Personal Information Centralization

Kim Cameron blogged today about something that I've been pondering for some time - Personal Information Centralization.

Overcentralization of identity information increases the risks involved once the idea of a breach is accepted. So does the ability to assemble information from different contexts which should strictly be separated.
That's right, I believe. Overcentralization is not good. But that does not apply to the server side only. The information may be overcentralized on the client side as well.

Take InfoCards as an example. If we use only self-issued claims in the InfoCards system, all the personal information will be stored on one's personal computer. That will make the common PC a rewarding target for attack. Do you know how difficult it is to hack a PC? I do not. PCs have not been targeted much by hackers yet. There was nothing really important there. But now, that may change ... And PCs are quite uniform. Find one good hole and you can hack millions of PCs all around the world in a few minutes.

I do not think that storing personal data on a PC is any better than storing it on a server. Overcentralization is equally bad in both cases, but the "PC case" is much harder to recognize. And the things that are hidden are the worst ones ... and that's not limited to computer security.