Disintermediation: an Amazon parable

New York TImes Technology ran a story yesterday about the publishing industry that is brimming with implications for almost everyone in the Internet economy.  It is about Amazon and what marketing people call “disintermediation”.  Not the simple kind that was the currency of the dot.com boom;  we are looking here at a much more advanced case:

SEATTLE — Amazon.com has taught readers that they do not need bookstores. Now it is encouraging writers to cast aside their publishers.

Amazon will publish 122 books this fall in an array of genres, in both physical and e-book form. It is a striking acceleration of the retailer’s fledging publishing program that will place Amazon squarely in competition with the New York houses that are also its most prominent suppliers.

It has set up a flagship line run by a publishing veteran, Laurence Kirshbaum, to bring out brand-name fiction and nonfiction…

Publishers say Amazon is aggressively wooing some of their top authors. And the company is gnawing away at the services that publishers, critics and agents used to provide…

Of course, as far as Amazon executives are concerned, there is nothing to get excited about:

“It’s always the end of the world,” said Russell Grandinetti, one of Amazon’s top executives. “You could set your watch on it arriving.”

But despite the sarcasm, shivers of disintermediation are going down the spines of many people in the publishing industry:

“Everyone’s afraid of Amazon,” said Richard Curtis, a longtime agent who is also an e-book publisher. “If you’re a bookstore, Amazon has been in competition with you for some time. If you’re a publisher, one day you wake up and Amazon is competing with you too. And if you’re an agent, Amazon may be stealing your lunch because it is offering authors the opportunity to publish directly and cut you out. ” [Read whole story here.]

If disintermediation is something you haven't thought about much, you might start with a look at wikipedia:

In economics, disintermediation is the removal of intermediaries in a supply chain: “cutting out the middleman”. Instead of going through traditional distribution channels, which had some type of intermediate (such as a distributor, wholesaler, broker, or agent), companies may now deal with every customer directly, for example via the Internet. One important factor is a drop in the cost of servicing customers directly.

Note that the “removal” normally proceeds by “inserting” someone or something new into transactions.  We could call the elimination of bookstores “first degree disintermediation” - the much-seen phenomenon of replacement of the existing distribution channel.   But it seems intuitively right to call the elimination of publishers “second degree disintermediation” - replacement of the mechanisms of production, including everything from product development through physical manufacturing and marketing, by the entities now predominating in distribution.  

The parable here is one of first degree disintermediation “spontaneously” giving rise to second degree disintermediation, since publishers have progressively less opportunity to succeed in the mass market without Amazon as time goes on.  Of course nothing ensures that Amazon's execution will cause it to succeed in a venture quite different from its current core competency.  But clearly the economic intrinsics stack the deck in its favor. Even without displacing its new competitors it may well skim off the most obvious and profitable projects, with the inevitable result of underfunding what remains.

I know.  You're asking what all this has to do with identityblog.

In my view, one of the main problems of reusable identities is that in systems like SAML, WS-Federation and Live ID, the “identity provider” has astonishing visibility onto the user's relationship with the relying parties (e.g. the services who reuse the identity information they provide).  Not only does the identity provider know what consumers are visiting what services; it knows the frequency and patterns of those visits.   If we simply ignore this issue and pretend it isn't there, it will become an Achilles Heel.

Let me fabricate an example so I can be more concrete.  Suppose we arrive at a point where some retailer decides to advise consumers to use their Facebook credentials to log in to its web site.  And let's suppose the retailer is super successful.  With Facebook's redirection-based single sign-on system, Facebook would be able to compile a complete profile of the retailer's customers and their log-on patterns.  Combine this with the intelligence from “Like” buttons or advertising beacons and Facebook (or equivalent) could actually mine the profiles of users almost as effectively as the retailer itself.  This knowledge represents significant leakage of the retailer's core intellectual property – its relationships with its customers.

All of this is a recipe for disintermediation of the exact kind being practiced by Amazon, and at some point in the process, I predict it will give rise to cases of spine-tingling that extend much more broadly than to a single industry like publishing. 

By the time this becomes obvious as an issue we can also predict there will be broader understanding of ”second degree disintermediation” among marketers.  This will, in my view, bring about considerable rethinking of some current paradigms about the self-evident value of unlimited integration into social networks.  Paradoxically disintermediation is actually a by-product of the privacy problems of social networks.  But here it is not simply the privacy of end users that is compromised, but that of all parties to transactions. 

This problem of disintermediation is one of the phenomena leading me to conclude that minimal disclosure technologies like U-Prove and Idemix will be absolutely essential to a durable system of reusable identities.  With these technologies, the ability of the identity provider to disintermediate is broken, since it has no visibility onto the transactions carried out by individual users and cannot insert itself into the relationship between the other parties in the system. 

Importantly, while disintermediation becomes impossible, it is still possible to meter the use of credentials by users without any infringement of privacy, and therefore to build a viable business model.

I hope to write more about this more going forward, and show concretely how this can work.

Who is harmed by a “Real Names” policy?

Skud at Geek Feminism Blog has created a wiki documenting work she and her colleagues are doing to “draft a comprehensive list” of those who would be harmed by a policy banning pseudonymity and requiring “real names”.

The result is impressive.  The rigour Skud and colleagues have applied to their quest has produced an information payload that is both illuminating and touching.

Those of us working on identity technology have to internalize the lessons here.  Over-identification is ALWAYS wrong.  But beyond that, there are people who are especially vulnerable to it.  They have to be treated as first class citizens with clear rights and we need to figure out how to protect them.  This goes beyond what we conventionally think of as privacy concerns (although perhaps it sheds light on the true nature of what privacy is – I'm still learning).

Often people argue in favor of “Real Names” in order to achieve accountability.  The fact is that technology offers us other ways to achieve accountability.  By leveraging the properties of minimal disclosure technology, we can allow people to remain anonymous and yet bar them from given environments if their behavior gets sufficiently anti-social.

But enough editorializing.  Here's Skud's intro.  Just remember that in this case the real enlightenment is in the details, not the summary.

This page lists groups of people who are disadvantaged by any policy which bans Pseudonymity and requires so-called “Real names” (more properly, legal names).

This is an attempt to create a comprehensive list of groups of people who are affected by such policies.

The cost to these people can be vast, including:

  • harassment, both online and offline
  • discrimination in employment, provision of services, etc.
  • actual physical danger of bullying, hate crime, etc.
  • arrest, imprisonment, or execution in some jurisdictions
  • economic harm such as job loss, loss of professional reputation, etc.
  • social costs of not being able to interact with friends and colleagues
  • possible (temporary) loss of access to their data if their account is suspended or terminated

The groups of people who use pseudonyms, or want to use pseudonyms, are not a small minority (some of the classes of people who can benefit from pseudonyms constitute up to 50% of the total population, and many of the others are classes of people that almost everyone knows). However, their needs are often ignored by the relatively privileged designers and policy-makers who want people to use their real/legal names.

Wait a minute.  Just got a note from the I Can't Stop Editorializing Department: the very wiki page that brings us Skud's analysis contains a Facebook “Like” button.  It might be worth removing it given that Facebook requires “Real Names”, and then transmits the URL of any page with a “Like” button to Facebook so it can be associated with the user's “Real Name” – whether or not they click on the button or are logged into Facebook.

Privacy Bill of Rights establishes device identifiers as PII

In my view the Commercial Privacy Bill of Rights drafted by US Senators McCain and Kerry would significantly strengthen the identify fabric of the Internet through its proposal that “a unique persistent identifier associated with an individual or a networked device used by such an individual” must be treated as personally identifiable information (Section 3 – 4 – vii).   This clear and central statement marks a real step forward.  Amongst other things, it covers the MAC addresses of wireless devices and the serial numbers and random identifiers of mobile phones and laptops.

From this fact alone the bill could play a key role in limiting a number of the most privacy-invasive practices used today by Internet services – including location-based services.  For example, a company like Apple could no longer glibly claim, as it does in its current iTunes privacy policy, that device identifiers and location information are “not personally identifying”.  Nor could it profess, as iTunes also currently does, that this means it can ”collect, use, transfer, and disclose”  the information ”for any purpose”.  Putting location information under the firm control of users is a key legislative requirement addressed by the bill.

The bill also contributes both to the security of the Internet and to individual privacy by unambiguously embracing ”Minimal Disclosure for a Constrained Use” as set out in Law 2 of the Laws of Identity.  Title III explicitly establishes a “Right to Purpose Specification; Data Minimization; Constraints on Distribution; and Data Integrity.”

Despite these real positives, the bill as currently formulated leaves me eager to consult a bevy of lawyers – not a good sign.  This may be because it is still a “working draft”, with numerous provisions that must be clarified. 

For example, how would the population at large ever understand the byzantine interlocking of opt-in and opt-out clauses described in Section 202?  At this point, I don't.

And what does the list of exceptions to Unauthorized Use in Section 3 paragraph 8 imply?  Does it mean such uses can be made without notice and consent?

I'll be looking for comments by legal and policy experts.  Already, EPIC has expressed both support and reservations:

Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the “Commercial Privacy Bill of Rights Act of 2011,” aimed at protecting consumers’ privacy both online and offline. The Bill endorses several “Fair Information Practices,” gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information.

But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a “Safe Harbor” arrangement that exempts companies from significant privacy requirements.

EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies’ to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission.

Kerry McCain bill proposes “minimal disclosure” for transaction

Steve Satterfield at Inside Privacy gives us this overview of central features of new Commercial Privacy Bill of Rights proposed by US Senators Kerry and McCain (download it here):

  • The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data.  The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
  • The draft also states that businesses should “seek” to collect only as much “covered information” as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service
  • “Covered information” is defined broadly and would include not just “personally identifiable information” (such as name, address, telephone number, social security number), but also “unique identifier information,” including a customer number held in a cookie, a user ID, a processor serial number or a device serial number.  Unlike definitions of “covered information” that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
  • The draft encompasses a data retention principle, providing that businesses should only retain covered information only as long as necessary to provide the transaction or service “or for a reasonable period of time if the service is ongoing.” 
  • The draft contemplates enforcement by the FTC and state attorneys general.  Notably — and in contrast to Rep. Rush's bill — the draft does not provide a privacy right of action for individuals who are affected by a violation. 
  • Nor does the bill specifically address the much-debated “Do Not Track” opt-out mechanism that was recommended in the FTC's recent staff report on consumer privacy.  (You can read our analysis of that report here.) 

As noted above, the draft is reportedly still a work in progress.  Inside Privacy will provide additional commentary on the Kerry legislation and other congressional privacy efforts as they develop.   

Press conference will be held tomorrow at 12:30 pm.  [Emphasis above is mine - Kim]

Readers of Identityblog will understand that I see this development, like so many others, as inevitable and predictable consequences of many short-sighted industry players breaking the Laws of Identity.

 

Malcolm Compton on power imbalance and security

Australia's CRN reports that former Australian Privacy Commissioner Malcolm Crompton has called for the establishment of a formal privacy industry to rethink identity management in an increasingly digital world:

Addressing the Cards & Payments Australasia conference in Sydney this week, Crompton said the online environment needed to become “safe to play” from citizens’ perspective.

While the internet was built as a “trusted environment”, Crompton said governments and businesses had emerged as “digital gods” with imbalanced identification requirements.

Power allocation is where we got it wrong,” he said, warning that organisations’ unwarranted emphasis on identification had created money-making opportunities for criminals.

Malcolm puts this well.  I too have come to see that the imbalance of power between individual users and Internet business is one of the key factors blocking the emergence of a safe Internet. 

CRN continues:

Currently, users were forced to provide personal information to various email providers, social networking sites, and online retailers in what Crompton described as “a patchwork of identity one-offs”.

Not only were login systems “incredibly clumsy and easy to compromise”; centralised stores of personal details and metadata created honeypots of information for identity thieves, he said…

Refuting arguments that metadata – such as login records and search strings – was unidentifiable, Crompton warned that organisations hording such information would one day face a user revolt

He also recommended the use of cloud-based identification management systems such as Azigo, Avoco and OpenID, which tended to give users more control of their information and third-party access rights.

User-centricity was central to Microsoft chief identity architect Kim Cameron’s ‘Laws of Identity’ (pdf), as well as Canadian Privacy Commissioner Ann Cavoukian’s seven principles of ‘Privacy by Design’ (pdf).

Full article here.

Lazy headmasters versus the Laws of Identity

Ray Corrigan routinely combines legal and technological insight at B2fxxx - Random thoughts on law, the Internet and society, and his book on Digital Decision Making is essential.  His work often leaves me feeling uncharacteristically optimistic - living proof that a new kind of legal thinker is emerging with the technological depth needed to be a modern day Solomon.

I hadn't noticed the UK's new Protection of Freedoms Bill until I heard cabinet minister Damian Green talk about it as he pulverized the UK's centralized identity database recently.  Naturally I turned to Ray Corrigan for comment, only to discover that the political housecleaning had also swept away the assumptions behind widespread fingerprinting in Britain's schools, reinstating user control and consent. 

According to TES Connect:

The new Protection of Freedoms Bill gives pupils in schools and colleges the right to refuse to give their biometric data and compels schools to make alternative provision for them.  The several thousand schools that already use the technology will also have to ask permission from parents retrospectively, even if their systems have been established for years…

It turns out that Britain's headmasters, apparently now a lazy bunch, have little stomach for trivialities like civil liberties.  And writing about this, Ray's tone seems that of a judge who has had an impetuous and over-the-top barrister try to bend the rules one too many times.  It is satisfying to see Ray send them home to study the Laws of Identity as scientific laws governing identity systems.   I hope they catch up on their homework…

The Association of School and College Leaders (ASCL) is reportedly opposing the controls on school fingerprinting proposed in the UK coalition government's Protection of Freedoms Bill.

I always understood the reason that unions existed was to protect the rights of individuals. That ASCL should give what they perceive to be their own members’ managerial convenience priority over the civil rights of kids should make them thoroughly ashamed of themselves.  Oh dear – now head teachers are going to have to fill in a few forms before they abuse children's fundamental right to privacy – how terrible.

Although headteachers and governors at schools deploying these systems may be typically ‘happy that this does not contravene the Data Protection Act’, a number of leading barristers have stated that the use of such systems in schools may be illegal on several grounds. As far back as 2006 Stephen Groesz, a partner at Bindmans in London, was advising:

“Absent a specific power allowing schools to fingerprint, I'd say they have no power to do it. The notion you can do it because it's a neat way of keeping track of books doesn't cut it as a justification.”

The recent decisions in the European Court of Human rights in cases like S. and Marper v UK (2008 – retention of dna and fingerprints) and Gillan and Quinton v UK (2010 – s44 police stop and search) mean schools have to be increasingly careful about the use of such systems anyway. Not that most schools would know that.

Again the question of whether kids should be fingerprinted to get access to books and school meals is not even a hard one! They completely decimate Kim Cameron's first four laws of identity.

1. User control and consent – many schools don't ask for consent, child or parental, and don't provide simple opt out options

2. Minimum disclosure for constrained use – the information collected, children's unique biometrics, is disproportionate for the stated use

3. Justifiable parties – the information is in control of or at least accessible by parties who have absolutely no right to it

4. Directed identity – a unique, irrevocable, omnidirectional identifier is being used when a simple unidirectional identifier (eg lunch ticket or library card) would more than adequately do the job.

It's irrelevant how much schools have invested in such systems or how convenient school administrators find them, or that the Information Commissioner's Office soft peddled their advice on the matter (in 2008) in relation to the Data Protection Act.  They should all be scrapped and if the need for schools to wade through a few more forms before they use these systems causes them to be scrapped then that's a good outcome from my perspective.

In addition just because school fingerprint vendors have conned them into parting with ridiculous sums of money (in school budget terms) to install these systems, with promises that they are not really storing fingerprints and they can't be recreated, there is no doubt it is possible to recreate the image of a fingerprint from data stored on such systems. Ross, A et al ‘From Template to Image: Reconstructing Fingerprints from Minutiae Points’ IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 29, No. 4, April 2007 is just one example of how university researchers have reverse engineered these systems. The warning caveat emptor applies emphatically to digital technology systems that buyers don't understand especially when it comes to undermining the civil liberties of our younger generation.

Social Network Users’ Bill of Rights

The  “Social Network Users’ Bill of Rights” panel at the South by Southwest Interactive (SXSW) conference last Friday had something that most panels lack:  an outcome.  The goal was to get the SXSWi community to cast their votes and help to shape a bill of rights that would reflect the participation of many thousands of people using the social networks.

The idea of getting broad communities to vote on this is pretty interesting.  Panelist Lisa Borodkin wrote:

There is no good way currently of collecting hard, empirical, quantitative data about the preferences of a large number of social network users. There is a need to have user input into the formation of social norms, because courts interpreting values such as “expectations of privacy” often look to social network sites policies and practices.

Where did the Bill of Rights come from?  The document was written collaboratively over four days at last year's Computers, Freedom and Privacy Conference and since the final version was published has been collecting votes through pages like this one.  Voting is open until June 15, 2011 – the “anniversary of the date the U.S. government asked Twitter to delay its scheduled server maintenance as a critical communication tool for use in the 2009 Iran elections”.  And guess what?  That date also coincides with this year's Computers, Freedom and Privacy Conference.

The Bill – admirably straightforward and aimed at real people – reads as follows:

We the users expect social network sites to provide us the following rights in their Terms of Service, Privacy Policies, and implementations of their system:

  1. Honesty: Honor your privacy policy and terms of service
  2. Clarity: Make sure that policies, terms of service, and settings are easy to find and understand
  3. Freedom of speech: Do not delete or modify my data without a clear policy and justification
  4. Empowerment : Support assistive technologies and universal accessibility
  5. Self-protection: Support privacy-enhancing technologies
  6. Data minimization: Minimize the information I am required to provide and share with others
  7. Control: Let me control my data, and don’t facilitate sharing it unless I agree first
  8. Predictability: Obtain my prior consent before significantly changing who can see my data.
  9. Data portability: Make it easy for me to obtain a copy of my data
  10. Protection: Treat my data as securely as your own confidential data unless I choose to share it, and notify me if it is compromised
  11. Right to know: Show me how you are using my data and allow me to see who and what has access to it.
  12. Right to self-define: Let me create more than one identity and use pseudonyms. Do not link them without my permission.
  13. Right to appeal: Allow me to appeal punitive actions
  14. Right to withdraw: Allow me to delete my account, and remove my data

It will be interesting to see whether social networking sites engage with this initiative.  Sixestate reported some time ago that Facebook objected to requiring support for pseudonyms. 

While I support all other aspects of the Bill, I too think it is a mistake to mandate that ALL communities MUST support pseudonymity or be in violation of the Bill…  In all other respects, the Bill is consistent with the Laws of Identity.  However the Laws envisaged a continuum of approaches to identification, and argued that all have their place for different purposes.  I think this is much closer to the mark and Right 12 should be amended.  The fundamental point is that we must have the RIGHT to form and participate in communities that DO choose to support pseudonymity.  This doesn't mean we ONLY have the right to participate in such communities.

Where do the organizers want to go next? Jon Pincus writes:

Here’s a few ideas:

  • get social network sites to adopt the concept of a Bill of Rights for their users and as many of the individual rights as they’re comfortable with.   Some of the specific rights are contentious  — for example, Facebook objected to in their response last summer.  But more positively, Facebook’s current “user rights and responsibilities” document already covers many of these rights, and it would be great to have even partial support from them.  And sites like Twitter, tribe.net, and emerging companies that are trying to emphasize different values may be willing to go even farther.
  • work with politicians in the US and elsewhere who are looking at protecting online, and encourage them to adopt the bill of rights framework and our specific language.  There’s a bit of “carrot and stick” combining this and the previous bullet: the threat of legislation is great both for encouraging self-regulation and getting startups to look for a potential future strategic advantage by adopting strong user rights from the beginning.
  • encourage broad participation to highlight where there’s consensus.  Currently, there are a couple of ways to weigh in: the Social Network Users’ Bill of Rights site allows you to vote on the individual rights, and you can also vote for or against the entire bill via Twitter.  It would be great to have additional voting on other social network sites like Facebook, MySpace, Reddit to give the citizens of those “countries” a voice.
  • collaborate with with groups like the Global Network Initiative, the Internet Rights and Principles Coalition, the Social Charter, and the Association for Progressive Communications that support similar principles
  • follow Gabrielle Pohl’s lead and translate into multiple languages to build awareness globally.
  • take a more active approach with media outreach to call more attention to the campaign.  #privchat, the weekly Twitter chat sponsored by Center for Democracy and Technology and Privacy Camp, is natural hub for the discussion.

Meanwhile, here are some ways you can express your views:

 

ZIP ruled personally identifying in California

From CNN this surprising story:

California's high court ruled Thursday that retailers don't have the right to ask customers for their ZIP code while completing credit card transactions, saying that doing so violates a cardholders’ right to protect his or her personal information.

Many retailers in California and nationwide now ask people to give their ZIP code, punching in that information and recording it. Yet California Supreme Court's seven justices unanimously determined that this practice goes too far.

The ruling, penned by Justice Carlos Moreno, overrules earlier decisions by trial and appeals courts in California. It points to a 1971 state law that prohibits businesses from asking credit cardholders for “personal identification information” that could be used to track them down.

While a ZIP code isn't a full address, the court's judgment states that asking for it — and piecing that 5-digit number together with other information, like a cardholder's name — “would permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly, (therefore) ‘end-running’” the intent of California state laws.

“The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction,” the decision states. “We hold that personal identification information … includes the cardholder's ZIP code.”

Bill Dombrowski, president of the California Retailers Association, said it is “ironic” that a practice aimed partly at protecting consumers from fraud is being taken away.

“We think it's a terrible decision because it dramatically expands what personal information is, by including a ZIP code as part of an address,” Dombrowski said. “We are surprised by it.”

The court decision applies only in California, though it reflects a practice that is increasingly common elsewhere. It does not specify how or if all businesses that take credit cards, such as gas stations, would be affected — though it does state that its objection is not over a retailer seeing a person's ZIP code, but rather recording and using it for marketing purposes.

The discussion began with a June 2008 class-action lawsuit filed initially by Jessica Pineda against home retailer Williams-Sonoma.

In her suit, Pineda claimed that a cashier had asked for her ZIP code during a purchase — information that was recorded and later used, along with her name, to figure out her home address. Williams-Sonoma did this tapping a database that it uses to market products to customers and sell its compiled consumer information to other businesses.

Pineda contended the practice of asking for ZIP codes violates a person's right to privacy, made illegal use of her personal information and gave a retailer, like Williams-Sonoma, an unfair competitive advantage.

Williams-Sonoma claimed that a ZIP code doesn't constitute “personal identification information,” as stated in the 1971 state law.

The state supreme court ruling, only addressing the “identification information” issue, determined that a ZIP code should be protected, since the law specifically mentions protecting a cardholder's address. The court concluded requesting a ZIP code is not much different than asking for a phone number or home address.

It is not illegal in California for a retailer to see a person's ZIP code or address, the ruling notes: For instance, one can request a customer's driver's license to verify his or her identity. What makes it wrong is when a business records that information, according to the ruling, especially when the practice is “unnecessary to the sales transaction.”

In reversing the Court of Appeals judgment, the supreme court remanded the case back to a lower court to order specific changes and policies “consistent with this decision.”

The important thing here is that the Court understood a very nuanced technical point: although the ZIP is not in itself personally identifying, when used with other information such as name, the ZIP becomes personally identifying.  Understanding the privacy implications of such information combinations is key. I think there is much wisdom in the Court recognizing that this is a defining issue.

In terms of industry reaction, the notion that recording our ZIP protects us is totally ludicrous and shows to what extent we are in need of stronger privacy-protecting identity solutions like U-Prove. The logic of the California Retailers Association is pathetically convoluted – will someone please give these people a consultant for Christmas?

My thanks to Craig Wittenberg for the heads up on this story. He saw it as a sign that minimal disclosure laws already exist in the US…

That's an interesting idea. One way or the other, it is extremely important to get harmonization on this kind of question across business jurisdictions.  Looking at cases like this one, I have a feeling harmonization might possibly take “quite a while” to achieve…

From CardSpace to Verified Claims

Last week Microsoft announced the availability of Version 2 of the U-Prove Technology Preview.

What’s new about it?

The most important thing is that it offers a new, web-oriented user experience carefully tailored to helping people control the release of “verified claims” while protecting their privacy.  By verified claims I mean things that are said about them as flesh-and-blood people by entities that can speak, at least in certain contexts, with authority. By protecting privacy I mean keeping information released to the minimum necessary, and ensuring that the authority making the claims – for example a government – is not able to track and profile the way your information is used.

The system takes a number of the good ideas from CardSpace but is also informed by what CardSpace didn’t do well. It doesn’t require the installation of new components on your computer. It works on all the major browsers and phones. It roams between devices. Sites don't have to worry about users “getting a card” before the system will work. And it allows claims providers and relying parties to shape and brand their users’ experiences while still providing a consistent interface for claims approval.

In other words, it represents a big step forward for protecting privacy using high value credentials to release claims.

A focused approach

When it comes to verified claims, the “U-Prove Agent” goes beyond CardSpace.  One way it does this is by being highly focused and integrated into a specific type of identity experience. I’ll be posting a video soon that will help you get a concrete sense of why this works.

That focus represents a change from what we tried to do with CardSpace.   One of the key goals of CardSpace was to provide a “generalized solution” – an alternative to the “patchwork quilt” of what I called “identity kludges” that characterize peoples’ experience of identity on the Internet.

In fact I still believe as much as ever that a “generalized solution” would be nice to have. I would even go so far as to say that a generalized solution is inevitable – at some point in time.

But the current chaos is so vast – and peoples’ thinking about it so fractured – that the only prudent practical approach is to carve the problem into smaller pieces. If we can make progress in some of the pieces we can tie that progress together. The U-Prove Agent for exchange of verified claims is a good example of this, making it possible to offer services that would otherwise be impossible because of privacy problems.

What about CardSpace?

Because of its focus, the U-Prove agent isn’t capable of doing everything that CardSpace attempted to do using Information Cards.

It doesn’t address the problem of helping users manage ALL their identities while keeping them separate. It doesn’t address the user problems of password fatigue, phishing and pervasive “secret questions” when logging into consumer web sites.  It doesn’t solve the famous “home realm discovery problem” when using federation. And perhaps most frustrating when it comes to using devices like phones, it doesn’t give the user a simple way to pick their identities from a set of visual representations (icons or cards).

These issues are all more pressing today than they were in 2006 when CardSpace was first proposed. Yet one thing is clear: in five years of intensive work and great cross-industry collaboration with other innovators working on Apple and Linux computers and phones, we weren’t able to get Information Cards onto the radar of the big web properties users depend on.

Those properties had other priorities. My friend Mike Jones put it well at Self-Issued:

“In my extensive experience talking with potential adopters, while many/most thought that CardSpace was a good idea, because they didn’t see it solving a top-5 pain point that they were facing at that moment or providing immediate compelling value, they never actually allocated resources to do the adoption at their site.”

Regardless of why this was the case, it explains why last week Microsoft also announced that it will not be shipping CardSpace 2.0.

In my personal view, we all certainly need to keep working on the problems Information Cards address, and many of the concepts and technologies used in Information Cards should be retained and evolved. I think the U-Prove team has done a good job at that, and provides an example of how we can move forward to solve specific problems. Now the question is how to do so with the other aspects of user-centric identity.

Over the next while I’m going to do a series of posts that explore some of these issues further – drawing some lessons from what we’ve learned over the last few years.  Most of all, it is important to remember what great progress we’ve made as an industry around the Identity Metasystem, federation technology, and claims-based computing. The CardSpace identity selector dealt with the hardest and most forward-looking problems of the Metasystem:  the privacy, security and usability problems that will emerge as federated identity becomes a key component of the Internet.  It also challenged industry with an approach that was truly user centric.

It's no surprise that it is hardest to get consensus on forward-looking technologies!  But meanwhile,  the very success of the Identity Metasystem as a whole will cause all the issues we’ve been working on with Information Cards to return larger than life.

 

Vittorio's new book is a must-read

Vittorio's new bookIf you are a programmer interested in identity, I doubt you'll find a more instructive or amusing video than this one by Vittorio Bertocci.  It's aimed at people who work in .NET and explores the Windows Identity Foundation.   I expect most programmers interested in identity will find it fascinating no matter what platform they work on, even if it just provides a point of comparison.

And that brings me to Vittorio's new book:  Programming Windows Identity Foundation.  I really only have one thing to say about it:  you are crazy to program in WIF without reading this book.  And if you're an architect rather than a coder – but still have a sense of reading code – you'll find that subjects like delegation benefit immensely from the concrete presentation Vittorio has put together.

I have to admit to being sufficiently engrossed that I had to drop everything I was doing in order to deal with some of the miniature brain-waves the book induced.  

But then, I have a soft spot for good books on programming.  I'm talking about books that have real depth but are simple and exciting because the writer has the same clarity as programmers have when they are in “programming trance”.  I used to even take a bunch of books with me when I went on vacation - it drove my mother-in-law nuts.

I'm not going to try to descibe Vittorio's book – but it really hangs together, and if you're trying to do anything original or complex it will give you the depth of understanding you need to do it efficiently.  Just as important, you'll enjoy reading it.