From simple identity assertions to… identity ontology

Weaverluke is a remarkable read any day. There Luke Razzel deals with digital identity at a much higher level than I do – exploring its uses, meaning and possibilities. If you don't know Weaverluke, you might start with this piece on systems that could calculate the ontological distance between digital subjects.

Luke imagines a multi-dimensional network model of identity (as relationships) that could be built on top of an infrastructure for privacy and collaboration of the kind we are discussing at identityblog.

“In the sense that to perceive ourselves as unique individuals, I must perceive you as not me, and vice-versa, you and I inevitably have different ontologies. And, according to our differing experiences in life, we will invariably have developed many other ontological differences such as “my friends”, “my family”, “my self-image”, “my moral values”, “the one true religion” (optional!) and so on.

“Given that we recreate our personal and communal ontologies within the identity net, and that those ontologies are inevitably mutually divergent, it seems to me that distance in the identity net can most usefully be used to express ontological distance between the nodes of the network. In simple terms, we can then explore identity as an expression of ontological distance between two entities.”

Luke then explores what this might mean in different contexts, be they mundane or even sexual, leading him to examine the factors mitigating the indiscriminate release of information. Thinking about the technical infrastructure we are talking about here, he says:

“What are the implications for contemporarily-practical applications of digital identity? Kim Cameron's focus on identity assertions as a do-able goal is, I feel, just right. Microformats—small data-structures for a specific purpose, such as expressing identity attributes, for example—seem to be the most effective way right now to enable two entities to inter-operate their ontologies within a specific remit, agreeing on the smallest-practical patch of common ontological ground for the purpose.”

Reading this I was reminded of Doc Searls' admonitions about how near the beginning we are in terms of the arc that will describe identity in cyberspace. I totally agree. Our current tools are cavemen's flints. People like Luke – and the social computing movement as a whole – make it clear that we are just taking our first steps on the way to new cyberworlds. Can we remember to build a metasystem which takes as its first premise that it must be a vehicle for evolution? Speaking of which, Luke then says:

“We can presumably anticipate a Darwinian contest between rival identity microformats leading to the evolution of a few or many common microformats for digital identity. As for context-dependence for the disclosure of identity attributes, I understand this as being absolutely in tune with the notion, expressed above, of identity as a wholly subjective property that arises from within relationship.”

The Darwinian contest can only happen once there is an ecology. When we talk of an identity metasystem which is both polycentric and polymorphous we refer to a system creating precisely such an ecology, and allowing the “rivalry for microformats” through which new concepts like “ontological distance” can be turned into reality.

My key takeaway is that we should keep our assumptions about how the identity metasystem will be used out of the system itself. Our assumptions may be right, but they are not the only right assumptions. That is why I keep pushing things like “how you believe a claim” or “whether a claim is true” to the level above the metasystem itself, where various possible approaches can be tried. Of course, you need answers to those questions, and products that provide those answers. But we mustn't mix them up with the metasystem and its characteristics.

LSE report on the British ID Card Initiative

The LSE (London School of Economics) has released The Identity Project – An assessment of the UK Identity Cards Bill & its implications. (Interim Report). Ideal Government says:

It demolishes both the government’s published aims and their proposals.

Should such repeated high profile failures raise questions about the future of the Home Office: Has the current Home Office itself become a major threat to the UK?

I know everyone is busy, but really, take a look at this thoughtful report.

It is a breakthrough piece of work in exploring, in a holistic and all-sided way, the relation between social issues and technologies of identity. I suspect that government technology leaders and policy makers around the globe will pay increasingly more attention to the thinking it represents – if they want to avoid the missteps against which it is a reaction. The report includes a discussion of identity initiatives in France, giving the impression that the French have already transcended many of the problems not addressed in the British Government's proposals.

Consider these powerful arguments:

Individuals today are represented by an abundance of identifiers that are designed to be relied on only by one or a few service providers only in specific contexts. An Internet Service Provider does not record our NHS number (and has no knowledge or concern whether we have been issued such an identifier, nor any means of linking to such a number). Sport club membership cards are not linked with our employee information, and are identifiers issued in accordance with club membership policies and requirements. As a matter of design, the identifiers held by the sports club are in essence useless to any other entity other than the sports club. It is also fair to say that in a number of these relationships, records are not even in a computerised form. The personal data that is collected for the issuance of an identifier is not even verified, nor is it required to be.

Local identifiers enable service providers to identify individuals within their specific transaction contexts, to create accounts for them, and to effectively deal with fraudsters. At the same time, local identifiers have the important benefit of limiting the capabilities of service providers to create profiles of an individual’s activities with other parties. A pub owner does not need to know our name, birth date or birthplace but merely whether we are of the legal age to consume alcoholic beverages. Previously a relationship of trust would be established between the publican and the clientele; or a form of identity would be verified to ensure that the individual’s birth year is prior to the threshold year. Our prior means of identification involved natural segmentation that ensures that identity thieves can only do damage with specific providers where they have gained information on users of those providers.

Bravo! Then the report continues:

The envisioned national ID card would replace today’s local non-electronic identifiers by universal identifiers that are processed fully electronically. This migration would remove the natural segmentation of traditional activities. In the case of a pub, if additional information was disclosed, say through a national ID card, malicious staff could steal this information, or this information can be abused in other ways.

As a consequence, the damage that identity thieves can cause would no longer be confined to narrow domains, nor would identity thieves be impaired any longer by the inherent slowdowns of today’s non-electronic identification infrastructure. Furthermore, service providers and other parties would be able to electronically profile individuals across multiple activities on the basis of the universal electronic identifiers that would inescapably be disclosed when individuals interact with service providers.

Ironically, the currently envisioned ID card architecture therefore has severe implications for the security and autonomy of service providers. When the same universal electronic identifiers are relied on by a number of autonomous service providers in different domains, the security and privacy threats for the service providers no longer come only from eavesdroppers and other traditional outsiders. A rogue system administrator, a hacker, a virus, or an identity thief with insider status would be able to cause massive damage to service providers, could electronically monitor the identities and visiting times of all clients of service providers, and could impersonate and falsely deny access to the clients of service providers.

Again Bravo! This is a wonderful presentation of various ideas which have animated these pages for some months, and which lie behind our fourth law.

The discussion of how – technically speaking – unnecessary data centralization leads to increased and unmotivated risk also resonates deeply.

The report concludes:

In the context of a national ID card infrastructure, security and privacy are not opposites but, assuming that proper privacy-preserving technologies are deployed, are mutually reinforcing. In order to move forward constructively with a national ID card, it is important for government to investigate technological alternatives that hold the promise of multi-party security while preserving privacy.

Not only will this approach preserve privacy, but it will also protect the existing relationships in society. It will ensure that the rail company knows what it needs to know for granting special prices to students; that sports clubs know the required information for membership purposes; and the NHS has sufficient information to authenticate patients; without unnecessarily binding these relationships with additional needless information. This approach will also diminish the potential for the amassing and sharing of information that is unnecessary and disproportionate.
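The segmentation argument in the report excerpts above can be made concrete. The following is an added example, not code from the LSE report or from this blog: it enrols the same constructed individuals at several providers, once under a universal identifier and once under per-provider local identifiers, then measures what someone holding copies of the provider stores can join and what an insider at the pub can read. Deriving local identifiers with an HMAC over the provider name, the sample people and the threshold year are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: two individuals and the providers each one uses.
PEOPLE = [
    {"national_id": "ID-0001", "secret": b"alice-device-secret", "name": "Alice",
     "birth_year": 1980, "visits": {"pub": "Fri 21:00", "sports_club": "Sat 10:00"}},
    {"national_id": "ID-0002", "secret": b"bob-device-secret", "name": "Bob",
     "birth_year": 1975, "visits": {"pub": "Sat 22:30", "isp": "account 7"}},
]
THRESHOLD_YEAR = 1987  # assumed: a birth year before this means of legal age


def local_id(secret: bytes, provider: str) -> str:
    """Identifier that is stable at one provider and unrelated at any other."""
    return hmac.new(secret, provider.encode(), hashlib.sha256).hexdigest()[:16]


def enrol(people, universal: bool):
    """Return {provider: {identifier: record}} as each provider would store it."""
    stores = {}
    for person in people:
        for provider, visit in person["visits"].items():
            if universal:
                # The card discloses the same identifier and attributes everywhere.
                ident = person["national_id"]
                record = {"name": person["name"],
                          "birth_year": person["birth_year"],
                          "visit": visit}
            else:
                # Each provider sees its own identifier and only what it needs.
                ident = local_id(person["secret"], provider)
                record = {"visit": visit}
                if provider == "pub":
                    record["of_legal_age"] = person["birth_year"] < THRESHOLD_YEAR
            stores.setdefault(provider, {})[ident] = record
    return stores


def cross_provider_profiles(stores):
    """Join all stores on identifier; keep profiles spanning several providers."""
    seen = {}
    for provider, records in stores.items():
        for ident, record in records.items():
            seen.setdefault(ident, {})[provider] = record
    return {ident: prof for ident, prof in seen.items() if len(prof) > 1}


def exposed_fields(stores, provider):
    """Attribute names an insider at one provider can read from its store."""
    return sorted({key for rec in stores[provider].values() for key in rec})


if __name__ == "__main__":
    for universal in (True, False):
        stores = enrol(PEOPLE, universal)
        label = "universal" if universal else "local"
        print(label, "linkable profiles:", len(cross_provider_profiles(stores)),
              "| pub can read:", exposed_fields(stores, "pub"))
```

With the universal identifier both individuals are linkable across every provider they use and the pub holds name and birth year; with local identifiers the join is empty and the pub holds only the age result.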

Scobleizer on Identity

I met Scoble recently when he and Charles Torre of Channel 9 decided to interview me. Funny thing is I thought we were just getting together so I could learn about their approach to video. Well, I learned one thing: if guys with cameras want an interview, they get an interview. These are cool dudes.

Anyway, it was great fun and there is good news. Seems like Scoble thought a lot about what we were talking about. And that's huge, because he, like Doc Searls, can tie identity into a lot of other conversations. Here's some of what he Scobleized:

Can't wait for my interview with Kim Cameron to be up… (I think that's video talk for ‘podcast’ … Kim)

I'm now on the identity bandwagon. I don't care if you don't like Microsoft. Learn about identity and see if you can help get us identity systems that put users in control. I'm there. I'll be cheering you on.

One thing: I didn't grok Kim's blog until I met him and talked with him. Now it totally makes sense.

Starter kit? Listen to this IT Conversations show with the world's identity leaders.

My final witness

Everything I do professionally has as its goal the creation of an inclusive identity metasystem for the Internet.

Inclusive means that every vendor, every innovator, every thinker in every generation can be part of it, shaping and using it as they see fit – a real ecology.

Metasystem means that identity claims can be provided by many different types of parties, each meaningful in some context which unites those in an interaction.

Metasystem also means that no one gets to proclaim they have the culminating technology – there is always room to innovate and evolve the underlying pieces as fresh thinkers inevitably transcend what we can do from our vantage point here in 2005.

In other words, I want to build a system flexible enough that it doesn't fall down the first time the world shakes.

It would be silly to hinge anything this important on a personage as imperfect as I am. I would rather hinge things on a set of objective statements, which is what I have done in proposing we converge around the laws of identity.

But in moving forward, I want to reach out – even to fellow techies who think like this:

Microsoft is trying to put on a kinder, gentler shell, but underneath it's still the same old dictatorial slimebags.

This is where it comes down to real people talking about their real lives and inner worries and reflexes and – dare I say it – ideology.

It is so important that people see the Identity Big Bang is not a game of Dungeons and Dragons, but rather a defining moment in laying out a governable infrastructure for our transition into cyberspace. It takes a bit of serious thought.

It's embarrassing for me to point skeptics to this wonderfully kind piece by standards activist Drummond Reed. Let him be my final witness before we return to a discussion of what is objective:

I just want to go on record that Kim is 100% the real thing. I’ve never met anyone like him. The Laws didn’t come from any preconceived agenda or marketing spin, they came straight from the heart of Kim’s lifetime of messaging and metadirectory experience and his passion for creating a true Internet-wide identity infrastructure that will finally usher in what he calls “the big bang” – the explosion of new applications that will be possible with authenticated online trust relationships (also known as the Social Web.)

As he began to talk to the open standard/open source/open trust community about the basic principles and architecture underlying InfoCards – and the fact that it must be an open, platform-independent solution that we all agree to, not unlike TCP/IP itself – he ran into a steady stream of gaping jaws. Could this be the same Microsoft that had only three years ago proposed Passport and Hailstorm to the world?

Well, it’s not the same Microsoft. It’s the Kim Cameron-inspired Microsoft. Call me a starry-eyed optimist, but to put a twist on my favorite quote from Margaret Mead: “Never doubt that a small group of thoughtful, committed citizens can change Microsoft. Indeed, it’s the only thing that ever has.”

Kim needs our support to pull this off. He’s got mine.

This endorsement says way more about Drummond's vision and immunity to ideology than about me as an individual. He's a clear-eyed guy who wants the same metasystem I do. Like many others, he wants Microsoft to be part of the conversation and do its extensible (pluggable) backplane thing because if we're not there, it's going to take a long time (read long long time) to get Internet identity in place.

As for my relationship with Microsoft, I won't say I never “argue passionately with myself”. But I do my best to represent the Microsoft which turned computers from a bureaucratic contraption to an extension to the human mind and cortex. Not alone! And not perfectly! But in a way that transformed human reality for the better. And I see myself as one of the many who are calling on her to be true to her DNA, and in light of all she has learned as she matured, to apply her shoulder to bringing forth a new era in software, where again it becomes obvious that there is opportunity for everyone.

Passionate Arguments with Yourself

Scoble really broke me up with this one:

Dave Winer breaks away from the EFF over the role that copyrights will play in the future.

I've been having passionate and interesting arguments about the role of copyright in our future systems and communities too. In fact, I've found myself arguing with myself over copyright. (emphasis is mine)

Funny, I was just talking with an old friend who has been looking at the differences between Hegel's and Aristotle's view of dialectics. Aristotle saw dialectic as elucidation of truth through questioning rather than assertion. Hegel saw it as transcendence of the contradiction between what is and what is not. Whatever flavor you prefer, I love how Scoble makes it seem so appropriate and natural. I really like that side of him.

The continuous collision of the cyber and mortar worlds will release vast fields of energy. And I think we'll all be having a lot of passionate arguments with ourselves on our way to understanding what is happening.

Eric Norlin to the rescue

I've tried to keep my day and nighttime existence somewhat separate, but it's hard. After all, the laws of identity are the same at work and at home.

I know a number of you are following the drama that is currently unfolding in light of an early (unprompted) round of stories on ‘InfoCards’ (a code name). If people at a place like Microsoft try to do something “open” and “inclusive”, word gets around. And I've been trying to adopt what is – to my knowledge – a relatively new approach: “Innovation by blogsphere”. So it's not exactly like my ideas are top secret!

But then you end up with an investigative guy from outside the identity realm who puts the pieces together and sees a “kaboom”. Even if the initial story is more or less accurate (if profoundly incomplete), it turns into one of those cases where the other press and analysts haven't been briefed – but are none the less required to write something. So they end up drawing conclusions that in many cases can't be right. And a spiral can ensue.

Somehow we have to turn “the press” on to the things that really matter to us – by “us” I mean those who participate in this conversation – what the masterful Marc Canter of Macromedia fame calls the “emerging mega meta momma backplane”. Is this a case of blogsphere versus mainstream media?

I guess this frames the neat piece by Eric Norlin:

Cnet's got this story about Longhorn today — complete w/ a bit on InfoCards:

The company is also looking to bring back some old ideas. It's working on a technology called “info-cards” in which consumers could securely store information that is to be shared with online commerce sites. Based on the WS-* Web services architecture, info-cards will help customers manage multiple identities, Microsoft said, much as people have multiple cards in their wallet: credit cards, bank cards and membership cards.

In many ways, the idea is a throwback to Microsoft's Passport authentication program, which met with only tepid interest from e-commerce companies and others. The software maker said it is talking with partners but would not say who it might have lined up in support of the info card plan.

Ugh. I don't even work at Microsoft and this frustrates the hell outta me — reporting that can't understand something on its own terms, so it must use *bad* analogies….ie, InfoCards really *isn't* an “old idea” being “brought back.”

For a while i had this bright (or not so bright idea) that i'd go back to the original Hailstorm/Passport Press Release (yes, i have it bookmarked in my IE browser) and rewrite the thing to see if I could make it a more effective message in hindsight. But as I read this piece, I'm realizing that's somewhere beyond the town known as pointless — the preconceived stigma around msft is just too thick.

So – whadya do? Simple – make it personal.

People want to know the people behind things — and (much as its not Kim's schtick) Kim Cameron (who's behind this InfoCards thingy) is a *great* story: likeable, canadian (i think ;-), working on something open in the open, having these cool pc forum conversations, engaging with folks like me, dick hardt (sxip), drummond reed (cordance), mitchell baker (mozilla! hullo!)…..its a great story — *if* its told as Kim's Identity Work…..

now i know that kim doesn't want it to be that way – but this stuff needs a face and a person right now. Its so much harder for a reporter to write a bad story about a good person trying to do good things.

there. that's my no-sleep, early morning, blogging marketing thought for the day: Microsoft should make it personal — and trot kim out to become the face of their InfoCards stuff — and let him just be himself (no PR prepping for this one; kim should just talk and say whatever the hell he wants). Otherwise, we're gonna hear the endless droning on of passport comparisons (which is already sickening and it hasn't even really started) — and this stuff is gonna have the uphill battle from hell.

I'm not trying to be critical of the msft guys (i really like what they're trying to do over there) — but sometimes i wonder if the msft marcom machine doesn't get in the way of their own succeeding…..

(ps: i'm not sure i've ever actually met someone from that machine, btw — outside of the WagEd guys that were assigned to me when I was covering Palladium for DIDW)

Maybe, rather than putting me on tour, Eric, Doc, Craig, Mark, Dick, Drummond, Chris, Dave, Paul, Phil, Mike, Johannes, Radovan, Identity Woman, the Head Lemur, Scoble and all the rest of the Gang will be able to start telling the true story of what we are all attempting to do together.

Anyway, one thing for sure. I remain confident that in the end, the truth will out. And I mean the real truth that we are making as an industry – the Identity Big Bang.

How to make your own drivers license

Gosh, here's more pure Ceppi. It's sobering to see what the industry rhetoric has led to. I'm touched when colleagues from other companies stand up for my contribution. I get optimistic when we tackle these issues together. I also believe that if we are very very patient we will get our ideas across.

Excellent Kim Cameron interview (by David Berlind at PC Forum) available here…the comments on the ZDNet site are a fun read. One is titled “I can manage my own identity, thank you very much.” – this is about as misguided as saying “I can make my own Driver's License, thank you very much.”

Another describes a 1984-like scenario – only with more comprehensive surveillance technology – that Kim's company is supposedly bringing into being. The reality is that Kim is one of the most articulate advocates for reforming identity, protecting privacy, and empowering individuals.

The fear, mistrust, and misinformation around identity – especially as it relates to Microsoft – continue to bubble up – meanwhile the identity status quo remains spooky. The sad reality is that many of the identity dynamics that the fear mongers fear are already at work. Your consumer behavior is tracked, your transaction history is aggregated and sold, your core identity assets – the attributes that can be used to breed accounts – are managed by incompetent or unscrupulous IT staff.

The identity status quo will be reformed (and very likely regulated), the reform will involve technology innovation, that innovation will be delivered by software vendors large and small, and the major beneficiaries of the reform will be individuals.

How long all this takes depends in large part on how many ungrounded arguments the fear mongers can come up with to delay much needed reform.

Is it true Chris is doing stand-up now?

You can't get much funnier than this posting by Chris Ceppi at Arbitrage:

Doc Searls, Marc Canter, Drummond Reed, et al. are all a flitter about an Open Identity System or Internet Identity Infrastructure that has been worked out in insider conversations at PC Forum (where the elite meet to be discrete and then tell you about part of it on their blogs.) The universal identity metasystem solution sounds amazing and I can't wait to hear more – which means the hype has worked and this group has me right where they want me.

As we've discussed previously, the identity world already has its unicycle, its Cessna, and its Space Shuttles – I'm just hoping the Universal Identity Infrastructure Metasystem doesn't turn out to be our Segway

Bonus excerpt from the hype hall of fame:

“Developed at a cost of more than $100 million… Doerr predicts…the Segway Co. will be the fastest outfit in history to reach $1 billion in sales.”

Chris drives one of those, right?

Blogging Property Rights and Identity Management

I received an “i-names” email from Aldo Castaneda who is doing his legal thesis on what he calls “Open Legal Writing”. I guess, in effect, he is “blogging his thesis”… If you visit his site, you'll see he is editing it in real time in response to input – same sort of thing I'm trying to do here but in a different realm. (Oh yeah… A further difference is that I don't get another degree at the end of this… although I do get… the Identity Big Bang…)

The subject is the relation between intellectual property rights and identity management system open standards. All in all this looks like it is shaping up to be a discussion which will help us share ideas and thinking across silos. I am really glad to see the governance discussions converging with the technical ones in an intellectually probing manner:

Good legal scholarship should make (1) a claim that is (2) novel, (3) nonobvious, (4) useful, (5) sound, and (6) seen by the reader to be novel, nonobvious, useful and sound.[1]

(1) a claim:

Few if any of the Intellectual Property Rights (IPR) policies of Open Standards[2] organizations are consistent with Open Principles[3]. Therefore contributors and implementers of Identity Management System Open Standards must understand the strengths and weaknesses of each of the current IPR approaches to select the IPR policies best suited to their strategic objectives.[4]

Notes: At present [2005-3-22 at 9:35:55 AM], the Open Standards organizations to be considered include: OASIS, XDI.org, The Liberty Alliance, W3C, WS-Federation and The Trusted Computing Group (not necessarily in that order).

(2) that is novel: To date no published work presents a comparative analysis of the strengths and weaknesses of “Open Standards” relative to Identity Management standards contributors and implementers.

(3) Nonobvious: This analysis requires that 1) Open Standards be precisely defined, providing 2) a benchmark against which current Identity Management Systems standards can be compared and contrasted.

(4) Useful: This analysis will potentially be useful because it will provide 1) a comprehensive analysis of the strengths and weaknesses of current Identity Management System Open Standards and 2) a practical analytical model for use by Identity Management System Open Standards contributors and implementers.

(5) Sound: To ensure that my analysis is sound I will employ a test suite[1] to check my analysis for consequences I might not otherwise have considered. This test suite[1] will be based upon a definition of an IPR policy that would conform entirely to Open Principles. I will likely use that definition as a benchmark against which the various current IPR policies will be compared and contrasted.

(6) Seen by the reader to be novel, nonobvious, useful and sound. (Part of the purpose of drafting online is to expose my work to scrutiny early and often. Ideally, through this process element #6 will be satisfied)

[1] Academic Legal Writing: Law Review Articles, Student Notes, Seminar Papers, and Getting on Law Review by Eugene Volokh Professor of Law UCLA School of Law, Second Edition

[2] “Open Standards” is an ambiguous concept, therefore for the purposes of this paper I will need to define “Open Standards” precisely so that I can use that definition as a benchmark against which to compare and contrast current Identity Management IPR policies. (Scott Blackmer commented: “Bruce Perens of the Open Source Initiative offers one thoughtful definition (http://www.perens.com/OpenStandards/Definition.html), amplified recently by Lawrence Rosen (http://www.openstandardsalliance.org/dowloads/LRosen.pdf)”)

[3] Open Source Licensing, Software Freedom and Intellectual Property Law by Lawrence Rosen.

[4] I am indebted to Scott Blackmer for his guidance in arriving at this claim.