December 16, 2003

Who's In The Room With You?

I've been in the business of hosting online meeting rooms ever since we at Delphi discovered in 1982 that communication generates more follow-on sessions than does information retrieval (Believe it or not, Delphi was originally called the Kussmaul Encyclopedia!)

In the mid eighties we provided a full-featured collaboration system (full-featured as long as you don't consider graphics to be a feature.) Most significantly, we could offer your professional group or other organization a fairly strong assurance of the identities of the people in your private space. You might have a foyer (Web site predecessor) open to the public, and different areas within your private space with fine-grained access controls and privilege controls.

People in the general Delphi "public" user base as well as the members of your private or semi-private group could of course use pseudonyms (screen names and other "nyms"). It was totally up to the user whether or not to disclose his or her real identity. But underlying it all was an understanding that the management did indeed have access to real identities. We had a means to take action when hostile, illegal or slanderous behavior was brought to our attention.

Furthermore, if your group's user agreement provided for it and you had reason to suspect an individual of using a false identity in order to spy or commit fraud, then we could disclose to you the identity of the person or organization that was responsible for paying the bill for that account.

Most group user agreements needed no such provision, because most groups represented what I call "bars," that is, hangouts for birds-of-a-feather. After all, who really cares if "catlover3" in reality detests felines and is just baiting the real cat lovers? It's just a bar, after all.

We cared very much, though, if an adult male showed up in the Preteen Chat purporting to be a seventh grader named Amanda. We may not have had a complete dossier on "Amanda" but we did know more than most groups operating a conference facility know today about the identities of their users. There was a trail, there was recourse.

Today one of the fastest growing categories in the IT solutions mix is Identity Management. Operators of VPNs and conference facilities and networks in general really want to know who has access to important information. But what's the point in being able to manage identities when the identities themselves are uncertain?

In the U.S. we have a new law and set of regulations mandating that physicians share information. So what is to prevent an investigator working for a plaintiff's lawyer from inventing a hospital credential and purporting to be a physician?

Of course whenever we talk about establishing authoritative identities we must at the same time ensure that they cannot be used to erode privacy; indeed, a well-designed identity credential should be an individual's main bulwark against misuse of his or her personal information. This is entirely doable. In future discussions we will show how strong identity credentials can be our main protection against invasion of privacy.

Posted on December 16, 2003 at 05:21 PM

TRACKBACK

TrackBack URL for this entry: