Identity and eGovernment in Britain

I've been taking occasional breaks from the long-running Christmas party and swimming upstream into my email torrent.

I have to recommend the British Ideal Government blog – “a web user's antidote to personal frustration with public services” run by William Heath as a kind of wiki with a lot of discussion of eGovernment and related subjects. It seems to be a good vantage point from which we in North America can get an unofficial view of the approaching British rendezvous with government identity cards.

Having myself followed William's advice on this matter, I recommend that everyone interested in identity issues read the British Information Commissioner's perspective on the Identity Cards Bill.

Of course, government eIdentity cards run smack into the Law of Fewest Parties (Third Law of Identity):

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. (Starts here…)

Interestingly, this law is well understood by the Information Commissioner, who has obviously thought long and hard about these issues (American readers are advised not to miss the understated intensity of the words ‘myriad’ and ‘plethora’):

The problems (…administrative and technical – Kim) would be substantially exacerbated if it becomes the norm for a myriad of organisations – including commercial bodies – to check the Register for a plethora of purposes completely unconnected with those public interest objectives set out on the face of the Bill (Clause 1(4)).

One of the most thought-provoking aspects of the proposed scheme is the auditing of uses of the identity asserted by the card. This aspect of identity systems is one to which we will dedicate considerable attention going forward.

The example is given of employers being required to verify a person's right to work before hiring them. This would involve the card-holder (in conjunction with the employer?) accessing “the registry” by using the card. The card's use would in turn be recorded as part of an ever-growing audit trail of transactions associated with the subject. The commissioner points out that in this kind of scenario, much more guidance is required. Is the card to be used and audited every time you apply for a job? Only when the job offer is accepted? And above all, why?

We will all learn a lot by watching Britain grapple with these issues. In Britain there seem to be many mixed opinions. But it is encouraging that the national identification card is not proposed as a universal or commercial identity. It seems to be intended for use in official government contexts, making it conform to the Third Law.

Spying on high tech won’t trump terrorists’ use of low tech

On Monday (December 20th) my flight became substantially shorter and cheerier when I came across a terrific piece by Tom Zeller Jr. in the New York Times. “On the Open Internet, a Web of Dark Alleys” (registration required) cogently introduces the general reader to the idea that there is no magic privacy-invading wand that can be waved over the internet to protect it from criminal elements.

As Zeller says, “the troubling truth is that terrorists rarely have to be technically savvy to cloak their conversations. Even simple, prearranged code words can do the job when the authorities do not know whose e-mail to monitor or which Web sites to watch.”

Zeller says it is widely believed that Mohammed Atta, suspected of being the leader of the Sept. 11 hijackers, transmitted this final message to his co-conspirators over the Internet: “The semester begins in three more weeks. We've obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts, and the faculty of engineering.” Encryption was hardly necessary – who but the participants would imagine that the faculties represented the World Trade Center and the Pentagon?

To drive the idea home, Zeller then reports on another extreme case of how low tech trumps high tech:

Michael Caloyannides, a computer forensics specialist and a senior fellow at Mitretek Systems, a nonprofit scientific research organization based in Falls Church, Va., said the nature of a networked universe made it possible for just about anyone to communicate secretly. Conspirators do not even need to rely on code-hiding programs, because even automated teller machines can be used to send signals, Dr. Caloyannides explained,

A simple withdrawal of $20 from an account in New York might serve as an instant message to an accomplice monitoring the account electronically from halfway around the world, for example.

Tom Zeller has an amazing talent for making complex ideas seem simple. It is great to have him thinking and writing about these widely misunderstood issues.

Conspirators are able to make use of the current internet – an insecure internet which leaks personal information and is contemptuous of privacy – to help accomplish their goals. There is no silver bullet that can stop the kinds of attacks Zeller describes. But we do know that an internet with a stronger identity framework, including more privacy, would make citizens, businesses and governments safer in many other ways.

Standing on his head

James Kobielus of Network World and the Burton Group has astonished me by calling upon me to abandon my “cypherpunk” ways.

He goes on to say that the Laws of Identity “are at odds with the real, legislated, post-9/11 laws in this country and elsewhere. There are overarching authorities who are rendering your hoped-for privacy-friendly identity regime politically infeasible.” He also says, “At heart, Cameron’s “laws” are merely ideological, normative precepts with a transparent agenda and a limited, though laudable, aim.”

The truth is that I am not animating this discussion for ideological reasons. The Laws are not sermons, but explanations of why previous identity systems have failed where they failed and succeeded where they succeeded. Further, they are ways of understanding what is required for identity systems to succeed in the future. Both “normative precepts” and ideology are legitimate objects of study by social science. Attempting to understand normative precepts is not itself ideological: normative behavior, some of which is transcultural, underlies social institutions. Social behavior and institutions shape many of the characteristics of distributed systems. As computer scientists, we need to take them into account.

People are befuddled by the question of terror, and this must please the terrorists. By far the greatest problem of terror is our vulnerability to it. At some point cyberterror will professionalize enough that it will graduate from attacks on single processes and machines to attacks on the distributed system and all its components. It is a race against time to get a universal identity system in place that can alone provide the infrastructural underpinning necessary to counter these attacks.

Everyone must understand identity for our virtual future (and the future virtual) to be safe. That means identity must be understandable. James surely agrees that the active support of millions of computer users will vastly speed the process of building an identity system. (And that their opposition would grind it to a halt.) So his dismissal of how the user is treated while we build the identity system totally mystifies me. Could he himself be subject to some ideology?

The laws do nothing to prevent legitimate investigators from getting relevant parties to share information which, once assembled, would confirm or rule out guilt. If anything, a system based on these laws would make such proofs more scientific. The laws simply prevent indiscriminate leakage of identity information. In this sense, they reduce people's vulnerability to attack.

Nor do the laws prevent third parties (some of whom may present themselves as authorities) from making assertions. They simply propose that the identity system be built such that if the user is called upon to present such assertions, she can see what assertions are being made about her and decide whether to release them. This does not imply that a provider could not make opaque assertions – only that the user would understand they were opaque. The user might choose to release the assertions anyway – or find another more forward thinking provider who will compete by being open.

James offers four principles which I will examine some other time. But his theory that my identity is owned and controlled by the authorities who make assertions about me is really upside down. I assert, as an authority, that James is standing on his head. Do I now own and control his identity? It sounds like voodoo to me.

Totally awake at the wheel

Marc Canter must have a news reader running real-time, because he just replied:

Fine – I'll trade yah some MSDN manuals, PDC bookbags and some old Flight Simulator disks for some juicy broiled prawns and a cup of hot apple cider.

I really need more PDC bookbags for my collection, so this sounds like a great compromise. By the way, Marc is a guru and if anyone should get fees it is him.

Totally asleep at the wheel

I just received mail asking why I hadn't answered the marvelous post by Marc Canter, father of Macromedia. I have to admit I was totally asleep at the wheel – could it be my day job?

Marc opines in his lovable blend of angel and baseball bat:

Here's where Kim tells us about how ‘Passport is dead’ – while simultaneously being used by 200M people. MSN Spaces sure uses it.

I'd bet that his new InfoCards technology super-sets Passport – making it just one of many identity systems – which all have to work together. So Sxip, Liberty and Passport/WS-* all using i-names, FOAF and XFN. To be exact.

So what I'd say to Kim is: “Hey Kim? Where's that all expense paid, guru fees junket, PR suck-up strategy session where Microsoft pays us to go up there, eat Oyster stew and learn about InfoCards?”

And we reply with even more open source ideas – for free.

Well, I've been trying to animate a discussion about the objective factors constraining what an identity system must be in order to be successful. And a bunch of the people you mention are looking at this deeply and thinking about the fundamental issues in identity that will make a universal system possible.

I don't personally think that Microsoft should operate an identity provider other than for its own properties – and I don't think that's in our plans. I do think we should provide great identity software – that interoperates with great identity software from others. I also think MSN properties should be able to use other identity providers if that's what people want – so Passport needs to be able to federate in that sense.

Further, I'm convinced no one will get out of this without revving what they've done so far. We all need to move forward. And I think this discussion shows many people are willing to move forward.

So yes, we need an open, inclusive system, but the constituent technologies all need to come into alignment with the laws of identity in order to succeed.

By the way, I want to organize some meetings. And I'll bet I can get Microsoft to spring for the oyster stew. But if I don't want the meetings to be PR junkets – and I don't – I'm worried we'll have to dispense with the all-expense paid guru fees part.

Mark Wahl on the Third Law

Anyone who knows LDAP has probably heard of Mark Wahl. And they will likely enjoy this amazing page which defines Mark – are you ready? – as an OSI OID. For those who don't know about this type of thing, oidy is way beyond nerdy (in the positive sense). But those were the days when we were young and flush with the first blush of LDAP. There was a “whole lot of LDAP goin’ on”!

Mark was co-author and editor of the LDAP V3 specification. He built a great directory at Innosoft, which was acquired by Critical Angle, which was acquired by SUN, and he contributed many ideas and refinements to the standardization of directory protocols. These days he has left SUN and has a startup called Informed Control.

While the First and Second laws didn't seem to rankle him, he sent me extensive comments on the Third Law. I have posted them here.

Remember the Third Law? (If you need more context, check out the RECAP link on the identityblog home page.)

The Law of Fewest Parties

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. (Starts here…)

While Mark admits I gave some good examples of the usefulness of this law, he asks – and several other commentators have done the same – “Justifiable to whom? And who or what does the justifying?” He argues, “there may not even be agreement among the parties that one or more parties belong in the relationship”.

He then presents a number of examples in which identifying information is routinely forwarded to parties the consumer did not consider to be involved: a clearing house in an electronic funds transfer, a debt collector in the case where a consumer doesn't pay a debt, a government agency during a criminal investigation. “Today when a consumer signs up to a service provided by a bank or credit card issuer, they implicitly agree to share their identity information to a large and unbounded set of parties.”

What does the justifying? And justifiable to whom?

The First Law of Identity requires that disclosure of identity or private information be under the control of the party who is disclosing it. Doing so must make sense to her. So the justification requirements of the third law apply to the subject who is disclosing.

The identity system must make its user aware of the party or parties with whom she is interacting while sharing information.

Further, the system must be “translucent”. The user needs to understand the system, as we will see in an upcoming law. In the physical world we are able to judge the situation we are in and decide what we want to disclose about ourselves at any particular time. And we must be granted the same level of control in the cyber world.

Having disclosed an identity to another party, that party may have reason to pass information along to third parties. So it should provide the disclosing party with a policy statement about information use. This policy should govern what happens to disclosed information – I save this discussion for another day. But I'll suggest in passing that one can view this policy as defining “delegated rights” issued by the disclosing party.

No limits should be placed on how the party to whom I disclose information organizes itself, as long as it responsibly applies the policy under which I shared information.

Clearly such a policy would allow all parties to respond in the case of criminal investigations – but this does not mean the state is therefore a party to the identity relationship! Of course, this should be made explicit in the policy under which information is shared.

The cases presented by Mark all dissolve as exceptions in light of this thinking.

Stefan Brands’ Identity and Privacy Reading List

I asked Stefan Brands, who has both an academic and practical interest in identity systems, to put together a reading list of interesting papers and books on identity-related issues that we should take a look at. And I'm sure most of us will enjoy seeing what he has set out for us… I've posted it here. Maybe one of these will be the perfect “holiday gift” for your spouse (or your spouse's spouse).

Great discussion on identity theft and authentication

Everyone needs to go here to read this interchange between Bob Blakley and Carl Ellison on authentication, authorization and identity theft.

Bob Blakley is Chief Scientist at IBM Tivoli in the security area and a stellar presence. And Carl Ellison has long been a powerful and original force in the “speaks for” theory that now shapes the claims-based world – a key inventor of SDSI and SPKI.

NetworkWorldFusion from the Kearns Laboratory

NetworkWorldFusion's piece on the laws of identity really sent me for a loop since it started with:

If Kim Cameron, Microsoft's architect of directory services, had been a physicist, there might be one or two fewer buildings in Redmond today, and more holes in the ground – or maybe the world would be a lot better off.

I had to meditate to get past this paragraph.

Whoa… that must be Dave Kearns… and the man really does know how to write – with a sardonic wit that I enjoy. Let's just say that his virtual quill has a point on it.

He startled me again with the idea that I want to be the Asimov of Identity, bequeathing laws similar to the Laws of Robotics. I had been thinking of myself as more of a Newton action figure. It sure would be nice if going forward, when someone proposes some goofy invasive scenario, we could just say, “Uh uh uh… Don't even bother because it violates Identity Law Number 4. Here's the URL so you can figure it out yourself next time.”

Dave says the laws “seem like simple truths that any application or service which purports to handle identity management should follow.” And I agree. Too bad so few have done so to date.

The only bad news here is that we have seven laws rather than three. But they're very small laws. So they should take no more space in the brain than three large laws. Anyway, maybe by the time they get through Craig's Crockpot we can “reduce them”.

Dave characterizes me as “organizationally challenged” in terms of my blog, and warns how hard it has been to follow the laws on my site. I have added the “recap of the laws” to the right so people can drop in and out as time permits. I'm really a server geek and don't know much about html, so I hope people will be gentle with me as I figure this stuff out.

On blogging

I got a gentle mocking from Eric Norlin today:
so it seems your blog made both the digital id world and network world email newsletters in the same week….which, as far as i know, has never happened before and probably qualifies you for some sort of superstar blog status ;-)
ps: i like the 4th law.

Imagine unsuspecting readers who fall upon this site. I mean, it has to qualify as one of the more esoteric blogs going. Or maybe not. I don't know any more. The experience of blogging makes you challenge a lot of assumptions. Which reminds me…

I really want to express my gratitude to the people who invented this whole blog thing. I know Dave Winer was a key guy. I want to find out more about what went on in the first blog days.

Funny thing is, although I really liked Dave Winer when Doc introduced me, it turns out I didn't have a clue about what he had really done. It was sort of like meeting Bob Dylan at dinner but never having heard him sing. “Oh, you're a singer – how interesting.”

I say that because I now realize you have to blog to understand blogging – and I hadn't. In my case, at least, reading blogs was interesting enough and increased my level of information – but I saw nothing “revolutionizing” about it.

Yet writing a blog is profoundly affecting my thinking – and I've only done it for a few weeks. I get a lot of feedback and input. And it's input of diverse kinds. Technologies that transform and help us evolve our thinking are truly precious and rare. Blogging is also transforming my relationships with people. I am awed by what its inventors have accomplished. This in turn underlines one more time how superficial and stupid insipid comments about “the end of innovation” really are.

I followed a link recently to a piece on “Alpha Bloggers”. I guess I shouldn't be surprised that blogging is presented as a means to fame and glamour rather than “a means of consciousness”. Too bad.

I've been working on identity matters since the 1980s. And I've thought of myself as a member of a community of thinkers that extended across many different companies and institutions since the early days of electronic mail. I've grown with that community – learning, sometimes leading, and occasionally being thrown into bizarre opportunities to change what's up. My friends have often been my competitors, and I've been happy and grateful every time they have made an innovation. As competitors we create each other's opportunities as whole new technologies become more highly valued.

In the past the community I am referring to has been an abstract thing. But I can see now that a person's blog is written for their community – and, to a certain extent, at least in terms of subject matter, by its members. It is a reification (in the sense of making something abstract into a ‘thing’) of the ‘other’ with whom you communicate.