Bruce Schneier writes about his desire to let go of the tarbaby.
Months have passed, and I no longer want an ongoing relationship with the e-commerce site. I don’t want a username and password. I don’t want them to have my credit-card number on file. I’ve received my purchase, I’m happy, and I’m done. — …more
This is one of the design problems in the identity space I find most puzzling. The business forces are reasonably straightforward; the commercial firm’s valuation is dependent on the number of relationships it “owns.” That creates a powerful incentive for the firm to create sticky relationships and then a powerful incentive for it to work those relationships over time.
The relationships are a problem because they create risks. For example, after a few years, when it becomes obvious you’re never coming back to do more business, the firm is sorely tempted to try some spamming action to garner some value out of the relationship. I had an AT&T credit card, for example, that I stopped using. As each year would pass they would try more and more obnoxious ways of capturing some value out of the relationship. Finally they started calling me and trying to sell me life insurance! They had sold my name to some telemarketing life insurance company along with permission for that company to claim they were “AT&T”.
Bruce talks about the risk that something bad will happen with the account.
Near as I can tell, the username and password I typed into that e-commerce site puts my credit card at risk until it expires. If the e-commerce site uses a system that debits amounts from my checking account whenever I place an order, I could be at risk forever. (The US has legal liability limits, but they’re not that useful. According to Regulation E, the electronic transfers regulation, a fraudulent transaction must be reported within two days to cap liability at US$50; within 60 days, it’s capped at $500. Beyond that, you’re out of luck.)
I don’t think that’s exactly right. I believe that the credit card consumer protections (at least currently in the US) are somewhat stronger than the electronic transfer ones. On the other hand the debit card rules aren’t.
But consumer protection is the right stick to hit this problem with. I cannot see any way the market forces are going to resolve this problem.
The problem is that a relationship creates some rights to hold data and do stuff with that data. For example the right to send me email announcing that something I ordered has been shipped. The right to retain my shipping address so they can expedite future sales. These rights of data retention and action need to decay. Traditionally mother nature saw to it that they would decay, but no more. Technology tends to do the inverse. The data doesn’t tend to decay, it tends to spread. These organizations don’t forget, they gossip.
Large relationship aggregators need to be brought to heel. It is not in their localized best interest for that to happen. The only players in the game with the power to do that are governments.
Oh wait! I forgot I’m supposed to make this a law: “Let go, damn it!”