Johannes Ernst’s Blog

BBB: Identity Theft Worse Off-line Than On-Line

Better Business Bureau and Javelin Strategy & Research have released a study that indicates

…that despite growing fears about identity theft and online fraud, of the victims that know the identity and method used by the criminal, these crimes are more frequently committed offline than online. Internet-related fraud problems are actually less severe, less costly and not as widespread as previously thought.

However, they still put the annual dollar volume of identity fraud in the US at 52.6 billion dollars.

Kim’s 6th Law

Absolutely, any broadly useful digital identity system must include people as essential parts. In that respect, the 6th law is absolutely essential.

Where I’m getting confused is in the long explanation leading to the 6th law in Kim’s post. For example, when he says:

What is to prevent a piece of code running on your machine from overwriting the DNS name and throwing up a fake lock icon - so you are convinced you are visiting one secure site when you are actually visiting another insecure one?

While that is definitely an attack that’s going to happen (Pip Coburn writes on AlwaysOn today about the 611 viruses he found on his wife’s tablet), I would think that once an essential communications endpoint in any system has been broken into and taken over, all bets are off. Kim is certainly not suggesting that digital identity systems must also solve the virus-on-Windows problem?

But if we take the break-in aspects of the issue away, what seems to remain of the 6th law is that we need a "language" (words, symbols, pictures, animations, whatever …) that enables the technical components of an identity system to communicate with the human in such a way that the average user can easily and unambiguously understand the identity-related information and operations offered by a computer screen.

Great idea! Any human-interface researchers out there looking for a worthwhile new project?

P.S. LID’s architecture should very much facilitate this as every user, at least in principle, can run their very own version of such human-machine interface software. That would allow a hacker to see raw certificates, while it may show a 10-yr-old cartoon animations. And technophobes can run minimalistic software installed by their 12-yr-olds, but all speaking the same protocol. Catalyzing decentralized innovation will probably be one of LID’s most valuable contributions to the digital identity universe in the long term.

The UK Ideal Government Project and Digital Identities

William Heath writes about the ongoing universal identity debate in the UK in response to a few blog posts, including mine, on the George Mason University identity break-in:

The sickening logic is that these ill-conceived university ID systems make appealing targets for identity thieves, and that a compulsory UK ID system will be far more appealing still.

I guess if government was on the leading edge rather than the trailing edge of technology innovation, they would design a digital identity system whose #1 requirement was "resilient in the face of digital identity attacks". When designing a new identity system, one has the luxury of prioritizing requirements in that way, and there is little excuse not to do this in this year 2005.

As Kim Cameron points out when discussing his newly published 6th law, the inevitable side-effect of the increasing importance of digital identities is ever-more sophisticated identity attacks. Identity attacks are a growth business, no question.

Just imagine if a for-profit hacker — or worse, a hostile government or non-state actor — hacked into a digital identity database containing rich identity information about virtually everybody in a country. And unless an identity system is designed to be resilient from day one, it is going to happen with a likelihood of 1. The only question is when it is going to happen, and whether we are even going to know once it has happened. Stuff for a Tom Clancy novel?

Kim Cameron update

Kim Cameron writes:

In the last few days, an amazing number of people have written asking me to comment on LID.

Being one of the people who came up with LID, I’m quite happy about that. We’ve been getting a tremendous response, for sure.

LID and Kim Cameron’s Laws of Identity

I was asked how exactly LID™ relates to Kim Cameron’s Laws of Identity that have been getting a lot of buzz recently. Here are my thoughts:

The Law of Control

Technical identity systems MUST only reveal information identifying a user with the user’s consent.

LID only reveals information that has been specifically declared, by the LID URL owner, to be either public, or available to a particular client (who may be another person or a website).

Further, LID gives the user the ability to track which information has been retrieved when by a given site or user, and of course the ability to return different information to different users even if they ask for the same (e.g. cell phone number for a limited set of users, work voice mail for everybody else).

Ergo: LID fully supports this.

The Law of Minimal Disclosure

The solution which discloses the least identifying information is the most stable, long-term solution.

First of all, many LID use cases only require the exchange of a LID URL (which may be a LID pseudonym that cannot be correlated to any other LID URL).

If a scenario requires additional information about the user (Kim’s/Eric’s music preferences example), the site can make a fine-grained query using the LID xpath= expression. The information behind that expression can be secured on a data element-level, leading to the exchange of the smallest amount of information that makes the scenario work.

Ergo: LID fully supports this.
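The behaviour described under the Law of Control and the Law of Minimal Disclosure (per-element release decisions, different answers to different requesters for the same query, and a record of who retrieved what) can be modelled as follows. This is an added example, not LID's protocol or code: the `acl` attribute, the `ProfileEndpoint` class, the sample profile and the requester URLs are all assumptions made for illustration, and Python's ElementTree path subset stands in for the xpath= expression.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample profile. The "acl" attribute is an assumption of this
# example: "public", or a space-separated list of authenticated requester URLs.
PROFILE_XML = """<profile>
  <name acl="public">Alice Example</name>
  <phone type="work" acl="public">+1-555-0100</phone>
  <phone type="cell" acl="https://bob.example/ https://carol.example/">+1-555-0199</phone>
  <music acl="https://shop.example/"><genre>jazz</genre></music>
</profile>"""


class ProfileEndpoint:
    """Toy identity endpoint: element-level release decisions plus an audit trail."""

    def __init__(self, xml_text):
        self.root = ET.fromstring(xml_text)
        # ElementTree has no parent pointers; build a map so ACLs can be inherited.
        self.parent = {child: p for p in self.root.iter() for child in p}
        self.audit_log = []

    def _effective_acl(self, el):
        # Nearest ancestor-or-self "acl" wins; no acl anywhere means deny.
        while el is not None:
            if "acl" in el.attrib:
                return el.attrib["acl"].split()
            el = self.parent.get(el)
        return []

    def query(self, path, requester=None):
        """Return (tag, text) for matched elements the requester may see.

        `requester` is assumed to be authenticated already; None is anonymous.
        """
        try:
            matches = self.root.findall(path)
        except SyntaxError:          # malformed path: release nothing
            matches = []
        released = []
        for el in matches:
            acl = self._effective_acl(el)
            # The check is on each matched element, so the path itself is
            # never trusted as an access boundary.
            if "public" in acl or (requester is not None and requester in acl):
                released.append((el.tag, (el.text or "").strip()))
        when = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((when, requester, path, [t for t, _ in released]))
        return released
```

Every query is logged, including those that release nothing, so the owner can see refused or over-broad requests as well as successful ones.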

The Law of Fewest Parties

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

LID does not introduce or require any middlemen of any sort; identity owners interact directly with others (people, sites, …) that require the identifying information.

Ergo: LID fully supports this.

The Law of Directed Identity

A universal identity system MUST support both "omnidirectional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

[I'm not sure the last word has been spoken on the way this particular law is phrased. What the law intends to convey, however, is of course correct.]

LID supports pseudonyms that cannot be correlated to other LID URLs owned by the same owner. The word "cannot" here really means "cannot" as the identity owner may operate entirely different LID URLs through different sites and/or service providers that have no knowledge of each other. Even where multiple LID URLs of the same owner are operated by the same service provider, it would be very difficult and require a security breach to correlate those LID URLs.

Ergo: LID fully supports this.

The Law of Pluralism

A universal identity system MUST channel and enable the interworking of multiple identity technologies run by multiple identity providers.

It’s difficult to judge whether any identity system, LID included, meets this requirement. Kim gives RSS as an example that could easily be supported by many different systems.

If so, LID very clearly can be supported by many different identity system implementations as it only requires agreement on a very small set of simple HTTP requests. Most certainly, LID can be implemented in many different ways, and we ourselves have two entirely different implementations.

So I feel comfortable to say that LID supports this law.

Interestingly enough, LID was designed quite some time before Kim published his laws, and we have not made any adjustments in our implementation to conform to the principles he sets out. I think that makes the Laws a good validation point for LID, and LID a good validation point for the Laws … it also proves that not only are the Laws desirable, but that they indeed can be implemented, which I’m not sure has been proven before.