and John Clippinger. We’ve had very interesting discussions so far, covering various topics ranging from Vendor Relationship Management to mobile identity in developing countries.

In the context of digital identity in general and user-centric identity management systems in particular, I’m especially interested the question as to what extent the issues related to mobile ID are distinct from the issues we’ve been exploring in the browser-based and traditionally wired desktop-environment. Here’s my initial take on it:

Although mobile identity can be best understood as part of the generic concept of digital identity and despite the fact that identity as such has some degrees of mobility by definition, I would argue that mobile (digital) identity has certain characteristics that might (or should) have an impact on the ways we frame and address the identity challenges in this increasingly important part of the digitally networked environment. I would argue that the characteristics, by and large, may be mapped onto four layers.

• Hardware layer: First and most obviously, mobile devices are characterized by the fact that we carry them with us – from location to location. This physical dimension of mobility has a series of implications regarding identity management, especially at the logical and content layer (see below), but also with regard to vulnerabilities such as theft and loss. In addition, the devices themselves have distinct characteristics – ranging from relatively small screens, small keyboards to limited computing power, but also SIM cards, among other things — that might shape the design of the identity management solution.
• Logical layer: One of the consequences of location-to-location mobility and multi-mode devices is that identity issues have to be managed in a heterogeneous wireless infrastructure environment, which includes multiple providers of different-generation cellular networks, public and private WiFi, Bluetooth, etc., that are using different technologies and standards, and are operating under different incentive structures. This links back to our last week’s discussion about ICT interoperability.
• Content layer: The characteristics of mobile devices have ramifications at the content layer. Users of mobile devices are limited in what they can do with these devices. Arguably, mobile device users tend to carry out rather specific information requests, transactions, tasks, or the like – as opposed to open, vague and time-consuming “browsing” activities. This demand has been met on the supply-side with application and service providers offering location-based and context-specific content to mobile phone users. This development, in turn, has increased the exchange of location data and contextual information among user/mobile device and application/service providers. Obviously, the increased relevance of such data adds another dimension to the digital ID and privacy discussion.
• Behavioral layer: The previous remarks also make clear that different dimensions of mobility and the characteristics of mobile devices lead to different uses of mobile devices when compared to desktop-like devices. The type and amount of personal information, for example, that is disclosed in a mobile setting is likely to be distinct from other online settings. Furthermore, portable devices get more often lost (or stolen) than non-portable devices. These “behavioral” characteristics might vary among cultural contexts – a fact that might add to the complexity of mobile identity management (Colin Maclay, for instance, pointed out that sharing cell phones is a common practice in low income countries.)

Today, I got the sense that the technologists in the room have a better understanding of how to deal with the characteristics of mobile devices when it comes to digital identity management. At least it appears that technologists have identified both the opportunities and challenges associated with these features. I’m not sure, however, whether we lawyers and policy people in the room have fully understood the implications of the above-mentioned characteristics, among others, with regard to identity management and privacy issues. It only seems plain that many of the questions we’ve been discussing in the digital ID context get even more complicated when we move towards ubiquitous computing. (One final note in this context: I’m not sure whether we focused too much on mobile phones at this workshop – ID-relevant components of the mobile space such as RFID tags, for instance, have remained largely unaddressed – at least in the sessions I attended.)

Microsoft released a white paper entitled “The Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity.” The excellent paper, authored by Microsoft’s Internet Policy Council Ira Rubinstein and Tom Daemen, senior attorney with Microsoft, and posted on Kim Cameron’s blog, is a must-read for everyone interested in user-centric ID management systems. (Disclosure: As you can take from the acknowledgments, I have commented on a draft version of the paper, based on my earlier observations on “Identity 2.0”-like initiatives.)

Among my main concerns – check here for other problem areas – has been Microsoft’s claim that the i-card model is “by design” in compliance with the unambiguous and informed consent requirement as set forth, for instance, by EU data protection law. I’ve argued that the “hardwired”-argument (obviously a variation on the theme “regulation by code”) might be sound if one focuses on a particular relationship between one user and one identify provider and/or one relying party – as the white paper does. However, at the aggregated level, the i-card model’s complexity – i.e. the network of informational relationships between one user and multiple ID providers and relying parties – increases dramatically. If we were serious about the informed consent requirement, so my argument, one would wish that the user could anticipate not only the consequences of consent vis-à-vis one ID provider, but would understand he interplay among all the components of the ID-system. Even in less complex informational environments, experience has shown that the making available of various privacy policies can’t be the answer to this problem – as the white paper seems to acknowledge.

In this regard, I particularly sympathize with the white paper’s footnote 23. It might indeed be a starting point for an answer to what we might call the “transparency challenge” to create “a system enabling web sites to represent privacy policies in a simple, iconic fashion analogous to food labels. This would allow consumers to see at a glance how a site’s practices compared to those of other Web sites using a small number of universally accepted visual icons that were both secure against spoofing and verified by a trusted third party.” (p. 19, FN 23.) Such a system could become particularly effective if the icons – machine-readable analogous to creative commons labels – would be integrated in search results and monitored by “Neighborhood campaigns” similar, for instance, to Stopbadware.com.

Although Microsoft’s paper leaves some important issues unadressed, it seems plain to me that it takes the discussion on identity and privacy protections as code and policy an important step further – in a sensible and practical manner.

Today, the Boston Globe runs a story about a promising cross-industry project on user-centric identity that is directed by my colleague Dr. John Clippinger at the Berkman Center for Internet and Society, Harvard Law School. It has now become public that the Berkman Center together with an industry consortium of tech companies, including IBM Corp. and Novell Inc., is working on an open security project – code-named Higgins – aimed at creating code that gives users more control over their online identities. John is quoted as follows:

Recently, I commented on this blog on the merits of user-centric identity systems – sometimes referred to as Identity 2.0 – from a privacy perspective. After the discussions at the workshop mentioned in the previous post, I’m more convinced than ever that the approach taken by Clippinger et al – despite remaining challenges, which, BTW, were fully acknowledged by the leading technologists at the workshop – has the potential to solve some of the thorniest pivacy issues on the web.

I trust that we’ll get back to this issue before the June conference mentioned in the Globe. In any event, stay tuned.

Later today, I will be traveling “back home” to Cambridge, MA, where I will be attending an invitation only workshop on user centric identity and commerce hosted by the Berkman Center at Harvard Law School and organized by Berkman Fellow John Clippinger. In preparation for a panel on identity and privacy at this workshop, I have written a discussion paper. Here are the main points:

1. User-centric approaches to online identity management such as Identity 2.0 have several advantages compared to previous attempts—commonly referred to as Privacy Enhancing Technologies (PET)—aimed at regulating the flow of personal information through Code. Three achievements are particularly noteworthy: First, Identity 2.0-like approaches mirror the social phenomenon that privacy must be understood as an aggregation of an individual’s choices along a spectrum between the poles “complete anonymity” and “complete identification.” In other words, Identity 2.0 reflects, inter alia, the granular nature of offline privacy and replicates it at the design level of the digitally networked environment. Second, user profiles containing personal information (as elements of identity profiles) that have been created under the regime of previous PETs are often not “portable” across services and applications. Profiles based on concepts such as Identity 2.0, by contrast, are user-centric and, in that sense, universal in their use. Third, Identity 2.0 seeks to provide a set of profiles that enable an individual user to have parallel identities and make situative choices about the flow of personal data in the context of (commercial) interactions.

2. Consequently, user-centric identity systems have the potential to eliminate some of the basic weaknesses of previous incarnations of identity and privacy management technologies. From a privacy perspective, however, a series of important questions and problems remain to be addressed. First, it is striking that user-centric identity and privacy concepts like Identity 2.0 seek to restore an individual’s control over personal data through the medium “choice,” thereby following a property rights approach to privacy. The designers’ choice is remarkable because the majority of analyses suggest that the privacy crisis in cyberspace, by and large, is the product of extensive data collecting, processing, and aggregating practices by commercial entities vis-�-vis the individual user. In other words, Identity 2.0 concepts are regulating—via Code—the behavior of the sender of personal information (user) rather than targeting the source of the problem, i.e. the informational behavior of the recipients (commercial entities.) Viewed from that angle, the approach taken by Identity 2.0 is in tension with some of the basic principles of data protection, which seek to avoid the use of personal information by the recipient and to establish restrictive requirements on the collection, storage, and usage of personal data while leaving an individual user’s informational behavior unregulated. Although counterintuitive, a user-centric approach to identity and privacy management might therefore result in less user autonomy—understood as the freedom to communicate about oneself—when compared to a traditional data protection approach that aims to regulate the informational practices of the data collectors. This tension between identity architecture and fundamental data protection principles might become more explicit in jurisdictions outside of the U.S.

3. The second persistent challenge results from yet another design choice. Starting point is the observation that user-centric identity and privacy schemes are built upon what might be called the “consent approach,” an approach that ultimately suggests user’s choice as the solution to online identity and privacy problems. Indeed, the emerging generation of identity management and privacy enhancing technology aims to provide the tools to make (and express) choices. However, experiences with previous choice-based mechanisms and standards (like P3P) seem to suggest that the promise of this approach is fairly limited. Even the most sophisticated architecture cannot counter power asymmetries between individual users and the Amazons, eBays, Googles, etc. of this world. From such a pragmatic perspective, it remains doubtful to what extent real choices are available to the user. Or, as Herbert Burkert pointed out in the context of PET, “… the data subject is [usually] asked to choose between giving consent and losing advantages, privileges, rights, or benefits, some of which may be essential to the subject in a given situation.” Further, economic incentives which may motivate people to give away personal information in return for free services such as email accounts, content management sites, social networks, etc. might be particularly strong in the online environment and have a limiting effect on the freedom to choose, especially in situations where users (e.g. due to financial constraints) are forced to rely on such deals. Finally, the user acceptability of consent-based tools heavily depends on the ease-of-use of those instruments, as P3P and similar initiatives have illustrated. Given the number of stakeholders, interests, and standards involved, it remains to be seen whether the apparently complex web of identity providers, identity mechanisms, privacy profiles, etc. in fact will be manageable over one easy-to-use interface as has been envisioned by leading designers.

4. The observation that user-centric concepts such as Identity 2.0 contain many different interacting elements and relations—and, thus, add technological and social complexity to the Net—leads to the third conceptual challenge. Consent and choice in the privacy context means informed consent and choice, respectively. It has been observed with regard to much less complex designs of privacy enhancing technologies that data subjects “cannot know how much they should know without fully understanding the system and its interconnection with other systems.” (H. Burkert) In other words, informed consent by users requires transparency for users, but transparency usually decreases in complex and highly technical environments. Someone with a non-technical background who seeks to understand how the emerging protocols and governance models in the area of user-centric work and what the differences among them are will immediately recognize how difficult it will be to make truly informed choices among different identity providers and privacy management systems. The more individuals depend on complex user-centered technology in order to manage their online identities, the more desirable it seems from a policy perspective that users know about the underlying Code, the functionalities, and risks. So far, it remains unclear whether is a realistic scenario that someone will have access to this meta-information and will aggregate it for users.

5. The three challenges outlined above are not meant as argument against the Identity 2.0 concept. Rather, the remarks are intended as a cautionary note—we should resist the temptation to overestimate the promise of any user-centric and choice-based approaches in the context of privacy. In response to the above arguments, however, one might argue that the emerging user-centric approaches will not exclusively rely on Internet users who are educated enough (probably supported by some sort of “choice assistants”) to dynamically manage their multiple online identities and exchanges of personal information on the Net. Rather, according to this argument, identity and privacy policies developed and monitored by private parties would supplement the user-centric approach. Indeed, such a complementary approach addresses some of the concerns mentioned above. However, the experiences with self-regulation in the area of Internet privacy in the U.S. have been rather disillusioning as several studies demonstrate. Viewed from that angle, it does not seem entirely clear why a similar approach should work well in the context of an Identity 2.0 environment.

6. The previous question leads us to another emerging problem under an Identity 2.0-like environment. It is the question about the control of the information practices of the identity providers themselves. The control issue is a particularly important one because it seems inevitable that the emergence of identity providers will be associated with an increased degree of centralization where personal information in the online environment is managed for the purpose of identity building. Again, the common line of argument currently suggests that self-regulation in the form of peer-auditing and/or reputation systems is an adequate solution to the problem. However, once more a look back at the history of privacy regulation in cyberspace might trigger doubts as to whether an industry-controlled self-regulatory scheme will be adequately effective to ensure fair information practices on the part of identity providers as the new and important players of the future Internet. Against this backdrop, it seems advisable to consider alternatives and critically rethink the interaction between code and law and their respective contributions to an effective management of the identity and privacy challenges in cyberspace. This step may mark the beginning of a discussion on Identity 3.0.