My dog ate my homework

Am I the only one, or is this a strange email from Facebook?

I mean, “lost”??  No backups?  

I hear you.  This must be fake – a phishing email, right?   

No https on the page I'm directed to, either… The average user doesn't have a chance when figuring out whether this is legit or not.  So guess what.  He or she won't even try.

I'll forget and forgive the “loss”, but following it up by putting all their users through a sequence of steps that teaches them how to be phished really stinks.

Seems to drive home the main premise of Information Cards set forth in the Laws of Identity:

Hundreds of millions of people have been trained to accept anything any site wants to throw at them as being the “normal way” to conduct business online. They have been taught to type their names, secret passwords and personal identifying information into almost any input form that appears on their screen.

There is no consistent and comprehensible framework allowing them to evaluate the authenticity of the sites they visit, and they don’t have a reliable way of knowing when they are disclosing private information to illegitimate parties.


Protecting the Internet through minimal disclosure

Here's an email I received from John through my I-name account:

I would have left a comment on the appropriate entry in your blog, but you've locked it down and so I can't 🙁

I have a quick question about InfoCards that I've been unable to find a clear answer to (no doubt due to my own lack of comprehension of the mountains of talk on this topic — although I'm not ignorant, I've been a software engineer for 25+ years, with a heavy focus on networking and cryptography), which is all the more pertinent with EquiFax's recent announcement of their own “card”.

The problem is one of trust. None of the corporations in the ICF are ones that I consider trustworthy — and EquiFax perhaps least of all. So my question is — in a world where it's not possible to trust identity providers, how does the InfoCard scheme mitigate my risk in dealing with them? Specifically, the risk that my data will be misused by the providers?

This is the single, biggest issue I have when it comes to the entire field of identity management, and my fear is that if these technologies actually do become implemented in a widespread way, they will become mandatory — much like they are to be able to comment on your blog — and people like me will end up being excluded from participating in the social cyberspace. I am already excluded from shopping at stores such as Safeway because I do not trust them enough to get an affinity card and am unwilling to pay the outrageous markup they require if you don't.

So, you can see how InfoCard (and similar schemes) terrify me. Even more than phishers. Please explain why I should not fear!

Thank you for your time.

There's a lot compressed into this note, and I'm not sure I can respond to all of it in one go.  Before getting to the substantive points, I want to make it clear that the only reason identityblog.com requires people who leave a comment to use an Information Card is to give them a feeling for one of the technologies I'm writing about.  To quote Don Quixote: “The proof of the pudding is the eating.”  But now on to the main attraction. 

It is obvious, and your reference to the members of the ICF illustrates this, that every individual and organization ultimately decides who or what to trust for any given reason.  Wanting to change this would be a non-starter.

It is also obvious that in our society, if someone offers a service, it is their right to establish the terms under which they do so (even requiring identification of various sorts).

Yet to achieve balance with the rights of others, the legal systems of most countries also recognize the need to limit this right.  One example would be in making it illegal to violate basic human rights (for example, offering a service in a way that is discriminatory with respect to gender, race, etc). 

Information Cards don't change anything in this equation.  They replicate what happens today in the physical world.  The identity selector is no different than a wallet.  The Information Cards are the same as the cards you carry in your wallet.  The act of presenting them is no different than the act of presenting a credit card or photo id.  The decision of a merchant to require some form of identification is unchanged in the proposed model.

But is it necessary to convey identity in the digital world?

Increasing population and density in the digital world has led to the embodiment of greater material value there – a tendency that will only become stronger.  This has attracted more criminal activity and if cyberspace is denied any protective structure, this activity will become disproportionately more pronounced as time goes on.  If everything remains as it is, I don't find it very hard to foresee an Internet vulnerable enough to become almost useless.

Many people have come or are coming to the conclusion that these dynamics make it necessary to be able to determine who we are dealing with in the digital realm.  I'm one of them.

However, many also jump to the conclusion that if reliable identification is necessary for protection in some contexts, it is necessary in all contexts.  I do not follow that reasoning. 

Some != All

If the “some == all” thinking predominates, one is left with a future where people need to identify themselves to log onto the Internet, and their identity is automatically made available everywhere they go:  ubiquitous identity in all contexts.

I think the threats to the Internet and to society are sufficiently strong that in the absence of an alternate vision and understanding of the relevant pitfalls, this notion of a singular “tracking key” is likely to be widely mandated.

This is as dangerous to the fabric and traditions of our society as the threats it attempts to counter.  It is a complete departure from the way things work in the physical world.

For example, we don't need to present identification to walk down the street in the physical world.  We don't walk around with our names or religions stenciled on our backs.  We show ID when we go to a bank or government office and want to get into our resources.  We don't show it when we buy a book.  We show a credit card when we make a purchase.  My goal is to get to the same point in the digital world.

Information Cards were intended to deliver an alternate vision from that of a singular, ubiquitous identity.

New vision

This new vision is of identity scoped to context, in which there is minimal disclosure of the specific attributes necessary to a transaction.  I've discussed all of this here.

In this vision, many contexts require ZERO disclosure.  That means NO release of identity.  In other words, what is released needs to be “proportionate” to specific requirements (I quote the Europeans).  It is worth noting that in many countries these requirements are embodied in law and enforced.

Conclusions

So I encourage my reader to see Information Cards in the context of the possible alternate futures of identity on the Internet.  I urge him to take seriously the probability that deteriorating conditions on the internet will lead to draconian identity schemes counter to western democratic traditions.

Contrast this dystopia to what is achievable through Information Cards, and the very power of the idea that identity is contextual.  This itself can be the basis of many legal and social protections not otherwise possible. 

It may very well be that legislation will be required to ensure identity providers treat our information with sufficient care, providing individuals with adequate control and respecting the requirements of minimal disclosure.  I hope our blogosphere discussion can advance to the point where we talk more concretely about the kind of policy framework required to accompany the technology we are building. 

But the very basis of all these protections, and of the very possibility of providing protections in the first place, depends on gaining commitment to minimal disclosure and contextual identity as a fundamental alternative to far more nefarious alternatives – be they pirate-dominated chaos or draconian over-identification.  I hope we'll reach a point where no one thinks about these matters absent the specter of such alternatives.

Finally, in terms of the technology itself, we need to move towards the cryptographic systems developed by David Chaum, Stefan Brands and Jan Camenisch (zero knowledge proofs).  Information Cards are an indispensable component required to make this possible.  I'll also be discussing progress in this area more as we go forward.


The Identity Domino Effect

My friend Jerry Fishenden, Microsoft's National Technology Officer in the United Kingdom, had a piece in The Scotsman recently where he lays out, with great clarity, many of the concerns that “keep me up at night”.  I hope this kind of thinking will one day be second nature to policy makers and politicians world wide. 

Barely a day passes it seems without a new headline appearing about how our personal information has been lost from yet another database. Last week, the Information Commissioner, Richard Thomas, revealed that the number of reported data breaches in the UK has soared to 277 since HMRC lost 25 million child benefit records nearly a year ago. “Information can be a toxic liability,” he commented.

Such data losses are bad news on many fronts. Not just for us, when it's our personal information that is lost or misplaced, but because it also undermines trust in modern technology. Personal information in digital form is the very lifeblood of the internet age and the relentless rise in data breaches is eroding public trust. Such trust, once lost, is very hard to regain.

Earlier this year, Sir James Crosby conducted an independent review of identity-related issues for Gordon Brown. It included an important underlying point: that it's our personal data, nobody else's. Any organisation, private or public sector, needs to remember that. All too often the loss of our personal information is caused not by technical failures, but by lackadaisical processes and people.

These widely-publicised security and data breaches threaten to undermine online services. Any organisations, including governments, which inadequately manage and protect users’ personal information, face considerable risks – among them damage to reputation, penalties and sanctions, lost citizen confidence and needless expense.

Of course, problems with leaks of our personal information from existing public-sector systems are one thing. But significant additional problems could arise if yet more of our personal information is acquired and stored in new central databases. In light of projects such as the proposed identity cards programme, ContactPoint (storing details of all children in the UK), and the Communications Data Bill (storing details of our phone records, e-mails and websites we have visited), some of Richard Thomas's other comments are particularly prescient: “The more databases set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made. The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer. Put simply, holding huge collections of personal data brings significant risks.”

The Information Commissioner's comments highlight problems that arise when many different pieces of information are brought together. Aggregating our personal information in this way can indeed prove “toxic”, producing the exact opposite consequences of those originally intended. We know, for example, that most intentional breaches and leaks of information from computer systems are actually a result of insider abuse, where some of those looking after these highly sensitive systems are corrupted in order to persuade them to access or even change records. Any plans to build yet more centralised databases will raise profound questions about how information stored in such systems can be appropriately secured.

The Prime Minister acknowledges these problems: “It is important to recognise that we cannot promise that every single item of information will always be safe, because mistakes are made by human beings. Mistakes are made in the transportation, if you like – the communication of information”.

This is an honest recognition of reality. No system can ever be 100 per cent secure. To help minimise risks, the technology industry has suggested adopting proposals such as “data minimisation” – acquiring as little data as required for the task at hand and holding it in systems no longer than absolutely necessary. And it's essential that only the minimum amount of our personal information needed for the specific purpose at hand is released, and then only to those who really need it.

Unless we want to risk a domino effect that will compromise our personal information in its entirety, it is also critical that it should not be possible automatically to link up everything we do in all aspects of how we use the internet. A single identifying number, for example, that stitches all of our personal information together would have many unintended, deeply negative consequences.

There is much that governments can do to help protect citizens better. This includes adopting effective standards and policies on data governance, reducing the risk to users’ privacy that comes with unneeded and long-term storage of personal information, and taking appropriate action when breaches do occur. Comprehensive data breach notification legislation is another important step that can help keep citizens informed of serious risks to their online identity and personal information, as well as helping rebuild trust and confidence in online services.

Our politicians are often caught between a rock and a very hard place in these challenging times. But the stream of data breaches and the scope of recent proposals to capture and hold even more of our personal information does suggest that we are failing to ensure an adequate dialogue between policymakers and technologists in the formulation of UK public policy.

This is a major problem that we can, and must, fix. We cannot let our personal information in digital form, as the essential lifeblood of the internet age, be allowed to drain away under this withering onslaught of damaging data breaches. It is time for a rethink, and to take advantage of the best lessons that the technology industry has learned over the past 30 or so years. It is, after all, our data, nobody else's.

My identity has already been stolen through the very mechanisms Jerry describes.  I would find this even more depressing if I didn't see more and more IT architects understanding the identity domino problem – and how it could affect their own systems. 

It's our job as architects to do everything we can so the next generation of information systems are as safe from insider attacks as we can make them.  On the one hand this means protecting the organizations we work for from unnecessary liability;  on the other, it means protecting the privacy of our customers and employees, and the overall identity fabric of society.

In particular, we need to insist on:

  • scrupulously partitioning personally identifying information from operational and profile data;
  • eliminating “rainy day” collection of information – the need for data must always be justifiable;
  • preventing personally identifying information from being stored on multiple systems;
  • use of encryption;
  • minimal disclosure of identity information within a “need-to-know” paradigm.

I particularly emphasize partitioning PII from operational data since most of a typical company's operational systems – and employees – need no access to PII.  Those who do need such access rarely need to know anything beyond a name.  Those who do need greater access to detailed information rarely need access to information about large numbers of people except in anonymized form.

I would love someone to send me a use case that calls for anyone to have access – at the same time – to the personally identifying information about thousands of individuals  (much less millions, as was the case for some of the incidents Jerry describes).  This kind of wholesale access was clearly afforded the person who stole my identity.  I still don't understand why. 
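As an added illustration of the partitioning and need-to-know principles above (this is not code from the blog), here is a small Python model: a PII vault that encrypts each record and answers for one subject at a time according to the requester's role; an operational store that holds only the vault's opaque tokens; and aggregate reporting that suppresses small buckets so analysts never see individuals. The roles, field names, sample people and the standard-library cipher used in place of a real AEAD are all assumptions of the example.

```python
"""Partitioning PII from operational data under need-to-know access.

Added illustration; not code from the blog. Roles, field names and the three
people are constructed. The cipher is an HMAC-SHA256 counter-mode keystream
with encrypt-then-MAC, a standard-library stand-in for a real AEAD (AES-GCM)
so the example runs without third-party packages.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict


def _subkey(root: bytes, label: bytes) -> bytes:
    # Distinct keys for the keystream and the MAC, derived from one root key.
    return hmac.new(root, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(root: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(root, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(root, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(root: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(root, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PII record failed its integrity check")
    ks = _keystream(_subkey(root, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class PiiVault:
    """The only system holding identifying data. Everything else stores the
    opaque token it is handed, never the name, birth date or ID number."""

    # Constructed tiers: the fields each role may see, one subject per lookup.
    VISIBLE_FIELDS = {
        "support": ("name",),                          # a name is all most staff need
        "compliance": ("name", "dob", "national_id"),  # full record for one subject
    }

    def __init__(self, root_key: bytes):
        self._key = root_key  # would live in a KMS/HSM in practice
        self._rows = {}

    def enroll(self, name: str, dob: str, national_id: str) -> str:
        token = secrets.token_hex(8)  # random, so it says nothing about the person
        self._rows[token] = seal(self._key, "|".join((name, dob, national_id)).encode())
        return token

    def lookup(self, token: str, role: str) -> dict:
        fields = self.VISIBLE_FIELDS.get(role)
        if fields is None:
            raise PermissionError(f"role {role!r} has no need to know PII")
        name, dob, national_id = unseal(self._key, self._rows[token]).decode().split("|")
        full = {"name": name, "dob": dob, "national_id": national_id}
        return {f: full[f] for f in fields}
    # Deliberately no bulk export: no call returns many subjects' PII at once.


class OperationalStore:
    """Orders keyed only by vault token; analysts never touch the vault."""

    def __init__(self):
        self.orders = []

    def add_order(self, token: str, region: str, amount: int) -> None:
        self.orders.append({"subject": token, "region": region, "amount": amount})

    def revenue_by_region(self, k: int = 2) -> dict:
        """Aggregates only, and only for buckets with at least k distinct
        subjects, so one person's orders cannot be read back out."""
        totals, subjects = defaultdict(int), defaultdict(set)
        for o in self.orders:
            totals[o["region"]] += o["amount"]
            subjects[o["region"]].add(o["subject"])
        return {r: totals[r] for r in totals if len(subjects[r]) >= k}


def demo() -> dict:
    """Constructed scenario: three customers, two regions."""
    vault, ops = PiiVault(secrets.token_bytes(32)), OperationalStore()
    alice = vault.enroll("Alice Example", "1970-01-01", "AB123456C")
    bob = vault.enroll("Bob Example", "1980-02-02", "CD654321A")
    carol = vault.enroll("Carol Example", "1990-03-03", "EF111111B")
    ops.add_order(alice, "north", 40)
    ops.add_order(bob, "north", 60)
    ops.add_order(carol, "south", 25)  # single subject in "south": bucket suppressed
    return {"support_sees": vault.lookup(alice, "support"),
            "analyst_sees": ops.revenue_by_region(k=2)}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the vault has no "export everything" call at all: the wholesale access described in the post is prevented by the interface, not by a policy someone can later relax.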

Personal information can be a toxic liability…

From Britain's Guardian, another fantastic tale of information leakage:

The home secretary, Jacqui Smith, yesterday denounced the consultancy firm involved in the development of the ID cards scheme for “completely unacceptable” practice after losing a memory stick containing the personal details of all of the 84,000 prisoners in England and Wales.

The memory stick contained unencrypted information from the electronic system for monitoring offenders through the criminal justice system, including information about 10,000 of the most persistent offenders…

Smith said PA Consulting had broken the terms of its contract in downloading the highly sensitive data. She said: “It runs against the rules set down both for the holding of government data and set down by the external contractor and certainly set down in the contract that we had with the external contractor.

An illuminating twist is that the information was provided to the contractor encrypted.  The contractor, one of the “experts” designing the British national identity card, decrypted it, put it on a USB stick and “lost it”.  With experts like this, who needs non-experts?

When government identity system design and operations are flawed, the politicians responsible suffer the repercussions.  It therefore always fills me with wonder – it is one of those inexplicable aspects of human nature – that politicians don't protect themselves by demanding the safest possible systems, nixing any plan that isn't based on at least a modicum of the requisite pessimism.  Why do they choose such rotten technical advisors?

Opposition parties urged the government to reconsider its plan for the introduction of an ID card database following the incident. Dominic Grieve, the shadow home secretary, said: “The public will be alarmed that the government is happy to entrust their £20bn ID card project to the firm involved in this fiasco.

“This will destroy any confidence the public still have in this white elephant and reinforce why it could endanger – rather than strengthen – our security.”

The Liberal Democrats were also not prepared to absolve the home secretary of responsibility. Their leader, Nick Clegg, accused Smith of being worse than the Keystone Cops at keeping data safe.

Clegg said: “Frankly the Keystone Cops would do a better job running the Home Office and keeping our data safe than this government, and if this government cannot keep the data of thousands of guilty people safe, why on earth should we give them the data of millions of innocent people in an ID card database?”

David Smith, deputy commissioner for the information commissioner's office, said: “The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability if it is not handled properly, and reinforces the need for data protection to be taken seriously at all levels.”

Home Office resource accounts for last year show that in March of this year two CDs containing the personal information of seasonal agricultural workers went missing in transit to the UK Borders Agency. The names, dates of birth, and passport numbers of 3,000 individuals were lost.

If you are wondering why Britain seems to experience more “data loss” than anyone else, I suspect you are asking the wrong question.  If I were a betting man, I would wager that they just have better reporting – more people paying attention and blowing whistles.

But the big takeaway at the technical level is that sensitive information – and identity information in particular – needs to be protected throughout its lifetime.  If put on portable devices, the device should enforce rights management and only release specific information as needed – never allow wholesale copying.  Maybe we don't have dongles that can do this yet, but we certainly have phone-sized computers (dare I say phones?) with all the necessary computational capabilities.


The Laws of Identity

Thanks to Eric Norman, Craig Burton and others for helping work towards a “short version” of the Laws of Identity. So here is a refinement:

People using computers should be in control of giving out information about themselves, just as they are in the physical world.

The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.

It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.

We need choice in terms of who provides our identity information in different contexts.

The system must be built so we can understand how it works, make rational decisions and protect ourselves.

Devices through which we employ identity should offer people the same kinds of identity controls – just as car makers offer similar controls so we can all drive safely.

The Laws of Identity

I've been working on how to make the Laws of Identity accessible to busy people without a technical background.  If you have ideas about how this can be improved please let me know:

People using computers should be in control of giving out information about themselves, just as they are in the physical world.

Only information needed for the purpose at hand should be released, and only to those who need it, just as we don’t indiscriminately broadcast our private information in daily life.

It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet.  A single identifier that stitches everything up would be a big mistake.

We need choice in terms of who provides our identity information in different contexts.

The system must be built so that as users, we can understand how it works, make rational decisions and protect ourselves.

And finally, for all these reasons, we need a single, consistent, comprehensible user experience even though behind the scenes, different technologies, identifiers and identity providers are being used.
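To make the minimal-disclosure and no-single-identifier laws concrete, here is an added Python sketch (not from the blog, and not the Information Card or CardSpace implementation). It assumes a wallet holding a master secret, two constructed sites, and an “over 18” claim derived from a birth date. The wallet derives a different pseudonym for each site and releases only claims the site asked for and the user consented to; the last step shows what two sites can join on with per-site pseudonyms versus a single global identifier.

```python
"""Directed identity with minimal disclosure: one pseudonym per context.

Added illustration; not code from the blog or from the Information Card
specifications. The profile, the two sites and the "over 18" rule are
constructed. A wallet derives a different identifier for each site and
releases only consented claims, so two sites have nothing to join on,
whereas a single global identifier joins their user tables completely.
"""
import hashlib
import hmac
import secrets
from datetime import date
from typing import Optional


def over_18(dob: date, today: date) -> bool:
    """Derived claim released instead of the birth date itself."""
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:  # born on 29 February
        eighteenth = dob.replace(year=dob.year + 18, month=3, day=1)
    return today >= eighteenth


class Wallet:
    """Holds the user's profile and one master secret that never leaves it."""

    def __init__(self, profile: dict, master_secret: Optional[bytes] = None):
        self.profile = profile
        self._secret = master_secret or secrets.token_bytes(32)

    def pseudonym_for(self, site: str) -> str:
        # Stable for one site (the user can return), unrelated across sites.
        return hmac.new(self._secret, site.encode(), hashlib.sha256).hexdigest()[:32]

    def present(self, site: str, requested: set, consented: set, today: date) -> dict:
        """Release only claims the site asked for AND the user agreed to."""
        card = {"id": self.pseudonym_for(site)}
        for claim in requested & consented:
            if claim == "over_18":
                card["over_18"] = over_18(self.profile["dob"], today)
            elif claim in self.profile:
                card[claim] = self.profile[claim]
        return card


def joinable(table_a: dict, table_b: dict) -> set:
    """What two sites learn by comparing user tables: identifiers in both."""
    return set(table_a) & set(table_b)


def demo(today: date = date(2008, 11, 1)) -> dict:
    # Constructed profile and master secret.
    profile = {"name": "Pat Example", "email": "pat@example.invalid", "dob": date(1985, 6, 15)}
    wallet = Wallet(profile, master_secret=b"constructed-master-secret-32byte")
    shop = wallet.present("shop.example", {"name", "email", "over_18"}, {"name", "over_18"}, today)
    forum = wallet.present("forum.example", {"email", "over_18"}, {"over_18"}, today)
    return {
        "shop_card": shop,
        "forum_card": forum,
        "joined_with_pseudonyms": joinable({shop["id"]: shop}, {forum["id"]: forum}),
        "joined_with_global_id": joinable({"pat-global": shop}, {"pat-global": forum}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The shop asked for an e-mail address but the user did not consent, so it is not released; neither site ever receives the birth date, only the yes/no answer it actually needs.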


[UPDATE:  important comments integrated and new version here.]

Resources have rights too

Paul Madsen has a knack for pithy identity wisdom.  But his recent piece on HealthVault's use of OpenID made me do a double take.

“Simon Willison defends HealthVault's choice of OPs [OpenID providers – Kim].

“I disagree. It is I, as a user, that should be able to dictate to HealthVault the OPs from which they are to accept identity assertions through OpenID.

“Just as I, as a user of Vista, should be able to dictate to Microsoft which software partners they work with to bundle into the OS (I particularly like the Slow Down to Crawl install).

“Just as I, as a Zune user … oh wait, there are no Zune users….

“The mechanism by which I (the user) am able to indicate to HealthVault, or Vista, my preferences for their partners is called ‘the market‘.”

Hmmm.  All passion aside, are Vista and HealthVault really the same things?

When you buy an operating system like Vista, it is the substratum of YOUR personal computer.  You should be able to run whatever YOU want on it.  That strikes me as part of the very definition of the PC.

But what about a cloud service like HealthVault?  And here I want to get away from the specifics of HealthVault, and talk generically about services that live in the cloud.  In terms of the points I want to make, we could just as easily be talking about Facebook, LinkedIn, Blogger or Hotmail.

As a user, do you own such a service? Do you run it in whatever way you see fit?  

I've tried a lot of services, and I don't think I've ever seen one that gives you that kind of carte blanche. 

Normally a service provides options. You can often control content, but you function within parameters.  Your biggest decision is whether you want to use the service in the first place.  That's a large part of what “the market” in services really is like.

But let me push this part of the discussion onto “the stack” for a moment.

PUSH

Last week a friend came by and told me a story.  One of his friends regularly used an Internet advertising service, and paid for it via the Internet too.  At some point, a large transaction “went missing”.  The victim contacted the service through which he was making the transaction, and was told it “wasn't their problem”.  Whose problem was it?

I don't know anything about legal matters and am not talking from that point of view.  It just seems obvious to me that if you are a company that values its relationships with customers, this kind of breach really IS your problem, and you need to face up to that.

And there is the rub.  I never want to be the one saying, “Sorry – this is your problem, not ours.”  But if I'm going share the problem, shouldn't I have some say in preventing it and limiting my liability?

POP

I think that someone offering a service has the right to define the conditions for use of the service (let's for now ignore the fact that there may be some regulation of such conditions – for example certain conditions might be “illegal” in some jurisdictions).  And that includes security requirements.

In other words, matters of access control proceed from the resource.  The resource decides who can access it.   Identity assertions are a tool which a resource may use to accomplish this.  For years we've gotten this backwards, thinking access proceeded from the identity to the resource – we need to reverse our thinking.

Takeaway:  “user-centric” doesn't mean The Dictatorship of the Users.  In fact there are three parties whose interests must be accommodated (the user, the resource, and the claims provider).  At times this is going to be complex.  Proclamations like, “It is I, as a user, that should be able to dictate…” just don't capture what is at stake here.

I like the way Simon Willison puts this:

“You have to remember that behind the excitement and marketing OpenID is a protocol, just like SMTP or HTTP. All OpenID actually provides is a mechanism for asserting ownership over a URL and then “proving” that assertion. We can build a pyramid of interesting things on top of this, but that assertion is really all OpenID gives us (well, that and a globally unique identifier). In internet theory terms, it’s a dumb network: the protocol just concentrates on passing assertions around; it’s up to the endpoints to set policies and invent interesting applications.

“Open means that providers and consumers are free to use the protocol in whatever way they wish. If they want to only accept OpenID from a trusted subset of providers, they can go ahead. If they only want to pass OpenID details around behind the corporate firewall (great for gluing together an SSO network from open-source components) they can knock themselves out. Just like SMTP or HTTP, the protocol does not imply any rules about where or how it should be used…”

In a later post – where he seems to have calmed down a bit – Paul mentions a Liberty framework that allows relying parties to “outsource the assessment of… OPs to accredited 3rd parties (or at least provide a common assessment framework…)”.  This sounds more like the Paul I know, and I want to learn more about his thinking in this area.
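One way to put “access control proceeds from the resource” and Simon's “trusted subset of providers” into code, as an added Python example (not the blog's code, nor OpenID's or Liberty's): the resource owner writes a policy naming the claims providers it trusts, the audience it expects and the claims it requires, and every assertion is judged against that policy. The issuer names, keys and the HMAC signature standing in for a real OpenID association or SAML signature are constructed.

```python
"""Access control that proceeds from the resource.

Added illustration; not code from the blog, OpenID or Liberty. The resource
owner writes the policy: which claims providers it trusts (and the key it
verifies each one with), which audience it expects, and which claims it needs.
An assertion is only a tool the policy evaluates. Issuer names, keys and the
HMAC "signature" (standing in for an OpenID association or an XML signature)
are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class Assertion:
    issuer: str       # claims provider / OP that vouches for the user
    subject: str      # identifier the provider asserts
    audience: str     # resource the assertion was minted for
    claims: dict
    signature: str = ""

    def payload(self) -> bytes:
        body = {"issuer": self.issuer, "subject": self.subject,
                "audience": self.audience, "claims": self.claims}
        return json.dumps(body, sort_keys=True).encode()

    def sign(self, key: bytes) -> "Assertion":
        self.signature = hmac.new(key, self.payload(), hashlib.sha256).hexdigest()
        return self


@dataclass
class ResourcePolicy:
    """Owned by the resource, not dictated by the user or the provider."""
    name: str
    trusted_issuers: dict                       # issuer -> verification key
    required_claims: set = field(default_factory=set)

    def decide(self, a: Assertion) -> tuple:
        key = self.trusted_issuers.get(a.issuer)
        if key is None:  # a well-formed assertion from a provider we do not accept
            return False, f"issuer {a.issuer!r} is not trusted by {self.name}"
        expected = hmac.new(key, a.payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.signature):
            return False, "signature does not verify"
        if a.audience != self.name:
            return False, "assertion was minted for another resource"
        missing = self.required_claims - set(a.claims)
        if missing:
            return False, f"missing claims: {sorted(missing)}"
        return True, "access granted"


def demo() -> list:
    """Constructed providers and one resource policy; returns the decisions."""
    keys = {"op-a.example": b"key-a", "op-b.example": b"key-b", "op-x.example": b"key-x"}
    policy = ResourcePolicy(
        name="records.example",
        trusted_issuers={k: keys[k] for k in ("op-a.example", "op-b.example")},
        required_claims={"email_verified"},
    )
    cases = [
        Assertion("op-a.example", "u1", "records.example", {"email_verified": True}).sign(keys["op-a.example"]),
        Assertion("op-x.example", "u2", "records.example", {"email_verified": True}).sign(keys["op-x.example"]),
        Assertion("op-b.example", "u3", "records.example", {}).sign(keys["op-b.example"]),
        Assertion("op-a.example", "u4", "other.example", {"email_verified": True}).sign(keys["op-a.example"]),
        # Claims issuer op-a but was signed with op-b's key: verification fails.
        Assertion("op-a.example", "u5", "records.example", {"email_verified": True}).sign(keys["op-b.example"]),
    ]
    return [policy.decide(c) for c in cases]


if __name__ == "__main__":
    for granted, reason in demo():
        print(granted, reason)
```

The second case is the one Simon's point turns on: the assertion from op-x is perfectly valid as a protocol message, and the resource still declines it, because which providers to accept is the resource's decision.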

Trends in what is known about us

We know how the web feeds itself in a chain reaction powered by the assembly and location of information.  We love it.  Bringing information together that was previously compartmentalized has made it far easier to find out what is happening and avoid thinking narrowly.  In some cases it has even changed the fundamentals of how we work and interact.  The blogosphere identity conversation is an example of this.  We are able to learn from each other across the industry and adjust to evolving trends in a fluid way, rather than “projecting” what other peoples’ thinking and motivations might be.  In this sense the content of what we are doing is related to the medium through which we do it.

Information accumulates power by being put into proximity and aggregated.   This even appears to be an inherent property of information itself.  Of course information can't effect its own aggregation, but easily finds hosts who are motivated to do so: businesses, governments, researchers, industries, libraries, data centers – and the indefatigable search engine.

Some forms of aggregation involve breaking down the separation between domains of facts.  Facts are initially discerned within a context.  But as contexts flow together and merge, the facts are visible from new perspectives.  We can think of them as “views”.

Information trends and digital identity 

How does this fundamental tendency of information to reorganize itself relate to digital identity?

This is clearly a complicated question.  But it is perhaps one of the most important questions of our time – one that needs to come to the attention of students, academics, policy makers, legislators, and through them, the general public.   The answer will affect everyone.

It is hard to clearly explain and discuss trends that are so infrastructural.  Those of us working on these issues have concepts that apply, but the concepts don't really have satisfactory names, and just aren't crisp enough.  We aren't ready for a wider conversation about the things we have seen.

Recently I've been trying to organize my own thinking about this through a grid expressing, on one axis, the tendency of context to merge; and, on the other, the spectrum of data visibility:

Tendency of data to join and become visible

The spectrum of visibility extends from a single individual on the left to everyone in the society on the right  [if reading a text feed please check the graphic – Kim]

The spectrum of contextual separation extends from complete separation of information by context at the top, to complete joining of data across contexts at the bottom.

I've represented the tendency of information to aggregate as the arrow leading from separation to full join, and this should be considered a dynamic tendency of the system.

Where do we fit in this picture?

Now let's set up a few markers from which we can calibrate this field.  For example, let's take what I've labelled “Today's public personas”.  I'm talking about what we reveal about ourselves in the public realm.  Because it's public, it's on the “Visible to all” part of the spectrum.  Yet for most of us, it is a relatively narrow set of information that is revealed – our names, property we own, aspects of our professional lives.  Thus our public personas remain relatively contextual.

You can imagine variants on this – for example a show-business personality who might be situated further to the right than the “public persona”, being known by more people.  Further, additional aspects of such a person's life might be known, which would be represented by moving down towards the bottom of the quadrant (or even further).    

I've also included a marker that represents the kind of commercial relationships encountered in today's western society.  Now we're on the “Visible to some” part of the visibility spectrum. In some cases (e.g. our dealings with lawyers), this marker would hopefully be located further to the left, indicating fewer parties to the information.  The current location implies some overlapping of context and sharing across parties – for example, transactions visible to credit card companies, merchants, and third parties in their employ.

Going forward, I'll look at what happens as the dynamic towards data joining asserts itself in this model.

All about Phorm

The Law of User Control is hard at work in a growing controversy about interception of people's web traffic in the United Kingdom.  At the center of the storm is the “patent-pending” technology of a new company called Phorm.  Its web site advises:

Leading UK ISPs BT, Virgin Media and TalkTalk, along with advertisers, agencies, publishers and ad networks, work with Phorm to make online advertising more relevant, rewarding and valuable. (View press release.)

Phorm's proprietary ad serving technology uses anonymised ISP data to deliver the right ad to the right person at the right time – the right number of times. Our platform gives consumers advertising that's tailored to their interests – in real time – with irrelevant ads replaced in the process.

What makes the technology behind OIX and Webwise truly groundbreaking is that it takes consumer privacy protection to a new level. Our technology doesn't store any personally identifiable information or IP addresses, and we don't retain information on user browsing behaviour. So we never know – and can't record – who's browsing, or where they've browsed.

It is counterintuitive to see claims of increased privacy posited as the outcome of a tracking system.  But even if that happened to be true, it seems like the system is being laid on the population as a fait accompli by the big powerful ISPs.  It doesn't seem that users will be able to avoid having their traffic redirected and inspected.  And early tests of the system were branded “illegal” by Nicholas Bohm of the Foundation for Information Policy Research (FIPR). 

Is Phorm completely wrong?  Probably not.  Respected and wise privacy activist Simon Davies has done an Interim Privacy Impact Assessment that argues (in part):

In our view, Phorm has successfully implemented privacy as a key design component in the development of its Phorm Technology system. In contrast to the design of other targeting systems, careful choices have been made to ensure that privacy is preserved to the greatest possible extent. In particular, Phorm has quite consciously avoided the processing of personally identifiable information.

Simon seems to be suggesting we consider Phorm in relation to the current alternatives – which may be worse.

To make a judgment we need to really understand how Phorm's system works.  Dr. Richard Clayton, a computer security researcher at the University of Cambridge and a participant in Light Blue Touchpaper, has published a succinct ten page explanation that is a must-read for anyone who is a protocol head.

Richard says his technical analysis of the Phorm online advertising system has reinforced his view that it is “illegal”, breaking laws designed to limit unwarranted interception of data.

The British Information Commissioner's Office (ICO) confirmed to the BBC that BT is planning a large-scale trial of the technology “involving around 10,000 broadband users later this month”.  The ICO said: “We have spoken to BT about this trial and they have made clear that unless customers positively opt in to the trial their web browsing will not be monitored in order to deliver adverts.”

Having quickly read Richard's description of the actual protocol, it isn't yet clear to me that if you opt out, your web traffic isn't still being examined and redirected.  But there is worse. I have to admit to a sense of horror when I realized the system rewards ISPs for abusing their trusted role in the Internet by improperly posing as other people's domains in order to create fraudulent cookies and place them on users' machines.  Is there a worse precedent?  How come ISPs can do this kind of thing and others can't?  Or perhaps now they can…

To accord with the Laws of Identity, no ISP would examine or redirect packets to a Phorm-related server unless a user explicitly opted in to such a service.  Opting in should involve explicitly accepting Phorm as a justifiable witness to all web interactions, and agreeing to be categorized by the Phorm systems.

The system is devised to aggregate across contexts, and thus runs counter to the Fourth Law of Identity.  It claims to mitigate this by reducing profiling to categorization information.  However, I don't buy that.  Categorization, practiced at a grand enough scale and over a sufficient period of time, potentially becomes more privacy invasive than a regularly truncated audit trail.  Thus there must be mechanisms for introducing amnesia into the categorization itself.

Phorm would therefore require clearly defined mechanisms for deprecating and deleting profile information over time, and these should be made clear during the opt-in process.

I also have trouble with the notion that in Phorm identities are “anonymized”.  As I understand it, each user is given a persistent random ID.  Whenever the user accesses the ISP, the ISP can see the link between the random ID and the user's natural identity.  I understand that ISPs will prevent Phorm from knowing the user's natural identity.  That is certainly better than many other systems.  But I still wouldn't claim the system is based on anonymity.  It is based on controlling the release of information.
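To make the last three points concrete, here is a small added example (my own toy model, not Phorm's code or anything described in Richard's paper).  It contrasts a persistent random ID that is reused on every site with a per-site “directed” handle of the kind the Fourth Law calls for, and it shows what a retention window does to the categories that remain attached to a handle.  The handle derivation (an HMAC keyed with the subscriber's secret ID), the site names, the categories and the timing of the events are all constructed assumptions for the illustration.

```python
"""Toy model of cross-context aggregation and profile amnesia.

Added example, not Phorm's code.  Everything below (events, sites,
categories, the HMAC-based handle) is constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set, Tuple

# (day, site, category) events for one subscriber -- constructed sample data.
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (1, "news.example",   "politics"),
    (1, "shop.example",   "running-shoes"),
    (3, "health.example", "pregnancy"),
    (8, "news.example",   "politics"),
    (9, "shop.example",   "baby-clothes"),
]

# A fixed 128-bit subscriber ID so the run is reproducible (assumption: in a
# real deployment this would be random and known only to the issuing party).
UID = bytes.fromhex("0123456789abcdef0123456789abcdef")


def persistent_id(uid: bytes, site: str) -> str:
    """One handle for every site: whoever sees the handle can join contexts."""
    return uid.hex()


def directed_id(uid: bytes, site: str) -> str:
    """Per-site handle derived as HMAC-SHA256(uid, site), truncated.

    Without uid, handles for two sites are not linkable to each other, so an
    observer sees separate small profiles instead of one joined profile.
    (Using uid itself as the HMAC key is an assumption of this toy.)
    """
    return hmac.new(uid, site.encode(), hashlib.sha256).hexdigest()[:16]


def build_profiles(events, uid: bytes,
                   id_fn: Callable[[bytes, str], str]) -> Dict[str, List[Tuple[int, str]]]:
    """Group (day, category) pairs under the handle the observer sees."""
    profiles: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for day, site, cat in events:
        profiles[id_fn(uid, site)].append((day, cat))
    return dict(profiles)


def categories(profile: List[Tuple[int, str]], today: int,
               retention_days: Optional[int] = None) -> Set[str]:
    """Categories still attached to a profile on `today`.

    retention_days=None keeps everything forever (no amnesia); otherwise an
    entry older than the window is forgotten.
    """
    if retention_days is None:
        return {c for _, c in profile}
    return {c for d, c in profile if today - d < retention_days}


def profile_view(events, uid: bytes, id_fn, today: int,
                 retention_days: Optional[int] = None) -> Dict[str, Set[str]]:
    """What the observer knows per handle on `today` under a retention policy."""
    return {h: categories(p, today, retention_days)
            for h, p in build_profiles(events, uid, id_fn).items()}


if __name__ == "__main__":
    for name, fn in (("persistent", persistent_id), ("directed", directed_id)):
        for window in (None, 7):
            view = profile_view(SAMPLE_EVENTS, UID, fn, today=10, retention_days=window)
            print(f"{name:10s} retention={window}: "
                  + "; ".join(f"{h}: {sorted(c)}" for h, c in view.items()))
```

With the persistent handle and no retention window the observer holds one profile joining news, shopping and health categories; with per-site handles the same events fall into three unlinkable profiles, and a 7-day window drops the oldest category even from the joined one.  Note that the ISP, which holds the mapping from UID to subscriber, can still join everything: the handle only controls what the downstream party can link, which is the point made above about controlled release rather than anonymity.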
