At Identity.Next yesterday, we had some discussion as to the desirable characteristics of the identifiers, especially in the context of National or Citizen IDs.
In most cases, the use of such identifier seems to be restricted in a way that it can be used in some particular purposes.
However, enforcement seems to be an issue.
The breach of the privacy can happen in various ways but we have discussed two particular form of it:
1) breach by multi-party collusion/linking
– two pieces of information at different locations linked together to extract an information that the person did not wish.
2) breach by inter-temporal linking
– two pieces of information now and past to extract an information that the person did not wish.
Purpose restriction is a measure against 1) but does not protect against 2).
As humans makes a lot of mistakes (esp. when young), some protection against 2) should be put in place as well.
The typical way of dealing with 2) is use temporal (not-permanent) identifiers such as Germans do in their new eID scheme that started this November 1, 2010.
In any case, 360 degree identifier (the identifier that is permanent and that can be used for any purpose) seems to be a bad idea from the point of view of the privacy protection. From time to time such an identifier seems to be proposed to improve “efficiency” but it probably is best to avoid. It would be worthwhile to consider such a scheme that has “visible but sectoral and temporary identifiers” coupled with “invisible and strictly controlled persistent identifier”. It will require “identifier rotation” per the systems because they only see the temporary identifiers, but it would be a good design to do so in any case to improve the robustness of the system, just like we MUST take care of the key rotation in the systems.