In one week, the average person living in Britain has 3,254 pieces of personal information stored about him or her, most of which is kept in databases for years and in some cases indefinitely.

We know it’s not just Big Brother but is really the 10,000 Little Brothers that are collecting the data. We also know they’re collecting way beyond what’s actually needed to complete any specific transaction. According to Matt Flynn, 89% of data leakage incidents in 2007 went unreported. While there’s a mismatch in years, I don’t think it alters the big picture: corporations treat personal datalike a big slushy resource with no regard for the individuals behind it. Moreover, I don’t think this practice or attitude has changed since this time. Facebook is a prime example of this corporate hubris.

There’s a short and informative post on Information Answers about the Trust Index Outputs that proposes a set of questions to help score trustworthiness on 12 topic areas. The specific questions that lead to the scores on each topic aren’t included, but I like the 12 areas:

1. Overall Approach
2. Data Collection
3. Data Use
4. Minimum Data Capture
5. Data Accuracy
6. Data Retention
7. Subject Access
8. Data Security
9. Data Sharing
10. Liability
11. Data Breaches
12. Adding Value

A set of metrics like this would go a long way toward recognizing and connecting with potential (and currently wasted) value in the information marketplace.

Coaching moment: As a person, I’d love to have some way of measuring the information sharing practices of companies I do business with. I’d love to know that someone was being held accountable for doing things in a measurable, trustworthy manner. As a company, I’d love to have the opportunity to show my value AND ensure cost-saving and efficient ways of keeping the data accurate and appropriate to my specific needs. Such a proposal as this Trust Index helps point to how we can make this happen. If you’re reading this as an individual, would you like to see such a thing? If you’re a company, what are your concerns?

More »

Related posts:

1. PII 2011: Personal Identity Management
2. The secret life of your personal data
3. Trust, Culture, Chaos, and the Market

Awareness

The first subject in talking about security is awareness. We need to be aware, for example, that we are not always safe in the world (online and offline). When we are online, most people are aware that there are certain dangers such as viruses, phishing, and spam that threaten our safety (personal, financial, or data). Once we know that problems exist, we are more likely to learn about and take steps to avoid danger and keep ourselves safe and secure.

Authentication

Authentication is the process of verifying that you are the real you. Your friend may authenticate you to other friends by saying something like “this is my friend Chris” (or whatever your name is). You may prove that you’re who you are to a business entity by answering questions that only you would know the answer to. You are usually being authentic when you speak honestly, from your perspective, to someone you love.

Authorization

When you are authorized, you have access to a computer system. Verifying users of your computer, or your work’s computer, or any storage systems or online accounts, can help you track the activity in files and resources. An unauthorized user can be prevented from gaining access to your information. Authorization is the process of assigning permission to use certain files and resources.

Access Control

Setting permissions on files, directories, accounts, or computers can establish limits to these resources. You may wish to be the only person that read and update your personal finances, for example. This is referred to as individual read-write access (only the owner of the file can read or update). At work, your group may have access to read and maybe edit a collaborative document. Most of the web pages offer global read-only access. Individual, group, or global access can be set to allow reading, editing, and/or other permissions.

Auditing

As individual computer users, we don’t often think about the clues that we can use to track where we’ve been and what we’ve been doing. However, whenever we visit a web site, the site’s server automatically keeps a record of things like our domain name or IP #, the time and date of our request, the page or file requested, a code indicating success or error, the number of bytes transferred, and more. As the visitor, we don’t have such tracking tools (and in many cases, don’t need them). However, as our habits and travels on the Internet are increasingly scrutinized by the sites we visit, we have a stronger case for understanding what is being compiled about us.

Coaching moment: In reality, these five A’s are somewhat intertwined. For example, it doesn’t make sense to have Authentication without Authorization. Access control doesn’t happen without Authentication and Authorization, and none of these make sense without Awareness.

What does this have to do with digital identity? These are the pieces that make up our digital records, including who we are and what we’re allowed to do. Sometimes we have control over these decisions, and sometimes control is in the hands of others. It depends on the context of where we are and what we need.

More »

Related posts:

1. Identity as Revealed