Day: February 14, 2005

Mark Wahl has written to clarify the difference between the ScanPak RFIDs mentioned in my earlier piece and typical passive tags. He says the ScanPak press release mentions they have a read range of up to 200 meters and that the RF tag is “powered by two parallel lithium coin cells.”

These are active tags: they contain their own power source. In contrast, a passive tag does not contain batteries, it obtains power from from the reader, and generally could not be reliably accessed over such a distance. A tag that is intended to be read only from a few, well-defined locations such as a passing through a doorway, or a tag that is intended to be attached to a low-value consumer item, would likely be a passive tag.

Thanks for the heads up, Mark. It looks like hackers will have to get up out of the Food Court and head right on in to the stores.

Still, experts are routinely quoted as saying the range of passive RFID devices is being significantly extended by new reader and antenna technology. For example:

But what about a more powerful RFID reader, created by criminals or police who don't mind violating FCC regulations? Eric Blossom, a veteran radio engineer, said it would not be difficult to build a beefier transmitter and a more sensitive receiver that would make the range far greater. “I don't see any problem building a sensitive receiver,” Blossom said. “It's well-known technology, particularly if it's a specialty item where you're willing to spend five times as much.”

You can build quite a transciever for the price of a Comme des Garcons outfit.

And strangely, the RFID components used by the Britton School District were the size of a “roll of dimes” – meaning they could easily be Active tags.

Chris Ceppi has picked up and extended an interesting piece by Stefan Brands where he uses a transportation analogy to classify personal digital identity systems such as FOAF and LID as bicycles whereas SAML and Liberty are jet planes. Chris goes on to say:

Under this taxonomy, I see LID as a unicycle – novel, but impractical and limited to people with a very specialized set of skills. As has been dissected in numerous other places (most expertly at Burningbird), LID's dependence on URLs as an identifier misses the mark in a number of ways – like a unicycle, LID is just not a useful way to get around.

SXIP would then be a Cessna – complex enough (with its hosted identities and 3rd party assertions) that you need a pilots license to use it, but not rigorous enough for a broad set of air travel requirements (e.g. SXIP is not based on standards).

SAML and Liberty as they have currently been implemented might be considered the space shuttles of identity.

I'm not sure I buy this taxonomy – I think several of the systems have a lot to offer – but it is really amusing. And I do buy Chris’ conclusions – we have work to do in getting to a unifying metasystem.

William Heath of Ideal Government has been thinking and talking with colleagues in the United Kingdom about what we have called the Law of Control:

Technical identity systems MUST only reveal information identifying a user with the user's consent.

He writes:

Kim's laws (as well as Liberty Alliance and the state-of-the-art identity debate) take shape in a crucible of US-based entrpreneurial creativity. This is principally and primarily business and consumer focussed. Just like every other aspect of IT it needs a bit of a stretch and a rethink when we come to apply it to public services.

Imagine we get arrested (for a crime of conscience, eg deliberate trespass on a foreign military base). We don't control the process as our identity details are taken by the police and passed to court to prison to probation services. Yet we may accept collectively that institutions within a democratically elected government have the right to do this to one of us. In this sense “collective consent” (or just “consent”) might be a closer expression of what we mean than “control”. So I'm not entirely comfortable with it being called the law of control.

I'm aware of the inevitable limitations of our perspective, although I confess to having many friends and collaborators in the public service. My limitations make me deeply interested in the perspectives of people like William, so I look forward to reaching a mutual understanding on these issues.

William is discussing the relations between the individual and the institutions of democracy, which operate just as he describes, and owe their endurance to deep collective consent.

I'm not sure what this has to do with the Law of Control, which discusses the relation between the computer user and her technical identity system.

Let's leave the name aside for a moment, and concentrate on the content of the law itself.

Would those in the public services rather have it read, “Technical identity systems MUST only reveal information identifying a user with the user's consent – or that of the state”? And if not this formulation, what would they like to see expressed?

I think one way to look at it is to say that the individual controls her identity system – even if under certain circumstances the state may control the individual.

But I am open to the idea that there is more to it than this, and am waiting to hear what William has in mind.

Jamie Lewis has caught a good one here:

According to this story on SFGate.com, the Brittan School District — a small district in California — in January began requiring all students to wear RFID-enabled badges that monitor their whereabouts on campus. The district has 587 kindergarten through eighth-graders who now have the privilege of being “the first public school kids in the country to be tracked on campus by such a system.” The story says the system “is designed to ease attendance taking and increase campus security.” The school district did this without involving the parents, many of whom are now raising a ruckus. How many ways does this system violate Kim's laws of identity?

It's strange – I was just catching up on RFID progress myself… But this is a really nutso development. Do you think one day products will need to carry a tag that says ‘Compliant with the laws of identity’? That would sure cut down on embarassing public pronouncements.

Of course, we know that the reaction of the outraged parents was totally predictable through the first law of identity (which states that people will tend to reject identity systems which do not obtain consent about the release of identity information). There has so far been no explicit reaction to the improper use of omnidirectional identifiers (an equal or worse offense in Identity Court), but that seems to be because criminals have just begun to take advantage of the technology. Those of us who think about this know it is only a matter of time before we witness some very bad outcomes.

“It's baffling why so many people are bothered by the district being able to tell them where their kids are at,” said Tim Crabtree, a high school teacher who said he hoped the technology would come to his classroom.

I like the word ‘baffling’ as used here.

Seven classrooms were equipped with the readers, as were two bathrooms. The bathroom readers were never turned on, according to school and company officials, and were removed Wednesday by InCom because of objections by parents.

Yes, bathrooms are very important. Of course administrators often fit them with sensors and never turn them on.

InCom has also disabled its system and deleted data it has collected to date. Readers have been turned off until the board reaches a decision next week.

I can hardly wait to see what the outcome will be. The RF readers have been turned off – but not the tracking badges themselves, which I assume continue to emit omnidirectional “public” identifiers when queried.

Developers of the system say parents concerned over privacy violations don't understand the short range of radio frequency identification devices.

“The tags physically can't be read from a long distance,” said Doug Ahlers, an InCom partner.

I wonder what distance the developers are quoting. It wouldn't be 15 feet by any chance, would it? Seems like not many people follow radio technology and advanced antenna design these days.

I would like to brainstorm with the InCom partners about what could be done to bring their system into compliance with the laws of identity. If anyone knows them, why not introduce us?

Bill Barnes suggested it might be possible to simplify the 7th law to this:

The unifying identity metasystem must make it easy for humans to make fully informed identity choices in the course of interacting with relying parties.

I see this as an important practical corollary of the law. But the law implies more.

• First, we need a system in which different identities (and kinds of identities) are reified (represented as “things”) in a consistent way, so the user can easily conceptualize and enumerate different identities, and select the right one for a given context. So from the point of view of the user the identities need to represent a harmonious set.
• Second, the relying party should be able to switch between different kinds of identities as needed with no technical or programming overhead, even if the identities are based on completely different technical systems and tokens – so from the point of view of the relying party, the identities again constitute a harmonious set

Thus we say:

The unifying identity metasystem MUST facilitate negotiation between a relying party and user of a specific identity – presenting a harmonious human and technical interface while permitting the autonomy of identity in different contexts.