In America, who’s watching the watchers?
The initiation of a joint ANSI and Better Business Bureau effort to establish guidelines or standards to prevent identity theft, the Identity Theft Prevention and Identity Management Standards Panel (IDSP), appears to represent another case of business protecting itself. On the surface, the list of participants (TransUnion, ANSI, BBB, AT&T, ChoicePoint, Citi, Dell Inc., Intersections Inc., Microsoft, Staples, Inc., and Visa U.S.A.) does not include anyone who could be viewed as a consumer advocate, and this could be the fly in the ointment. To achieve a sense of privacy, the individual in question needs appropriate control of his or her associated identity information. So long as businesses view identity information as their own information assets, privacy is a pipe dream. Businesses, and government, need to change their perspective from one of owners to one of stewards of personally identifiable information (PII). This corresponds to Bob Blakley’s 2006 Catalyst presentation and Mike Neuenschwander’s recent post about the Law of Relational Symmetry, where, ideally, the balance of control is effectively shared.
The issue hitting home is one that a friend of mine recently discovered. He was surprised to learn how much PII is actually available online. He expressed his dismay to all of his friends and asserted how he’d take this issue to his congressman. My response was: “Too late, you have no right to privacy in this country.” The information is out there and freely available, or available (like Social Security Numbers) for a fee. Going to Congress may get traction, perhaps for the wrong reasons. Like business, government is in the business of collecting and leveraging this information for its own purposes, not protecting it from misappropriation and misuse.
Today, the strength of control over information is not in the hands of the individual; it is in the hands of the aggregator. What constitutes value in the relationships of identities with business and government is in their interaction. A secondary, fairly invisible market exists in the management, analysis, exchange and sale of identity information. Privacy policies have been highlighted to protect consumers in web-based transactions, but this is the tip of the iceberg in terms of the overall identity information market, which falls under the auspices of a patchwork of regulations, if at all.
The issue to individuals is the unintended and unapproved use of PII. The pendulum of control needs to swing in their direction. The challenge is organization. There are few (if any) advocates for individuals with the power or funds to effect change. Even with the Health Insurance Portability and Accountability Act (HIPAA), the real benefits are to the health care and insurance providers, not necessarily the patients it nominally protects. Individuals also don’t see the lack of control as something to lose sleep over, until something annoying or catastrophic occurs, at which point the burden of recovery lands squarely in their lap. It is then that they realize that the treatment and handling of identity information, like weapons, needs to be controlled, and that they need to be an active participant, if not the key controller in the process.
Identity information can be measured as a tangible asset, and the challenge is control. HIPAA is about control; so is the U.S. National Do-Not-Call list (notwithstanding the recent deluge of calls from political candidates). What is missing for my friend and for all of us is the ability to exert influence in a consolidated and effective manner. The time is coming when paying for the cost of an advocate for individuals will be a more effective investment than paying for credit reports, fraud insurance, recovery from identity theft, and similar expenses associated with identity information charged to the consumer. It is interesting that the same people who profit from collecting this information today want to profit from allowing us to protect it, rather than share the profits. It’s another indicator for wresting control from business and the government.
A highly successful model for the balance of control is a lobbying organization like the National Rifle Association. One doesn’t have to advocate their cause or the positions they represent in order to acknowledge their effectiveness. A small but highly vocal community has essentially held regulation and control in check, in opposition to a variety of constituencies. For example, when one buys a firearm in the United States, detailed background information about the buyer is collected by the dealer and exchanged with the federal government for a go/no-go decision on the purchase. This information is only kept online for a matter of days, then deleted, in part because of the influence of the NRA to prohibit gun and owner registration. This also supports the idea that some of this information is transactional and should not remain available indefinitely.
If we view identity as an asset that needs protection, regulation, and control, it becomes apparent that individual control over personal information is viable and necessary. It comes down to recognition of the problem and clear objectives to establish and maintain the rights of individuals. The damage that the lack of control over identity information can cause is apparent. The mechanism for developing an individual advocacy also exists. The present lack of inclusion of an independent advocate in “industry” initiatives will help to make it a priority.
[posted by Kevin Kampman]

