Information Cards supported on Community Server

Armand du Plessis at Impersonation Failure writes about his work to add Information Card support to his Community Server:

A couple of days ago I enabled experimental Windows Cardspace support on http://dotnet.org.za/. I mentioned that I'll post the source code and controls but with Tech-Ed Africa and some other work I never got around to posting it.

So now the updated Community Server files are available here and the source code for both the Community Server controls and the underlying ASP.NET controls is available here.

To enable Community Server to make use of Information Cards for authentication the following steps are required:

  • Install and configure your site with a SSL certificate. (Make sure it's a certificate issued by a Certification Authority trusted by popular browsers so you don't make the same mistake as me. See this post for more info)
  • Grant access to the certificate's private key to your application pool user. The easiest method to do this is using the winhttpcertcfg.exe utility:
    • winhttpcertcfg -g -c CertLocation -s SubjectStr -a Account
  • Add your certificate's thumbprint to your web.config appSettings section so the Token processor helper class can find it:
    • The thumbprint can be obtained through the MMC Certificates snap-in.
  • Unzip the updated Community Server files over the CS web files. The following files will be replaced, so make sure you've backed them up before this step:
    • \Themes\default\Masters\master.ascx
    • \Themes\default\Skins\Skin-EditProfile.ascx
    • \login.aspx
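As an added example (my code, not Armand's controls nor the Microsoft TokenProcessor sample), the following C# shows how steps 1 to 3 fit together at runtime: the thumbprint is read from appSettings, the certificate is located in the machine store, and private-key access is verified up front so a missing winhttpcertcfg grant surfaces as a clear startup error rather than a failed decryption on the first login. The appSettings key name `CardSpaceCertificateThumbprint` is an assumption; the post does not say which key the token helper reads.

```csharp
// Added example, not part of the original post. Assumes the thumbprint is stored
// under the appSettings key "CardSpaceCertificateThumbprint" (assumed name).
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class RelyingPartyCertificate
{
    // Loads the SSL certificate the token helper needs for decrypting the
    // encrypted token, failing closed if anything about it is wrong.
    public static X509Certificate2 LoadFromConfig()
    {
        string thumbprint = ConfigurationManager.AppSettings["CardSpaceCertificateThumbprint"];
        if (string.IsNullOrEmpty(thumbprint))
            throw new InvalidOperationException(
                "appSettings key CardSpaceCertificateThumbprint is not set.");

        // The MMC snap-in displays the thumbprint with spaces between bytes;
        // Find() only matches the bare hex string.
        thumbprint = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false so an expired or untrusted certificate is still
            // found and reported by the checks below instead of silently missing.
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one certificate with thumbprint " + thumbprint +
                    " in LocalMachine\\My, found " + matches.Count + ".");

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no private key, so the token cannot be decrypted.");

            // Reading PrivateKey is the operation that throws CryptographicException
            // when the application pool identity was never granted key access (step 2).
            try
            {
                AsymmetricAlgorithm key = cert.PrivateKey;
                if (key == null)
                    throw new InvalidOperationException("Private key is not accessible.");
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "The application pool identity cannot read the private key. Grant it with: " +
                    "winhttpcertcfg -g -c LOCAL_MACHINE\\My -s <subject> -a <account>", ex);
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Calling `RelyingPartyCertificate.LoadFromConfig()` once from Application_Start (or lazily the first time a token arrives) means a misconfigured store, a certificate without its private key, or a missing ACL grant is logged as a configuration error instead of surfacing as a generic "unknown error" to the user during login.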

How it works is relatively straightforward, kudos to the design of the Cardspace web integration and the Community Server SDK. A quick explanation:

The source consists of four core controls:

  1. Adp.CardSpace.InformationCardRequest – A very basic ASP.NET control that takes care of rendering the <object> element used to engage the Identity Selector with the desired claims the Relying Party wants from the Identity Provider. This can either be placed in the head of the page when working together with the InformationCardSubmit control, or as a standalone in a form body.
  2. Adp.CardSpace.InformationCardSubmit – Another basic ASP.NET control that renders the required script and a button that can be used to engage the Identity Card Selector. It is meant for consumption by higher-level controls that can subscribe to its OnTokenReady event, which is fired when a postback triggered by the ICS happens.
  3. Adp.CommunityServer.Controls.Association – A Community Server control used in the profile section to allow a user to associate an Information Card with his/her account.
  4. Adp.CommunityServer.Controls.CardSpaceLogin – A Community Server control used to authenticate the user using his Information Card instead of the usual username/password.

The claim requirements are expressed through the Claims property on the Adp.Cardspace.InformationCardRequest control. This can be done programmatically or declaratively, and the control added either to the page head or to a form body. Adding the control to the page head, as done in the Community Server integration, allows for fine-grained control over when the Identity Selector is invoked without interfering with other form submit buttons on your page.

Below is an extract from master.ascx which embeds a request for two claims, email and PPID, into the page. (By default self-issued cards are accepted, but this can be configured through the Issuer property on the control.)

<CS:Head runat="Server">
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <CS:Style id="UserStyle" runat="server" visible="true" />
  <CS:Style id="s2" runat="server" visible="true" Href="../style/Common.css" />
  <CS:Style runat="server" Href="../style/common_print.css" media="print" />
  <CS:Script id="s" runat="server" />
  <ADP:InformationCardRequest ID="_xmlToken" runat="server" Claims-Capacity="4">
    <ADP:ClaimDto ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Required="true" />
    <ADP:ClaimDto ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Required="true" />
  </ADP:InformationCardRequest>
</CS:Head>

Where the Identity Selector trigger is required, the Adp.Cardspace.InformationCardSubmit control is placed. The sole responsibility of this control is to invoke the Identity Selector and raise an OnTokenReady event which can be consumed by other interested parties. Below is an extract from Skin-CardspaceLogin.ascx (a Community Server control which uses the InformationCardSubmit control to obtain the encrypted token):

<ADP:InformationCardSubmit CssClass="CommonTextButtonBig" runat="server" id="csSubmit" />

That's all that's required to invoke the ICS. To decrypt and extract the token using the very useful TokenProcessor from the Microsoft samples, the following code is required to hook up and handle the OnTokenReady event. (This code is in the above-mentioned CardSpaceLogin control, a composite control utilizing the InformationCardSubmit control and other default Community Server controls.)

protected override void AttachChildControls()
{
    submit = FindControl("csSubmit") as InformationCardSubmit;
    message = FindControl("csMessage") as StatusMessage;

    // Verify the skin supplied both controls before touching them; subscribing
    // to submit.OnTokenReady first would throw a NullReferenceException instead
    // of the intended SkinNotSet error when the skin is missing the control.
    if ((submit == null) || (message == null))
        throw new CSException(CSExceptionType.SkinNotSet);

    submit.OnTokenReady += new EventHandler(submit_OnTokenReady);
}

The Token helper class takes care of decrypting and extracting all the tokens from the postback. (The token helper class is available in the samples on http://wcs.netfx3.com)

After breaking out the tokens we can access them through the indexed Claims property. All the claims we expressed in the InformationCardRequest control above are available for use in your code. In the sample below the token's unique id is extracted and assigned to an extended profile attribute in Community Server.

void submit_OnTokenReady(object sender, TokenEventArgs e)
{
    try
    {
        // Decrypt the posted token and break out its claims.
        Token token = new Token(e.TokenValue);

        // The card's email claim must match the logged-in user's profile email
        // before the card is associated with the account.
        if (context.User.Email != token.Claims[System.IdentityModel.Claims.ClaimTypes.Email])
        {
            DisplayMessage(ResourceManager.GetString("Association_EmailMismatch",
                CSUtil.CsResourceFilename), false);
            return;
        }

        // Store the token's unique id on the profile so the login control can
        // find this user again from the same card.
        context.User.SetExtendedAttribute(CSUtil.CsExtendedAttributeName,
            token.UniqueID);

        Users.UpdateUser(context.User);

        DisplayMessage(
            ResourceManager.GetString("Association_Success",
                CSUtil.CsResourceFilename), true);
    }
    catch (Exception e1)
    {
        string displayMessage = ResourceManager.GetString("Association_GenericException",
            CSUtil.CsResourceFilename);

        // Log the underlying failure but show the user only the generic message.
        CSException e2 = new CSException(CSExceptionType.UnknownError,
            displayMessage, e1);

        e2.Log();

        DisplayMessage(displayMessage, false);
    }
}
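As an added example (my code, not part of Armand's controls or the Microsoft sample), here is a small C# helper that the association and login handlers could call on the decrypted token before trusting it: it confirms that every claim the master.ascx extract marked Required="true" actually arrived with a value, and compares the email claim to the profile address with trimming and case-insensitive matching. It assumes the Token class exposes its claims as an IDictionary<string, string> keyed by claim-type URI, which is what the indexed Claims usage above suggests; nothing else about the Token class is assumed.

```csharp
// Added example, not part of the original post. Assumes token claims are
// available as IDictionary<string, string> keyed by claim-type URI.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

public static class ClaimChecks
{
    // The two claims the InformationCardRequest in master.ascx marks as required.
    public static readonly string[] RequiredClaims = { ClaimTypes.PPID, ClaimTypes.Email };

    // Returns the required claim types that are absent or blank in the token.
    // An empty list means the token carries everything the request asked for.
    public static IList<string> MissingRequiredClaims(IDictionary<string, string> claims)
    {
        List<string> missing = new List<string>();
        foreach (string claimType in RequiredClaims)
        {
            string value;
            if (!claims.TryGetValue(claimType, out value) || string.IsNullOrEmpty(value))
                missing.Add(claimType);
        }
        return missing;
    }

    // Compares the card's email claim with the profile email, ignoring surrounding
    // whitespace and letter case, so a card issued as "User@Example.org" still
    // matches a profile stored as "user@example.org". Null on either side is a mismatch.
    public static bool EmailMatchesProfile(IDictionary<string, string> claims, string profileEmail)
    {
        string claimed;
        if (profileEmail == null || !claims.TryGetValue(ClaimTypes.Email, out claimed) || claimed == null)
            return false;
        return string.Equals(claimed.Trim(), profileEmail.Trim(), StringComparison.OrdinalIgnoreCase);
    }

    // Convenience wrapper for a handler: true only when all required claims are
    // present and the email claim matches the logged-in user's profile.
    public static bool IsAcceptableForAssociation(IDictionary<string, string> claims, string profileEmail)
    {
        return MissingRequiredClaims(claims).Count == 0 && EmailMatchesProfile(claims, profileEmail);
    }
}
```

In the handler above, calling `ClaimChecks.IsAcceptableForAssociation(token.Claims, context.User.Email)` in place of the raw `!=` comparison rejects a token that lacks the PPID or email claim (rather than throwing a KeyNotFoundException into the generic catch block) and makes the email comparison tolerant of case differences, while still keeping the association path closed to any card whose email does not belong to the signed-in user.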

Some limitations in this implementation are that it currently doesn't detect whether or not the browser supports Infocards. Also, triggering the Identity Selector through script currently doesn't seem to be supported by the Firefox Identity Selector plug-in.

Currently the implementation on dotnet.org.za still suffers from the use of the Starfield SSL certificate which requires users to first import the Intermediate Certificate as a trusted issuer before Cardspace will accept it. This will be rectified soon.


Privacy and Identity – IGF workshop outcomes

From the Internet Governance Forum, via Ralf Bendrath's blog

The workshop on privacy and identity we held together with the LSE information systems group this morning sparked an interesting discussion.

Christian Möller gave some examples of how privacy is not only important in itself, but how it also is a necessary condition for freedom of expression.

Microsoft's Jerry Fishenden presented their InfoCards concept and the “7 Laws of Identity” as one approach on how to handle user data based on different credentials. While most of the panelists agreed that this is a good basis for a start, and especially welcomed the company's recent efforts to make it more privacy-friendly, Jan Schallaböck and Mary Rundle pointed at one major drawback: Once you have sent your personal information to a company – no matter if through InfoCards or another system – you can not control what happens with it afterwards.

Jan, who is with the data protection authority of the German land of Schleswig-Holstein, therefore presented the ideas, concepts and systems developed in the EU-funded Privacy and Identity Management in Europe (PRIME) project as an alternative.

Their model is that user data given to web service providers will have a “sticky privacy policy” attached to it in the form of meta-data. This meta-data will move with the personal data and can help ensure that it is only used or transferred in a way the user has agreed to.

Mary from NetDialogue suggested (having) a similar way as the Creative Commons license: Privacy Policies should be human readable, lawyer readable, and machine readable. The advantages would be that the users can better decide how they “licence” the use of their data to other parties. Mary even presented a very nice series of icons that symbolize different use policies.  This approach might be one way to address the failure or “myth of user empowerment”, as Ives Poullet called it.

Stephanie Perrin, research director at the Office of the Privacy Commissioner of Canada, finished by saying that the privacy community has to become much more involved in international technical standardization processes. As always, time was too short. Therefore, we will discuss a collaborative follow-up process later this evening.

Actually, the “sticky privacy policy” notion can be implemented by identity providers using version 1 of Cardspace – it doesn't limit the token types that can be exchanged.  A new type of token that includes metadata about use policy is a good example of why this flexibility is useful.  I support the idea.

Maybe Jan Schallaböck and Mary Rundle are aware of this, but are talking about the self-issued identity provider used to “bootstrap” Cardspace.  In v1.0, it does not have this kind of metadata built in to it. 

I look forward to collaborating with Mary and Jan to create the kinds of visual and metadata systems now being discussed.  I don't actually see PRIME as being “alternative” in any way to the work I've been doing – we have the same goals.

 

Feedback from Urs Gasser at Berkman

Here's some feedback on Rubinstein and Daemen's new Metasystem Privacy paper posted by Urs Gasser on his Law and Information blog.  Urs is an expert in cyber law associated with the Berkman Center at Harvard Law School.

Microsoft released a white paper entitled “The Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity.” The excellent paper, authored by Microsoft’s Internet Policy Council Ira Rubinstein and Tom Daemen, senior attorney with Microsoft, and posted on Kim Cameron’s blog, is a must-read for everyone interested in user-centric ID management systems. (Disclosure: As you can take from the acknowledgments, I have commented on a draft version of the paper, based on my earlier observations on “Identity 2.0”-like initiatives.)

Among my main concerns – check here for other problem areas – has been Microsoft’s claim that the i-card model is “by design” in compliance with the unambiguous and informed consent requirement as set forth, for instance, by EU data protection law. I’ve argued that the “hardwired”-argument (obviously a variation on the theme “regulation by code”) might be sound if one focuses on a particular relationship between one user and one identity provider and/or one relying party – as the white paper does. However, at the aggregated level, the i-card model’s complexity – i.e. the network of informational relationships between one user and multiple ID providers and relying parties – increases dramatically. If we were serious about the informed consent requirement, so my argument goes, one would wish that the user could anticipate not only the consequences of consent vis-à-vis one ID provider, but would understand the interplay among all the components of the ID-system. Even in less complex informational environments, experience has shown that the making available of various privacy policies can’t be the answer to this problem – as the white paper seems to acknowledge.

In this regard, I particularly sympathize with the white paper’s footnote 23. It might indeed be a starting point for an answer to what we might call the “transparency challenge” to create “a system enabling web sites to represent privacy policies in a simple, iconic fashion analogous to food labels. This would allow consumers to see at a glance how a site’s practices compared to those of other Web sites using a small number of universally accepted visual icons that were both secure against spoofing and verified by a trusted third party.” (p. 19, FN 23.) Such a system could become particularly effective if the icons – machine-readable analogous to creative commons labels – would be integrated in search results and monitored by “Neighborhood campaigns” similar, for instance, to Stopbadware.com.

Although Microsoft’s paper leaves some important issues unaddressed, it seems plain to me that it takes the discussion on identity and privacy protections as code and policy an important step further – in a sensible and practical manner.

I agree with Urs when he talks about where we can go with visual icons representing the practices and policies of sites and identity providers.  Let's do it.

Just to be clear, I see Information Card technology as providing a platform for people to control their digital identity.  As a platform, it leaves people the freedom to put things of their choice onto that platform.

Let's make an analogy with some other technology – say plasma screens.  The technologists can produce a screen with fantastic resolution, but people can still use it to view blurry, distorted signals if they want to.  But once people see the crystal clarity of high definition, they move away from the inferior uses.  Even so, there still might be artifacts that are important historically that they want to watch in spite of their resolution.

In the same way, people can use the Information Card technology to host identity providers with different characteristics.  It's a platform.  And my belief is that a high fidelity and transparent identity platform will lead to uses that respect our rights.  If this requires help from legislators and the policy community, that's just part of the process.  In other words, I don't think CardSpace is the magic bullet that solves all privacy problems.  But it is an important step forward to have a platform finally allowing them to be solved.

Once you let one party send information to another party, there is no way to prevent it – technically – from sending a correlating identifier.  As a morbid example, terrorists have been known to communicate by depositing and withdrawing money from bank accounts.  The changes in the account are linked to a codebook.  So any given information field can be used to communicate unrelated information.  

What you can do is prevent the platform itself from creating correlation handles or doing things without a user's knowledge.  You can use policy, legal frameworks and market forces so providers and consumers of identity are transparent about what they are doing. You can create technology that can help discover and prove breaches of transparency.  You can facilitate holding third parties to their promises.  And you can put in place social and legal protections of technology users, along the lines of the privacy-embedded laws of identity.

That's why I see the contributions of legal and policy experts as being just as fundamental as the contribution of technologists in solving identity problems.  In the long term, the social issues may well be more important than the technical ones.  But the success of the technology is what will make it possible for people to understand and discuss those issues.

I advise following some of the thoughtful links to which Urs refers.

 

Grandstanding to drive up his ratings?

When Doc Searls was first telling me about blogging, he asked if I wanted to see something incredible.  Then he typed the word “doc” into a certain search engine, and the first or second result was the address of his blog. 

I was amazed.  He was right up there.  On a level with the Department of Communications.  He still is today (try it!)

So a while ago, I decided to check out the results for “Kim”.  Narcissistic? I guess.  And worse, the kind of thing that irreversibly links your identity to the audit trail of your searches. 

But I was curious.

Let's face it.  As I've said before, this blog is the “hair on the end of the long tail.”  It was obvious I wouldn't be in the same league as Doc. And we all know the entire country of Korea has the name ‘Kim’.  One search engine lists 227 million references.  So my hopes weren't high.

But despite all this, the results were pretty amazing: 

 

Better search engine

 

Was it possible?  I beat out Kim Jong-il, president of North Korea, who came in at number 8.  In fact I easily passed him at 5!  I could see he's maybe not the most popular person in the world, but still, he does run a country, a country much discussed in some circles.  Anyway, I decided to check out a competing engine:

 

Canadian version of well known search engine

Not quite as good, maybe, but hey, Rudyard Kipling and Kim Basinger are certainly both more fundamentally accessible than identityblog (!), so it seems right.

Anyway, over time I came to take this state of affairs pretty much for granted.

But last week, visiting Canada, a friend asked me what would happen if he just searched for ‘Kim’, so I told him to try it.  He went to www.google.ca, and to my horror I could see that I had slipped:

American version of well known search engine

Suddenly the reality of the situation sank in.  Was the underground nuclear test that Kim Jong-il set off just grandstanding intended to increase his search engine ranking?  

Had Kim Basinger and I actually been in grave danger all along for thwarting a dictator's desire to appear at the top of a result set? 

The poor helpless souls in some CNN documentary flashed before my eyes, and I accepted that losing out to Jong-il wasn't all bad.

And then the kicker.  I VPNed to a computer back in the States, so I could get to the US versions of the search engines (on my friend's ISP it was impossible to get to the actual “.com” site rather than “.ca”).

Guess what? Back in the States it was business as usual.  Kim Basinger and I were still up ahead of Jong-il, despite all of his antics.  My friend and I had been looking at a rating that was somehow Canada specific.

I guess that for search engine experts all of this would come as no surprise.  But I am pretty curious about how these international variations in ranking come about.

 

Second Law of Identity

Here is the Second Law of Identity as expressed by Anne Cavoukian, Privacy Commissioner of Ontario. The original “technology” law comes first; the “privacy-embedded” form follows it:

Technology law: MINIMAL DISCLOSURE FOR A CONSTRAINED USE

The identity metasystem must disclose the least identifying information possible, as this is the most stable, long-term solution.

Privacy-embedded law: MINIMAL DISCLOSURE FOR LIMITED USE: DATA MINIMIZATION

The identity metasystem must disclose the least identifying information possible, as this is the most stable long-term solution. It is also the most privacy protective solution.

The concept of placing limitations on the collection, use and disclosure of personal information is at the heart of privacy protection. To achieve these objectives, one must first specify the purpose of the collection and then limit one's use of the information to that purpose, avoiding disclosure for secondary uses. The concept of data minimization bears directly on these issues, namely, minimizing the collection of personal information in the first instance, thus avoiding the possibility of subsequent misuse through unauthorized secondary uses.

 

Dr. Cavoukian's restatement of the First Law is here.  I can't overstate the importance of her collaboration with the identity community.  Nothing is more important to getting identity right than getting privacy right.  And there's no better way to get privacy right than by working side by side with those who, like Dr. Cavoukian, have been studying, writing about and protecting privacy for many years.

Download the Privacy-Embedded laws as a brochure or a whitepaper.

Ping unveils Managed Card IP written in Java

Ashish Jain of Ping Identity seems to have broken another barrier by demonstrating a “managed card” identity provider written in Java.

In the world of InfoCards, we talk about two kinds of “identity provider”.  One is a “self-issued” card provider, through which individuals can make claims about themselves.  The other is a “managed” card provider, which supports claims made by one party about another party. 

Examples of managed card providers could include claims made by an employer about its employees; a financial institution about its customers; an enterprise about its customers; or a reputation service making claims about its users.  While the technology for posting tokens from an identity selector like Cardspace to a web site can be very light weight (RESTful), that for building managed card providers is more challenging.

Here's how Ashish puts it:

The Managed Card IdP as well as the RP server that we demonstrated at DIDW is now available for a test run. It’s still early access…so expect some issues. But if you do want to try early, give it a go. It should give you an idea of the things to come.


Please do the following (you need to have RC1 client installed on your machine).

  • Access the IdP Demo here.
  • Enter your information and click ‘Get Card’.
  • When the popup happens, click “open” to save it to the CardSpace Client. Alternatively, you can save it to the disk and double-click to install it. (You can change the extension from .crd to .xml if you are interested in looking at the contents).
  • Close the CardSpace Client.
  • Next go to the RP site here.
  • Click on the Managed Infocard Image.
  • Your CardSpace client should pop-up at this time and only the relevant card should be available for selection.
  • Select the card and it will challenge you to enter your IdP credentials. The server doesn’t perform any password validation at this time (as long as the username is correct).

And you should be logged in to the Relying party. The relying party page also displays the IdP as well as the RP message flow.

I tried it and it definitely worked for me.  I'll do a screen capture.

I don't know if the picture in Ashish's piece shows something he drank as a baby, but if so, a lot of other programmers may want to try some. 

 

Privacy characteristics of the Identity Metasystem

Microsoft has just completed a whitepaper that looks systematically at how the proposal for an Identity Metasystem advances privacy.  

The document offers a useful general overview of how the Metasystem is intended to work – in a form I think will be accessible to those concentrating on policy.  It also contains an instructive analysis of how the Metasystem embodies the principles articulated in the European Union data protection directives.

I will run some excerpts that I think will be of general interest.  But I suspect all those interested in policy and identity technology will want to download the document, so I've added it to the roster of Identityblog white papers.

  1. Privacy & Metasystem: Introduction
  2. Existing ID Card Schemes
  3. Anonymity, Privacy, and Security
  4. The Identity Metasystem
  5. The Seven Laws of Identity
  6. Roles
  7. Microsoft’s InformationCard Technology: Windows CardSpace
  8. Scenario One: Basic Protocol Flow
  9. Scenario Two: Protocol Flow with Relying Party STS
  10. User Experience
  11. Creating an Information Card
  12. Logging In with an Information Card
  13. Submitting an Information Card
  14. Example of InformationCard Interaction
  15. Privacy Benefits of Windows CardSpace and the Information Card Model
  16. Protection of Users Against Identity Attacks
  17. Information Card Technology and EU Data Privacy
  18. Overview of EU Data Privacy Law
  19. Data Controllers and Their Legal Obligations
  20. EU Data Privacy Laws and Information Cards
  21. Legitimate Processing
  22. Proportionate Processing
  23. Security
  24. Limits on Secondary Use
  25. Conclusion
  26. Acknowledgments 

From the Executive Summary:

Just as individual identity is fundamental to our face-to-face interactions, digital identity is fundamental to our interactions in the online world. Unfortunately, many of the challenges associated with the Internet stem from the lack of widely deployed, easily understood, and secure identity solutions. This should come as no surprise. After all, the Internet was designed for sharing information, not for securely identifying users and protecting personal data. However, the rapid proliferation of online theft and deception and the widespread misuse of personal information are threatening to erode public trust in the Internet and thus limit its growth and potential.      

Microsoft believes that no single identity management system will emerge and that efforts should instead be directed toward developing an overarching framework that connects different identity systems and sets out standards and protocols for ensuring the privacy and security of online interactions. Microsoft calls this concept the Identity Metasystem. The Identity Metasystem is not a specific product or solution, but rather an interoperable architecture that allows Internet users to use context-specific identities in their various online interactions.

This paper describes the Identity Metasystem and shows how it can meaningfully advance Internet user privacy. In particular, it will show how Microsoft’s contribution to the engineering of the Identity Metasystem—the Information Card technology—promotes privacy in three primary ways:

  • First, it helps users stay safe and in control of their online identity interactions by allowing them to select among a portfolio of digital identities and use them at Internet services of their choice. These digital identities may range from those containing no or very little personal information (perhaps nothing more than proof of an attribute such as age or gender) to those with highly sensitive personal information needed for interacting with financial, health institutions, or obtaining government benefits. The key point is that a web site or service only receives the information it needs rather than all of the personal information an individual possesses.
  • Second, it helps empower users to make informed and reasonable decisions about disclosing their identity information by enabling the use of a consistent, comprehensive, and easily understood user interface. Moreover, this technology implements a number of advanced security features that help safeguard users against identity theft by reliably authenticating sites to users and users to sites.
  • Third, and more generally, Information Card technology is hardwired to comply with data privacy laws and conforms to key requirements in the European Union’s privacy regime, including legitimate and proportionate processing, security, and restraints on secondary use.

In short, this new framework and new technology offer a cutting-edge solution to the digital identity debacle that is stifling the growth of online services and systems.

I want to congratulate Ira Rubinstein, Internet Policy Counsel for Microsoft, and Tom Daemen, a senior attorney in his group, for writing this analysis.  Other contributors include our Chief Privacy Strategist, Peter Cullen, and Caspar Bowden, Chief Security and Privacy Officer for Europe.  Not to mention the inimitable Mike Jones, well known for his contribution to Identity Metasystem thinking.

Although the document uses the Cardspace implementation in illustrating its points, it's my hope that everyone working on the Identity Metasystem across the industry benefits from this work, since the notions apply to all of us.

DasBlog site InfoCard enabled

Of course Kim Cameron's Identity Blog has been InfoCard enabled for a while, and I've written about the process.  Now others are working (more on this later) to produce a WordPress InfoCard Plugin for everyone who wants to start accepting InfoCards.

Then a while ago I learned that Rob Richards had InfoCard-enabled his Serendipity-based blog and again published the code for others to examine.  

Now Kevin Hammond has done the same for DasBlog – though I'm not sure yet if I can leave comments using InfoCards:

Taking inspiration from Kim Cameron and how he CardSpace-enabled WordPress, I did the same with DasBlog 1.9.6264.0. casadehambone.com now supports logging into the administrative account using Windows CardSpace allowing me to throw the use of passwords to the wind!

The great thing is that it only took minor changes to three source files and the introduction of one new configuration option each to site.config and siteSecurity.config. I have a little more work before me to make configuration just a tad easier, but the great thing is that this works really well.

I owe special thanks to Clemens Vasters who suggested this morning that the proper “hack” to get this working was to build DasBlog with Visual Studio 2005 and the Visual Studio 2005 Web Application Project add-on. DasBlog built out-of-the-box without issue, making the integration of TokenProcessor.cs to decrypt the SAML token a piece of cake.

If you haven't looked at Windows CardSpace yet, head on over to cardspace.netfx3.com and start reading. Now that Windows Internet Explorer 7.0 is released and Release Candidate 1 of .NET Framework 3.0 is available, you'll find the mainstream barriers to adoption are quickly eroding.

I hope Kevin also publishes his code so others can learn from it.

Privacy czar pushing for better ID protection

Anne Cavoukian's remarkable speech to the International Association of Privacy Professionals is available here in MP3 (total time: 23 minutes).

It's a ground-breaking speech.  It defines a new intersection between the privacy community and those of us who've been working in the blogosphere to understand and advance identity. 

It represents a substantial widening of the discussion we've been having in these pages. 

Dr. Cavoukian and her team have come up with a version of the Laws of Identity that teases out the privacy implications and articulates them with reference to the privacy discourse that has emerged over the last decade. 

I'll be publishing Anne's version so everyone can ponder the implications.

Here's how the CTV national television network described Anne's initiative:

Ontario's information and privacy commissioner says she supports a new global online identity system to protect consumers.

Dr. Anne Cavoukian said there are currently few ways for online consumers to tell the good guys from the bad guys.

“The existing identity infrastructure of the Internet is no longer sustainable,” she said. “Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise.”

The solution lies in the global online identity system based on seven “privacy-embedded” laws, she said.

“The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud,” said the release.

As a result, people are subject to new crimes like “phishing,” in which people are fooled into sending key information to what they think is a trustworthy business, but is actually an identity theft criminal.

The seven laws would create an “identity layer” for the Internet that would guard against such acts.

The “laws,” or principles, are:

  1. Personal control and consent
  2. Minimal disclosure for limited use: data minimization
  3. Justifiable parties: “need to know” access
  4. Directed identity: Protection and accountability
  5. Pluralism of operators and technologies: minimize surveillance
  6. The human face: Understanding is key
  7. Consistent experience across contexts: Enhanced user empowerment and control

The benefit of law 1 would be that an Internet user would store their identity credentials rather than in a centralized online database.

Law 2 would help by minimizing the amount of information given out for a given transaction — and that only the right information be given.

“In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one's age?” Cavoukian said.

These laws grew out of a global, blog-based dialogue amongst security and privacy experts, she said.

With the next generation of Web-based services (“Web 2.0”) emerging, more identity credentials and more trust will be required to make it work, she said.

Microsoft — proprietor of the Windows operating system, the fundamental software that allows a computer to run — is obviously a major player in personal computing security.

Cavoukian said Microsoft's next-generation operating system, called Vista, has some features that will help protect identity.

Vista, which is set for release in January, will introduce a technology called Cardspace. The system will use “infocards,” which will allow websites to verify a customer's identity without receiving or keeping personal or financial information.

Banks could function as middlemen in online purchases, sending payment confirmation to a retailer without sending the person's credit card number.

There would also be different infocards for different applications, much as people have different cards in real life for different purposes.

At a news conference on Wednesday, Kim Cameron, Microsoft's chief identity architect, said Cardspace is a start. He also said it can't just be a Microsoft thing.

“It has to work across Microsoft, Linux, Apple, every possible permutation and combination. It has to work on computers, it has to work on cellphones so it's really a very all embracing thing.”

Some companies have agreed to start accepting infocards, but Cameron wouldn't name the firms.

Both Cameron and Peter Cullen, Microsoft's chief privacy strategist, said another advantage of this coming system is it will allow users to avoid “password fatigue.”

Currently, people need to pick a user name and password when they register at an Internet website.

Because it's difficult to remember a large number of passwords, some use the same password for all websites, which creates a security risk.


Anti-phishing Mashup

Here's a site dedicated to phishing control that has produced a bizarre mashup that I find fascinating – Web 2.0 meets Magnum PI.  It combines information from the Anti-Phishing Working Group with novel visualization techniques and animation so you can analyse the topologies of phishing trips over time.

A phishing message arrives in your mailbox, pretending to be from a bank, or from an etailer such as eBay or Paypal. It directs you to a web page and asks you to enter your password or social security number to verify your identity, but the web page is not one actually associated with the bank; it's on some other server.

InternetPerils has discovered that those phishing servers cluster, and infest ISPs at the same locations for weeks or months.

Here's an example of a phishing cluster in Germany, ever-changing yet persistent for four months, according to path data collected and processed by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group (APWG) repository.

Phishing Cluster over Time

Figure 1: A Persistent Phishing Cluster

The ellipses in this animation represent servers; the boxes represent routers; and the arrows show the varying connectivity among them. Colors of boxes reflect ownership of parts of the network. Times are GMT.

The animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.

Graphs were produced using PerilScope™, which is InternetPerils' interactive topology examination interface, based upon the GAIN platform.

Go to their site to see the actual animated mashup.