Karen Lawrence

The subject of privacy and identity is by no means new, and many countries have legislation geared towards the protection of personal information. There exist nonetheless inconsistencies between countries regarding the right to privacy. Information gathering engines are prevalent wherever we go online, gathering our personal data as quickly as we share it — wittingly or unwittingly.

What is new is the paradigm shift on how we use the Internet: we like to show the world that we are here, what we do in our lives and what we think. This article briefly examines this shift and how perceptions concerning the responsibility for our personal information are due for an overhaul.

Originally the Internet was motivated by the need to share information, which has led to a thriving e-business community and the resulting drive for information security. The focus for information security has traditionally been to ensure the availability, confidentiality and integrity of information. The success in this area has led to a significant migration of consumer activities from the traditional brick and mortar storefronts to a thriving global e-commerce community. This migration has also prompted crucial security concerns: the safety of personal information and privacy.

Protection of our privacy is not new. Well before the majority of us went online, we signed up for loyalty cards (store cards, air miles, etc.) that gave us privileged status with our favorite store, airline, etc. Our reward was getting special discounts on purchases, express checkout in the supermarket and maybe invitations for special events, free flights, priority upgrading, etc. In return, the card providers received information on us — consumer demographics: what we bought, how often we bought, where we traveled and how often, and more. These cards are still popular today, and from the information gathered card providers can derive the size of our household, our lifestyle, our salary, age, job, children, cats, dogs, etc. In addition to discounts, we as consumers also receive advertising materials targeted personally at each of us as an identified consumer group. This can actually feel nice, perhaps giving us a feeling of belonging and increased importance and status with the card provider. This is particularly the case with airline loyalty programs and stores targeting higher income groups. We consumers, it seems, have for some time been quite comfortable giving away our personal information when we perceive the benefit outweighs the intrusion.

Privacy Secured
In Europe privacy is a basic human right supported by the EU Directive on Data Privacy (95/46/EC). In the United Kingdom, the Data Protection Act 1998 (DPA) protects the private information of UK residents. Organizations that collect personal data must register with the government and take precautions against the misuse of that data. DPA prohibits the collection, use and dissemination of personal information without the individual's consent. Individuals have the right to know the reason their data is being collected and to be assured that their personal information is not being sold or used for other purposes. Organizations are obliged to tell individuals the reason for information collection, to provide access and to correct any inaccuracies that may have been stored. Finally these organizations must demonstrate that personal information is kept secure and inaccessible to unauthorized parties. For example, if you live in the UK, your medical records cannot be shared with any party without your permission; you have the right to access this information; and your health authority has an obligation to ensure that your private data is stored securely. DPA also protects you against a company's selling your personal information in countries that do not adhere to the same rules as regulated in the EU.

This is all very well except that the Internet is global and borderless. Hence, it is not obvious which country is hosting the site you are browsing. (See In effect this means that those gathering your personal information, which you — knowingly or unknowingly — shared with them, are controlled by their business ethics, their motivations for collecting the information, and how they are restricted by the legislation of the hosting country. For example, the U.S. approach to data privacy has a strong cultural bias and a business philosophy for self-regulation with minimal federal and state legislation. Examples include the Health Insurance Portability and Accountability Act (HIPAA), which has had a far reaching impact on the American healthcare sector by enforcing the protection of patients' medical records; Gramm-Leach-Bliley Act (GLBA) which protects the privacy of an individual's financial records; and COPPA which was enacted to add controls on the collection of personal information on children. There is, nevertheless, nothing so encompassing nor as far reaching as the EU Data Protection Directive and its fundamental assumption that privacy is a basic human right.

Privacy for Sale
In the United States some members of the U.S. Congress have tried to pass pro-privacy legislation, but they have been blocked., whose members include AOL,, Yahoo!, eBay and DoubleClick, is a powerful lobbying force for self-regulation. (See{ A26D1466-305E-467B-884C-9346DF70A932} ) For these companies, privacy is bad for business, and they use data gathered from us in order to make money.

How they do this is simple:

1. When you purchase goods online your identity is logged automatically during authentication.

2. Whether or not you buy anything, how you navigate over the Web site — mouse movements, clicks, pages visited, etc. — might be logged by using cookies stored on your computer (according to the article, "Cookies and Web Bugs," which appeared in Information Security Management Handbook 2005).

Sometimes we will be warned that they are collecting information on us, and we may even be given the option to opt-out after reading a long privacy statement. However, many of us do not understand or care enough to take assertive action. This means the online store knows who you are, what you purchased, and your buying habits.

Consequently your private information can become a part of the Internet, a constituent of a living information pool fueling those ethical and less ethical practices found with data collection and use of that data.

Your private information, which traditionally only had a value to you, is of significant value in the hands of others. The privacy implications are profound. Information about you, when collected, could end up anywhere in the world and proliferate exponentially during our lifetime. The question is how much of this information is Personally Identifiable Information (PII) — information that is linked directly to you personally. Is there personally identifiable information out there that could be damaging to you?

Online Identities
Web 2.0 brings a whole new arena of social networking. This was recently brought to public attention when Time magazine selected "You" as The Person of the Year 2006, the implication being that each one of us has collectively made contributions to major milestones acknowledged as significant during 2006. For example, it is the collaborative efforts of individuals that have made Wikipedia such a powerful tool. We review books and collectively have the power to sway public opinions. We are virtual communities, and we are using the Internet to willingly share our private information with the rest of the world, e.g., blogging is cool! We like to show the world that we are here, what we do in our lives and what we think. We even publish photos and videos of ourselves online. While many attach real names to published content, it is common to use online identities (alias names). Online identities are sometimes linked to our physical identity in some form, although the linkage is not always obvious or known.

Online anonymity provides users with the opportunity to take part in forums without needing to be accountable for their actions which may otherwise have an impact upon their reputation. Anonymity also gives people, who may otherwise be inhibited, the opportunity to communicate in a way they have never done before. This may lead to increased self-confidence, as well as provide increased satisfaction and development potential in their physical — real — life. Occasionally, when we participate in forums, we may choose to reveal our real identity to those members with whom we wish to extend the relationship into the physical world.

We are not just playing at social networking; we are doing this in our professional lives too. Many of us have created professional profiles within online network communities that are built upon the base assumption of mutual trust and personal recommendations. How much personal information you include in your profile is determined by the need to provide enough information to network effectively, while on the other hand, keeping personal content to a minimum since it is after all public. You add someone to your personal network on the assumption that you either know him or her personally or by referral of someone you trust. If you are using LinkedIn (, for example, your network consists of Direct Connections (those that you know/trust), Two Degrees (those that are friends of friends) and Three Degrees (their friends). Your total network grows exponentially with every new connection. Head hunters are power users of these types of trust networking tools, as are those searching for new employment and business opportunities.

The Information Age is here — a paradigm shift that includes 1000s upon 1000s of thriving online communities, covering any topic you dare to imagine. And most of us have at some time partaken of online communities of one form or another. Over time active participation can lead to online relationships and reputations which are influenced by how we interact as part of the online community.
Networking and collaboration are the buzz words along with a growing awareness that, in addition to our physical life, we can also have a Virtual Life. Well known virtual worlds include World of Warcraft, Lineage and Second Life.

The Virtual World
Second Life ( was initially an empty virtual world that is now populated by over 3.3 million virtual people (avatars) with real physical identities behind each one of them. These numbers are growing at 230,000 per week, according to an Investor's Business Daily article. (See

The social side of Second Life attracts many players. Residents in Second Life can buy their own islands, create dream houses, become clothing designers, go fishing, spend nights partying in clubs and bars and, of course, have virtual sex with each other.

Everything in Second Life costs Linden Dollars (L$) which can be purchased using real money. It is possible to exchange real money to L$ and back again using the L$ exchange rate. It is perhaps not surprising that Second Life and comparable virtual worlds are giving rise to considerable attention and participation from the mainstream business world as a new marketing opportunity, and some are even making money. For example IBM has acquired 24 Second Life islands. Other companies with a presence are General Motors, Toyota Motor Corporation, Dell, Cisco Systems, Sun Microsystems and Reuters Group (according to the article in Investor's Business Daily).

The real beauty of Second Life is that you are unrestricted by those physical, cultural, and sociological boundaries of your physical environment. You create an avatar and evolve your virtual identity. Over time this could include the purchase of additional avatar abilities or commodities that facilitate the evolution of your online experience and reputation. In Second Life you meet other residents and become part of Second Life communities — just like in the real world. Your avatar protects your anonymity with fake name and looks.

Theoretically the use of anonymity in Second Life should mean that there is no link to your physical identity. Unfortunately there was a security breach on the Second Life member database recently (2006) whereby the fear was that sensitive information had been disclosed. (Read the Security Bulletin at It could be argued that the compromised information could link members' virtual identities to their physical identities via their credit card that they used to buy L$.

The Identity Linkage Continuum
Evidently any individual may have many virtual identities and a portion of those could present some identity linkage to their physical life. To what extent is to some degree influenced by ourselves, i.e., our online awareness. Exposure of personal or sensitive content could be in the form of a blog, some remark we left on somebody else's blog, or a book review. It could be something from our virtual life. The fact is that even if we delete any identifying data — something that might at some time compromise or sully our real identities — something will, without a doubt, still be out there somewhere.

Today's recruitment agencies google applicants during the screening process and some of us do the same when we meet somebody new. This brings to mind some questions concerning our identity, such as, what is our identity? Are we at threat of losing control of ourselves: who we are or who we are perceived to be? Are there not things in our lives that we would prefer not to have recorded digitally for posterity? If our virtual identities become linked to our physical identities, what are the consequences? Is it possible that whatever we do as our virtual identities can influence decisions that other people make about us in the physical world? In effect, our personal or sensitive information stored on the Internet yesterday has the potential of jeopardizing what we may want to achieve today or tomorrow.

In the scope of this article, there has been a fuzzy relationship between identity and reputation since, firstly, what we do in our life has an impact on our reputation (professional/personal, etc.); and secondly, it is by building our reputation that we create for ourselves an identity. The theme that presents itself repeatedly is the possible linkage between our online activities and our physical identity and the potential impact our online activities could have on our physical identity/reputation. This linkage is referred to as Identity Linkage Continuum. (See wiki/Pseudonymity#Pseudonymity_and_online_reputations.)

Identity linkage continuum denotes a many-to-one relationship between an individual's online activities and physical identity. The identity linkage is not affected by time and may comprise positive or negative influences on an individual's physical identity/reputation at any given time during life.

The Janus Identity Model
The Janus model presents the concept of the identity linkage continuum, setting the physical and online identities as reflecting each other on a timeline, and the time is today. The online activities are somewhere in the past — which could be a measurement of seconds, minutes or years — and have the potential of impacting an individual's physical identity today. The residue (information that is floating out there somewhere in cyberspace) of online activities is timeless and hence has the power to impact — either positively or negatively — an individual's reputation in the real world, regardless of where on the timeline the physical identity is situated.

The model takes its name from the Roman mythological god Janus, the god of gates, doors, doorways, beginnings, and endings. Janus was frequently used to symbolize change and transition, such as the progression of past to future, of one condition to another, of one vision to another. The identity model, like the god, is depicted with two faces looking in opposite directions, representing the physical and the virtual world. With the model the assumption is that most online activities are at some time linked to an online identity, whether an alias, a real name, an e-mail address, etc.

Not all online activities that are digitally preserved are linked to the physical identity — some could have a 'dormant' identity linkage, i.e., a link that is not apparent but becomes active as a result of some real person having knowledge of specific personal information (e.g., name change). Hence, the aggregate of knowledge leads to an identity-linkage and exposure that would not have otherwise been possible, largely because aggregations of data may be more sensitive than the individual items.

We can only speculate on how today's younger generation will deal with this challenge in the future, when they realize that something that they may have published, shared or done online in the past may impact their professional or personal prospects in the physical world today and tomorrow. Yes, there are laws protecting, to a degree, privacy. However, they are inadequate given the social evolution that we have seen happening over the last few years. What we can expect is a rapid growth in those businesses specialized in hunting down and eradicating digitally stored information residue that could be linked to us — as people.

The control that we have over our identity today influences how we are perceived by our friends, employers, colleagues and others whom we have not yet met. It also impacts how we are perceived in the future. This is nothing new except when we consider that often what we do today is stored digitally somewhere by someone and something. The consequences can be positive and negative. It is positive if it reaffirms what you have stated about yourself. If it is something that you would prefer be forgotten, then you could have a problem…

References and Further Reading
Time, December 2006
Hedley, Steve and Aplin, Tanya, Blackstone's Statutes on IT Commerce and e-commerce. 2nd ed. Oxford University Press, 2004
Stewart, James Michael, Tittel, Edan and Chapple, Mike, CISSP Study Guide. 3rd ed.
Data Protection in the European Union,

Karen Lawrence Öqvist, MscIS, is a Senior Information Security Consultant with Hewlett-Packard based in Sweden and has 15 years experience in the IT industry, 10 of these years in Identity Management. She worked for Novell before joining HP Sweden in November 2006. She has a Masters Degree in Information Security from the Royal Holloway University of London. She can be contacted at
, and hosts a blog at

©2007 ISSA Journal. Reprinted from ISSA Journal April 2007 with permission from ISSA, Inc. and the

