ID Cards – UK's high tech scheme under the microscope

People who've followed this blog for a while know that I'm very interested in the debate around government-issued ID cards currently taking place in Britain. Like Americans, Britons aren't used to compulsory ID cards. The proposed British scheme is based on a single universal identifier used across all government contexts and possibly across commercial applications as well. It is tied to a central database and audit log intended to track all uses of citizen identity information. And the scheme would concentrate a great deal of information – including biometric data – in a single place, and then make it widely available to government employees and systems.

These factors taken together have already resulted in significant criticism, skepticism and frustration. The famous London School of Economics has recently produced the final version of a study by 100 of the country's top academics and experts. Those interested in identity issues will likely want to take a good long look at it. The report is hard hitting. It's well written. And it makes a number of technical points with great clarity. Don't miss it.

Some have been critical of the LSE report for being too “engaged”. That's because it attempts to estimate the cost of deployment of the government proposal. The authors claim British citizens will need to shell out 300 to 500 American dollars each for the compulsory ID cards and passports – a tax holiday in reverse!

Whatever the price tag turns out to be, there is no doubt that it would have been infinitely better to define a system which made people feel secure about the privacy of their identity information.

Here's how the LSE describes its report:

The likely cost of rolling out the UK government's current high-tech identity cards scheme will be £10.6 billion on the ‘low cost’ estimate of researchers at the London School of Economics and Political Science (LSE), without any cost over-runs or implementation problems. Key uncertainties over how citizens will behave and how the scheme will work out in practice mean that the ‘high cost’ estimate could go up to £19.2 billion. A median figure for this range is £14.5 billion.

If all the costs associated with ID cards were borne by citizens (as Treasury rules currently require), the cost per card (plus passport) would be around £170 on the lowest cost basis and £230 on the median estimate…

The LSE report The Identity Project: an assessment of the UK Identity Cards Bill and its implications is published today (27 June) after a six month study guided by a steering group of 14 professors and involving extensive consultations with nearly 100 industry representatives, experts and researchers from the UK and around the world. The project was co-ordinated by the Department of Information Systems at LSE.

The LSE report concludes that an ID card system could offer some basic public interest and commercial sector benefits. But it also identifies six other key areas of concern with the government's existing plans:

  • Multiple purposes: Evidence from other national identity systems shows that they perform best when established for clear and focused purposes. The UK scheme has multiple rather general rationales, suggesting that it has been ‘gold-plated’ to justify the high tech scheme. For example, the government estimates that identity fraud crimes may cost up to £1.3 billion a year, but only £35 million of this amount can be addressed by an ID card.
  • Will the technology work? No scheme on this scale has been undertaken anywhere in the world. Smaller and less ambitious schemes have encountered substantial technological and operational problems that are likely to be amplified in a large-scale national system. The use of biometrics creates particular concerns, because this technology has never been used at such a scale.
  • Is it legal? In its current form, the Identity Cards Bill appears to be unsafe in law. A number of elements potentially compromise Article 8 (privacy) and Article 14 (discrimination) of the European Convention on Human Rights. The government may also be in breach of law by requiring fingerprints as a pre-requisite for receipt of a passport. The report finds no clear case why the ID card requirements should be bound to internationally recognized requirements on passport documents.
  • Security: The National Data Register will create a very large data pool in one place that could be an enhanced risk in case of unauthorized accesses, hacking or malfunctions.
  • Citizens’ acceptance: An identity system that is well-accepted by citizens is likely to be far more successful in use than one that is controversial or raises privacy concerns. For example, it will be critical for realizing public value that citizens want to carry their ID cards with them and to use them in a wide range of settings.
  • Will ID cards benefit businesses? Compliance with the terms of the ID cards Bill will mean even small firms are likely to have to pay £250 for smartcard readers and other requirements will add to the administrative burdens firms face.

The LSE report concurs with 79 out of the 85 recommendations made by the House of Commons Home Affairs Committee in its report on the draft Identity Cards Bill. Following up suggestions there and coming from industry and academic experts, the LSE team also set out an alternative ID card scheme that would still incorporate biometrics, but would be simpler to implement and radically cheaper. The LSE alternative ID card would also give citizens far more control over who can access data about them, and hence would be more likely to win positive public and industry support.

Dr Gus Hosein, a fellow in the Department of Information Systems at LSE, said: ‘We have proposed an alternative model that we believe to be cheaper, more secure and more effective than the current government proposal. It is important that Parliament gets the chance to consider a range of possible models before the ID Cards Bill is passed. Even if government figures were correct, the costs of the government scheme are disproportionately higher than the scheme's ability to protect the UK from crime, fraud or terrorism.’

Professor Patrick Dunleavy, Professor of Political Science and Public Policy at LSE, said: ‘This report is not an argument for or against ID cards, but an impartial effort to improve the evidence base available to Parliament and the public. The Home Office currently officially suggests that ID cards will cost around £6 billion to implement over ten years, but it has not yet justified this estimate in detail. By contrast, we recognize considerable uncertainties ahead with such a novel, high tech scheme and we show how these uncertainties might affect costings.’

To download the executive summary, see http://is.lse.ac.uk/idcard/identitysummary.pdf
To download the full report (approx 300 pages), see http://is.lse.ac.uk/idcard/identityreport.pdf

I'm still travelling in Europe and too jet-lagged to comment as fully as might otherwise be the case. Stefan Brands, a cryptographer specializing in privacy who has contributed ideas to the report (and to this blog), pulls out key points here, here, here and, of course, here.

The red herring of data protection

OK. Just when I thought I was on top of Eric's new posting regimen, he has to publish this – not on ping, this time, but on cnet!

The numbers have been staggering: 145,000; 13.9 million; 40 million.

I'm speaking, of course, about the recent rash of data loss–the innocuous term for millions of accounts containing personal data being exposed to the wrong eyes. Whether it's MasterCard, ChoicePoint, LexisNexis, Bank of America, Wachovia, Stanford University or the University of California at Berkeley, the rapid expansion of this problem is stunning.

The reasons for the data loss are all over the map, ranging from physical tapes lost in transit, to hackers, and even malicious insiders. And of course, there is always the ever-present bogey of bad network security practices.

We're told the solution is to embrace better network security, better encryption, better corporate safeguards and better “data protection.” Of course, all of these proffered solutions are a bit specious, since they're always accompanied by the corporate lawyer caveat: “We cannot guarantee that this won't happen again.”

All of this will ultimately result in some bloated piece of federal legislation around data privacy and protection that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?

I don't think so.

This isn't really a question of data loss, data protection or data safeguarding. That, my friends, is a red herring. The real question is why corporations need to store all of this personal data in the first place. Why does my credit card company need to store my social security number? Why does Amazon need to store my credit card number? Why shouldn't every company store only what I tell them they can store? And why shouldn't the data that they store be as little as they possibly need to conduct business?


Possible future directions
Federated identity is an infrastructure that makes security follow the transaction. It does this by making the identity associated with the transaction “portable” across heterogeneous security domains. The identity metasystem is a newer concept, one that bubbled forth from community conversations around Kim Cameron's Web log.

In brief, the identity metasystem is a conceptual backplane that would allow individuals to have control over which attributes or claims are presented and stored about them. This could be anything from a birthday to a credit card number to a favorite color. What we're really talking about is a framework for individual control and presentation of identity data. Taken together, federated identity (the infrastructure) and the identity metasystem (the control and presentation) would give individuals control over their digital identity in ways that have so far eluded them.

When I buy something from Amazon, it asks for, receives and stores my credit card number. In a future of federated identity and the identity metasystem, I would grant permission to seek a one-time use of my credit card. This permission could be presented to my credit card company, which could then charge my account. Amazon would no longer have a need to store (or even see) my credit card number.

This future would be a lot closer to a web of electronic commerce that protected both customers and companies. We would have actually moved toward solving the problems around personal data. In the meantime, however, we'll still hear a lot about data protection, corporate safeguards and legislative initiatives.

biography
Eric Norlin is vice president of corporate marketing at Ping Identity, a company focused on identity management.
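
The one-time permission described in the quoted article, sketched as an added example (not code from the article, from Ping Identity or from any payment network): the cardholder signs a grant bound to one merchant, one amount and a short expiry, and only the issuer can map it to a card. The shared HMAC key, the `account_ref` field and every name and value below are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values; none of them come from the article.
CARD_NUMBER = "4000-0000-0000-0002"  # constructed; known only to cardholder and issuer
USER_KEY = secrets.token_bytes(32)   # assumed secret shared by cardholder and issuer


def sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_grant(key, account_ref, merchant, amount_cents, ttl=300, now=None):
    """Cardholder: sign a single-use permission for one merchant and one amount."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({
        "account_ref": account_ref,  # opaque reference, not the card number
        "merchant": merchant,
        "amount_cents": amount_cents,
        "expires": now + ttl,
        "nonce": secrets.token_hex(16),
    }, sort_keys=True)
    return {"payload": payload, "tag": sign(key, payload)}


class Issuer:
    """Card company: the only party able to map account_ref to a card number."""

    def __init__(self):
        self.accounts = {}        # account_ref -> (key, card_number)
        self.used_nonces = set()  # replay protection
        self.ledger = []          # (card_number, merchant, amount_cents)

    def enroll(self, account_ref, key, card_number):
        self.accounts[account_ref] = (key, card_number)

    def charge(self, grant, merchant, amount_cents, now=None):
        now = int(time.time()) if now is None else now
        payload = str(grant.get("payload", ""))
        tag = str(grant.get("tag", ""))
        try:
            body = json.loads(payload)
            key, card = self.accounts[body["account_ref"]]
            bound_to = (body["merchant"], body["amount_cents"])
            expires, nonce = int(body["expires"]), str(body["nonce"])
        except (KeyError, ValueError, TypeError):
            return "rejected: malformed grant"
        # Verify the signature before acting on any field of the grant.
        if not hmac.compare_digest(sign(key, payload).encode(), tag.encode()):
            return "rejected: bad signature"
        if bound_to != (merchant, amount_cents):
            return "rejected: merchant or amount mismatch"
        if now > expires:
            return "rejected: expired"
        if nonce in self.used_nonces:
            return "rejected: already used"
        self.used_nonces.add(nonce)
        self.ledger.append((card, merchant, amount_cents))
        return "approved"


class Merchant:
    """Stores only the grant and the issuer's answer, never a card number."""

    def __init__(self, name, issuer):
        self.name, self.issuer, self.orders = name, issuer, []

    def checkout(self, grant, amount_cents, now=None):
        result = self.issuer.charge(grant, self.name, amount_cents, now)
        self.orders.append({"grant": grant, "amount_cents": amount_cents, "result": result})
        return result


if __name__ == "__main__":
    issuer = Issuer()
    issuer.enroll("acct-7f3a", USER_KEY, CARD_NUMBER)
    shop = Merchant("bookshop.example", issuer)
    grant = make_grant(USER_KEY, "acct-7f3a", shop.name, 2599)
    print(shop.checkout(grant, 2599))        # first use of the grant
    print(shop.checkout(grant, 2599))        # replay of the same grant
    print(CARD_NUMBER in str(shop.orders))   # what a breach of the merchant would expose
```

A copy of the merchant's order table yields spent grants only, which is the reduction in stored data the article argues for.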

Eric caught reading techie talk

Speaking of which, Eric Norlin has belied his marketing nonchalance by admitting he's reading a blog intended for… true techies!

This is an interesting weblog for our true techie-readers out there: A weblog written by a Microsoft employee that is devoted (apparently) to the technical implementation of weblogs.

I think he maybe meant “technical implementation of InfoCards” rather than “technical implementation of weblogs” – but hey, InfoCards will soon be used in Weblogs, right?

Quoting:
Ready, set, go…

Once you complete the WinFX Runtime installation, you’re ready…

1. First, you must start “InfoCard Service” manually; you could use the command prompt: net start "InfoCard Service".
Note: this is Beta 1 behavior. In a subsequent beta release, it’s very likely that you don’t have to worry about starting the InfoCard Service anymore.

2. Go to control panel, you will see a new control applet, called “Digital Identities” – double click it.

3. You will see the InfoCard Management UI. I’m going to warn you that this is a ‘wire frame’ UI, it is enough to get basic ideas across, but it is nowhere close to the final UI, and it will be radically different in a subsequent beta release, so please don’t read too much into this.

I gotta say – this sure is snappier than my description – thanks Eric.

An SNL Skit? Onion headline?

Eric Norlin seems to be blogging on the Digital ID World site as well as his own site. I'm checking into what he's posting where and will let you know. Whatever the story, here's a post after my own heart:

I'm sorry, but reading the first paragraph of this story made me think that maybe I was reading the Onion, or watching Saturday Night Live:

“Credit card users, don't fret. Only a small fraction of the 13.9 million credit cards accounts at MasterCard exposed to possible fraud were considered at high risk, the company said Saturday.”

Only a “small fraction” of the 13.9 million accounts were at “high risk”? Were the rest at “medium risk”? And what – *exactly* – is “medium risk” in Mastercard terms? Is “medium” risk equivalent to Defcon 3? If so, is “high” risk equivalent to mutually assured destruction?

The equivocation in this opening paragraph is a wonderful example of a huge PR budget at work. Congratulations to Mastercard. Of course, with the frequency of data loss these days, this all just seems commonplace now (“OOPS! we lost 13.9 *million* account numbers – sorry – hehehehe”).

Yes, I like the idea of sending the PR team responsible for this to do a year at SNL – though I think we need them to stay on at MasterCard too – just in case they are needed there as well.

CardSystems appointed Professor of Identity

When I presented the Laws of Identity at the DIDW conference, someone asked how we would “enforce the laws”. I tried to explain that the laws are not what Bob Blakley calls “desiderata” – things that we would like to see. They are the objective characteristics of an enduring identity system at Internet scale.

Timothy Grayson of Recursive Progress has written very eloquently about how CardSystems has served as his teacher in this regard:

A while back, I took aim at The Laws of Identity with a critique that missed the mark, I'm sure, because I opted (well, truly, I had no choice) not to evaluate it through the lens of a technologist. One of my comments in regard to Law 2: Minimal Disclosure for a Constrained Use was:

I think that minimal disclosure for a constrained use is essential for privacy and user control, which, presumably, is what drives Law no. 2. The statement, “There is no longer the possibility of collecting and keeping information ‘just in case’ . . .” [emphasis mine] is, however desirable and logical an outcome of a need-to-know minimal distribution of information, not part of technical mechanics. It is, as everyone doubtlessly knows, a matter of policy and practice. Somewhere I read not all that long ago that two of the non-obvious forces that are driving the creation of massive directories and databases — about people — are that (a) thanks to computing capability it's easy to accumulate rich records over time and (b) thanks to cheap storage there's no disincentive to keep accumulating information. These together with the underlying belief that “information is power” and all the other marketing and security-driven forces for creation of directories may be a little bit more than the principle of minimal disclosure can overcome, methinks.

Today, MSNBC (among others) is carrying a story about data mishandling by a credit card processing firm in Atlanta (Processing firm: Credit card data mishandled – Consumer Security). This situation speaks to digital identity generally, and at least from one angle to Law 2. Here's the money quote to support my earlier statement:

He [John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., which was hacked] said the data was being stored for “research purposes” to determine why some transactions had registered as unauthorized or uncompleted. “We should not have been doing that,” Perry said in Monday's editions of The New York Times.

Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.

“CardSystems provides services and is supposed to pass that information on to the banks and not keep it,” Joshua Peirez, a MasterCard official, told the Times. “They were keeping it.”

Oops. Broken law. Technology — architecture or otherwise — may or may not have been able to avoid it.

Durand on User Centricity

Here's some more interesting thinking by Andre Durand – CEO of Ping.

Bryan, David and a few others over here in Pingland were kicking around some afternoon whiteboarding ideas on InfoCards. Figured since I'm getting back into my bloghead, I'd start posting a bit more…

  1. It centers on the user. Users rule.
  2. It can stop Phishing attacks cold — as we know them today
  3. It’s better than Gator-like utilities or IE’s auto formfill for new account registration
  4. It provides users with the convenience of SSO
  5. It eliminates the need to manage weak passwords
  6. It’s a branding opportunity for 3rd party Identity Providers
  7. And of course, the client will be built into every Windows desktop

Challenges to overcome…

  • How to roam and maintain your InfoCards
  • How to recover if something bad happens to your computer
  • How to enable InfoCards on other operating systems
  • How to streamline the 1st time user experience

Implications

  • Existing consumer-facing (external) federation use-cases will be displaced by user-mediated exchanges of attributes between IdP’s and SP’s

A battle will ensue between companies looking to become the branded (most trusted) identity providers

All Andre's challenges represent opportunities to contribute to the ecosystem. For example, roaming provides opportunities for smart card manufacturers, USB donglemakers, people who build phones (or software that runs on them) and web service operators. And so on for the other challenges. More about these as we go forward.

I agree with Andre's “implications” point: the proposal puts the user front and center, and thus rebalances the federation equation. This is bound to be unsettling to some – until it is understood that the new formula raises all the components of the previous equation to a higher power.

Andy's InfoCard Blog

Andy Harjanto, one of my really good friends at Microsoft, has just started Andy's InfoCard Blog – specifically dedicated to helping people understand and work with Microsoft's “InfoCard” Identity Selector and the Indigo programming environment. For those new to the discussion on this blog, an Identity Selector is a component of what we think of as an identity metasystem that works across platforms, vendors and technologies. It displays what we have codenamed “InfoCards”, that represent users’ relationships with identity providers, so that users can decide what identity to use with different “relying parties”.

Let me tell you a bit about Andy Harjanto. We've worked closely together since the early days of InfoCard thinking. Beyond the fact that he's absolutely great at what he does – making it all seem effortless – he has an amazing, hypnotising gentleness. So don't hesitate to contact him if you have problems of any kind trying out the Microsoft implementation.

His first posting tells you how to install our very early version (wireframe UI) of the “InfoCard” service for Windows. Because it is packaged with Indigo and Avalon, it's about a 30M download. I installed it on my Windows XP.

We didn't want to put up a public “relying party” site for this beta (we will do this later in the process when we have a more realistic UI and want a wider audience involved.) So you need to download Visual Studio Express (I think that was about another 35M) in order to try out a “hello world” application.

One of the best reasons to try it out is to see how the identity selector integrates with the new Indigo WS programming environment. And don't worry. You don't have to get into gobs of details to try things out. It's very simple and you can stay at a high level.

Please note that the first beta only supports self-asserted identities (the next one will add managed cards for third party providers). And the UI is nothing like the final product – and doesn't show off the privacy features. But the beta does demonstrate our use of the protected subsystem, private desktop and WS-Trust – all the really hard underlying technical issues. One of our top goals is to keep everyone in the industry informed about what we are working on, demonstrating how easy it will be to take advantage of this technology from other platforms. We also want Windows developers to start understanding the technology and thinking about applications based on identities.

Andy is publishing a guide that shows how to write a tiny relying party service and a “hello world” client application that wants to connect to it. The demo shows what you need to do to configure the relying party to accept InfoCards (namely change a few lines in the service's configuration file).

I believe we can get to the point where accepting “InfoCards” is just a matter of configuring your web service (already the case in Indigo), or adding a few tags to your web page – if people building web servers want to do it. So, I need to get back to work.

Phil Windley at Between the Lines

Dan Farber and David Berlind, quintessential professionals, have made Between the Lines an indispensable source of information for all of us who follow IT issues. Now they seem to have recruited Phil Windley, a leading expert on digital identity, who contributed this posting. By the way, the pantheon they have assembled also includes legend Steve Gillmor.

Over at the IT Garage, Doc Searls goes through some history of Microsoft's InfoCard initiative and asks some good questions. InfoCard is an identity metasystem that Doc correctly describes as a “barn raising project” led by Microsoft. Kim Cameron, Microsoft's chief identity architect, believes that Microsoft has an important role to play in enabling identity, rather than seeing it as a revenue center. That's a good start and Kim has played the politics (both inside and outside of Microsoft) well with his seven laws of digital identity.

InfoCard is based on Web services. No surprise there–Microsoft has been a consistent proponent of Web services (at least for everyone else) and some of the standards provide the exact behavior that the identity metasystem needs. Most important among those are SOAP, WS-Security, WS-Policy, and WS-Trust (along with attendant standards). While Microsoft intends to build and offer all of the required components–including the Longhorn embedded client (called a “selector”), the identity provider (IP), and relying party (RP) pieces–the architecture is open and others, including open source projects, will be able to build interoperable components as well.

Doc asks two questions. The first: Does the metasystem require adoption of SOAP and the whole WS-* suite of protocols (or whatever those are) … or something much less than that? The second: What will it take to get open source developers, and the rest of the non-Microsoft world, to adopt and deploy stuff that works within the metasystem?

The first question is easier to answer than the second, since I'm not sure anyone really knows what it takes to get a community to form around an idea in open source land. Even so, I'm convinced that if Microsoft does what they say they will, the open source community will build components if for no other reason than the fact that they will have to to participate in the identity environment that will grow up around the standard Microsoft creates.

But does this require SOAP and the WS-* stack? Is there a RESTful equivalent? Not as currently constituted, as far as I can tell, but that doesn't mean there couldn't be one in the future. The problem is that things like WS-Policy and WS-Trust aren't just things people did because they were bored, there are real issues surrounding things like how you tell someone what security tokens you accept and how to exchange the token you have for one that will work. There's no RESTful equivalent. REST is almost defined by not having these kinds of standards and yet, without them, we're left to invent 20 different ways of stating metadata about a service and hoping that the market can sort it out.

I've done my share of throwing rocks at the seemingly unending proliferation of WS-* standards, but let's face it, sometimes you need things like that. For example, I think the development of RESTful intermediaries has been significantly hampered because there's no standard for service description.

I don't think all is lost, however. I believe that in the sense of Doc's barn-raising, there's a chance for the community that cares about digital identity and RESTful Web services to define an alternate REST-based interface to InfoCard and build it into their own versions of the IP and RP services. These services would have to support the WS stack interface as well. Using RESTful interfaces for these tasks should be feasible, but I haven't looked at the possibility in great detail.

Whether such an interface could survive and thrive would depend on many factors, not the least of which is whether an open source (or at least alternately sourced) version of the IP and RP services were widely adopted. Given the popularity of Amazon's RESTful service over its SOAP-based service, I think there's real hope that developers would take to it and build identity selectors that make use of it.

This will be a good vantage point from which to examine why the WS-Trust protocol is shaped the way it is. Of course we have a few more of the Microstandards to deal with before we get there.
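
A simplified model of the two jobs the quoted post assigns to WS-Policy and WS-Trust, added here as an illustration (not code from Microsoft, from InfoCard or from either specification): the relying party publishes which token it accepts, and a token service trades the token the user holds for one that satisfies that policy. It does not use the WS-* wire formats; the dictionary layout, the names and keys, and the HMAC standing in for real signatures are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed keys and names; none of them come from the original posts.
IDP_KEY = b"constructed-idp-key"  # assumed: shared by identity provider and token service
STS_KEY = b"constructed-sts-key"  # assumed: shared by token service and relying party

# Published by the relying party: which token it accepts and which claims it needs.
RP_POLICY = {
    "audience": "https://shop.example/",
    "token_type": "shop-access",
    "issuer": "sts.example",
    "required_claims": ["email"],
}


def seal(key, token):
    """Serialize a token and attach an HMAC tag (stand-in for a real signature)."""
    body = json.dumps(token, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key, sealed):
    """Return the token if its tag verifies under key, otherwise None."""
    body, tag = str(sealed.get("body", "")), str(sealed.get("tag", ""))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(body)


def exchange(sealed_in, policy):
    """Token service: trade an identity-provider token for one the policy accepts."""
    token = unseal(IDP_KEY, sealed_in)
    if token is None or token.get("issuer") != "idp.example":
        raise ValueError("incoming token is not from a trusted issuer")
    claims = token.get("claims", {})
    missing = [c for c in policy["required_claims"] if c not in claims]
    if missing:
        raise ValueError("cannot satisfy policy, missing claims: " + ", ".join(missing))
    return seal(STS_KEY, {
        "type": policy["token_type"],
        "issuer": "sts.example",
        "audience": policy["audience"],  # usable at this relying party only
        "subject": token.get("subject"),
        # Minimal disclosure: copy only the claims the policy asks for.
        "claims": {c: claims[c] for c in policy["required_claims"]},
    })


def rp_accepts(sealed, policy):
    """Relying party: accept only tokens that match its own published policy."""
    token = unseal(STS_KEY, sealed)
    return bool(
        token
        and token.get("type") == policy["token_type"]
        and token.get("issuer") == policy["issuer"]
        and token.get("audience") == policy["audience"]
        and all(c in token.get("claims", {}) for c in policy["required_claims"])
    )


def idp_login_token():
    """Constructed identity-provider token carrying more claims than the shop needs."""
    return seal(IDP_KEY, {
        "type": "idp-login",
        "issuer": "idp.example",
        "subject": "user-42",
        "claims": {"email": "alice@example.org", "birthdate": "1970-01-01"},
    })


if __name__ == "__main__":
    held = idp_login_token()
    print(rp_accepts(held, RP_POLICY))        # the token in hand is the wrong kind
    issued = exchange(held, RP_POLICY)
    print(rp_accepts(issued, RP_POLICY))      # the exchanged token satisfies the policy
    print(unseal(STS_KEY, issued)["claims"])  # only the required claim was passed on
```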

Mining for Memes

Jon Udell has responded to my question about whether his approach to meme-tracking could be used to determine whether the increased reporting of identity breaches was leading to desensitization or increased watchfulness:

Bruce Schneier wonders if the ongoing reports of identity loss are creating a boy-who-cried-wolf situation. Are people starting to tune this stuff out? And will that result in less pressure for reform?

Kim Cameron wonders whether or not the boy really is crying wolf:

Bruce's concept of an attenuation effect is pretty interesting. But I'm not sure it's true. I really get the feeling that the public is gaining a consciousness of these issues. That is a really big deal. The increased consciousness – and thus interest – may counteract attenuation. It would be interesting to see our friend Jon Udell do one of his meme studies to see if the attenuation is really happening. I'll ask him if it's possible.

What Kim is referring to is this posting about the ACLU Pizza screencast, which lots of people had seen before he had. While it's flattering to be considered some kind of meme mining expert, though, that's hardly the case. All I did was chart Bloglines and del.icio.us references to a single URL.

A variant of this approach has been around for a long time: mining the Usenet for occurrences of keywords. Via Nat Torkington's post on PHP's 10th anniversary I found this “memegraph” from Broward Horne, who's evidently been doing meme mining for a while.

These techniques are useful, but they only scratch the surface. I can imagine a methodology that uses correlated bundles of URLs and keywords. It would deliver historical views of references to the URLs, and occurrences of the keywords, across: the Usenet; the blogosphere; the online Old Media; and segmented slices of these: left/right, corporate/citizen, etc.

When you attempt this kind of thing, as I sometimes have, you pretty quickly run into a wall. Creating these bundles and slices is a speculative and iterative game. But when you're playing the game with web crawlers and screenscrapers, it's tedious. Each iteration takes a long time, and requires you to abuse your data sources.

What you'd really like to do is query the web's aggregation engines in a structured, high-volume way. When I've mentioned this before, the pushback has always been: “Why should they offer such services for free?” And my answer has been: “They shouldn't. Offering metered versions of such services is a huge business opportunity.”

In some cases, I'm told, these mining services are available on a partner basis. But they've yet to emerge into the mainstream, and I'd love to see that happen. It would unleash a flood of creative trend analysis. It would also be a fascinating study in the economics of web services. What kinds of queries can feasibly be offered? How can the quantity or resolution of results be tuned for tiered pricing? What kinds of queries can't be released into the wild because they're so strategic that they'd erode competitive advantage?

Meanwhile, of course, if I were a Microsoft architect or developer trying to understand trends affecting my technology or product, I'd hope that my company's own aggregation engine would support me with the kinds of data mining I'm envisioning. I wonder if it does?

I like Jon's no-nonsense approach. We should be treating aggregation engines as sensors to be monitored in a kind of realtime process control sense.

He's right. I would be able to do a better job with the toolset he describes. And his questions about Microsoft's aggregation engine are good ones. Time for me to go off and think.

Credit where it's due

Mary Branscombe of Britain's The Guardian posted an article today on the Identity Metasystem and “InfoCard” in which she accurately captures the essence of the technology (and the opportunity for the industry) and explains it clearly to her wide and important audience – all in just a few paragraphs.

Microsoft's InfoCard could integrate the internet's many different identity systems, resulting in a safer surfing experience for all. By Mary Branscombe

Thursday June 9, 2005
The Guardian

Can you tell the difference between a real email from PayPal, warning you that your credit card is about to expire, and a fake email asking for your bank account details? It is getting increasingly difficult, and a mistake could have unfortunate financial consequences. But Microsoft is working on an open system that could help: InfoCard. It is like keeping several credit cards in your wallet, along with your business card, your driving licence and a few membership cards; you can pick which to use if you need to prove who you are.

With InfoCard, the different cards have different amounts of information about your identity: one might have details of where you work, another could have your address or credit card details. And you know who is asking for the information.

Criminals are now using at least two techniques to steal ID: phishing and pharming. Phishing emails lure users to fake copies of banking and shopping websites where they type in their account details; these are used to break into accounts on the real site. Pharming uses viruses to redirect your web browser to fake sites.

But even if you go to what looks like a legitimate site, how do you know you are safe? Microsoft&#39s identity architect, Kim Cameron, says leaving the security interface up to individual websites is like “sheep going to a sheep farm operated by wolves: when you visit an evil site, you put yourself into a user experience 100% controlled by those assaulting you”.

The fundamental problem, says Cameron, isn't poor website security or naive users. It is that the net was not designed to cope with the question of who's who online. It has no framework for dealing with identity.

“In the early days, people improvised to get by: we ended up with a patchwork of ad hoc solutions,” he says. “But, unfortunately, no one can know for sure what's going on in any given interaction because every part of the patchwork behaves differently. What is safe and what is dangerous? What is real and what is scam? Who are you giving your information to when you type it into a browser? How do you know whether it is being intercepted? You have no way to evaluate the risks you are taking.”

Improving site security with a better password system, or a toolbar that checks you are at the right site, can't fix a general security problem. “There are excellent people working on these things, but they can't counter current threats without changing the way computers behave in a distributed fashion,” Cameron says. “We need to work together.”

Cameron's solution is an identity metasystem based on open Web Services (WS-*) standards, especially WS-Trust, which allows systems to securely “trade” one kind of security token for another, and the seven “laws of identity” he has thrashed out on his blog. The laws are about privacy and consent, disclosing as little information as possible and only for a good reason, putting the user in the driving seat (because otherwise people will ignore systems they don't like), and promoting multiple identity technologies run by multiple identity providers.

Cameron thinks any security architecture has to follow these principles if it is to succeed, but he isn't suggesting a single architecture, or a single identity system. He wants to keep existing identity systems, whether that's Active Directory or the Liberty Alliance standards, fit them together, and give them a consistent user interface. That way, you won't have to remember the quirks of individual sites to know you are in a safe place.

Unlike Passport, this isn't a system that Microsoft would run, or charge for, and it holds no personal information. Instead, websites plug their identity systems into the metasystem. John Shewchuk, an architect in Microsoft's distributed systems group, says: “Just like we put an abstraction over [a] file system, so we could have different kinds of hard drives, the identity metasystem bumps up the abstraction, so you can plug in lots of different kinds of systems. In the first version, InfoCard supports usernames and passwords, X.509 smart cards and other kinds of technologies, all in an integrated package.”

When you visit a website to buy a book or check your bank statement, or post a comment to a message board, you always see the same Identity Selector interface: on Windows, that is InfoCard. However, you won't provide the same information to every site. You could use an official ID issued by a government site or your ISP or your company, or an identity you have created yourself. You simply pick which InfoCard to provide. You also get to see the identity of the site you are visiting.

Microsoft isn't dictating the look of the InfoCards or the information on them. However, it does insist that logos are cryptographically verified, so users can be sure they are not forged.

For the system to work, it needs to cover more than just Windows. There will have to be Identity Selectors for Linux, Macintosh, mobile phones and any other devices used to browse securely. Microsoft has already demonstrated InfoCard working with an open source Java implementation on Linux, which gives Cameron hope that the industry will see this as more than just Passport 2.

“To me,” he says, “it demonstrates that innovative people can get into this and that it can truly be a cross-platform solution that transcends the usual faultlines of the industry.”

How can she do that? I guess five years as Senior Editor of the AOL UK Technology Channel gives you a pretty strong background…