Identity Studies

I've received a number of notes from investigators and Ph.D. candidates in North America and Europe who want to focus on “digital identity management”. I think this is one more indicator that the importance of digital identity is permeating the intelligentsia. If I'm right about this, let the bells ring and the banners fly… How can we nurture their interest?

Academic research represents a great opportunity in our quest to “get identity right”.

We need the participation of the university. We need unimpeded research, review and contemplation. We need the next generation, born nearer to the world of virtual reality than many of us were, to start looking at identity technology as one of the key mechanisms for shaping and controlling a world which, no matter what, will be startlingly different from this one.

Jamie Lewis has generalized the idea of “cross-cutting concerns” used in aspect-oriented programming and applied it to digital identity. Refracting this into academia we can see that the study of digital identity should be cross-disciplinary.

So let's brainstorm. What about Identity Studies? Does it already exist? If not, I predict it will. We can be certain that software, robots, agents, avatars and many aspects of the built environment will learn to adapt to those who interact with them. At some point it will become obvious that we need people who understand the many implications of such technological innovations. Here's a first sketch…

Identity Studies: the discipline that grasps how who we are both changes and reflects the behavior of the world we inhabit – a theory of praxis, but one reaching beyond philosophy. It extends from understanding the mechanisms through which identity is acquired and transformed, to a theory of its protection, transmission, reception and perception. It looks at how different kinds of systems respond to – and evolve – through this perception, ultimately resulting in feedback and the transformation of identity itself.

Identity Studies will be founded by computer scientists, information theorists, cryptographers, privacy and security experts, semiologists, psychologists, sociologists, philosophers, architects and designers, lawyers, criminologists, political scientists, and policy researchers. All of these disciplines have important insights to contribute.

There are already programs at innovative universities which could evolve in the direction of this new discipline.

Several people have asked me to give “guidance on sub-areas of DIM that, based on your experience, you will recommend for research”.

In subsequent postings I'll suggest a couple of specific projects. But before I do, I'm going to give a better answer: set up Identity Labs and drop your preconceptions. Ask what happens when your environment has been programmed to respond to you. What is that you? What is that programming? What assumptions drive the interrelationships? Will you be able to alter your environment's view of you? How?

CNET's Top 100 Blogs

Identity Blog has been selected as one of CNET's top 100 blogs. More info here. And here's how CNET describes what they have tried to do:

A picture named identityblog.gif

With more than 14 million blogs in existence and another 80,000 being created each day, how is a person supposed to find the ones worth reading?

That is the question CNET News.com is attempting to answer with our first Blog 100 list. This effort adds to features such as News.com Blogs, Extra, My News, TalkBack, Newsburst, and Blogma, in which News.com editors and reporters are helping find the best news and views on the Web for the convenience of our readers.

Blogs have become an important source of information, but the signal-to-noise ratio makes it hard to find the gems. In our pursuit, we spent weeks checking out technology-oriented blogs based on the recommendations from our reporters and readers.

Of course, such a list is bound to generate vigorous agreement and vehement dissent. It's impossible to even get universal agreement on the definition of a blog.

For our search, we decided to be very liberal. You'll find blogs produced by a single person and others that have grown to include a staff of contributors. Some are associated with major news outlets, while some are published by large companies. The bottom line is that they all are produced by passionate people who have a wealth of information about their corner of the tech world.

After defining the types of blogs that could be considered for our list, the next question was to determine just what constitutes a “good” blog.

There are a lot of reasons people find particular blogs worthy of their time. Some are valued solely for their aggregation of pertinent news, while others have formed a devoted following based on the robust and educated comments of their readers. Still others have become popular because of their humor or for the biting tone of their writers’ opinions.

Feel free to send us feedback on our list, which we intend to regularly update as blogs change in quality. With a blog being created about every second, there are bound to be a few more good ones. And we'll help you find them.

I hope I can use this opportunity to bring identity issues to the attention of a larger audience.

Those of us in the identity community are lucky to have committed journalist colleagues like those at CNET who take the time to understand our complex issues – and who are able to explain them to a wide audience.

[tags: , , , ]

A Real Remedy for Phishers

Bruce Schneier just published this beautiful piece on identity theft in Wired News:

Security Matters columnist Bruce Schneier Last week California became the first state to enact a law specifically addressing phishing. Phishing, for those of you who have been away from the internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info — passwords, mostly. When this is done by hacking DNS, it's called pharming.

Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers — they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers’ assets. Unfortunately, the California law does nothing to address this.

The new legislation was enacted because phishing is a new crime. But the law won't help, because phishing is just a tactic. Criminals phish in order to get your passwords, so they can make fraudulent transactions in your name. The real crime is an ancient one: financial fraud.

These attacks prey on the gullibility of people. This distinguishes them from worms and viruses, which exploit vulnerabilities in computer code. In the past, I've called these attacks examples of “semantic attacks” because they exploit human meaning rather than computer logic. The victims are people who get e-mails and visit websites, and generally believe that these e-mails and websites are legitimate.

These attacks take advantage of the inherent unverifiability of the internet. Phishing and pharming are easy because authenticating businesses on the internet is hard. While it might be possible for a criminal to build a fake bricks-and-mortar bank in order to scam people out of their signatures and bank details, it's much easier for the same criminal to build a fake website or send a fake e-mail. And while it might be technically possible to build a security infrastructure to verify both websites and e-mail, both the cost and user unfriendliness means that it'd only be a solution for the geekiest of internet users.

These attacks also leverage the inherent scalability of computer systems. Scamming someone in person takes work. With e-mail, you can try to scam millions of people per hour. And a one-in-a-million success rate might be good enough for a viable criminal enterprise.

In general, two internet trends affect all forms of identity theft. The widespread availability of personal information has made it easier for a thief to get his hands on it. At the same time, the rise of electronic authentication and online transactions — you don't have to walk into a bank, or even use a bank card, in order to withdraw money now — has made that personal information much more valuable.

The problem of phishing cannot be solved solely by focusing on the first trend: the availability of personal information. Criminals are clever people, and if you defend against a particular tactic such as phishing, they'll find another. In the space of just a few years, we've seen phishing attacks get more sophisticated. The newest variant, called “spear phishing,” involves individually targeted and personalized e-mail messages that are even harder to detect. And there are other sorts of electronic fraud that aren't technically phishing.

The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names. The institutions make a lot of money because it's easy to make a transaction, open an account, get a credit card and so on. For years I've written about how economic considerations affect security problems. They can put security countermeasures in place to prevent fraud, detect it quickly and allow victims to clear themselves. But all of that's expensive. And it's not worth it to them.

It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims. And in one in four cases, the victims have not been able to completely restore their good name.

In economics, this is known as an externality: It's an effect of a business decision that is not borne by the person or organization making the decision. Financial institutions have no incentive to reduce those costs of identity theft because they don't bear them.

Push the responsibility — all of it — for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud — because the companies won't stand for all those losses.

If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses — they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.

Bruce is right. Let me put it this way. Sites must move as quickly as they can towards what Toby Stevens calls “Data Rejection“, minimizing retention of individually identifying information. They must ensure that PII which needs to be retained is encrypted, decipherable only through systems which are quaranteened from the Internet and have the proper operational controls.

The InfoCard system has been devised to allow companies to practice Data Rejection. It uses cryptography to recognize digital relationships so personal identifying information can be made available to an internet site while a transaction is in progress but not be stored there – except, perhaps, in encrypted audit logs.

Digital toys CAN have digital identities

In a private thread on digital identity, the ever-witty Dave Kearns observes, ‘If anything screams ‘Please use another term for this!’, it's this review of a new computer game:

“***** Top Spin 2

“One of the top Xbox sports games, in both sales and popularity returns for another victory on Xbox 360. Everything you loved about Top Spin is back and made even better. The peerless player-creator is reborn with the powerful DigitalIdentity that truly puts you in the game. Experience the pro tour in venues that are alive and dynamic with environmental elements that react to your play. Characters are even more stunning with the addition of HD technology and the inclusion of the top players in the world like Maria Sharapova, Venus Williams, Andy Roddick, Lleyton Hewitt and Roger Federer. Put it all online and you once again have the greatest tennis game ever created.

“Digital Identity – Create realistic player models and customize them with the highest level of details. Hairstyles, shirts, shorts, shoes, etc. allow you to create a player with your look and your style. Coupled with the ability to taunt your opponents with different attitudes, Top Spin 2 truly gives your player his own Digital Identity ()

I'm fascinated by the line, “Coupled with the ability to taunt your opponents with different attitudes”. Could this technology have broad applicability to a number of professional uses???

Anyway, I think these player models – and all other virtual entities – are, in fact, examples of digital identities.

People learn a lot about the world by playing with toys. And its not just kids who learn this way.

The emergence of digital identity toys tell us that we are using the right name, not the wrong one. They represent an important step forward on the road to Craig Burton's “ubiquity”.

[tags: , , , ]

Turn up your CD players

Thanks to Entrust's identity blog for pointing us to this website describing research by Li Zhuang, Feng Zhou, and J. D. Tygar on the privacy of typed material in the presence of microphones. The site contains links to their paper, and will shortly be supplemented with raw versions of their experimental data and setup. Note that it will be changing its URL to keyboard-emanations.org.

We show that using a generic microphone, we can successfully recover almost all text typed on standard keyboards. Unlike previous research our method works even if we have no information about the typist, the keyboard, and no “training data” (examples of the typist typing known text). Simply put a microphone in a room with a typist, record 10 minutes of data, and our algorithms recover the typed text … including arbitrary text, such as passwords. Our work breaks even “quiet” keyboards that are designed not make sounds. Our results suggest that recovery is possible even if microphones are outside the room (using parabolic microphones).

Paper: Keyboard Acoustic Emanations Revisited (to appear at the November 2005 ACM Conference on Computer and Communications Security)

[tags: , , , ]

New pharming implements

As the following article by Ben Charney from eWeek shows, toolbars can make excellent pharming implements. I predicted this in one of my early blog postings, and of course it had to come true. Please note that I'm not hitting on Google – I'm pointing out a problem much broader than any one company or technology.

An Internet security specialist says a new threat forces computers to install faked Google software, which then goes phishing.

Phishing is where e-mails, IM (instant messages) or Web sites parody a legitimate company, and try to get users to provide personal information or financial account numbers and passwords.

I actually see this as pharming as much as phishing, since the toolbar resides on your PC and continues to harvest information. But hey! Maybe it does both at once!

The latest cases involve bogus Google software spread via IM, and appear to be a variety of the infamous CoolWebSearch phishing scheme, according to Foster City-Calif.-based FaceTime Security Labs. CoolWebSearch has never been spread via IM before.

In the recent cases, IM users unwittingly download a rogue tool bar, which is installed on a Web browser and provides easier access to an Internet search provider.

Tool bars also contain measures to block pop-up advertisements.

The only working feature on the fake Google Toolbar saves credit card details, according to Christopher Boyd, the security research manager of Foster City, Calif.-based FaceTime Security Labs. A bevy of others, including one to “enable pornographic ads,” do not work.

IM is increasingly a target of phishers, as the latest attacks show.

Some IM-related attempts date back to 2003.

Most recently, in early March, Yahoo Inc. confirmed that some of its Yahoo Messenger customers received a message that appears to be coming from a buddy-list contact.

Users can be lulled into directing a Web browser to a Yahoo Web page requesting log-in information for Yahoo accounts, according to an analysis by Akonix Systems Inc.

The cases in point appear similar to a rather infamous method of hijacking Web browsers known as CoolWebSearch, Boyd adds.

Instant messaging is increasingly a target of phishers, as the latest attacks show.

Some IM-related attempts date back to 2003. Most recently, in early March, Yahoo Inc. confirmed, came under attack through Yahoo Messenger, its IM service.

In the attack, users receive an IM message that often appears to be coming from a buddy-list contact.

The IM attempts to lull users into clicking on a URL, which then takes them to a spoofed Yahoo page requesting login information for their Yahoo accounts, according to an analysis by Akonix Systems Inc.

Let's work on holistic solutions that protect against these attacks and leverage progress made in one application across all others. As I told Mary Branscombe of the Guardian,

Improving site security with a better password system, or a toolbar that checks you are at the right site, can't fix a general security problem. “There are excellent people working on these things, but they can't counter current threats without changing the way computers behave in a distributed fashion,” Cameron says. “We need to work together.”

[tags: , , , ]

Craig Burton cries ubiquity…

Craig Burton has a Master of Infrastructure from Novell. A co-founder, he was the major force in transforming it from a hardware company to one of the most innovative software forces in the history of networking. Later he got his Doctorate in Infrastructure from the Burton Group, which he founded with Jamie Lewis, proposing the Network Services Model.

Today, he released a new single on his blog, which went like this:

(To a Marley reggae beat): I, I, I cry ubiquity…

Ubiquity rules.

Identity 2.0 is a tough problem. This is because it not only requires a new architecture, but because it requires that the user rethinks how identity works.

It's a shift from

Identity 1.0–server-based user name and password

to

Identity 2.0–network-based user verified credentials.

This is no small shift. It changes everything.

However,

It will only change everything when Identity 2.0 infrastucture becomes ubiquitous. Free. A given. Like air and sunshine.

Most would-be identity systems–OpenID, Ping, Sxip, Liberty to name a few–are not well designed to become ubiquitous. They each require that you buy into their architecture to work. You must adopt their protocols and system intrinsics. Open and Simple by itself just doesn't cut it.

What is needed is an architecture that is independent of mandated adoption.

This is part of the bueaty of Kim Cameron's Identity Metasystem. I can't emphasize the importance of such a design towards the objective of ubiquity.

I, I, I cry ubiquity.

By definition, a metasystem must be inclusive of the other underlying systems. So for those new to the discussion, InfoCards are not positioned against any of the systems Craig mentions. In theory you could have an InfoCard that represented an identity provider based on SXIP technology, or on Liberty technology or whatever else. In fact a number of people are thinking about building this type of offering.

Would the underlying systems have to add a bit of code? Yes.

But ubiquity and inclusiveness make such a potent combination that it would be well worthwhile.

[tags: , , , , ]

An important simplification

You've probably read as many articles like this one from bankrate.com as I have:

Anything you wouldn't feel comfortable having someone pick up and read, you should shred, says Jerry Haas, vice president of sales and marketing for American Document Destruction Corp. in Tampa, Fla.

Criminals need very little information to steal your identity. With your Social Security number they can apply for credit cards, cellular phones, loans, bank accounts, apartments and utility accounts.

Garbages hold a plethora of information. Once your Social Security number or an account number hits the dumpster, your identity is floating among the refuse, just waiting to be stolen. Shredding is a minimal inconvenience and minor expense compared to its alternative — becoming an identity theft victim.

But James Governor, a leading member of the British Identerati, has brought our attention to a far simpler, cost-effective solution:

DON'T waste money on expensive paper shredders to avoid having your identity stolen. Simply place a few dog doo's in the bin bags along with your old bank statements.

Is there a digital equivalent for this piercing simplification and refactoring?

I'm not sure if this proposal originated on easypeasy.com, but it appears so since the site is full of good ideas. Here is a further example:

WORRIED that your teeth will be stained after a heavy night drinking red wine? Simply drink a bottle of white wine before going to bed to remove the stains.

[tags: , , , , ]

Eric Norlin , DIDW and Web 2.0

Eric Norlin is one of the people who really encouraged me when I started to blog. For some time he's been involved both with Ping Identity and Digital Identity World (DIDW). Today we learned that he has moved on from Ping and will be working primarily on DIDW. We get a sense for how his thinking is evolving from this post.

Eric Norlin The conference industry has an “in” crowd. For years, that in-crowd was at PC Forum – Esther Dyson's high class, high bandwidth, high priced summit for the digerati. The first time I attended a PC Forum, I was a little star struck. The sheer power of people walking around was – well, a little initimidating (that all faded quickly, by the way).

Beyond PC Forum, you have some of the O'Reilly events (Foo Camp comes to mind) that cater to the in-crowd. And, exclusivity aside, a lot of these events do generate a tremendous amount of heat.

Web 2.0 is the new hot kid on the block. It takes place this week in San Francisco, but don't think about registering late – its “sold out.”

Phil and I have been speaking about the Web 2.0 meme for a while now, and we recently decided to attend this show (so, i'm leaving for it tomorrow). The funny thing is — not a lot of people see the connection between Web 2.0 and digital identity. So, I thought i'd ramble on a bit…

But first…
First things first: What exactly is this Web 2.0 meme?

If you'd like the long answer, Tim O'Reilly (one of the organizers) has attempted to give you one.

If, on the other hand, you'd like the Cliff Notes version – you're in luck.

Simply put, “Web 2.0″ is the idea that the web is now the platform. In the development of computing we always think in “platforms” — Microsoft achieved its dominant position because it recognized the desktop as a platform, blew out the marketshare for that (the Windows Operating System), and proceeded to own the applications that sat on top of that platform (Office, Word, Excel, even Internet Explorer).

The organizers of Web 2.0 are theorizing that the web (not the desktop) is the new platform – on top of which applications are built. I tend to agree.

The Web as Platform
How much of your computing experience is now done on top of the web as platform? When I purchased a laptop for home use several months ago, my only considerations were the machine's ability to get online efficienty.

The web as platform is happening at the edges — chipping away at the desktop via things like Gmail or Yahoo mail. But its also happening at the center — Google provides the most widely used web-as-platform application on the planet.

From eBay to Amazon to Yahoo to Microsoft to Google to Salesforce.com to Oracle, all of the “big guys” are launching offerings into the “Web 2.0″ space. Move past the big guys, and the universe explodes. Start-ups in this space are simply the hottest thing going. As has been pointed out in several sarcastic Venture Capitalist weblogs, selling *software* is sooooooo nineties. Selling a service on the web as a platform (via the Salesforce.com model) — now *that's* a company worth funding.

Why Digital ID World
Right about now you're saying, “interesting eric – but I don't really see why Digital ID World is going.”

Put aside the fact that one of the companies in the identity space is a sponsor there (Sxip), and what you'll find is a bunch of companies that are building applications (and sub-platforms) on the Web 2.0 meme — and they *all* are either touching digital identity or going to need digital identity.

You see, the simple answer really is simple: Just as the web services world has quickly discovered that they need identity to secure their services, so too will the Web 2.0 world quickly (i hope) discover that identity is at the core of what they're working on.

And when they discover that — really interesting things will happen and Digital ID World will be there to see them.

The Inevitability of Identity
The web, in any form, will not go forward simply as a network of anonymity. Digital Identity is here in many forms and coming faster every day.

For much of our history, Digital ID World has tried to convince the enterprise how it is that they need to view and use identity as a construct. However, any of you that were at our first conference know that we didn't start that way.

Back then in the foggy mists of time, Digital ID World spent a great deal of time talking about the dynamics of end-user identity (or Web 2.0 identity, or Identity 2.0 – take your pick). We never really abandoned that conversation – it has been present in every show since then; represented valiantly by folks like Doc Searls and Drummond Reed. But, as the identity marketplace has expanded, so too did we.

Finally, we are coming to a place where we can begin to connect all of those dots again. Finally, we see the “web 2.0″ meme propagating in such a way that little working groups of identity are popping up — from the Berkman center to the Identity gang to Phil Windley's Internet Identity Workshop.

I'm proud to say that nearly all of these people are people that we've known over here at Digital ID World for (in most cases) years. And I'm pleased to report that a truly significant thing is occurring — the identity architects in the enterprise are beginning to mingle with the identity folks out in end-user land. This may not seem momentous, but it really is. Its momentous because we're finally seeing people struggling with how to present unified metaphors, experiences and technologies that do not chop the digital identity problem up into two primary slices: enterprise and end-user. Granted, this has been tried before (Novell's DigitalMe comes to mind), but for some reason, the winds seem to be blowing correctly this time.

So, why am I going to Web 2.0? Because I believe the technology stars are beginning to align; that the marketplace is beginning (beginning, I say) to catch up with the conversation; that maybe – just maybe – we're about to be able to pull together the strands of conversation from the very first Digital ID World with the strands of conversation from the last Digital ID World — and in doing so, we'll find our conversations to be bigger, more productive, and learning at a faster pace.

The web as platform is the next great movement for digital identity. While digital identity has started the long hard slog into the enterprise (a journey that will take the next several years), we've barely opened the door to identity's involvement in the web as platform. It can be seen in our problems (spam, phishing, id fraud). It can be seen in our past identity technology failures. And it can be seen in the excitement around the web as platform.

Authenticating Candidate Websites

I hadn't really thought about all the opportunities that a red-blooded identity thief would find in election campaigns. Of course the campaign websites are a perfect example of the “identity patchwork” problem described in the Laws of Identity: How can citizens possibly know whether a site is legitimate when each site offers a unique and unpredictable experience?

The technology described in this important piece from Government Technology is an attempt to unify that experience – in essence tying in with identity laws six and seven: human integration and consistent experience. While it is commendable to try to do something as quickly as possible, the technology proposed is subject to many kinds of attack as the criminal element adjusts to it. I'm not trying to make excellence an enemy of the good. I'm just saying that only a holistic and multi-layered approach such as that represented by the proposed identity metasystem can really respond to the threats so clearly articulated here in a way that lasts beyond a single campaign.

On Tuesday, Kentucky Secretary of State Trey Grayson announced a new effort to protect voters from fraudulent websites in anticipation of the largest election in Kentucky history with more than 4,000 races on the ballot.

Grayson was joined by New Mexico Secretary of State Rebecca Vigil-Giron. Kentucky and New Mexico will be the first states in the country to address fraudulent candidate websites.

The new service will be available, free-of-charge, to all candidates who file with the Office of the Secretary of State. The service utilizes technology developed by ElectionMall Technologies, Inc. The Election Security Seal Program provides an online environment in which viewers are assured they are dealing with the legitimate websites of candidates.

What it is:

  • The “Election Security Seal Program” is a program designed to verify the authenticity of political websites and protect political candidates, officials, groups and consumers against scams and false information associated with fraudulent political Web sites, through the use of an encrypted digital seal.
  • The program creates an official online “Registrar Directory” of legitimate political websites, including candidate sites, campaign sites, 527’s, political action group sites and other political organization sites. This registrar may then be used by the public to verify the authenticity of political websites.

How it works:

  • The political candidate, official or group registers through his or her appropriate Secretary of State. In the registration form, the candidate is asked if he/she would like to have the SOS seal appear on his/her candidate website to certify and authenticate the site.
  • The SOS office verifies the identity of the candidate/authenticity of the site.
  • The candidate is listed in the official Registrar Directory.
  • If the approved candidate/official wishes to add the SOS seal to their website, it will appear at the bottom of the site.
  • When a visitor clicks on the seal, it will redirect them to a site for official authentication.
  • The seal will have a scroll-over capability that will allow the visitor to see the certification.

“Protecting the integrity of Kentucky's elections is the highest priority for the Office of the Secretary of State and for the hundreds of local elections officials throughout the Commonwealth,” stated Secretary Grayson. “In the last few elections, political websites and online fundraising have proliferated, and so have concerns about fraudulent activity connected to such sites. Election administrators must protect citizens from fraudulent political websites, or we may run the risk of alienating potential voters.”

During the 2004 elections, 75 million Americans used the Internet to obtain political news and information, making the Internet and online campaigning a top focus and communications medium for politicians and political groups.

Secretary Grayson, the youngest Secretary of State in the country and current chairman of the National Association of Secretaries of State's Election's Committee, as well as the national chairman of the Republican Association of Secretaries of State, has encouraged other states to follow Kentucky's lead in this effort.

I recommend that identity geeks check out Election Security Seal Program White Paper. It contains quotes like these:

“During the 2004 campaign, thousands of voters who believed that they were participating in the political process were victims of fraudulent electronic mail and website solicitations.”

“Marc Elias, the chief counsel to John Kerry for President, testified that this kind of fraud is “the biggest threat the Internet poses to the political power of average Americans. If individual voices can be diminished by the concentration of economic power they can be silenced altogether when those individuals discover that their credit card information has been fraudulently captured, or that the contributions they thought they were making to a candidate went to someone else.” (Testimony before FEC hearing regarding Internet Communications on June 28, 2004).”

“According to a Pew Research Center Report, entitled The Internet and Campaign 2004, over four million people made on-line contributions to candidates during the 2004 election cycle. Many of these people were average Americans who became empowered by the Internet to engage in the political process. Unless security measures are taken to verify campaign websites, many other citizens will become victims of Internet fraud and will be less likely to engage in the political process in the future.”

We need to get more information on the technology being used. It would be doubly demoralizing if people who thought they were taking every reasonable precaution to ensure their protection were still, in fact, being duped.

[tags: , , , ]