Next week, SWIFT Innotribe will be hosting the European eID Interoperability Conference 2010.

It’s a great agenda with presentations by European experts on eID, and also some of the smartest SWIFT folks on identity. For example, we’ll have Jacques Hagelstein, our Chief Architect, and we’ll also run an Innotribe Lab on day-2. Check out and download the PDF agenda here.

Hosting this sort of events is an interesting win-win model, where we at SWIFT can share our great meeting and auditorium facilities and at the same time dove-tail with important topics that are relevant in our industry.

Acting like this beyond our traditional boundaries nicely fits The Medici Effect that i described in my previous post, although i am not sure we at SWIFT apply this principle always with full consciousness and intent. It does not matter, the key thing is that it just happens, and i feel confident that on this intersection of worlds some new ideas will emerge naturally.

Thinking through how we deal with company and personal identities in an on-line world, and being able to deliver this on a world-wide, predictable, resilient and secure way is one of the key value propositions of SWIFT in the financial services eco-system. SWIFT has the advantage – it’s a deliberate choice – that we are a community based venture, and a lot of services we offer adhere to standards and rulebooks that have been subscribed to by our membership. Even then, delivering this is not a sinecure.

But in this post, i’d like to take you on a journey beyond SWIFT’s ecosystem and edges, and look at what is happening in terms of identity and privacy outside our safe community walls.

My first contacts with privacy related matters date back to my Microsoft period, where I was quite involved in the Belgian eID project.

Microsoft saw Belgium as a good test ground to see what happens when a country rolls-out in a mandatory way 8 million electronic identity cards to its citizens, what applications get developed, and what needed to be done at the level of Windows, Office, MSN Chat, etc to support an identity card issued by a third party, in this case a government. At that time, I experienced the Belgian Privacy Commission more as a pain in the neck, limiting us in doing ‘”real cool things” with on-line identity. But they surely planted in my head the first seeds of some “culture” of privacy. It’s only now that i start to fully appreciate the importance of privacy, and the role of Privacy commissions and alike.

Now the Belgian eID cards are rolled out, we even look at a second and third generation, but the number of applications that are really leveraging the eID on a day-to-day basis are disappointingly low.

Already when the first eID cards got rolled out, it appeared to me that the card was already a dated old-fashioned way of dealing with identities. It does not make a difference whether we talk here about a smart-card, a USB token, or whatever other hardware device.

The point i am trying to make is that

the model of an identity “card”

does not match anymore

the online realities of today

The “card” is an artifact of the physical world, and we try – in vain – to squeeze all sort of on-line concepts into an off-line model.

The next occasion where I felt something was wrong with our model, was when i saw the demo of Intelius Date Checker. See also my post on “privacy is dead” for more details on this application. I was shocked that nobody in the audience made any reflection on the huge privacy issues at stake here. It must have been American culture ?

Then a couple of months ago, there was the famous debate launched by Mark Zuckerberg of Facebook, where he basically suggested to change the paradigm with 180°: in stead of considering "private” as the default setting of personal data and letting the user decide what data he releases to whom, he suggested “public” as the default setting, forcing to “un-public” data the user did not want to make public and keep private. See also ReadWriteWeb coverage here. Unfortunately for Zuckerberg, there was around the same period an article about a Facebook employee revealing how much privacy data they have access to by for example super-admin passwords and alike.

And even ex-colleague Paul Shetler took the pain to scream out his frustration on why public as a default really does not make sense.

It all makes me feel very uncomfortable how much i have to believe from Mark Zucherberg or Eric Schmidt when they are behaving like the white-knights of privacy.

It looks to me that

privacy is out-of-control

and that they would like to officialise the dead of privacy by declaring “public” as the new norm. It looks to me as privacy has become

too complex to fix it

Via Facebook, Google Buzz, Twitter, etc, etc, there is already too much data out there. Fixing this taking into account regional and country laws and regulations must be a real nightmare for the Facebooks and alike.

It’s an interesting debate what should be the default: privacy or publicy. And Stowe Boyd rightly adds the dimension of “sociality”. Because you release some info about yourself consciously (when participating on social media, your really want people to know about yourself and your preferences) or passively (by accepting blindly the privacy notices on Facebook and alike. Some related info on sociality here.

This aspect of passive privacy is really well explained by David Birch. He recently wrote a whitepaper: “who do you want to be today ?” and “Kissing Phones”. Check-out here. And just a couple of weeks ago, David wrote this fantastic post about Moving to Privacy 3.0

And the big boys are feeling the pressure. A couple of years ago the audience at the Gartner IT Symposium in Cannes was still having fun with “The Great Google Hack” scenario. This session was part of an “Unconventional Thinking” set of sessions with following disclaimer from Gartner: “This research doesn’t have the full Gartner seal of approval (we call them Mavericks internally).” Today this is not just a scenario but getting very real. I am just picking one of the thousands of articles that have been written on the Google China hack described as the privacy breach of the year.

Let’s throw in some additional dimensions, so that you as novice reader on this subject really start feeling the pain.

• What have you browsed ? Interesting reflections by Microsoft’s Chief Architect Identity on “browser fingerprints”. Btw, Kim is confirmed speaker at the eID Interoperability Conference next week.
• Where have you been, and how your iPhone becomes a spy-phone here and here
• What have you bought recently ? How you can let a service like Blippy stream your purchases online.
• Who have you slept with ? Given some’s willingness to post all their data online, and the rising casual nature of some behavior, this isn’t so far out of reach to be completely ridiculous.
• Add to this things like Facesence MIT, about mind-reading
• Bodyscanners about being “sniffed-out” by chemical noses.
• Did you take your pil and when. In essence about “body-surfing” and RFID like tracking inside your body.
• Please rob me, in essence about real-time location tracking

Some suggested solutions for all this go into the direction of

“gatekeepers”

Trusted entities that are the safe-harbor for keeping these personal data. Or even distributed models of “gatekeepers” certification.

The recent announcement at the March 2010 RSA Conference of the Open Identity Exchange (OIX) goes in this direction. Please note that this initiative is backed by industry leaders Google, PayPal,Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton.

However, I don’t think it will work, and i am not alone, although from a different perspective (see below on PETs). I think it won’t work, because in the open online world, it will not be acceptable that somebody or some company sits in the middle of all this identity hocus-pocus, and controls our world. The internet has just become way too distributed to accept this sort of models. Maybe this works in a closed community (vertical or other) where users subscribe to a common set of standards and rules), but not on the open internet.

One possible route are PETs (privacy enhancing technologies).  For example, Stephan Engberg, one of the speakers at the European Commission’s December 2009 workshop talks about security (and privacy) “in context” and seems to be a big advocate of PETs. Check-out an interesting debate here.

The word “context” is very important here.

To come back to the beginning of this blog post, i believe we have to change the old eID model to a model where we acknowledge that the personal data are highly distributed on the net today and are dealt with “in context”.

Personal data sits everywhere, and you really can start imagining “data weavers” or “identity weavers” that combine these individual sets of personal data into new sets of relevant information, based on the context of usage.

The concept of data-weavers was already introduced in my guest blog “Digital Identity Weavers” by Gary Thompson from CLOUD, Inc.

I repeat myself by saying that this CLOUD vision goes way beyond the web of pages, goes way beyond the early thinking on Semantic Web. It is in essence proposing an identity architecture for the Internet. Because the internet is broken. It was never designed with identity in mind.

Its about user control of personal data.

It’s about context awareness.

It’s about who i am, how i am, and

what i do and intend to do in an on-line world.

But we all have problems in imagining how such standard and supporting system might work.

How it would look like ?

And then suddenly last night the pieces seemed to fall together. What if we start thinking about this in a way similar to “Information Right Management” (probably called something else today), something that Microsoft built as a feature in Microsoft Office, and basically put the user in control of what somebody could do with his documents. Mind you, this is about “USAGE” rights, not access-rights.

In Microsoft Office this was visualized by the “do not pass” sign.

By clicking on that icon, you – as the user – can control whether somebody can cut-and-paste from your document, whether they can print it, forward it, etc.

We need a standard that makes it possible to control/manage the usage-rights of the different pieces of our personal data that are distributed over the internet. And then we need to let play the competition on how this standard gets implemented in our day-to-day tools. Maybe by a clickable icon, maybe something else. Would be great to let Heads of User Experiences have a go at this.

But maybe it is too late. Maybe there is already so much data out there, that there is no way to 1) find where they are and 2) give back the control to the user/owner of the data. The breach already happened.

To conclude, get inspired by this NYT article “Redrawing the Route to Online Privacy”

So if the current model is broken, how can it be fixed? There are two broad answers: rules and tools.

“Getting this balance right is critical to the future of the Web, to foster innovation and economic growth,” Mr. Weitzner said.

Whatever the future of regulation, better digital tools are needed. Enhancing online privacy is a daunting research challenge that involves not only computing, but also human behavior and perception. So researchers nationwide are tackling the issue in new ways.

At Carnegie Mellon University, a group is working on what it calls “privacy nudges.” This approach taps computer science techniques like machine learning, natural language processing and text analysis, as well as disciplines like behavioral economics.

How would all this be relevant for our financial services industry ? One example would be to apply semantic web technologies to Corporate Actions. For folks at SWIFT it’s pretty obvious that we can apply our semantic knowledge to the data in the “messages” that are exchanged between parties of Corporate Actions.

What seems less obvious is to apply the same semantic tagging techniques to the personal data and attributes of the persons who participate in a Corporate Action transaction.

In essence this is about applying the CLOUD concepts. It’s about setting new standards and rules in this space. And are standards not one of the cornerstones of SWIFT.

It would be great to build an innovation prototype to educate our community on the power of semantic web.

I call this the “Identity Rights System 3.0”

UPDATE: apparently the subject is red-hot at SXSW in Austin this week. Check out Danah Boyd at SXSW “Privacy is not dead”