Vittorio's new book is a must-read

Vittorio's new bookIf you are a programmer interested in identity, I doubt you'll find a more instructive or amusing video than this one by Vittorio Bertocci.  It's aimed at people who work in .NET and explores the Windows Identity Foundation.   I expect most programmers interested in identity will find it fascinating no matter what platform they work on, even if it just provides a point of comparison.

And that brings me to Vittorio's new book:  Programming Windows Identity Foundation.  I really only have one thing to say about it:  you are crazy to program in WIF without reading this book.  And if you're an architect rather than a coder – but still have a sense of reading code – you'll find that subjects like delegation benefit immensely from the concrete presentation Vittorio has put together.

I have to admit to being sufficiently engrossed that I had to drop everything I was doing in order to deal with some of the miniature brain-waves the book induced.  

But then, I have a soft spot for good books on programming.  I'm talking about books that have real depth but are simple and exciting because the writer has the same clarity as programmers have when they are in “programming trance”.  I used to even take a bunch of books with me when I went on vacation – it drove my mother-in-law nuts.

I'm not going to try to descibe Vittorio's book – but it really hangs together, and if you're trying to do anything original or complex it will give you the depth of understanding you need to do it efficiently.  Just as important, you'll enjoy reading it.

Stephan Engberg on Touch2ID

Stephan Engberg is member of the Strategic Advisory Board of the EU ICT Security & Dependability Taskforce and an innovator in terms of reconciling the security requirements in both ambient and integrated digital networks. I thought readers would benefit from comments he circulated in response to my posting on Touch2Id.

Kim Cameron's comments on Touch2Id – and especially the way PI is used – make me want to see more discussion about the definition of privacy and the approaches that can be taken in creating such a definition.

To me Touch2Id is a disaster – teaching kids to offer their fingerprints to strangers is not compatible  with my understanding of democracy or of what constitutes the basis of free society. The claim that data is “not collected” is absurd and represents outdated legal thinking.  Biometric data gets collected even though it shouldn't and such collection is entirely unnecessary given the PET solutions to this problem that exist, e. g chip-on-card.

In my book, Touch2Id did not do the work to deserve a positive privacy appraisal.

Touch2Id, in using blinded signature, is a much better solution than, for example, a PKI-based solution would be.  But this does not change the fact that biometrics are getting collected where they shouldn't.
To me Touch2Id therefore remains a strong invasion of Privacy – because it teaches kids to accept biometric interactions that are outside their control. Trusting a reader is not an option.

My concern is not so much in discussing the specific solution as reaching some agreement on the use of words and what is acceptable in terms of use of words and definitions.

We all understand that there are different approaches possible given different levels of pragmatism and focus. In reality we have our different approaches because of a number of variables:  the country we live in, our experiences and especially our core competencies and fields of expertise.

Many do good work from different angles – improving regulation, inventing technologies, debating, pointing out major threats etc. etc.

No criticism – only appraisal

Some try to avoid compromises – often at great cost as it is hard to overcome many legacy and interest barriers.  At the same time the stakes are rising rapidly:  reports of spyware are increasingly universal. Further, some try to avoid compromises out of fear or on the principle that governments are “dangerous”.

Some people think I am rather uncompromising and driven by idealist principles (or whatever words people use to do character assaination of those who speak inconvenient truths).  But those who know me are also surprised – and to some extent find it hard to believe – that this is due largely to considerations of economics and security rather than privacy and principle.

Consider the example of Touch2Id.  The fact that it is NON-INTEROPERABLE is even worse than the fact that biometrics are being collected, since because of this, you simply cannot create a PET solution using the technology interfaces!  It is not open, but closed to innovations and security upgrades. There is only external verification of biometrics or nothing – and as such no PET model can be applied.  My criticism of Touch2Id is fully in line with the work on security research roadmapping prior to the EU's large FP7 research programme (see pg. 14 on private biometrics and biometric encryption – both chip-on-card).

Some might remember the discussion at the 2003 EU PET Workshop in Brussels where there were strong objections to the “inflation of terms”.  In particular, there was much agreement that the term Privacy Enhancing Technology should only be applied to non-compromising solutions.  Even within the category of “non-compromising” there are differences.  For example, do we require absolute anonymity or can PETs be created through specific built-in countermeasures such as anti-counterfeiting through self-incrimination in Digital Cash or some sort of tightly controlled Escrow (Conditional Identification) in cases such as that of non-payment in an otherwise pseudonymous contract (see here).

I tried to raise the same issue last year in Brussels.

The main point here is that we need a vocabulary that does not allow for inflation – a vocabulary that is not infected by someone's interest in claiming “trust” or overselling an issue. 

And we first and foremost need to stop – or at least address – the tendency of the bad guys to steal the terms for marketing or propaganda purposes.  Around National Id and Identity Cards this theft has been a constant – for example, the term “User-centric Identity” has been turned upside down and today, in many contexts, means “servers focusing on profiling and managing your identity.”

The latest examples of this are the exclusive and centralist european eID model and the IdP-centric identity models recently proposed by US which are neither technological interoperable, adding to security or privacy-enhancing. These models represent the latest in democratic and free markets failure.

My point is not so much to define policy, but rather to respect the fact that different policies at different levels cannot happen unless we have a clear vocabulary that avoid inflation of terms.

Strong PETs must be applied to ensure principles such as net neutrality, demand-side controls and semantic interoperability.  If they aren't, I am personally convinced that within 20 or 30 years we will no longer have anything resembling democracy – and economic crises will worsen due to Command & Control inefficiencies and anti-innovation initiatives

In my view, democracy as construct is failing due to the rapid deterioration of fundamental rights and requirements of citizen-centric structures.  I see no alternative than trying to get it back on track through strong empowerment of citizens – however non-informed one might think the “masses” are – which depends on propagating the notion that you CAN be in control or “Empowered” in the many possible meanings of the term.

When I began to think about Touch2Id it did of course occur to me that it would be possible for operators of the system to secretly retain a copy of the fingerprints and the information gleaned from the proof-of-age identity documents – in other words, to use the system in a deceptive way.  I saw this as being something that could be mitigated by introducing the requirement for auditing of the system by independent parties who act in the privacy interests of citizens.

It also occured to me that it would be better, other things being equal, to use an on-card fingerprint sensor.  But is this a practical requirement given that it would still be possible to use the system in a deceptive way?  Let me explain.

Each card could, unbeknownst to anyone, be imprinted with an identifier and the identity documents could be surreptitiously captured and recorded.  Further, a card with the capability of doing fingerprint recognition could easily contain a wireless transmitter.  How would anyone be certain a card wasn't capable of surreptitiously transmitting the fingerprint it senses or the identifier imprinted on it through a passive wireless connection? 

Only through audit of every technical component and all the human processes associated with them.

So we need to ask, what are the respective roles of auditability and technology in providing privacy enhancing solutions?

Does it make sense to kill schemes like Touch2ID even though they are, as Stephan says, better than other alternatives?   Or is it better to put the proper auditing processes in place, show that the technology benefits its users, and continue to evolve the technology based on these successes?

None of this is to dismiss the importance of Stephan's arguments – the discussion he calls for is absolutely required and I certainly welcome it. 

I'm sure he and I agree we need systematic threat analysis combined with analysis of the possible mitigations, and we need to evolve a process for evaluating these things which is rigorous and can withstand deep scrutiny. 

I am also struck by Stephan's explanation of the relationship between interoperability and the ability to upgrade and uplevel privacy through PETs, as well as the interesting references he provides. 

Blizzard backtracks on real-names policy

A few days ago I mentioned the outcry when Blizzard, publisher of the World of Warcraft (WoW) multi-player Internet game, decided to make gamers reveal their offline identities and identifiers within their fantasy gaming context. 

I also descibed Blizzard's move as being the “kookiest” flaunting yet of the Fourth Law of Identity (Contextual separation through unidirectional identifiers). 

Today the news is all about Blizzard's first step back from the mistaken plan that appears to have completely misunderstood its own community.

CEO Mike Morhaime  seems to be on the right track with the first part of his message:

“I'd like to take some time to speak with all of you regarding our desire to make the Blizzard forums a better place for players to discuss our games. We've been constantly monitoring the feedback you've given us, as well as internally discussing your concerns about the use of real names on our forums. As a result of those discussions, we've decided at this time that real names will not be required for posting on official Blizzard forums.

“It's important to note that we still remain committed to improving our forums. Our efforts are driven 100% by the desire to find ways to make our community areas more welcoming for players and encourage more constructive conversations about our games. We will still move forward with new forum features such as the ability to rate posts up or down, post highlighting based on rating, improved search functionality, and more. However, when we launch the new StarCraft II forums that include these new features, you will be posting by your StarCraft II Battle.net character name + character code, not your real name. The upgraded World of Warcraft forums with these new features will launch close to the release of Cataclysm, and also will not require your real name.”

Then he goes weird again.  He seems to have a fantasy of his own:  that he is running Facebook…

“I want to make sure it's clear that our plans for the forums are completely separate from our plans for the optional in-game Real ID system now live with World of Warcraft and launching soon with StarCraft II. We believe that the powerful communications functionality enabled by Real ID, such as cross-game and cross-realm chat, make Battle.net a great place for players to stay connected to real-life friends and family while playing Blizzard games. And of course, you'll still be able to keep your relationships at the anonymous, character level if you so choose when you communicate with other players in game. Over time, we will continue to evolve Real ID on Battle.net to add new and exciting functionality within our games for players who decide to use the feature.”

Don't get me wrong.  As convoluted as this thinking is, it's one big step forward (after two giant steps backward) to make linking of offline identity to gaming identity “optional”. 

And who knows?  Maybe Mike Morhaime really does understand his users…  He may be right that lots of gamers are totally excited at the prospect of their parents, lovers and children joining Battle.net to stay connected with them while they are playing WoW!  Facebook doesn't stand a chance!

 

How to anger your most loyal supporters

The gaming world is seething after what is seen as an egregious assault on privacy by World of Warcraft (WoW), one of the most successful multiplayer role-playing games yet devised.  The issue?  Whereas players used to know each other through their WoW “handles”, the company is now introducing a system called “RealID” that forces players to reveal their offline identities within the game's fantasy context.  Commentators think the company wanted to turn its user base into a new social network.  Judging from the massive hullabaloo amongst even its most loyal supporters, the concept may be doomed.

To get an idea of the dimensions of the backlash just type “WoW RealID” into a search engine.  You'll hit paydirt:

The RealID feature is probably the kookiest example yet of breaking the Fourth Law of Identity – the law of Directed Identity.   This law articulates the requirement to scope digital identifiers to the context in which they are used.  In particular, it explains why universal identifiers should not be used where a person's relationship is to a specific context.  The law arises from the need for “contextual separation” – the right of individuals to participate in multiple contexts without those contexts being linkable unless the individual wants them to be.

The company seems to have initially inflicted Real ID onto everyone, and then backed off by describing the lack of “opt-in” as a “security flaw”, according to this official post on wow.com:

To be clear, everyone who does not have a parentally controlled account has in fact opted into Real ID, due to a security flaw. Addons have access to the name on your account right now. So you need to be very careful about what addons you download — make sure they are reputable. In order to actually opt out, you need to set up parental controls on your account. This is not an easy task. Previous to the Battle.net merge, you could just go to a page and set them up. Done. Now, you must set up an account as one that is under parental control. Once your account is that of a child's (a several-step process), your settings default to Real ID-disabled. Any Real ID friends you have will no longer be friends. In order to enable it, you need to check the Enable Real ID box.

 Clearly there are security problems that emerge from squishing identifiers together and breaking cross-context separation.  Mary Landsman has a great post on her Antivirus Software Blog called “WoW Real ID: A Really Bad Idea“:

Here are a couple of snippets about the new Battle.net Real ID program:

“…when you click on one of your Real ID friends, you will be able to see the names of his or her other Real ID friends, even if you are not Real ID friends with those players yourself.”

“…your mutual Real ID friends, as well as their Real ID friends, will be able to see your first and last name (the name registered to the Battle.net account).”

“…Real ID friends will see detailed Rich Presence information (what character the Real ID friend is playing, what they are doing within that game, etc.) and will be able to view and send Broadcast messages to other Real ID friends.”

And this is all cross-game, cross-realm, and cross-alts. Just what already heavily targeted players need, right? A merge of WoW/Battle.net/StarCraft with Facebook-style social networking? Facepalm might have been a better term to describe Real ID given its potential for scams. Especially since Blizzard rolled out the change without any provision to protect minors whatsoever:

Will parents be able to manage whether their children are able to use Real ID?
We plan to update our Parental Controls with tools that will allow parents to manage their children's use of Real ID. We'll have more details to share in the future.

Nice. So some time in the future, Blizzard might start looking at considering security seriously. In the meantime, the unmanaged Real ID program makes it even easier for scammers to socially engineer players AND it adds potential stalking to the list of concerns. With no provision to protect minors whatsoever.

Thanks, Blizz…Not!

And Kyth has a must-read post at stratfu called Deeply Disappointed with the ‘RealID’ System where he explains how RealID should have been done.  His ideas are a great implementation of the Fourth Law.

Using an alias would be fine, especially if the games are integrated in such a way that you could pull up a list of a single Battle.net account's WoW/D3 characters and SC2 profiles. Here is how the system should work:

  • You have a Battle.net account. The overall account has a RealID Handle. This Handle defaults to being your real name, but you can easily change it (talking single-click retard easy here) to anything you desire. Mine would be [WGA]Kazanir, just like my Steam handle is.
  • Each of your games is attached to your Battle.net account and thereby to your RealID. Your RealID friends can see you when you are online in any of those games and message you cross-game, as well as seeing a list of your characters or individual game profiles. Your displayed RealID is the handle described above.
  • Each game contains either a profile (SC2) or a list of characters. A list of any profiles or characters attached to your Battle.net account would be easily accessible from your account management screen. Any of these characters can be “opted out” of your RealID by unchecking them from the list. Thus, my list might look like this:

    X Kazanir.wga – SC2 ProfileX Kazanir – WoW – 80 Druid Mal'ganisX Gidgiddoni – WoW – 60 Warrior Mal'ganis_ Kazbank – WoW – 2 Hunter Mal'ganisX Kazabarb – D3 – 97 Barbarian US East_ Kazahidden – D3 – 45 Monk US West

    In this way I can play on characters (such as a bank alt or a secret D3 character with my e-girlfriend) without forcibly having their identity broadcast to my friends.When I am online on any of the characters I have unchecked, my RealID friends will be able to message me but those characters will not be visible even to RealID friends. The messages will merely appear to come from my RealID and the “which character is he on” information will not be available.

  • Finally, the RealID messenger implementation in every game should be able to hide my presence from view just like any instant messenger application can right now. I shouldn't be forced to be present with my RealID just because I am playing a game — there should be a universal “pretend to not be online” button available in every Battle.net enabled game.

These are the most basic functionality requirements that should be implemented by anyone with an IQ over 80 who designs a system like this.

Check out the comments in response to his post.  I would have to call his really sensible and informed proposal “wildly popular”.  It will be really interesting to see how this terrible blunder by such a creative company will end up.

 [Thanks to Joe Long for heads up]

“Microsoft Accuses Apple, Google of Attempted Privacy Murder”

Ms. Smith at Network World made it to the home page of digg.com yesterday when she reported on my concerns about the collection and release of information related to people's movements and location. 

I want to set the record straight about one thing: the headline.  It's not that I object to the term “attempted privacy murder” – it pretty much sums things up. The issue is just that I speak as Kim Cameron – a person, not a corporation.  I'm not in marketing or public releations – I'm a technologist who has come to understand that we must  all work together to ensure people are able to trust their digital environment.  The ideas I present here are the same ones I apply liberally in my day job, but this is a personal blog.

Ms. Smith is as precise as she is concise:

A Microsoft identity guru bit Apple and smacked Google over mobile privacy policies. Once upon a time, before working for Microsoft, this same man took MS to task for breaking the Laws of Identity.

Kim Cameron, Microsoft's Chief Identity Architect in the Identity and Security Division, said of Apple, “If privacy isn’t dead, Apple is now amongst those trying to bury it alive.”

What prompted this was when Cameron visited the Apple App store to download a new iPhone application. When he discovered Apple had updated its privacy policy, he read all 45 pages on his iPhone. Page 37 lets Apple users know:

Collection and Use of Non-Personal Information

We also collect non-personal information – data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

· We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

The MS identity guru put the smack down not only on Apple, but also on Google, writing in his blog, “Maintaining that a personal device fingerprint has ‘no direct association with any specific individual’ is unbelievably specious in 2010 – and even more ludicrous than it used to be now that Google and others have collected the information to build giant centralized databases linking phone MAC addresses to house addresses. And – big surprise – my iPhone, at least, came bundled with Google’s location service.”

MAC in this case refers to Media Access Control addresses associated with specific devices and one of the types that Google collected. Google admits to collecting MAC addresses of WiFi routers, but denies snagging MAC addresses of laptops or phones. Google is under mass investigation for its WiFi blunder.

Apple's new policy is also under fire from two Congressmen who gave Apple until July 12th to respond. Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) sent a letter to Apple CEO Steve Jobs asking for answers about Apple gathering location information on its customers.

As far as Cameron goes, Microsoft's Chief Identity Architect seems to call out anyone who violates privacy. That includes Microsoft. According to Wikipedia's article on Microsoft Passport:

“A prominent critic was Kim Cameron, the author of the Laws of Identity, who questioned Microsoft Passport in its violations of those laws. He has since become Microsoft's Chief Identity Architect and helped address those violations in the design of the Windows Live ID identity meta-system. As a consequence, Windows Live ID is not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems.”

Cameron seems to believe location based identifiers and these changes of privacy policies may open the eyes of some people to the, “new world-wide databases linking device identifiers and home addresses.”

 

Apple giving out your iPhone fingerprints and location

I went to the Apple App store a few days ago to download a new iPhone application.  I expected that this would be as straightforward as it had been in the past: choose a title, click on pay, and presto – a new application becomes available.

No such luck.  Apple had changed it's privacy policy, and I was taken to the screen at right,  To proceed I had to “read and accept the new Terms and Conditions”.  I pressed OK and up came page 1 of a new 45 page “privacy” policy.

I would assume “normal people” would say “uncle” and “click approve” around page 3.  But in light of what is happening in the industry around location services I kept reading the tiny, unsearchable, unzoomable print.

And there – on page 37 – you come to “the news”.  Apple's new “privacy” policy reveals that if you use Apple products Apple can disclose your device fingerprints and location to whomever it chooses and for whatever purpose:

Collection and Use of Non-Personal Information

We also collect non-personal information – data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

  • We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

No “direct association with any specific individual…”

Maintaining that a personal device fingerprint has “no direct association with any specific individual” is unbelievably specious in 2010 – and even more ludicrous than it used to be now that Google and others have collected the information to build giant centralized databases linking phone MAC addresses to house addresses.  And – big surprise – my iPhone, at least, came bundled with Google's location service.

The irony here is a bit fantastic.  I was, after all, using an “iPhone”.  I assume Apple's lawyers are aware there is an “I” in the word “iPhone”.  We're not talking here about a piece of shared communal property that might be picked up by anyone in the village.  An iPhone is carried around by its owner.  If a link is established between the owner's natural identity and the device (as Google's databases have done), its “unique device identifier” becomes a digital fingerprint for the person using it. 

Apple's statements constitute more disappointing doubletalk that is suspiciously well-aligned with the statements in Google's now-infamous WiFi FAQ.  Checking with the “Wayback machine” (which is of course not guaranteed to be accurate or up to date) the last change recorded in Apple's privacy policy seems to have been made in April 2008.  It contained no reference to device identifiers or location services. 

 

ID used to save “waggle dance”

MSN reports on a fascinating use of tracking:

Bees are being fitted with tiny radio ID tags to monitor their movements as part of research into whether pesticides could be giving the insects brain disorders, scientists have revealed

The study is examining concerns that pesticides could be damaging bees’ abilities to gather food, navigate and even perform their famous “waggle dance” through which they tell other bees where nectar can be found.

I can't help wondering if wearing an antenna twice one's size might also throw off one's “waggle dance”? There is too the question of how this particular bee gets back into its hive to be tracked another day.  But I leave those questions to the researchers.

 

Trip down memory lane

Joe Mansfield's comment that Bluetooth “doesn’t appear to be all that bad from a privacy leakage perspective” left me rummaging through memory lane – awakening memories that may help explain why I now believe that world-wide databases of MAC addresses constitute a central socio-technical problem of our time.

I was taken back to an unforgettable experience I had in 2005 while working on the Laws of Identity.  I had finished the Fourth Law and understood theoretically why technical systems should use “unidirectional identifiers” (meaning identifiers limited to a defined context) rather than “universal identifiers” (things like social security numbers) unless the goal was to be completely public.  But there is a difference between understanding something theoretically and right in the gut.

Rather than retell the story, here is what I wrote on my blog in Just a few scanning machines on Tuesday 6 September 2005:

Since I seem to be on the subject of Bluetooth again, I want to tell you about an experience I had recently that put a gnarly visceral edge on my opposition to technologies that serve as tracking beacons for us as private individuals.

I was having lunch in San Diego with Paul Trevithick, Stefan Brands and Mary Rundle. Everyone knows Paul for his work with Social Physics and the Berkman identity wiki; Stefan is a tremendously innovative privacy cryptographer; and Mary is pushing the envelope on cyber law with Berkman and Stanford.

Suddenly Mary recalled the closing plenary at the Computers, Freedom and PrivacyPanopticon Conference” in Seattle.

She referred off-handedly to “the presentation where they flashed a slide tracking your whereabouts throughout the conference using your Bluetooth phone.”

Essentially I was flabbergasted. I had missed the final plenary, and had no idea this had happened.

MAC Name Room Time Talk
Kim Cameron Mobile
00:09:2D:02:9A:68
Grand I (G1) Wed 09:32 09:32 ????
Grand Crescent (gc) Wed 09:35 09:35 Adware and Privacy: Finding a Common Ground
Grand I (G1) Wed 09:37 09:37 ????
Grand Crescent (gc) Wed 09:41 09:42 Adware and Privacy: Finding a Common Ground
Grand I (G1) Wed 09:46 09:47 ????
Grand III (g3) Wed 10:18 10:30 Intelligent Video Surveillance
Baker (ol) Wed 10:33 10:42 Reforming E-mail and Digital Telephonic Privacy
Grand III (g3) Wed 10:47 10:48 Intelligent Video Surveillance
Grand Crescent (gc) Wed 11:25 11:26 Adware and Privacy: Finding a Common Ground
Grand III (g3) Wed 11:46 12:22 Intelligent Video Surveillance
5th Avenue (5a) Wed 12:33 12:55 ????
Grand III (g3) Wed 13:08 14:34 Plenary: Government CPOs: Are they worth fighting for?

Of course, to some extent I'm a public figure when it comes to identity matters, and tracking my participation at a privacy conference is, I suspect, fair game. Or at any rate, it's good theatre, and drives home the message of the Fourth Law, which makes the point that private individuals must not be subjected – without their knowledge or against their will – to technologies that create tracking beacons.

A picture named kim_cameron.JPGLater Mary introduced me to Paul Holman from The Shmoo Group. He was the person who had put this presentation together, and given our mutual friends I don't doubt his motives. In fact, I look forward to meeting him in person.

He told me:

“I take it you missed our quick presentation, but essentially, we just put Bluetooth scanning machines in a few of the conference rooms and had them log the devices they saw. This was a pretty unsophisticated exercise, showing only devices in discoverable mode. To get them all would be a lot more work. You could do the same kind of thing just monitoring for cell phones or WiFi devices or whatever. We were trying to illustrate a crude version of what will be possible with RFIDs.”

The Bluetooth tracking was tied in to the conference session titles, and by clicking on a link you could see the information represented graphically – including my escape to a conference center window so I could take a phone call.

Anyway, I think I have had a foretaste of how people will feel when networks of billboards and posters start tracking their locations and behaviors. They won't like it one bit. They'll push back.

A foretaste indeed

One of my readers wrote to say I should turn my Bluetooth broadcast off, and I responded:

You’re right, and I have turned it off. Which bothers me. Because I like some of the convenience I used to enjoy.

So I write about this because I’d rather leave my Bluetooth phone enabled, interacting only with devices run by entities I’ve told it to cooperate with.

We have a lot of work to do to get things to this point. I see our work on identity as being directed to that end, at least in part.

We need to be able to easily express and select the relationships we want to participate in – and avoid – as cyberspace progressively penetrates the world of physical things.

The problems of Bluetooth all exist in current Wifi too. My portable computer broadcasts another tracking beacon. I’m not picking on Bluetooth versus other technologies. Incredibly, they all need to be fixed. They’re all misdesigned.

If anything has shocked me while working on the Laws of Identity, it has been the discovery of how naive we’ve been in the design of these systems to date – a product of our failure to understand the Fourth Law of Identity. The potential for abuse of these systems is collosal – enterprises like the UK’s Filter are just the most benign tip of an ugly iceberg.

For everyone’s sake I try to refrain from filling in what the underside of this iceberg might look like

Google's Street View group, which has been assembling a massive central registry of WiFi MAC addresses, has definitely crawled out from under this iceberg, and the project is more sinister than any I imagined only a few years ago.

But so as not to leave everyone feeling completely depressed, all the dreams of Billboards that recognize you from your Bluetooth phone have now been abandoned by Bluetooth manufacturers, and the specification has been greatly improved in light of the criticism it received.  Let's hope that geo-location providers, and Google in particular, see the same light, and assure us they will no longer collect or store the MAC address of any device unless that collection is approved by the subscriber.

Does the non-content trump the content?

In my previous post I referred to an interesting Wired story in which former U.S. federal prosecutor Paul Ohm says Google “likely” breached a U.S. federal criminal statute by intercepting the metadata and address information on residential and business WiFi networks.  The statute refers to a “pen register” – an electronic device that records all numbers dialed from a particular telephone line.  Wikipedia tells us the term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications.”  The story continues:

“I think it’s likely they committed a criminal misdemeanor of the Pen Register and Trap and Traces Device Act,” said Ohm, a prosecutor from 2001 to 2005 in the Justice Department’s Computer Crime and Intellectual Property Section. “For every packet they intercepted, not only did they get the content, they also have your IP address and destination IP address that they intercepted. The e-mail message from you to somebody else, the ‘to’ and ‘from’ line is also intercepted.”

“This is a huge irony, that this might come down to the non-content they acquired,” (.pdf) said Ohm, a professor at the University of Colorado School of Law.

I understand how people unacquainted with the emerging role of identity in the Internet can see this as an irony – a kind of side-effect – whereas in reality Google's plan to establish a vast centralized database of device identifiers has much longer-term consequences than the misappropriation of content.  Metadata is no less important than other data –  and “addresses” being referred to are really device identifiers clearly associated with individual users, much like the telephone numbers to which the statute applies.  Given the similarity to issues that arose with pre-Internet communication, we should perhaps not be surprised that there may already be regulation in place that prevents “registering” of the identifiers.

The Wired article continues:

Google said it was a coding error that led it to sniff as much as 600 gigabytes of data across dozens of countries as it was snapping photos for its Street View project. The data likely included webpages users visited and pieces of e-mail, video and document files…

The pen register act described by Ohm, which he said is rarely prosecuted, is usually thought of in terms of preventing unauthorized monitoring of outbound and inbound telephone numbers.

Violations are a misdemeanor and cannot be prosecuted by private lawyers in civil court, Ohm said. He said the act requires that Google “knew, or should have known” of the activity in question.

Google denies any wrongdoing.

In fact, Google knew about the collection of MAC addresses, and has never said otherwise or stated that their collection of these addresses was done accidently.  In fact they have been careful to never state explicitly that their collection was limited to Wireless Access Points.  The Gstumbler report makes it clear they were parsing and recording both the source and destination MAC addresses in all the WiFi frames they intercepted. 

The Wired article explains:

As far as a criminal court goes, it is not considered wiretapping “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”

It is not known how many non-password-protected Wi-Fi networks there are in the United States.

What makes this especially interesting is the fact that it is not possible to configure a WiFi network so that the MAC addresses are hidden.  Use of passwords protects the communication content carried by the network, but does not protect the MAC addresses.  Configuring the WIreless Access Point not to broadcast an SSID does not prevent eavesdropping on MAC addresses either.   Yet we can hardly say the metadata is readily accessible to the general public, since it cannot be detected except acquiring and using very specialized programs. 

Wired draws the conclusion that,  “The U.S. courts have not clearly addressed the issue involved in the Google flap.”

 

Claims based identity tops IT security concerns

John Fontana has crossed the floor, moving from the critics box to the stage.  

Many people will remember John's articles at Network World, where he served as one of the most talented and informed journalists in the world writing about network infrastructure for as long as I can remember. 

While it is sad to lose him in his role as journalist, I really look forward to what he will do at his new digs: Ping.  

I know his ability to explain identity and its issues and technology in words people can actually understand will benefit the whole identity ecosystem.  Kudos to Andre Durand and Ping for having the wisdom to bring him over.

Meanwhile, there's exciting news in this post from the new John: 

If I could say it better than my former Network World colleague Ellen Messmer I would, but I can’t so I’m just going to link to her story on Gartner’s survey that shows identity management projects rank first in the top five priorities for IT's security spending.
The results of the survey come from interviews with IT professionals at 308 companies.

But let me highlight two paragraphs from Ellen's story:

“Identity management appears to be taking the lead as a top priority as businesses look to deploy some of the more advanced federated identity technologies both within the enterprise for single sign-on and as a way to potentially extend identity-based access control into cloud-computing environments.”

And this one:

“But in terms of firewalls as a priority, [Gartner] notes that there's a movement to install next-generation firewalls.”

On that last point, check this link to From Firewall to IdentityWall.

[John is on Twitter where he also puts together a Tweet list]