Category: Laws of Identity

Learning from experience in eGovernment

The Oxford Internet Institute (OII) has posted the Webcast of Jerry Fishenden‘s talk “myGovernment.com – government the way you want it”.

This looks at how new technologies, the emergence of Web 2.0 and the citizen/consumer as creator enable a whole new model of government services and interactions, with the citizen at their center. It was part of a day's workshop themed around “Learning from Experience in eGovernment: Why Projects Fail and Why They Succeed“.

You can find both a streaming media version (which requires Realplayer), or the downloadable version (which requires an MP4 player – I had to download Quicktime 7.1) at http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20060705_151.

Jerry is Microsoft's National Technology Officer in the United Kingdom, and a person I deeply respect for his wisdom and willingness to tell it like it is.

Some recent podcasts

Cardspace screenFor those new to Identityblog and looking for an introduction, here is a short interview I did recently with PTS-TV in England:

 

If you are ready for something more challenging, William Heath of Ideal Government got me thinking about the problems of overly-centralized identity technology in a podcast he described as follows:

Here's an exclusive interview with Kim Cameron, speaking with Jerry Fishenden to me and my colleague Ruth Kennedy. Famous as the Identity law-maker, Kim delivered Microsoft's Damascene conversion on identity matters and has become the catalyst for a new-found cross-industry sense of purpose about what it'll take to get digital identity and authenication that works for all of us.

He speaks exclusively to Ideal Government about the UK's ID developments in the context of state-of-the-art industry developments such as the Laws of Identity, Information Cards and the imminent ID big bang.

Note from administrator: (This was a 40 minute interview – the key sections are linked to the text below.

The whole podcast is available here.

This is the first Ideal Government audioblog/podcast so please forgive any clunkiness and background noise – it was a hot day and we were glad of the aircon.) Best way to hear the audio extracts

Firefox users: right click and “Open Link in New Tab”
IE users: I dont know. But when you find out tell me.
Also, anyone can insert inline audio to Expression Engine please tell me!

He sets out what he means by “Identity” (and there are many different meanings). He explains what Information Cards are, and how Microsoft has implemented them under the brand name Cardspace. He explains why for all its regrettable clunkiness the ageing UK Government Gateway is more secure and privacy-friendly than the proposed Home Office ID system, and it's revealed that there is a working version of Information Cards showing UK Government Gateway transactions. But this isnt Passport/Hailstorm revisited: it's as clear to Microsoft as to anyone that this has to work for everyone. We need a cross-industry big Momma identity backplane, and then the identity big bang can happen. But no one entity, country or authority can be in control.

He sets out where his work stands in relation to a user requirement for the ID we need for e-enabled services in the UK. Users decide, he says. If the system isn't widely adopted, it fails. As an architect, he expresses his concerns about the Home Office's ID card system. Too much information is in the same place. It's a colossal blackmail-generation machine. Every system will be breached, he says. If you dont understand that, you don't understand security and should not be talking about it.

He's pretty frustrated about the prospect of a lugubrious ID system which will inevitably damage trust in e-services. But a combination of the difficulty of the undertaking and the common sense of the British public means it will fail. The Brits are sensible, he finds. Tall as he and I are, we all recognise there's a limit: you can't survive if you're much over 11′. “They're trying to build a 60′ man here,” he says. All the technology people he knows feel the same way.

Yet he's very optimisic: UK identity systems can be efficient, secure, privacy-friendly and cheap, he says. The example of an ideal ID architecture he offers is pretty close to home: it's the Scottish Executive. How pleased will the Scots be to have an expensive and ill-conceived UK-wide system forced upon them, in a new West Lothian twist?

WILL MERCHANTS USE GBUY?

I thought the following excerpt from a thoughtful piece by Steve Bryant at eWeek‘s GoogleWatch might interest you.  Steve is led to consider the Third Law of Identity – Justifiable Parties: 

Why does Google want to automate the advertiser click cycle and make it as fast as it possibly can? 

The first reason is obvious: Google makes money on click conversions. The more clicks done quickly, the more money for Google, and the happier the advertiser.

The second reason is that by automating the click cycle, Google will be vastly improving the efficacy of its search results, and how searches correlate with AdWords. Unlike destination sites that measure success by how much time is spent on a page, Google measures success by how quickly a user navigates off Google. The company is constantly testing out data centers to see which center returns the best results that get users off Google quicker.

There are other reasons: Google will begin compiling transactional data. That data alone, even without trending analysis, is worth billions. Google will also become the first company to own not only the method of advertising, but also the data on what advertising works best. Perhaps most importantly, GBuy, when combined with Google's new Cost Per Action feature, has the potential to significantly reduce click fraud.

But there's the rub. Will merchants actually use GBuy?

Of course, you say, why would they not? You could use Google for everything! AdWords, Page Creator, Analytics, GBuy … it's a virtuous circle of Googledom. And yes, even a curmudgeon like me is attracted to the idea of one Google to rule them all.

But let's not forget this has been tried before. It was called Yahoo PayDirect. Yahoo started the service as a competitor to PayPal. Unlike Google, Yahoo had a product incentive for this service. That is, Yahoo had a then-robust classifieds and auctions business that it wanted to tie PayDirect into. The math was simple: User browses Yahoo products, user buys with Yahoo system, Yahoo gets profit. PayDirect was free (most of the time), but it didn't work. Yahoo folded PayDirect in 2004, mostly because PayPal simply owned the market.

Of course, Google has several competitive advantages that Yahoo did not have. But what Google doesn't have — and this is important — is product to sell.

The main reason PayPal succeeded was because eBay was developing at the same time. There was no other easy way to pay an auctioneer, so users turned to PayPal. The two companies became so closely intertwined that eBay decided to buy PayPal and integrate it directly. Purchasing PayPal made perfect sense. As a merchant, why would eBay want give another vendor control of its clients?

This is the challenge that Google faces with GBuy. If you talk to a lot of retailers, I think you'll hear them saying the same thing: “Why would I give Google control of my customer?” Google's not selling anything. And traditionally, the merchant takes payment for an item because it's the merchant — not Google — that has to fulfill the order.

Of course, there is a new breed of merchant online that just aggregates content and has no interest in owning customers at all. Think Shopzilla. For sites like those, perhaps GBuy is the golden ticket.

But back to the traditional merchants. Online merchants already track purchases made via Google AdWords. They've already bought software to track orders, or they've integrated a code into their inventory systems that correlates a sale with an AdSense referral. There's an entire marketplace of shopping cart software that's already integrated PayPal.

So the question inevitably becomes: If I'm a merchant, and I've already gone through the trouble of integrating PayPal, and PayPal is cheaper and it's trusted, why would I switch to GBuy?

One possible answer to that question is that GBuy is free for AdWords customers. Yes, that's a great incentive. But don't expect GBuy to eclipse PayPal with that feature alone. Companies with large marketing budgets will be advertising over multiple sites, not just with Google AdWords. Does it make sense to switch to GBuy for a 1-2 percent gain? Perhaps.

At any rate, the market will decide. I'm still cautiously optimistic about GBuy. If merchants can be incentivized by the potential to reduce click fraud, and if they're not leery of giving too much control to Google, perhaps they'll switch…

PEOPLE IN THE PROTOCOL

A nice post from identity guru Pete Rowley of Red Hat: 

I have been at the Burton Catalyst this week. At the reception I was discussing with Paul Trevithick about how I define user-centric identity. The phrase I use is “the people are in the protocol.” Though I wasn’t expecting it, the next day Paul was on a panel when he was asked what user-centric identity was and he quoted me. Cool, but then the next day another panel was asked about the quote and whether having people in the protocol was just a way of excluding other protocols and groups. Well since I wasn’t on the panel to answer that I thought I would take the opportunity to do so here.

When I say protocol I mean it in its broadest sense, in the sense that showing my driving license to a cop at a traffic stop and the cop returning it to me is a protocol. In that transaction I am in possession of the information, I have full knowledge of what information I would pass along to the cop, and I also have the choice of saying no – even if that might result in bad things happening. So people in the protocol means that rather than being an end node that may begin a transaction and perhaps be the recipient of the end results but with only vague or even no information about the information passed in the transaction, they are rather a conduit for all identity decisions in an environment of informed consent. This necessarily means that the protocol must pass through the user, or in other words appear on the screen and be approved by the user. That is an architectural philosophy that results from Kim Cameron’s laws of identity and it is a necessary one in order to gain user buy in. It is also just the right thing to do.

It turns out that it really isn’t hard to architect identity systems to include freedom and choice, but it might not be what one would create if the issue were never considered. It is also not too difficult to re-architect to take account of the philosophy – some work has already begun in SAML for example. Putting people in the protocol is the first step towards providing a scaleable identity framework that takes account of the requirements of the important part – the person. The first step towards treating the users of identity systems with respect.

DEPERIMETERIZATION AT 1 RAINDROP

Seems like Gunnar Peterson of 1 raindrop finds the intersection of InfoCard and Federation as interesting as I do.  And in resonance with my recent post on enterprise identity management, his taxonomy includes the fascinating “deperimeterization” – I see that while I wasn't working he's done a whole much of good work on this.

Ping is set to demo its new Infocard authentication + federated SSO at Catalyst.

A user authenticates to a healthcare portal leveraging a self-asserted InfoCard. The user’s credentials are validated by a Java InfoCard Server built by Ping Identity. PingFederate is then used to enable federated single sign-on to a remote Web site without a redundant user authentication.

Pinginfocarddemo

 

There are a number of interesting aspects here including proving out Identity Law 5, which is, of course, Pluralism of Technologies and Operators, jacking InfoCards assertion into the federation network through the WS-Trust backplane, and the ability of InfoCards to help to strengthen the authentication process, for example through a smart card and then have that assertion carried through the system, Brian Snow:

Consider the use of smartcards, smart badges, or other critical functions. Although more costly than software, when properly implemented the assurance gain is great. The form factor is not as important as the existence of an isolated processor and address space for assured operations – an “Island of Security” if you will.

An island of security in a networked world, now there is a future worth inventing.

Is it really an island?

TIARA.ORG – A MAJOR IDENTITY SITE

O.K.  I've hit a gold mine.  It's called Tiara.org.  Who or what is Tiara?  “A PhD student in the Department of Culture and Communication at NYU, studying social technology from a feminist perspective.”  Go to her “About me” page and it has everything except… a name – at least in a form straightforward enough to come up in a search engine.  So for me she's just Tiara.

Tiara has assembled a spectacular identity bibliography.  I'm going to ask if she'll let me put it up on identityblog – with credit to her, of course.

It turns out Tiara had blogged about the Times’ Facebook story over the weekend.  Somehow through the miracles of ping-backs this floated past my desktop:

Kim Cameron, the architect of MS’ Infocard Identity Metasystem, which I’m not at all a fan of, writes a great post on Facebook and the globalization of identity, based on the NYT article I blogged over the weekend.

Wow.  Such a smart person is not a fan of the identity metasystem.  I need to find out more about this.  None the less, we seem to agree when it comes to some of the issues raised in the Facebook article.  After quoting my piece, she continues:

Beautiful point: Facebook (& MySpace) are extremely performative communities, where the values being espoused– being cool, being “hard”, being sexy, being transgressive, being resistant– are those of mythical teenage worlds. There’s not just a generation gap between teens/young adults and their future possible bosses, there’s a culture gap between the “professional world”, where we’re not really supposed to have any sort of interesting personal lives (witness the furor over academic blogging), and the “online world”, where we’re supposed to be larger-than-life (microcelebrity again!).

I also like Cameron’s point about companies not being “invited” into these worlds. I definitely feel that Facebook is a private community, and I don’t go poke around looking for my undergraduate students, because it’s none of my business what they do in their private lives. But, again, as I said the other day, there are no regulations about searching social networking sites (or even just Google) , and there aren’t likely to be. The justification that it’s public information trumps the contextualization argument.

I talked to someone else recently who said that their local sheriff’s office uses MySpace as a first resource whenever they are looking for something or bringing someone in — of course it’s a young receptionist who does the searching. And universities like UC Santa Barbara are formulating specific policies to discipline students based on their Facebook information. So although I agree with Cameron, it’s really irrelevant. As long as sites like MySpace and Facebook are viewed as public information, they will not enjoy any type of protection from authorities or employers.

It's not really irrelevant.  There are a lot of issues buried here, and I'm not about to give up the ghost on them. 

One question I have is whether it is possible for an operator to provide access to a site for specific reasons – and prevent it for others.  In other words, is it possible to require those entering a site to sign a binding statement of use?  Can liability be associated with breaking such an agreement? 

Let's go further.  Is it possible to prevent usage of a site for commercial purposes, or purposes of employment, or in the interests of an employer? 

I'm going to be at the identity mashup hosted by Berkman Center for Internet and Society at the Harvard Law School next week.  I'll should probably be able to find a few (hundred) lawyers there.  I'll try to find out more about these issues. 

But as Tiara says in her own interesting post on the matter:

So what’s “the solution”? I’ve heard three:
1. Young people should stop putting content online.
2. Recruiters and employers shouldn’t use Google or Facebook to research potential candidates (don’t hear this one very often, although you’d think in a country where it’s illegal to ask people to include a snapshot with their resume, there might be potential room for legislation here).
3. We just have to wait until there’s no longer a divide between your “work” persona and your “life” persona. I know this sounds stupid, but I heard it from the CEO of Facebook.  (Tiara heard it from the CEO of Facebook??? – Kim)

And here’s what’s actually happening: People are obfuscating personal data by using pseudonyms that can only be identified within situated, contextual networks, or by using services which allow them to restrict who can view their personal information. This is really the only one of these solutions which makes any sense.

O.K.  So we totally agree.  Contextual separation is one of the main concepts behind the identity metasystem.  I suspect she has impressions of what we are trying to do that just aren't accurate.

In truth, InfoCards and the metasystem have been designed to enable privacy while still being able to make provable assumptions.  For example, the system can be used to allow you to limit access to your site to full-time students – and recognize them when they return – without actually knowing their names or exposing their identities to the digital grim reaper.  The very problems Tiara worries are not solvable, are actually some of those addressed by this system.

And in truth, they have to be addressed if the resulting infrastructure is to be consistent with the “third law of identity”.  Identity information should only be available to relevant parties.  As an industry we need to think about how the virtual fabric will work and offer people separation of context – or there will be a further and terrible erosion of confidence in cyberspace by those who constitute its future inhabitants.

GUIDANCE AND TEST PLAN FOR RELYING PARTIES

I got a note recently from federation master Mike Beach – a man with a great deal of experience in terms of how users react to security:

Is it just me or does your site have an invalid cert.  When I attempt to
login using my new Infocard in IE7 I get the infamous “warning, go back, do
not enter, danger ahead” and things go all red (really more pink).

Given the primary drivers of Infocard are to save us from all the web evils
of today it would seem this is contrary reinforcement when I must ignore all
the security warnings to log in.

I thought, “That's weird.  I don't get that problem.”  – you know, the ancestral “That's funny.  It doesn't happen on MY box.”  But of course it really was happening to Mike, so I wrote back and asked if he could send some screenshots.  It turned out this wasn't necessary – he had already figured out the problem.

He had been visiting identityblog using this URL:  https://www.identityblog.com/.  

When he clicked on Login he was redirected to https://identityblog.com/wp-login.php.  

But my certificate is limited to https://www.identityblog.com/.  Therefore IE (correctly) saw Mike's identityblog.com and the certificate's www.identityblog.com as being different – resulting in the redish bar.  It looked like this:

 

That's enough to confuse anyone.  So clearly, redirecting to something that isn't consistent with your certificate is a no-no.  I was setting up an experience that would undermine my user's understanding of what was happening to her, breaking law six.  I should have been checking and redirecting to www.identityblog.com even if the user didn't supply the “www”.  Strangely, I had done the Dashboard link correctly – it was only the Login link that had the error.

All of which goes to show there are a set of gotchas that we have to nail down in terms of establishing prescriptive guidance for how a site should deal with these issues in order to be consistent.  We need a checklist – or better still, a test plan.  A wiki would be a good way to elaborate this.

Another big takeaway is that an identity 2.0 relying party has an obligation to make sure it doesn't do things that send mixed signals (in my case, nice InfoCard experience but big red warning bar in IE).  Everyone has to co-operate with the goal of not confusing the user.

It's worth pointing out that none of this is primarily an InfoCard problem.  The same considerations apply to any use of https.  But in the InfCard case we want to make sure we have the deployment practices nailed down to a higher level than has previously been the case.