Digital Identity – Page 10 – Kim Cameron's Identity Weblog

Business, Model, Scenario and Technology

Reading more of the discussion about Identity Oracles, I've come to agree with the importance of having separate names for the business model and the underlying technology that would be used to deliver services. So I buy Dave Kearns's advice:

Drop it while you can, Kim. Bob's right on this one. The “Identity Oracle” is a business model, not a technology feature.

Why was I conflating things?

Well, when we were devising the technology for claims transformers, we were specifically trying to enable the scenario of providing answers to questions without releasing the information on which the answers are based (in other words, support derived claims). We intended the claims transformer to be the technology component that could supply such answers.

I saw the name “Identity Oracle” as describing the scenario.

Now I see the advantages of having very precise naming for a number of interrelated things. It can leave us with this taxonomy:

Reading Dave Kearn's post on how a service like HealthVault might evolve in the direction of an Identity Oracle, I couldn't help wondering about the problems of liability implied by some of these behaviors.

For example, consider a health-related Identity Oracle that could answer the question, “Can Kim take drug X without fear of drug interactions?”. The resultant “yes” or “no” would be a lot more privacy friendly than releasing all of Kim's drug prescriptions and the medical information necessary to adequately answer the question.

However, the Identity Oracle presumably assumes more liability by “selling” its “yes” or “no” conclusion than it would by releasing simple facts (assuming the right permissions and use restrictions were in place).

In other words, success of this model will involve a transfer of liability from the party currently making a decision to the oracle. This liability has to be factored into the cost structure of the identity oracle business model, and the resultant pricing must make sense to the requesting party.

Success brings complexities too

Pamela Dingle is the awesome, programming, geek, girl Canadian who runs The Pamela Project. She produced the WordPress InfoCard plugin that I use on my blog. In this piece, she has a different take on Information Card adoption:

“It has been a while since Iâ€™ve meandered through my thoughts on where the world of the Identity Metasystem is going these days.

“A few entries in the blogosphere have examined what this system is not – which is in common use. I canâ€™t deny the truth of such statements. However, what I do see, is a growing number of people who are contacting me, because they are working hard to change this fact.

“I can honestly say that I donâ€™t worry about whether Information Cards will succeed. What I worry about, is what happens when it does. To me, this is why it is critical to run interops via OSIS, and not only that, but to create a body of work that anyone can use to understand, test, and create correctly operating components. We are in the lull before the storm.

“Have you ever heard the term â€˜victims of our own successâ€™? This is what we will be, if the wave of mass adoption comes, and we havenâ€™t made it easy to be a GOOD member of the Identity Metasystem. If we donâ€™t set community consensus on edge cases, abuse cases, some common standards for basic user interface, and other such things now, if we all donâ€™t get busy implementing and learning from our mistakes and fixing them while it is still easy to do so, it is going to be chaos when suddenly the big thing is for every site out there to accept Information Cards.

“My view is, that user-centric technology in general is a massive tsunami moving towards the coast. It doesnâ€™t look like much now because the wavelength is long â€” but once we get close to shoreâ€¦ If Iâ€™m right, there will be a sudden, immediate, and critical demand for architects, sys-admins, and developers with experience in this space. The more mistakes we make now and learn from, the less mistakes these future techies will have to make en masse.

“â€¦ and if Iâ€™m wrong about the tsunami â€” well I guess weâ€™ll all have stories to tell around the campfireâ€¦. “

Continue reading Success brings complexities too

EPIC opposes Google / Doubleclick merger

Last week the Electronic Privacy Information Center (EPIC) made an agenda-setting intervention on the newest dangers in digital privacy. EPIC is perhaps the worldâ€™s most influential privacy advocacy group, and presented its brief to a US Senate hearing looking into Googleâ€™s proposed acquisition of Doubleclick.

According to USA Today,

â€œThe Federal Trade Commission is already reviewing whether the Google-DoubleClick combination would violate antitrust law. Consumer groups are pressing the agency to also scrutinize Google's privacy practices. Marc Rotenberg, executive director of the Electronic Privacy Information Center, told the Senate committee that Google should be required to strengthen its privacy practices as a condition of the acquisition.â€

Continue reading EPIC opposes Google / Doubleclick merger

What if we fail?

As innovators we need to think about what happens if our systems fail. I've argued, for example, that the starting point for designing a secure system is to recognize it will be breached.

So I took Ben Laurie's recent piece on CardSpace as an invitation to review one more time what can go wrong with Information Cards and CardSpace.

For those who don't know him, Ben has been a leading innovator in terms of open source SSL, and currently works at Google. In his piece he writes that OpenID isn't gaining much traction. Then he turns to CardSpace, which he says “appears to be supported only by Microsoft products.”

A number of people gagged on this, including Dale Olds of Novell (who none the less retained his unflappable charm). Dale had just released his new DigitalMe product providing Information Card support for Mac and Linux. In fact, at Digital ID World, the open source Bandit Project had launched a â€œControl Your Identityâ€ campaign to promote awareness and use of information card technology. Hmmm. I wonder if Linux is a Microsoft product?
Continue reading What if we fail?

Managed information cards for secure online purchasing

Here's news of an important technology demonstration from Ping Identity and ACI Worldwide at the upcoming DIDW Conference (just two weeks away in San Francisco in case you have forgotten to register).

To put this in context, ACI Worldwide is the world leader in retail payments – over half the plastic card transactions in the world (55 billion last year) go through ACI's software at banks, merchants and networks in over 85 countries. Continue reading Managed information cards for secure online purchasing

We need a spectrum

Stefan Brands runs off in the wrong direction in his recent treatise on OpenID. Who really needs a â€œshock and aweâ€ attempt to bonk the new OpenID “cryptographic primitives” back into the stone age?

It's not that you shouldn't read the piece; even though subtlety is not its strong suit, it brings together a lot of information about a threat model for OpenID.

The main problem is simply that it misses the whole point about why OpenID is of interest.
Continue reading We need a spectrum

Emperor of the Amateurs

If you are looking for a real hoot, and have nothing enjoyable or worthwhile to do, consider spending an hour (no more) with Andrew Keenâ€™s The Cult of the Amateur. Whatever you do, donâ€™t buy it â€“ youâ€™re sure to find discarded copies lying around. Mine, for example. Continue reading Emperor of the Amateurs

Grab them eyeballs! Any cred at all!

Want to deeply understand how OpenID would make our lives better on social networks? Check out this piece by Dare Obasanjo, a program manager within Windows Live. But be prepared to be jolted. According to Dare, there is indeed a promised land, but we won't be allowed into it.

Dare is responding to Wired's Slap in the Facebook: It's Time for Social Networks to Open Up. He talks about the common-sense economics of identity, then asks why “there seem to be more OpenID providers than there are consumers”, concluding:

Why would Facebook implement a feature that reduced their user growth via network effects? Why would MySpace make it easy for sites to extract user profile information from their service? Because openness is great? Yeahâ€¦right.

Openness isnâ€™t why Facebook is currently being valued at $6 Billion…

Dare's explanation of how the big web properties see things is spot on. But are they right?
Continue reading Grab them eyeballs! Any cred at all!

Digital gifts for my digital birthday

When I do a telephone transfer at my bank, they ask me to prove I'm legitimate by giving them a few pieces of information – including my birth date. I also know that by combining birth date, surname and zip code, marketers can uniquely identify almost the whole population. To my way of thinking, this puts it in the same class as a social security number, and I'm careful about who I give it to.

So when signing up for Facebook I didn't consider for one moment the idea of publishing my natural birth date. Nor did I read the terms of service. If sites hide away their terms of service, I figure that means they don't expect me to read them anyway. Continue reading Digital gifts for my digital birthday

Dynamite interview with Latanya Sweeney

Scientific American has published a must-read-in-its-entirety interview with Carnegie Mellon computer scientist Latanya Sweeney. She begins by showing that privacy is not a political issue, but an animal need:

“We literally can't live in a society without it. Even in nature animals have to have some kind of secrecy to operate. For example, imagine a lion that sees a deer down at a lake and it can't let the deer know he's there or [the deer] might get a head start on him. And he doesn't want to announce to the other lions [what he has found] because that creates competition. There's a primal need for secrecy so we can achieve our goals.”

Then she ties privacy to human ontogenesis – again, a requirement for the existence of the species:

Privacy also allows an individual the opportunity to grow and make mistakes and really develop in a way you can't do in the absence of privacy, where there's no forgiving and everyone knows what everyone else is doing. There was a time when you could mess up on the east coast and go to the west coast and start over again. That kind of philosophy was revealed in a lot of things we did. In bankruptcy, for example. The idea was, you screwed up, but you got to start over again. With today's technology, though, you basically get a record from birth to grave and there's no forgiveness. And so as a result we need technology that will preserve our privacy.

Continue reading Dynamite interview with Latanya Sweeney