Category: Identity

You've probably read as many articles like this one from bankrate.com as I have:

Anything you wouldn't feel comfortable having someone pick up and read, you should shred, says Jerry Haas, vice president of sales and marketing for American Document Destruction Corp. in Tampa, Fla.

Criminals need very little information to steal your identity. With your Social Security number they can apply for credit cards, cellular phones, loans, bank accounts, apartments and utility accounts.

Garbages hold a plethora of information. Once your Social Security number or an account number hits the dumpster, your identity is floating among the refuse, just waiting to be stolen. Shredding is a minimal inconvenience and minor expense compared to its alternative — becoming an identity theft victim.

But James Governor, a leading member of the British Identerati, has brought our attention to a far simpler, cost-effective solution:

DON'T waste money on expensive paper shredders to avoid having your identity stolen. Simply place a few dog doo's in the bin bags along with your old bank statements.

Is there a digital equivalent for this piercing simplification and refactoring?

I'm not sure if this proposal originated on easypeasy.com, but it appears so since the site is full of good ideas. Here is a further example:

WORRIED that your teeth will be stained after a heavy night drinking red wine? Simply drink a bottle of white wine before going to bed to remove the stains.

[tags: Identity Theft, James Governor, easypeasy.com, Doggy Doo's, Shredding]

Eric Norlin is one of the people who really encouraged me when I started to blog. For some time he's been involved both with Ping Identity and Digital Identity World (DIDW). Today we learned that he has moved on from Ping and will be working primarily on DIDW. We get a sense for how his thinking is evolving from this post.

The conference industry has an “in” crowd. For years, that in-crowd was at PC Forum – Esther Dyson's high class, high bandwidth, high priced summit for the digerati. The first time I attended a PC Forum, I was a little star struck. The sheer power of people walking around was – well, a little initimidating (that all faded quickly, by the way).

Beyond PC Forum, you have some of the O'Reilly events (Foo Camp comes to mind) that cater to the in-crowd. And, exclusivity aside, a lot of these events do generate a tremendous amount of heat.

Web 2.0 is the new hot kid on the block. It takes place this week in San Francisco, but don't think about registering late – its “sold out.”

Phil and I have been speaking about the Web 2.0 meme for a while now, and we recently decided to attend this show (so, i'm leaving for it tomorrow). The funny thing is — not a lot of people see the connection between Web 2.0 and digital identity. So, I thought i'd ramble on a bit…

But first…
First things first: What exactly is this Web 2.0 meme?

If you'd like the long answer, Tim O'Reilly (one of the organizers) has attempted to give you one.

If, on the other hand, you'd like the Cliff Notes version – you're in luck.

Simply put, “Web 2.0” is the idea that the web is now the platform. In the development of computing we always think in “platforms” — Microsoft achieved its dominant position because it recognized the desktop as a platform, blew out the marketshare for that (the Windows Operating System), and proceeded to own the applications that sat on top of that platform (Office, Word, Excel, even Internet Explorer).

The organizers of Web 2.0 are theorizing that the web (not the desktop) is the new platform – on top of which applications are built. I tend to agree.

The Web as Platform
How much of your computing experience is now done on top of the web as platform? When I purchased a laptop for home use several months ago, my only considerations were the machine's ability to get online efficienty.

The web as platform is happening at the edges — chipping away at the desktop via things like Gmail or Yahoo mail. But its also happening at the center — Google provides the most widely used web-as-platform application on the planet.

From eBay to Amazon to Yahoo to Microsoft to Google to Salesforce.com to Oracle, all of the “big guys” are launching offerings into the “Web 2.0” space. Move past the big guys, and the universe explodes. Start-ups in this space are simply the hottest thing going. As has been pointed out in several sarcastic Venture Capitalist weblogs, selling *software* is sooooooo nineties. Selling a service on the web as a platform (via the Salesforce.com model) — now *that's* a company worth funding.

Why Digital ID World
Right about now you're saying, “interesting eric – but I don't really see why Digital ID World is going.”

Put aside the fact that one of the companies in the identity space is a sponsor there (Sxip), and what you'll find is a bunch of companies that are building applications (and sub-platforms) on the Web 2.0 meme — and they *all* are either touching digital identity or going to need digital identity.

You see, the simple answer really is simple: Just as the web services world has quickly discovered that they need identity to secure their services, so too will the Web 2.0 world quickly (i hope) discover that identity is at the core of what they're working on.

And when they discover that — really interesting things will happen and Digital ID World will be there to see them.

The Inevitability of Identity
The web, in any form, will not go forward simply as a network of anonymity. Digital Identity is here in many forms and coming faster every day.

For much of our history, Digital ID World has tried to convince the enterprise how it is that they need to view and use identity as a construct. However, any of you that were at our first conference know that we didn't start that way.

Back then in the foggy mists of time, Digital ID World spent a great deal of time talking about the dynamics of end-user identity (or Web 2.0 identity, or Identity 2.0 – take your pick). We never really abandoned that conversation – it has been present in every show since then; represented valiantly by folks like Doc Searls and Drummond Reed. But, as the identity marketplace has expanded, so too did we.

Finally, we are coming to a place where we can begin to connect all of those dots again. Finally, we see the “web 2.0” meme propagating in such a way that little working groups of identity are popping up — from the Berkman center to the Identity gang to Phil Windley's Internet Identity Workshop.

I'm proud to say that nearly all of these people are people that we've known over here at Digital ID World for (in most cases) years. And I'm pleased to report that a truly significant thing is occurring — the identity architects in the enterprise are beginning to mingle with the identity folks out in end-user land. This may not seem momentous, but it really is. Its momentous because we're finally seeing people struggling with how to present unified metaphors, experiences and technologies that do not chop the digital identity problem up into two primary slices: enterprise and end-user. Granted, this has been tried before (Novell's DigitalMe comes to mind), but for some reason, the winds seem to be blowing correctly this time.

So, why am I going to Web 2.0? Because I believe the technology stars are beginning to align; that the marketplace is beginning (beginning, I say) to catch up with the conversation; that maybe – just maybe – we're about to be able to pull together the strands of conversation from the very first Digital ID World with the strands of conversation from the last Digital ID World — and in doing so, we'll find our conversations to be bigger, more productive, and learning at a faster pace.

The web as platform is the next great movement for digital identity. While digital identity has started the long hard slog into the enterprise (a journey that will take the next several years), we've barely opened the door to identity's involvement in the web as platform. It can be seen in our problems (spam, phishing, id fraud). It can be seen in our past identity technology failures. And it can be seen in the excitement around the web as platform.

The technology described in this important piece from Government Technology is an attempt to unify that experience – in essence tying in with identity laws six and seven: human integration and consistent experience. While it is commendable to try to do something as quickly as possible, the technology proposed is subject to many kinds of attack as the criminal element adjusts to it. I'm not trying to make excellence an enemy of the good. I'm just saying that only a holistic and multi-layered approach such as that represented by the proposed identity metasystem can really respond to the threats so clearly articulated here in a way that lasts beyond a single campaign.

On Tuesday, Kentucky Secretary of State Trey Grayson announced a new effort to protect voters from fraudulent websites in anticipation of the largest election in Kentucky history with more than 4,000 races on the ballot.

Grayson was joined by New Mexico Secretary of State Rebecca Vigil-Giron. Kentucky and New Mexico will be the first states in the country to address fraudulent candidate websites.

The new service will be available, free-of-charge, to all candidates who file with the Office of the Secretary of State. The service utilizes technology developed by ElectionMall Technologies, Inc. The Election Security Seal Program provides an online environment in which viewers are assured they are dealing with the legitimate websites of candidates.

What it is:

• The “Election Security Seal Program” is a program designed to verify the authenticity of political websites and protect political candidates, officials, groups and consumers against scams and false information associated with fraudulent political Web sites, through the use of an encrypted digital seal.
• The program creates an official online “Registrar Directory” of legitimate political websites, including candidate sites, campaign sites, 527’s, political action group sites and other political organization sites. This registrar may then be used by the public to verify the authenticity of political websites.

How it works:

• The political candidate, official or group registers through his or her appropriate Secretary of State. In the registration form, the candidate is asked if he/she would like to have the SOS seal appear on his/her candidate website to certify and authenticate the site.
• The SOS office verifies the identity of the candidate/authenticity of the site.
• The candidate is listed in the official Registrar Directory.
• If the approved candidate/official wishes to add the SOS seal to their website, it will appear at the bottom of the site.
• When a visitor clicks on the seal, it will redirect them to a site for official authentication.
• The seal will have a scroll-over capability that will allow the visitor to see the certification.

“Protecting the integrity of Kentucky's elections is the highest priority for the Office of the Secretary of State and for the hundreds of local elections officials throughout the Commonwealth,” stated Secretary Grayson. “In the last few elections, political websites and online fundraising have proliferated, and so have concerns about fraudulent activity connected to such sites. Election administrators must protect citizens from fraudulent political websites, or we may run the risk of alienating potential voters.”

During the 2004 elections, 75 million Americans used the Internet to obtain political news and information, making the Internet and online campaigning a top focus and communications medium for politicians and political groups.

Secretary Grayson, the youngest Secretary of State in the country and current chairman of the National Association of Secretaries of State's Election's Committee, as well as the national chairman of the Republican Association of Secretaries of State, has encouraged other states to follow Kentucky's lead in this effort.

I recommend that identity geeks check out Election Security Seal Program White Paper. It contains quotes like these:

“During the 2004 campaign, thousands of voters who believed that they were participating in the political process were victims of fraudulent electronic mail and website solicitations.”

“Marc Elias, the chief counsel to John Kerry for President, testified that this kind of fraud is “the biggest threat the Internet poses to the political power of average Americans. If individual voices can be diminished by the concentration of economic power they can be silenced altogether when those individuals discover that their credit card information has been fraudulently captured, or that the contributions they thought they were making to a candidate went to someone else.” (Testimony before FEC hearing regarding Internet Communications on June 28, 2004).”

“According to a Pew Research Center Report, entitled The Internet and Campaign 2004, over four million people made on-line contributions to candidates during the 2004 election cycle. Many of these people were average Americans who became empowered by the Internet to engage in the political process. Unless security measures are taken to verify campaign websites, many other citizens will become victims of Internet fraud and will be less likely to engage in the political process in the future.”

We need to get more information on the technology being used. It would be doubly demoralizing if people who thought they were taking every reasonable precaution to ensure their protection were still, in fact, being duped.

[tags: Government Technology, Phishing, Government, Digital Identity]

I told you I would relay a couple of recent Government Technology articles. I'm sure you'll agree this is a great piece by Jim McKay, Justice Editor at the magazine.

Private data brokers play growing role in criminal investigations.

For the good of homeland security or other law enforcement use, would most Americans give their Social Security and driver's license numbers, among other personally identifying information, to the FBI or other law enforcement agencies?

The fact is, Americans release such information daily, whether they mean to or not. Send a package via FedEx and it usually gets there on time. End of story, right? Wrong.

S I D E B A R FedEx on the Frontline In response to 9/11 and requests for help from the U.S. government, FedEx Inc. granted federal government officials, including the Department of Homeland Security (DHS) and customs inspectors, access to its international databases. FedEx has elaborate computer systems that contain information about its customers and their shipping habits, and that information could help authorities in the war on terror, according to a May report in the Wall Street Journal. The databases contain the names and addresses of shippers, as well as starting points and destinations of packages. Collected data also includes credit card information and other payment details, which the government is not entitled to unless involved in a criminal investigation. The access to FedEx information allows federal agents to cross-reference FedEx data with data the government has. In return for their goodwill, FedEx and other companies want access to the government's secret terrorist watch list. FedEx encourages its 250,00 employees to keep an eye out for suspicious dealings, and says access to the watch list could be a boon for public safety. It would also help companies screen potential employees. FedEx is currently developing a system by which reports of suspicious activities would be sent to the DHS via computers.

S I D E B A R Collected Data Personally identifying information includes a host of data linked to one person, such as company or organization affiliations; title; license plate number; make, model and year of vehicle; e-mail address; home address; phone number; birth date; income; Social Security number; account numbers; mother's maiden name; and driver's license number.

S I D E B A R Driver Info Use Prohibited A 2002 Iowa Supreme Court ruling put a halt to the practice by LocatePLUS — doing business as Worldwide Information Inc. — of gathering driver information from state agencies and reformatting it electronically for use by law enforcement agencies and other entities. The court ruled that under the Driver's Privacy Protection Act, the state Department of Transportation was prohibited from disclosing driver information to a company for resale. Worldwide Information Inc. was formatting data from state motor vehicle records on computer disks, allowing a quick search for information on a driver. Searches could be conducted by name; address; date of birth; license plate number; partial license identification number; and color, model or year of vehicle.

FedEx keeps people's personally identifying information in a database and makes it available to the FBI for homeland security purposes.

Furthermore, a growing number of data aggregators — otherwise known as data brokers — collect citizens’ personally identifying information and sell it for profit. Among the organizations buying this information are law enforcement agencies, which increasingly turn to the private sector for help with improving intelligence and aiding criminal investigations.

Collect and Sell
The practice of aggregating and selling data gained notice recently when data broker ChoicePoint acknowledged that crooks had duped the company out of the personal data of nearly 145,000 people. ChoicePoint is not the only victim of this type of scam, and not the only company to lose private citizens’ information. Those who want to see changes in the way personally identifiable information is bandied about contend it's too easy for this information to fall into the wrong hands.

“Thirty years ago, we were concerned about the big, bad federal government and what it was doing,” said Lee Strickland, director of the Center for Information Policy at the University of Maryland and former Central Intelligence Agency analyst. “Now it's really the commercial entities, and not just the data aggregators, but any company.”

Data aggregators such as ChoicePoint, LocatePLUS and Seisint — which was acquired in 2004 by LexisNexis — collect information from a multitude of public and private source, and assemble dossiers on many, if not most, Americans. Then they sell that information to government agencies, such as 50 different Massachusetts police departments and the Florida Department of Law Enforcement (FDLE), which use it for everyday law enforcement investigations.

Public-Sector Systems
Florida uses a software application called the Factual Analysis Criminal Threat Solution (FACTS), which is the same software system used by the defunct Multistate Anti-Terrorism Information Exchange (MATRIX) that once linked several states to data about possible terrorists. The MATRIX, which included a central database where states deposited data, was created after 9/11 to thwart potential terrorist attacks. Federal funding for the MATRIX was halted in April, mostly because of privacy concerns.

The MATRIX database is gone, but the FACTS software continues to run — and Florida, Ohio, Pennsylvania and Connecticut take advantage of its commercial data-gathering capabilities. The system accesses multiple commercial databases when queried about specific data. Law enforcement officials say it's foolish not to take advantage of all the data available to them, whether it comes from commercial databases or not.

Mark Zadra, the FDLE agent in charge of FACTS, said the system simply provides law enforcement with information that's already available to the public, only more quickly. The exceptions are criminal history records and driver's license photos, both of which law enforcement is entitled to anyway. Law enforcement also has access to Social Security numbers through drivers’ licenses.

What they don't have, according to Zadra, is credit information. Law enforcement can get “credit headers” from credit bureaus to obtain recent addresses, but that information is limited to name, address, date of birth and Social Security number. Zadra said he doesn't have access to information about what people are buying or what naughty movies they're renting.

The key advantage to using commercial databases is time. It would take days or weeks to gather data on an individual without this access, whereas law enforcement can now get data in real time.

“The information we make available to law enforcement is what we call public filing or public domain,” said ChoicePoint Vice President Jim Zimbardi. “The dilemma [for law enforcement] is the time and effort needed to go get it.”

Narrow It Down
The FACTS system doesn't tell law enforcement where to go or who to arrest, nor does it monitor or track people, Zadra said. “It's an application loaded onto my computer. It's query based. It doesn't run at night and say, ‘Here's the top 10 terrorists in Florida’ when I come in in the morning.”

For instance, Zadra said, if a child was abducted in a white van and somebody saw that it had a Florida tag with the number seven in it, and it was driven by a middle-aged white man, the system could narrow the search to white males who are registered sex offenders, and drive white vans licensed in Florida. It would take minutes rather than days, which could mean life or death for the child.

“Does that mean I can serve a search warrant or make an arrest? Absolutely not,” Zadra said. “But it can tell me I need to find these people to possibly eliminate them quickly and begin focusing on the right people.”

Solving crimes still comes down to good police work, Zadra said. “Investigators and analysts solve crimes. The system doesn't solve crimes. It's a tool. It produces investigative leads. We go through the same time-honored investigative techniques we always did. I'm a citizen and a law enforcement officer. The truth is, I don't know what the problem is with law enforcement having that data.”

What About Privacy?
Privacy advocates, including Carol Rose, executive director of the Massachusetts American Civil Liberties Union, do have a problem with law enforcement's access to personally identifying information.

“When we have the government outsourcing data aggregation to other companies, the question is, do the restrictions that apply to the government apply to the companies as well? And of course, the answer is, only if we know what information the government is accessing,” Rose said.

Under the federal Privacy Act, said Rose, citizens have the right to make sure data held by the government is correct. It's unclear, however, whether data accessed by government officials from commercial databases is covered under the act.

Privacy concerns surround financial and health information, and some wonder whether data aggregators collect such information. “They can say they don't have that, but we don't know,” Rose said. “A lot of them say they collect everything.”

Although law enforcement says all that information is available to them anyway, Rose insists, “We don't know that, because for the most part, the data aggregators keep that proprietary. We don't know what processes private companies are using because they don't have the same restrictions as government does.”

James Lee, ChoicePoint's chief marketing officer, said the company does sometimes provide credit reports to government agencies, but that they are truncated reports, meaning they don't have account numbers. “They don't have the information you need to see what a person does with their finances,” he said. “They don't have mortgage or buying information. Our information is nonfinancial.”

A law enforcement agency could get its hands on that information, and since privacy restrictions don't appear to apply to government's use of commercial data, this creates the possibility of abuse, Rose said. She called this an end run around the First and Fourth amendments.

Rose said law enforcement is free to use that data for whatever it wants, even personal exploits. “When [law enforcement] can do it in their official capacity and for free, the potential for abuse becomes greater and there don't appear to be any restrictions on the information the government can access, on who gets the information and on what they can do with it,” Rose said.

Zadra has a different view.

“If I could monitor everywhere you went by your expenditures, I could understand [the concern],” he said. “But we don't have access to that information.”

A Secure Situation
Perhaps a larger problem is the data's security in the hands of the data brokers. When ChoicePoint was duped, it put nearly 145,000 people at risk of identity fraud. That incident, and others like it, stimulated interest in legislation to restrict data aggregators.

Some states — including California, Washington, Arkansas, Georgia, Montana and North Dakota — already have laws that penalize companies for failing to alert customers that their personal or financial information has been lost or stolen. Indiana just passed legislation that would alert residents if their Social Security numbers had been divulged, and legislation in Florida, if signed by the governor, would impose a $1,000 fine for each day of the first month that a company fails to disclose a data breach. For each month thereafter, the company would pay a $50,000 fine.

At the federal level, legislation proposed by U.S. Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would restrict the sale or publication of Social Security numbers and prohibit businesses from requiring Social Security numbers except in a few circumstances.

For its part, ChoicePoint says it now takes unprecedented steps to protect its databases. The company recently created an independent Credentialing, Compliance and Privacy office, and hired Carol DiBattiste as its chief officer. DiBattiste is a former prosecutor, former undersecretary of the Air Force, and most recently worked for the Department of Homeland Security on transportation security.

She said the information ChoicePoint provides to law enforcement agencies lets them link one bad person to another and could help uncover a terrorist group. That said, the company does restrict who has access to personally identifiable information and how they will get it.

ChoicePoint limited its business to customers that fall into just three categories, where the potential buyer's product must either: support consumer-driven transactions, such as insurance, banking and mortgage lending; be used for fraud detection or as an authentication tool for insurance, banking or mortgage lending entities; or be used by law enforcement.

ChoicePoint now authenticates the customer with a personal visit, something that wasn't done before. “That's one procedure to help tighten the credentialing procedure,” DiBattiste said. “We will use many sources to verify customer authenticity, to verify they are who they say they are. We've also tightened our user ID and password protections.”

The company hired consultants to help DiBattiste develop a best practices study. “At the end of the day, they'll help me do the framework for my compliance program, which I'll be instituting corporatewide,” she said.

That probably won't be enough to stave off federal legislation protecting personal data, which Strickland said is due.

“This is very valuable information that could contribute significantly to homeland security, and we would be foolish not to take advantage of it,” Strickland said. “At the same time, we have to have policies in place to make certain we don't become a surveillance state or a police state.”

Strickland said the Privacy Act, which developed a framework in 1974 for the control of personal information held by the federal government following Watergate and other FBI excesses, might be out of date and not applicable under some of these circumstances.

“If the government receives this information, it becomes subject to the Privacy Act,” Strickland said. “That's my view as a lawyer, but you have people making arguments, for one reason or another, that it doesn't.” He said the courts have generally upheld those arguments and that as long as the company in question is not a credit bureau, it can virtually take over ownership of personal data.

“Really, the problem is that the courts are inclined to recognize that your information, once it gets into the hands of a private company, is no longer your information. It's their information,” Strickland said. “It's absolutely necessary that we get a law in place that provides people with the basic rights of notice, access and opportunity to challenge and correct — redress in other words. The most fundamental question is notice. The public needs to have notice.”

Past, Present, Future
It's important to develop privacy policies, Strickland said, so the country can move forward with programs that protect the safety of Americans, like the defunct Total Information Awareness, a system developed by the Defense Advanced Research Projects Agency after 9/11 that linked to databases of public and private information throughout the country for intelligence purposes.

The Computer Assisted Passenger Pre-Screening System (CAPPS II) was an airline security system that was grounded by privacy concerns. Secure Flight, another screening system introduced last summer by the Transportation Security Administration, is also being delayed because of privacy concerns.

“All of these ideas were inherently good in the sense that they had the potential to enhance homeland security, but nobody gave enough thought to privacy so it became a political issue,” Strickland said. “We've got a totally dysfunctional system because we didn't get CAPPS II and Secure Flight is being delayed. It's almost as if government is shooting itself in the foot by not being more aggressive on the privacy issue.”

[tags: Government Technology, Nick Mudge, Identity Theft, Digital Identity]

I have come across so many interesting blogs recently that I haven't been able to stop reading them long enough to write about them. I guess I'm in input mode.

One example is Nick Mudges Technology and Government Weblog. It's irresistable. Who is Nick Mudge? He says, “I am a news editor for Government Technology. I primarily find and edit GT news, which is the news that appears on the homepage of Govtech, and goes out in the Government Technology Executive Newsletter (GTEN).”

Nick is very up close and up front. Amongst other things, he tackles the role of government bloggers and communication strategy. He makes it clear that this is all still in its infancy. (Check out this rather thin registry of government-related blogs. The exception seems to be the City of Eden Prairie in Minnesota, where everyone blogs! Can anyone explain why?)

Nick's magazine, Government Technology, is now on my must-read list. I will relay a couple of articles to help get you hooked. Besides reporting on government technology initiatives, it gives us a fascinating look behind the scenes. The writing is great, and there is real investigative reporting by writers who, like Nick, are well informed about technology and its implications.

I like reading about the nitty gritty aspects of eGovernment – check out this Digital Communities section, which includes insider perspective on how people in government are looking at digital issues like municipal wi-fi.

Nick Mudge is clearly interested in identity issues. In one piece, where he is really talking about how bloggers affect perception, he says:

Personally, I started liking Microsoft a lot more after I found and started reading Robert Scoble's blog and Kim Cameron's blog. (Kim Cameron, Microsoft's identity architect.)

As long as Kim is in control of how identity systems are developed, deployed and managed, I'll be okay with what Microsoft wants to do with identity. I got that confidence through reading Kim's blog. If you don't trust Microsoft with identity, go read Kim's blog for awhile. Send me an email about what you think afterwards.

This is an amazing example of how blogging changes things. Because of my blog, Nick understands what I'm doing, what I'm thinking, and what motivates me. Having followed my blog for a while, he has connected with the network of ideas that guide my work. The trust that has developed is based on an ongoing intellectual relationship – even though we have never met or corresponded.

And guess what? I'm going to understand a lot more about eGovernment and digital governance by having discovered Nick's site.

[tags: Government Technology, Nick Mudge, Blogging, Digital Identity]

Here's an article by Robert McMillan (of IDG News Service) that appeared recently on InfoWorld. He caught me speaking to an audience of entrepreneurs and venture capitalists at the recent DataCenter Ventures 2005 Conference in Redwood City.

I participated in the conference to try and get attendees interested in building and funding software and devices whose behavior reflects identity. I was also arguing that InfoCards, as a cross-platform phenomenon providing a consistent interface to multiple underlying identity systems, finally made this plausible.

Hoping to learn from the lessons of its unsuccessful Passport initiative, Microsoft is taking a more open tack in developing its new InfoCard identity management platform, a company executive said Tuesday.

Like Passport, InfoCard, is designed to make it easier for users to surf the Web by keeping track of their user names and passwords as they move from site to site. Unlike Passport, however, InfoCard is being designed to work on client and server software that was not developed by Microsoft.

The presentation didn't deal with the fact that InfoCards uses advanced cryptography rather than passwords, so Robert can't be faulted for this assumption.

Since the beta version of InfoCard was released in May, Microsoft has been working with developers of the Firefox and Opera browsers, as well as organizations like the Apache Software Foundation and Apple Computer, said Kim Cameron, Microsoft's chief architect of identity and access, speaking at the DataCenter Ventures 2005 conference in Redwood City, California.

“These aren't your typical Microsoft customers,” he said. “The main thing is, we need a solution that works on Linux boxes as much as it works on Microsoft boxes.”

Though the Passport identity management system now processes about 1 billion authentication requests per day, making it too popular to rightly be called a failure, the service has never gained popularity outside of Microsoft's own Web properties, Cameron said.

I argued that Passport is one of the most widely used authentication service on the Web – and its success in different roles has been determined by the Third Law of Identity:

“When it comes to identity, people want to understand why the parties to any interaction are there,” he said. “It makes sense for people to use passport, run by Microsoft… to access Microsoft properties. It didn't make sense for users to use Passport to access eBay.”

Likewise, Europeans were uncomfortable with the fact that Passport data was stored on servers in Redmond, Washington, he said.

InfoCard seeks to get around this problem by operating in what Cameron calls a “polycentric,” and “polymorphic” fashion, meaning that the software will run on different operating systems, and the data will be stored in places that make sense to the user.

After its release, Passport was blasted by privacy advocates, including the Electronic Privacy Information Center, which argued that Microsoft was not taking adequate steps to protect and give users control of their data.

At the time, Microsoft disputed these concerns, but the company now needs to welcome them, Cameron said.

“We need to invite the people who used to be called privacy extremists into our hearts because they have a lot of wisdom,” Cameron said. “This (is) not the son of Passport”

Microsoft's goal is to make it easier to create “identity-aware software,” while at the same time respecting the users privacy concerns, he said.

Privacy will become an even more important issue as the implications of wireless networking become better understood, the Microsoft executive said.

At a recent security conference pranksters tracked a Bluetooth device that Cameron was using to offer attendees a real-time map of his progress through the convention center, a light-hearted hack that underlined a more serious point.

That same kind of technology could be used to build more intelligent, bombs, Cameron said. “Nobody has thought through the privacy threats that this involved,” he said. “Now I can build a device that explodes when a specific person is in the vicinity.”

With the quality of online attacks improving, and consumer confidence already somewhat shaken by recent security scares, technology vendors like Microsoft are more pressed than ever to develop a reliable, widely used identity system for the Internet, he said. “We have to put on our tinfoil hats; we have to think through these technologies; we have to fix them.”

In a piece by Mike Shaver which I relayed here, he referred to an article in Network World by John Fontana. John is always in front of the curve – recently I came across his article on InfoCards from the 2003 PDC with great quotes from Ray Ozzie. I'm going to find that piece and quote exerpts so you can see how clearly he got what we were trying to do even back then.

Meanwhile, here's the InfoCard piece John wrote this week:

‘Looking to ease the way customers manage their digital identities, Microsoft has begun working to integrate its InfoCard authentication technology with Internet Explorer and is in discussions with the Firefox and Safari browser developers to have them include the technology on their platforms.

‘According to Microsoft officials, InfoCard integration could show up in Internet Explorer 7.0 even though InfoCard is currently not on the feature list. The goal is to improve security and privacy on the Internet using the InfoCard model, which puts users in control of their personal identity information and would eliminate the need for user names and passwords to sign into a Web site.

‘”We are still working on if there is enough time to get this done” for Internet Explorer 7, says Michael Stephenson, Microsoft's group product manager for Windows Server. “We expect many different applications, smart apps, Web apps and browsers, to use InfoCard. Our own browser will take advantage of it.”

‘In addition, Microsoft is hoping others will adopt its InfoCard model on the Web to help improve security and privacy with a common identity layer.

‘”We are having concrete discussions with Firefox and others about specific mechanisms that would communicate between a Web site and the browser so we can enable credential selection such as InfoCard,” says John Shewchuk, CTO of distributed systems for Microsoft. “If we do this right, all browser vendors could provide a common mechanism for identity.”

‘Experts say that would improve security on the Internet.

‘”Adoption of a common user-friendly metaphor for identity can only help,” says Daniel Blum, an analyst with Burton Group.

‘In June, Microsoft unveiled its identity metasystem, which includes user-centric privacy controls in the form of InfoCard, a middleware technology called Windows Communication Foundation, Active Directory and a slate of Web services-based protocols led by WS-Trust that Microsoft and IBM have been developing.

‘WS-Trust is key for creating Security Token Service (STS), lightweight gateways for servers and clients that negotiate the exchange of security tokens, such as Kerberos or the Security Assertion Markup Language (SAML). IBM supports the technology in its federation server, and Ping Identity has an open source implementation of WS-Trust.

‘In the browser model, Web sites would need to run an STS in order to signal browser users to provide their InfoCard identity credentials.

‘”If there is useful information from the InfoCard work that doesn't necessarily require InfoCard technology and makes browsers more secure then we would like to see that happen,” says Scott Cantor, who works on the Internet2’s Shibboleth identity project and the SAML technical committee at the Organization for the Advancement of Structured Information Standards (OASIS). He also is the author of OpenSAML and the security architect at Ohio State University.

‘Another key to recruiting partners is standardization of WS-Trust. Microsoft's Stephenson says the company and partner IBM are finalizing the language on a charter to get WS-Trust, WS-SecurityPolicy and WS-SecureConversation submitted this month to OASIS for standardization.’

[tags: Identity, Mozilla, John Fontana, Identity Metasystem ]

Readers may be interested in this posting by Mike Shaver, the architect working on technology strategy issues that are of significant interest to the Mozilla community and products – including Firefox:

I ran across this article this morning, about how Microsoft is reaching out to other browsers like Firefox and Safari to encourage adoption of InfoCard technologies. The article is certainly true as written, and I’ve written before about some of my involvement in those discussions, but I would like to caution people against reading into it that we have made or announced concrete plans to support InfoCard as a piece of the Firefox platform.

I think that support for rich and user-empowering identity infrastructure is an important element of the future growth of both the web and Firefox, and I think — perhaps somewhat more controversially — that InfoCard’s principles and protocols are a pretty strong basis for that infrastructure, but there’s a big gap between those beliefs and an item in the committed Firefox roadmap.

For better or for worse, my still-forming opinions about technologies do not Mozilla technology policy make.

Mike was clear from the first day I met him that there is a whole process to go through here – first of investigation and consultation, then of considering the alternatives and figuring out what is best for his community, and finally of making a decision and winning consensus. Mozilla – and all of us in the industry – are very lucky to have him around. I wish each of us, in pushing identity forward, could just snap our fingers – and everything would just fall into place. But the world demands more of us and then gives us more in return.

[tags: Identity, Mozilla, Mike Shaver, Identity Metasystem ]

I got a note recently from Paul Sweeney, who sent me to a digital rights landscape mindmap that is worth pondering. He also pointed us to this macabre report from the BBC via the very cool out-law.com (I hadn't seen it before) via the register:

Revenue and Customs has apologised to customers of investment bank UBS Laing and Cruickshank after losing sensitive account information. The Revenue lost a computer disc, sent by the bank, which contained address and account details of UBS's Personal Equity Plan (Pep) investors.

The Revenue is investigating how the disc went missing from its offices.

The bank has offered to change the account details of customers whose personal information was on the disc.

Worried customers

UBS said the CD Rom was sent in late April at the request of the Revenue.

Customer information on the data disc included addresses, dates of birth, national insurance numbers, UBS account numbers and the value of their Peps.

Last week, UBS Laing and Cruickshank wrote to its customers telling them of the loss.

A UBS spokesman told BBC News that worried customers who wanted to change their account numbers would be allowed to do so.

It is not clear how many UBS customers had their account details on the CD Rom.

However, a spokesman for the bank told BBC News that it was only a “small percentage” of investors.

In a statement, the Revenue apologised for losing the disc, which it said had been “mislaid within a local office”.

“Following exhaustive searches, we contacted UBS Wealth Management to apologise,” it added.

“This is a one off incident in a single office which receives thousands of pieces of post per week. We are urgently reviewing our procedures to make sure this does not happen “

Another recent register link people may find interesting is this story on onion routing and associated technologies.

[tags: Identity Theft, Privacy Threat Analysis, Identity]

After a whole lot of development effort, we finally have a resource kit available which allows you to build and experiment with most aspects of the InfoCard world – identity provider, identity selector and relying party. I think everyone, including those whose primary interest is in developing compatible components on other platforms, will find this version of the software very helpful. This is still not the final look – we are still learning from and responding to usability studies, and adjusting “the glass”. Further, we can't claim that we won't have to tweak the protocols slightly if we need to fix problems. But there's enough here that you see exactly what is possible – and most important, how simple it is.

Here's the view from Andy's InfoCard Blog.

What a great week, last week! I met many of you at PDC, discussing InfoCard and the Identity Metasystem. I learned plenty from you, understanding the scenarios, your customers’ requirements, or discussing how other technologies could use “InfoCard”. Thank you!

As I promised at the PDC, we'll make the resource kit available to the public this week. This resource kits contains a document and samples, describing step-by-step instructions on how to build “Indigo” (WCF) applications/services that use “InfoCard”. In addition, it also includes Security Token Services (STS) samples that you can customize. Now, you could build an end-to-end scenario, and play the role of Identity Provider, or Relying Party or both.

As the name indicates, this release only works with WinFX Sept 2005 CTP and VS 2005 Extensions for Sept 2005 CTP. Please install in the followin order:

• If you'd like to use the STS samples, please install IIS prior to installing WinFX Sept 2005 CTP.
• Then install WinFX Sept 2005 CTP
• Next install Visual Studio Extensions for Sept 2005 CTP
• WinFX and VS 2005 are installed, please download the resource kit

Since you'll be using pre-release versions, I recommend using a test machine.

Enjoy, and I'm looking forward to hearing your feedback!

If you have problems or comments on your experiences trying out the resource kit, Andy has comments enabled on his site and wants to use these to help guide everyone through the process of understanding the technology.

[tags: InfoCards, Digital Identity, Identity Metasystem, Download]