All's well that ends well…

Caspar Bowden just sent me a bad news / good news missive which I'd like to share with all of you.

First, the bad news.

We've all missed the 10th International Conference on User Modeling (UM’05) in Edinburgh, UK, which, according to Caspar, was fantastic. The conference was intended for researchers and practitioners both in the domain of personalization systems and in the area of privacy and security:

Personalizing people's interaction with computer systems entails gathering considerable amounts of data about them. As numerous recent surveys have consistently demonstrated, computer users are very concerned about their privacy. Moreover, the collection of personal data is also subject to legal regulations in many countries and states. Such regulations impact a number of frequently employed personalization methods. This workshop will explore the potential of research on “privacy-enhanced personalization,” which aims at reconciling the goals and methods of user modeling and personalization with privacy constraints imposed by individual preferences, conventions and laws.

And now the good news.

The proceedings are available online.

Caspar “recommended” Privacy, Shilling, and The Value of Information in Recommender Systems by Shyong K Lam and John Riedl (page 85).

I don't know if I agree with him, because as I was trying to skip forward to page 85, I fell deeply into Perceived Control: Scales for Privacy in Ubiquitous Computing by Sarah Spiekermann on page 3. You don't see enough empirical verification – so I find this kind of study fascinating. And there are a lot of other really good papers here.

It's gonna be so cool…

Seems like an amazing 10,000 people have now looked at Scoble's Channel 9 Interview with me on Identity. I say amazing because we at identityblog.com pride ourselves on being, after all, the hair on the end of the long long tail…

In comments to this piece about the interview, Alex Krupp really came down hard on Greg Hughes' assertion that he is trying “…to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.” He says,

This is the exact reason why bank security is so bad, because instead of focusing on securing the transaction they are focusing on securing the person who makes the transaction, which is impossible.

All you need to know is that the person who put the money in is taking it out for savings, and their name/company for checking. If they are worried about personal information being stolen then the battle is already lost, because they shouldn't need personal information to begin with.

It's true that once everyone has nice strong keys associated with their accounts, a lot of things get a lot easier. And I look to InfoCards as a way to finally get “nice strong keys” into the hands of customers.

But I don't think this makes the problem of protection of personal information go away. Bank databases contain vast amounts of sensitive personal information already. In fact I look at all of my banking data as sensitive personal data. As the banks make services more accessible through the Internet, I think it is both commendable and necessary for people like Greg to think very hard about how to protect the associated personal information – and isolate the people who are going after it.

Anyway, later, Alex comes back to add:

I watched the entire video, very interesting stuff. I will have to check out Solove's book.

I think your example of going into Starbucks and having the option to broadcast pieces of identity is very good. Personally though, I think the cellphone is a poor medium for this. Cell batteries drain fast because of their phone use, it is large and bulky, and it is very insecure because it has to be able to take calls, install games and ringtones, browse the web, use Bluetooth, etc. If you put your identity on a normal cellphone it would be a suboptimal experience, especially if hacked.

Instead imagine this: a ‘presence pen’ that gives you a digital identity in the physical world. It has the form factor of a pen and can broadcast selected bits of identity to who you tell it. You set these options on your computer before you leave your house. It can fit in a shirt pocket, and the battery lasts for 2+ weeks since it only needs to use Bluetooth. You can't message friends on it, but you can toggle through preset away messages and send presence pokes to your friends. Sell it for 50 bucks, and for an extra 25 you can get built-in GPS. A one-line LCD displays all necessary data and you can toggle everything through two or three buttons.

Just an idea I've been working on. 🙂

In another comment, Tom Gordon says,

I had a quiet giggle at Robert's [Scobles…] totally irony-free comment, ‘I want to be able to store my personal details on Windows where I know it's secure’ 🙂

Overall I enjoyed the interview (and yes, I did watch all of it).

I had some thoughts about transience of identity information as well – it's all well and good if we have strong personal identity providers, but what if we want to move? Does the old provider retain data (on backup tapes, in archives, by legislative requirement) or should we be claiming the right not only to strong personal identity, but strong control over who is allowed to store, record and *keep* our personal data?

Personally I'd be eminently happy if my own personal identity provider's systems crashed and they couldn't restore my information – it means I still have control over what is stored about me…

The same goes for being able to choose my own personal identity provider, and I'd like to be able to share a secret with organisations where we both trust that a particular provider knows who I am, so I can authenticate myself with my chosen identity provider, and the company I'm dealing with takes it on trust that I am who I am, because my identity provider asserts I am who I am, rather than me doing it directly.

Which lets me do business without giving over any personal information at all. I posted these thoughts in slightly expanded form here.

I'm sitting on the edge of my seat, waiting to see the cool things people are going to build into InfoCards.

Identity Woman Superevent in San Francisco

Identity Woman has put together an identity superevent in San Francisco – the July Planetwork Focus on Digital Identity Tools.

Thursday, July 28th, doors at 6, program at 7
CIIS, Namaste Hall, 3rd Floor
1453 Mission St., San Francisco (2 blocks from Civic Center BART)

In addition to Identity Woman Kaliya, you will meet:

Light Weight Identity – LID
Johannes Ernst, NetMesh Inc.
Light-Weight Identity(tm) – LID(tm) – a new and very simple digital identity protocol that puts users in control of their own digital identities, without reliance on a centralized party and without approval from an “identity provider”.

OpenID
Brad Fitzpatrick, Six Apart, Ltd.
OpenID, a decentralized identity system, but one that’s actually decentralized and doesn’t entirely crumble if one company turns evil or goes out of business. An OpenID identity is just a URL.

Sun Single Sign On
Pat Patterson, Sun Microsystems
Sun is announcing the intention to open source web single sign-on. This project, called Open Web Single Sign-On, or OpenSSO, gives developers access to the source code to these basic identity services and allows them to focus on innovations that solve more urgent problems, such as securely connecting partner networks, ensuring user privacy, and proving compliance.

Opinity, Inc
Ted Cho
Opinity provides open reputation for end users. It is a young start up offering free online reputation management related services so that individuals can authenticate, aggregate, and mobilize their website (eBay, Amazon, etc.) reputations. Opinity also offers reputation management tools so that individuals can monitor, build, and work to enhance their own reputation going forward. Individuals can also review other individuals at the Opinity website.

Born to be paranoid…

It's cool to see the posting by Greg Hughes at Lockergnome, who one can tell has paid his dues as a security professional, about my Channel 9 video. He actually seems to have gotten through all 55 minutes.

Over on Microsoft’s Channel 9, Scoble’s posted a new video of Kim Cameron, who has a weblog called the Identity Blog. He discusses identity and trust, and what it will take to build a single-experience trusted system for common identification. It’s an interesting conversation. I’ve read his weblog for a while now, so it’s good to see him speak about this.

“Identity is like the Hotel California of Technology – you can come but you can never leave. We have a lot of work to do.”

This is a topic that is near and dear to my professional heart. Identity protection and theft is something I deal with every day. It's complicated. It's not easy. It's a goose chase at times. There are almost no standards. But it's of great importance right now. The people I manage and work with are super-talented and are building a couple terrific pieces of security software right now, software intended to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.

Where I work, we are charged with protecting the identities and assets of people who are doing critical financial transactions with their banks and credit unions. To us, this stuff matters – it matters a lot. And it should matter to anyone that's doing business on the ‘net and everyone who writes software used to do business on the ‘Net.

“It's impossible to be too paranoid about this… We have to be paranoid.”

The video is about 55 minutes, and it's worth the time for people who are concerned (or who should be concerned) about the topic. You'll need to get about two-thirds of the way through it until you get to Cameron's “Laws of Identity,” which are akin to pure gold in their simplicity. Go watch.

Isn't it great to think of people like Greg building systems like the one he describes in accordance with the Laws of Identity?

Several ways to Sxip

Craig Burton and Marc Canter have a heated exchange going over SXIP's introduction of a hardware “identity appliance”.

Craig put it this way in a piece called Sxip the Insanity:

For starters — sorry Dick — I think it is insane to go into the hardware business. Who wants to buy a Sxip-branded rack mount?

Marc Canter, a big supporter of SXIP technology, responded using the real-world example of his friends at Marqui and the problems they had with their Salesforce application.

With all their bells and whistles, Salesforce doesn't provide secure reliable provisioning and access control. So if someone leaves your company, they can still get onto the system. Or if you've turned off their account, it's still really there, or the system just ain't secure enough! Whatever the problem is – it can be fatal.

So Sxip figured that their system would a) be a great helper app for Salesforce while b) showing off the power of Sxip.

As a Sxip developer and supporter this is really important.

At the same time – they probably also found out that the cost of incorporating identity security into a system is HUGE and it's STILL not that reliable. So why not offer the whole security layer as a hosted service – or even better – a box.

Spend all your time on mapping the two ID systems together – and rest assured that no matter what – the Sxip side of the equation is secure and stable.

Brilliant! – if I say so myself.

Back at the Burton blog, Craig is far from convinced:

He [Marc…] basically says that Sxip's support of Salesforce.com is best served by a hardware appliance. He actually calls it “brilliant.”

Poppycock.

I can't imagine how a customer is best served by a software identity infrastructure vendor (Sxip) by being a supplier of hardware. The only way for Sxip to make it work is to charge the customer for more than it is worth. All Sxip is doing is loading software to someone else's box with their name on it. What customer wants to pay Sxip employees for loading software? It simply makes no sense. Dick, rethink this.

What Sxip should be providing is a solution that will simply and easily load and run on anybody's box. When it comes to commodities — rack mount boxes — customer freedom of choice rules.

I ran into a number of people after the “User-centric Identity Day” at Catalyst who were confused by the hardware announcement and ended up thinking SXIP requires specialized hardware.

So let's clear that up at least for everyone who reads this blog: the Sxip Access appliance is only one Sxip option among several. You can implement Sxip in software-only form. Or you can have Sxip Networks host it for you. I think the experimentation with different delivery mechanisms stems from the fact that Dick Hardt cares and thinks about the “long tail” of identity – how sites with few IT resources can become identity enabled.

By the way, for those who don't know Craig Burton's background, he is the man who convinced Novell to stop tying their network operating system to a bizarre, proprietary network appliance known as a Novell server. And indeed, cutting the ties with proprietary hardware – previously the essence of the network product – opened a whole new world of opportunities for Novell. So in the appliance market, as in many others, Craig's is a voice to be reckoned with.

It's a really interesting discussion.

Phil Windley's Catalyst

I'm just back from Catalyst, the yearly Burton Group Conference with a strong Identity theme. My hallway conversations left me with the impression that everyone who attended the Identity and Privacy strategies track thought it was a great success this year. I popped in to see what Anne Thomas Manes was up to in the Application Platform Strategies track as well. I think the Burton Group's work on integrating the worlds of application and identity strategy is tremendously useful and important. Hats off to all involved! Burton is doing a European conference in the fall, as described here.

Meanwhile, Phil Windley was blogging up a storm, and becoming more droll by the minute. How do you like this little report:

Scott Blackmer, speaking at Catalyst, just referred to something he saw on the Net about how it’s amazing that we can track the calves of a cow born in Canada right to their pens in Washington state, but we can’t track 11 million illegal aliens. The suggestion is that we give each illegal alien a cow.

Of course I'm an alien, so I don't think this is very funny, eh? But I'll take my cow anyway.

Then there was this tale from the crypt:

Jarrod Jasper of GM just told the story about an employee phone that was not deprovisioned when the employee left. The former employee decided to run a 900 number service through the phone. That one phone cost GM $50,000 per month—for 18 months—before it was shut down. Whoa!
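The GM phone story, like Marc Canter's complaint above that a departed Salesforce user "can still get onto the system", is the same failure mode: an entitlement that outlives its owner. The control that catches it is a periodic reconciliation of the HR roster against every inventory of provisioned accounts (phone lines, SaaS logins, VPN certificates), flagging anything still active whose owner has left or was never recorded. The program below is an added illustration of that reconciliation, not code from Phil's post, from GM or from Sxip; every name, date, phone number and account identifier in it is constructed sample data, and the field layout of the roster and account records is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Employee is one row of the HR roster. Left stays nil while the person is employed.
type Employee struct {
	ID   string
	Name string
	Left *time.Time // termination date (assumed field; constructed data below)
}

// Account is one provisioned entitlement: a phone line, a SaaS login, and so on.
type Account struct {
	ID     string // phone number, username, etc.
	System string // which inventory it came from
	Owner  string // employee ID; empty when the account was never tied to a person
	Active bool
}

// Orphan is an active account whose owner has left or cannot be found at all.
type Orphan struct {
	Account   Account
	Reason    string
	DaysStale int // days since the owner left; 0 when the owner is unknown
}

// date builds a termination timestamp for the constructed roster.
func date(y int, m time.Month, d int) *time.Time {
	t := time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
	return &t
}

// FindOrphans reconciles accounts against the roster as of a given date.
// Inactive accounts are ignored; active ones are flagged when their owner is
// missing from HR or left on or before asOf. Results are sorted so the
// longest-standing leak (the GM phone in the story) comes first.
func FindOrphans(roster []Employee, accounts []Account, asOf time.Time) []Orphan {
	byID := make(map[string]Employee, len(roster))
	for _, e := range roster {
		byID[e.ID] = e
	}
	var out []Orphan
	for _, a := range accounts {
		if !a.Active {
			continue
		}
		e, known := byID[a.Owner]
		switch {
		case !known:
			out = append(out, Orphan{a, "no owner in HR roster", 0})
		case e.Left != nil && !e.Left.After(asOf):
			days := int(asOf.Sub(*e.Left).Hours() / 24)
			out = append(out, Orphan{a, "owner left " + e.Left.Format("2006-01-02"), days})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DaysStale > out[j].DaysStale })
	return out
}

// SampleRoster and SampleAccounts are constructed data standing in for an HR
// export and the phone and SaaS inventories. Bob left long ago but kept a
// phone line; Carol left recently but still has a SaaS login; one phone line
// was never assigned to anyone.
func SampleRoster() []Employee {
	return []Employee{
		{ID: "e100", Name: "Alice", Left: nil},
		{ID: "e200", Name: "Bob", Left: date(2004, time.January, 15)},
		{ID: "e300", Name: "Carol", Left: date(2005, time.June, 20)},
	}
}

func SampleAccounts() []Account {
	return []Account{
		{ID: "555-0101", System: "phone", Owner: "e100", Active: true},
		{ID: "555-0102", System: "phone", Owner: "e200", Active: true},
		{ID: "555-0199", System: "phone", Owner: "", Active: true},
		{ID: "salesforce:alice", System: "salesforce", Owner: "e100", Active: true},
		{ID: "salesforce:bob", System: "salesforce", Owner: "e200", Active: false},
		{ID: "salesforce:carol", System: "salesforce", Owner: "e300", Active: true},
	}
}

func main() {
	asOf := time.Date(2005, time.July, 1, 0, 0, 0, 0, time.UTC)
	for _, o := range FindOrphans(SampleRoster(), SampleAccounts(), asOf) {
		fmt.Printf("%-10s %-18s owner=%-5q %s (%d days)\n",
			o.Account.System, o.Account.ID, o.Account.Owner, o.Reason, o.DaysStale)
	}
}
```

Run against the sample data as of 2005-07-01 it reports Bob's phone line (533 days stale), Carol's Salesforce login (11 days) and the ownerless line. The point of sorting by staleness is that a monthly run turns an 18-month leak into a one-month one; the point of flagging ownerless accounts is that a deprovisioning process keyed on HR records can never fire for an account HR never knew about.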

Phil also posted Jamie Lewis’ keynote over at Between the Lines. And did a summary of Mike Neuenschwander's session, which featured the Seven Flaws of Identity:

    1. Failure of the weakest link mustn’t lead to catastrophe. For example, smart card deployments are sufficient protection against social engineering and inside attacks. Encrypting the channel doesn’t stop dumpster diving.
    2. Don’t put the role before the start. Role engineering is important, but it doesn’t drive the project.
    3. Not every identity nail requires the technology hammer. Technology may be fine, but without governance, it will fail.
    4. Use of a system invites abuse of the system. Test the architecture with attack vectors.
    5. Identifying things doesn’t make them more secure. Identification can improve security, but security isn’t an inevitable outcome. Over-identification has repercussions.
    6. Identity isn’t about the individual. It’s about the relationship. IdM encompasses the services community’s need for organization.
    7. There are a lot more than seven flaws.

Finally, Phil covered the “Identity Gang” meeting that preceded the conference itself. It's a good description of what went on, and I agree with his conclusion that we need to move on to something a bit more structured.

I spent yesterday afternoon in an identity BOF meeting in San Diego. (See pictures at Kaliya’s Flickr site.) As you might expect, there’s plenty of people with an interest in identity systems at Burton Group’s Catalyst conference and so we took the opportunity to have a face-to-face discussion with about a dozen people who care about identity metasystems.

The topics today were far ranging and difficult to summarize, but there were some interesting issues.

There seems to be big disagreement (surprise) around whether HTTP, SMTP, and the like are completely broken from an identity standpoint or whether they can be salvaged. If not, then Microsoft’s move to SOAP-based protocols for the identity metasystem is a necessary first step for any transactions where identity is important.

To put this in perspective, banks and other financial institutions have pretty much been forced to abandon email as a means of communicating with their customers because of phishing. This is a problem even with things like SSL that allows, but doesn’t require that, users check the integrity of the sites that they visit.

Moving to different protocols requires different clients, or at least changes to existing clients to understand the new infrastructure. Of course, InfoCards (Microsoft’s proposed digital identity system) includes such a client, buried deep in the OS.

Kim Cameron believes that we can’t ask humans to manage multiple systems at the experiential level as well as manage the trust decisions, and everything else we need from them. This is a little bit of a “one client to rule them all” strategy, but there’s some sense to it. The browser is a great example of how a UI standard provides a common UI experience (at least to some degree) regardless of the vendor.

Another issue I found interesting had to do with auditing and transparency. One critical requirement for enterprise identity systems is auditing in order to ensure compliance, etc. For an Internet wide infrastructure there are other auditing requirements. For example, the user may want to disable auditing for privacy reasons. Of course, you may not be obligated to provide service without auditing enabled. The policy negotiation requirements in such a system boggle the mind.

Related to that is the need to provide human readable equivalents of machine readable tokens and assertions and to ensure that they are confluent. The microformats discussion that’s caught my eye lately seems suited to that requirement. I wonder if microformats can meet other requirements as well (and what they might be).

Fourth party auditing of actions provides checks and balances to protect entities from abuses by authenticating gatekeepers or asserting identifiers. Many times these fourth parties would be courts operating in widely varying jurisdictions. The metasystem can’t enforce these actions, only provide for them with proper transparency and auditing.

Another point of contention seems to be the very name “identity metasystem” itself. I think it was coined by Microsoft innocently enough to describe an identity system that ties other identity systems together. I think some would prefer it was called a “network” or something else. The word “system” implies there’s a there there, but in reality, it’s more about protocols and interop.

I think that we need to get this group, along with others together for a more formal discussion where we can get to the heart of what we can all agree on, find out where we really disagree (that’s not clear), and use that as an underpinning to understanding proposals. I’d like to see the various proposals laid out with philosophical beliefs, understand how those beliefs influence architectural choices, and then dive into whether we can agree that specific architectures support those various philosophies. I’m thinking of organizing a workshop in October (in the slot Digital ID World used to use) to do just that.

WS-SecurityPolicy has been published

Today WS-SecurityPolicy, which is an important specification needed to build components that support InfoCards, was published here.

That means within the next couple of weeks we can release a version of The InfoCard Implementors’ Guide.

The Implementors’ guide will show the exact parts of WS-SecurityPolicy, WS-Trust and so on that will be used by the Windows InfoCard Selector (working name), and explain how all the knobs and levers work in the context of the proposed multi-centered identity metasystem that includes services and components running on other platforms and operating systems.

The guide will contain wire traces. My dream is that my team at Microsoft would work with other teams who are developing compatible systems so the InfoCard Implementors’ Guide becomes the clearest document of its type ever produced…

It will be interesting to see how far we still need to go in this regard!

More on SOUPS

Gee I love that name. I mean the Symposium On Usable Privacy and Security (SOUPS).

Last time I mentioned SOUPS (my new Sixth Law buddies) I used an unofficial link which later broke, but this paper, and the SOUPS outfit in general, is so interesting I want to bring it up again so anyone discouraged last time tries again. Meanwhile we got this invitation from Lorrie Cranor:

This paper was presented at SOUPS 2005. See here last week. We hope to be able to announce details of SOUPS 2006 soon… stay tuned… we hope some of you interested in the human issues of identity metasystems will participate.

Highlights from a great quantitative study

In the abstract for my paper on the Laws of Identity, I wrote:

The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception which will cumulatively erode public trust in the Internet.

In the body of the paper I went on to say:

A deepening public crisis of this sort would mean the Internet would begin to lose credibility and acceptance for economic transactions when it should be gaining that acceptance.

Then I talked about the “danger of slipping backwards”, rather than moving forward.

In the discussion around the Laws of Identity at the Digital Identity World (DIDW) Conference, a number of participants in the discussion worried that I was overly accenting the negative – and using unproven assumptions. And I think they were right in calling for me to get really “crisp” about all the positives and benefits of putting in place an identity metasystem, rather than dwelling morosely on the negatives.

Nonetheless, deep down, in that part of me that is pure intuition and chaos, the phantasmagorical implications of “slipping backwards” continued to haunt me. And for good reason.

In an article called “Internet Scams, Breaches Drive Buyers Off the Web, Survey Finds” (subscription required), The Wall Street Journal's Riva Richmond reports on a major study which provides significant quantitative support for the kinds of concerns I have been expressing.

The study, conducted by Gartner and released on June 23rd, was based on a survey of an amazing 5000 online consumers.

More than 42% of online shoppers report cutting back on their activity in light of their growing awareness of phishing, pharming and “identity catastrophes” involving “loss” and “release” (not to mention “theft”) of Identity Information.

And 28% of those using Internet banking are now cutting back as well.

Gartner predicts growth in eCommerce and online financial services will be one to three percentage points lower over the next three years than if electronic information were better safeguarded.

The article quotes Gartner analyst Avivah Litan as saying, “These attacks and disclosures are taking a steep toll on consumer confidence. The only place [consumers] can show their concern is in their online behavior.” I think that is a very good way of putting it.

Those who still don't agree that an objective requirement of the identity metasystem is that the user have control and be asked for consent prior to disclosure should really ponder these words. If the system doesn't give the user a sense of control, the user will take control. When cornered and disenfranchised, the way to take control is to opt out.

Gartner estimates that consumers have lost almost a billion dollars to Internet scams during the twelve months ending in May.

According to the story, 77% of concerned online-banking customers said they are using online banking services less frequently. More than 4% of those Internet banking customers concerned with fraud have abandoned online banking altogether.

Amongst concerned online shoppers:

  • More cautious about where they purchase goods on line: 73%
  • More careful entering sensitive data on sites: 62%
  • Buying fewer things online than before: 33%

To mangle Steve Miller, we are “Slipping, slipping, slipping into the… past…”

I still don't think the profound dynamics in play here have been widely enough understood – though they eventually will be. As I said in introducing the laws:

It is essential to look beyond the current situation, and understand that if the current dynamics continue unchecked, we are headed toward a deep crisis: the ad hoc nature of Internet identity cannot withstand the growing assault of professionalized attackers.

When I say “look beyond”, I mean way beyond. Think back five years. Look at where we are today, and ask yourself if you predicted that. Now imagine five years into the future. Or ten, if you dare.

By the way, Gartner's Avivah Litan has been doing great work in this area; we all owe her a vote of thanks. I love quantitative studies.

So now, back to working on the identity metasystem, all the harder. And talking to the many experts attending the Catalyst Conference in San Diego. In case you are new to this conversation, Catalyst is the Burton Group's conference on identity and security as cross-cutting concerns driving the future of the enterprise. My friend Larry Gautier of LDAP fame reminded me earlier today about the days when we were just a couple hundred people huddling together in the wilderness! Now it is getting huge.

Darth or Kim?

Ben Laurie commented on my response to Doug Kaye's challenge with this:

This punts completely on a pile of issues that aren't obvious from your example. The top of my list are:

a) How do I know that Kim Cameron is the person who “signed” the release.

b) How do I know that Kim Cameron has anything to do with the event (that is, suppose (a) is satisfied, how do I tie that identity to the performance that is included in the event?)?

I think what Doug was looking for was a way to eliminate his liability from a content provider point of view. Thus the issue is not whether the real Kim Cameron is signing the release – it is whether the person speaking at the event has signed the release. Let's assume Darth Vader poses as Kim Cameron and speaks at the event. With the proposal we have outlined, Doug can be sure that Darth can't claim he didn't give approval to podcast his duplicitous public appearance. In this sense, the podcast stands.

The issue of whether Darth is Kim (or vice versa) is a matter of normal journalistic integrity, and concerns the relations between IT Conversations and its producers. It is a completely different question – potentially involving the identity metasystem but potentially involving a number of other brick and mortar approaches.

What I found so interesting about Doug's problem was that it was the identity of the event and its participants – as participants – which was at stake. The “context” was really unique.
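The distinction drawn above (the signature binds the release to whoever took the stage, not to the legal name "Kim Cameron") is easy to see in code. The program below is an added example written for this page; it is not Doug Kaye's, Ben Laurie's or the post's own code, and the post does not say what signature scheme a release would use, so Ed25519 from Go's standard library is substituted here as an assumption. The organizer records the public key the speaker presents at the event; the release names the event and the session so that the signature is tied to that performance (Ben's point (b)); and verification proves only that the holder of that key consented, which is exactly as much as the content provider needs and no more (Ben's point (a)). All event and session strings are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Release is the document a speaker signs to permit podcasting of a session.
// Event and Session are part of the signed bytes, so a signature over one
// session cannot be reused as consent for another.
type Release struct {
	Event   string `json:"event"`
	Session string `json:"session"`
	Terms   string `json:"terms"`
}

// canonical returns the exact bytes that are signed. encoding/json writes
// struct fields in declaration order, so both sides produce the same bytes.
func canonical(r Release) ([]byte, error) {
	return json.Marshal(r)
}

// SignRelease produces a detached Ed25519 signature over the release using
// the key held by whoever is speaking (Kim, or Darth posing as Kim).
func SignRelease(priv ed25519.PrivateKey, r Release) ([]byte, error) {
	msg, err := canonical(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyRelease checks the signature against the public key the organizer
// recorded for the person on stage. A true result says "the key presented
// at the event consented to these terms", nothing about who owns the key.
func VerifyRelease(pub ed25519.PublicKey, r Release, sig []byte) bool {
	msg, err := canonical(r)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Outcome collects the three checks that matter to the content provider.
type Outcome struct {
	Genuine  bool // the release verifies under the speaker's recorded key
	Tampered bool // an altered release still verifies (must be false)
	WrongKey bool // someone else's key verifies the release (must be false)
}

// RunScenario plays out the post's example with constructed data.
func RunScenario() (Outcome, error) {
	speakerPub, speakerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// A second key stands in for anyone who did not present at the event.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	release := Release{ // constructed sample release
		Event:   "IT Conversations recording at Catalyst 2005",
		Session: "Laws of Identity talk",
		Terms:   "I consent to the podcasting of this session.",
	}
	sig, err := SignRelease(speakerPriv, release)
	if err != nil {
		return Outcome{}, err
	}

	altered := release
	altered.Terms = "I consent to nothing."

	return Outcome{
		Genuine:  VerifyRelease(speakerPub, release, sig),
		Tampered: VerifyRelease(speakerPub, altered, sig),
		WrongKey: VerifyRelease(otherPub, release, sig),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", out.Genuine, out.Tampered, out.WrongKey)
}
```

The design choice worth noticing is that nothing in VerifyRelease consults a name. Whether the recorded key belongs to Kim or to Darth is the separate, journalistic question the post sets aside; what the signature settles is that the release cannot later be repudiated by the person who held the key on stage, and that it covers this event and session and no other.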