Giving identity thieves the finger

Jerry Fishenden has been posting about biometrics recently, and I'll comment on the issues over the next little while. But before we get there, just to put everything in perspective, here's a piece from the BBC, quoted by Jerry, that I missed when it first came out.

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb.

The gang, armed with long machetes, demanded the keys to his car. It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off.

But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road – but not before cutting off the end of his index finger with a machete.

Police believe the gang is responsible for a series of thefts in the area.

Note to self:  don't purchase technology based on retinal scans.

Future discussion:  not only “things you are” but “things you know” can ultimately expose you to harm.

P.S.  Who would ever buy an S-Class?


Dynamic detection of client dialect requirements

It seems I might not have found quite the magic recipe yet in my attempt to dynamically recognize whether you are coming from a July CTP or release candidate client.  “Close, probably, but no cigar.”

If you have any kind of problem logging in with an Information Card, please email me the output of this diagnostic.

“Funny, it worked on MY machines.” (From Programming Yarns, Volume 1, Chapter 1). 

Sorry for having been a little optimistic about my initial success.  A bunch of people had reported that things worked – and I prematurely took that as meaning that they didn't NOT work.

I'm still trying to sort out why some people are having problems.  So if you don't mind trying out and mailing in the diagnostic, I'd really appreciate it.


Upcoming DIDW

I hope everyone's going to Digital ID World (DIDW) next week. We'll start on Monday with an Identity Open Space Unconference (don't worry, Virgos, they're unstructured, but not without shape and self-revealing purpose). Once this gives rise to the main event, there are a number of sessions that look fascinating for identity aficionados – like “What Do the Internet's Largest Sites Think About Identity?”, a panel moderated by Dan Farber and featuring representatives of the large sites and a new presentation by Dick Hardt. There will also be an OSIS meeting – and of course, the endless hallway conversation.

I'm pairing up with Patrick Harding (from Ping Identity) on a Wednesday session called “Understanding InfoCards in an Enterprise Setting”. It will include a demo that I think will really help show the concrete benefits of InfoCards inside the enterprise. What can you expect?

First, you'll see the latest version of Ping's InfoCard server, now featuring both Managed IdP as well as Service Provider capabilities. Ping's goal is to show how to seamlessly chain passive and active federation – allowing for on-the-fly privacy context switching.  They'll use real-world use-cases where passive federation gives way to active and vice-versa.

According to Andre Durand, Ping Identity's CEO:

“The Digital ID World demo will show two scenarios to depict how passive federation (via SAML 2.0 Web SSO Profiles or WS-Federation) and active federation (via CardSpace) can both play a role in enabling a seamless user experience for accessing outsourced applications. The plan is to demonstrate how passive and active federation work together to enable a myriad of different business use cases when chained together in different situations.

“Scenario 1:

“An enterprise employee leverages her internal employee portal to access applications that are hosted externally. In the first case we show how SAML 2.0 Web SSO (passive federation) is used to enable seamless access into the SF.com web site. The user accepts this as part of her employment contract – the employer has deemed that the use of SF.com is critical to their business and they want no friction for their sales force in entering information for forecasting purposes.

“In the second case we'll show how CardSpace is used to ‘optionally’ enable seamless access into the employee's Employee Benefits web site. As the Employee Benefits web site is made up of a mixture of personal and corporate information (i.e. 401k, health and payroll) the employee is given the choice of whether to enable SSO via the use of CardSpace. The Employee Benefits web site is enabled with CardSpace. After the user clicks on the ‘Benefits’ link in their corporate portal, she is prompted with different Cards (Employer and Benefits) which she can then choose between for accessing the Benefits web site. If she chooses ‘Employer’ then she will be enabled with SSO from the Corporate Portal in future interactions.”

By the way, Andre, please tell me there's some way for her to change her mind later!

“Scenario 2:

“An enterprise employee is traveling and loses her cell phone. She uses her laptop to access her corporate cell phone provider in an effort to have the phone replaced immediately. The employee would normally access this web site via SSO from her corporate portal. The cell phone provider web site is enabled with CardSpace to simplify the IdP discovery and selection process. The employee is prompted to use her Employer card to authenticate to her employer's authentication service. The cell phone provider web site leverages CardSpace to handle IdP Selection rather than having to discover this themselves. Once the user has authenticated to her employer the returned security token contains the relevant information to service the employee's request for a new cell phone.”

It all sounds very interesting – amongst the first examples of what it means to have a full palette of identity options.  Ping is emblematic of an emerging ecology – many of us, across the industry, moving us towards the Identity Big Bang.

Doc Searls will be doing the closing Keynote.  I'm really looking forward to that and to seeing you in Santa Clara.

The virtualization of crime

I love this piece by Scott Adams:

Imagine.  The Internet has no way of knowing who you are dealing with.  What environment could be more convenient for the criminally inclined?

Since starting to work on the Identity Metasystem I've learned more and more about the heists being pulled off in the context of virtual reality.  Over time, we have seen the attacks become more professionalized, and ultimately linked to well organized international syndicates.  Part of the basic equation is that the international nature of virtual reality makes it especially hard to deal with the type of organization that is emerging at the boundary of its interface with the brick and mortar world.

But recently, we've seen more highly focused attacks that are essentially artisanal.  It seems to be a case of “think globally, act locally.”  Some of the schemes put in place depend on intimate knowledge of the workings of specific sites, and even specific communities and individuals.  This is no longer generic targeting.  It's highly individualized, the work of community professionals of a special kind, who may draw upon internationally organized resources as necessary.

And of course this all makes sense.  Computerization has progressively worked its way through the various professions and industry sectors and nooks and crannies of our society, and we've reached the point that a growing number of criminals are no more likely to function without computers than are accountants (not to cast judgement on whether some accountants are or are not criminals…)

As the level of familiarity with technology grows and increasingly wider swaths of the population become aware of the opportunities that await us in virtual reality, it is obvious that more and more criminals will find their place there. 

I walked into my local Office Depot a few days ago and amazingly, almost all the stationery goods and high class pens and filing contraptions and things that have always made such places interesting had basically disappeared into a distant corner, while the whole center of the store consisted of computers, printers, electronic cash registers and cameras.  A further indication of the growing virtualization of which cyber criminalization is just as natural a part.

But to keep any balance at all, we really do need to fix the fundamental architectural problem of the internet: having a way that we can, when we want to, be sure who we are connecting with.

In other words, we need to put in place an Identity Metasystem.

Phil Becker on Identity's First Big War: a history lesson

Phil Becker is getting us ready for the DIDW in Santa Clara this September 11:

It's been half a decade since the first, and biggest, “identity war” ended. It is worth revisiting what happened (and what was learned) in light of how identity technology is gaining traction and beginning to face related challenges that could lead to similar issues arising again.

History has a way of looking inevitable in hindsight, like it really couldn't have turned out any different than it did. Those who lost can easily seem like they were just shortsighted, venal or stupid while others look unnaturally aware and smart. The truth is usually somewhat different, and if we are to benefit fully from the lessons of history, we must review it as objectively as possible.


Before I begin, however, I want to remind all my readers that our annual Digital ID World conference is just two weeks from Monday. It's August, and easy to think that it's further away than that. I wouldn't want you to miss out because you didn't get that two week advance air fare discount, or plan time to attend until too late. This year's conference is shaping up to be our best ever on several fronts. Check out the conference web site at http://conference.digitalidworld.com/2006 and when you register be sure you don't forget the $200 off discount code in the ad above.

I'm also doing a webinar next Thursday, August 31, exploring the convergence of physical and logical identity through deployment experience. As you can see from our conference schedule, I believe that deployment experience is the best way to understand identity technology. This webinar looks at this subject through a deployment experience, a subject that has been mostly talk but which is now becoming reality. You can register for that free webinar at: http://www.actividentity.com/didwebinar

The first identity war didn't start out as a war at all. It began when Microsoft, who had fully committed to web services long before anyone else, realized that an internet scale authentication infrastructure was required before those services could truly gain the traction they had envisioned.

As a company, Microsoft tends to look at computing problems through the lens of the user experience. In the case of the internet, this led them to see (earlier than most) the tremendous friction that requiring a user to log in to each web site with separate credentials created. In 1999, they began to address that problem with Passport, which they felt that they could grow to become an internet scale authentication system.


Brian Arbogast, then VP of .NET Core Services, summarized this in 2001 when he said, “Back in 1999, Microsoft looked at the Internet landscape. More and more, when people went to Web sites — to shop, retrieve news stories, download software or participate in chats — they had to log in, giving their name, password and, often, additional information. There are so many user names and passwords that people have to remember today that it can create a pretty frustrating experience; in fact, most people write that information down on paper — which is not a safe or secure way to store this information. Authentication services like Microsoft Passport are designed to help transform today's Internet and computing experience by enabling single sign-in to multiple sites and services with one secure password.”

Note how all of this is framed from the perspective of the user experience, with no recognition of how centralizing authentication might create side effects that people would be unhappy with. It is this framing of the problem that led Microsoft to miss those implications that would ultimately launch the first identity war. This view also led most of those involved in identity management at that time to view it narrowly as an exercise to achieve single sign-on.

In March of 2001, Microsoft took Passport to the next level, announcing Hailstorm, a way to use web services to create a unified identity experience on the internet. Announcing Hailstorm on March 19, 2001, Bill Gates said, “The .NET vision encompasses the idea of having your information wherever you want to go. This includes the future cell phones, your TV set, your tablet form factor PC, your desktop PC. Wherever you are, and whatever role you're in, whether you're working, you're acting as a family member, you're acting on behalf of some other group you belong to, your information will be there available in the context that's most appropriate for what you're trying to get done.”

Examining that sentence reveals that on one level, Microsoft understood precisely where the internet was going and what identity would have to provide to get it there. It is a classic example of how visionaries can see something so clearly that they miss (or drastically underestimate) the implications. Microsoft felt that the internet was just one centralized authentication system away from its “big bang” of value creation, and missed the devil that lurked in the details.

On stage that March day was Ray Ozzie, the person that Bill Gates is now turning Microsoft strategy over to. At that time Ozzie was CEO of Groove Systems, and said “what it's really about is enabling individuals out on the Internet who need to work together the ability very quickly, very spontaneously, to get together, to share information, to interact with one another directly over the Net — even across firewall boundaries. We believe that the services that are inherent to ‘HailStorm’ provide for a much richer user experience, and in general put the user in control of information that formerly has been in the control of apps of various types.”

Again, you see the focus on enabling a user experience, including the need for the user to feel in control of the identity transactions and information. At the same time, there was little or no understanding of the implications of the architecture chosen for the identity infrastructure. But those implications weren't missed by the public and the real “storm” was one of fear that Passport/Hailstorm just might work, with the result that Microsoft would end up controlling the identity information of the internet. The rumblings that would lead to the first identity war had begun.

In 2001, enterprise was also realizing it needed a way to unify its authentication infrastructures. It was being seen that directories just couldn't grow big enough to centralize all authentication without becoming projects that cost far more than they were worth, and that the cultural impact of centralizing all of the processes behind managing the data they held was unreasonable. In 2001, this pressure led to the SAML protocol efforts. These efforts to create a standard way to share authentication information across domains advanced very quickly and several demonstration projects with the proposed protocol occurred.

One of the first articles I wrote for the Digital ID World web site in 2002 was:  The Digital ID Wars Intensify…

In that article I wrote “last September marked the real beginning of the Single Sign On wars, and this is currently the hottest battlefield in the Digital Identity struggle (although there are many other battlefields that will show their faces as the struggle continues.)” The reference was to the formation of the Liberty Alliance in September 2001. That group formed specifically to find an alternative way to achieve single sign on without creating a centralized identity system. Liberty proceeded to build on the foundation of SAML, create their ID-FF protocol, and release it by July 2002. The word federation entered the identity conversation and the concept of networking decentralized identity domains using standardized protocols began gaining acceptance.

Under the pressure of the first identity war, Liberty Alliance did its job so rapidly and well that it has largely been forgotten how significant it was. The ID-FF protocol was incorporated into SAML 2.0, and the sub-battle over how federation would occur has largely been put to rest. The first identity war officially ended when Microsoft quietly shelved the renamed Hailstorm project, MyServices.

This first identity war deeply affected how identity technology has evolved since then. It is useful to revisit it because several large internet sites are again in the midst of deciding whether their identity systems should be open or closed, and how they should be architected. If they don't pay attention to what Microsoft learned in the first identity war, we can expect to see some bad experiences again.

Following the first identity war, Microsoft, deeply impacted by the experience, came to realize that *how* identity was implemented had far more implications than they initially imagined. In response they put more effort into the WS-* protocols to create far richer capabilities than just single sign on and allow greater flexibility in how those capabilities could be architected. In recent years, Kim Cameron has worked on defining a WS-* identity meta-system that allows interoperability between different identity infrastructures while creating an identity based user experience to be part of the forthcoming Microsoft CardSpace in Vista. Nearly all identity management systems today acknowledge that decentralization will grow, that federation is a required mode, and several competing user-centric identity architectures are vying for acceptance.

There are many more lessons to be drawn from the first identity war, among them being that understanding what is needed functionally is quite different from understanding how it should be provided or the implications of different approaches on how users will accept or reject the result. Identity is complex because it carries tremendous power — power to accomplish the desired goals, and power to create unanticipated side effects.

This is why gaining a good identity-centric perspective of computing is so essential to success in IT today. It is also why you are seeing identity unifying technology from the network layers through the application layers. Without an identity perspective, IT security and infrastructure tends to take on a “Whack-a-Mole” nature where the solution to one problem only seems to create two more problems.

I'm sure it will come as no surprise that I would tell you that the *very best* way to gain such a deep identity-centric perspective is by attending the Digital ID World conference. No one who attends will leave without gaining a deeper understanding and broader perspective of the place of identity in computing, how technology is evolving, the best practices that lead to success, and how each identity technology applies to the overall set of tasks at hand based on real world experience.

Identity is a Whack-a-Mole phenomenon?  Top that, Thucydides and Emerson!  Meanwhile, I hope to see everyone, especially Phil, at DIDW in Santa Clara.

Aggregation through a single identifier

Through the miracle of pingbacks I just came across Terrell Russell's blog, This Old Network.   Poking around, I was led to his cool proposal for MicroIDs, which I like and will discuss later.  I also found many interesting pieces, including today's interesting reflection related to issues addressed in my fourth law of identity:

First, our friend the search engine…

Search data recently released from AOL allows anyone with some intrepid follow-up skills and some social engineering to quickly narrow in on unique individuals – individuals who never considered their independent searches were being aggregated by their ISP. A recent flurry of activity designed to protect us from the search engines signals a slumbering uneasiness with this situation. Something dark has been uncovered and in the short term there is much handwaving and interest. However, as time passes, we’ll fall back into our ‘normal’ ways and continue to put our most personal information-seeking into that gloriously simple bare single box. “It’s just too convenient”, you say. “They’ve done nothing wrong.”

And here’s where the discussion changes. It’s not about Google. Or MSN. Or Yahoo. It’s about one person. Or one subpoena. The fact that it’s all being aggregated is the problem. The fact that there’s a potential for negligence, court-order or simple employee curiosity has profound implications for a great number of people. That is what makes this discussion so important.

Note that the reason employees could inappropriately access sensitive information was because it was sitting in databases they could get to – not because it was present on a card in someone’s wallet. 

Centralized databases worry me way more than any other aspect of this technology.

– Kim Cameron

We need to understand that our daily breadcrumbs – our attention – our personal interests in where we’re going and what we’re looking for and what we’re buying, are all being sucked up and stored with a unique identifier. We need to realize we’re broadcasting our attention and that it has great value to those who would suck it up. Inform yourself and make a conscious decision about where you spend your time and what you look for. You’re not alone while you surf. AOL has shown us the light.

And onto IM…

Most users think they’re anonymous behind their instant messenger accounts. They think their words aren’t being recorded. You think your friend on the other end of the IM doesn’t have her auto-logging turned on? And that it’s not fully searchable later? Severe paranoia and tin-foil hats notwithstanding, you’re being very naive.

And that’s just your friends. How about when the person on the other end reports you?

Earlier this week the UK government-funded Child Exploitation & Online Protection Centre announced a partnership with Microsoft Messenger. Messenger will be putting a button on the toolbar to allow any user to ‘report abuse’ to the authorities. This is a dangerous precedent. How is this any different than the Terrorist Information and Prevention System (TIPS) program proposed by the US back in 2002?

How much money will be tied up in the next 12 months because of this trigger being too easy to pull? How many prank reports will eat through the government funding? How will danah boyd react to the feeding frenzy this will create once the first one is ‘caught’?

Be aware of what you project. Be aware that this is a global medium. Be aware that it’s being broadcast and recorded. This Internet thing will be around for a while.

This should give those who think that maybe we should just back off identity issues and let things take “their natural course”, reason for pause.  I certainly hope that the “panic button” referred to above is limited to use within communities whose members consent to it.


David Weinberger – lover of the status quo?

David Weinberger at Joho the Blog has a thoughtful piece on privacy and anonymity that more or less wraps up the ongoing thread between him, Eric Norlin, Ben Laurie and others including myself.

It's long and detailed, so I suggest you check it out at Joho (don't get distracted by his piece about Snakes on a Plane.) 

While I have the chance I'll mention that I really don't like the way David uses the phrase “real world” – and counterposes it to the Internet. 

But here's what I wanted to discuss:

My fear is that we are in the process of building a new platform for identity in order to address some specific problems. We will create a system that, like packaged software, has defaults built in. The most important defaults in this case will not be the ones explicitly built into the system by the software designers. The most important defaults will be set by the contingencies of an economic marketplace that does not particularly value anonymity, privacy, dissent, social role playing, the exploration of what one is ashamed of, and the pure delight of wearing masks in public. Economics will drive the social norms away from the social values emerging. That is my fear.

Economics will drive the social norms?  Why isn't it possible that social behavior will also drive our economics?  Is there a cluetrain?

An obvious example might be the ability to market more effectively without ANY personally identifying information about an individual.  This sounds counterintuitive until you take into account the fact that people are willing to reveal more about themselves – and their needs – when they are not individually identified.

I have confidence that the people designing these systems are going to create the right software defaults. The people I know firsthand in this are privacy fanatics and insistent that individuals be in control of their data. This is a huge and welcome shift from where digital ID was headed just a few years ago. We all ought to sigh in relief that these folks are on the job.

I'm not sure if fanatics is the right word. Once you see that privacy is security from the point of view of the individual, then it just becomes a normal part of security modelling. 

But, once these systems are in place, vendors of every sort will of course require strong ID from us. If I want to buy from, say, Amazon, they are likely to require me to register with some ID system and authenticate myself to them…far more strongly and securely than I do when I pay with a credit card in my local bookstore. Of course, I don't have to shop at Amazon. But why won't B&N make the same demand? And Powells? And then will come the blogs that demand I join an ID system in order to leave a comment. How long before I say, “Oh, to hell with it,” and give in? And then I've flipped my default. Rather than being relatively anonymous, I will assume I'm relatively identified.

Where is the proof for this?  Vendors will want to do whatever lets them sell most effectively.  Pseudonymous relationships, as I mentioned above, may well be perfect for this.  Amazon sells to me by knowing what I like to read and watch – not by knowing my name.  Next generation credit and delivery systems will allow us to purchase without revealing anything about who we are or where we live to the merchant. 

With an identity platform in place, a payment transaction can be a one-time transaction guaranteed by a bank.  No name or credit card number is necessary.

With an identity platform in place, delivery can be done by giving the merchant a one-time transaction number linked to my Fedex account – without the merchant needing to know where I live or take responsibility for product delivery.

Why would merchants want to keep all the liability of the material world if they can reduce their costs and increase their sales by moving on into the virtual one?  Doesn't that sound real? 

Does that matter? I think it does, for the political, social and person reasons mentioned above. Don't make me also argue against being on one's best behavior and against being accountable for everything one does! I'm willing to do it! I will pull this car over and do it! Just try me!

The basic problem is, in my opinion, that the digital ID crew is approaching this as a platform issue. Most places on the Web have solved the identity problem sufficiently for them to operate. Some ask for the three digits on the back of your credit card. Some only sign you up if you confirm an email. Some only let you on if you can convince an operator you know the name of your first pet and the senior year season record of your high school's football team. Sites come up with solutions as needed.

David, David, David.  You think the current situation is so good for your privacy?  You like the increasing proliferation of personally identifying information that characterises the current technology?  You're happy with the way enterprises and governments build their centralized systems?  They aren't.  Everyone realizes that our current ways of doing things are too dangerous – and much of that comes from the fact that we have been forced to store information we don't need precisely because there has been no identity platform.

Good. Local solutions to local problems are less likely to change norms and defaults. But the push is on for an identity management platform. It's one solution — federated, to be sure — that solves all identity problems at once. If you want to change a social default, build a platform. That's not why they're building it, but that will (I'm afraid) be the effect. It's not enough that anonymity be possible or permitted by the platform. The default isn't about what's permitted but about what's the norm. If the default changes to being naked at the beach, saying, “Well, you can cover up if you want to,” doesn't hide the fact that wearing a bathing suit now feels way different. Yes, there's something wrong – and distracting – about the particulars of this analogy. But I think the overall point is right: We're talking about defaults, not affordances.

There are serious problems caused by weaknesses in current identity solutions. Identity theft is nothing to sneer at, for example. But are we sure we want to institute a curfew instead of installing better locks?

Is it better to have been born, or not to have been born? (Yes, I know what the ancients said.) 

There are dangers – do we therefore have to submit to a long sleep?

Trying out certificate behavior

I'm trying out revocation of my www.identityblog.com certificate – and changing my site's private key.

Since we are going where few men have gone before, in the worst case this might lead to abnormal behavior for those logging in with Information Cards over the next twenty-four hours. 

Identity blog should only be used for demos with an extra dose of caveats until I report back that the test has been concluded.

Normally this would be a ten minute test.  But the task is more daunting since I run my blog in ye-olde-typical-hosted environment.  I have no direct access to the machines or web servers or configuration – or control over anyone's schedule or priorities. 

Techies will understand that when you're not used to this it makes you a bit nervous.  But of course this is the way a great many people will experience things – and that's what I'm trying to get a feel for.


Law of Minimal Disclosure or Norlin's Maxim?

John at IDology has posted a more detailed description of how knowledge-based authentication works.  I'll pick up part of it here.  Go to his blog to see his response to Adam's comments.  John says:

“…Let's look at this in relation to an e-commerce transaction where we are buying something on the Internet over $250.

“First, because we (the consumers) have voluntarily submitted our information with the intention of entering into a business transaction, we have given our consent for the business to verify the information we’ve presented.

“Once the business receives the information, in the interest of controlling fraud and completing the transaction as quickly as possible (avoiding a manual review of the transaction by the business), it uses an automatic system to verify that the personal information submitted is linked to a real person and that I am indeed that person.

“Enter IDology’s knowledge-based authentication (KBA), which scours (without exposing) billions of public data records to develop on-the-fly intelligent multiple-choice questions for the person to answer. Our clients vary in their delivery of KBA: some reward their customer with expedited shipping for going through the process, others consider it a further extension of the credit card approval process, during which various data elements associated with the credit card are validated, such as address verification, along with the credit approval.

“The key is for a business to use a KBA system that bases its questions on non-credit data and reaches back into your public records history so that the answers are not easily guessed or blatantly obvious. Typically, consumers find credit-based questions (what was the amount of your last mortgage payment, bank deposit, etc.) intrusive and difficult to answer, and these types of answers can be forged by stealing someone’s credit report or accessed with compromised consumer data. Without giving away too much of our secret sauce, our questions relate to items such as former addresses (from as far back as college), people you know, vehicle information and anything else that can be determined confidentially while not exposing data from existing public data sources. Once the system processes the results (which is all real-time processing), it simply shares how many questions were answered right or wrong so that the business can determine how to handle the transaction further. The answers are not given within the transaction processing (protecting the consumer and the business from employees misusing data), and good KBA systems have lots of different types of questions to ask, so that the same questions are not always presented and one question doesn’t give away the answer to another…

“At the end of the day, the consumer, by completing this ecommerce transaction, is establishing a single pointed trusted identity with that business. The next extension is how the consumer can utilize this verification process to validate his/her identity to complete other economic transactions or have an established verified identity to make posts to a blog or enter into a conversation in a social network where participants have agreed to be verified to establish a trusted network or may be concerned with the age of someone in their verified network. To us, KBA can be an important part of establishing and maintaining a trusted identity.”

Let's begin by supposing this technology becomes widely adopted.

My first concern would regard the security of the system from the merchant and banking point of view.  Why wouldn't an organized crime syndicate be able to set itself up with exactly the same set of publicly available databases used by IDology and thus be able to impersonate all of us perfectly – since it would know all the answers to the same questions?  It seems feasible to me.  I think it is likely that this technology, if initially successful and widely deployed, will crumble under attack because of that very success.

My second concern regards the security of the system from the point of view of the individual; in other words, her privacy.  IDology's approach takes progressively more obscure aspects of a person's history and then, through the question and answer process, shares them with sites that people shouldn't necessarily trust very much. 

The scenario is intended to weed out bad apples talking to good sites, but if adopted widely, infringes the security of good apples talking to bad sites – or even of good apples talking to sites whose morals are influenced by the profit motive (not that there are many of those around.)

Is this really an application of minimal disclosure?  I fear it is more an application of Norlin's Maxim:  The internet inexorably pulls information from the private domain into the public domain.  As in the case of a tree falling in a forest with no one to observe it, historical data which, despite being digital, is left alone, represents less of a privacy problem than that which is circulated widely.

I would much rather see IDology apply its resources to the initial registration of a user, and provision a service which then releases only the results of its inquest (e.g. some number between 1 and 10) as an identity claim.  This would be data minimization in line with my second law.

I still worry that organized crime could take advantage of its access to public information to subvert even the singular registration phase, but at least the mechanisms used by IDology and like firms could include ones which attackers are unlikely to learn about (this is itself no small feat). 

Clearly, in line with the first law of identity, users would have to know what the strength of their rating is, and how to seek redress should it not be right. 
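Here is the alternative sketched above worked through in code, as an added example that is not the blog's or IDology's: the verifier asks the public-record questions once, at registration, keeps only a rating, and afterwards hands relying parties a signed claim carrying that rating and nothing else. The record table, the questions, the 1-to-10 scoring rule and the HMAC-signed claim format are all constructed stand-ins (a real identity provider would issue a signed security token; HMAC with a key shared between verifier and relying party keeps this runnable with the standard library alone).

```python
"""Claims-based KBA: questions asked once by the verifier, relying parties see
only a signed rating. Added example; records, questions, scoring and the
HMAC claim format are constructed stand-ins, not any vendor's design."""
import base64
import hashlib
import hmac
import json

# Constructed public-record data for one registrant (hypothetical, not real).
PUBLIC_RECORDS = {
    "alice": {
        "former_street": "Elm Street",
        "college_city": "Kingston",
        "first_car_make": "Honda",
        "known_associate": "Bob",
    },
}

# Anyone holding the same records can answer these too (the first concern in
# the post), so only the verifier ever asks them, and only at registration.
QUESTIONS = {
    "former_street": "Which street did you previously live on?",
    "college_city": "In which city did you go to college?",
    "first_car_make": "What make was your first car?",
    "known_associate": "Which of these people do you know?",
}


def score_registration(subject: str, answers: dict) -> int:
    """Collapse the answers into a 1..10 rating; the answers are not retained."""
    record = PUBLIC_RECORDS[subject]
    correct = sum(1 for k, v in record.items()
                  if answers.get(k, "").strip().lower() == v.lower())
    return 1 + 9 * correct // len(record)   # none right -> 1, all right -> 10


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Verifier:
    """Registration-time verifier and claim issuer."""

    def __init__(self, signing_key: bytes, pseudonym_salt: bytes):
        self.signing_key = signing_key        # shared with relying parties (assumption)
        self.pseudonym_salt = pseudonym_salt  # never leaves the verifier
        self.ratings = {}                     # subject -> rating

    def register(self, subject: str, answers: dict) -> int:
        self.ratings[subject] = score_registration(subject, answers)
        return self.ratings[subject]

    def rating_for(self, subject: str) -> int:
        """First law: the user can see the rating and contest it if it is wrong."""
        return self.ratings[subject]

    def issue_claim(self, subject: str, audience: str, now: int, ttl: int = 300) -> str:
        # Pairwise pseudonym so two relying parties cannot correlate the user.
        sub = hmac.new(self.pseudonym_salt, f"{audience}|{subject}".encode(),
                       hashlib.sha256).hexdigest()[:16]
        payload = {"sub": sub, "aud": audience, "assurance": self.ratings[subject],
                   "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig


def verify_claim(token: str, key: bytes, audience: str, now: int) -> dict:
    """Relying-party side: check signature, audience and validity window."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload.get("aud") != audience:
        raise ValueError("claim was issued for a different relying party")
    if not payload["iat"] <= now < payload["exp"]:
        raise ValueError("claim outside its validity window")
    return payload


def relying_party_accepts(token: str, key: bytes, audience: str, now: int,
                          threshold: int = 7) -> bool:
    """The merchant decides on the rating alone; no record data reaches it."""
    try:
        return verify_claim(token, key, audience, now)["assurance"] >= threshold
    except (ValueError, KeyError):
        return False


def bump_assurance(token: str, new_score: int) -> str:
    """Edit the rating without re-signing, to show the signature check catches it."""
    body, _, sig = token.partition(".")
    payload = json.loads(_unb64(body))
    payload["assurance"] = new_score
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    key, salt = b"\x01" * 32, b"\x02" * 16   # constructed keys
    v = Verifier(key, salt)
    print("rating:", v.register("alice", {"former_street": "elm street",
                                          "college_city": "Kingston",
                                          "first_car_make": "Ford",
                                          "known_associate": "Bob"}))
    tok = v.issue_claim("alice", "shop.example", now=1_000)
    print("payload the merchant sees:", verify_claim(tok, key, "shop.example", 1_100))
    print("accepted:", relying_party_accepts(tok, key, "shop.example", 1_100))
    print("tampered accepted:", relying_party_accepts(bump_assurance(tok, 10), key, "shop.example", 1_100))
```

The payload a relying party decodes holds a pairwise pseudonym, the audience, the rating and a validity window; the former addresses and acquaintances that produced the rating stay with the verifier, which is the minimal-disclosure point. The audience check matters as much as the signature: without it a claim released to one site could be replayed to another, and the pairwise pseudonym keeps two sites from linking the same person through the claim.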

It's not my place to argue how things should be done – I'm just expressing my concerns about John's system as he has described it and I have understood it.

In short, I would much prefer a claims based approach to that of having the “secret public” information flow through untrusted relying parties.  I especially worry about teaching users to enter even more obscure information into forms appearing on free-floating web pages – which would be like enrolling them in a graduate course at the School of Blabbing Your Secrets.

Issues raised by Knowledge Verification

Adam at Emergent Chaos outlines several issues he thinks arise from IDology's approach to Knowledge Verification:

I don’t like these types of systems for three reasons:

First, they are non-consensual for the consumer. Companies such as IDology make deals with other companies, such as my bank, and then I’m forced to use the system.

Second, the information that such companies can gather is probably already being gathered by Choicepoint, Axciom, Google, and others. So the assertions that “it's cheap for us, and expensive for the attackers” are hard to accept as credible.

Third, if truth and your database don’t agree, then we’re forced to have a reconciliation process, in which I, or the id thief, convince the company to change its answers. How does that process work?

I hope John at IDology can respond at the same time he gives us concrete examples of how the system works in practice.