Category: Privacy

Whobar identity 2.0 technology now available as open source

Not only does Whobar support InfoCards and related identity technology, but check this out:

Sxip is pleased to release the Whobar code to the community.

Whobar makes it easy for users to register and login to a website using their choice of emerging identity protocols such as InfoCard, i-names, and OpenID. It enables developers to easily add support of all these emerging Identity 2.0 technologies to their site. The benefits of this for users is a common website login experience. For web developers, to streamline their user registration and login process so that they don’t need to store user passwords, nor users needing to remember yet another password, thereby improving site conversion ratios. Future releases will also allow users if they so choose, release data about themselves with a single click.

Given the interest shown at the recent DIDW and Future of Web Apps conferences from Phil Windley, Rafe Needleman, and others in the community, we’ve made the Whobar technology available as open source. Whobar is written in PHP, but works like a proxy, so that the web application can be in any language. However, we’ve also been contacted by several developers interested in contributing a port to C#/.NET so stay tuned for additional modules. If you’re interested in getting involved, please check out our contributing page.

Congratulations to the SXIP team.  When I saw this at the DIDW conference I thought it was amazing.  I'll do a video capture over the next few days so those who haven't downloaded Cardspace or a Chuck Mortimer / Ian Brown identity selector can see what it's all about.

What a silo used to be…

Dave Winer at Scripting News brings us this.  The funny thing is, I actually had to cheat and read the HTML IMG tag to figure out that the tall cylinder in Dave's picture is a silo! 

I just saw it as a graphic of a barn, and wondered, “Why is Dave Winer putting a barn on his blog?  Has he run out of pictures?”

In my shrinking mind, the word “silo” had been totally disconnected from its original meaning, and usurped by the very notion of segregated technology realms that Dave is telling us about.  So the farm thing didn't register.

Doc talks about a Vendor Management Systems, to balance the other side’s Customer Management Systems. I, of course, like. A prototype for this is a movie review system where I own and control my data. Today, I rate movies on Netflix and Yahoo, but I can’t get them to share the data with each other, so they make recommendations without info the other one has. If I had a place where I kept my movie ratings and gave each of them a pointer to it, they could read it and I would control the data. It would be very easy to set up, the technology is no trick at all. The hard part is getting enough users to do it this way to gain critical mass. This is also the idea behind Edgeio and Marc Canter’s People Aggregator. Open systems, users own the data, silos smell of sulfur.

This is exciting stuff – I'm talking Identity Big Bang content.

The way I read Doc's ideas, he's talking about a real inversion of what advertising is and means.  Instead of suppliers advertising what they want us to buy (by spamming our attention), we'll advertise what WE want to buy, and suppliers will make us offers.  Sounds a lot more efficient to me.  What am I missing?  Why doesn't everyone want to do this?

Maybe because a lot of what advertising is about is getting us to want things we don't know we want.  But even that can be done in other better ways too.  Like by producing cool things and having them explode into discussion.  Doc said this too, didn't he:  Markets are conversations.

 

Could the world be upside down?

In my last post I shared Jon Udell's conversation about “translucent databases” as a way to protect us from identity catastrophies.  He mentions a lender (e.g. Prosper) who needs information from a credit bureau (e.g. Equifax) about a borrower's reputation.

I'll start by saying that I see the credit bureau as an identity provider that issues claims about a subject's financial reputation.  The lender is a relying party that depends on these claims.

The paradigm currently used is one where the borrower reveals his SSN (and other identifying information) to the lender, who then sends it on to the credit bureau, where it is used as a key to obtain further reputation and personal information.  In other words, the subject deals with the lender, and the lender deals with the credit bureau, which returns information about the subject.

There are big potential problems with this approach.  The lender initially knows nothing about the subject, so it is quite possible for the borrower to pose as someone else.  Further, the borrower releases someone's SSN to the lender – as each of us has given ours away in thousands of similar contexts – so if the SSN might once have been considered secret, it becomes progressively better known with every passing day.

What's next?  The lender uses this non-secret to obtain further private information from the identity provider – and since the user is not involved, there is no way he or she can verify that the lender has any legitimate reason to ask for that information.  Thus a financial institution can ask for credit information prior to spamming me with a credit card I have not applied for and do not want.  Worse still, as happened in the case of Choicepoint, an important opportunity to determine that criminals are phishing for information is lost when the subject is not involved.

Jon proposed ways of changing the paradigm a bit.  He would obfuscate the SSN such that a service operated by the user could later fill it in on its way from the lender to the credit bureau.  But he actually ends up with a more complex message flow.  To me it looks like the proposal has a lot of moving parts, and makes us wonder how the service operating on behalf of the user would know which lenders were authorized.  Finally, it doesn't answer Prosper's claim that it needs the SSN anyway to submit tax information.

Another simpler paradigm

 I hate to be a single trick pony, but “click, clack, neigh, neigh”.  What if we tried a user-centrilc model?  Here's a starting point for discussion:

The borrower asks the lender for a loan, and the lender tells him which credit bureaus it will accept a reputation from. 

The borrower then authenitcates to one of those credit bureaus.  Since the bureaus know a lot more about him than the lender does, they do a much better job of identifying and authenticating him than the lender can.  In fact, this is one reason why the lender is interested in the credit bureau in the first place.

The credit bureau could even facilitate future interactions by giving the subject an InfoCard usable for subsequent credit checks and so on.  (Judging by the email I constantly get from Equifax, it looks like they really want to be in the business of having a relationship with me, so I don't think this is too far-fetched as a starting point).

After charging the borrower a fee, the credit bureau would give out a reputation coupon encrypted to the lender's key.

The coupon would include the borrower's SSN encrypted for the Tax Department (but not visible to the lender).  The coupon might or might not be accompanied by a token visible to the borrower;  the borrower could be charged extra to see this information (let's give the credit bureaus some incentive for changing their paradigm!)

When the lender gets the coupon, it decrypts it and gains access to the borrower's reputation.  It stores the encrypted version of the borrower's SSN in its database (thus Jon's goal of translucency is achieved).  At the end of the year it sends this encrypted SSN to the tax department, which decrypts it and uses it as before.  The lender never needs to see it.

All of this can be done very simply with Information Card technology.  The borrower's experience would be that Prosper's web site would ask for an Equifax infocard.  If he didn't have one, he could get one from Equifax or choose to use the oldworld, privacy-unfriendly mechanisms of today.

Once he had an InfoCard, he would use it to authenticate to Equifax and obtain the token encrypted for Prosper.  One of the claims generated when using the Equifax card would be the SSN encrypted for the Tax Department. 

When you use an Information Card, the identity selector contacts the identity provider to ask for the token.  This is how the credit brueau can return the up-to-date status of the borrower.  This is also how it knows how to charge the borrower, and possibly, the lender.

InfoCard protocol flow

In my view, the problem Jon has raised for discussion is one of a great many that have surfaced because institutions “elided” users from business interactions.  One of the main reasons for this is that institutions had computers long before it could be assumed that individuals did. 

It will take a while for our society to rebalance – and even invert some paradigms – given the fact that we as individuals are now computerized too.

Pretexting and Privacy

I've never seen Craig Burton write about privacy before.  Clearly he's had enough of the recent goings-on: 

  1. I was listening to Talk of the Nation on National Public Radio this afternoon. There was a good discussion going on sparked by the fiasco that happened at HP the last few weeks. Since I cover lexicon, identity, and security, I thought it would be a good idea to cover some of the conversation.
  2. What has emerged new to the general conversation is the term “pretexting”. This is the practice that investigators–both private and internal–use to pretend that they are someone else to obtain personal information from service companies. This includes, the phone company, cell phone companies, banks, utilities, county ownership records, and other private and public agencies.
  3. This is not a new term, but one that is getting public recognition as a result of the HP fiasco.
  4. According to the conversation that I heard, there is a synonymous term in the hacker community for pretexting called “social engineering.” There are some states that have made pretexting and social engineering illegal. California, Tennessee and Florida are exceptions maybe. This is a gray area and is only coming to light after these events.
  5. The previous hacker turned consultant in the conversation is the author of the book The Art of Deception.
  6. Here is my take on this. The government and agencies are not going to be able to cope with this problem. This means that it is your responsibility to protect yourself. There are a few major areas that you can focus on that will help you.
  7. Use InfoCards for login when you can. I admit this is new stuff, but it is fundamental in protecting your information from phishing and hijacking. InfoCard technology will change the future of hackers and thieves. You can support this by understanding it and using it.
  8. Stop using common methods of identification. Your social security number, you mother's maiden name and your birth place are redily accessible to social engineering agents.
  9. Use encryption for your data and emails. There are several technologies that will help you with this. You can do it at work and for your personal emails where needed. Without encryption, you have to assume that your emails are totally accessible to anyone who wants them. The current email technology is hackable and in clear text that is readable by anyone.
  10. You have to assume that at work, there are people keeping track of what you do with your computer. This is an issue, but you can also understand that your employer probably doesn't have the resources to look that closely at what you do.
  11. However, they also had a guy on the program that was being offered a job–a high profile and high paying job–that was revoked after the person had some email conversations about the terms of employment with his attorney. The company actually monitored his email conversations and gave him the choice of resigning or being fired as a result of the interchange. Scary.

Ms. Dunn at HP has struck a deal with the HP board to resign as a result of the press and fiasco. Did she know what the legal dept. was doing? Probably not. My opinion is that she should have found out on an issue of this importance at that she should probably step down now and not later.

I appreciate his comment about the role of Cardspace. 

And while we're talking about Craig, Has everyone seen his recent Poser sculpture entitled, “If I just give this Web 2.0 bubble a flick, nobody will get hurt, right?“:

JP Rangaswami on how the OSP “feels”

A number of people have been writing good things about the Open Specification Promise.  The expression of good will speaks volumes about why I continue to love this milieu, and the people in it.

Your personal support in moving our work forward means a lot to Mike Jones and me.

I'm certain it will influence the way events unfold in the future.

Take a look at this piece by JP Rangaswami, author of Confused of Calcutta. I think he expresses what a lot of people are feeling. 

Ambrose Bierce, in The Devil’s Dictionary, defined a cynic as follows:

A blackguard whose faulty vision sees things as they are, not as they ought to be. Hence the custom among the Scythians of plucking out a cynic’s eyes to improve his vision.

Many years later, Albert Einstein defined common sense as “the collection of prejudices acquired by age eighteen”.

As I grow older, I realise that however hard I try to keep an open mind, and to learn, I land up with anchors and frames and perspective-biases that I don’t always know I have. Which means that sometimes I have to work hard to ensure that I don’t lapse insidiously into cynicism.

So you can understand why I had to work very hard indeed when analysing the Microsoft Open Specification Promise that was published yesterday. If you’re interested in the subject, then please do check out Kim Cameron’s blog hereDoc’s piece at IT Garage (where he asks for your opinion as well) and Phil Windley’s blog here, along with Becker and Norlin’s Digital ID World blog at ZDNet.

Microsoft are not known for their pioneering approaches in the opensource world. Identity is one of the three big issues that affects our ability to deliver the promise of today’s technology (the other two are Intellectual Property/Digital Rights and the “internet”, with or without Stevens’ Tubes). A valid solution for identity pretty much needs Microsoft’s support and that of its legions of lawyers.

And so we come to the Open Specification Promise. My early reactions? I think Kim Cameron and his team have done a brilliant job at pulling this off and getting something workable past the lawyers’ cynosure.

If you want to understand it, and don’t particularly feel like wading through “implication, exhaustion, estoppel or otherwise” (and who could blame you?), then skip the legalese and go straight to the Frequently Asked Questions section. I quote from the FAQs:

  • The Open Specification Promise is a simple and clear way to assure that the broadest audience of developers and customers working with commercial or open source software can implement specifications through a simplified method of sharing of technical assets, while recognizing the legitimacy of intellectual property.
  • We listened to feedback from community representatives who made positive comments regarding the acceptability of this approach.
  • Q: Why did Microsoft take this approach?
  • A: It was a simple, clear way, after looking at many different licensing approaches, to reassure a broad audience of developers and customers that the specification(s) could be used for free, easily, now and forever.
  • Q: How does the Open Specification Promise work? Do I have to do anything in order to get the benefit of this OSP?
  • A: No one needs to sign anything or even reference anything. Anyone is free to implement the specification(s), as they wish and do not need to make any mention of or reference to Microsoft. Anyone can use or implement these specification(s) with their technology, code, solution, etc. You must agree to the terms in order to benefit from the promise; however, you do not need to sign a license agreement, or otherwise communicate your agreement to Microsoft.
  • Q: What is covered and what is not covered by the Open Specification Promise?
  • A: The OSP covers each individual specification designated on the public list posted at http://www.microsoft.com/interop/osp/. The OSP applies to anyone who is building software and or hardware to implement one or more of those specification(s). You can choose to implement all or part of the specification(s). The OSP does not apply to any work that you do beyond the scope of the covered specification(s).

We have a long way to go before we can solve all this. We’re not going to solve all this unless we stop acting like cynics. So let’s get behind Kim Cameron on this and see what happens. That’s what I’m going to do.

An aside: Why can’t legal agreements be written like FAQ sections? Is there a law against it?

That's very generous, JP – although in fairness, I want to give the lawyers – from Microsoft as well as the open source world – full credit for getting behind this and making it real.

Friends, let's not stop until we get to the identity big bang.  Let's all keep our concentration.  Let's knock down the wall between us and the coming virtual reality.  Let's make it possible to know who we're dealing with on the Internet – when that is appropriate.  And let's do all this in a way that cradles our privacy.

What you have versus what you are

 Ralf Bendrath sees biometrics as being about “what you have” (had?) rather than “what you are”.

Kim Cameron at Identityblog picked up on Jerry Fishenden's post on the problems of biometrics (by the way: Jerry will speak at our privacy workshop in Athens, see below). He again brings up the story from Malaysia, where some brutal car thieves cut off the index finger of a Mercedes owner in order to circumvent the biometric engine lock. First of all, the thieves could have had it much easier, also without having to carry around a rotting finger. With a bit more high-tech, in the future they could maybe just read the fingerprint out of the car owner's passport.

But more important, this case shows the problems with identity and how hard it is to proof to a machine who you are. It is often based on the classic trinity of authentication, which either can be done by something you have (a key, a USB dongle, a chipcard), something you know (a password, a PIN, your mother's maiden name), or something you are (your fingerprint, your retina). There are of course other possible authentication factors, but these are the most common.

This story makes clear that “what you have” is much clearer than “what you are”. I would prefer saying “I have ten fingers” instead of “I am ten fingers”. “What I am” relates more directly to my personality / identity than “what I have” or “what I know”. It is a story, a flowing amorphous thing, changing from context to context and over time. Of course, you can break it down to some extent to single pieces of data (address, date of birth, employer, email, favourite mp3s, …) – but this is all not good for authentication purposes, as most of it is not really secret. “What I know” can be secret, and as Jerry Fishenden points out in his post, could be linked to “what I have” in order to have multi-factor authentication. But it again is not the same as “what I am”.

Biometrics therefore is more about what I have than what I am. The only difference is that it can't be stolen as easily as a car key or a passport. Fingers can be cut off, but faces? Ok, Hollywood was always ahead of us.

Last open question: Can “what you have” also be said about the way you walk? Probably not. But is that really what you are?

Giving identity thieves the finger

Jerry Fishenden has been posting about biometrics recently, and I'll comment on the issues over the next little while. But before we get there, just to put everything in perspective, here's a piece from the BBC, quoted by Jerry, that I missed when it first came out.

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb.

The gang, armed with long machetes, demanded the keys to his car. It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off.

But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road – but not before cutting off the end of his index finger with a machete.

Police believe the gang is responsible for a series of thefts in the area.

Note to self:  don't purchase technology based on retinal scans.

Future discussion:  not only “things you are” but “things you know” can ultimately expose you to harm.

P.S.  Who would ever buy an S-Class?

 

Protect yourself from your credit cards

Via a cool Digg, a pointer to a holding action that uses brute force to apply the Fourth Law of Identity:

The Emvelope® Wallet Insert is an innovative, patent-pending product that provides a simple, convenient, and easy way to contain the wireless signals being emitted by RFID chips. Simply place the insert into the bill area of your wallet and press firmly around the edges. Close the wallet and you'll have a Faraday Cage small enough to slip in your pocket. Don't let the size and simplicity fool you. Emvelope® inserts will block RF frequencies up to 2.4Ghz. More than enough to insure your safety.

Now if you travel, don't stop with your wallet. The handy passport accessory shown here will protect you from your passport.

Rumor has it the company is working on an insert for hats as well.   

Aggregation through a single identifier

Through the miracle of pingbacks I just came across Terrell Russell's blog, This Old Network.   Poking around, I was led to his cool proposal for MicroIDs, which I like and will discuss later.  I also found many interesting pieces, including today's interesting reflection related to issues addressed in my fourth law of identity:

First, our friend the search engine…

Search data recently released from AOL allows anyone with some intrepid follow-up skills and some social engineering to quickly narrow in on unique individuals – individuals who never considered their independent searches were being aggregated by their ISP. A recent flurry of activity designed to protect us from the search engines signals a slumbering uneasiness with this situation. Something dark has been uncovered and in the short term there is much handwaving and interest. However, as time passes, we’ll fall back into our ‘normal’ ways and continue to put our most personal information-seeking into that gloriously simple bare single box. “It’s just too convenient”, you say. “They’ve done nothing wrong.”

And here’s where the discussion changes. It’s not about Google. Or MSN. Or Yahoo. It’s about one person. Or one subpeona. The fact that it’s all being aggregated is the problem. The fact that there’s a potential for negligence, court-order or simple employee curiosity has profound implications for a great number of people. That is what makes this discussion so important.

Note that the reason employees could inappropriately access sensitive information was because it was sitting in databases they could get to – not because it was present on a card in someone’s wallet. 

Centralized databases worry me way more than any other aspect of this technology.

– Kim Cameron

We need to understand that our daily breadcrumbs – our attention – our personal interests in where we’re going and what we’re looking for and what we’re buying, are all being sucked up and stored with a unique identifier. We need to realize we’re broadcasting our attention and that it has great value to those who would suck it up. Inform yourself and make a conscious decision about where you spend your time and what you look for. You’re not alone while you surf. AOL has shown us the light.

And onto IM…

Most users think they’re anonymous behind their instant messenger accounts. They think their words aren’t being recorded. You think your friend on the other end of the IM doesn’t have her auto-logging turned on? And that it’s not fully searchable later? Severe paranoia and tin-foil hats notwithstanding, you’re being very naive.

And that’s just your friends. How about when the person on the other end reports you?

Earlier this week the UK government-funded Child Exploitation & Online Protection Centre announced a partnership with Microsoft Messenger. Messenger will be putting a button on the toolbar to allow any user to ‘report abuse’ to the authorities. This is a dangerous precedent. How is this any different than the Terrorist Information and Prevention System (TIPS) program proposed by the US back in 2002?

How much money will be tied up in the next 12 months because of this trigger being too easy to pull? How many prank reports will eat through the government funding? How will danah boyd react to the feeding frenzy this will create once the first one is ‘caught’?

Be aware of what you project. Be aware that this is a global medium. Be aware that it’s being broadcast and recorded. This Internet thing will be around for a while.

This should give those who think that maybe we should just back off identity issues and let things take “their natural course”, reason for pause.  I certainly hope that the “panic button” referred to above is limited to use within communities whose members consent to it.

 

David Weinberger – lover of the status quo?

David Weinberger at Joho the Blog has a thoughtful piece on privacy and anonymity that more or less wraps up the ongoing thread between him, Eric Norlin, Ben Laurie and others including myself.

It's long and detailed, so I suggest you check it out at Joho (don't get distracted by his piece about Snakes on a Plane.) 

While I have the chance I'll mention that I really don't like the way David uses the phrase “real world” – and counterposes it to the Internet. 

But here's what I wanted to discuss:

My fear is that we are in the process of building a new platform for identity in order to address some specific problems. We will create a system that, like packaged software, has defaults built in. The most important defaults in this case will not be the ones explicitly built into the system by the software designers. The most important defaults will be set by the contingencies of an economic marketplace that does not particularly value anonymity, privacy, dissent, social role playing, the exploration of what one is ashamed of, and the pure delight of wearing masks in public. Economics will drive the social norms away from the social values emerging. That is my fear.

Economics will drive the social norms?  Why isn't it possible that social behavior will also drive our economics?  Is there a cluetrain?

An obvious example might be the ability to market more effectively without ANY personally identifying information about an indvidual.  This sounds counterintuitive until you take into account the fact that people are willing to reveal more about themselves – and their needs – when they are not individually identified.

I have confidence that the people designing these systems are going to create the right software defaults. The people I know firsthand in this are privacy fanatics and insistent that individuals be in control of their data. This is a huge and welcome shift from where digital ID was headed just a few years ago. We all ought to sigh in relief that these folks are on the job.

I'm not sure if fanatics is the right word. Once you see that privacy is security from the point of view of the individual, then it just becomes a normal part of security modelling. 

But, once these systems are in place, vendors of every sort will of course require strong ID from us. If I want to buy from, say, Amazon, they are likely to require me to register with some ID system and authenticate myself to them…far more strongly and securely than I do when I pay with a credit card in my local bookstore. Of course, I don't have to shop at Amazon. But why won't B&N make the same demand? And Powells? And then will come the blogs that demand I join an ID system in order to leave a comment. How long before I say, “Oh, to hell with it,” and give in? And then I've flipped my default. Rather than being relatively anonymous, I will assume I'm relatively identified.

Where is the proof for this?  Vendors will want to do whatever lets them sell most effectively.  Pseudonymous relationships, as I mentioned above, may well be perfect for this.  Amazon sells to me by knowing what I like to read and watch – not by knowing my name.  Next generation credit and delivery systems will allow us to purchase without revealing anything about who we are or where we live to the merchant. 

With an identity platform in place, a payment transaction can be a one-time transaction guaranteed by a bank.  No name or credit card number is necessary.

WIth an identity platform in place, delivery can be done by giving the merchant a one-time transaction number linked to my Fedex account – without the merchant needing to know where I live or take responsibility for product delivery.

Why would merchants want to keep all the liability of the material world if they can reduce their costs and increase their sales by moving on into the virtual one?  Doesn't that sound real? 

Does that matter? I think it does, for the political, social and person reasons mentioned above. Don't make me also argue against being on one's best behavior and against being accountable for everything one does! I'm willing to do it! I will pull this car over and do it! Just try me!

The basic problem is, in my opinion, that the digital ID crew is approaching this as a platform issue. Most places on the Web have solved the identity problem sufficiently for them to operate. Some ask for the three digits on the back of your credit card. Some only sign you up if you confirm an email. Some only let you on if you can convince an operator you know the name of your first pet and the senior year season record of your high school's football team. Sites come up with solutions as needed.

David, David, David.  You think the current situation is so good for your privacy?  You like the increasing proliferation of personally identifying information that characterises the current technology?  You're happy with the way enterprises and governments build their centralized systems?  They aren't.  Everyone realizes that our current ways of doing things are too dangerous – and much of that comes from the fact that we have been forced to store information we don't need precisely because there has been no identity platform.

Good. Local solutions to local problems are less likely to change norms and defaults. But the push is on for an identity management platform. It's one solution — federated, to be sure — that solves all identity problems at once. If you want to change a social default, build a platform. That's not why they're building it, but that will (I'm afraid) be the effect. It's not enough that anonymity be possible or permitted by the platform. The default isn't about what's permitted but about what's the norm. If the default changes to being naked at the beach, saying, “Well, you can cover up if you want to,” doesn't hide the fact that wearing a bathing suit now feels way different. Yes, there's something wrong – and distracting – about the particulars of this analogy. But I think the overall point is right: We're talking about defaults, not affordances.

There are serious problems caused by weaknesses in current identity solutions. Identity theft is nothing to sneer at, for example. But are we sure we want to institute a curfew instead of installing better locks?

Is it better to have been born, or not to have been born? (Yes, I know what the ancients said.) 

There are dangers – do we therefore have to submit to a long sleep?