But some will actually take the time to follow the link.  And what they’ll see actually is important.

First, they’ll find out that beginning this Thursday Google will amalgamate all the information it has about their activities and postings on all of Google’s sites and services into a single account profile.  This in spite of the fact that most people put content on those sites and entered queries into Google search pages thinking the information was limited to the specific context in which they were participating.

Second, they’ll find out that as customers they have no choice about the matter.  Even though in many cases they have helped create the knowledge and content that makes Google successful, their option if they dislike the policy is to completely stop using Google sites by Wednesday February 29th 2012. 

Of course all of this is perfectly in keeping with the creepy “Real Names” initiative forced upon us a few months ago.  At that time, we were told “Real Names” only applied to “certain Google sites” - like Google+.  What a surprise that so little time later, ALL account and profile information from ALL Google properties is being amalgamated under a single privacy and identity policy!  As we predicted, Real Names is slithering into the whole fabric of the company’s offerings, whether specific sites benefit from what will often be “over-identification” or not.

Happily, one group of people who actually bothered to look into the change were the Attorneys General of the United States.  Today they published a cogent and devastating letter that does an admirable job of enumerating the many deeply disturbing implications of Google’s latest identity initiative.  It begins,

“Google’s new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products. Consumers have diverse interests and concerns, and may want the information in their Web History to be kept separate from the information they exchange via Gmail. Likewise, consumers may be comfortable with Google knowing their Search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy. It rings hollow to call their ability to exit the Google products ecosystem a “choice” in an Internet economy where the clear majority of all Internet users use – and frequently rely on – at least one Google product on a regular basis.”

The Attorneys General then go on to discuss the contagion between Google’s consumer offerings and their enterprise ones…  What does this kind of identity grab mean for companies and governments who have put corporate and state information under Google’s stewardship?  Can the companies who steward the resources of the World Wide Web change their privacy and other policies in radical and even maniacal ways without regard to the policies in effect when those resources were created?   Can they simply tell those who have bought into previous promises to either accept their brave new world or “take a walk”?  As the attorneys put it,

“This invasion of privacy will be costly for many users to escape. For users who rely on Google products for their business – a use that Google has actively promoted1 – avoiding this information sharing may mean moving their entire business over to different platforms, reprinting any business cards or letterhead that contained Gmail addresses, re-training employees on web-based sharing and calendar services, and more. The problem is compounded for the many federal, state, and local government agencies that have transitioned to Google Apps for Government at the encouragement of your company, and that now will need to spend taxpayer dollars determining how this change affects the security of their information and whether they need to switch to different platforms.”

I urge everyone to read the letter in full and think deeply about the consequences.  

Not long ago, John Fontana suggested we get together to discuss the degree to which the Laws of Identity remain relevant seven years after they were published.  I look forward to that conversation.  Google’s actions show there are still companies who could benefit from reading them.  After all, it is clearly breaking three Laws of Identity:

• Law 1:  User Control and Consent.  Users should never have identity information merged or divulged without their consent.
• Law 2:  Minimal Disclosure for a Constrained Use.  It is wrong to link all information pertaining to a user across different contexts when it was provided for specific uses.
• Law 4:  Directed Identity.  Systems should not create unnecessary correlation across different contexts unless people opt to do that.  They thus should be able support identitfiers that are limited to specific scopes - as has been the case at Google’s sites until now.

And the Attorneys General are onto it…

SEATTLE — Amazon.com has taught readers that they do not need bookstores. Now it is encouraging writers to cast aside their publishers.

Amazon will publish 122 books this fall in an array of genres, in both physical and e-book form. It is a striking acceleration of the retailer’s fledging publishing program that will place Amazon squarely in competition with the New York houses that are also its most prominent suppliers.

It has set up a flagship line run by a publishing veteran, Laurence Kirshbaum, to bring out brand-name fiction and nonfiction…

Publishers say Amazon is aggressively wooing some of their top authors. And the company is gnawing away at the services that publishers, critics and agents used to provide…

Of course, as far as Amazon executives are concerned, there is nothing to get excited about:

“It’s always the end of the world,” said Russell Grandinetti, one of Amazon’s top executives. “You could set your watch on it arriving.”

But despite the sarcasm, shivers of disintermediation are going down the spines of many people in the publishing industry:

“Everyone’s afraid of Amazon,” said Richard Curtis, a longtime agent who is also an e-book publisher. “If you’re a bookstore, Amazon has been in competition with you for some time. If you’re a publisher, one day you wake up and Amazon is competing with you too. And if you’re an agent, Amazon may be stealing your lunch because it is offering authors the opportunity to publish directly and cut you out. ” [Read whole story here.]

If disintermediation is something you haven’t thought about much, you might start with a look at wikipedia:

In economics, disintermediation is the removal of intermediaries in a supply chain: “cutting out the middleman”. Instead of going through traditional distribution channels, which had some type of intermediate (such as a distributor, wholesaler, broker, or agent), companies may now deal with every customer directly, for example via the Internet. One important factor is a drop in the cost of servicing customers directly.

Note that the “removal” normally proceeds by “inserting” someone or something new into transactions.  We could call the elimination of bookstores “first degree disintermediation” - the much-seen phenomenon of replacement of the existing distribution channel.   But it seems intuitively right to call the elimination of publishers “second degree disintermediation” - replacement of the mechanisms of production, including everything from product development through physical manufacturing and marketing, by the entities now predominating in distribution.  

The parable here is one of first degree disintermediation “spontaneously” giving rise to second degree disintermediation, since publishers have progressively less opportunity to succeed in the mass market without Amazon as time goes on.  Of course nothing ensures that Amazon’s execution will cause it to succeed in a venture quite different from its current core competency.  But clearly the economic intrinsics stack the deck in its favor. Even without displacing its new competitors it may well skim off the most obvious and profitable projects, with the inevitable result of underfunding what remains.

I know.  You’re asking what all this has to do with identityblog.

In my view, one of the main problems of reusable identities is that in systems like SAML, WS-Federation and Live ID, the “identity provider” has astonishing visibility onto the user’s relationship with the relying parties (e.g. the services who reuse the identity information they provide).  Not only does the identity provider know what consumers are visiting what services; it knows the frequency and patterns of those visits.   If we simply ignore this issue and pretend it isn’t there, it will become an Achilles Heel.

Let me fabricate an example so I can be more concrete.  Suppose we arrive at a point where some retailer decides to advise consumers to use their Facebook credentials to log in to its web site.  And let’s suppose the retailer is super successful.  With Facebook’s redirection-based single sign-on system, Facebook would be able to compile a complete profile of the retailer’s customers and their log-on patterns.  Combine this with the intelligence from “Like” buttons or advertising beacons and Facebook (or equivalent) could actually mine the profiles of users almost as effectively as the retailer itself.  This knowledge represents significant leakage of the retailer’s core intellectual property - its relationships with its customers.

All of this is a recipe for disintermediation of the exact kind being practiced by Amazon, and at some point in the process, I predict it will give rise to cases of spine-tingling that extend much more broadly than to a single industry like publishing. 

By the time this becomes obvious as an issue we can also predict there will be broader understanding of ”second degree disintermediation” among marketers.  This will, in my view, bring about considerable rethinking of some current paradigms about the self-evident value of unlimited integration into social networks.  Paradoxically disintermediation is actually a by-product of the privacy problems of social networks.  But here it is not simply the privacy of end users that is compromised, but that of all parties to transactions. 

This problem of disintermediation is one of the phenomena leading me to conclude that minimal disclosure technologies like U-Prove and Idemix will be absolutely essential to a durable system of reusable identities.  With these technologies, the ability of the identity provider to disintermediate is broken, since it has no visibility onto the transactions carried out by individual users and cannot insert itself into the relationship between the other parties in the system. 

Importantly, while disintermediation becomes impossible, it is still possible to meter the use of credentials by users without any infringement of privacy, and therefore to build a viable business model.

I hope to write more about this more going forward, and show concretely how this can work.

… Google is currently trying to enforce a “common name” policy in Google+. The gist of the policy is that “your Google+ name must be “THE” name by which you are commonly known”.

This policy is insane. I really mean insane; the policy is simply completely divorced from the reality of how names really work AND the reality of how humans really work, and it’s also completely at odds with what Google is trying to achieve with G+.  (my emphasis - Kim)

The root of the problem is that Google suffers from the common – but false – belief that names are uniquely and inherently associated with people. I’ve already explained why this belief is false elsewhere, but for the sake of coherence, I’ll summarize here.

There isn’t a one-to-one correspondence between people and names. Multiple people share the same name (George Bush, for example, or even me: George Robert Blakley III), and individual people have multiple names (George Eliot, George Sand, George Orwell, or Boy George – or even me, George Robert “Bob” Blakley III). And people use different names in different contexts; King George VI was “Bertie” to family and close friends.

THERE IS NO SUCH THING AS A “REAL” NAME.

A name is not an attribute of a person; it is an identifier of a person, chosen arbitrarily and changeable at will. In England, I can draw up a deed poll in my living room and change my name at any time I choose, without the intervention or assistance of any authority. In California, I apparently don’t even need to write anything down: I can change my name simply by having people call me by the new name on the street.

COMMON NAMES ARE NOT SINGULAR OR UNIQUE.

Richard Garriott is COMMONLY known as “Richard Garriott” in some contexts (check Wikipedia), and COMMONLY known as Lord British in other contexts (go to a computer gaming convention). Bob Wills and Elvis are both “The King”.

Despite these complexities, Google wants to intervene in your choice of name. They want veto power over what you can call yourself.

Reversing the presumption that I choose what to be called happens – in the real world – only in circumstances which diminish the dignity of the individual. We choose the names of infants, prisoners, and pets. Imposing a name on someone is repression; free men and women choose their names for themselves.

But the Google+ common name policy isn’t even consistently repressive; it sometimes vetoes names which ARE “common” in the sense Google intends (Violet Blue is an example), it sometimes accepts plausible names based on clearly fraudulent evidence, and it even “verifies” fraudulent names.

Google+’s naming policy isn’t failing because it’s poorly implemented, or because Google’s enforcement team is stupid. It’s failing because what they’re trying to do is (1) impossible, and (2) antisocial.

(2) is critical. Mike Neuenschwander has famously observed that social software is being designed by the world’s least sociable people, and Google+ seems to be a case in point. Google wants to be in the “social” business. But they’re not behaving sociably. They’re acting like prison wardens. No one will voluntarily sign up to be a prisoner. Every day Google persists in their insane attempt to tell people what they can and can’t call themselves, Google+ as a brand becomes less sociable and less valuable. The policy is already being described as racist and sexist; it’s also clearly dangerous to some disadvantaged groups.

If you want to be the host of a social network, you’ve got to create a social space. Creating a social space means making people comfortable. That’s hard, because people don’t fit in any set of little boxes you want to create – especially when it comes to names. But that’s table stakes for social – people are complicated; deal with it. Facebook has an advantage here; despite its own idiotic real-names policy and its continual assaults on privacy, the company has real (i.e. human) sociability in its DNA – it was created by college geeks who wanted to get dates; Google+ wasn’t, and it shows.

If Google’s intention in moving into social networking is to sell ads, Google+’s common names policy gives them a lock on the North American suburban middle-aged conservative white male demographic. w00t.

The Google+ common name policy is insane. It creates an antisocial space in what is supposed to be a social network. It is at odds with basic human social behavior; its implementation is NECESSARILY arbitrary and infuriating, and it is actively damaging the Google+ brand and indeed the broader Google brand.

The problem is not flawed execution; it is that the policy itself is fundamentally unsound, unworkable, and unfixable.

Google can be a social network operator, or they can be the name police. They can’t be both. They need to decide – soon. If I were Google, I’d scrap the policy – immediately – and let people decide for themselves what they will be called.

 [Read the whole piece.  BTW,  Mike Neuenschwander has hit the nail on the head yet again.]

If you are interested in social networks, don’t miss the slick video about Max Schrems’ David and Goliath struggle with Facebook over the way they are treating his personal information.  Click on the red “CC” in the lower right-hand corner to see the English subtitles.

Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues.  In Europe there is a requirement that entities with data about individuals make it available to them if they request it.  That’s how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection.  He argues that the record Facebook provided him finds them to be in flagrante delicto.  

The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary).  This was followed by another perfectly executed move:  setting up a web site called Europe versus Facebook that does everything right in terms using web technology to mount a campaign against a commercial enterprise that depends on its public relations to succeed.

Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel.  As part of the documentation, they publicised the procedure Max used to get his personal CD.  Somehow this recipe found its way to reddit  where it ended up on a couple of top ten lists.  So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement that it provide the information within a 40 day period.

If that seems to be enough, it’s not all.  As Max studied what had been revealed to him, he noticed that important information was missing and asked for the rest of it.  The response ratchets the battle up one more notch: 

Dear Mr. Schrems:

We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).

To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).

Please note that certain categories of personal data are exempted from subject access requests.
Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of is proportionate effort.

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

Thanks for contacting Facebook,
Facebook User Operations Data Access Request Team

What a spotlight

This throws intense light on some amazingly important issues. 

For example, as I wrote here (and Max describes here), Facebook’s “Like” button collects information every time an Internet user views a page containing the button, and a Facebook cookie associates that page with all the other pages with “Like” buttons visited by the user in the last 3 months. 

If you use Facebook, records of all these visits are linked, through cookies, to your Facebook profile - even if you never click the “like” button.  These long lists of pages visited, tied in Facebook’s systems to your “Real Name identity”, were not included on Max’s CD. 

Is Facebook prepared to argue that it need not reveal this stored information about your personal data because doing so would adversely affect its “intellectual property”? 

It will be absolutely amazing to watch how this issue plays out, and see just what someone with Max’s media talent is able to do with the answers once they become public. 

The result may well impact the whole industry for a long time to come.

Meanwhile, students of these matters would do well to look at Max’s many complaints:

I personally know hundreds - I’ll even say thousands -  of influential people around the world (in Europe, Asia and North America, in big companies and tiny startups, in government, the Academic world and NGOs,  in non-profit and for-profit ventures) who see Identity Woman as I do:  the soul of a very broad and interactive technical community, a moral force for good and excellence, and a smart innovator.  Besides that, did I say, a great lady and a superheroine?

Identity Woman is a super-talented facilitator - who operates outside the box. She has thrown herself into the task of getting a whole world of self-directed people working on identity for companies big and small to understand each other - and even to learn from and motivate each other.

So what would you think of someone who took it upon themselves to stop her from calling herself “Identity Woman”?  Does the word “control freak” come to mind?  How about “bully”.  Or maybe “megalomaniac”?

Or how about Google Plus - the supposedly cool and privacy friendly new social network.

It turns out Google Plus is not cool enough to tolerate even a single “Identity Woman”, in spite of her overwhealmingly positive reputation and the fact that an exact search on her name returns 390,000 hits on Google’s own search engine!

This is not a good day.  I’m sick and tired of seeing social network moguls pushing people around because we help them grow powerful.  Enough already!  Social networks are big because they are OUR networks.  They need to be run in ways that respect the nature of a free society.  This is going to become a social battleground.

Go over to Identity Woman’s site for the whole sad story. It teaches a lot about the need for a whole spectrum of identity requirements.  Sure, there are times when people need to present “natural” identities that reflect what their parents called them.   But in real life we don’t necessarily do that in our informal interactions.  We use nicknames and partial names and sometimes keep our names to ourselves.  Social networks need to grasp these nuances.  And those trying to limit our behaviors and squeeze our potential should just back off.

[More on this theoretical issue here.]

“When a LinkedIn user views a third-party advertisement on the social network, they will see user profile pictures and names of connections if that connection has recommended or followed a brand. Any time that a user follows a brand, they unwittingly become a cheerleader for the company or organization if it advertises through LinkedIn.”

And in case that doesn’t surprise you, how about this:

“In order to opt out of social advertising, the LinkedIn user has to take four steps to escape third-party advertisements:

“Hover over the user name in the top right hand corner of any LinkedIn page and click ‘Settings’. On the Settings page, click ‘Account’. On the Account tab, click ‘Manage Social Advertising’. Uncheck the box next to “LinkedIn may use my name, photo in social advertising.” and click the save button.”

What a mistake.

I know there are many who think that if Facebook can take the huddled masses to the cleaners, why shouldn’t everyone?

It seems obvious that the overwhelming majority of people who participate in Facebook are still a few years away from understanding and reacting to what they have got themselves into.

But Linked In’s membership is a lot more savvy about the implications of being on the site - and why they are sharing information there. Much of their participation has to do with future opportunities, and everyone is sensitive about the need to control and predict how they will be evaluated later in their career. Until yesterday I for one had been convinced that Linked In was smart enough to understand this.

But apparently not.  And I think it will turn out that many of the professionals who until now have been happy to participate will choke on the potential abuse of their professional information and reputation - and Linked In’s disregard for their trust.

My conclusion?  Linked in has just thrown down the gauntlet and challenged us, as a community of professionals, to come up with safe and democratic ways to network.

This much is obvious: we need a network that respects the rights of the people in it. Linked In just lost my vote.

The result is impressive.  The rigour Skud and colleagues have applied to their quest has produced an information payload that is both illuminating and touching.

Those of us working on identity technology have to internalize the lessons here.  Over-identification is ALWAYS wrong.  But beyond that, there are people who are especially vulnerable to it.  They have to be treated as first class citizens with clear rights and we need to figure out how to protect them.  This goes beyond what we conventionally think of as privacy concerns (although perhaps it sheds light on the true nature of what privacy is - I’m still learning).

Often people argue in favor of “Real Names” in order to achieve accountability.  The fact is that technology offers us other ways to achieve accountability.  By leveraging the properties of minimal disclosure technology, we can allow people to remain anonymous and yet bar them from given environments if their behavior gets sufficiently anti-social.

But enough editorializing.  Here’s Skud’s intro.  Just remember that in this case the real enlightenment is in the details, not the summary.

This page lists groups of people who are disadvantaged by any policy which bans Pseudonymity and requires so-called “Real names” (more properly, legal names).

This is an attempt to create a comprehensive list of groups of people who are affected by such policies.

The cost to these people can be vast, including:

• harassment, both online and offline
• discrimination in employment, provision of services, etc.
• actual physical danger of bullying, hate crime, etc.
• arrest, imprisonment, or execution in some jurisdictions
• economic harm such as job loss, loss of professional reputation, etc.
• social costs of not being able to interact with friends and colleagues
• possible (temporary) loss of access to their data if their account is suspended or terminated

The groups of people who use pseudonyms, or want to use pseudonyms, are not a small minority (some of the classes of people who can benefit from pseudonyms constitute up to 50% of the total population, and many of the others are classes of people that almost everyone knows). However, their needs are often ignored by the relatively privileged designers and policy-makers who want people to use their real/legal names.

Wait a minute.  Just got a note from the I Can’t Stop Editorializing Department: the very wiki page that brings us Skud’s analysis contains a Facebook “Like” button.  It might be worth removing it given that Facebook requires “Real Names”, and then transmits the URL of any page with a “Like” button to Facebook so it can be associated with the user’s “Real Name” - whether or not they click on the button or are logged into Facebook.

So far it looks like the go-to place for info on breaches - it even has a twitter feed for breach junkies.

Recently the Office published an account that raises a lot of questions:

I just read a breach disclosure to the New Hampshire Attorney General’s Office with accompanying notification letters to those affected that impressed me favorably. But first, to the breach itself:

StudentCity.com, a site that allows students to book trips for school vacation breaks, suffered a breach in their system that they learned about on June 9 after they started getting reports of credit card fraud from customers. An FAQ about the breach, posted on www.myidexperts.com explains:

StudentCity first became concerned there could be an issue on June 9, 2011, when we received reports of customers travelling together who had reported issues with their credit and debit cards. Because this seemed to be with 2011 groups, we initially thought it was a hotel or vendor used in conjunction with 2011 tours. We then became aware of an account that was 2012 passengers on the same day who were all impacted. This is when we became highly concerned. Although our processing company could find no issue, we immediately notified customers about the incident via email, contacted federal authorities and immediately began a forensic investigation.

According to the report to New Hampshire, where 266 residents were affected, the compromised data included students’ credit card numbers, passport numbers, and names. The FAQ, however, indicates that dates of birth were also involved.

Frustratingly for StudentCity, the credit card data had been encrypted but their investigation revealed that the encryption had broken in some cases. In the FAQ, they explain:

The credit card information was encrypted, but the encryption appears to have been decoded by the hackers. It appears they were able to write a script to decode some information for some customers and most or all for others.

The letter to the NH AG’s office, written by their lawyers on July 1, is wonderfully plain and clear in terms of what happened and what steps StudentCity promptly took to address the breach and prevent future breaches, but it was the tailored letters sent to those affected on July 8 that really impressed me for their plain language, recognition of concerns, active encouragement of the recipients to take immediate steps to protect themselves, and for the utterly human tone of the correspondence.

Kudos to StudentCity.com and their law firm, Nelson Mullins Riley & Scarborough, LLP, for providing an exemplar of a good notification.

It would be great if StudentCity would bring in some security experts to audit the way encryption was done, and report on what went wrong. I don’t say this to be punitive, I agree that StudentCity deserves credit for at least attempting to employ encryption. But the outcome points to the fact that we need programming frameworks that make it easy to get truly robust encryption and key protection - and to deploy it in a minimal disclosure architecture that keeps secrets off-line. If StudentCity goes the extra mile in helping others learn from their unfortunate experience, I’ll certainly be a supporter.

What?  Outside Britain I imagine most of us have simply assumed that breaking into peoples’ voicemails MUST be illegal.   So Pangloss’s excellent summary of the situation - I share just enough to reveal the issues - is a suitable slap in the face of our naivete:

The first relevant provision is RIPA (the Regulation of Investigatory Powers Act 2000) which provides that interception of communications without consent of both ends of the communication , or some other provision like a police warrant is criminal in principle. The complications arise from s 2(2) which provides that:

“….a person intercepts a communication in the course of its transmission by
means of a telecommunication system if, and only if … (he makes) …some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication”. [my itals]

Section 2(4) states that an “interception of a communication” has also to be “in the course of its transmission” by any public or private telecommunications system. [my itals]

The argument that seems to have been been made to the DPP, Keir Starmer, on October 2010, by QC David Perry, is that voicemail has already been transmitted and is thus therefore no longer “in the course of its transmission.” Therefore a RIPA s 1 interception offence would not stand up. The DPP stressed in a letter to the Guardian in March 2011 that this interpretation was (a) specific to the cases of Goodman and Mulcaire (yes the same Goodman who’s just been re-arrested and inded went to jail) and (b) not conclusive as a court would have to rule on it.

We do not know the exact terms of the advice from counsel as (according to advice given to the HC on November 2009) it was delivered in oral form only. There are two possible interpretations of even what we know. One is that messages left on voicemail are “in transmission” till read. Another is that even when they are stored on the voicemail server unread, they have completed transmission, and thus accessing them would not be “interception”.

Very few people I think would view the latter interpretation as plausible, but the former seem to have carried weight with the prosecution authorities. In the case of Milly Dowler, if (as seems likely) voicemails were hacked after she was already deceased, there may have been messages unread and so a prosecution would be appropriate on RIPA without worrying about the advice from counsel. In many other cases eg involving celebrities though, hacking may have been of already-listened- to voicemails. What is the law there?

When does a message to voicemail cease to be “in the course of transmission”? Chris Pounder pointed out in April 2011 that we also have to look at s 2(7) of RIPA which says

” (7)For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.”

A common sense interpretation of this, it seems to me (and to Chris Pounder ) would be that messages stored on voicemail are deemed to remain “in the course of transmission” and hence capable of generating a criminal offence, when hacked - because it is being stored on the system for later access (which might include re-listening to already played messages).

This rather thoroughly seems to contradict the well known interpretation offered during the debates in the HL over RIPA from L Bassam, that the analogy of transmission of a voice message or email was to a letter being delievered to a house. There, transmission ended when the letter hit the doormat.

Fascinating issues.  And that’s just the beginning.  For the full story, continue here.

The Ecology Project was turning the Turing Test on its side, and setting up experiments to see how potentially massive networks of “SocialBots” (social robots) might be able to impact human social networks by interacting with their members.  

In the first such experiment it invited teams from around the world to manufacture SocialBots  and picked 500 real Twitter users, the core of whom shared “a fondness for cats”.  At the end of their two-week experiment, network graphs showed that the teams’ bots had insinuated themselves strikingly into the center of the target network.

The Web Ecology Blog summarized the results this way:

With the stroke of midnight on Sunday, the first Socialbots competition has officially ended. It’s been a crazy last 48 hours. At the last count, the final scores (and how they broke down) were:

• Team C: 701 Points (107 Mutuals, 198 Responses)
• Team B: 183 Points (99 Mutuals, 28 Responses)
• Team A: 170 Points (119 Mutuals, 17 Responses)

This leaves the winner of the first-ever Socialbots Cup as Team C. Congratulations!

You also read those stats right. In under a week, Team C’s bot was able to generate close to 200 responses from the target network, with conversations ranging from a few back and forth tweets to an actual set of lengthy interchanges between the bot and the targets. Interestingly, mutual followbacks, which played so strong as a source for points in Round One, showed less strongly in Round Two, as teams optimized to drive interactions.

In any case, much further from anything having to do with mutual follows or responses, the proof is really in the pudding. The network graph shows the enormous change in the configuration of the target network from when we first got started many moons ago. The bots have increasingly been able to carve out their own independent community — as seen in the clustering of targets away from the established tightly-knit networks and towards the bots themselves.

The Atlantic story summarized the implications this way:

Can one person controlling an identity, or a group of identities, really shape social architecture? Actually, yes. The Web Ecology Project’s analysis of 2009’s post-election protests in Iran revealed that only a handful of people accounted for most of the Twitter activity there. The attempt to steer large social groups toward a particular behavior or cause has long been the province of lobbyists, whose “astroturfing” seeks to camouflage their campaigns as genuine grassroots efforts, and company employees who pose on Internet message boards as unbiased consumers to tout their products. But social bots introduce new scale: they run off a server at practically no cost, and can reach thousands of people. The details that people reveal about their lives, in freely searchable tweets and blogs, offer bots a trove of personal information to work with. “The data coming off social networks allows for more-targeted social ‘hacks’ than ever before,” says Tim Hwang, the director emeritus of the Web Ecology Project. And these hacks use “not just your interests, but your behavior.”

A week after Hwang’s experiment ended, Anonymous, a notorious hacker group, penetrated the e-mail accounts of the cyber-security firm HBGary Federal and revealed a solicitation of bids by the United States Air Force in June 2010 for “Persona Management Software”—a program that would enable the government to create multiple fake identities that trawl social-networking sites to collect data on real people and then use that data to gain credibility and to circulate propaganda.

“We hadn’t heard of anyone else doing this, but we assumed that it’s got to be happening in a big way,” says Hwang. His group has published the code for its experimental bots online, “to allow people to be aware of the problem and design countermeasures.”

The Ecology Project source code is available here.  Fascinating.  We’re talking very basic stuff that none-the-less takes social engineering in an important and disturbingly different new direction. 

As is the case with the use of robots for social profiling, the use of robots to reshape social networks raises important questions about attribution and identity (the Atlantic story actually described SocialBots as “fake identities”).  

Given that SocialBots will inevitably and quickly evolve, we can see that the ability to demonstrate that you are a natural flesh-and-blood person rather than a robot will increasingly become an essential ingredient of digital reality.  It will be crucial that such a proof can be given without requiring you to identify yourself,  relinquish your anonymity, or spend your whole life completing grueling captcha challenges. 

I am again struck by our deep historical need for minimal disclosure technology like U-Prove, with its amazing ability to enable unlinkable anonymous assertions (like liveness) and yet still reveal the identities of those (like the manufacturers of armies of SocialBots) who abuse them through over-use.

In the early days following Google’s Street View WiFi snooping escapades, I became increasingly frustrated that public and official attention centered on Google’s apparently accidental collection of unencrypted network traffic when there was a much worse problem staring us in the face.

Unfortunately the deeper problem was also immensely harder to grasp since it required both a technical knowledge of networked devices and a willingness to consider totally unpredicted ways of using (or misusing) information.

As became clear from a number of the conversations with other bloggers, even many highly technical people didn’t understand some pretty basic things - like the fact that personal device identifiers travel in the clear on encrypted WiFi networks… Nor was it natural for many in our community to think things through from the perspective of privacy threat analysis.

This got me to look at the issues even more closely, and I summarized my thinking at PII 2010 in Seattle.

A few months ago I ran into Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, who was working on the same issues.  We decided to collaborate on a very in-depth look at both the technology and policy implications, aiming to produce a document that could be understood by those in the policy community and still serve as a call to the technical community to deal appropriately with the identity issues, seeking what Ann calls “win-win” solutions that favor both privacy and innovation.

Ann’s team deserves all the credit for the thorough literature research and clear exposition.  Ann expertly describes the policy issues and urges us as technologists to adopt Privacy By Design principles for our work. I appreciate having had the opportunity to collaborate with such an innovative group.  Their efforts give me confidence that even difficult technical issues with social implications can be debated and decided by the people they affect.

Please read WiFi Positioning Systems: Beware of Unintended Consequences and let us know what you think - I invite you to comment (or tweet or email me) on the technical, policy and privacy-by-design aspects of the paper.

A number of readers have written to me about Mary Jo Foley’s report on a ”goodbye party” thrown at Microsoft a few weeks ago when I officially gave up my role as Chief Architect of Identity.  Others saw Vittorio Bertocci’s kind recollection of the progress we made over the years.

When Tim Cole interviewed me about my plans a few days later at the European Identity Conference, I hadn’t made the slightest progress in terms of thinking about my future…  I did say, though, that I hoped to keep my hand in the identity and social computing space to the extent that people found my input useful.

One way to do this was to look for opportunities to participate in interesting efforts on a per-project basis.  It turns out that within a few days I was asked to do this with Microsoft over the summer.  Not exactly a complete change (!) but it still feels liberating and different.

Don’t worry - I won’t bore you with reports on my gigs going forward, but thought in the interests of full disclosure, you should know how this particular situation is evolving

Takeaway:  Life is good, and even more than ever, this blog represents my own views, which can’t be blamed on anyone else even when I wish they could.

In Europe there has been a lot of discussion about “the Right to be Forgotten” (see, for example, Le droit à l’oubli sur Internet).  The notion is that after some time, information should simply fade away (counteracting digital eternity).    

In America, the authors of the Social Network Users’ Bill of Rights have called their variant of this the “Right to Withdraw”.  

Whatever words we use, the right, if recognized, would be a far-reaching game-changer - and as I wrote here, represent a “cure as important as the introduction of antibiotics was in the world of medicine”.

Against this backdrop, the following report by CIARAN GILES of the Associated Press gives us much to think about. It appears Google is fighting head-on against the “the Right to be Forgotten”.  It seems to be willing to take on any individual or government who dares to challenge the immutable right of its database and algorithms to define you through something that has been written - forever, and whether it’s true or not.

MADRID – Their ranks include a plastic surgeon, a prison guard and a high school principal. All are Spanish, but have little else in common except this: They want old Internet references about them that pop up in Google searches wiped away.

In a case that Google Inc. and privacy experts call a first of its kind, Spain’s Data Protection Agency has ordered the search engine giant to remove links to material on about 90 people. The information was published years or even decades ago but is available to anyone via simple searches.

Scores of Spaniards lay claim to a “Right to be Forgotten” because public information once hard to get is now so easy to find on the Internet. Google has decided to challenge the orders and has appealed five cases so far this year to the National Court.

Some of the information is embarrassing, some seems downright banal. A few cases involve lawsuits that found life online through news reports, but whose dismissals were ignored by media and never appeared on the Internet. Others concern administrative decisions published in official regional gazettes.

In all cases, the plaintiffs petitioned the agency individually to get information about them taken down.

And while Spain is backing the individuals suing to get links taken down, experts say a victory for the plaintiffs could create a troubling precedent by restricting access to public information.

The issue isn’t a new one for Google, whose search engine has become a widely used tool for learning about the backgrounds about potential mates, neighbors and co-workers. What it shows can affect romantic relationships, friendships and careers.

For that reason, Google regularly receives pleas asking that it remove links to embarrassing information from its search index or least ensure the material is buried in the back pages of its results. The company, based in Mountain View, Calif., almost always refuses in order to preserve the integrity of its index.

A final decision on Spain’s case could take months or even years because appeals can be made to higher courts. Still, the ongoing fight in Spain is likely to gain more prominence because the European Commission this year is expected to craft controversial legislation to give people more power to delete personal information they previously posted online.

“This is just the beginning, this right to be forgotten, but it’s going to be much more important in the future,” said Artemi Rallo, director of the Spanish Data Protection Agency. “Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don’t want to be there.”

Many details about the Spaniards taking on Google via the government are shrouded in secrecy to protect the privacy of the plaintiffs. But the case of plastic surgeon Hugo Guidotti vividly illustrates the debate.

In Google searches, the first link that pops up is his clinic, complete with pictures of a bare-breasted women and a muscular man as evidence of what plastic surgery can do for clients. But the second link takes readers to a 1991 story in Spain’s leading El Pais newspaper about a woman who sued him for the equivalent of euro5 million for a breast job that she said went bad.

By the way, if it really is true that the nothing should ever interfere with the automated pronouncements of the search engine - even truth - does that mean robots have the right to pronounce any libel they want, even though we don’t?

From this fact alone the bill could play a key role in limiting a number of the most privacy-invasive practices used today by Internet services - including location-based services.  For example, a company like Apple could no longer glibly claim, as it does in its current iTunes privacy policy, that device identifiers and location information are “not personally identifying”.  Nor could it profess, as iTunes also currently does, that this means it can ”collect, use, transfer, and disclose”  the information ”for any purpose”.  Putting location information under the firm control of users is a key legislative requirement addressed by the bill.

The bill also contributes both to the security of the Internet and to individual privacy by unambiguously embracing ”Minimal Disclosure for a Constrained Use” as set out in Law 2 of the Laws of Identity.  Title III explicitly establishes a “Right to Purpose Specification; Data Minimization; Constraints on Distribution; and Data Integrity.”

Despite these real positives, the bill as currently formulated leaves me eager to consult a bevy of lawyers - not a good sign.  This may be because it is still a “working draft”, with numerous provisions that must be clarified. 

For example, how would the population at large ever understand the byzantine interlocking of opt-in and opt-out clauses described in Section 202?  At this point, I don’t.

And what does the list of exceptions to Unauthorized Use in Section 3 paragraph 8 imply?  Does it mean such uses can be made without notice and consent?

I’ll be looking for comments by legal and policy experts.  Already, EPIC has expressed both support and reservations:

Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the “Commercial Privacy Bill of Rights Act of 2011,” aimed at protecting consumers’ privacy both online and offline. The Bill endorses several “Fair Information Practices,” gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information.

But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a “Safe Harbor” arrangement that exempts companies from significant privacy requirements.

EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies’ to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission.

As noted above, the draft is reportedly still a work in progress.  Inside Privacy will provide additional commentary on the Kerry legislation and other congressional privacy efforts as they develop.   

Press conference will be held tomorrow at 12:30 pm.  [Emphasis above is mine - Kim]

Readers of Identityblog will understand that I see this development, like so many others, as inevitable and predictable consequences of many short-sighted industry players breaking the Laws of Identity.

Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures, according to a person familiar with the matter…

The criminal investigation is examining whether the app makers fully described to users the types of data they collected and why they needed the information—such as a user’s location or a unique identifier for the phone—the person familiar with the matter said. Collecting information about a user without proper notice or authorization could violate a federal computer-fraud law…

Online music service Pandora Media Inc. said Monday it received a subpoena related to a federal grand-jury investigation of information-sharing practices by smartphone applications…

In December 2010, Scott Thurm wrote Your Apps Are Watching You,  which has now been “liked” by over 13,000 people.  It reported that the Journal had tested 101 apps and found that:

… 56 transmitted the phone’s unique device identifier to other companies without users’ awareness or consent.  Forty-seven apps transmitted the phone’s location in some way. Five sent a user’s age, gender and other personal details to outsiders.  At the time they were tested, 45 apps didn’t provide privacy policies on their websites or inside the apps.

In Pandora’s case, both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

Legal experts said the probe is significant because it involves potentially criminal charges that could be applicable to numerous companies. Federal criminal probes of companies for online privacy violations are rare…

The probe centers on whether app makers violated the Computer Fraud and Abuse Act, said the person familiar with the matter. That law, crafted to help prosecute hackers, covers information stored on computers. It could be used to argue that app makers “hacked” into users’ cellphones.

[More here]

The elephant in the room is Apple’s own approach to location information, which should certainly be subject to investigation as well.   The user is never presented with a dialog in which Apple’s use of location information is explained and permission is obtained.  Instead, the user’s agreement is gained surreptitiously, hidden away  on page 37 of a 45 page policy that Apple users must accept in order to use… iTunes.  Why iTunes requires location information is never explained.  The policy simply states that the user’s device identifier and location are non-personal information and that Apple “may collect, use, transfer, and disclose non-personal information for any purpose“.

Any purpose?

Is it reasonable that companies like Apple can  proclaim that device identifiers and location are non-personal and then do whatever they want with them?  Informed opinion seems not to agree with them.  The International Working Group on Data Protection in Telecommunications, for example, asserted precisely the opposite as early as 2004.  Membership of the Group included “representatives from Data Protection Authorities and other bodies of national public administrations, international organisations and scientists from all over the world.”

More empirically, I demonstrated in Non-Personal information, like where you live that the combination of device identifier and location is in very many cases (including my own) personally identifying.  This is especially true in North America where many of us live in single-family dwellings.

[BTW, I have not deeply investigated the approach to sharing of location information taken by other smartphone providers - perhaps others can shed light on this.]

A spokesman said Google was extending its Street View offering so Internet users could finally see inside peoples’ homes.  Indeed, Google indoors personnel were already knocking on doors, patiently explaining that if people had not already gone through the opt-out process, they had ”opted in”…

… so the technicians needed to get on with their work:

Google’s deep concern about peoples’ privacy had let it to introduce features such as automated blurring of faces…

 
… and the business model of the scheme was devilishly simple: the contents of peoples’ houses served as product placements charged to advertisers, with 1/10 of a cent per automatically recognized brand name going to the residents themselves.  As shown below, people can choose to obfuscate products worth more than 5,000 Euros if concerned about attracting thieves - an example of the advanced privacy options and levels the service makes possible.

Check out the video.  Navigation features within houses are amazing!  From the amount of effort and wit put into it by a major TV show, I’d wager that even if Google’s troubles with Germany around Street View are over, its problems with Germans around privacy may not be. 

Frankly, Das Erste (meaning “The First”) has to be congratulated on one of the best crafted April Fools you will have witnessed.  I don’t have the command of German language or politics (!) to understand all the subtleties, but friends say the piece is teeming with irony.  And given Eric Schmidt’s policy of getting as close to “creepy” as possible, who wouldn’t find the video at least partly believable?

[Thanks to Kai Rannenberg for the heads up.]

Addressing the Cards & Payments Australasia conference in Sydney this week, Crompton said the online environment needed to become “safe to play” from citizens’ perspective.

While the internet was built as a “trusted environment”, Crompton said governments and businesses had emerged as “digital gods” with imbalanced identification requirements.

“Power allocation is where we got it wrong,” he said, warning that organisations’ unwarranted emphasis on identification had created money-making opportunities for criminals.

Malcolm puts this well.  I too have come to see that the imbalance of power between individual users and Internet business is one of the key factors blocking the emergence of a safe Internet. 

CRN continues:

Currently, users were forced to provide personal information to various email providers, social networking sites, and online retailers in what Crompton described as “a patchwork of identity one-offs”.

Not only were login systems “incredibly clumsy and easy to compromise”; centralised stores of personal details and metadata created honeypots of information for identity thieves, he said…

Refuting arguments that metadata – such as login records and search strings – was unidentifiable, Crompton warned that organisations hording such information would one day face a user revolt…

He also recommended the use of cloud-based identification management systems such as Azigo, Avoco and OpenID, which tended to give users more control of their information and third-party access rights.

User-centricity was central to Microsoft chief identity architect Kim Cameron’s ‘Laws of Identity’ (pdf), as well as Canadian Privacy Commissioner Ann Cavoukian’s seven principles of ‘Privacy by Design’ (pdf).

Full article here.

I hadn’t noticed the UK’s new Protection of Freedoms Bill until I heard cabinet minister Damian Green talk about it as he pulverized the UK’s centralized identity database recently.  Naturally I turned to Ray Corrigan for comment, only to discover that the political housecleaning had also swept away the assumptions behind widespread fingerprinting in Britain’s schools, reinstating user control and consent. 

According to TES Connect:

The new Protection of Freedoms Bill gives pupils in schools and colleges the right to refuse to give their biometric data and compels schools to make alternative provision for them.  The several thousand schools that already use the technology will also have to ask permission from parents retrospectively, even if their systems have been established for years…

It turns out that Britain’s headmasters, apparently now a lazy bunch, have little stomach for trivialities like civil liberties.  And writing about this, Ray’s tone seems that of a judge who has had an impetuous and over-the-top barrister try to bend the rules one too many times.  It is satisfying to see Ray send them home to study the Laws of Identity as scientific laws governing identity systems.   I hope they catch up on their homework…

The Association of School and College Leaders (ASCL) is reportedly opposing the controls on school fingerprinting proposed in the UK coalition government’s Protection of Freedoms Bill.

I always understood the reason that unions existed was to protect the rights of individuals. That ASCL should give what they perceive to be their own members’ managerial convenience priority over the civil rights of kids should make them thoroughly ashamed of themselves.  Oh dear - now head teachers are going to have to fill in a few forms before they abuse children’s fundamental right to privacy - how terrible.

Although headteachers and governors at schools deploying these systems may be typically ‘happy that this does not contravene the Data Protection Act’, a number of leading barristers have stated that the use of such systems in schools may be illegal on several grounds. As far back as 2006 Stephen Groesz, a partner at Bindmans in London, was advising:

“Absent a specific power allowing schools to fingerprint, I’d say they have no power to do it. The notion you can do it because it’s a neat way of keeping track of books doesn’t cut it as a justification.”

The recent decisions in the European Court of Human rights in cases like S. and Marper v UK (2008 - retention of dna and fingerprints) and Gillan and Quinton v UK (2010 - s44 police stop and search) mean schools have to be increasingly careful about the use of such systems anyway. Not that most schools would know that.

Again the question of whether kids should be fingerprinted to get access to books and school meals is not even a hard one! They completely decimate Kim Cameron’s first four laws of identity.

1. User control and consent - many schools don’t ask for consent, child or parental, and don’t provide simple opt out options

2. Minimum disclosure for constrained use - the information collected, children’s unique biometrics, is disproportionate for the stated use

3. Justifiable parties - the information is in control of or at least accessible by parties who have absolutely no right to it

4. Directed identity - a unique, irrevocable, omnidirectional identifier is being used when a simple unidirectional identifier (eg lunch ticket or library card) would more than adequately do the job.

It’s irrelevant how much schools have invested in such systems or how convenient school administrators find them, or that the Information Commissioner’s Office soft peddled their advice on the matter (in 2008) in relation to the Data Protection Act.  They should all be scrapped and if the need for schools to wade through a few more forms before they use these systems causes them to be scrapped then that’s a good outcome from my perspective.

In addition just because school fingerprint vendors have conned them into parting with ridiculous sums of money (in school budget terms) to install these systems, with promises that they are not really storing fingerprints and they can’t be recreated, there is no doubt it is possible to recreate the image of a fingerprint from data stored on such systems. Ross, A et al ‘From Template to Image: Reconstructing Fingerprints from Minutiae Points’ IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 29, No. 4, April 2007 is just one example of how university researchers have reverse engineered these systems. The warning caveat emptor applies emphatically to digital technology systems that buyers don’t understand especially when it comes to undermining the civil liberties of our younger generation.

“What we’re doing today is CRUSHING, the final remnants of the national identity card scheme - the disks and hard drives that held the information on the national identity register have been wiped and they’re crushed and reduced to bits of metal so everyone can be absolutely sure that the identity scheme is absolutely dead and buried.

“This whole experiment of trying to collect huge amounts of private information on everyone in this country - and collecting on the central database - is no more, and it’s a first step towards a wider agenda of freedom.  We’re publishing the protection of freedoms bill as well, and what this shows is that we want to rebalance the security and freedom of the citizen.  We think that previously we have not had enough emphasis on peoples’ individual freedom and privacy, and we’re determined to restore the proper balance on that.”

Readers of Identityblog will recall that the British scheme was exceptional in breaking so many of the Laws of Identity at once.  It flouted the first law - User control and Consent - since citizen participation was mandatory.  It broke the second - Minimal Disclosure for a Constrained Use - since it followed the premise that as much information as possible should be assembled in a central location for whatever uses might arise…  The third law of Justifiable Parties was not addressed given the centralized architecture of the system, in which all departments would have made queries and posted updates to the same database and access could have been extended at the flick of a wrist.  And the fourth law of “Directed Identity” was a clear non-goal, since the whole idea was to use a single identifier to unify all possible information.

Over time opposition to the scheme began to grow and became widespread, even though the Blair and Brown governments claimed their polls showed majority support.  Many well-known technologists and privacy advocates attempted to convince them to consider privacy enhancing technologies and architectures that would be less vulnerable to security and privacy meltdown - but without success.  Beyond the scheme’s many technical deficiencies, the social fracturing it created eventually assured its irrelevance as a foundational element for the digital future.

Many say the scheme was an important issue in the last British election.  It certainly appears the change in government has left the ID card scheme in the dust, with politicians of all stripes eager to distance themselves from it.  Damian Green, who worked in television and understands it, does a masterful job of showing what his views are.  His video posted by the Home Office, seems iconic.

All in all, the fate of the British ID Card and centralized database scheme is exactly what was predicted by the Laws of Identity:

[Thanks to Jerry Fishenden (here and here) for twittering Damian Green's video]