1 Raindrop from Gunnar Peterson

Here's a new blog by Gunnar Peterson called 1 Raindrop. This is quality thinking for those interested in issues of distributed computing.

It consists of “loosely coupled thoughts on distributed systems, security, and software that runs on them.” Gunnar summarizes alternate web technologies this way: “When you are content to simply be yourself and don’t compare or compete, everybody will respect you.” – Lao Tzu

Four laws in one blow

I've been meaning to draw people's attention to this story (via Identity Woman) by David Lazarus at sfgate.com:

“The University of California has suffered yet another potential data breach, this one involving the names and Social Security numbers of about 7,000 students, faculty and staff at the San Francisco campus.

“For Sen. Diane Feinstein, D-Calif., enough is enough. She told me Tuesday that she'll introduce federal legislation within the next few days requiring encryption of all data stored for commercial purposes.

“This latest incident involving UCSF follows news that UC Berkeley lost control of personal info for nearly 100,000 grad students, alumni and applicants last month when a laptop computer was stolen from an unlocked campus office.

“It also follows a flurry of other security lapses, including San Francisco's Wells Fargo, the nation's fourth-largest bank, experiencing no fewer than three data breaches due to stolen computers over the past year and a half.”

Senator Feinstein said, “What this shows is that there is enormous sloppy handling of personal data.”

It seems to me the question of whether the personal information was handled sloppily or tidily is just part of the problem. I'm equally bothered by the information being there in the first place. How and why did it get there? Did the identified subjects agree to this usage of the information? Why were public identifiers (social security numbers) kept for private individuals? Once these questions are answered, we can turn to operational issues: why the information appeared on a test machine, and why a test machine was deployed with no firewall.

All of this is so far a disturbing mystery. There should be a public investigation of the circumstances through which this breach (and all like it) came about. We need to understand what was going on in the heads of the people who put the data on the compromised machine. The best practice is not to store unnecessary information, and not to store it in unnecessary places. What were these guys thinking about? We need to build people's understanding of the underlying issues.

I expect this information disaster came about by breaking four identity laws at once. What a run!

  • Were users in control of what their information was being employed for? Were they told where and how it was being used (law of user control)?
  • Was there really a need to store social security numbers rather than some local or derived identifier (law of minimal information, law of directional identity)?
  • Would the identified subjects see a “test machine” as a legitimate party to their identity relationship with the university (law of fewest parties)?
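To make the “local or derived identifier” point concrete, here is an added example (not code from this post or from any university system) showing what the laws of minimal information and directional identity look like in a data store: the SSN is replaced by a keyed, per-relationship identifier, so a copy of the records on a test machine carries no SSNs and cannot be joined with another department's records. The key name, party names, and sample record are constructed for the demo.

```python
"""Constructed example: per-relationship pseudonymous identifiers in place
of raw SSNs. Not code from the post or from any real institution."""
import hashlib
import hmac

# Constructed demo key. In practice this is a high-entropy secret held by
# the issuing system (ideally an HSM), never on the machine that stores
# the derived identifiers, and never on a test box.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def derive_identifier(secret_key: bytes, relying_party: str, ssn: str) -> str:
    """Return a 32-hex-char identifier for (relying_party, ssn).

    Two properties matter here:
    - minimal information: the record holder keeps this value, not the SSN;
    - directional identity: the relying party name is mixed in, so payroll
      and the registrar get unrelated values for the same person and cannot
      join their data sets on the identifier.
    Keyed HMAC, not a bare hash, because the SSN space (10^9) is small
    enough to enumerate; without secret_key the identifier is opaque.
    """
    # NUL separator keeps (party, ssn) unambiguous; party names must not contain NUL.
    msg = relying_party.encode("utf-8") + b"\x00" + ssn.encode("utf-8")
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()[:32]


def unkeyed_hash(ssn: str) -> str:
    """The tempting but wrong alternative: hash the SSN with no key."""
    return hashlib.sha256(ssn.encode("utf-8")).hexdigest()


def brute_force_unkeyed(target: str, area: str, group: str):
    """Recover an SSN from an unkeyed hash given its first five digits.

    Only the four serial digits are enumerated here to keep the demo fast;
    enumerating all 10^9 SSNs is equally routine for whoever holds the dump.
    """
    for serial in range(10_000):
        candidate = f"{area}-{group}-{serial:04d}"
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


def minimise_record(full_record: dict, relying_party: str, secret_key: bytes) -> dict:
    """Build the record a downstream system (payroll, a test box) may hold.

    The SSN is replaced by the derived identifier; other fields pass through
    only if the relying party has a stated need for them (constructed policy).
    """
    allowed = {"payroll": {"name"}, "registrar": {"name", "program"}}
    kept = {k: v for k, v in full_record.items() if k in allowed.get(relying_party, set())}
    kept["subject_id"] = derive_identifier(secret_key, relying_party, full_record["ssn"])
    return kept


if __name__ == "__main__":
    # Constructed sample record; the SSN is a placeholder, not a real number.
    person = {"name": "A. Student", "ssn": "123-45-6789", "program": "MSc"}
    print(minimise_record(person, "payroll", DEMO_KEY))
    print(minimise_record(person, "registrar", DEMO_KEY))
    print("unkeyed hash recovered:",
          brute_force_unkeyed(unkeyed_hash(person["ssn"]), "123", "45"))
```

Running it shows the same person getting two unrelated identifiers for payroll and registrar, while the unkeyed hash of the SSN is recovered in a fraction of a second.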

Encryption is a good idea but will probably lead to a false sense of confidence and further breaches. We need a more holistic solution.

One final comment. We should give UCSF's forensic staff credit for detecting the breach:

In UCSF's case, campus techies noticed in late February that a server used in part by the university's accounting and personnel departments was generating an unusually high level of network activity.

I'm willing to bet things like this are happening almost everywhere and almost every day – but that most institutions don't have the mechanisms in place to detect what is going on.

From identity to identifiers – Law of Control

I am really fascinated by work Drummond Reed has started on his blog in which he uses the laws of identity to structure a discussion on identifiers. I look forward to seeing where this goes, since Drummond has thought incredibly deeply about identifiers (he is the technical chair of the OASIS Extensible Resource Identifier – XRI – Technical Committee; not to mention his work on XDI…). I know from conversations with my friends at NAC (the Network Applications Consortium) that identifiers are becoming a super-hot pragmatic issue.

Drummond explains what he's doing this way:

When Kim published his Fourth Law (the Law of Directed Identity), it was the first (and only) law that touched directly on identifiers. I knew his Laws had gained quite a following when I quickly received several email messages asking if XRIs (Extensible Resource Identifiers), the new OASIS specifications for abstract identifiers, conformed to the 4th Law.

In discussing this with other members of the XRI TC, as well as with Kim, we realized that each of his “Laws of Identity” has a “Corollary For Identifiers”. In particular, these corollaries would apply to any universal identifier metasystem that aspired to be the addressing scheme for the “mega momma backplane” (as Kim, Marc Canter, and Craig Burton put it.)

That, of course, is precisely the goal of the OASIS XRI effort dating back to 2003 (and previously to the XNS work dating back to 1999.) Given that the XRI 2.0 specifications are currently in public review in advance of a full OASIS vote, now seems like a good time to follow Kim’s lead and publish “The Seven Corollaries of Identifiers”.

The idea that each of the laws has its own ‘identifier corollary’ makes perfect sense. And I'm struck by the way in which the laws provide a conceptual handle through which the issues of identification can be understood by an audience wider than those who wake up, have a coffee, and think about identifiers all day long.

So let's look at the first corollary:

1. The Law of Control

Technical identity systems MUST only reveal information identifying a user with the user’s consent.

1a. The Corollary of Identifier Control.

The identifiers in a universal identifier metasystem MUST only reveal information identifying a user with the user’s consent.

Funny how intuitive it seems when you put it this way. A user’s online identifier should not force the user to reveal any more information than they wish. And yet one of the online identifiers most frequently requested from users squarely violates this principle: an email address. Websites that require an email address to register – and many have no choice because it is often the only easy, universal way to perform basic user authentication – force individuals into revealing information that in many cases they would rather not.

So half the Web breaks this corollary before we’re even out of the starting gate. But it gets worse. Look at one of the current bulwarks of online identification: DNS. A standard requirement for most DNS name registries is accurate, current contact data for the registrant that is published publicly as “Whois” data. Although many registrars now offer proxy registration services to preserve registrant privacy and prevent spam, there’s no escaping that a major component of our current Internet identifier infrastructure breaks the First Corollary squarely in two.

So can XRIs fix this problem? Yes. The first principle of XRI architecture is that XRIs are abstract – the association between an XRI and the real-world resource it represents is entirely under the control of its XRI authority (the person or organization registering the XRI, at any level of delegation). So nothing in an XRI need reveal anything about the authority’s identity or messaging address.

So how can the identifier be authenticated, i.e., what’s the XRI equivalent of the simple email address verification test that websites use every day? The ISSO (I-Name Single Sign-On) protocol, which combines XRI 2.0 resolution with SAML 2.0 authentication assertion exchange. It’s easier, faster, and much more secure than email authentication – and still does not require revealing any other information identifying the user.

So that fixes the first problem. What about the second – the DNS “Whois” problem? What registrant data is required when registering an XRI? Here I can only speak for the XRI global registry services to be offered by XDI.ORG. Based on its Global Services Specifications (GSS) that have been in public review since December, the answer is: none. Following XDI.ORG’s Minimum Information Policy, a cornerstone of its Data Protection Policies, the XDI.ORG global registries will store only registered XRIs, resolution values, and authentication credentials. There is no public (or private) “Whois” service. (There is a Public Trustee Service that provides an alternate means of authenticating a registrant to XDI.ORG if they lose their registration credential, but that data is entirely private.)

So what provides accountability for global registrations? Dispute Notification Service. Every global XRI registrar is required to provide a means of forwarding authenticated dispute notifications to a registrant. This accomplishes the same goal as DNS Whois service but without revealing registrant identifying data or exposing registrants to spam.

This really helps me understand what XRI is all about. And we're just at law 1.

Identity Reform

Chris Ceppi has gone further in explaining his ideas around ‘Identity Reform’. And now I understand the interesting point he is making. We are talking about technological reform.

In an earlier post I referenced the work of Frank Luntz, a Republican pollster and wordsmith who has, regrettably since I often find myself at odds with his positions, been very successful at promoting legislative initiatives by correctly determining the most compelling words to use to promote them. Luntz has done loads of research showing the dramatic effect using different words can have on how the same idea is received. A few notable examples from politics in the last few years include:

  • Eliminating the “Estate Tax” is much less popular than eliminating the “Death Tax” – same legislation, broader appeal since everyone dies, but not everyone has an estate worth worrying about.
  • “Welfare Cuts” raised fears and were not popular, “Welfare Reform” (including cuts) passed with broad support under Clinton.
  • Social Security “Phase out” is a non-starter, “Private Accounts” are less unpopular but still better than “Privatization”.

The connotations triggered by word choice can ultimately determine whether an idea flies in the mainstream or not – this is why Luntz makes a good living helping Republican politicians craft the language they use to market less than popular initiatives. Given the high degree of suspicion of new identity technology (see ACLU Pizza, attitudes toward Microsoft, etc.) in the general public, I think it is important for those of us developing new technology in this space to be very conscious of the language we use to frame our work.

My view is that the technical innovation surrounding identity is, in fact, part of an ad hoc reform effort. The technical systems, business practices, and regulatory regimes that currently touch identity are primitive and badly broken – these systems and practices need to be upgraded to better serve the interests of important stakeholders.

So what is the most compelling way to communicate the need for technical innovation in the current climate of mistrust and borderline paranoia about identity? Emphasizing the sorry state of the status quo and calling for ‘Identity Reform’ is my current best guess.

These days I'm really focussed on the need to develop a cross-platform system embracing technical alternatives that allow users to select specific variants which ‘work best’ for them. We need to think in terms of an “identity bus” that allows individuals and organizations to “plug in” such alternatives. I see the emergence of these alternatives as being the essential vehicle by which all the relevant parties can posit and influence our digital identity future.

Doing this could indeed be called a reform of the current chaotic and primitive status quo.

Empire and Communications sleuths, we thank you!

The good news is that Empire and Communications sleuth Janet R located a relatively inexpensive copy here. The bad news is that I bought it.

The good news is that Mark P found a “print to order” copy here. The bad news is that it's…

…still out of my range at $74. The author is listed as Harold Innis, rather than Harold Innes, by the way. First edition, $100 here. Soft cover edition, $61.95 here. Hope these help someone.

Mark is right that I misspelled Harold's name – I have fixed the posting and apologized to Harold.

The good news is that when I receive the copy I just ordered, I will make it available for readers of this blog to borrow (I have my own copy, currently on loan). I've been thinking of getting the book its own I-name to make this easier. I wonder if Drummond has a domain for books? Maybe he will cut me a special deal. Can a blogger be a lending library?

So much for (out of) print…

Yesterday I mentioned Empire and Communications by Harold Innis. A number of people asked how to get it and at this point it appears you need to go to a university library (I think it's worth it to do so, since the book is a seminal piece on the relationship between technology and culture). In trying to see if the book can be purchased, the search engines took me to Is there a Mesh Size Problem with the Internet – a lecture given by philosopher John Scott in 1999 at Memorial University. He clearly had the same reaction to Innis’ work as I did:

… [The] Internet is going to force us to take some needed, but overdue, institutional and political steps to address something like what eye doctors call an “accommodation” problem. When our eyes do not adjust quickly enough, or fully enough, or appropriately to the changing objects in our field of view the doctors tell us we have an “accommodation” problem.
We have been accommodating changes in language-technologies in different and dramatic ways since the beginning of recorded history. Changes associated with the internet's vices and virtues are no different, except that the orders of magnitude seem considerably increased. The Internet changes the ways we record, send, and receive messages and will radically continue to change where and how we live, just as past messaging innovations have.
This is nothing new. Harold Innis was saying it in the ’40s ’50s and ’60s. His Empire and Communications was published in 1950. He chronicled there the impact on Egyptian culture of the introduction of the new technology, papyrus. The development of law in Hammurabi's Babylon flowed largely, he suggests, from the introduction there of a consistently efficient system of writing; and the growth of reflective, democratic institutions in Greece grew out of its institutionalized oral language patterns. Then the “Word” went on to build the Cathedral towns of Europe and their associated political structures over the first thousand years of Christianity…. Until these structures were swept away when the Word found a more fluid and portable home in Guttenberg's movable type… which has shaped the public and private institutions accommodating our lives until very recently. It was Guttenberg, you will remember, on whom McLuhan focussed when he first took Innis’ message to the media in the early ’60s and later.
So we should hardly be surprised that the internet has so now changed how and where we live, work, shop, get medical, financial (and all kinds of other intimate) advice and services – and even vote – without leaving our homes. And our homes can now be located almost wherever our fancies (and the mortgage companies) dictate. There is nothing new about the inevitability of medium-based change. But it makes us a bit breathless, nonetheless, about whether we have choices over the kinds of accommodations we are going to have to make, or even any way to identify them before they wall us into new, and perhaps, very frightening kinds of places.

By the way, Empire and Communications (University of Toronto Press [1950, 1972]) does not represent a crude technological determinism – it was a series of lectures presented at Oxford (as I recall) at the end of Dr. Innis’ life, and is one of the most erudite works on human history, culture and technology I have read.

Is technological innovation ying or just yang?

Eric Norlin steals the stand-up spotlight with his posting on how I ruffled some of Chris Ceppi's feathers yesterday. Chris says:

Some exaggeration for effect on Identityblog today:

“As much as I think Chris understands policy issues, I don't think anyone could be more wrong than he is in eliding the role of technical innovation in achieving the new architecture Solove is looking for. Legal remedies will not be plausible without the right technological infrastructure. We need everyone to understand this. It is what underlies the historical urgency of the present identity discussion. And it explains why identity architecture must make possible specific capabilities, like formal ways to demonstrate the contract under which a user has made information available. We must think about the long term.”

After consulting Eric Norlin to find out what it means to elide something – thanks Eric! – I believe Kim has gone hyperbolic here on a couple of fronts. First, it is, in fact, possible to be more wrong. I have been myself on several occasions – notably in my early work with the government e-authentication initiative in 2003 when I vastly underestimated the impact privacy concerns would have on the nature and timing of federated identity deployments.

OK. Chris has got me on this. Maybe I should have said “slur over” rather than “elide”… And Chris’ slur was far from the “wrongest” thing in the world… But heck. I'm a technologist. So what was I to make of this bizarre statement:

…the technical innovation surrounding digital identity is best seen as a reform effort.

To me, this is like saying ying is important, yang is a reform effort. Protons are important, electrons are a reform effort. Science is important, art is a reform effort. In my thinking, all aspects of this are important, and equally necessary to reach a successful outcome.

Chris continues:

So, what is the proper role of technical innovation in reforming identity? Given the broad set of powerful stakeholders involved, it would be surprising if technology architects, even those as influential as Kim, settle that issue unilaterally. It is more likely that the role technology plays will not be designed or planned, but will evolve in response to a set of dynamic forces.

Of course I don't believe that an identity infrastructure can be built through unilateral actions. It has been tried before, and failed. In fact, few things in life can be built unilaterally.

This said, technology has its own inevitabilities, quite apart from our consciousness or will. For example, the industrial revolution dramatically changed all the societies it touched, including people and groups who did not want to be changed. The same was true of the introduction of electronic media. The cyber revolution is yet one more example. I would refer readers to Harold Innis (the mentor of Marshall McLuhan) and his 1950 book, Empire and Communications.

We need to recognize this to produce good social outcomes. The laws of identity, for example, are an attempt to come to grips with some of these inevitabilities in the particular area of technology I am involved with. The fifth law states that widespread acceptance of an identity infrastructure will depend on it being a metasystem, enabling free choice between multiple technologies run by multiple operators. This approach is the technological design allowing solutions to “evolve in response to a set of dynamic forces” – as Chris himself says.

I salute and embrace Chris’ view that our relation to all the stakeholders of identity (meaning everyone) should be based on “cooperation, curiosity, discovery, openness, respect, trust, and humility.”

From the Putting Two Plus Two Together Department


Panopticon – the 15th Annual Conference on Computers, Freedom & Privacy – is taking place this week at the Westin Hotel in Seattle.

The list of speakers and participants is a privacy who's who. It includes Stefan Brands, well known to readers of this blog given his crossover into identity technologies, as well as Daniel Solove, who I just wrote about – not realizing he was actually in the city – and a host of others. As if this wasn't amazing enough, tomorrow will begin with a debate around the work of the brilliant and disturbing identity futurist Steve Mann, from the University of Toronto. I see him as the cyborg Iggy Pop of identity, passion incarnate, with wires in his brain:

For many years, Dr. Steve Mann has been working on wearable computing. He now goes everywhere recording and broadcasting on the Internet his every movement and experience. As surveillance in society grows, Steve fights back by recording his own version of experience, which he claims as his inalienable right. Is sousveillance the only weapon individuals have, or are more cameras just adding to the problem? We will hear from a panel of experts with widely divergent views: Dr. Mann, the Cyborg; David Brin, author of The Transparent Society; Dr. Ivan Szekely, drafter of information and privacy legislation in the former eastern bloc state of Hungary; and computer scientist Dr. Latanya Sweeney of Carnegie Mellon. The panel will be moderated by Anita Ramasastry of the University of Washington Law School. Organizer: Stephanie Perrin

I was scheduled to be away from Seattle this week but my plans changed at the very last minute – I wonder if you can still get in?

Regime for Privacy Protection

Identity Woman has been telling us for some time about Daniel Solove's amazing book, The Digital Person.

Of course a lot of books have come out recently which discuss privacy issues – even making the cover of last week's New York Times Book Review section (William Safire discussing No Place To Hide and Chatter).

But Solove's work is in a class by itself.

In an argument worthy of George Lakoff he convinces us that privacy advocates need to move beyond the secrecy-based “Big Brother” metaphor, and embrace the metaphor of Kafka's “The Trial” – a novel in which the subject is arrested for charges which constantly elude him, put forward by unknown accusers who remain just out of sight – a situation which might be remedied at any moment should the bureaucratic process, which of course is undefined and impenetrable, wend its way to a positive conclusion (naturally it doesn't).

Solove argues that, in general, superdossiers are assembled not by punitive central government authorities, but by an uncontrolled and unknowable web of commercial actors whose self-interest lies in knowing-us-to-death.

Solove wants us to move away from the paradigm where an affront to privacy is defined as revealing something secret. After all, things like our names, sex, age, address and profession are in some sense public information (i.e., they are published in public documents). If an invasion of privacy consists only in revealing secret information, then third parties who make personally identifying information available to others do nothing wrong, when in fact the construction of superdossiers that remain out of our control is fundamentally dehumanizing. He demonstrates clearly that the secrecy approach has failed to produce rational outcomes in many legal cases.

His main interest lies in updating the “legal architecture” protecting privacy in the United States. (The book includes an interesting discussion of the similarities between physical, software, and legal architecture).

Recently Solove has teamed up with Chris Jay Hoofnagle of the Electronic Privacy Information Center West Coast Office to author the Regime for Privacy Protection. This document proposes a series of concrete measures the authors see as practical ways of addressing privacy concerns of the modern technological period.

Identity colleague Chris Ceppi reviews “the regime” this way:

As someone who feels very strongly that the technical innovation surrounding digital identity is best seen as a reform effort, I was delighted to come across this extremely thorough and hopefully influential study of identity and privacy published by Daniel Solove and Chris Hoofnagle.

Solove and Hoofnagle's Model Regime presents a clearly defined set of problem descriptions and proposed regulatory remedies for a whole set of privacy concerns currently plaguing digital identity – it is a good bet that their thinking will find its way into the technology that is deployed in this reform effort.

Of particular interest is the historical context they provide for the development of privacy legislation. If you have ever wondered how in the world the Social Security Number was allowed to proliferate as a universal identifier used by businesses, you'll be heartened to learn that restricting the use of SSN by businesses was proposed for inclusion in the 1974 Privacy Act – but the restriction on SSN use did not make it into the final Act. Ouch.

As much as I think Chris understands policy issues, I don't think anyone could be more wrong than he is in eliding the role of technical innovation in achieving the new architecture Solove is looking for. Legal remedies will not be plausible without the right technological infrastructure. We need everyone to understand this. It is what underlies the historical urgency of the present identity discussion. And it explains why identity architecture must make possible specific capabilities, like formal ways to demonstrate the contract under which a user has made information available. We must think about the long term.

Readers of this blog will be aware of my conclusion that the technical designers of the identity metasystem need to avoid architectural decisions which impose their prejudices on it. Instead we should provide the framework in which various kinds of technologically and operationally unrelated identity providers suitable to specific contexts can be selected by users who are effectively given ultimate freedom of choice.

This kind of technological freedom puts the levers of technology in the hands of citizens and thereby allows the normal processes of legal architecture to reach out into the newly evolving technology realms.

I trust that one day legal and technological architects will meet up to further discuss these issues.

The ‘Ph’ Mother Lode

Andrew Layman, who is one of the key forces behind the WS-* set of industry standards, asked me recently if taxonomically speaking there was an activity called “phraud” that encompassed both “phishing” and “pharming”. And I thought he was joking!

But the concept struck me as a simplifying principle that would clean up a lot of slideware, so I asked if I could attribute the new category to him. Then a couple of days later, he sent me this etymologically satisfying email:

“It is such an obvious joke that I doubted I was the first one to think of it, so I searched the web for “phraud” and discovered lots of hits, most of them ambiguous, but clearly I’m not the first person to use that word.

“Interestingly, I also think they shed some light on the plausible origins of the term “phishing.” It appears that in the subculture of people who like to steal services from the phone company and the like, it is conventional to substitute ‘ph’ for ‘f’ a lot. Probably originating from ‘phone freak’ becoming ‘phone phreak’ and thence to all similar transformations. So luring people, that is, fishing, would quickly become ‘phishing’.”

I had actually had the same intuition. In fact I became sufficiently fascinated by the strange destinations associated with ‘phraud’ that I successfully avoided my growing pile of urgent tasks for several hours while exploring how far back its usage goes.

And then I hit the mother lode. I mean a world where ‘Ph’ is hegemonic. A place where everyone has a ‘Ph’ D. Just look at this:

==Phrack Inc.==

Volume One, Issue Eight, Phile #2 of 9

==Phrack Pro-Phile V==

Written and Created by Taran King

June 25, 1986

Welcome to Phrack Pro-Phile V. Phrack Pro-Phile is created to bring information to you, the users, about old or highly important/controversial people. This month, I bring to you one of the most influential users of our times and of days of old…

An article on an identity system called (control yourselves) ISDN includes this quote from Mr. R., an AT&T supervisor:

“One of the controlling factors behind The Integrated Services Digital Network is the simple fact that AT&T, MCI, and other long distance companies are losing MILLIONS to Phone Phraud.”

Another “phile” which has not had the requisite cosmetic application of ‘Ph’ begins:

This file will detail the use of a rural junction box to fraud the phone company and make all the free phone calls you want to BBS or AE by.

Seems like Andrew hit the nail on the head.