Don't take identities from our homes without our consent

Joerg Resch of Kuppinger Cole in Germany wrote recently about the importance of identity management to the Smart Grid – by which he means the emerging energy infrastructure based on intelligent, distributed renewable resources:

In 10-12 years from now, the whole utilities and energy market will look dramatically different. Decentralization of energy production with consumers converting to prosumers pumping solar energy into the grid and offering  their electric car batteries as storage facilities, spot markets for the masses offering electricity on demand with a fully transparent price setting (energy in a defined region at a defined time can be cheaper, if the sun is shining or the wind is blowing strong), and smart meters in each home being able to automatically contract such energy from spot markets and then tell the washing machine to start working as soon as electricity price falls under a defined line. And – if we think a bit further and apply Google-like business models to the energy market, we can get an idea of the incredible size this market will develop into.

These are just a few examples, which might give you an idea on how the “post fossile energy market” will work. The drivers leading the way into this new age are clear: energy production from oil and gas will become more and more expensive, because pollution is not for free and the resources will not last forever. And the transparency gain from making the grid smarter will make electricity cheaper than it is now.

The drivers are getting stronger every day. Therefore, we will soon see many large scale smart grid initiatives, and we will see questions rising such as who has control over the information collected by the smart meter in my home. Is it my energy provider? How would Kim Cameron´s 7 laws of Identity work in a smart grid? What would a “grid perimeter” look like which keeps information on the usage of whatever electric devices within my 4 walls? By now, we all know what cybercrimes are and how they can affect each of us. But what are the risks of “smart grid hacking”? How might we be affected by “grid crimes”?

In fact at Blackhat 2009, security consultant Mike Davis demonstrated successful hacker attacks on commercially available smart meters.  He told the conference,

“Many of the security vulnerabilities we found are pretty frightening and most smart meters don't even use encryption or ask for authentication before carrying out sensitive functions like running software updates and severing customers from the power grid.”

Privacy commission Ann Cavoukian of Ontario has insisted that industry turn its attention to the security and privacy of these devices:

“The best response is to ensure that privacy is proactively embedded into the design of the Smart Grid, from end to end. The Smart Grid is presently in its infancy worldwide – I’m confident that many jurisdictions will look to our work being done in Ontario as the privacy standard to be met. We are creating the necessary framework with which to address this issue.”

Until recently, no one has talked about drive-by mapping of our home devices.  But from now on we will.  When we think about home devices, we need to reach into the future and come to terms with the huge stakes that are up for grabs here.  

The smart home and the smart grid alert us to just how important the identity and privacy of our devices really is.  We can use technical mechanisms like encryption to protect some information from eavesdroppers.   But not the patterns of our communication or the identities of our devices…  To do that we need a regulatory framework that ensures commercial interests don't enter our “device space” without our consent.

Google's recent Street View WiFi boondoggle is a watershed event in drawing our attention to these matters.

Misuse of network identifiers was done on purpose

Ben Adida has a list of achievements as long as my arm – many of which are related to privacy and security.  His latest post concerns what he calls, “privacy advocacy theater… a problem that my friends and colleagues are guilty of, and I’m sure I’m guilty of it at times, too.  Privacy Advocacy Theater is the act of extreme criticism for an accidental data breach rather than a systemic privacy design flaw. Example: if you’re up in arms over the Google Street View privacy “fiasco” of the last few days, you’re guilty of Privacy Advocacy Theater.”

Ben then proceeds take me to task for this piece:

I also have to be harsh with people I respect deeply, like Kim Cameron who says that Google broke two of his very nicely crafted Laws of Identity. Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running. (I’m giving them the benefit of the doubt. If they are lying, that’s a different problem, but no one’s claiming they’re lying, as far as I know.) The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data. If anyone is breaking the Laws of Identity, it’s the WiFi access points that don’t actively nudge users towards encrypting their WiFi network.

But let's hold on a minute.  My argument wasn't about the payload data that was collected accidently.  It was about the device identification data that was collected on purpose.  As Google's Alan Eustace put it: 

We said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data…

Device identifiers were collected on purpose

SSID and MAC addresses are the identifiers of your devices.  They are transmitted as part of the WiFi traffic just like the payload data is.  And they are not “publically broadcast” any more than the payload data is. 

Yet Google consciously decided to abscond with, tabulate and monetize the identities of our personal, business and home devices.  The identifiers are persistent and last for the lifetime of the devices.  Their collection, cataloging and use is, in my view, more dangerous than the payload data that was collected. Why? The payload data, though deeply personal, is transient and represents a single instant.  The identifiers are persistent, and the Street View WiFi plan was to use them for years.  

Let's be clear:  Identity has as much to do with devices, software, services and organizations as with individuals.  And equally important, identity is about the relationships between these things.  In fact identity can only be adequately expressed through the relationships (some call it context).

When Google says, “MAC addresses are a simple hardware ID assigned by the manufacturer” and “We cannot identify an individual” using those “simple hardware IDs”,  it sounds like the devices found in your home and briefcase and pocket have nothing to do with you as a flesh and blood person.  Give me a break!  It reminds me of an old skit by “Beyond the Fringe” where a police inspector points out that “Once you have identified the criminal's face, the criminal's body is likely to be close by…”  Our identities and the identities of our devices are related, and understanding this relationship is essential to getting identity and privacy right.

One great thing about blogging is you find out when you haven't been clear enough.  I hope I'm making progress in expressing the real issues here:  the collection of device identifiers was purposeful, and this represents precisely the kind of “systemic privacy design flaw” to which Ben refers.  

It bothers me that this disturbing systemic privacy design flaw – for which there has been no apology – is being obscured through the widely publicized apology for a completely separate and apparently accidental sin.  

In contemporary networks, the hardware ID of the device is NOT intended to be a “universal identifier”.  It is intended to be a “unidirectional identifier” (see The Fourth Law) employed purely to map between a physical machine and a transient, local logical address.  Many people who read this blog understand why networking works this way.  In Street View WiFi, Google was consciously misusing this unidirectional identifier as a universal identifier, and misappropriating it by insinuating itself, as eavesdropper, into our network conversations.

Ben says, “The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data.”  But I hope he rethinks this in the context of what identity really is, its use in devices and systems, and the fact that human, device and service identities are tied together in what one day should be a trustworthy system.  I also hope to see Google apologize for its misuse of our device identities, and assure us they will not be used in any of their systems.

Finally, despite Ben's need to rethink this matter,  I do love his blog, and strongly agree with his comments on  Opera Mini, discussed in the same piece.

 

EPIC on Google WiFi eavesdropping

Readers have drawn our attention to a recent letter from EPIC's Marc Rotenberg to  FCC Chairman, Julius Genachowski.

In the detailed letter, Marc Rotenberg specifically calls attention to the mapping of private device identifiers, saying, “We understand that Google also downloaded and recorded a unique device ID, the MAC address, for wireless access devices as well as the SSID assigned by users.”

He argues:

The capture of Wi-Fi data in this manner by Google Street View could easily constitute a violation of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, also known as the Wiretap Act, as amended by the Electronic Communications Privacy Act (ECPA) of 1986 to include electronic communications. Courts most oten define “interception” under ECPA as “acquisitions contemporaneous with transmission.” The Wiretap Act provides for civil liability and criminal penalties against any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any… electronic communication [except as provided in the statute].”

The Wiretap Act imposes identical liability on any person who “intentionally discloses … to any other person the contents of any… electronic communication, knowing or having reason to know that the information was obtained through the interception of a[n] … electronic communication in violation of
this subsection,” or “intentionally uses … the contents of any… electronic communication, knowing or having reason to know that the information was obtained through the interception of a[n]… electronic communication in violation of this subsection.”

Full text (including many footnotes elided in the quote above) is available in pdf and Word format.  See also The Hill's technology blog.

The Laws of Identity smack Google

Alan Eustace, Google's Senior VP of Engineering & Research, blogged recently about Google's collection of Wi-Fi data using its Street View cars:

The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.  

I think the idea of learning all the lessons he can from Google's mistake is a really good one, and I accept that Alan really is sorry.  But what constituted the mistake?

Last month Google was good enough to provide us with a “refresher FAQ” that dealt with the subject in a particularly specious way, even though it was remarkable in its condescension:

“What do you mean when you talk about WiFi network information?
“WiFi networks broadcast information that identifies the network and how that network operates. That includes SSID data (i.e. the network name) and MAC address (a unique number given to a device like a WiFi router).

“Networks also send information to other computers that are using the network, called payload data, but Google does not collect or store payload data.*

“But doesn’t this information identify people?
“MAC addresses are a simple hardware ID assigned by the manufacturer. And SSIDs are often just the name of the router manufacturer or ISP with numbers and letters added, though some people do also personalize them.

“However, we do not collect any information about householders, we cannot identify an individual from the location data Google collects via its Street View cars.

“Is it, as the German DPA states, illegal to collect WiFi network information?
“We do not believe it is illegal–this is all publicly broadcast information which is accessible to anyone with a WiFi-enabled device…

Let's start with the last point. Is information that can be collected using a WiFi device actually being “broadcast”?  Or is it being transmitted for a specific purpose and private use?  If everything is deemed to be “broadcast” simply by virtue of being a signal that can be received, then surely payload data – people's surfing behavior, emails and chat – is also being “broadcast”.  Once the notion of “broadcast” is accepted, the FAQ implies there can be no possible objection to collecting it.

But Alan's recent post says, “it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks.”  He adds, “We want to delete this data as soon as possible…”  What is the mistake?  Does Alan mean Google has now accepted that WiFi information is not by definition being “broadcast” for its use?  Or does Alan see the mistake as being the fact they created a PR disaster?  I think “learning everything we can” means learning that the initial premises of the Street View WiFi system were wrong (and the behavior perhaps even illegal) because the system collected WiFi information that was intended to be used for private purposes and not intended to include Google.  

The FAQ claims – and this is disturbing – that the information collected about network identifiers “doesn't identify people”.  The fact is that it identifies devices that are closely associated with people – including their personal computers and phones.  MAC addresses are persistent, remaining constant over the lifetime of the device.  They are identifiers that are extremely reliable in establishing identity by virtue of being in peoples’ pockets or briefcases.

As a result, Google breaks two Laws of Identity in one go with their Street View boondoggle, 

Google breaks Law 3, the Law of  Justifiable Parties.

Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship

Google is not part of the transactions between my network devices and is not justified in intervening or recording the details of their use and relationship. 

Google also breaks Law 4, Directed Identity:

A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

My network devices are private entities intended for use in the contexts for which I authorize them.  My home network is a part of my home, and Google (or any other company) has not been invited to employ that network for its own purposes.  The identifiers in use there are contextually specific, not public, and not intended to be shared across all contexts.  They are more private than the IP addresses used in TCP/IP, since they are not shared across end-points in different networks.  The same applies to SSIDs.

One can stand in the street, point a directional microphone at a window and record the conversations inside.  This doesn't make them public or give anyone the right to use the conversations for commercial purposes.  The same applies to recording the information we exchange using digital media – including our identifiers, SSIDs and MAC addresses.  It is particularly disingenuous to argue that because information is not encrypted it doesn't belong to anyone and there are no rights associated with it.  If lack of encryption meant information is fair game a lot of Google's own intellectual property would be up for grabs,

Google's justification for collecting MAC addresses was that if a stranger walked down your street, the MAC addresses of your computers and routers could be used provide his systems (or Googles’?)  with information on where he was.  The idea that Google would, without our consent, employ our home networks for its own commercial purposes betrays a problem of ethics and a lack of control.  Let's hope this is what Alan means when he says,

“Given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.”

I know there are many people inside Google who will recognize that these problems represent more than a “mistake” – there is clearly the need for a much deeper understanding of identity and privacy within the engineering and business staff.   I hope this will be the outcome.  The Laws of Identity are a harsh teacher, and it's sad to see the Street View technology sullied by privacy catastrophes.

Meanwhile, there is one more lesson for the rest of us.  We tend to be cavalier in pooh poohing the idea that commercial interests would actually abuse our networks and digital privacy in fundamental ways.  This episode demonstrates how naive that is.  We need to strengthen the networking infrastructure, and protect it from misuse by commercial interests as well as criminals.  We need clear legislation that serves as a disincentive to commercial interests contemplating privacy-invasive use of technology.  And on a technical note, we need to fix the problems of static MAC addresses precisely because they are strong personal identifiers that ultimately will be used to target individuals physically as criminals begin to understand their possible uses.

 

Issuing Information Cards with ADFS 2.0

When  Microsoft released Active Directory Federation Services V2 recently, we indicated we were holding off on shipping CardSpace 2.0 while figuring out how to best integrate Minimal Disclosure Technology (U-Prove) and create maximum synergy with the OpenID and OAuth initiatives.  Some feared the change in plan meant Microsoft was backing away from the idea of Information Cards and a visual identity selector.  Nothing could be further from the truth – the growth in adoption of federation and the shift toward cloud computing both make Information Card technology more important than ever.

This new announcement from Technet identity blog will therefore come as good news:

Today, Microsoft is announcing the availability of the Information Card Issuance Community Technology Preview (CTP) to enable the following scenarios with Active Directory Federation Services 2.0 RTM:

  • Administrators can install an Information Card Issuance component on AD FS 2.0 RTM servers and configure Information Card Issuance policy and parameters.
  • End users with IMI 1.0- or IMI 1.1 (DRAFT)-compliant identity selectors can obtain Information Cards backed by username/password, X.509 digital certificate, or Kerberos.
  • Continued support for Windows CardSpace 1.0 in Windows 7, Windows Vista and Windows XP SP 3 running .NET 3.5 SP1.

We have also added two new mechanisms for interaction and feedback on this topic, an Information Card Issuance Forum and a monitored e-mail alias ici-ctp@microsoft.com

 

Interview on Identity and the Cloud

I just came across a Channel 9 interview Matt Deacon did with me at the Architect Insight Conference in London a couple of weeks ago.  It followed a presentation I gave on the importance of identity in cloud computing.   Matt keeps my explanation almost… comprehensible – readers may therefore find it of special interest.  Video is here.

 

In addition, here are my presenation slides and video .

Vittorio Bertocci brings it all together for us

My good friend Vittorio is one of the most gifted technology presenters – an artist!  But he's also a talented engineer and architect – the rat!  Vittorio has been a great supporter of minimal disclosure.  I want to point you to his nice little guide to the minimal disclosure videos…  None of Vittorio's real-time cartoons this time, but I hope they're coming…

“As is customary by now, the IdElement is providing extensive coverage of the U-Prove CTP:

Announcing Microsoft’s U-Prove Community Technical PreviewStefan describes U-Prove, some typical scenarios where traditional technologies fall short while U-Prove provides a solution, and a summary of what we are releasing.  image
image U-Prove CTP: a Developers’ PerspectiveChristian and Greg explore the CTP, clarifying U-Prove’s role in the Identity Metasystem and describing how ADFSv2, WIF and CardSpace have been extended in the CTP for accommodating U-Prove’s functionality.
Deep Dive into U-Prove Cryptographic protocolsA feast for cryptographers and mathematicians! in this video Stefan describes in details the cryptography behind U-Prove’s algorithm. Not for the faint of heart!    image

“I know that my good friend Felix felt strongly about U-Prove: I am so glad that we can finally share this! Congratulations to Stefan, Christian, Greg and everybody in the IDA division that made this happen 🙂

Downloads

U-Prove CTP

– U-Prove SDK C# edition or Java edition

U-Prove Minimal Disclosure availability

This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills!  But today, just for once, I'm going to pick up an actual Microsoft press release and lay it on you.  The reason?  Microsoft has just done something very special, and the fact that the announcement was a key part of the RSA Conference Keynote is itself important:

SAN FRANCISCO — March 2, 2010 — Today at RSA Conference 2010, Microsoft Corp. outlined how the company continues to make progress toward its End to End Trust vision. In his keynote address, Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, explained how the company’s vision for End to End Trust applies to cloud computing, detailed progress toward a claims-based identity metasystem, and called for public and private organizations alike to prevent and disrupt cybercrime.

“End to End Trust is our vision for realizing a safer, more trusted Internet,” said Charney. “To enable trust inside, and outside, of cloud computing environments will require security and privacy fundamentals, technology innovations, and social, economic, political and IT alignment.”

Further, Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy.

The company also shared details about a new partnership with the Fraunhofer Institute for Open Communication Systems in Berlin on an interoperability prototype project integrating U-Prove and the Microsoft identity platform with the German government’s future use of electronic identity cards.

As further evidence of how the company is enabling a safer, more trusted enterprise, Microsoft also today released Forefront Identity Manager 2010, a part of its Business Ready Security strategy. Forefront Identity Manager enables policy-based identity management across diverse environments, empowers business customers with self-service capabilities, and provides IT professionals with rich administrative tools.

In addition, Charney reviewed company efforts to creatively disrupt and prevent cybercrime. Citing Microsoft’s recently announced Operation b49, a Microsoft-led initiative to neutralize the well-known Waledac botnet, Charney stated that while focusing on security and privacy fundamentals and threat mitigation remains necessary, the industry needs to be more aggressive in blunting the impact of cybercriminals. Operation b49 is an example of how the private sector can get more creative in its collective approach to fighting criminals online.

“We are committed to collaborating with industry and governments worldwide to realize a safer, more trusted Internet through the creative disruption and prevention of cybercrime,” Charney said.

Readers may remember the promise I made when Microsoft's purchase of U-Prove and Credentica was announced in March 2008 and some worried Microsoft might turn minimal disclosure into something proprietary:

[It isn't…] trivial to figure out the best legal mecahnisms for making the intellectual property and even the code available to the ecosystem.  Lawyers are needed, and it takes a while.  But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo.

So here are the specifics of today's annoucement:

  • Microsoft is opening up the entire foundation of the U-Prove intellectual property by way of a cryptographic specification published under the Microsoft Open Specification Promise (OSP).  
  • Microsoft is donating two reference SDKs in source code (a C# and a Java version) under a liberal free software license (BSD); the objective here is to enable the broadest audience of commercial and open source software developers to implement the technology in any way they see fit.
  • Microsoft is releasing a public Community Technology Preview (CTP) of the integration of the U-Prove technology (as per the crypto spec) with Microsoft’s identity platform technologies (Active Directory Federation Services 2.0, Windows Identity Foundation, and Windows CardSpace v2).
  • As part of the CTP, Microsoft is releasing a second specification (also under the OSP) that specifies the integration of the U-Prove technology into so-called “identity selectors” using WS-Trust and information cards.

I really want to thank Stefan Brands, Christian Paquin, and Greg Thompson for what they've done for the Internet in bringing this work to its present state.  Open source availability is tremendously important.  So is the achievement of integrating U-Prove with Microsoft's metasystem components so as to show that this is real, usable technology – not some far-off dream.

At RSA, Scott Charney showed a 4-minute video made with the Fraunhofer FOKUS Institute in Germany that demonstrates interoperability with the German eID card system (scheduled to begin rolling out in November 2010). The video demonstrates how the integration of the U-Prove technology can offer citizens (students, in this case) the ability to minimally disclose authoritative personal information.

There is also a 20-minute video that explains the benefits of integrating the U-Prove technology into online identity management frameworks.

The U-Prove code, whitepaper and specifications, along with the modules that extend ADFS V2, WIF and CardSpace to support the technology, are available here.

Cloud computing: an unsatisfied customer?

Gunnar Peterson has written many good things about architecture and identity over the last few years. Now he lays down the guantlet and challenges cloud advocates with a great video that throws all the fundamental issues into sardonic relief. Everyone involved with the cloud should watch this video repeatedly and come back with really good answers to all that is implied and questioned… albeit through humor.

Not Invented Here

There's a new comic strip about software with the, um, mysterious title, Not Invented Here (I just caught the preposterous domain name:  http://notinventedhe.re)…   The strip deals with issues like security, and comments posted by readers say things like, “I DEMAND you take the bug out of my company's conference room immediately!” and “Wow, it is as if you have a mole in our office!”.   So, with the authors’ permission, here's a taste.

It all starts off innocently enough:

Wait.  I think I've met these people.

Yikes.  Maybe I am these people!

And if you're in the business, you can't miss this one, which will take you over to the NIH site.

If you're wondering where this can possibly come from, the strip is by Bill Barnes and Paul Southworth.  I don't know Paul yet, but readers may know Bill's work from Unshelved, which has been making librarians guffaw for years (an  easy task?)  The truth is, Bill knows a lot about what goes on with software – in fact one of his gigs was herding cats during the first version of CardSpace.  Now he's totally dedicated to his strips – should be a lot of fun – and enlightening too.