Eric caught reading techie talk

Speaking of which, Eric Norlin has belied his marketing nonchalance by admitting he's reading a blog intended for… true techies!

This is an interesting weblog for our true techie-readers out there: A weblog written by a Microsoft employee that is devoted (apparently) to the technical implementation of weblogs.

I think he maybe meant “technical implementation of InfoCards” rather than “technical implementation of weblogs” – but hey, InfoCards will soon be used in Weblogs, right?

Quoting:
Ready, set, go…

Once you complete the WinFX Runtime installation, you’re ready…

1. First, you must start “InfoCard Service” manually; you could use the command prompt: net start "InfoCard Service".
Note: this is Beta 1 behavior. In a subsequent beta release, it’s very likely that you don’t have to worry about starting the InfoCard Service anymore.

2. Go to control panel, you will see a new control applet, called “Digital Identities” – double click it.

3. You will see the InfoCard Management UI. I’m going to warn you that this is a ‘wire frame’ UI, it is enough to get basic ideas across, but it is nowhere close to the final UI, and it will be radically different in a subsequent beta release, so please don’t read too much into this.

I gotta say – this sure is snappier than my description – thanks Eric.

An SNL Skit? Onion headline?

Eric Norlin seems to be blogging on the Digital ID World site as well as his own site. I'm checking into what he's posting where and will let you know. Whatever the story, here's a post after my own heart:

I'm sorry, but reading the first paragraph of this story made me think that maybe I was reading the Onion, or watching Saturday Night Live:

“Credit card users, don't fret. Only a small fraction of the 13.9 million credit cards accounts at MasterCard exposed to possible fraud were considered at high risk, the company said Saturday.”

Only a “small fraction” of the 13.9 million accounts were at “high risk”? Were the rest at “medium risk”? And what – *exactly* – is “medium risk” in Mastercard terms? Is “medium” risk equivalent to Defcon 3? If so, is “high” risk equivalent to mutually assured destruction?

The equivocation in this opening paragraph is a wonderful example of a huge PR budget at work. Congratulations to Mastercard. Of course, with the frequency of data loss these days, this all just seems commonplace now (“OOPS! we lost 13.9 *million* account numbers – sorry – hehehehe”).

Yes, I like the idea of sending the PR team responsible for this to do a year at SNL – though I think we need them to stay on at MasterCard too – just in case they are needed there as well.

CardSystems appointed Professor of Identity

When I presented the Laws of Identity at the DIDW conference, someone asked how we would “enforce the laws”. I tried to explain that the laws are not what Bob Blakley calls “desiderata” – things that we would like to see. They are the objective characteristics of an enduring identity system at Internet scale.

Timothy Grayson of Recursive Progress has written very eloquently about how CardSystems has served as his teacher in this regard:

A while back, I took aim at The Laws of Identity with a critique that missed the mark, I'm sure, because I opted (well, truly, I had no choice) not to evaluate it through the lens of a technologist. One of my comments in regard to Law 2: Minimal Disclosure for a Constrained Use was:

I think that minimal disclosure for a constrained use is essential for privacy and user control, which, presumably, is what drives Law no. 2. The statement, “There is no longer the possibility of collecting and keeping information ‘just in case’ . . .” [emphasis mine] is, however desirable and logical an outcome of a need-to-know minimal distribution of information, not part of technical mechanics. It is, as everyone doubtlessly knows, a matter of policy and practice. Somewhere I read not all that long ago that two of the non-obvious forces that are driving the creation of massive directories and databases — about people — are that (a) thanks to computing capability it's easy to accumulate rich records over time and (b) thanks to cheap storage there's no disincentive to keep accumulating information. These together with the underlying belief that “information is power” and all the other marketing and security-driven forces for creation of directories may be a little bit more than the principle of minimal disclosure can overcome, methinks.

Today, MSNBC (among others) is carrying a story about data mishandling by a credit card processing firm in Atlanta (Processing firm: Credit card data mishandled – Consumer Security). This situation speaks to digital identity generally, and at least from one angle to Law 2. Here's the money quote to support my earlier statement:


He [John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., which was hacked] said the data was being stored for “research purposes” to determine why some transactions had registered as unauthorized or uncompleted. “We should not have been doing that,” Perry said in Monday's editions of The New York Times.

Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.

“CardSystems provides services and is supposed to pass that information on to the banks and not keep it,” Joshua Peirez, a MasterCard official, told the Times. “They were keeping it.”

Oops. Broken law. Technology — architecture or otherwise — may or may not have been able to avoid it.