Academic journal article Journal of the Association for Information Systems

Robbing Peter to Pay Paul: Surrendering Privacy for Security's Sake in an Identity Ecosystem

Academic journal article Journal of the Association for Information Systems

Robbing Peter to Pay Paul: Surrendering Privacy for Security's Sake in an Identity Ecosystem

Article excerpt

1 Introduction

Information security is a prominent concern for many entities, such as individuals, organizations, militaries, and national governments. One core reason for such concern comes from the importance of and demand for information privacy, which represents agents' desire to have influence over data about themselves (Bélanger & Crossler, 2011). In highlighting the extent to which the protection of sensitive information is an issue, the Privacy Rights Clearinghouse has chronicled nearly 4,700 publicly reported privacy breaches in the decade from 2005-2015 in the US alone. During roughly the same time period (i.e., 2005-2014), many E.U. member countries experienced similar types of breaches with a collective total of 229 events that equated to 645 million records potentially compromised across various entities (e.g., commercial, educational, government, medical, and military) (Howard, 2014). Thus, issues surrounding the protection of sensitive data are not unique to one country, industry, or entity type.

Not surprisingly, discussions regarding the need for the development and implementation of more secure environments have arisen. The Association for Information Systems (AIS) has also recognized the need to reengineer the Internet and has launched a grand challenge called the Bright ICT Initiative (also referred to as the Bright Internet Initiative) to do so (Lee, 2015). As a result of the Bright ICT Initiative, the AIS and the United Nations International Telecommunications Union have signed a memorandum of understanding to work together to create a safe Internet that eliminates malicious attacks without sacrificing individual Internet users' privacy (Pritchett, 2015). Further outcomes of these discussions aim to improve the degree with which sensitive data are protected from threats. Interestingly, some of the more recently proposed solutions appear to offer improved security but sacrifice information privacy (Dyck & Pearson-Merkowitz, 2013; Goss, 2013; Schneier, 2008). These proposals suggest that, if online agents-individuals and organizations-are vetted and connect through a known and "trusted" identitymanagement intermediary, then certain types of personal information would not need to be shared across the public Internet infrastructure, which would reduce the likelihood that unknown attackers would intercept any transmitted sensitive information. Thus, agents would need to share complete and accurate identifying information with one or more known entities relatively few times (i.e., federated login) rather than known and potentially unknown entities repetitively so that agents could engage in secured activities with each other when they share sensitive data. These centralized entities would, therefore, be responsible for many activities including but not limited to vetting network agents (e.g., individual users, corporations, and educational institutions), managing credentials, and revoking access rights for agents who become noncompliant with the identity-management system specifications. Thus, researchers and policy makers have come to call these types of systems "identity ecosystems".

In summary, identity ecosystems provide a controlled environment where users provide their sensitive and identifying information to a third party that manages their and other users' access to the Internet. In doing so, users (both consumers and vendors) would not have to provide sensitive identifying information to each other to conduct secure transactions because the managing third party would have already validated them both. Conceptually, doing so would decrease the privacy and security risks in individual transactions but would necessitate users' trusting their private information to the centralized third party manager of the entire identity ecosystem. Thus, this situation creates an interesting tradeoff between selectively sharing personal information and making security-related decisions by trusting a single party with all of this information (which includes all Internet activity that one conducts in the identity ecosystem). …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.