A closer look at an identity authentication model

Privacy concerns have been voiced loud and clear by individuals, governments, and organizations across the globe. 

The Internet has given us great tools for finding the people and places we need, but at what cost to our privacy?  Is it hypocritical to question the sites which deliver the information we request?  Or maybe those sites have not acted responsibly?   

When it comes to unauthorized sharing of personal information, I suppose it doesn’t matter how innocent the intentions may be.  What matters most is that the information being shared is #1: authorized, and #2: authenticated.   

The government, and a growing number of concerned citizens, believe an identity authentication model should be developed to set standards for handling personal information online.  For example, the online socialization magnet, Facebook now allows users to access their healthcare records with their Facebook account.  This sort of expansion raises red flags for me and many others who feel this social mothership has gone too far off course.   

The purpose of an identity authentication model is to validate personally identifying information using a secure process, with user consent.  Sites like Google and Twitter have already been penalized by the FTC for unauthorized release of user attributes to the public, like user’s names, gender, and location.  Facebook is no exception; the company is currently dealing with the FTC over a complaint filed by a group of concerned users.   

People are right to question the privacy practices of any company they share personal information with; that is why healthcare providers and credit card companies are required to disclose their privacy policies with consumers.  At the very least, why not require the same process for online sites where personal information is shared.  As a user, if you are giving up your name, birth date, address, phone number, and/or social security number, a mental red flag should remind you to check the site’s privacy practices before giving your consent.   

I’d like to see an identity authentication model that starts with a mandate of privacy policy disclosures across the board.  When a user provides personal and potentially private information, they agree to the policy before the information is stored in a database; however, how many of us would actually read those privacy notes?  If you’re like me, I immediately toss any privacy notice I get in the trash because I assume the wording meets an acceptable, industry standard.   

The problem with Facebook, Twitter, Google, and the like, is that there is no “acceptable, industry standard” for privacy practices.  If such a standard did exist as an integral part of an identity authentication model, users would get familiar with the wording and ultimately come to accept it as an industry standard.  Of course, not everyone will be happy with the standard and those folks can opt out of participating or using the service further.  On the other hand, an in-your-face sort of privacy acknowledgement may remind users of the potential consequences associated with sharing certain types of content online and deter inappropriate use of social media.   

The second component of an identity authentication model is the validation process itself.  Recent developments from OpenID Connect and OAuth 2.0 (open authentication) have shown promising results by enabling users to control their personal data directly.  Another service known as “Street Identity” has been introduced by a group of companies including Google and Verizon.  This concept builds on OpenID’s and OAuth’s developments to aggregate and distribute authenticated user data with user consent. 

Together, these concepts may be the foundation for a real-world identity authentication model, but more analysis is needed.    Development of an identity authentication model will inevitably create a market where identities are being bought and sold, in a sense.  Companies will pay others to have access to the authenticated attributes for its users. 

As crazy as that sounds, it will solve a lot of problems by streamlining the identity authentication process worldwide.  Your information will be guarded by you and shared by one reliable company that meets an acceptable, industry standard for handling your personal data.