Reduced Realism

Do not worry! The graphic to your right is not really happening!

[Picture: ms_con_mgr.gif]

I'm currently switching to a new Toshiba Portege tablet PC (the HP tablet I was trying before was too heavy and the screen was u-n-b-e-l-i-e-v-a-b-l-y small).

As part of the grossly tedious job of moving my environment from last week's system to this week's, I had to set up my connection to Microsoft's “Corporate Virtual Private Network”. This is the system we use to get to corporate resources when we're at home or on the road.

This task brought me to the screen shown here – I know it now looks pretty ugly but it was scaring some of our more “protected” readers so I reduced its realism. The content relates directly to the conversation I've been having with Eric Norlin about trends with regard to explicit versus implicit consent when releasing identifying information. To me it is further indication that employers are increasingly willing to seek explicit consent.

The most interesting thing about such consent is that it is about more than being “a good and progressive employer”: it actually puts employers in a stronger legal position should disputes arise about their collection of information.

Axioms of Identity

Scott Lemon, who was a driving force behind Digital ME and is now working on a project called Free ID, is posting a series of “Axioms of Identity”. We are dealing with some of the same issues, but at different levels of abstraction. I hope to reference Scott's axioms later when I get to the third law of identity. But it is great to be able to ponder them now.

Mike Foley, who runs the Bluetooth SIG, has contacted me about my comments on identity issues with Bluetooth. He has very good news to bring to the table about enhancements to the Bluetooth spec which start to solve the current identity problems. He was more than gracious about asking me to review the emerging proposals and put me in touch with others in the SIG. It is great to have Mike join in the discussion, and I will be interviewing him as soon as I can.

I'm trying to move my site from radio.weblogs.com/0141875 to http://identityblog.com. Several readers thought we needed something easier to remember (!). I wish I could say the change is going smoothly. Right now everything is pretty mixed up, so please bear with me. Lawrance at Radio Userland is helping a lot. Wish us luck!

 

Dropping of an Identity Bomb

Craig Burton listened to Noel Anderson talking about the Bluetooth Identity Bomb and transcribed some of my interview with him. He was as blown away as I was.

Craig also says he wants to put my first law of identity into the lexicon crockpot. That is great news. Craig is a master of lexicon – we need him on this expedition.

For those new to the way a master like Craig does things, we aren't talking seconds spent finding the right vocabulary. Or minutes. Or hours. Or even days, or weeks. We're talking months. Sometimes years. But at the end of it all, the words might last ten centuries. I predict people will still be using our word Metadirectory in 3004. And it was Craig who had the discipline to work out all the aspects of the lexicon until they were irresistible.

More from Digital Identity World

Scott Mace has now posted his interview with IBM's David Goodman – who played a major role in the early days of X.500 when he masterminded the Paradise project. Crossing the Atlantic, he became the innovative identity force at Lotus, eventually leaving to join Metamerge – which was ultimately gobbled up by IBM so that David came full circle – he can't get enough of a good thing. I will contact him – he told me he was thinking about blogging too.

Scott also did an interview with me, and a number of speakers at Digital ID World. Apparently the whole conference will be made available soon, so I'll keep you posted when I see the public version of this.

Identity Issues with Bluetooth

Our polycomm scenario includes use of Bluetooth. While doing my posting about the first law, it became obvious to me that we need to learn quite a bit about Bluetooth – it will soon be ubiquitous. I was lucky to find that Noel Anderson, who has thought a whole lot about these issues, works in my building.

I invited Noel into my office for a tutorial – which I recorded so others in this discussion can share what I learned. (Maybe I'll start podblogging – of course there are a few technical issues I need to master).

You'll find some of what Noel says really shocking – especially the prospect of a “personal bomb”.

Responses to the first law…

Eric Norlin of Ping has responded to my First Law of Identity with “My running commentary on Kim's exposition”. As he says,

Kim's posting about the “laws of identity” — using a scenario i sent him to tease them out. So, in true redactive fashion, I thought it only right for me to post a running commentary on his laws (since I provided the original text ;-).

Other interesting people have contributed comments as well. So although I've only made it through to the first law, I can already see that doing this kind of thing using Weblogs is going to be really different than banging out an article in “the private space” of my office. And I think this is “way cool”…

Here is the First Law of Identity I put forward…

The “Owner Decides” Law of identity

Technical identity systems MUST only reveal information identifying a user with the user's consent.

On the content of the first law, Eric “absolutely agrees — kinda”:

An employer (like Kim's) maintains data about the user that they use to log the user onto various corporate applications that they run (i'd bet that kim did this today) — in that case, the employee has given implicit consent by collecting a paycheck and the employer is NOT encumbered with giving the user consent privileges. Bottom line: getting paid is consent.

But whoa there Eric… you go too fast, man.

Is it my employer who “logs me in” to various corporate applications? Not really. Instead, it is me who logs myself in to my employer's corporate network.

I also chose to give my employer my name, my address, my social security number and my educational background. In other words, there are a whole series of explicit actions here.

Every day, I choose to use my corporate identity through the admittedly incantational act of pressing control-alt-delete and entering a password. This is explicit consent, not implicit. The consent is in the logging in and the filling out of forms – not the getting paid.

I see more and more attention to explicit consent by my employer (which is Microsoft, for those just tuning in). Recently, when I registered for a new service offered through the corporate portal, I was asked to explicitly approve the collection of tracking information necessary to monitor and improve the level of service I received. So even though I had already logged in to its network, Microsoft explicitly asked me for further approval to collect additional information. I assume this was done because, as Eric would put it, my paycheck does not represent implicit consent for Microsoft to do whatever it wants with regard to my identity information.

I've actually had personal experience with the incorrect version of the first law that Eric has proposed. Back in the mid 1990’s, during my ZOOMIT days, we put a web “protocol head” on our VIA metadirectory. This created a personal web page for each user. Like many other technology companies, we believed in “eating our own dog food”, so we had a VIA microdirectory of our employees. Since I was a naturally public person, I thought (or perhaps “didn't think” is a better way of putting it) that everyone would just love to have a web page, and asked one of our writers to interview all our employees so we could set up an initial page for everyone. The idea was that they could then alter things as they saw fit, and we would be off to the races. In addition, we asked everyone for a photograph.

Talk about surprises… Within hours, a number of people let me know in a fairly assertive way that as much as they loved me, not to mention ZOOMIT and their paycheck, this was really going too far (especially the photo bit). And of course it was! So you can see I have a true nerd pedigree on this matter. And I've come a long way, baby! I haven't forgotten the lesson. It doesn't cost anybody anything to ask employees if they want their information to cross organizational boundaries – and be explicit about it – at least once.

In general I can't agree with Eric's contention that the first law of identity applies, as a fundamental principle, only to “consumer-facing scenarios”. I'm more accepting of what he says about control versus ownership:

Properly speaking, identity info is about control. The end user should be given *control* over their information — because there is a ton of identity information about me that I simply cannot, in any practical sense, *own*.

I was thinking of “owning” in the sense of “possessing” – in other words, in the philosophical sense (I guess I'm allowed to say that, since Eric can say “redactive”). The trouble with the word “owning” is that it tends to be associated with our current economic superstructure. I don't mean that we *own* our identities in the same way we *own* a house in the suburbs… However we do possess an identity. But it's really hard to talk about a “possessor” without sounding like a David Cronenberg movie…

Anyway, I can go with the “Law of Control”. So let's call it that. I hope Eric will drop support for his proposed amendment. I think that as soon as we put in place an infrastructure embodying the Law of Control, it will trump inferior ad hoc practices which arose historically in corporate environments. And I think this foreshadows the emerging approaches to compliance that are arising here and around the world.

I find it encouraging that a number of people are jumping ahead of my exposition and coming up with solutions that do in fact respect the laws of identity (see, for example, various comments by eminently sane people). But I hope you will stick with me a bit longer as I slog forward trying to tease these laws out of the current example.

I'm not trying to pedantically beat a dead horse – I'm hoping to provide some axioms we can refer to in our future discussions… But for now I need to get some “work” done in my day-job.

I also learned that I can't just drag pictures into my magical radioland window – which explains why the pathetic pictograph I prepared for yesterday's discussion can't be seen by anyone. I'm trying to get the “enable pictures” thing to work, but they don't seem to arrive at the RadioLand cloud site – still waiting for “help to arrive”. When I do post this pictograph I'm sure you will all hear the guffaws!

The Owner Decides

Our last installment had us shivering on the edges of our seats with this scenario from Eric Norlin:

you walk into a conference room; dial into a con call on the polycomm; the polycomm senses your bluetooth phone and (using a discovery service) looks at your personal attribute known as “music preferences”; thus your current favorite music (by how often you listen to it) is downloaded from your “federated” mp3 player — and the hold music while you wait for your fellow con-callers is *your* favorite music.

sound a bit advanced? actually, you could (technically) do this right now with the Liberty Alliance specifications…

To facilitate discussion, I have scratched out a pictorial representation of the components (to keep incredulous comments at bay, I won't say this is a “diagram”).

The little thing beside stick person is a phone, and interaction (1) uses Bluetooth to determine stick person's identity by retrieving an identifier from the phone. The polycomm then interacts with a discovery service (2) to find out where stick person's “federated mp3” server is located. Then it pulls down some music (3) conforming to stick person's sense of what's hip and appropriate. Note that the components are functional pieces only. At this point we are making no assumptions about how they are implemented or where they are located.

Now there are a great many ways this polycomm scenario could be realized. I don't want to make judgments about which realization is best. However I am interested in the underlying dynamics at work. To bring some of these out, I'll posit a couple of realizations and discuss some of the implications. I've never discussed this scenario with Eric and don't have a clue what he had in mind – so if I say something that bothers anyone, it's not his fault!

To start drilling, let's look at the role of the polycomm. It senses my phone and uses Bluetooth to discover my identity.

Issue: What and who is able to use Bluetooth to discover my identity, and what does that mean?

To what extent is Bluetooth like RFID? Is the identity discovered through Bluetooth an invariant tracking tag? Can any Bluetooth enabled device discover our identity as we approach it? What are the implications of this?

When you first start asking questions like these, it seems unlikely that the designers wouldn't have figured all this stuff out. And I certainly don't yet know enough about Bluetooth to provide any definitive answers. But the official Bluetooth website didn't really drive up my confidence with this story:

The group of lanky tourists strolling through the Swedish capital's old town never knew what hit them… As they admired handicrafts in a storefront window, one of their cell phones chirped with an anonymous note: “Try the blue sweaters. They keep you warm in the winter.”

The tourist was “bluejacked” — surreptitiously surprised with a text message sent using a short-range wireless technology called Bluetooth.

As more people get Bluetooth-enabled cell phones — both sender and recipient need them for this to work — there is bound to be more mischievous messaging of the unsuspecting.

It's a growing fad, this fun with wireless…

But there's more than bluejacking to consider, as these further quotes from the Bluetooth site tell us:

What is bluebugging?


Bluebugging allows skilled individuals to access the mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and read SMS, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet. As with all the attacks, the hacker must be within a 10 meter range of the phone. This is a separate vulnerability from bluesnarfing and does not affect all of the same phones as bluesnarfing.

What is bluesnarfing?

 

Bluesnarfing allows hackers to gain access to data stored on a Bluetooth enabled phone using Bluetooth wireless technology without alerting the phone's user of the connection made to the device. The information that can be accessed in this manner includes the phonebook and associated images, calendar, and IMEI (International Mobile Equipment Identity). By setting the device in non-discoverable, it becomes significantly more difficult to find and attack the device. Without specialized equipment the hacker must be within a 10 meter range of the device while running a computer with a Linux operating system and the specialized software

NOTE: None of this is intended as a criticism of Bluetooth. I am completely agnostic with respect to competing protocols – if any actually compete. I'm simply using Bluetooth as an example of the work we as an industry must do to get identity right.

So in light of all this, it seems quite possible that Bluetooth protocols might give out an invariant ID to any device which asks for it. And further, it looks like this is not the number one security issue the Bluetooth engineers are working on – at least until bluejacking, bluebugging and bluesnarfing are taken care of.

 

The point is that – when we get this right – a phone should only give out a user's ID to devices the user wants it given to.

Let's return to our scenario for an example. If the polycomm belongs to my employer, and if I've chosen to recognize my employer's polycomms, then no problem – the phone should reveal my identity to the polycomm. But otherwise, it shouldn't. We can codify this as one of the laws of identity:

The “Owner Decides” Law of identity:

Technical identity systems MUST only reveal information identifying a user with the user's consent.
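An added illustration of the “Owner Decides” rule in the polycomm scenario (Python written for this edit, not code from this blog or from any Bluetooth stack): the phone releases its user's identifier only to a requester the user has consented to, and only when that requester proves who it is by answering a one-time challenge. The Phone class, the owner labels and the shared-key proof are assumptions made for the example.

```python
import hashlib
import hmac
import os

class Phone:
    """Phone-side identity agent (hypothetical model, not a Bluetooth API)."""
    def __init__(self, user_id):
        self._user_id = user_id
        self._consented = {}   # owner name -> key shared when the user consented
        self._pending = set()  # challenges issued and not yet used

    def grant_consent(self, owner, key):
        self._consented[owner] = key

    def revoke_consent(self, owner):
        self._consented.pop(owner, None)

    def new_challenge(self):
        challenge = os.urandom(16)
        self._pending.add(challenge)
        return challenge

    def request_identity(self, owner, challenge, proof):
        if challenge not in self._pending:
            return None        # unknown or already-used challenge (replay)
        self._pending.discard(challenge)
        key = self._consented.get(owner)
        if key is None:
            return None        # no consent on record: reveal nothing
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None        # names a consented owner but cannot prove it
        return self._user_id

def prove(key, challenge):
    """What the requesting device (the polycomm) computes to show it holds the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def demo():
    key = b"constructed-sample-key"  # constructed sample value
    phone = Phone("stick-person")
    phone.grant_consent("employer-polycomm", key)
    def ask(owner, k):
        c = phone.new_challenge()
        return phone.request_identity(owner, c, prove(k, c))
    c = phone.new_challenge()
    proof = prove(key, c)
    results = {"employer": phone.request_identity("employer-polycomm", c, proof),
               "replay": phone.request_identity("employer-polycomm", c, proof),
               "stranger": ask("shop-window", b"x"),
               "impostor": ask("employer-polycomm", b"guess")}
    phone.revoke_consent("employer-polycomm")
    results["revoked"] = ask("employer-polycomm", key)
    return results
```

Every refusal returns the same empty answer, so a device without consent learns nothing about who is carrying the phone, not even whether its owner label is known.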

I will argue later that we who are technical servants of the “general will” need to obey the laws of identity. If we don't, we will create a snarled mess of reinforcing side-effects that will undermine all the systems we put in place. Our ignoring a law of identity is analogous to an engineer who decides not to obey the law of gravity.

Ah, but we're just beginning to get substantive. And I have a big day tomorrow (you know – that day-job thing), so I'm going to call it a night and drill into other aspects of this scenario next time.

Apologies to Macpeople and End of Heightened RSS Alert

I got this note from Bill Tozier, who has one of the most interesting bio's I've ever seen. He has a unique perspective from which to contribute to identity issues.

No problems in Safari here. But I do note that there isn't a big “I” in Macintosh. The tartan look went out some time back. Now it's just silver and chrome and glowing white, uncapped.

Meanwhile Doc Searls came through with what seems like a complete engineering report – it sounds like he has a control room going with ten or twenty consoles. Maybe that's how he stays on top of everything.

I just viewed the blog in Safari, and it looks fine. Same with Firefox. Both on OS X. On Linux, I just viewed it in Firefox and Konqueror, and it looks fine there, too. I'll assume it looks cool in IE and Firefox on Windows.

Now safe for OS X!

Dick Hardt tells me my “main page now loads fine in Safari.. I also run NetNewsWire (“THE” aggregator for OS X) and it seems to glurp up the feed fine.”

I'll be careful what I cut and paste from now on! Seems that a bunch of automated transformations confused some parsers.

I spent yesterday working on a “virtual transcontinental” podblogging setup with Craig Burton – it was a lot of fun, and we'll have something to show for it as soon as we figure out a few hundred more technicalities. I should have been spending my time “getting substantive” as per my promises below, but maybe I'll get to that tonight.