Billboards beam adverts to passing cell phones

Here is some important information, reported in New Scientist, from the Bureau of Intrusive Stupidity:

Ignoring adverts is about to get a lot tougher with the development of billboards and advertising posters that use Bluetooth to beam video ads direct to passing cell phones.

Is this the return of the repressed? I thought that was over.

Don't you love it? The video ads are not directed at us – who are, after all, people who have had their fill of peddlers sticking things in our faces. They are directed at passing cell phones. No, but wait:

As people walk past the posters they receive a message on their phone asking them if they wish to accept the advert. If they do, they can receive movies, animations, music or still images further promoting the advertised product.

Yes, we are lonely and need to be contacted by billboards. We desperately want them to phone us. Isn't there a song about this?

“It's all about delivering high quality content, tailored for mobile usage,” says Alasdair Scott, co-founder and chief creative officer of London-based Filter UK, who created the system, called BlueCasting.

Chief Creative Officer? Give this man treatment immediately! I wonder what his mother says?

Here is an example of what he calls “high quality content”.

The posters detected 87,000 Bluetooth phones over a two week period, of which about 17% were willing to download the clip, says Scott.

Right. Would you be expecting a phone call from a billboard? Not really. You might take the first call.

If BlueCasting still sounds too intrusive, there is always one solution, says Whitehouse: “Just make sure your Bluetooth device is set so that it’s not discoverable to other devices.”

How dare Mr. Whitehouse tell me I need to turn off my phone's discoverability if I don't want his billboards connecting to my device?

No. I should not be bothered by passing billboards unless I subscribe to the Billboard Interruption Service, or whatever these people are going to call it. It had better be “opt in”. Of course, Bluetooth's fixed addresses (in contravention of the Fourth Law of Identity) make it easy to put your phone's tracking key on such a list – so you can get your fill of billboard spam.

Meanwhile, where is the noble Steve Mann? With his digital glasses, you can opt to have billboards filtered out of your vision, if you want. Or just particular billboards, if you grow to detest some which are run by demented goofs.

People are coming up with some really interesting new proximity technologies whereby if a person wants to obtain information from a poster, she can take a simple action (like clicking her phone) to get it. Such a technology does not intrude, and can succeed. As for this one, not only would I not invest – but, to quote Jamie Lewis, I'd rather keep my money in a shoe.

Until then, I take this as just one more sign that Bluetooth needs desperately to evolve to a new standard in compliance with the Laws of Identity.


100 megabits per second – while on the move

From New Scientist via slashdot, some concrete numbers to anchor estimates of impending bitrates in wireless connectivity:

Cellphones capable of transmitting data at blistering speeds have been demonstrated by NTT DoCoMo in Japan.

In experiments, prototype phones were used to view 32 high definition video streams, while travelling in an automobile at 20 kilometres per hour. Officials from NTT DoCoMo say the phones could receive data at 100 megabits per second on the move and at up to a gigabit per second while static.

At this rate, an entire DVD could be downloaded within a minute. DoCoMo's current 3G (third generation) phone network offers download speeds of 384 kilobits per second and upload speeds of 129 kilobits per second.

The technology behind NTT DoCoMo's high-speed phone network remains experimental, but the 4G tests used a method called Variable-Spreading-Factor Spread Orthogonal Frequency Division Multiplexing (VSF-Spread OFDM), which increases downlink speeds by using multiple radio frequencies to send the same data stream.

The article goes on to say:

Some countries have already begun cooperating on [such 4G] standards. Japan and China signed a memorandum on 24 August to work together on 4G. NTT DoCoMo hopes to launch a commercial 4G network by 2010.


The Keys to the Sydney Subway

Steven Grimaud has written to point out Bruce Schneier's very nice posting on the heartbreak of global secrets:

Global secrets are generally considered poor security. The problems are twofold. One, you cannot apply any granularity to the security system; someone either knows the secret or does not. And two, global secrets are brittle. They fail badly; if the secret gets out, then the bad guys have a pretty powerful secret.

This is the situation right now in Sydney, where someone stole the master key that gives access to every train in the metropolitan area, and also starts them.

Unfortunately, this isn't a thief who got lucky. It happened twice, and it's possible that the keys were the target:

The keys, each of which could start every train, were taken in separate robberies within hours of each other from the North Shore Line although police believed the thefts were unrelated, a RailCorp spokeswoman said.

The first incident occurred at Gordon station when the driver of an empty train was robbed of the keys by two balaclava-clad men shortly after midnight on Sunday morning.

The second theft took place at Waverton Station on Sunday night when a driver was robbed of a bag, which contained the keys, she said.

So, what can someone do with the master key to the Sydney subway? It's more likely a criminal than a terrorist, but even so it's definitely a serious issue:

A spokesman for RailCorp told the paper it was taking the matter “very seriously,” but would not change the locks on its trains.

Instead, as of Sunday night, it had increased security around its sidings, with more patrols by private security guards and transit officers.

The spokesman said a “range of security measures” meant a train could not be stolen, even with the keys.

I don't know if RailCorp should change the locks. I don't know the risk: whether that “range of security measures” only protects against train theft — an unlikely scenario, if you ask me — or other potential scenarios as well. And I don't know how expensive it would be to change the locks.

Another problem with global secrets is that it's expensive to recover from a security failure.

And this certainly isn't the first time a master key fell into the wrong hands:

Mr Graham said there was no point changing any of the metropolitan railway key locks.

“We could change locks once a week but I don't think it reduces in any way the security threat as such because there are 2000 of these particular keys on issue to operational staff across the network and that is always going to be, I think, an issue.”

A final problem with global secrets is that it's simply too easy to lose control of them.

Moral: Don't rely on global secrets.


Bob Blakley and Subjectivity

I'm glad to say that my long-time friend Bob Blakley of IBM has started what is guaranteed to be a fascinating blog called “Ceci n'est pas un bob”. He's writing with a philosophico-literary bent about what he calls the “axioms of identity”. To get you hooked, here is his first piece on the axioms.

‘Pam commented:

‘”If you were to open an old photo album, and see a picture, let's say this picture was taken by an aunt or uncle. And this picture showed one of your children at christmas, looking up with delight just after they found out what their present was. Would you look at that picture and see that the lighting was all wrong, and that cousin Mervin was picking his nose in the background – or would you register that this loved one of yours was experiencing a moment of joy? Isn't it possible that you would register both? And that the emotion that is valid for you and a small handful of people within this very specific context makes up for the artistic absence?”

‘This is precisely right! I would register both a (negative) feeling for the photographic aesthetics and a (positive) feeling about my child. And a small group of people who know my children would register the second feeling, too (they might not register the first feeling, unless they too have The Photographer's Eye) – but most viewers would have either just the first feeling (“that photo sucks”) or they would have the first feeling together with a generic feeling of affection toward a child at Christmas.

‘Why does my feeling about this (hypothetical) photograph differ from the feelings of the multitudes who might view the photo on flickr? Because of the first axiom of identity:

‘IDENTITY IS SUBJECTIVE
Umberto Eco has said that a novel is a machine for generating interpretations; the same thing is true of a picture. But which interpretation a picture generates depends on one's experience.

‘When I see a picture of my own child, I recognize the child. Because of my experience, I know a rich, detailed story about the child, and I associate the picture with that story (the story is, from my point of view, my child's identity – since An Identity Is A Story).

‘A stranger – someone who doesn't know me or my children – has nothing to associate with the picture when she sees it, but she has to react anyway.

‘Because the stranger's experience does not provide her in advance with a story to go with the picture, she has two choices:

‘The picture doesn't contain either my version of my child's identity story or the generic story which the stranger makes up when she sees the picture; it's just kind of reference to those stories. Over time, more and more people either forget the stories, or forget what the subject of the stories looked like; this tends to disassociate the picture from the stories and make the picture less useful as a reference. (I remember a photo.net thread which asked “what do you most wish were in old pictures?”; the best answer was “name tags”.)

‘There's an important lesson here for people who want to use biometrics as identifiers; biometrics are essentially pictures of people, and people change over time. The practical effect of this is that the biometric database, over time, will tend to “forget” what the subjects of its stories look like (because it will be relying on old pictures) – and indeed one of the design parameters for biometric systems is the rate at which peoples’ physical features change.

‘In fact, of course, everything about a person changes over time – his physical appearance, his attitudes and beliefs, his creditworthiness, his address, his name (OK, more often her name), his bank account number, his employer, and so on. This is in fact our second axiom of identity:

‘IDENTITY CHANGES OVER TIME
‘This is blindingly obvious if you think about it; if An Identity Is A Story, then of course an identity will change over time – because the story keeps developing (unless you're reading some awful psychological novel or play where nothing ever happens).

‘But let's leave discussion of the second axiom for a future post. We haven't yet exhausted the riches of Eco's observation that a story is a machine for generating interpretations.

‘Anytime there's a story, there's also a storyteller and an audience. The storyteller has an intention in telling the story – just as I have an intention in taking a picture. But the members of the audience don't necessarily know what that intention is, and they don't share all of the storyteller's experiences; they bring their own attitudes and experiences to the campfire around which the story is told.

‘Each listener's attitudes and experiences generate a unique interpretation of the story, just as Eco observed. And this means, of course, that if I tell an identity story, each member of my audience hears a different identity story. So when our first axiom says that IDENTITY IS SUBJECTIVE, it's not just saying that different observers know different parts of the same story. Even if two listeners hear exactly the same story, each of them feels and remembers a different story.

‘If you think about it, this is why more than one credit agency can exist; if all credit agencies had the same algorithms for taking information about me and turning it into a credit report, or a credit score, then they would all be delivering exactly the same product, and there would be no basis (except price) for competition and no reason to consult more than one agency. It's precisely the subjectivity of identity that creates the possibility of, and the need for, competing services.

‘Eco is careful to note that no interpretation should be considered privileged or canonical (as indeed the credit agency example makes clear; if one agency's interpretation were correct, that agency would be able to put the others out of business quickly).

‘The storyteller's own interpretation is particularly suspect (Eco writes “The author should die once he has finished writing. So as not to trouble the path of the text.”) What he's saying here is that interpretations are essentially subjective – that there can be no such thing as a true interpretation. And this too is true of identity stories; certainly the person the identity story is “about” is an unreliable narrator – he's got too much invested in the happy ending to be trusted to give us the unvarnished truth – but he's also the only one who knows all the facts!

So far, I'm in agreement with the “grand lines” of Bob's argument, and appreciate how beautifully he has presented his ideas.

Rather than expressing them as “Laws” or “Axioms”, I captured the ideas of subjectivity and change in the very definition of digital identity on which the Laws rest:

A digital identity is a set of claims made by one digital subject about itself or another digital subject.

Subjectivity is built in to the definition.

At the same time, I adopted the OED's definition of claims as “an assertion of the truth of something, typically one which is disputed or in doubt”; and defined a digital subject as “person or thing represented or existing in the digital realm which is being described or dealt with”.

The introduction of this notion of doubt is really no different from saying, “no interpretation should be considered privileged or canonical.”

I continue to feel it is better – given my role and goals with the metasystem – to avoid discussions of ontology and phenomenology, about which I fear humankind will continue to disagree. But Bob's piece explains some of the thinking that led to the definitions I proposed, and pulling these ideas out as “axioms” deepens the discussion.

I'm looking forward to having Bob joining the discussion. He has a wonderful mind and a great deal of experience in everything related to security.


Switch over to Eric Norlin's new feed

I've just been catching up on what Eric Norlin has been up to recently – the truth is I lost track of his feed when he moved his thinking from his old place to here.

Note to community: We have work to do on making it less painful to change URLs when using RSS. Could there be a special tag we could put in the last posting at OLD-URL that tells people's blog readers to change their configuration to NEW-URL? Can Dave Winer devise such a thing – or is there some capability defined and I just don't have software that takes advantage of it?

So anyway, I assumed Eric was on vacation… But no way! So I missed some good stuff.

For example, without Eric to point it out, I missed this bizarre proposal by Jonathan Schwartz for government regulation of DRM standards.

And then there was this piece on the simplifying identity assumption being made these days in Malaysia – elimination of all segregation of context, and use of one government-issued identity for every aspect of life. The card conveniently conveys all the ‘necessary basic information’ – like your religion and ethnic group – and will be used for everything from driving to health insurance to credit transactions and digital signature. Could it be more than accidental that this “identity simplification” has evolved in a country which, according to Amnesty International, is plagued with “a pattern of human rights abuses such as fatal shootings, torture and deaths in custody”?

Eric also picks up on Doc's really interesting new work on Splogs:

‘Doc has posted a great blog entry about the rise of Splogs (spam blogs) and what it means for “content.”

‘In essence, Doc sees a possible world in which sites like Google allow “passport like” sign on to paid content that is free of splogs and comment spam, thus relegating the “rest” of the web into something similar to what some Microsoft guys once called the “darknet.”

‘His question to us identity folk has been – “can the identity metasystem solve this?” The answer of course (theoretically) is yes.

‘What's fascinating about this is that identity is on both possibles of this equation:

‘1. in the proliferation of the Darknet, identity enables the walled gardens of paid content to develop, while the rest of the net languishes in identity-poverty like the poor living outside the castle wall.

‘2. in the brighter future, identity isn't a divisive “enabler” but an underlying infrastructure for the entire Net.

‘I'm betting that #2 brings about more innovation and economic opportunity, as it fosters a more open and efficient marketplace.

‘Clearly, we've got some work to do. And clearly there are some bumps in the road and dark days ahead.’

Hope everyone else updates to Eric's new rss feed.


Hang on to your eyeballs! Epic 2015

Here is a must-see video clip called Epic 2015 that extrapolates current events and practices forward into a disturbing identity future. I doubt many will be able to stop themselves from laughing while they watch this, but not many will walk away thinking they have just seen a comedy!

I need to thank Lena Kannappan of France Telecom for sending me the link to this. Lena is a visionary – a founder of the Liberty Alliance – and the person who is now in charge of the OMA's Mobile Web Services group. (That's not him shown in the identity card clip from the video, by the way!)

I chatted with Lena at the OMA (Open Mobile Alliance) meeting in Montreal recently, where I was doing an informational presentation on InfoCards and the concept of an Identity Metasystem.

Lena is one of those people who is always “really interesting”. I hope to record some of my ongoing conversation with him so others, who follow this blog, can share firsthand his perceptions and ideas about how the telecom industry differs from (and intersects with) the internet-based software industry in this age of increasing convergence. I hope we can also explore what all this means for identity.


Hacker taps into US military database

If you want proof that protecting personal information is a hard thing and that Data Rejection is a key technology, read this report from the Washington Post:

A suspected hacker tapped into a US military database containing social security numbers and other personal information for 33,000 Air Force officers and some enlisted staff.

That figure represents about half of the officers in the USAF but no identity theft had been reported as of early today, said Tech Sgt James Brabenec, a spokesman at Randolph Air Force Base in Texas.

“We are doing everything we can to catch and prosecute those responsible,” Maj Gen Tony Przybyslawski said.

Social security numbers, birth dates and other information was accessed some time in May or June, apparently by someone with the password to the air force computer system, Brabenec said.

On Friday, the people affected were notified of steps they could take to protect their identity, he said.

The military, while protecting classified information, has had trouble protecting data about its people, a computer expert told The Washington Post, which first reported the incident.

“They have historically done much better at protecting operational systems than at protecting administrative systems,” said John Pike, director of GlobalSecurity.org.

In my view this is an excellent example of how even organizations well aware of security issues tend to excel at their core competencies – and proper handling of personal information is likely not the key driver in their approach to information, system design and operations.

This is why we can expect that those who specialize in and build their reputations by protecting personal identifying information are likely to do the best job at it.

A technology that allows relying parties to “request and then forget” personal information – this on a “need to know” basis and only when explicitly permitted by the user – is in my view the only sensible path forward. All information that is retained, for example for auditing purposes, should be encrypted under keys limited to the authorized off-line usage of appropriate personnel.

I like the use of “suspected hacker” in the article. Maybe it wasn't really a hacker who broke in – just someone who accidentally ended up on the site, and traipsed on the social security numbers through sheer bad luck.


Trying to understand technorati tags

I've been playing with technorati tags so I could develop the practical understanding necessary to at least follow the discussion about how they relate to directory.

I think tags have interesting possibilities as a technology – more on this when I understand them better. But there are aspects of the way technorati works which still mystify me.

At the right, for example, is a screenshot of what technorati displayed yesterday when I searched for the Identity Metasystem Tag (a new tag I threw into the “tag pool”).

There seems to be a certain amount of randomness here. For example, why do some of my entries show up with a picture while others do not.

Why does Linux Journal Does The Identity Metasystem have no picture? Why does it have zero links when the URL is the same one other entries peg at 181 links? Why does the first entry have a title of HASH?

Are these bugs or am I doing something wrong? Who can I connect with at technorati to understand these issues?

Anyone know?

Mozilla's Mike Shaver

A few months ago, Marc Canter, Craig Burton and Doc Searls introduced me to Mitchell Baker of the Mozilla Foundation. We had a good discussion, and following up on that, I've been able to get together with the Foundation's Mike Shaver to talk about the identity metasystem. He is focusing on how to drive identity forward at Mozilla; he's got a strong background for this, including, amongst other things, his work at Zero-Knowledge. Even better, he blogs:

I was outed as a new member of the Mozilla Foundation team by a press release about a now-long-past keynote address, so there isn’t really much to announce here. My contract has me working primarily as a technology strategist, a necessarily-vague position that has been described pretty well by Mitchell’s post about new people and roles in the Mozilla Foundation world. I continue to help with release management, organizational governance, and even advising the intrepid devmo squad, but I try to spend most of my time with my sights on the technology strategy issues that are of significant interest to our community and products. (Which is not to say that I do spend most of my time there, but I’m learning how to do so better every day, and with every gentle nudge from my wicked-awesome manager.)

The primary area of technology strategy that I’ve been working on so far has centred around “identity”, which is of course a topic broad enough to consume several lifetimes. I count myself lucky to have developed a grounding in identity and privacy issues while at Zero-Knowledge, as it’s allowed me to get up to speed more quickly than I might otherwise have been able to.

The biggest strength of the current identity climate is also the biggest weakness: there are a number of identity systems that provide different capabilities, are built to emphasize different values, and require different amounts of infrastructure support. As the Mozilla Foundation is chartered to promote choice and innovation on the Internet, it would seem that we’re in good shape on at least half of our primary concern: choice.

I don’t think it’s really the case, unfortunately, because the sort of choice that the user faces is not one that empowers them at all: in many ways, it forces the user to pick a winner, and it forces similarly unpleasant choices on developers that want to take advantage of “Identity 2.0” capabilities in order to build interesting services, technologies, and experiences. Choice competes with innovation here, and while that’s a tension that arises in many contexts, it’s of even more concern when we’re talking about something this central to the web experience — and, I feel I can say without gross overstatement, to the social fabric of modern life, as mediated by all this computer nonsense.

(I should point out that all of the interesting proposals for modern identity infrastructure permit users to exert control over what organizations actually hold their private information, which is a huge step forward from the Passport nightmare we faced not that long ago. I still think that having to choose an identity system is a bad scene, but it could certainly be worse.)

Being the technology strategist for the Mozilla Foundation has its perks, and chief among them is that I get to work with a truly amazing team on a project that really is at the center of the modern web. Right after that, though, is that a lot (lot) of people want to talk to me, and while it can be a mixed blessing in terms of time management, it’s tremendously helpful in making sense of something as complex as the identity landscape. I had good, if preliminary, discussions with folks from the Passel and SXIP camps, while I was at OSCON, and I’ve since been setting up meetings with other identity-system boosters to get other perspectives. (If you are with an identity system group and you haven’t made contact with me yet, please do send mail and some information about your system, because I’m by no means done with that part of the process.)

Most recently, I had the pleasure of meeting with Kim Cameron, Microsoft’s Architect of Identity and Access and the father of InfoCard.

He came to spend some time with me in Toronto this week, and I was delighted to discover that we share many of the same positions on the key obstacles to having viable identity infrastructure on the web today. The InfoCard work looks to be pretty good from philosophical and architectural perspectives, and I’m trying to learn enough about the whole bloody WS-* stack to really grok the details. We had a very good conversation about a wide range of technical and social issues, and I look forward to more of them in the future. I’m pretty confident that Kim genuinely wants to do the Right Thing, and even more importantly he seems to have the Right Idea about what the Right Thing is — which is to say, in other words, that we agree about many things, much to his credit.

I hope to write more in the coming days about the identity systems I’ve looked at, and what I think the general form of Mozilla’s identity strategy should be, but I wanted to break my blogging fast and talk a little bit about what I’m working on these days. It’s really too exciting to keep to myself!

I was struck by the clarity of Mike's thinking about the impact of choice: at its worst, it means each participant must “bet on a winner.” This is a significant problem for individual users. But it represents an actual risk for developers and relying parties – since they have to bet on something which is very hard to predict. No wonder people have “run for the hills” when faced by proponents of emerging identity systems.

Mike sees the main advantage of an identity metasystem as being that instead of betting on “winners”, you bet on a “playing field”. Developers don't have to worry which particular participating systems turn out to be popular – their investment in the identity “playing field” will still pay off. By removing the need for people to place bets – reducing everyone's risk – we make it possible for a lot more people to embrace the concepts – and thus improve the chances of all the players.

The day after our meeting, we both got “stuck” in a “small downpour”. The photo above shows “Lake Steeles” and was taken by Mike's friend madhava.


Toby Stevens launches Enterprise Privacy Group

When I was in Britain earlier this summer, I met Toby Stevens. How should I describe him? Can we invent the category of privacy entrepreneur?

Toby understands privacy issues deeply, and works in conjunction with veterans and visionaries like Simon Davies. He talks with wit and matter-of-factness about privacy as an opportunity for better relationships with customers – and potential for competitive wins. Not a whiff of odious obligation! Calm and relaxed, Toby easily convinces us that the new privacy era will be as hard to take as a pint of beer on a muggy day.

Now he has launched “a corporate membership body with the objective of identifying, developing and propagating best practice in privacy management. The forum (called Enterprise Privacy Group) will consider a broad spectrum of privacy and freedom of information issues.” A number of companies have joined already (including Microsoft, if I understand right).

He's also started a blog – and if this intelligent piece is any indication, it's a must-subscribe:

“Over recent weeks I've been talking with quite a number of potential member organisations, and one of the challenges has been explaining how we intend to cover a range of privacy issues, from very basic data protection through to some advanced identity management concepts. I had some difficulty explaining this spread, and from this I got round to thinking about the concept of a maturity model for privacy.

“My first ideas are in the diagram below:

“As the organisation develops through the maturity scale, it goes through the following stages:

  • Data Protection: at the earliest stages, the organisation understands that it has valuable personal information, and that there is a legal requirement to protect it in certain ways. However, there is no executive recognition that legal compliance does not necessarily protect the organisation from the consequences of misuse of that data.
  • Privacy: the organisation recognises the moral imperative for ethical use of personal data, and that a proper usage policy – that applies greater controls than necessarily required by law – may reduce information risks and lead to better relationships with the individuals whose data is being stored and processed.
  • Identity / Data Sharing: these issues are two sides of the same coin. In the private sector, organisations begin to recognise that data needs to be linked to an individual, rather than an asset. For example, a bank may start to link multiple accounts to the same account holder, and treat that holder as an individual in accordance with their privacy wishes. Data Sharing is the equivalent issue in public sector, where (contrary to common perception) most civil servants know that they already respect privacy of the citizen, and are seeking mechanisms to share data with other government departments without compromising that respect. Identity is crucial here if data is to be shared accurately and efficiently.
  • ‘Data Rejection’: The top of the scale is Anonymity – an understanding that much of the personal data held by the organisation is simply unnecessary, and could in fact be more of a liability than an asset. For example, a bank does not (in theory, ignoring financial regulations) need to know who an account is, but simply how to check their credit score and how to contact them if necessary. The same bank faces heavy costs for compliance and risks of misuse whilst it holds that personal data. This has worked perfectly well for the Swiss banking industry for a very long time. When organisations start to minimise their personal data assets, then they are pushing to the top of the maturity model.

“Of course, ‘Data Rejection’ should be the goal of any true federated identity scheme. Once organisations and their clients realise the value of anonymised credentials, and the opportunities for new revenue streams based upon the trust that can be created this way, we should finally see someone reach this level in the maturity model (or maybe there's an organisation out there that's already done it?)

“I'd welcome comments on this idea, since it clearly needs lots of work before I start to back it up with hard survey data. Please feel free to let me know what you think.”

Toby's concept of Data Rejection bowls me over – I'll use it from now on. I think the continuum he has set up is tremendously useful. We haven't had a shorthand or sound bite – or even a word, really – to represent the practice of consistently using “just-in-time” information rather than taking on an unnecessary information retention liability. Now we have one.

At some point in the InfoCard research I realized that by associating the identity with a set of claims – under the control of the user – we do more than just give the user a way to conceptualize a digital identity that can be proven through use of a key. We also give her the ability to release claims as part of any identity negotiation process. By remembering what claims we have released where, the identity provider can make the same claims available to the same site next time they are asked for (assuming, of course, they have not changed, and the user hasn't decided to annul the relationship).

This means the relying party no longer has to remember them – even if they are essential to the business of the site – and data rejection becomes technologically feasible. The site just obtains the requisite information as convenient during its interaction with the user, and need not assume any information storage liability. Put another way, the information is stored in one place (the identity provider) rather than a hundred places (the sites a user visits). This reduces the probability of compromise by at least two orders of magnitude. We can probably expect that the difference could be closer to three orders of magnitude because maintaining the confidentiality of identity data would be the Identity Provider's core competency, not some burden it takes on in spite of itself.

If the relying party does need to audit and remember some information beyond its realtime usage, it should encrypt it under an asymmetric key guarded by special procedures within the glass house. None of the machinery of business needs to decrypt this information in realtime or on the network, greatly reducing the risk of vulnerability.

Maybe we should have a separate name for this, too.
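The audit-retention practice described above, and in the earlier post on the Air Force database ("encrypted under keys limited to the authorized off-line usage of appropriate personnel"), can be sketched as follows. This is an added example, not code from InfoCard or any product mentioned here; the record layout, the `audit-record-v1` label, the function names and the choice of RSA-OAEP wrapping a per-record AES-256-GCM key are all assumptions made for illustration. The online relying party holds only the public key, so nothing it stores can be decrypted on the network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedRecord is all the relying party keeps for audit. Nothing in it can be
// decrypted with material that exists on the online systems.
type SealedRecord struct {
	WrappedKey []byte // one-time AES key, RSA-OAEP encrypted to the audit public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-256-GCM ciphertext and tag over the released claims
}

// auditLabel binds both encryption layers to this purpose (assumed value).
var auditLabel = []byte("audit-record-v1")

// NewAuditKey stands in for the offline key ceremony. In the scheme described
// above the private half never leaves the guarded, offline environment.
func NewAuditKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAuditRecord runs on the relying party. It needs only the public key.
func SealAuditRecord(pub *rsa.PublicKey, claims []byte) (*SealedRecord, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// Best-effort wipe of the one-time key once the record is sealed.
	defer func() {
		for i := range key {
			key[i] = 0
		}
	}()
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, auditLabel)
	if err != nil {
		return nil, err
	}
	return &SealedRecord{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, claims, auditLabel),
	}, nil
}

// OpenAuditRecord runs only offline, where the private key is held.
// It fails if the record was sealed to another key or altered in storage.
func OpenAuditRecord(priv *rsa.PrivateKey, rec *SealedRecord) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, auditLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap record key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed nonce")
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, auditLabel)
}

func main() {
	priv, err := NewAuditKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample claims, not real data.
	claims := []byte(`{"subject":"constructed-user","birthdate":"1970-01-01"}`)
	rec, err := SealAuditRecord(&priv.PublicKey, claims)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored online: %d-byte wrapped key, %d-byte ciphertext\n",
		len(rec.WrappedKey), len(rec.Ciphertext))
	plain, err := OpenAuditRecord(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered offline: %s\n", plain)
}
```
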