Kim Cameron remembered via his 7 Laws for Identity
Friends of the late computer scientist Kim Cameron took the opportunity of gathering at the KuppingerCole European Identity & Cloud Conference (EIC 2022) to remember Cameron, his life and his contribution to digital identity and beyond via his 7 Laws of Identity.
Published in 2005, the laws have proved highly influential for companies, networks and individuals in tackling what Cameron saw as the fundamental issue for online identity: “The Internet was not built with an Identity layer.”
Seven of his friends and former colleagues and peers remembered Cameron through his seven laws in a special EIC 2022 session. Here are the 7 Laws as summarized by Kim Cameron in his 2005 paper, and the remarks of those remembering him through them.
Law 1: User control and consent
Technical identity systems must only reveal information identifying a user with the user’s consent
Doc Searls of Customer Commons revealed that while Cameron’s work influenced the later movement, the man himself did not like the term ‘Self-Sovereign Identity.’ When Cameron was formulating his laws, “it was in a world where companies needed to work with each other more than” individuals did, but he made this “right-side up” in his 2019 paper. Searls said that his understanding of Law 1 was that consent should be on the terms of the user, not dictated to the user to agree with or decline.
Law 2: Minimum disclosure for a constrained use
The solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution
Joni Brennan, President of the Digital ID & Authentication Council of Canada (DIACC), explained Law 2 with a memory of visiting the Light Museum with Cameron (and Eve Maler, see below).
“The beauty of [the Light Museum] was how the light was shown and where it wasn’t. It was that disclosure if you will, of that light and where it wasn’t disclosed that made the art that we were paying attention to. If you had too much light the art wouldn’t be there and the experience wouldn’t be there.
“So I think data can be thought about in an artful way, as that light, and if we have too much data that’s shared and not minimized, we lose the delicateness of that transaction.”
Brennan believes Cameron brought that way of looking at things to data. “Truly an artist,” she said Cameron “looked at tech as a delicate art.”
Law 3: Justifiable Parties
Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship
“If these laws had been obeyed in 2005,” said Doc Searls, standing in for Joyce Searls, “we wouldn’t be in the pickle with privacy we have.”
It is the “grace of civilization,” according to Searls, that we do not go around constantly parading our identities in the physical world. But it is different online, where data is harvested, leading to what he called the Great Age of Marketing in the 2010s, which turned toxic and resulted in legislation such as GDPR and CCPA.
“If companies would have had the Kim Cameron-like manners not to pry into our private lives” we would all be better off, more trusting of companies and each other, said Searls.
Law 4: Directed Identity
A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles
OpenID Foundation board member Don Thibeau saw this law as highly consequential for the subsequent development of digital identity and efforts to prevent tracking and surveillance via paralysed identifiers.
Law 4 was incorporated into GDPR and foresaw an era of SSI, said Thibeau, who saw Cameron as a consequential man, of consequential work, who took action on his beliefs: “For many of us, Kim was consequential, Kim was a mentor.”
Thibeau took the opportunity to announce the Kim Cameron Scholarship to a large audience.
Law 5: Pluralism of Operators and Technologies
A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers
Eve Maler, ForgeRock CTO, said Kim was prescient in his nod to the power of standards, for identity and individual autonomy.
For Maler, Law 5 has hidden depths and much of her life – professional and private – has been lived by it. She formed her friendship with Cameron while working at Sun, the rival of Cameron’s Microsoft.
“In pluralism, Kim grasped a particularly sticky nettle,” said Maler and described Kim’s influence in a world that witnesses a “pendulum swing between centralized and decentralized.”
Law 6: Human Integration
The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks
“Kim was always about the people,” said Mike Jones, a standards architect at Microsoft. Jones called Cameron a visionary who recognised potential in people and became their mentor.
Jones himself is paying this care forward by mentoring others and said he is “still motivated by his quest to build the internet’s missing identity layer.”
Law 7: Consistent Experience Across Contexts
The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies
Clear Skye’s Jackson Shaw, who hosted the panel, provided heartfelt recollections of Kim, who registered so many patents while at Microsoft that his office had a brick wall made up of the patent plaques that the firm awarded to its employees. Shaw even saw Cameron write RFCs on cocktail napkins.
For Law 7, Cameron was already aware of how life online would mean people would be wearing different hats in different contexts. Shaw’s understanding of Law 7 is for “us to have control of all the contexts and present [our multiple identities] how we want.”
More memories of Kim Cameron have been gathered along with details of a new scholarship established in his name.