Privacy and the 7 Laws of Identity
In 2005, Kim Cameron penned “The Laws of Identity.” Digital identity is at the epicenter—and it’s worth remembering some tried and true lessons from the past.
In 2005, the late Kim Cameron penned “The Laws of Identity.” The paper explored how to give internet users a deep sense of safety, privacy, and certainty about their interactions online. With the proliferation of web-based services and applications, it was essential to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail. Nearly 20 years later, Cameron’s seven laws of identity are still applicable today.
Published shortly after the dot-com bust and the introduction of social media, this paper came at a point of inflection for the Internet. Today, with the promise of Web3, a metaverse, and adjusting to a largely virtual working world, we’re living through a similar shift in history. For both points in time, digital identity is at the epicenter—and it’s worth remembering some tried and true lessons from the past.
While it’s exciting to fast-forward to what’s in store for the identity space based on current events or new tools and technologies coming to market, what can be even more valuable is to look back to where it all started. This article will explore the 7 laws of identity and how enterprise IT leaders can apply them to their organizations today.
1. User Control and Consent
The first law states that “technical identity systems must only reveal information identifying a user with the user’s consent.” In practice, this means systems should be designed to put the user in control of what information is released, while keeping the experience convenient and simple and protecting the user from parties who would deceive them into releasing more than they intend. Whether user decisions are made on a case-by-case basis, or users have opted into an automatic policy, all of these components matter.
Let’s focus on the latter two tenets: convenience and simplicity. Nowhere is this more important than in an enterprise setting. If security measures prevent people from gaining access to systems and applications that enable them to carry out everyday job functions, your identity strategy has failed. With the amount of context switching that takes place in modern, digital business, it’s crucial that people can access what they need, when they need it, without jumping through hoops. Otherwise, you can guarantee they’ll find workarounds that compromise security or won’t be able to function efficiently—both of which hurt the bottom line.
2. Minimal Disclosure for a Constrained Use
The second law focuses on the best practice of using the “least identifying information.” This refers to the information least likely to identify a given individual across multiple contexts. For example, it’s far less risky for an organization to acquire and store an employee’s company ID number than their driver’s license or social security number, which can uniquely identify them and expose more information.
In a perfect world, no one would have access to information or data they didn’t need. But we don’t live in a perfect world, and unfortunately, granting and removing access in an enterprise organization can take hours to weeks. This means former employees, or in some cases disgruntled current employees, could retain access to customer information, trade secrets, and other highly sensitive data. Beyond collecting the least identifying information, enterprises should be sure they are granting and removing access in a timely way. Additionally, regular audits should be the norm to ensure protocols and safeguards are being met: for example, HIPAA requirements and HITRUST certification for healthcare-facing organizations.
3. Justifiable Parties
The third law states that systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in an identity relationship. In recent history, laws like GDPR and the CCPA have cracked down on third-party data sharing to protect consumers’ information. However, this is a bit more ambiguous in an enterprise environment, especially when considering most businesses work with public cloud providers, open-source solutions, or other SaaS applications that rely on your data to perform.
Weighing the precautions partners and service providers take when handling your organization’s data is of utmost importance, but managing multiple vendors and their data-handling practices is no easy undertaking. This is one of the reasons we’re seeing businesses move from many best-of-breed point solutions to platform solutions. For example, companies using ServiceNow have access to its suite of products and integrations, ranging from identity governance and GRC to chatbots and software asset management. Keeping data inside a single vetted platform, with familiar interfaces and integrations that don’t require handing data to yet another vendor, narrows the set of parties that ever see it, which is exactly what the third law asks for.
4. Directed Identity
The fourth law says a universal identity system must support both “omni-directional” identifiers, which public entities such as a company or a government agency publish so anyone can find and verify them, and “uni-directional” identifiers, which private individuals use with one relying party at a time. This distinction is a key component of self-sovereign identity (SSI), an approach that gives individuals control of their digital identities and how they establish trust. Enabling public discovery where necessary, it also prevents the correlation of private records across services, protecting personally identifiable information that a user may not want to share broadly.
Both enterprise and consumer organizations need to be vigilant about keeping digital identities secure. This is a big tenet of GDPR: putting power back in the hands of individuals, who ultimately get to decide how and by whom their data is used. This will be an important area of focus as the conversation around blockchain technology and Web3 persists.
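The second and fourth laws come together in how an identity provider mints the subject identifier it hands to each relying party and decides which attributes ride along with it. The example below is added here to illustrate both; it is not code from the article or from Kim Cameron’s paper. It assumes a constructed employee record, an assumed mapping from requested scopes to claims (modelled on the standard OpenID Connect scopes), and a hypothetical provider salt. The issuer URL plays the role of the omni-directional identifier: it is public and discoverable. The per-relying-party `sub` is uni-directional: a keyed hash over the relying party’s sector identifier and the user’s local account ID (OpenID Connect Core describes the same shape as a salted SHA-256), so two relying parties cannot correlate the same person, and only the claims the requested scopes unlock are released.

```python
import hashlib
import hmac

# Omni-directional identifier for the organization: public and discoverable.
ISSUER = "https://idp.example.com"  # assumed value

# Provider-side secret used to derive uni-directional subjects (assumed value).
IDP_SALT = b"constructed-idp-secret-salt"

# Constructed employee record for the example; not real data.
USER = {
    "local_id": "u-10482",
    "name": "Alex Example",
    "email": "alex@example.com",
    "employee_id": "E-77310",
    "department": "Finance",
    "ssn": "000-00-0000",  # deliberately unreachable by any scope below
}

# Assumed scope-to-claims mapping, modelled on the standard OIDC scopes.
SCOPE_CLAIMS = {
    "openid": [],
    "profile": ["name"],
    "email": ["email"],
    "employee": ["employee_id", "department"],
}


def pairwise_sub(sector_identifier: str, local_id: str, salt: bytes = IDP_SALT) -> str:
    """Uni-directional subject identifier for one relying party.

    HMAC-SHA-256 keyed with the provider salt over the RP's sector identifier
    and the user's local account ID. Stable for a given RP, unlinkable across
    RPs, and not reversible to the local account ID without the salt.
    """
    msg = f"{sector_identifier}\x00{local_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def release_claims(user: dict, scopes: list, sector_identifier: str) -> dict:
    """Build the claim set for one relying party under minimal disclosure.

    Only claims unlocked by the requested scopes are included; anything else
    in the directory record (here, the SSN) never leaves the provider.
    """
    if "openid" not in scopes:
        raise ValueError("the openid scope is required")
    unknown = set(scopes) - set(SCOPE_CLAIMS)
    if unknown:
        raise ValueError(f"unsupported scope(s): {sorted(unknown)}")

    claims = {
        "iss": ISSUER,
        "sub": pairwise_sub(sector_identifier, user["local_id"]),
    }
    for scope in scopes:
        for claim in SCOPE_CLAIMS[scope]:
            claims[claim] = user[claim]
    return claims


if __name__ == "__main__":
    # Two relying parties ask about the same person; the subjects differ.
    hr_claims = release_claims(USER, ["openid", "employee"], "hr.vendor.example")
    wiki_claims = release_claims(USER, ["openid", "email"], "wiki.vendor.example")
    print(hr_claims)
    print(wiki_claims)
    print("correlatable:", hr_claims["sub"] == wiki_claims["sub"])
```

Running the block prints two claim sets with different `sub` values for the same employee; neither contains the SSN, because no scope maps to it. The provider, not the relying party, decides the scope-to-claims table, which is where the “constrained use” of the second law is enforced.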
5. Pluralism of Operators and Technologies
Having one way to express identity would certainly be easy, but it’s not realistic. Rather, different identity systems must exist in a "Metasystem." This entails having simple, agreed-upon protocols with a unified user experience (UX) that allows individuals and organizations to select appropriate identity providers and features. Essentially, we must all play by the same rules, but how we get there is dependent on other factors.
For example, it may be appropriate to ask for a person’s social security number as an identifier when filling out government forms, but not on an e-commerce site. In a professional setting, the credentials used to prove that identity can range from a password, to a one-time code sent to someone’s mobile phone, to a physical token. The strength of the authentication should be proportional to the sensitivity of what the individual is trying to access. It shouldn’t be complicated, but it should vary by case.
6. Human Integration
Cameron uses the example of communication between a plane’s cockpit and the control tower to explain the law of human integration. In that environment, people know what to expect from the deliberately constrained language used, and as such can tell quickly when something has gone awry and address it immediately. Unfortunately, digital identity is not so cut and dried.
After all, this is why phishing continues to be one of the most common methods cybercriminals use. People believe they’re interacting with a trusted source, which is why so many breaches begin with a legitimate account being misused rather than with a technical exploit. These tactics have been used since the ’90s and are still working today. To protect identities, businesses must achieve highly reliable communication between a system and its human users, so that a user can tell a genuine login prompt from a counterfeit one, and must test those safeguards regularly.
7. Consistent Experience Across Contexts
The identity Metasystem must guarantee its users a simple, consistent experience while enabling the separation of contexts through multiple operators and technologies. Essentially what this means is that different relying parties will require different kinds of digital identities—and within that context, users will be able to decide what identity to use.
As mentioned in the fifth law, these identities and the credentials behind them draw from a range of commonly accepted options but will differ for public, personal, and professional use. In the enterprise, people will generally understand why certain safety measures are in place, but it’s the employer’s job to ensure that processes are streamlined and don’t hinder productivity. If there’s an expectation to follow identity protocols, they can’t be burdensome, or people will find workarounds that compromise your business’ safety.
The Laws of Identity are nothing new, but years later, still capture all the components we need to be thinking about when it comes to privacy and digital identity. These foundations are all about finding the balance between trust and usability, which has proven to be a challenge, still today. All business leaders should be questioning how they’re integrating identity into their workflow, and how they stack up when it comes to Cameron’s laws.
Published at DZone with permission of Jackson Shaw. See the original article here.
Opinions expressed by DZone contributors are their own.