Identity Issues with Bluetooth

Our polycomm scenario includes use of Bluetooth. While doing my posting about the first law, it became obvious to me that we need to learn quite a bit about Bluetooth – it will soon be ubiquitous. I was lucky to find that Noel Anderson, who has thought a whole lot about these issues, works in my building.

I invited Noel into my office for a tutorial – which I recorded so others in this discussion can share what I learned. (Maybe I'll start podblogging – of course there are a few technical issues I need to master).

You'll find some of what Noel says really shocking – especially the prospect of a “personal bomb”.

Responses to the first law…

Eric Norlin of Ping has responded to my First Law of Identity with “My running commentary on Kim's exposition”. As he says,

Kim's posting about the “laws of identity” — using a scenario i sent him to tease them out. So, in true redactive fashion, I thought it only right for me to post a running commentary on his laws (since I provided the original text ;-).

Other interesting people have contributed comments as well. So although I've only made it through to the first law, I can already see that doing this kind of thing using Weblogs is going to be really different than banging out an article in “the private space” of my office. And I think this is “way cool”…

Here is the First Law of Identity I put forward…

The “Owner Decides” Law of identity

Technical identity systems MUST only reveal information identifying a user with the user's consent.

On the content of the first law, Eric “absolutely agrees — kinda”:

An employer (like Kim's) maintains data about the user that they use to log the user onto various corporate applications that they run (i'd bet that kim did this today) — in that case, the employee has given implicit consent by collecting a paycheck and the employer is NOT encumbered with giving the user consent privileges. Bottom line: getting paid is consent.

But whoa there Eric… you go too fast, man.

Is it my employer who “logs me in” to various corporate applications? Not really. Instead, it is me who logs myself in to my employer's corporate network.

I also chose to give my employer my name, my address, my social security number and my educational background. In other words, there are a whole series of explicit actions here.

Every day, I choose to use my corporate identity through the admittedly incantational act of pressing control-alt-delete and entering a password. This is explicit consent, not implicit. The consent is in the logging in and the filling out of forms – not the getting paid.

I see more and more attention to explicit consent by my employer (which is Microsoft, for those just tuning in). Recently, when I registered for a new service offered through the corporate portal, I was asked to explicitly approve the collection of tracking information necessary to monitor and improve the level of service I received. So even though I had already logged in to its network, Microsoft explicitly asked me for further approval to collect additional information. I assume this was done because, as Eric would put it, my paycheck does not represent implicit consent for Microsoft to do whatever it wants with regard to my identity information.

I've actually had personal experience with the incorrect version of the first law that Eric has proposed. Back in the mid-1990s, during my ZOOMIT days, we put a web “protocol head” on our VIA metadirectory. This created a personal web page for each user. Like many other technology companies, we believed in “eating our own dog food”, so we had a VIA microdirectory of our employees. Since I was a naturally public person, I thought (or perhaps “didn't think” is a better way of putting it) that everyone would just love to have a web page, and asked one of our writers to interview all our employees so we could set up an initial page for everyone. The idea was that they could then alter things as they saw fit, and we would be off to the races. In addition, we asked everyone for a photograph.

Talk about surprises… Within hours, a number of people let me know in a fairly assertive way that as much as they loved me, not to mention ZOOMIT and their paycheck, this was really going too far (especially the photo bit). And of course it was! So you can see I have a true nerd pedigree on this matter. And I've come a long way, baby! I haven't forgotten the lesson. It doesn't cost anybody anything to ask employees if they want their information to cross organizational boundaries – and be explicit about it – at least once.

In general I can't agree with Eric's contention that the first law of identity applies, as a fundamental principle, only to “consumer-facing scenarios”. I'm more accepting of what he says about control versus ownership:

Properly speaking, identity info is about control. The end user should be given *control* over their information — because there is a ton of identity information about me that I simply cannot, in any practical sense, *own*.

I was thinking of “owning” in the sense of “possessing” – in other words, in the philosophical sense (I guess I'm allowed to say that, since Eric can say “redactive”). The trouble with the word “owning” is that it tends to be associated with our current economic superstructure. I don't mean that we *own* our identities in the same way we *own* a house in the suburbs… However we do possess an identity. But it's really hard to talk about a “possessor” without sounding like a David Cronenberg movie…

Anyway, I can go with the “Law of Control”. So let's call it that. I hope Eric will drop support for his proposed amendment. I think that as soon as we put in place an infrastructure embodying the Law of Control, it will trump inferior ad hoc practices which arose historically in corporate environments. And I think this foreshadows the emerging approaches to compliance that are arising here and around the world.

I find it encouraging that a number of people are jumping ahead of my exposition and coming up with solutions that do in fact respect the laws of identity (see, for example, various comments by eminently sane people). But I hope you will stick with me a bit longer as I slog forward trying to tease these laws out of the current example.

I'm not trying to pedantically beat a dead horse – I'm hoping to provide some axioms we can refer to in our future discussions… But for now I need to get some “work” done in my day-job.

I also learned that I can't just drag pictures into my magical radioland window – which explains why the pathetic pictograph I prepared for yesterday's discussion can't be seen by anyone. I'm trying to get the “enable pictures” thing to work, but they don't seem to arrive at the RadioLand cloud site – still waiting for “help to arrive”. When I do post this pictograph I'm sure you will all hear the guffaws!

The Owner Decides

Our last installment had us shivering on the edges of our seats with this scenario from Eric Norlin:

you walk into a conference room; dial into a con call on the polycomm; the polycomm senses your bluetooth phone and (using a discovery service) looks at your personal attribute known as “music preferences”; thus your current favorite music (by how often you listen to it) is downloaded from your “federated” mp3 player — and the hold music while you wait for your fellow con-callers is *your* favorite music.

sound a bit advanced? actually, you could (technically) do this right now with the Liberty Alliance specifications…

To facilitate discussion, I have scratched out a pictorial representation of the components (to keep incredulous comments at bay, I won't say this is a “diagram”).

The little thing beside stick person is a phone, and interaction (1) uses Bluetooth to determine stick person's identity by retrieving an identifier from the phone. The polycomm then interacts with a discovery service (2) to find out where stick person's “federated mp3” server is located. Then it pulls down some music (3) conforming to stick person's sense of what's hip and appropriate. Note that the components are functional pieces only. At this point we are making no assumptions about how they are implemented or where they are located.

Now there are a great many ways this polycomm scenario could be realized. I don't want to make judgments about which realization is best. However I am interested in the underlying dynamics at work. To bring some of these out, I'll posit a couple of realizations and discuss some of the implications. I've never discussed this scenario with Eric and don't have a clue what he had in mind – so if I say something that bothers anyone, it's not his fault!

To start drilling, let's look at the role of the polycomm. It senses my phone and uses Bluetooth to discover my identity.

Issue: What and who is able to use Bluetooth to discover my identity, and what does that mean?

To what extent is Bluetooth like RFID? Is the identity discovered through Bluetooth an invariant tracking tag? Can any Bluetooth enabled device discover our identity as we approach it? What are the implications of this?

When you first start asking questions like these, it seems unlikely that the designers wouldn't have figured all this stuff out. And I certainly don't yet know enough about Bluetooth to provide any definitive answers. But the official Bluetooth website didn't really drive up my confidence with this story:

The group of lanky tourists strolling through the Swedish capital's old town never knew what hit them… As they admired handicrafts in a storefront window, one of their cell phones chirped with an anonymous note: “Try the blue sweaters. They keep you warm in the winter.”

The tourist was “bluejacked” — surreptitiously surprised with a text message sent using a short-range wireless technology called Bluetooth.

As more people get Bluetooth-enabled cell phones — both sender and recipient need them for this to work — there is bound to be more mischievous messaging of the unsuspecting.

It's a growing fad, this fun with wireless…

But there's more than bluejacking to consider, as these further quotes from the Bluetooth site tell us:

What is bluebugging?

Bluebugging allows skilled individuals to access the mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and read SMS, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet. As with all the attacks, the hacker must be within a 10 meter range of the phone. This is a separate vulnerability from bluesnarfing and does not affect all of the same phones as bluesnarfing.

What is bluesnarfing?

Bluesnarfing allows hackers to gain access to data stored on a Bluetooth enabled phone using Bluetooth wireless technology without alerting the phone's user of the connection made to the device. The information that can be accessed in this manner includes the phonebook and associated images, calendar, and IMEI (International Mobile Equipment Identity). By setting the device in non-discoverable, it becomes significantly more difficult to find and attack the device. Without specialized equipment the hacker must be within a 10 meter range of the device while running a computer with a Linux operating system and the specialized software

NOTE: None of this is intended as a criticism of Bluetooth. I am completely agnostic with respect to competing protocols – if any actually compete. I'm simply using Bluetooth as an example of the work we as an industry must do to get identity right.

So in light of all this, it seems quite possible that Bluetooth protocols might give out an invariant ID to any device which asks for it. And further, it looks like this is not the number one security issue the Bluetooth engineers are working on – at least until bluejacking, bluebugging and bluesnarfing are taken care of.

The point is that – when we get this right – a phone should only give out a user's ID to devices the user wants it given to.

Let's return to our scenario for an example. If the polycomm belongs to my employer, and if I've chosen to recognize my employer's polycomms, then no problem – the phone should reveal my identity to the polycomm. But otherwise, it shouldn't. We can codify this as one of the laws of identity:

The “Owner Decides” Law of identity:

Technical identity systems MUST only reveal information identifying a user with the user's consent.

I will argue later that we who are technical servants of the “general will” need to obey the laws of identity. If we don't, we will create a snarled mess of reinforcing side-effects that will undermine all the systems we put in place. Our ignoring a law of identity is analogous to an engineer who decides not to obey the law of gravity.
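To make the Law of Control concrete for the polycomm scenario, here is a small Python model. It is an illustration added to this page, not code from the original post, from Eric Norlin, or from any Bluetooth stack, and it models no real Bluetooth profile. The phone answers an identity request only from devices its owner has explicitly chosen to recognize, refuses and records every other request, and gives each recognized device its own derived identifier rather than a single invariant tag, so two unrelated polycomms cannot pool what they learn into a tracking tag. The names Phone, grant_consent, reveal_identity and hold_music, the per-phone secret, and the discovery table standing in for the discovery service are all assumptions made for the example.

```python
"""Toy model of the "Owner Decides" law in the polycomm scenario.

Added illustration; not code from this post, from Eric Norlin, or from any
Bluetooth stack.  Phone, grant_consent, reveal_identity, hold_music, the
per-phone secret and the discovery table are all inventions for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Phone:
    owner: str                                   # the user's real identifier
    secret: bytes                                # per-phone secret (assumed) for deriving pseudonyms
    consented: Set[str] = field(default_factory=set)   # devices the owner chose to recognize
    audit: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def grant_consent(self, device_id: str) -> None:
        """The explicit act of consent: the owner decides to recognize this device."""
        self.consented.add(device_id)

    def revoke_consent(self, device_id: str) -> None:
        """Consent is the owner's to withdraw as well."""
        self.consented.discard(device_id)

    def pairwise_identifier(self, device_id: str) -> str:
        """Identifier for one relying device only.

        HMAC over the requester's id with the phone's secret: the same device
        always gets the same value (so it recognizes a returning user), while
        two unrelated devices get unrelated values and cannot pool them into
        an invariant tracking tag.
        """
        return hmac.new(self.secret, device_id.encode(), hashlib.sha256).hexdigest()[:16]

    def reveal_identity(self, device_id: str) -> Optional[str]:
        """Interaction (1): answer only devices the owner consented to; log the rest."""
        if device_id in self.consented:
            token = self.pairwise_identifier(device_id)
            self.audit.append((device_id, "revealed", token))
            return token
        self.audit.append((device_id, "refused", None))
        return None


def hold_music(phone: Phone, polycomm_id: str, discovery: Dict[str, str]) -> str:
    """Interactions (1)-(3) from the polycomm's side.

    `discovery` stands in for the discovery service: it maps the identifier the
    employer's polycomms receive to the location of the user's mp3 server.
    """
    token = phone.reveal_identity(polycomm_id)
    if token is None or token not in discovery:
        return "default hold music"
    return f"stream from {discovery[token]}"


def run_scenario() -> Dict[str, object]:
    """Walk through the scenario with constructed sample devices."""
    phone = Phone(owner="stick-person", secret=b"constructed-per-phone-secret")
    employer_room = "polycomm-employer-room-12"   # constructed device id
    hotel_lobby = "polycomm-hotel-lobby"          # constructed device id

    # The owner recognizes the employer's polycomm and registers the resulting
    # identifier with the employer's discovery service (constructed table).
    phone.grant_consent(employer_room)
    discovery = {phone.pairwise_identifier(employer_room): "mp3.example.invalid/stick-person"}

    return {
        "at_work": hold_music(phone, employer_room, discovery),
        "in_hotel": hold_music(phone, hotel_lobby, discovery),
        "hotel_learned_identity": any(d == hotel_lobby and s == "revealed" for d, s, _ in phone.audit),
        "ids_correlate": phone.pairwise_identifier(employer_room) == phone.pairwise_identifier(hotel_lobby),
        "audit": list(phone.audit),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The audit list is the part a practitioner would keep: it records every device that asked, whether consent existed at the time, and what (if anything) was handed over, which is exactly the evidence needed to show that disclosure followed the owner's decisions rather than whoever happened to be within ten meters.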

Ah, but we're just beginning to get substantive. And I have a big day tomorrow (you know – that day-job thing), so I'm going to call it a night and drill into other aspects of this scenario next time.

Apologies to Macpeople and End of Heightened RSS Alert

I got this note from Bill Tozier, who has one of the most interesting bios I've ever seen. He has a unique perspective from which to contribute to identity issues.

No problems in Safari here. But I do note that there isn't a big “I” in Macintosh. The tartan look went out some time back. Now it's just silver and chrome and glowing white, uncapped.

Meanwhile Doc Searls came through with what seems like a complete engineering report – it sounds like he has a control room going with ten or twenty consoles. Maybe that&#39s how he stays on top of everything.

I just viewed the blog in Safari, and it looks fine. Same with Firefox. Both on OS X. On Linux, I just viewed it in Firefox and Konqueror, and it looks fine there, too. I'll assume it looks cool in IE and Firefox on Windows.

Now safe for OS X!

Dick Hardt tells me my “main page now loads fine in Safari.. I also run NetNewsWire (“THE” aggregator for OS X) and it seems to glurp up the feed fine.”

I'll be careful what I cut and paste from now on! Seems that a bunch of automated transformations confused some parsers.

I spent yesterday working on a “virtual transcontinental” podblogging setup with Craig Burton – it was a lot of fun, and we'll have something to show for it as soon as we figure out a few hundred more technicalities. I should have been spending my time “getting substantive” as per my promises below, but maybe I'll get to that tonight.

My polycomm knows me

Eric Norlin from Ping just sent me this to consider:

Imagine:

you walk into a conference room; dial into a con call on the polycomm; the polycomm senses your bluetooth phone and (using a discovery service) looks at your personal attribute known as “music preferences”; thus your current favorite music (by how often you listen to it) is downloaded from your “federated” mp3 player — and the hold music while you wait for your fellow con-callers is *your* favorite music.

sound a bit advanced? actually, you could (technically) do this right now with the Liberty Alliance specifications…

It's a great scenario to think through, and exposes all kinds of issues. So my plan is to start drilling into the laws of identity by examining alternative ways to implement this scenario.

For tonight, seems like I'm off to a party. Maybe two.

Going substantive

OK – I've been bloggin’ for a week and haven't written about any substantive identity issues yet. I've just been getting used to the environment, which is pretty incredible. And starting tomorrow, I will turn over a new leaf, I promise! None of this self-referential biff! boom! bah! with Marc Canter and my other friends. Except to report that he now says this (I can't help myself):

It's great to see Kim extending olive branches in the spirit of BIG BANG and distributed computing.

We gotta realize that Microsoft IS 1,000 Tornados – and maybe all those young Turks there will realize that Windows based machines WILL be connected to a distributed mesh of devices (whether they like it or not) – which yes – will be running somebody ELSE's software (heaven forbid.)

In that scenario – it behooves us ALL to make sure that Microsoft is there – with Indigo, InfoCards and Users & Groups.

Gee – I hate it when Marc calls me a young turk.

Compliance testing

It's worse than I had originally thought… My weblog was (I hope it is no longer) bringing down Safari – and then reports of this (I'm quoting here from a remarkably calm Dave Ely):

It's not just your site, but also your feed which locks up WebKit (killing NetNewsWire). I suspect that it's something in the LDAP spec table down stream a bit.

Not my feed too! It can't be!

I don't yet know what NetNewsWire is (though it sounds really, really important), but RadioLand technical support said that although they could see nothing wrong with my blog, I should probably simplify my LDAP spec table – which, I must admit, went through several magical translations (all automated). Are the fates punishing me for my work on mapping? No, that can't be.

Getting behind the myths

I just saw Craig Burton's “A thousand tornadoes deep”. Craig has been around. We've had a hundred conversations over the years, and I truly admire his ability to see underlying taxonomies.

Craig was the one who, a number of years ago, taught me not to prejudge Microsoft – and explained his “ten tornado” theory (he has since – I think rightly – adjusted it by two orders of magnitude).

So his vote of confidence means a lot to me:

“There are good people with vision and integrity at Microsoft. Kim Cameron is one of those people. You can't go wrong working with Kim.”

I like the wit and wicked incision in his comment that:

Each tornado (or hailstorm if you like) has its own path, thinking and objective. They seldom cross paths and are too busy dealing with the issues at hand to even talk to each other.

That, in fact, says a lot about the real Microsoft – and is much more realistic than those who talk about plots. I wish we, as a company, allowed more visibility into our nature, which is close to the one Craig describes.

Then he concludes:

Microsoft bashing aside, when two people like Marc and Kim get together and collaborate, expect good things to happen that go beyond the history of giants — even the giant of all time — Microsoft.

I look forward to seeing what they can do.

And, I have to say, I do too.

In order that this conversation on identity can go forward, I have so far edited out (or is it just that I have “not mentioned”) Craig's “one further” comment that:

“Microsoft is an unabashed bully. The leaders of Microsoft– Bill Gates and Steve Ballmer — lead the bully behaviour.”

It's so weird. As though I had caught myself sleeping through the first half of some dream (or in fact wasn't there for it), and now that I'm in the second half, I can't quite follow the plot. In fact, maybe that's what has happened.

Although I don't know Steve and can't comment on what he's like from first hand experience, I have spent a fair amount of time with Bill. He is a remarkable and uniquely generous person, witty – a real engineer of great breadth and depth, as well as a deeply disruptive thinker. I just can't recognize him in his demonized form. (Don't get the idea we go fishing together – we don't.)

Anyway, to make a long story short, many many moons ago, Craig and Bill didn't seem to, er, really hit it off together. But I still like them both a lot.

Safari Crash in RadioLand

The good news is that within an hour of sending an email to RadioLand about the sad fate of Safari users who try to read my RadioLand blog, someone called Lawrence was back to me. The bad news is that there doesn't seem to be anything wrong:

I'll check internally with some people that use OS X/Safari to see if they can verify the problem, but there doesn't seem to be anything out of the ordinary in the page that would cause it to lockup.

Lawrence

I guess I'll try contacting Safari too.