Getting clearer all the time…

It was good to hear from Robin Wilton, who by the way has a new role in Sun's CTO group:

Kim Cameron has just posted here on Stephen Deadman’s recent paper concerning the legal implications of establishing a Liberty Circle of Trust.

Having just returned from the Liberty Sponsors’ meeting, I think I can safely say that coffee-break conversation did sometimes turn to the topic of Kim’s blog, and even if there were some specifics on which people might disagree, there was also a general appreciation of the way in which Kim’s work brings important topics into the public domain in a constructive way, allowing different views to be aired.

That's very cool. Robin and the folks he describes have done a lot of really good work and I look forward to every opportunity to dialog with them.

There were just two sentences in Kim’s post on which I wanted to offer my own personal comment, and here they are:

1 “The legal complexities of this style of federation are significant, and they must all be considered.”

I agree with the sentiment entirely… but not necessarily with the hint of an implication that there are other styles of federation which might be legally less complex.
Federation is one of the possible approaches to fixing the problem of trusted, interoperable authentication between multiple parties. My instinct is that relationships of that kind will give rise to pretty much the same legal complexity no matter which organisational and technical approach one adopts. It’s just a tough (but not insoluble) problem.

Well, I want to assure Robin that this was not intended as a “complexity swipe” at Liberty or anyone else. I totally agree with the formulation that the policy problems are “tough but not insoluble.” Further, the Liberty participants should be congratulated for their leadership in thinking about the policy side of things and centering their thinking in concrete scenarios and use cases. These ideas are real contributions.

I contrasted possible “styles of federation” without giving you the slightest context for what I was thinking – sorry about that! Blame it on the rain.

Basically, I think there exists a second set of what Jamie Lewis is calling “personal” identity scenarios, and that such scenarios can be less complex from a policy point of view – when done right – than intercorporate scenarios. But that doesn't mean they replace intercorporate scenarios or represent some kind of “silver bullet” or higher path! Both sets of scenarios need to be solved. They are complementary.

2 “Now, perhaps I am just a man with a hammer who sees everything in the world as a nail, but the paper reinforced my thinking that the more our systems are built to guarantee that the user is the conscious agent of information release (rather than having this done on his behalf), the better privacy is served, and the simpler our lives become from a legal and policy point of view.”

Again, I agree with the basic statement but not the implication. In my view, the user can be “the conscious agent of information release” while still having that act performed on her behalf. For instance, when I write a cheque [check] I consciously act to make a payment, but I then rely on the clearing system to perform that payment on my behalf. In the online environment, I issue instructions to my bank to transfer funds to someone else; that’s a process I trust a lot more than keeping my salary under the mattress!

So this is a trust model which already works in both the real and the online worlds; I think it can be applied to online attribute exchange as well – not necessarily as the whole and only solution, but certainly as a valid architectural option.

Totally agree, Robin. The option you propose is totally valid for the context you describe. When I was talking about a hammer, it was the hammer of user control and consent. There are many ways to achieve this and implement it in technology. I see you as a colleague who is as committed to this end as I am.

New Liberty Alliance Paper

The Liberty Alliance has published a paper called “Circles of Trust: The Implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation” which is available for download here.

The paper was edited by Stephen Deadman and compiled by a very knowledgeable panel of contributors including Luc Mathan, Christine Varney, Jeff Hodges, Paul Madsen, Joe Alhadeff, Piper Cole, and Stephanie Manning. It goes well beyond the Privacy and Security Best Practices paper released in 2003.

The paper situates the problems of privacy and data protection that arise when customer data is shared within the context of various European legal and normative initiatives (the thinking will be equally instructive to North Americans). At times I had the feeling the report raised almost as many questions as it answered – and that this was likely intentional. The legal complexities of this style of federation are significant, and they must all be considered.

The paper is a clarifying step forward for all of us who are working on federation solutions and deployments, whether they are based on Liberty profiles or other comparable technologies.

Now, perhaps I am just a man with a hammer who sees everything in the world as a nail, but the paper reinforced my thinking that the more our systems are built to guarantee that the user is the conscious agent of information release (rather than having this done on his behalf), the better privacy is served, and the simpler our lives become from a legal and policy point of view.

New primer from Stefan

Stefan Brands has published a Primer on User Identification which can be downloaded here. It is a good introduction to Stefan's thinking and research – very stimulating work.

I know there are people who hear about a metasystem proposal and think, “Can't we just stick with TOKEN-X and have done with it?” And I understand that as a human reaction. But I urge people to look at systems like Stefan's – and the other innovative systems coming from other “identity innovator” colleagues. These systems are being built today. Each of them has characteristics that are ideally suited to various contexts. Let's make sure, as we build an identity infrastructure encompassing a few billion computers, that it will support these innovative ideas.

Brittan School wins Most Invasive Proposal Award

Privacy International just posted the list of winners of the U.S. Big Brother Awards.

Of course there were many potential candidates, but the prize for Most Invasive Proposal or Project went to an initiative I have previously called out as a blockbuster. I'm talking about the “Brittan Elementary School RFID tagging of students” project, which broke a whopping four laws of identity in one go (user control and consent, minimal information, fewest parties, and directional identity). The sfgate.com story is here and my commentary on the project's demise is here. There was apparently stiff competition.

The Privacy International press release reads:

The judges selected Brittan Elementary School for the award. Citing the principal of the school who enjoyed the idea of spying on all students’ whereabouts “because it would streamline the taking of attendance, giving teachers a few minutes more each day to teach and boost accuracy, no small matter given that California school funding is based on how many children attend class each day.” Parents of students reacted negatively and organized campaigns against the scheme. The Big Brother Award will be delivered personally to the principal by concerned parents.

Privacy International also issued a special Lifetime Menace Award to Choicepoint.

Eyetap Update

I recently wrote about the Conference on Computers, Freedom and Privacy that just took place in Seattle.

I met a number of key thinkers there, people who have worked hard for a long time to understand what privacy really is and how to protect it as technology evolves and we settle cyberspace. I came away hoping they will work with us – and blog with us – to ensure our thinking about the identity metasystem contributes as much to the protection of privacy as it does to any other aspect of security. Privacy and security are not possible without each other.

Eric Norlin recently wrote that he'd “never actually found a privacy paper interesting enough to read past page 2.” I've heard that complaint before, so I want to turn him on to Steve Mann. Eric, Steve will not bore you. I think it was clever the way conference organizers used Steve's ideas to frame a number of discussions.

One such idea is called “sousveillance” – a response to what he calls “The surveillance super highway”. Steve has taken those little black domes that hide surveillance cameras intended to observe individuals, and used them to make personal surveillance systems that work in the opposite direction (through which the individual can record his treatment by organizations – see the photo at right for an example…) He ups the “anti” by calling them “maybecameras” – maybe they are real, maybe they are on, maybe they are recording, maybe they are broadcasting (he has developed sophisticated mechanisms for broadcasting video images in real time, and assembling them at a base station into wrap-around visual representations which can even be manipulated to edit out unpleasant sights like billboards). Of course, the maybecameras are really a “situationist” intervention, through which everyone starts thinking about many privacy issues.

So get this. The conference organizers actually turned every conference bag into a maybecamera replete with its individual dome… It was really bizarre and effective, casually mixing with hundreds of other dome-carriers at a conference with a title of “Panopticon”… And guess what? It's the first time I have come home from a conference with something both my (university age) children wanted!

The good news (in terms of future conversation) is that the folks from eyetap.org sent me this update:

Slides from the conference keynote, opening plenary panel (Steve Mann, David Brin, Latanya Sweeney, and others) are in wearcam.org/cfp2005/

Pictures are here, including pictures of the dome sewing party where many well known volunteers such as John Gilmore, Jon Pincus, Deborah Pierce, etc., helped to make 500 maybecameras, one for each conference attendee. Some of the maybecameras had wireless transmitters to send live video offsite, but attendees did not know whether or not they were watching.

For more background information on the maybecamera sousveillance project, see some of the papers published in Leonardo on this topic.

Jack's One Law

Jack Krupansky has pointed out that if we want to speak to a wider audience, we need a really crisp problem statement. Speaking of the latest identity meltdown at University of California, he says:

Do you think that Senator Feinstein, et al are in possession of a rock-solid “problem statement”? I think not. And these are the policy decision-makers who can make or break identity “reform” efforts. Call this Jack's One Law For Everything: Without a rock-solid problem statement, there can be no joy.

Agreed. I like it, Jack.

He's had enough ‘ease of use’…

I wonder what Ben Hyde Ascription ate for breakfast before writing this one:

The rhetoric of putting the user at the center runs the risk of being hollow. At worst it is disingenuous. At minimum it diverts our attention from the complexity of seeing the needs and requirements of the other players in the problem space. You don’t solve the identity problem without bringing most of those constituencies along. What we don’t know is what proportions of each is required.

If Ben is talking about the user's identity, which I think he is, doesn't it then make sense that the user “be at the center”? I expect “the other constituencies” will think this makes sense too… Especially if we end up with a more secure and more intuitive way to use identities.

Each time I hear one of the players announce he is putting the user at the center I can’t help roll my eyes. Let me pick on Microsoft, I’m sure it won’t hurt the big old monopoly’s feelings. When Microsoft talks about placing the user at the center what do I hear? First off I hear the echoes of the 80s dream, that the personal computer will empower the under served little guy; ripping power from the hands of the computer center. Then I hear the passion of the UI designer selling his wares. “Ease of use.” “Ease of use, damn it!” He chants, he rants. I hear a delusion, that the PC monopoly can still set standards like this; that’s not true anymore – the browser war demonstrated that first. That the installed base now includes things like smart cards and telephones only makes it less credible today.

Gee, is Ben bitter about the opening of the glass house? I don't believe it. There must be some enthusiasm in his heart for the benefits heaped on the “little guy” through use of personal computers connected to the planetary mesh. I've seen a lot of empowered people, that's for sure, including all my friends and my children. As for ease of use, I share much of Ascription’s skepticism. It's a challenge. So what? The same is true for most technology.

But mostly I hear a classic example of agency. The presumption that a product manager is a legitimate agent for the customers. Product managers aspire to that, great product managers get close. But never ever does a product manager become legit. A product manager is always absolutely the advocate of his product. Microsoft’s product is the OS and when Microsoft says they wish to put the customer they run very close to becoming illegit and disingenuous. I find myself thinking – great it’s browser war time again; instead of solving the problem we will have the identity version of the HTML tag battles. For example if UI is key, which it obviously is, where is the open transparent legitimate process for getting that widely deployed?

Hmmm. I don't know where to start on this one. How about this? As I tell my “product manager” friends, product managers aren't all bad! After all, without them, there would be no products… Sure, people feel passionate, Ben foremost amongst them. I think that's one of the best things about our industry.

On the other hand, I know how offensive it can be to hear people in our business talking as though they have been elected, when often they have just been appointed, so to speak.

What I like in some of Microsoft’s current rhetoric, well Kim’s rhetoric, is the emphasis on seeking the “identity big bang.” That should be our common cause. Players in this space should stop pretending they are legitimate spokesmen for other constituencies and substitute in its place a clear and transparent statement of what they believe they are doing to bring each and every one of the necessary constituencies into what we hope is the coming big bang.

I agree with Ben on these last points. All constituencies are very important, and no one should claim to be a spokesman.

We should just make sure our technologies give individuals and organizations freedom of choice, and nurture an ecology of alternatives. Then people can “vote with their feet (fingers?)”.

A believable scenario – if done right

Nice posting from Ascription Is An Anathema to any Enthusiasm that gives a believable scenario for account linking:

In the midst of a delightfully shrill posting we see Ross Mayfield yearning to authorize two vendors he uses to share data about him. What some of us call linking accounts.

Tivo and Netflix Need Each Other: Why don’t they know what movies I have rented or watched? If it’s in my rental queue and I saw it for free on cable, spare us both the hassle.

That’s exactly the kind of thing that Project Liberty and more recently SAML have been trying to enable. One user with two account relationships. Two firms with info about their users. Information they would love to exchange to make those users happier. Serious issues about what embarrassing viewing habits Ross has that he probably doesn’t want getting passed around the internet rumor mill. The firms are just as worried about their secrets.

We can solve this problem. The two firms negotiate an agreement about data sharing. Ross gives his permission to allow his personal data to be shared. Everything necessary to do this is available today. The plumbing isn’t hard. Blocking out the orchestration of the deal is straightforward.

It remains hard getting a legal framework (and that’s what the term circle of trust means) that is robust and reasonable for all three parties.

Stefan Brands on Dave Berlind's interview with me

I was taken aback to come across a post by Stefan Brands where he transcribes and comments on the ideas I put forward in an interview that ZDNet's cool David Berlind did with me at PCForum. I met Stefan recently at the Computers, Freedom and Privacy conference and he impressed me as a very talented technologist who really understands privacy and other security issues.

Just for the record, I want everyone to know that I'm not Microsoft's “Chief Architect”… That title belongs to Bill Gates… I am “Architect of Identity and Access” – meaning I'm the architect responsible for the identity software products: Active Directory (AD), Microsoft Identity Integration Services (MIIS), Active Directory Federation Services and so on. In turn, each of these products has someone working on detailed architecture.

Anyway, on to Stefan's piece:

Kim Cameron on the role of privacy in digital identity:

[4:31] “You need more than just the ability to be public, you need the ability to be private, it’s two sides of the same coin.” [4.58] “Anonymity is [not] the most important aspect of things, but I think privacy is very important and the ability to protect is very important, as well as the ability to be public and provide access.” [5.58] “Identity has to be able to be uni-directional or multi-directional or, basically, anonymous. You need to be able to support all three types of things. If you look at our current technologies, they are really based on supporting public entities much better than private entities.”

[7.09] “If I as an individual go to a web site I don’t want the identity I use there to be shared between that web site and other web sites.” [7.58] “I have a private relationship with each of these parties. Now, under certain circumstances I might be convinced that I should let them actually share parts of my profile because it will benefit me.” [8.12] “We should not have a system based on this widespread profile being created automatically. So, in order to do that what we need is an identity when we are dealing with each of those that is just uni-directional, it concerns only the relationship between me and that web site.” [8.30] “The public model came along first, and everybody has sort of assumed that identity for individuals should follow that public model. That isn’t good enough, you need both the public and the private capabilities.”

Wonderful! Note that such user-controlled (un)linkability would have serious implications for current online marketing tactics that thrive on the capability to link user activities without explicit user permission – including Microsoft’s new search engine strategy.

[11.24] “We need to rethink how you build this identity system in such a way that it behaves the way people expect it to behave. One of those things is the uni-directional thing, one of the things is don’t have any irrelevant parties in your identity relations.” [12.10] “We need to have a unified way of doing identity that encompasses both our customers who are individuals and our customers who are enterprises.”

Kim on two major shortcomings of Passport, user privacy concerns and service provider privacy concerns:

[9.18] “Passport actually began supporting uni-directional identifiers. Over time it changed to just omni-directional because the web sites wanted to be able to amalgamate digital dossiers in order to market to us better. Nobody had really thought very deeply about what these issues meant in terms of how people would react and so on. The technology evolved, I think personally, in the wrong direction.” [9.54] “Passport had other problems.” [10.09] “People would ask: ‘what exactly is Microsoft doing between me and Amazon?’ It did not make sense to people that the Microsoft site would be there. And a lot of the web sites themselves would look at it and go: ‘do I really want a Microsoft service between me and my customer base?’ And they would say ‘No.’”

On Liberty Alliance:

[27.20] “Liberty is a very interesting set of proposals and implementations. But it deals with some very specific scenarios which are from the point of view of a company that is in a circle of trust with some other companies and they want to share your profile. [] It is federation, in my view, in a particular set of scenarios. [] It is from the point of view of the company which is trying to provide a portal onto these other associated companies. That is different than the requirements of the consumer in general, for instance, or it is different from the requirements of a lot of companies who just want to manage a customer relationship. [] It could still function inside this metasystem that I am talking about. [] Just like I am trying to incorporate Passport into it.”

Stories that tell our story…

Eric Norlin has posted some comments on Chris Ceppi's explanation of “Identity Reform”:

1. i'm not sure if Identity Reform is the proper way to speak about what we're all doing.

2. I like what these cumulative posts are saying — namely, the critical thinking and conversation is a beginning point, the technology is a continuation of that — the story around that is a third, important piece…..I'd call the first and third parts marketing 🙂

Of course while marketing may be critical thinking and conversation, I'm not sure that means critical thinking and conversation is marketing… But hey – Eric is pushing our buttons – so I won't say anything.

3. don't underestimate the power of a good story. chris points out frank lutz. doc often speaks of Lakoff. we have yet to dig up all of the story threads in identity — but several have already been told (and had effect) — threads like:

A) the entrepreneur whiz kid that starts an identity company because he just *knows* it'll be the next big thing [any guesses what i'm referring to there?]

B) the “laws discussion” — a thread that implies community discussion and some kind of *rational* thought that will allow the deduction of *what* should be built….ie, not only is everyone being included, but once the laws are done, we'll have some agreement grounded in “the natural state of things” [note: AKMA should have a ball dissecting how the laws of identity relates to Augustine theology up through Erasmus and the rise of the protestant work ethic…natural law anyone?]

C) the “people's” identity: the us v. (insert big bad evil entity) story is a powerful one…..open source movements feed on this one, but it's certainly not limited to them. the idea that we can all become involved in something bigger than ourselves that will strip away the wrong-doings of an existing order of things…..well….

and other threads will form:

the technology that was the best that never succeeded

the person who champions reform after a tragedy

the evil CEO that fights reform to the end

….feel the mythic qualities? see, the more closely you weave in “mythic” elements, the more powerful they become….and let me stress this mythic DOES NOT equal false. all of the stories i've cited are true — and mythic.

good “marketing” is not just conversation — it's recognizing the stories that people *want* to tell and acting accordingly.

The identity story is a powerful one because it touches most of us very deeply. the depth of it is attested to by the oft-had response of “the individual must own” their identity information and its use. Watch the emotion that attaches to that response – people *react* – with their hearts and minds.

The story of identity is being told in multiple ways with many different threads — in such a way that it has room for everyone and all of their stories. the last technology that I know of that was big enough for that was blogging (everyone tells their story); before that, the internet (the wild west gold rush); before that the personal computer (bringing to life the Jetsons future); before that the credit card (you can have what you want now, and worry about it later); before that the automobile (freedom on the open road); before that, the land rush (free land and fortune); before that, the american promise…….;-)

ps: wanna hear a good story?

the entrepreneur whiz kid founds an identity company after being inspired to think deeply about technology by the events of 9/11. he grows out of whiz kid and into experienced executive, as his company grows through funding – assembling a bright young staff of developers to build out the infrastructure of his vision. this company goes on to be a rising star in a david v. goliath fight versus the big technology stack guys — bringing a “best of breed” (which is marketing codeword for david v. goliath story) technology to market — with critical customer wins – it becomes a press and analyst darling….

how does the story end? i dunno – yet.

yes, my friends, we don't live out our stories. our stories live us.

So true.