He's had enough ‘ease of use’…

I wonder what Ben Hyde Ascription ate for breakfast before writing this one

The rhetoric of putting the user at the center runs the risk of being hollow. At worst it is disingenuous. At minimum it diverts our attention from the complexity of seeing the needs and requirements of the other players in the problem space. You don’t solve the identity problem without bring most of those constituencies along. What we don’t know is what proportions of each is required.

If Ben is talking about the user's identity, which I think he is, doesn't it then make sense that the user “be at the center”? I expect “the other constituencies” will think this makes sense too… Especially if we end up with a more secure and more intuitive way to use identities.

Each time I hear one of the players announce he is putting the user at the center I can’t help roll my eyes. Let me pick on Microsoft, I’m sure it won’t hurt won’t hurt the big old monopoly’s feelings. When Microsoft talks about placing the user at the center what do I hear? First off I hear the echos of the 80s dream, that the personal computer will empower the the under served little guy; ripping power from the hands of the computer center. Then I hear the passion of the UI designer selling his wares. “Ease of use.” “Ease of use, damn it!” He chants, he rants. I hear the a delusion, that the PC monopoly can still set standards like this; that’s not true anymore – the browser war demonstrated that first. That the installed base now includes things like smart cards and telephones only makes it less credible today.

Gee, is Ben bitter about the opening of the glass house? I don't believe it. There must be some enthusiasm in his heart for the benefits heaped on the “little guy” through use of personal computers connected to the planetary mesh. I've seen a lot of empowered people, that's for sure, including all my friends and my children. As for ease of use, I share much of Ascription‘s skepticism. It's a challenge. So what? The same is true for most technology.

But mostly I hear a classic example of agency. The presumption that a product manager is a legitimate agent for the customers. Product managers aspire to that, great product managers get close. But never ever does a product manager become legit. A product manager is always absolutely the advocate of his product. Microsoft’s product is the OS and when Microsoft says they wish to put the customer they run very close to becoming illegit and disingenuous. I find myself thinking – great it’s browser war time again; instead of solving the problem we will have the identity version of the HTML tag battles. For example if UI is key, which it obviously is, where is the open transparent legitimate process for getting that widely deployed?

Hmmm. I don't know where to start on this one. How about this? As I tell my “product manager” friends, product managers aren't all bad! After all, without them, there would be no products… Sure, people feel passionate, Ben foremost amonst them. I think that's one of the best things about our industry.

On the other hand, I know how offensive it can be to hear people in our business talking as though they have been elected, when often they have just been appointed, so to speak.

What I like in some of Microsoft’s current rhetoric, well Kim’s rhetoric, is the emphasis on the seeking the “identity big bang.” That should be our common cause. Players in this space should stop pretending they are legitimate spokesmen for other constituencies and substitute in it’s place a clear and transparent statement of what they believe they are doing to bring each and every one of the necessary constituencies into what we hope is the comming big bang.

I agree with Ben on these last points. All constituencies are very important, and no one should claim to be a spokesman.

We should just make sure our technologies give individuals and organizations freedom of choice, and nurture an ecology of alternatives. Then people can “vote with their feet (fingers?)”.

A believable scenario – if done right

Nice posting from Ascription Is An Anathema to any Enthusiasm that gives a believable scenario for account linking:

In the midst of a delightfully shrill posting we see Ross Mayfield yearning to authorize two vendors he uses to share data about him. What some of us call linking accounts.

Tivo and Netflix Need Each Other: Why don’t they know what movies I have rented or watched? If it’s in my rental queue and I saw it for free on cable, spare us both the hassle.

That’s exactly the kind of thing that Project Liberty and more recently SAML have been trying to enable. One user with two account relationships. Two firms with info about their users. Information they would love to exchange to make those users happier. Serious issues about what embarrassing viewing habits Ross has that he probably doesn’t want getting passed around the internet rumor mill. The firms are just as worried about their secrets.

We can solve this problem. The two firms negotiate an agreement about data sharing. Ross gives his permission to allow his personal data to be shared. Everything necessary to do this is available today. The plumbing isn’t hard. Blocking out the orchestration of the deal is straight forward.

It remains hard getting a legal framework (and that’s what the term circle of trust means) that is robust and reasonable for all three parties.

Stefan Brands on Dave Berlind's interview with me

I was taken aback to come across a post by Stefan Brands where he transcribes and comments on the ideas I put forward in an interview that ZDNet's cool David Berlind did with me at PCForum. I met Stefan recently at the Computers, Freedom and Privacy conference and he impressed me as a very talented technologist who really understands privacy and other security issues.

Just for the record, I want everyone to know that I'm not Microsoft's “Chief Architect”… That title belongs to Bill Gates… I am “Architect of Identity and Access” – meaning I'm the architect responsible for the identity software products: Active Directory (AD), Microsoft Identity Integration Services (MIIS), Active Directory Federation Services and so on. In turn, each of these products have someone working on detailed architecture.

Anyway, on to Stefan's piece:

Kim Cameron on the role of privacy in digital identity:

[4:31] “You need more than just the ability to be public, you need the ability to be private, it’s two sides of the same coin. ” [4.58] “Anonymity is [not] the most important aspect of things, but I think privacy is very important and the ability to protect is very important, as well as the ability to be public and provide access. ” [5.58] “Identity has to be able to be uni-directional or multi-directional or, basically, anonymous. You need to be able to support all three types of things. If you look at our current technologies, they are really based on supporting public entities much better than private entities.

[7.09] “If I as an individual go to a web site I don’t want the identity I use there to be shared between that web site and other web sites. ” [7.58] “I have a private relationship with each of these parties. Now, under certain circumstances I might be convinced that I should let them actually share parts of my profile because it will benefit me. ” [8.12] “We should not have a system based on this widespread profile being created automatically. So, in order to do that what we need is an identity when we are dealing with each of those that is just uni-directional, it concerns only the relationship between me and that web site.” [8.30] “The public model came along first, and everybody has sort of assumed that identity for individuals should follow that public model. That isn’t good enough, you need both the public and the private capabilities.

Wonderful! Note that such user-controlled (un)linkability would have serious implications for current online marketing tactics that thrive on the capability to link user activities without explicit user permission – including Microsoft’s new search engine strategy.

[11.24] “We need to rethink how you build this identity system in such a way that it behaves the way people expect it to behave. One of those things is the uni-directional thing, one of the things is don’t have any irrelevant parties in your identity relations. ” [12.10] “We need to have a unified way of doing identity that encompasses both our customers who are individuals and our customers who are enterprises.

Kim on two major shortcomings of Passport, user privacy concerns and service provider privacy concerns:

[9.18] “Passport actually began supporting uni-directional identifiers. Over time it changed to just omni-directional because the web sites wanted to be able to amalgamate digital dossiers in order to market to us better. Nobody had really thought very deeply about what these issues meant in terms of how people would react and so on. The technology evolved, I think personally, in the wrong direction.” [9.54] “Passport had other problems. ” [10.09] “People would ask: “what exactly is Microsoft doing between me and Amazon?” It did not make sense to people that the Microsoft site would be there. And a lot of the web sites themselves would look at it and go: “do I really want a Microsoft service between me and my customer base?” And they would say “No.”

On Liberty Alliance:

[27.20] “Liberty is a very interesting set of proposals and implementations. But it deals with some very specific scenarios which are from the point of view of a company that is in a circle of trust with some other companies and they want to share your profile. [] It is federation, in my view, in a particular set of scenarios. [] It is from the point of view of the company which is trying to provide a portal onto these other associated companies. That is different than the requirements of the consumer in general, for instance, or it is different from the requirements of a lot of companies who just want to manage a customer relationship. [] It could still function inside this metasystem that I am talking about. [] Just like I am trying to incorporate Passport into it.

Stories that tell our story…

Eric Norlin has posted some comments on Chris Ceppi's explanation of “Identity Reform“:

1. i'm not sure if Identity Reform is the proper way to speak about what we're all doing.

2. I like what these cummulative posts are saying — namely, the critical thinking and conversation is a beginning point, the technology is a continuation of that —- the story around that is a third, important piece…..I'd call the first and third parts marketing :-)

Of course while marketing may be critical thinking and conversation, I'm not sure that means critical thinking and conversation is marketing… But hey – Eric is pushing our buttons – so I won't say anything.

3. don't underestimate the power of a good story. chris points out frank lutz. doc often speaks of Lakoff. we have yet to dig up all of the story threads in identity — but several have already been told (and had effect) — threads like:

A) the entrepreneur whiz kid that starts an identity company because he just *knows* it'll be the next big thing [any guesses what i'm referring to there?]

B) the “laws discussion” — a thread that implies community discussion and some kind of *rational* thought that will allow the deduction of *what* should be built….ie, not only is everyone being included, but once the laws are done, we'll have some agreement grounded in “the natural state of things” [note: AKMA should have a ball dissecting how the laws of identity relates to Augustine theology up through Erasmus and the rise of the protestant work ethic…natural law anyone?]

C) the “people's” identity: the us v. (insert big bad evil entity) story is a powerful one…..open source movements feed on this one, but its certainly not limited to them. the idea that we can all become involved in something bigger than ourselves that will strip away the wrong-doings of an existing order of things…..well….

and other threads will form:

the technology that was the best that never suceeded

the person who champions reform after a tragedy

the evil CEO that fights reform to the end

….feel the mythic qualities? see, the more closely you weave in “mythic” elements, the more powerful they become….and let me stress this mythic DOES NOT equal false. all of the stories i've cited are true — and mythic.

good “marketing” is not just conversation — its recognizing the stories that people *want* to tell and acting accordingly.

The identity story is a powerful one because it touches most of us very deeply. the depth of it is attested to by the oft-had response of “the individual must own” their identity information and its use. Watch the emotion that attaches to that response – people *react* – with their hearts and minds.

The story of identity is being told in multiple ways with many different threads — in such a way that it has room for everyone and all of their stories. the last technology that I know of that was big enough for that was blogging (everyone tells their story); before that, the internet (the wild west gold rush); before that the personal computer (bringing to life the Jetsons future); before that the credit card (you can have what you want now, and worry about it later); before that the automobile (freedom on the open road); before that, the land rush (free land and fortune); before that, the american promise…….;-)

ps: wanna hear a good story?

the entrepreneur whiz kid founds an identity company after being inspired to think deeply about technology by the events of 9/11. he grows out of whiz kid and into experienced executive, as his company grows through funding – assembling a bright young staff of developers to build out the infrastructure of his vision. this company goes on to be a rising star in a david v. goliath fight versus the big technology stack guys — bringing a “best of breed” (which is marketing codeword for david v. goliath story) technology to market — with critical customer wins – it becomes a press and analyst darling….

how does the story end? i dunno – yet.

yes, my friends, we don't live out our stories. our stories live us.

So true.

1 Raindrop from Gunnar Peterson

Here‘s a new blog by Gunnar Peterson called 1 Raindrop. This is quality thinking for those interested in issues of distributed computing.

It consists of “loosely coupled thoughts on distributed systems, security, and software that runs on them.” Gunnar summarizes alternate web technologies this way: “When you are content to simply be yourself and don’t compare or compete, everybody will respect you.” - Lao Tzu

Four laws in one blow

I've been meaning to draw peoples’ attention to this story (via Identity Woman) by David Lazarus at sfgate.com:

“The University of California has suffered yet another potential data breach, this one involving the names and Social Security numbers of about 7, 000 students, faculty and staff at the San Francisco campus.

“For Sen. Diane Feinstein, D-Calif., enough is enough. She told me Tuesday that she'll introduce federal legislation within the next few days requiring encryption of all data stored for commercial purposes.

“This latest incident involving UCSF follows news that UC Berkeley lost control of personal info for nearly 100,000 grad students, alumni and applicants last month when a laptop computer was stolen from an unlocked campus office.

“It also follows a flurry of other security lapses, including San Francisco's Wells Fargo, the nation's fourth-largest bank, experiencing no fewer than three data breaches due to stolen computers over the past year and a half.”

Senator Feinstein said, “What this shows is that there is enormous sloppy handling of personal data.”

It seems to me the question of whether the personal information was handled sloppily or tidily is just part of the problem. I'm equally bothered by the information being there in the first place. How and why did it get there? Did the identified subjects agree to this usage of the information? Why were public identifiers (social security numbers) kept for private individuals? Once these questions are answered, we can turn to operational issues: why the information appeared on a test machine, and why a test machine was deployed with no firewall.

All of this is so far a disturbing mystery. There should be a public investigation of the circumstances through which this breach (and all like it) came about. We need to understand what was going on in the heads of the people who put the data on the compromised machine. The best practice is not to store unnecessary information, and not to store it in unnecessary places. What were these guys thinking about? We need to build peoples’ understanding of the underlying issues.

I expect this information disaster came about by breaking four identity laws at once. What a run!

  • Were users in control of what their information was being employed for? Were they told where and how it was being used (law of user control)?
  • Was there really a need to store social security numbers rather than some local or derived identifier (law of minimal information, law of directional identity)?
  • Would the identified subjects see a “test machine” as a legitimate party to their identity relationship with the university (law of fewest parties)?

Encryption is a good idea but will probably lead to a false sense of confidence and further breaches. We need a more holistic solution.

One final comment. We should give UCSF's forensic staff credit for detecting the breach:

In UCSF's case, campus techies noticed in late February that a server used in part by the university's accounting and personnel departments was generating an unusually high level of network activity.

I'm willing to bet things like this are happening almost everywhere and almost every day – but that most institutions don't have the mechanisms in place to detect what is going on.

From identity to identifiers – Law of Control

I am really fascinated by work Drummond Reed has started on his blog in which he uses the laws of identity to structure a discussion on identifiers. I look forward to seeing where this goes, since Drummond has thought incredibly deeply about identifiers (he is the technical chair of the OASIS Extensible Resource Identifier – XRI – Technical Committee; not to mention his work on XDI…). I know from conversations with my friends at NAC (the Network Applications Consortium) that identifiers are becoming a super-hot pragmatic issue.

Drummond explains what he's doing this way:

When Kim published his Fourth Law (the Law of Directed Identity), it was the first (and only) law that touched directly on identifiers. I knew his Laws had gained quite a following when I quickly received several email messages asking if XRIs (Extensible Resource Identifiers), the new OASIS specifications for abstract identifiers, conformed to the 4th Law.

In discussing this with other members of the XRI TC, as well as with Kim, we realized that each of his “Laws of Identity” has a “Corollary For Identifiers”. In particular, these corollaries would apply to any universal identifier metasystem that aspired to be the addressing scheme for the “mega momma backplane” (as Kim, Marc Canter, and Craig Burton put it.)

That, of course, is precisely the goal of the OASIS XRI effort dating back to 2003 (and previously to the XNS work dating back to 1999.) Given that the XRI 2.0 specifications are currently in public review in advance of a full OASIS vote, now seems like a good time to follow Kim’s lead and publish “The Seven Corollaries of Identifiers”.

The idea that each of the laws has its own ‘identifier corollary’ makes perfect sense. And I'm struck by the way in which the laws provide a conceptual handle through which the issues of identification can be understood by an audience wider than those who wake up, have a coffee, and think about identifiers all day long.

So let's look at the first corollory:

1. The Law of Control

Technical identity systems MUST only reveal information identifying a user with the user’s consent.

1a. The Corollary of Identifier Control.

The identifiers in a universal identifier metasystem MUST only reveal information identifying a user with the user’s consent.

Funny how intuitive it seems when you put it this way. A user’s online identifier should not force the user to reveal any more information than they wish. And yet one of the online identifiers most frequently requested from users squarely violates this principle: an email address. Websites who require an email address to register – and many have no choice because it is often the only easy, universal way to perform basic user authentication – force individuals into revealing information that in many cases they would rather not.

So half the Web breaks this corollary before we’re even out of the starting gate. But it gets worse. Look at one of the current bulwarks of online identification: DNS. A standard requirement for most DNS name registries is accurate, current contact data for the registrant that is published publicly as “Whois” data. Although many registrars now offer proxy registration services to preserve registrant privacy and prevent spam, there’s no escaping that a major component of our current Internet identifier infrastructure breaks the First Corollary squarely in two.

So can XRIs fix this problem? Yes. The first principle of XRI architecture is that XRIs are abstract – the association between an XRI and the real-world resource it represents is entirely under the control of its XRI authority (the person or organization registering the XRI, at any level of delegation). So nothing in an XRI need reveal anything about the authority’s identity or messaging address.

So how can the identifier be authenticated, i.e., what’s the XRI equivalent of the simple email address verification test that websites use every day? The ISSO (I-Name Single Sign-On) protocol, which combines XRI 2.0 resolution with SAML 2.0 authentication assertion exchange. It’s easier, faster, and much more secure than email authentication – and still does not require revealing any other information identifying the user.

So that fixes the first problem. What about the second – the DNS “Whois” problem? What registrant data is required when registering an XRI? Here I can only speak for the XRI global registry services to be offered by XDI.ORG. Based on its Global Services Specifications (GSS) that have been in public review since December, the answer is: none. Following XDI.ORG’s Minimum Information Policy, a cornerstone of its Data Protection Policies, the XDI.ORG global registries will store only registered XRIs, resolution values, and authentication credentials. There is no public (or private) “Whois” service. (There is a Public Trustee Service that provides an alternate means of authenticating a registrant to XDI.ORG if they lose their registration credential, but that data is entirely private.)

So what provides accountability for global registrations? Dispute Notification Service. Every global XRI registrar is required to provide a means of forwarding authenticated dispute notifications to a registrant. This accomplishes the same goal as DNS Whois service but without revealing registrant identifying data or exposing registrants to spam.

This really helps me understand what XRI is all about. And we're just at law 1.

Identity Reform

Chris Ceppi has gone further in explaining his ideas around ‘Identity Reform’. And now I understand the interesting point he is making. We are talking about technological reform.

In an earlier post I referenced the work of Frank Luntz, a Republican pollster and wordsmith who has, regrettably since I often find myself at odds with his positions, been very successful at promoting legislative initiatives by correctly determining the most compelling words to use to promote them. Luntz has done loads of research showing the dramatic effect using different words can have on how the same idea is received. A few notable examples from politics in last few years include:

  • Eliminating the “Estate Tax” is much less popular than eliminating the “Death Tax” – same legislation, broader appeal since everyone dies, but not everyone has an estate worth worrying about.
  • “Welfare Cuts” raised fears and were not popular, “Welfare Reform” (including cuts) passed with broad support under Clinton.
  • Social Security “Phase out” is a non starter, “Private Accounts” are less unpopular but still better than “Privatization”.

The connotations triggered by word choice can ultimately determine whether an idea flies in the mainstream or not – this is why Luntz makes a good living helping Republican politicians craft the language they use to market less than popular initiatives. Given the high degree of suspicion of new identity technology (see ACLU Pizza, attitudes toward Microsoft, etc.) in the general public, I think it is important for those of us developing new technology in this space to be very conscious of the language we use to frame our work.

My view is that the technical innovation surrounding identity is, in fact, part of an ad hoc reform effort. The technical systems, business practices, and regulatory regimes that currently touch identity are primitive and badly broken – these systems and practices need to be upgraded to better serve the interests of important stakeholders.

So what is the most compelling way to communicate the need for technical innovation in the current climate of mistrust and borderline paranoia about identity? Emphasizing the sorry state of the status quo and calling for ‘Identity Reform’ is my current best guess.

These days I'm really focussed on the need to develop a cross-platform system embracing technical alternatives that allow users to select specific variants which ‘work best’ for them. We need to think in terms of an “identity bus” that allows individuals and organizations to “plug in” such alternatives. I see the emergence of these alternatives as being the essential vehicle by which all the relevant parties can posit and influence our digital identity future.

Doing in this could indeed be called a reform of the current chaotic and primitive status quo.

Empire and Communications sleuths, we thank you!

The good news is that Empire and Communications sleuth Janet R located a relatively inexpensive copy here, The bad news is that I bought it.

The good news is that Mark P found a “print to order” copy here. The bad news is that it's…

…still out of my range at $74. The author is listed as Harold Innis, rather than Harold Innes, by the way. First edition, $100 here. Soft cover edition, $61.95 here. Hope these help someone.

Mark is right that I mispelled Harold's name – I have fixed the posting and apologized to Harold.

The good news is that when I receive the copy I just ordered, I will make it available for readers of this blog to borrow (I have my own copy, currently on loan). I've been thinking of getting the book its own I-name to make this easier. I wonder if Drummond has a domain for books? Maybe he will cut me a special deal. Can a blogger be a lending library?

So much for (out of) print…

Yesterday I mentioned Empire and Communications by Harold Innis. A number of people asked how to get it and at this point it appears you need to go to a university library (I think it's worth it to do so, since the book is a seminal piece on the relationship between technology and culture). In trying see if the book can be purchased, the search engines took me to Is there a Mesh Size Problem with the Internet – a lecture given by philosopher John Scott in 1999 at Memorial University. He clearly had the same reaction to Innis’ work as I did:

… [The] Internet is going to force us to take some needed, but overdue, institutional and political steps to address something like what eye doctors call an “accommodation” problem. When our eyes do not adjust quickly enough, or fully enough, or appropriately to the changing objects in our field of view the doctors tell us we have an “accommodation” problem.
We have been accommodating changes in language-technologies in different and dramatic ways since the beginning of recorded history. Changes associated with the internet's vices and virtues are no different, except that the orders of magnitude seem considerably increased. The Internet changes the ways we record, send, and receive messages and will radically continue to change where and how we live, just as past messaging innovations have.
This is nothing new. Harold Innis was saying it in the ’40s ’50s and ’60s. His Empire and Communications was published in 1950. He chronicled there the impact on Egyptian culture of the introduction of the new technology, papyrus. The development of law in Hammurabi's Babylon flowed largely, he suggests, from the introduction there of a consistently efficient system of writing; and the growth of reflective, democratic institutions in Greece grew out of its institutionalized oral language patterns. Then the “Word” went on to build the Cathedral towns of Europe and their associated political structures over the first thousand years of Christianity…. Until these structures were swept away when the Word found a more fluid and portable home in Guttenberg's movable type… which has shaped the public and private institutions accommodating our lives until very recently. It was Guttenberg, you will remember, on whom McLuhan focussed when he first took Innis’ message to the media in the early ’60s and later.
So we should hardly be surprised that the internet has so now changed how and where we live, work, shop, get medical, financial (and all kinds of other intimate) advice and services – and even vote – without leaving our homes. And our homes can now be located almost wherever our fancies (and the mortgage companies) dictate. There is nothing new about the inevitability of change medium-based change. But it makes us a bit breathless, nonetheless, about whether we have choices over the kinds of accommodations we are going to have to make, or even any way to identify them before they wall us into new, and perhaps, very frightening kinds of places.

By the way, Empire and communication (University of Toronto Press [1950, 1972]) does not represent a crude technological determinism – it was a series of lectures presented at Oxford (as I recall) at the end of Dr. Innis’ life, and is one of the most erudite works on human history, culture and technology I have read.