Diagram 2.0: No hub. No center.

As I wrote here, Mary Jo Foley's interpretation of one of the diagrams in John Shewchuk's second WAAD post made it clear we needed to get a lot visually crisper about what we were trying to show.  So I promised that we'd go back to the drawing board.  John put our next version out on twitter, got more feedback (see comments below) and ended up with what Mary Jo christened “Diagram 2.0”.  Seriously, getting feedback from so many people who bring such different experiences to bear on something like this is amazing.  I know the result is infinitely clearer than what we started with.

In the last frame of the diagram, any of the directories represented by the blue symbol could be an on-premise AD, a Windows Azure AD, something hybrid, an OpenLDAP directory, an Oracle directory or anything else.  Our view is that having your directory operated in the cloud simplifies a lot.  And we want WAAD to be the best possible cloud directory service, operating directories that are completely under the control of their data owners:  enterprises, organizations, government departments and startups.

Further comments welcome.

Good news and bad news from Delaware Lawmakers

Reading the following SFGate story was a real rollercoaster ride: 

DOVER, Del. (AP) — State lawmakers have given final approval to a bill prohibiting universities and colleges in Delaware from requiring that students or applicants for enrollment provide their social networking login information.

The bill, which unanimously passed the Senate shortly after midnight Saturday, also prohibits schools and universities from requesting that a student or applicant log onto a social networking site so that school officials can access the site profile or account.

The bill includes exemptions for investigations by police agencies or a school's public safety department if criminal activity is suspected.

Lawmakers approved the bill after deleting an amendment that expanded the scope of its privacy protections to elementary and secondary school students.

First of all there was the realization that if lawmakers had to draft this law it meant universities and colleges were already strong-arming students into giving up their social networking credentials.  This descent into hell knocked my breath away. 

But I groped my way back from the burning sulfur since the new bill seemed to show a modicum of common sense. 

Until finally we learn that younger children won't be afforded the same protections…   Can teachers and principals actually bully youngsters to log in to Facebook and access their accounts?  Can they make kids hand over their passwords?  What are we teaching our young people about their identity?

Why oh why oh why oh? 

 

Identity Management As A Service

A few weeks ago at the European Identity and Cloud Conference I gave a keynote called Conflicting Visions of Cloud Identity. It was the first time that I reported publicly on the work I've been doing over the last year on understanding what cloud computing means for identity – and vice versa.

The keynote led to many interesting exchanges with others at the conference. The conversations ranged from violent agreement to “animated dissidence” – and most important, to the discussion of many important nuances.

It became clear to me that a lot of us involved with information technology could really benefit from an open exchange about these issues. We have the chance to accelerate and align our understanding and to explore the complexities and opportunities.

So today I'd like to take a first step in that direction and lay out a few high level ideas that I'll flesh out more concretely in upcoming posts.  I hope these will goad some of you into elaborating, pushing back, and taking our conversation in other completely different directions.

Preparing for dramatic change

To me, the starting point for this conversation is that Identity Management and the way it is delivered will change dramatically over the next decade as organizations respond to new economic and social imperatives by adopting cloud technology.

We all need to understand this change.

Organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effect way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.

We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.

Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

Identity Management As A Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.

Redefining Identity Management

The term “Identity Management” will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world.  This is so profound that it constitutes a “reset”.

As a category, Identity Management will expand to encompass all aspects of identity:

  • registration of people, organizations, devices and services;
    management of credentials;
  • collection and proofing of attributes;
  • claims issuance;
  • claims acceptance;
  • assignment of roles;
  • management of groups;
  • cataloging of relationships;
  • maintenance of personalization information;
  • storage and controlled publication of information through directory;
  • confidential auditing; and
  • assurance of compliance.

The baseline capability of Identity Management will be to enhance the security and privacy of both organizations and individuals.

There will be a new market of next-generation identity management service providers with characteristics shaped by the importance of identity for both the protection of assets and the enhancement of relationships as we enter the era of the social enterprise.

Meanwhile, the current market for identity management products will be challenged by the simplification, cost reduction and increased innovation possible in the cloud.

Going forward, the term Identity Management As A Service will come up so often that we need an acronym.  For the time being I'm going to adopt the one my friend Eric Norlan proposed over six years ago : IDMaaS. While we're at it, it is worth looking at Eric's prescient article in ZDNet – he wrote it back in 2006 when he was a partner at Digital ID World. Eric reports on a conversation where Jamie Lewis (then CEO of the Burton Group) argued that “companies would find identity data too important to hand-over to others” – a view that certainly described the way enterprises felt at that time.  These issues are still critically important, though many profound evolutions have, I think, transformed the variables in the equations.  These new variables will be ones we want to drill into going forward.

Microsoft and IDMaaS

One of the reasons I want to share my thoughts about Identity Management as a Service now is that they constitute part of the theoretical framework that lies behind many of the decisions about the kind of organizational identity service we at Microsoft are offering. 

I'm therefore really excited to say that today we are able to start bringing you up to speed on exactly what that is.  Here's a quote from today's blog post by my close colleague and friend John Shewchuk, the Technical Fellow who plays a key role in getting our cloud identity offering engineered right: 

What is Windows Azure Active Directory?

We have taken Active Directory, a widely deployed, enterprise-grade identity management solution, and made it operate in the cloud as a multitenant service with Internet scale, high availability, and integrated disaster recovery.

Since we first talked about it in November 2011, Windows Azure Active Directory has shown itself to be a robust identity and access management service for both Microsoft Office 365 and Windows Azure–based applications.

In the interim, we have been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.

The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization’s Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within your organization, the Active Directory service that is available through Windows Azure is your organization’s Active Directory. Because it is your organization’s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn’t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud.

Meanwhile, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your information.

John's post is called Reimagining Active Directory for the Social Enterprise.  It's done in two parts, and following that John will join into our broader conversation about the identity management reset.   I hope the combination of our two blogs can help animate an industry-wide discussion while providing a specific channel through which people can get the information they need about Microsoft's identity service offering.

Later this week:  The Changing Model of Identity Management.  I hope to see you there.

 

Disintermediation: an Amazon parable

New York TImes Technology ran a story yesterday about the publishing industry that is brimming with implications for almost everyone in the Internet economy.  It is about Amazon and what marketing people call “disintermediation”.  Not the simple kind that was the currency of the dot.com boom;  we are looking here at a much more advanced case:

SEATTLE — Amazon.com has taught readers that they do not need bookstores. Now it is encouraging writers to cast aside their publishers.

Amazon will publish 122 books this fall in an array of genres, in both physical and e-book form. It is a striking acceleration of the retailer’s fledging publishing program that will place Amazon squarely in competition with the New York houses that are also its most prominent suppliers.

It has set up a flagship line run by a publishing veteran, Laurence Kirshbaum, to bring out brand-name fiction and nonfiction…

Publishers say Amazon is aggressively wooing some of their top authors. And the company is gnawing away at the services that publishers, critics and agents used to provide…

Of course, as far as Amazon executives are concerned, there is nothing to get excited about:

“It’s always the end of the world,” said Russell Grandinetti, one of Amazon’s top executives. “You could set your watch on it arriving.”

But despite the sarcasm, shivers of disintermediation are going down the spines of many people in the publishing industry:

“Everyone’s afraid of Amazon,” said Richard Curtis, a longtime agent who is also an e-book publisher. “If you’re a bookstore, Amazon has been in competition with you for some time. If you’re a publisher, one day you wake up and Amazon is competing with you too. And if you’re an agent, Amazon may be stealing your lunch because it is offering authors the opportunity to publish directly and cut you out. ” [Read whole story here.]

If disintermediation is something you haven't thought about much, you might start with a look at wikipedia:

In economics, disintermediation is the removal of intermediaries in a supply chain: “cutting out the middleman”. Instead of going through traditional distribution channels, which had some type of intermediate (such as a distributor, wholesaler, broker, or agent), companies may now deal with every customer directly, for example via the Internet. One important factor is a drop in the cost of servicing customers directly.

Note that the “removal” normally proceeds by “inserting” someone or something new into transactions.  We could call the elimination of bookstores “first degree disintermediation” – the much-seen phenomenon of replacement of the existing distribution channel.   But it seems intuitively right to call the elimination of publishers “second degree disintermediation” – replacement of the mechanisms of production, including everything from product development through physical manufacturing and marketing, by the entities now predominating in distribution.  

The parable here is one of first degree disintermediation “spontaneously” giving rise to second degree disintermediation, since publishers have progressively less opportunity to succeed in the mass market without Amazon as time goes on.  Of course nothing ensures that Amazon's execution will cause it to succeed in a venture quite different from its current core competency.  But clearly the economic intrinsics stack the deck in its favor. Even without displacing its new competitors it may well skim off the most obvious and profitable projects, with the inevitable result of underfunding what remains.

I know.  You're asking what all this has to do with identityblog.

In my view, one of the main problems of reusable identities is that in systems like SAML, WS-Federation and Live ID, the “identity provider” has astonishing visibility onto the user's relationship with the relying parties (e.g. the services who reuse the identity information they provide).  Not only does the identity provider know what consumers are visiting what services; it knows the frequency and patterns of those visits.   If we simply ignore this issue and pretend it isn't there, it will become an Achilles Heel.

Let me fabricate an example so I can be more concrete.  Suppose we arrive at a point where some retailer decides to advise consumers to use their Facebook credentials to log in to its web site.  And let's suppose the retailer is super successful.  With Facebook's redirection-based single sign-on system, Facebook would be able to compile a complete profile of the retailer's customers and their log-on patterns.  Combine this with the intelligence from “Like” buttons or advertising beacons and Facebook (or equivalent) could actually mine the profiles of users almost as effectively as the retailer itself.  This knowledge represents significant leakage of the retailer's core intellectual property – its relationships with its customers.

All of this is a recipe for disintermediation of the exact kind being practiced by Amazon, and at some point in the process, I predict it will give rise to cases of spine-tingling that extend much more broadly than to a single industry like publishing. 

By the time this becomes obvious as an issue we can also predict there will be broader understanding of “second degree disintermediation” among marketers.  This will, in my view, bring about considerable rethinking of some current paradigms about the self-evident value of unlimited integration into social networks.  Paradoxically disintermediation is actually a by-product of the privacy problems of social networks.  But here it is not simply the privacy of end users that is compromised, but that of all parties to transactions. 

This problem of disintermediation is one of the phenomena leading me to conclude that minimal disclosure technologies like U-Prove and Idemix will be absolutely essential to a durable system of reusable identities.  With these technologies, the ability of the identity provider to disintermediate is broken, since it has no visibility onto the transactions carried out by individual users and cannot insert itself into the relationship between the other parties in the system. 

Importantly, while disintermediation becomes impossible, it is still possible to meter the use of credentials by users without any infringement of privacy, and therefore to build a viable business model.

I hope to write more about this more going forward, and show concretely how this can work.

Robots reshaping social networks

In May I was fascinated by a story in the Atlantic  on The Ecology Project – a group “interested in a question of particular concern to social-media experts and marketers: Is it possible not only to infiltrate social networks, but also to influence them on a large scale?” 

The Ecology Project was turning the Turing Test on its side, and setting up experiments to see how potentially massive networks of “SocialBots” (social robots) might be able to impact human social networks by interacting with their members.  

In the first such experiment it invited teams from around the world to manufacture SocialBots  and picked 500 real Twitter users, the core of whom shared “a fondness for cats”.  At the end of their two-week experiment, network graphs showed that the teams’ bots had insinuated themselves strikingly into the center of the target network.

The Web Ecology Blog summarized the results this way:

With the stroke of midnight on Sunday, the first Socialbots competition has officially ended. It’s been a crazy last 48 hours. At the last count, the final scores (and how they broke down) were:

  • Team C: 701 Points (107 Mutuals, 198 Responses)
  • Team B: 183 Points (99 Mutuals, 28 Responses)
  • Team A: 170 Points (119 Mutuals, 17 Responses)

This leaves the winner of the first-ever Socialbots Cup as Team C. Congratulations!

You also read those stats right. In under a week, Team C’s bot was able to generate close to 200 responses from the target network, with conversations ranging from a few back and forth tweets to an actual set of lengthy interchanges between the bot and the targets. Interestingly, mutual followbacks, which played so strong as a source for points in Round One, showed less strongly in Round Two, as teams optimized to drive interactions.

In any case, much further from anything having to do with mutual follows or responses, the proof is really in the pudding. The network graph shows the enormous change in the configuration of the target network from when we first got started many moons ago. The bots have increasingly been able to carve out their own independent community — as seen in the clustering of targets away from the established tightly-knit networks and towards the bots themselves.

The Atlantic story summarized the implications this way:

Can one person controlling an identity, or a group of identities, really shape social architecture? Actually, yes. The Web Ecology Project’s analysis of 2009’s post-election protests in Iran revealed that only a handful of people accounted for most of the Twitter activity there. The attempt to steer large social groups toward a particular behavior or cause has long been the province of lobbyists, whose “astroturfing” seeks to camouflage their campaigns as genuine grassroots efforts, and company employees who pose on Internet message boards as unbiased consumers to tout their products. But social bots introduce new scale: they run off a server at practically no cost, and can reach thousands of people. The details that people reveal about their lives, in freely searchable tweets and blogs, offer bots a trove of personal information to work with. “The data coming off social networks allows for more-targeted social ‘hacks’ than ever before,” says Tim Hwang, the director emeritus of the Web Ecology Project. And these hacks use “not just your interests, but your behavior.”

A week after Hwang’s experiment ended, Anonymous, a notorious hacker group, penetrated the e-mail accounts of the cyber-security firm HBGary Federal and revealed a solicitation of bids by the United States Air Force in June 2010 for “Persona Management Software”—a program that would enable the government to create multiple fake identities that trawl social-networking sites to collect data on real people and then use that data to gain credibility and to circulate propaganda.

“We hadn’t heard of anyone else doing this, but we assumed that it’s got to be happening in a big way,” says Hwang. His group has published the code for its experimental bots online, “to allow people to be aware of the problem and design countermeasures.”

The Ecology Project source code is available here.  Fascinating.  We're talking very basic stuff that none-the-less takes social engineering in an important and disturbingly different new direction. 

As is the case with the use of robots for social profiling, the use of robots to reshape social networks raises important questions about attribution and identity (the Atlantic story actually described SocialBots as “fake identities”).  

Given that SocialBots will inevitably and quickly evolve, we can see that the ability to demonstrate that you are a natural flesh-and-blood person rather than a robot will increasingly become an essential ingredient of digital reality.  It will be crucial that such a proof can be given without requiring you to identify yourself,  relinquish your anonymity, or spend your whole life completing grueling captcha challenges. 

I am again struck by our deep historical need for minimal disclosure technology like U-Prove, with its amazing ability to enable unlinkable anonymous assertions (like liveness) and yet still reveal the identities of those (like the manufacturers of armies of SocialBots) who abuse them through over-use.

 

New paper on Wi-Fi positioning systems

Regular readers will have come across (or participated in shaping) some of my work over the last year as I looked at the different ways that device identity and personal identity collide in mobile location technology.

In the early days following Google's Street View WiFi snooping escapades, I became increasingly frustrated that public and official attention centered on Google's apparently accidental collection of unencrypted network traffic when there was a much worse problem staring us in the face.

Unfortunately the deeper problem was also immensely harder to grasp since it required both a technical knowledge of networked devices and a willingness to consider totally unpredicted ways of using (or misusing) information.

As became clear from a number of the conversations with other bloggers, even many highly technical people didn't understand some pretty basic things – like the fact that personal device identifiers travel in the clear on encrypted WiFi networks… Nor was it natural for many in our community to think things through from the perspective of privacy threat analysis.

This got me to look at the issues even more closely, and I summarized my thinking at PII 2010 in Seattle.

A few months ago I ran into Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, who was working on the same issues.  We decided to collaborate on a very in-depth look at both the technology and policy implications, aiming to produce a document that could be understood by those in the policy community and still serve as a call to the technical community to deal appropriately with the identity issues, seeking what Ann calls “win-win” solutions that favor both privacy and innovation.

Ann's team deserves all the credit for the thorough literature research and clear exposition.  Ann expertly describes the policy issues and urges us as technologists to adopt Privacy By Design principles for our work. I appreciate having had the opportunity to collaborate with such an innovative group.  Their efforts give me confidence that even difficult technical issues with social implications can be debated and decided by the people they affect.

Please read WiFi Positioning Systems: Beware of Unintended Consequences and let us know what you think – I invite you to comment (or tweet or email me) on the technical, policy and privacy-by-design aspects of the paper.

Google opposing the “Right to be forgotten”

In Europe there has been a lot of discussion about “the Right to be Forgotten” (see, for example, Le droit à l’oubli sur Internet).  The notion is that after some time, information should simply fade away (counteracting digital eternity).    

In America, the authors of the Social Network Users’ Bill of Rights have called their variant of this the “Right to Withdraw”.  

Whatever words we use, the right, if recognized, would be a far-reaching game-changer – and as I wrote here, represent a “cure as important as the introduction of antibiotics was in the world of medicine”.

Against this backdrop, the following report by CIARAN GILES of the Associated Press gives us much to think about. It appears Google is fighting head-on against the “the Right to be Forgotten”.  It seems to be willing to take on any individual or government who dares to challenge the immutable right of its database and algorithms to define you through something that has been written – forever, and whether it's true or not.

MADRID – Their ranks include a plastic surgeon, a prison guard and a high school principal. All are Spanish, but have little else in common except this: They want old Internet references about them that pop up in Google searches wiped away.

In a case that Google Inc. and privacy experts call a first of its kind, Spain's Data Protection Agency has ordered the search engine giant to remove links to material on about 90 people. The information was published years or even decades ago but is available to anyone via simple searches.

Scores of Spaniards lay claim to a “Right to be Forgotten” because public information once hard to get is now so easy to find on the Internet. Google has decided to challenge the orders and has appealed five cases so far this year to the National Court.

Some of the information is embarrassing, some seems downright banal. A few cases involve lawsuits that found life online through news reports, but whose dismissals were ignored by media and never appeared on the Internet. Others concern administrative decisions published in official regional gazettes.

In all cases, the plaintiffs petitioned the agency individually to get information about them taken down.

And while Spain is backing the individuals suing to get links taken down, experts say a victory for the plaintiffs could create a troubling precedent by restricting access to public information.

The issue isn't a new one for Google, whose search engine has become a widely used tool for learning about the backgrounds about potential mates, neighbors and co-workers. What it shows can affect romantic relationships, friendships and careers.

For that reason, Google regularly receives pleas asking that it remove links to embarrassing information from its search index or least ensure the material is buried in the back pages of its results. The company, based in Mountain View, Calif., almost always refuses in order to preserve the integrity of its index.

A final decision on Spain's case could take months or even years because appeals can be made to higher courts. Still, the ongoing fight in Spain is likely to gain more prominence because the European Commission this year is expected to craft controversial legislation to give people more power to delete personal information they previously posted online.

“This is just the beginning, this right to be forgotten, but it's going to be much more important in the future,” said Artemi Rallo, director of the Spanish Data Protection Agency. “Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don't want to be there.”

Many details about the Spaniards taking on Google via the government are shrouded in secrecy to protect the privacy of the plaintiffs. But the case of plastic surgeon Hugo Guidotti vividly illustrates the debate.

In Google searches, the first link that pops up is his clinic, complete with pictures of a bare-breasted women and a muscular man as evidence of what plastic surgery can do for clients. But the second link takes readers to a 1991 story in Spain's leading El Pais newspaper about a woman who sued him for the equivalent of euro5 million for a breast job that she said went bad.

By the way, if it really is true that the nothing should ever interfere with the automated pronouncements of the search engine – even truth – does that mean robots have the right to pronounce any libel they want, even though we don't?

Privacy Bill of Rights establishes device identifiers as PII

In my view the Commercial Privacy Bill of Rights drafted by US Senators McCain and Kerry would significantly strengthen the identify fabric of the Internet through its proposal that “a unique persistent identifier associated with an individual or a networked device used by such an individual” must be treated as personally identifiable information (Section 3 – 4 – vii).   This clear and central statement marks a real step forward.  Amongst other things, it covers the MAC addresses of wireless devices and the serial numbers and random identifiers of mobile phones and laptops.

From this fact alone the bill could play a key role in limiting a number of the most privacy-invasive practices used today by Internet services – including location-based services.  For example, a company like Apple could no longer glibly claim, as it does in its current iTunes privacy policy, that device identifiers and location information are “not personally identifying”.  Nor could it profess, as iTunes also currently does, that this means it can “collect, use, transfer, and disclose”  the information “for any purpose”.  Putting location information under the firm control of users is a key legislative requirement addressed by the bill.

The bill also contributes both to the security of the Internet and to individual privacy by unambiguously embracing “Minimal Disclosure for a Constrained Use” as set out in Law 2 of the Laws of Identity.  Title III explicitly establishes a “Right to Purpose Specification; Data Minimization; Constraints on Distribution; and Data Integrity.”

Despite these real positives, the bill as currently formulated leaves me eager to consult a bevy of lawyers – not a good sign.  This may be because it is still a “working draft”, with numerous provisions that must be clarified. 

For example, how would the population at large ever understand the byzantine interlocking of opt-in and opt-out clauses described in Section 202?  At this point, I don't.

And what does the list of exceptions to Unauthorized Use in Section 3 paragraph 8 imply?  Does it mean such uses can be made without notice and consent?

I'll be looking for comments by legal and policy experts.  Already, EPIC has expressed both support and reservations:

Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the “Commercial Privacy Bill of Rights Act of 2011,” aimed at protecting consumers’ privacy both online and offline. The Bill endorses several “Fair Information Practices,” gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information.

But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a “Safe Harbor” arrangement that exempts companies from significant privacy requirements.

EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies’ to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission.

Kerry McCain bill proposes “minimal disclosure” for transaction

Steve Satterfield at Inside Privacy gives us this overview of central features of new Commercial Privacy Bill of Rights proposed by US Senators Kerry and McCain (download it here):

  • The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data.  The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
  • The draft also states that businesses should “seek” to collect only as much “covered information” as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service
  • “Covered information” is defined broadly and would include not just “personally identifiable information” (such as name, address, telephone number, social security number), but also “unique identifier information,” including a customer number held in a cookie, a user ID, a processor serial number or a device serial number.  Unlike definitions of “covered information” that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
  • The draft encompasses a data retention principle, providing that businesses should only retain covered information only as long as necessary to provide the transaction or service “or for a reasonable period of time if the service is ongoing.” 
  • The draft contemplates enforcement by the FTC and state attorneys general.  Notably — and in contrast to Rep. Rush's bill — the draft does not provide a privacy right of action for individuals who are affected by a violation. 
  • Nor does the bill specifically address the much-debated “Do Not Track” opt-out mechanism that was recommended in the FTC's recent staff report on consumer privacy.  (You can read our analysis of that report here.) 

As noted above, the draft is reportedly still a work in progress.  Inside Privacy will provide additional commentary on the Kerry legislation and other congressional privacy efforts as they develop.   

Press conference will be held tomorrow at 12:30 pm.  [Emphasis above is mine – Kim]

Readers of Identityblog will understand that I see this development, like so many others, as inevitable and predictable consequences of many short-sighted industry players breaking the Laws of Identity.

 

WSJ: Federal Prosecutors investigate smartphone apps

If you have kept up with the excellent Wall Street Journal series on smartphone apps that inappropriately collect and release location information, you won't be surprised at their latest chapter:  Federal Prosecutors are now investigating information-sharing practices of mobile applications, and a Grand Jury is already issuing subpoenas.  The Journal says, in part:

Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures, according to a person familiar with the matter…

The criminal investigation is examining whether the app makers fully described to users the types of data they collected and why they needed the information—such as a user's location or a unique identifier for the phone—the person familiar with the matter said. Collecting information about a user without proper notice or authorization could violate a federal computer-fraud law…

Online music service Pandora Media Inc. said Monday it received a subpoena related to a federal grand-jury investigation of information-sharing practices by smartphone applications…

In December 2010, Scott Thurm wrote Your Apps Are Watching You,  which has now been “liked” by over 13,000 people.  It reported that the Journal had tested 101 apps and found that:

… 56 transmitted the phone's unique device identifier to other companies without users’ awareness or consent.  Forty-seven apps transmitted the phone's location in some way. Five sent a user's age, gender and other personal details to outsiders.  At the time they were tested, 45 apps didn't provide privacy policies on their websites or inside the apps.

In Pandora's case, both the Android and iPhone versions of its app transmitted information about a user's age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

Legal experts said the probe is significant because it involves potentially criminal charges that could be applicable to numerous companies. Federal criminal probes of companies for online privacy violations are rare…

The probe centers on whether app makers violated the Computer Fraud and Abuse Act, said the person familiar with the matter. That law, crafted to help prosecute hackers, covers information stored on computers. It could be used to argue that app makers “hacked” into users’ cellphones.

[More here]

The elephant in the room is Apple's own approach to location information, which should certainly be subject to investigation as well.   The user is never presented with a dialog in which Apple's use of location information is explained and permission is obtained.  Instead, the user's agreement is gained surreptitiously, hidden away  on page 37 of a 45 page policy that Apple users must accept in order to use… iTunes.  Why iTunes requires location information is never explained.  The policy simply states that the user's device identifier and location are non-personal information and that Apple “may collect, use, transfer, and disclose non-personal information for any purpose“.

Any purpose?

Is it reasonable that companies like Apple can  proclaim that device identifiers and location are non-personal and then do whatever they want with them?  Informed opinion seems not to agree with them.  The International Working Group on Data Protection in Telecommunications, for example, asserted precisely the opposite as early as 2004.  Membership of the Group included “representatives from Data Protection Authorities and other bodies of national public administrations, international organisations and scientists from all over the world.”

More empirically, I demonstrated in Non-Personal information, like where you live that the combination of device identifier and location is in very many cases (including my own) personally identifying.  This is especially true in North America where many of us live in single-family dwellings.

[BTW, I have not deeply investigated the approach to sharing of location information taken by other smartphone providers – perhaps others can shed light on this.]