Real ID Identity and Privacy: an Expert's View

#0 - July 6, 2010, 7:29 p.m.
Blizzard Post
TLDR: Blizzard's plans with Real ID are pushing the boundaries of good digital ID and privacy practices. This will eventually backlash upon them in much the same way Google and Apple have had reputation hits in the recent past.

A little background on me: I develop privacy and digital identity strategy for one of the top-3 largest banks in the USA. If anyone knows about dealing with protecting customer privacy and providing them a secure online experience, we do.

Blizzard seems to have found a new toy, Real ID, they are willing to share, well actually FORCE, their customers to use in order to enjoy some of the game-related content. I'm talking about official forum participation. I expect they will eventually move toward enforcement of Real ID for game login and in-game communication as well, similar to what they did with battle.net authentication (which I think was a good thing).

To avoid making this post several pages long I'll refer you to an excellent piece written by Kim Cameron who is currently employed by Microsoft but despite this is considered one of the technology industry thought leaders on the topic. It's called the Seven Laws of Identity: http://www.identityblog.com/stories/2004/12/09/thelaws.html

I'll point out that forcing customers to use Real ID violates two of these best practices:

2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties

The main problem with Real ID is that it exposes too much private information to an audience that really doesn't need it: the gaming community. It also adds a layer of identity into a system that already has plenty of information about us and doesn't really need it (the Blizzard admin system) but exposes a part of it that is considered non-public (real first and last name).

Blizzard is positioning this requirement as a way of promoting personal reputation within the forum community. However, the presence of someone's real first and last name is not a good reputation method unless you can also connect that name with an actual individual who can be contacted in the real world. Unless an individual person can be identified, then reputation is really meaningless, or at best, very weak.

However, exposing real names enables fraudsters, hackers, etc. to have one more (and very important) piece of information about someone they may not have had otherwise. Combine several pieces of information inadvertently disclosed over the course of a few months in various forum posts, and you could collect pieces of information that would geographically and individually identify a person:
- Location (City)
- Gender
- Age bracket
- Real name

This kind of information is the stuff that keeps police and electronic crime investigators up at night, because the more identification points you have on someone, the easier it is to find them. Real name is a biggie, right up there with SSN and account number. It's one of the pieces of information we classify in the banks as "non-public information" (NPI) that is watched very closely to make sure we do not transmit it alongside other NPI (such as address/SSN/account).

Bottom line: a computer game is not the kind of place you want to FORCE your customers to have to start disclosing pieces of personal information.

When the terms of service for the game change to disallow identity aliases and force people to use their real names, I'll be suggesting to my friends that we find another game to play. Yes, you can have my stuff.

#9 - July 6, 2010, 8:04 p.m.
Blizzard Post
Please keep Real ID conversations to one thread: http://forums.worldofwarcraft.com/thread.html?topicId=25712374700&sid=1