Hail the attribute
I had a talk last week with an industry luminary who assured me that identity will eventually be all about "the attribute."
Today, I saw a story that characterizes what he was talking about, including additional issues surrounding privacy.
The Centers for Disease Control and Prevention (CDC) reported that it tracked the source of an 8-month-old salmonella outbreak across 44 states using data collected via customer loyalty cards shoppers swipe at the grocery store.
By using "attributes" from shoppers's cards, i.e what they purchased and when, the CDC was able to pinpoint a Rhode Island company that makes salami and then to eventually hone in on the pepper used to season the meat.
Adhering to Kim Cameron's Seven Laws of Identity, users agreed to reveal their information. Costco, one of many retailers that participated in the investigation, told MSNBC that it provided data to CDC, but only the data in question.
Christine Summers, the Issaquah, Wash., chain's director of food safety, told the news outlet, "They ask, 'Did this member purchase products A, B or C in this time frame?' and we tell them, 'Yes, they did' or 'No, they didn't.'"
The specific information also adhered to the Seven Laws of Identity with its disclosure focused only on the relevant data.
In typical use cases, attributes are used to acquire something for the end-user, i.e. access to data/services. But in this case, a collection of a certain attribute from many users was aggregated to create, in essence, another attribute that pointed the CDC in the right direction. The agency acknowledged that the data provided the break that it needed.
Clearly, attributes and collections of attributes are key to the information needed to support authentication and fine-grained authorization. For the enterprise, the backbone should form around SAML and XACML. OpenID, OAuth and OAuth Wrap are likely to play key roles on the consumer side.
The other issue here is clearly around privacy. But given that users agreed to share data/attributes those issues may be unfounded in this case. The questions, however, highlight that privacy is essential, especially in a case where the collector of the data was sharing it with a third-party.
Katherine Albrecht, the director of a group called Consumers Against Supermarket Privacy Invasion and Numbering, told MSNBC that she worries the practice could lead to a switch from a voluntary system to mandatory use of such cards.
"That sends chills down my spine," she said.


Join change leaders, security, cloud and identity experts in Keystone, Colorado to shape the new era of Identity-Aware Security & Cloud Computing
