Monday, May 09, 2005

Assertion trails in the identity net

In my post on Online-Offline Information Brokers, I explored a scenario for the integration of pseudonymous presence (of a particular, unique human being) across identity net services, which in turn could facilitate the emergence of distributed reputation mechanisms.

The flip-side of even pseudonymous presence integration, though, is the possibility that information (the user's real name and address, for example) disclosed by a user to just one service could be passed on by that service to another service within the user's "pseudonymous presence integration ring" without the user's authorisation. A single such disclosure could completely undermine the user's pseudonymity, and hence their privacy, both within and beyond the identity net.

One mechanism that could discourage this kind of unauthorised disclosure is what I will call an "assertion trail". For simplicity (it's still pretty involved stuff I'm afraid, but do bear with me!), the explanation below follows a pseudonymous User X of identity net Service A.

If Service A were to store, along with each piece of information it holds about User X (that is, each assertion about User X that it accepts), a reference to the provenance of that information, User X would be able to hold Service A, and the third-party services* from whom Service A accepts assertions about User X, accountable for their handling of such information:

1) User X can require Service A to show that a certain Service B, from whom it accepted assertions about User X, itself asserted that it (Service B) had User X's permission to make the transaction;

2) User X can require Service B to show that User X gave it (Service B) permission to make assertions on his behalf to Service A in the first place.

In this way, if User X discovers unauthorised assertions about his pseudonymous presence in an identity net service within his "integration ring", he is able to pinpoint exactly where the breach of trust occurred and take appropriate action—either by simply giving the guilty service negative feedback, which in turn will impact on their reputation within the identity net, or possibly even by taking legal action against the service.
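To make the two questions above concrete, here is an added example (not code from the original post) of how an assertion trail could be stored and audited. Everything in it is an assumption for illustration: the Grant, Assertion and Record structures, the use of Ed25519 signatures over a JSON encoding, the Audit function, and the constructed scenario in which Service B holds a grant from User X for one attribute, Service C holds none, and Service A is the target that stores the records.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Grant: User X's signed permission for one service (Grantee) to disclose
// one attribute about X to one other service (Target). Hypothetical format.
type Grant struct {
	Subject, Grantee, Target, Attr string
}

// Assertion: what Issuer tells Target about Subject. Hypothetical format.
type Assertion struct {
	Subject, Issuer, Target, Attr, Value string
}

// Record: what Service A stores. The assertion never sits alone; it carries
// the issuer's signature and the grant that licenses it. That is the trail.
type Record struct {
	Assertion Assertion
	IssuerSig []byte
	Grant     *Grant // nil if the issuer supplied none
	GrantSig  []byte
}

// Keyring maps a named service or user to its public key.
type Keyring map[string]ed25519.PublicKey

func sign(priv ed25519.PrivateKey, v interface{}) []byte {
	b, _ := json.Marshal(v) // struct field order is fixed, so the encoding is stable
	return ed25519.Sign(priv, b)
}

func verify(pub ed25519.PublicKey, v interface{}, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize { // unknown party: nothing to verify against
		return false
	}
	b, _ := json.Marshal(v)
	return ed25519.Verify(pub, b, sig)
}

// Audit answers the post's two questions for one stored record. It returns
// whether the trail holds and, if not, which service broke it.
func Audit(r Record, keys Keyring) (ok bool, culprit string) {
	a := r.Assertion
	// (1) A must show that the named issuer really made this assertion to it.
	if !verify(keys[a.Issuer], a, r.IssuerSig) {
		return false, a.Target // A stored something it cannot attribute: A's fault
	}
	// (2) The issuer must show X's permission for exactly this disclosure.
	if r.Grant == nil || !verify(keys[a.Subject], *r.Grant, r.GrantSig) {
		return false, a.Issuer
	}
	g := r.Grant
	if g.Subject != a.Subject || g.Grantee != a.Issuer || g.Target != a.Target || g.Attr != a.Attr {
		return false, a.Issuer // has a grant, but not one covering this disclosure
	}
	return true, ""
}

// BuildScenario constructs keys for X, A, B and C and three records as A
// would store them: one licensed, one from C with no grant at all, and one
// from B disclosing an attribute X never permitted. All data is constructed.
func BuildScenario() (Keyring, []Record) {
	priv := map[string]ed25519.PrivateKey{}
	keys := Keyring{}
	for _, n := range []string{"X", "A", "B", "C"} {
		pub, pr, _ := ed25519.GenerateKey(rand.Reader)
		priv[n], keys[n] = pr, pub
	}
	g := Grant{"X", "B", "A", "email"}
	gSig := sign(priv["X"], g)

	licensed := Assertion{"X", "B", "A", "email", "x@example.org"}
	noGrant := Assertion{"X", "C", "A", "postal-address", "1 Example St"}
	outOfScope := Assertion{"X", "B", "A", "real-name", "Xavier Example"}

	return keys, []Record{
		{licensed, sign(priv["B"], licensed), &g, gSig},
		{noGrant, sign(priv["C"], noGrant), nil, nil},
		{outOfScope, sign(priv["B"], outOfScope), &g, gSig},
	}
}

func main() {
	keys, recs := BuildScenario()
	for _, r := range recs {
		ok, who := Audit(r, keys)
		fmt.Printf("%-14s ok=%-5v culprit=%q\n", r.Assertion.Attr, ok, who)
	}
}
```

Two design points are worth noting. The grant is scoped to one grantee, one target and one attribute, so a service holding a legitimate grant for one disclosure cannot reuse it for another; and an assertion whose issuer signature does not verify is charged to the storing service, since it is the one that accepted data it cannot attribute. The trail does not stop a rogue service from disclosing data; it only makes the disclosure attributable, which is exactly the limit the next paragraph raises.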

But what would prevent an identity net service from leaking assertions about User X outside the identity net? Or from storing those assertions secretly in order to better target User X with their service? It is hard to imagine how such a rogue organisation would be prevented by purely technical means** from subverting the system in these ways.

It would seem, then, that if the alluring promise of pseudonymous presence integration is to be realised, we must look beyond purely technical solutions and additionally consider legislative approaches that could enforce compliance with key standards for data privacy and concomitant organisational transparency. Such legislation might make it a legal requirement for organisations that store assertions about people:

1) To append to each stored assertion about a person a reference to the provenance of that assertion, even if the person is only referred to pseudonymously.

2) To make each stored assertion about a person available to that person for inspection.

3) To disclose the stored assertions about a person only in accordance with the express wishes of that person.

Law is not my area, so I can't really comment on the extent to which the European Data Protection Act, for example, already covers (3); I know that in the US, at least, (2) is already in effect, but our British Freedom of Information Act has been rather watered down and delayed. In any case, if these three legislative elements were all to be put in place, along with the distributed technical architecture we are discussing, I feel we would have a great chance of making the tantalising dream of an integrated yet distributed identity net a tangible reality.



*Interestingly, it seems that for pseudonymous presence integration to be viable, the network nodes directly involved in transacting assertions about those pseudonymous identities would themselves have to be named (or have an "omni-directional identifier", in Kim Cameron's terms) if our User X is to be able to hold them legally accountable for their actions.

**I am assuming, as current trends in thinking on digital identity would indicate, that the identity net will not be governed by any one centralised organisation but rather will be made up of a decentralised and emergent patchwork of organisations and technologies.

1 Comments:

At 1:00 PM, Anonymous Robin Wilton said...

I think you should bounce this idea off Tom Gordon (of alienpants), if you haven't already. He's got some very interesting ideas about 'transient ID'...
