Category: Digital Identity

Half-life of personal information

In November I coined the term “Identity Chernobyl” for Britain's HMRC fiasco (at least it seems that way when I look at Google).

Cory Doctorow elaborates on this in a nice Guardian piece:

When HM Revenue & Customs haemorrhaged the personal and financial information of 25 million British families in November, wags dubbed it the “Privacy Chernobyl”, a meltdown of global, epic proportions [Hey, Cory, are you calling me a wag? – Kim].

The metaphor is apt: the data collected by corporations and governmental agencies is positively radioactive in its tenacity and longevity. Nuclear accidents leave us wondering just how we're going to warn our descendants away from the resulting wasteland for the next 750,000 years while the radioisotopes decay away. Privacy meltdowns raise a similarly long-lived spectre: will the leaked HMRC data ever actually vanish?

The financial data in question came on two CDs. If you're into downloading movies, this is about the same size as the last couple of Bond movies. That's an incredibly small amount of data – my new phone holds 10 times as much. My camera (six months older than the phone) can only fit four copies of the nation's financial data.

Our capacity to store, copy and distribute information is ascending a curve that is screaming skyward, headed straight into infinity. This fact has not escaped the notice of the entertainment industry, where it has been greeted with savage apoplexy.

Wet Kleenex

But it seems to have entirely escaped the attention of those who regulate the gathering of personal information. The world's toughest privacy measures are as a wet Kleenex against the merciless onslaught of data acquisition. Data is acquired at all times, everywhere.

For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it.

Hidden in that toxic pile are a million seams waiting to burst: a woman secretly visits a fertility clinic, a man secretly visits an HIV support group, a boy passes through the turnstiles every day at the same time as a girl whom his parents have forbidden him to see; all that and more.

All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper.

How long does this information need to be kept private? A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side.

If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor.

Every gram – sorry, byte – of personal information these feckless data-packrats collect on us should be as carefully accounted for as our weapons-grade radioisotopes, because once the seals have cracked, there is no going back. Once the local sandwich shop's CCTV has been violated, once the HMRC has dumped another 25 million records, once London Underground has hiccoughup up a month's worth of travelcard data, there will be no containing it.

And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror.

The best answer is to make businesses and governments responsible for the total cost of their data collection. Today, the PC you buy comes with a surcharge meant to cover the disposal of the e-waste it will become. Tomorrow, perhaps the £200 CCTV you buy will have an added £75 surcharge to pay for the cost of regulating what you do with the footage you take of the public.

We have to do something. A country where every snoop has a plutonium refinery in his garden shed is a country in serious trouble.

The notion of information half-life is a great one.  Let's adopt it.

The tendency for “information to merge” is one of the defining transformations of our time.  When it comes to understanding what this means, few think forward, or even realize that there “is a forward”.

The “contextual separation” in our lives has been central to our personalities and social structures for many centuries.   

Call me conservative, but we need to  retain this separation. 

The mobility and clonability of digital information, in combination with commercial interest and naivite, lead us toward a vast sea of personal information intermixed with our most intimate and tentative thoughts. 

The essence of free-thinking is to be able to think things you don't believe as part of the process of grasping the truth.  If the mind melts into the computer, and the computer melts into a rigid warehouse of indelible data, how easy is it for us to change, and what is left of the mind that is “transcendental” (or even just unfettered…)?

The ramifications of this boggle the mind.  The alienation it would cause, and the undermining of institutions it would bring about, concern me as much as any other threat to our civilization.

    

Scotland's eCare wins award

Scotland's eCare has been recognised at an international awards ceremony on good practice in data protection.  On Tuesday, 11 December, the Data Protection Agency of the Region of Madrid awarded the eCare framework one of two “special mention” awards.  The aim of the annual prize is to expand the awareness of best practices in data protection by government bodies across Europe.

I'm really pleased to see the authors of eCare recognized. They have created a system for sharing health information that concretely embodies the kind of thinking set out in the Laws of Identity.

A Scottish Executive publication describes eCare this way:

The system is designed with a central multi-agency eCare store in a ‘demilitarised’ zone (hanging off NHS net), which links to the multiple back office legacy systems operating locally in the partner agencies. This means that each locality will have its own locally defined and unique approach.

All data shared is subject to consent by the client. The system users are authenticated through their local systems, and are only entitled to view the data of their clients. Clients can change their consent status, and as soon as this is logged on the local system the records cannot be viewed by the partner practitioners.

Benefits that the programme will deliver

The direct benefit to the citizen will be through improved experience of care. Single Shared Assessment, through electronic information sharing, will reduce the volume of questions repeatedly asked by professionals, as data will only have to be collected from the client once, then shared through the technology.

The Children's Services stream will focus on the delivery of an electronic Personal Care Record, an Integrated Children’s Services Record, and a Single Assessment Framework for sharing, to benefit both Scotland’s children, and care practitioners. Across the streams’ care groups, practitioners will save time, because core data will be shared, rather than gathered by multiple agencies. This will reduce the possibility of duplicated or inappropriate care. A more holistic picture of the client will be created, which will help to ensure services that more accurately meet peoples needs.

The principal deliverables of the Learning Disability stream are the development of integrated local service records, which will help planning across a range of services, and the piloting of a national anonymised database, which will enable the Scottish Executive to monitor implementation of ‘The same as you?’ initiative.

Ken Macdonald, Assistant Commissioner (Information Commissioner’s Office, which provided a note of support for the eCare application) has commented:

It is wonderful to see UK expertise in data protection being officially recognised in Europe for the second year running.  Recent events have highlighted the need to comply with the principles of the Data Protection Act and I am delighted to see the eCare Framework and the Scottish Government setting such a fine example to others not just in the UK but throughout Europe.

I hope the work is published more broadly.  From seeing presentations on the system, it partitions information for safety.  It employs encrypted data, not simply network encryption.  It favors local administration, and leaves information control close to those responsible for it.  It puts information sharing under the control of the data subjects.  It consistently enforces “need to know” as well as user consent prior to information release.  In fact it strikes me as being everything you would expect from a system built after wide consultation with citizens and thought leaders – as happened in this case.  And not surprisingly with such a quality project, it uses innovative new technologies and approaches to achieve its goals.

NAO's “redaction” adds fuel to the flames

Google's Ben Laurie has a revealing link to correspondence published by the National Auditing Office relating to HMRC's recent identity disaster. 

He also explains that the practice of publishing “redacted texts” is itself outmoded in light of the kinds of statistical attacks that can now be mounted.  He concludes that, “those who are entrusted with our data have absolutely no idea of the threats it faces, nor the countermeasures one should take to avoid those threats.”

In the wake of the HMRC disaster (nicely summarised by Kim Cameron), the National Audit Office has published scans of correspondence relating to the lost data.

First of all, it's notable that everyone concerned seems to be far more concerned about cost than about privacy. But an interesting question arises in relation to the redactions made to protect the “innocent”. Once more, NAO and HMRC have shown their lack of competence in these matters…

A few years ago it was a popular pastime to recover redacted data from such documents, using a variety of techniques, from the hilarious cut'n'paste attacks (where the redacted data had not been removed, merely covered over with black graphics) to the much more interesting typography related attacks. The way these work is by working backwards from the way that computers typeset. For each font, there are lookup tables that show exactly how wide each character is, and also modifications for particular pairs of characters (for example, “fe” often has less of a gap between the characters than would be indicated by the widths of the two letters alone). This means that if you can accurately measure the width of some text it is possible to deduce which characters must have made up the text (and often what order those characters must appear in). Obviously this isn't guaranteed to give a single result, but often gives a very small number of possibilities, which can then be further reduced by other evidence (such as grammar or spelling).

It seems HMRC and NAO are entirely ignorant of these attacks, since they have left themselves wide open to them. For example, on page 5 of the PDF, take the first line “From: redacted (Benefits and Credits)”. We can easily measure the gap between “:” and “(“, which must span a space, one or more words (presumably names) and another space. From this measurement we can probably make a good shortlist of possible names.

Even more promising is line 3, “cc: redacted@…”. In this case the space between the : and the @ must be filled by characters that make a legal email address and contain no spaces. Another target is the second line of the letter itself “redacted has passed this over to me for my views”. Here we can measure the gap between the left hand margin and the first character of “has” – and fit into that space a capital letter and some other letters, no spaces. Should be pretty easy to recover that name.

And so on.

This clearly demonstrates that those who are entrusted with our data have absolutely no idea of the threats it faces, nor the countermeasures one should take to avoid those threats.

Childrens’ birthdates, addresses and names revealed

Here is more context on the HMRC identity catastrophe.    

According to Terri Dowty, Director of Action on Rights for Children (ARCH):

“This appalling security lapse has placed children in the UK in immediate danger especially those who are already vulnerable. Child Benefit records contain every child’s address and date of birth [italics mine – Kim]. We are not surprised that the Chair of HMRC’s Board has resigned immediately.”

Last year Terri Dowty co-authored a report for the British Information Commissioner which highlighted the risks to children’s safety of the government’s policy of creating large, centralised databases containing sensitive information about children. But he says the government chose to dismiss the concerns of the report's authors. 

Dowty's experience is a clear instance of my thesis that reduction of identity leakage is still not considered to be a “must-have” rather than a “nice-to-have”.

“The government has recently passed regulations allowing them to build databases containing details of every child in England. They have also announced an intention to create a second national database containing the in-depth personal profiles of children using services. They have batted all constructive criticism away, and repeatedly stressed that children’s data is safe in their hands.

“The events of today demonstrate that this is simply not the case, and all of our concerns for children’s safety are fully justified.”

The report ‘Children’s Databases: Safety and Privacy’ can be downloaded here.

Today the “inconvenient” input of people like Terry Dowty is often dismissed – much the way other security concerns used to be – until computer systems began to fall under the weight of internet and insider attacks…

I urge fellow architects, IT leaders, policy thinkers and technologically aware politicians to consider very seriously the advice of advocates like Terry Dowty.  We can deeply benefit from building safe and privacy-enhancing systems that are secure enough to withstand attack and procedural error.  Let's work together to translate this thinking to those who are less technical.  We need to explain that all the functionality required for government and business can be provided in ways that enhance privacy, rather than diminish it or set society up for failure.   

Feeling fragmented?

Here is one of the best comments on digital identity I have ever seen.  Francis Shannahan makes it crystal clear how overly fragmented our online identities really are.  But he also shows perfectly that it would make no sense to try to compress all aspects of ourselves into a single context.  This is exactly the contradiction the Identity Metasystem is intended to resolve.

I love the diagram because it is so concrete – click on it to make it readable.  At the same time, it avoids over-simplification.  Francis has captured a lot about the yin and yang of identity, and I hope this diagram becomes an emblem for us.

“A few weeks ago I joined Facebook (after much resistence). Facebook sucks you in, making it so easy to give up bits of information about yourself, many times without even realizing it. It occurred to me that I'm leaving pieces of my identity everywhere.

“Last night I took a stab at listing out the various entities that know me, regardless of how they know me. The list is overwhelming. It quickly became apparent that to develop a comprehensive list was not feasible. What I ended up with was a good all around representation. I then generalized it to include things not solely pertaining to me as an individual (e.g. I'm an immigrant, I can never have govt clearance).

“With all the talk of identity and claims federation, this was a good way to step back and at least understand the problem space a little better. I'm sure there are other such diagrams out there but the benefit for me was to go through the process of drawing it rather than take one off the shelf.

“Here's the diagram, it turns out there are bits of us EVERYWHERE!!!  Click for a larger view.

Continue reading Feeling fragmented?

Display Tokens in Information Cards

I recommend an interesting exchange between Citi's Francis Shanahan, Microsoft's Vittorio Bertocci, and University of Wisconsin's Eric Norman.  Here's the background.  Francis has spent a lot of time recently looking in depth at the way CardSpace uses WS-Trust, and even built a test harness that I will describe in another piece.  While doing this he found something he thought was surprising:  CardSpace doesn't show the user the actual binary token sent to a relying party – it shows a description crafted by the identity provider to best communicate with the user.

(The behavior of the system on this – and other – points is documented in a paper Mike Jones and I put together quite a while ago called “Design Rationale Behind the Identity Metasystem Architecture“.  There is a link to it in the WhitePapers section on my blog.)

Francis has his priorities straight, given the way he sees things:

I'm not sure how to solve this. I'm not sure if it's a fault inherent in the Identity Meta-system or if it's just a fact of life we have to live with.

I would never want to put the elegance of a meta-system design and accommodation of potential future token types ahead of supporting Law #1.

There is no question that elegance of design cannot be pitted against the Laws of Identity without causing the whole design to fail and any purported elegance to evaporate.

So clearly I think that the current design delivers the user control and consent mandated by the First Law of Identity. 

Let's start by seeing the constraints from a practical point of view.  In an auditing identity provider, one of the main characteristics of the system is that the provider knows the identity of the relying party.  Think of the consequences.  The identity provider is capable of opening a back channel to any relying party and telling it whatever it wants to.  In fact, from a purely technical point of view, the identity provider can just broadcast all the information it knows about you, me and all our activities to the entire world! 

We put trust in the identity provider when we provide it with information that we don't want universally known.  And more trust is involved when we accept “auditing mode”, in which the identity provider is able to help protect us by seeing the identity of the party we are connecting with (e.g. during a banking transaction).

Should we conclude the existence of scenarios requiring auditing mean the laws aren't “laws”?

“Going back to my original question which was “Does the DisplayToken violate the First Law of Identity?” I am not convinced it does. What I think I am discovering is that the First Law of Identity is not necessarily enforced.

“For me, being Irish Catholic (and riddled with guilt as a result) I take a very hard-line approach when you start talking about “Laws”. For example, I expect the Law of Gravity to be obeyed. I don't view it as a “Recommendation for the Correct Implementation of Gravity”…

The point here is that when the user employs an auditing identity provider, she should understand that's what she is doing. 

While we can't then prevent evil, we can detect and punish it.  The claims in the token are cryptographically bound to the claims in the display token.  The binding is auditable.  So policy enforcers can now audit that the human readable claims, and associated information policy, convey the nature of the underlying information transfer.  

This auditability means it is possible to determine if identity providers are abiding by the information policies they claim they are employing.  This provides a handle for enforcing and regulating the behavior of system participants.

We've spoken so far about “auditing” identity providers.  The system also supports “non-auditing” providers, who do not know the identity of the relying party.  In this case, a back channel is not possible.  The auditing of the accuracy of the display token is still possible however.

There is also an option for going even further, through the use of “minimal disclosure tokens”.  In such a system, the user can have an identity provider that she operates, and which submits her claims to a service for validation.  In this architecture, the user can really be guaranteed that there are no back channels or identity-provider injected goop.

Again, we are brought to understand that the identity metasystem spans a whole series of requirements, use cases and behaviors.  The most important thing is that it support all of them. 

I do not want a “non-auditing” bank account.  In that context, display tokens bound to information tokens and associated with an information policy all seem fine to me.

On the other hand, when browsing the web and doing many other types of transactions I want to prevent any identity provider from profiling me or obtaining any more information than necessary.  Minimal disclosure tokens are the best answer under those circumstances.

The uberpoint:  unless we have a system that embraces all these use cases, we break more than the first law.  We break the laws of minimal disclosure, necessary parties, identity beacons, polymorphism, human integration and consistent experience.   We need a balanced, pragmatic approach that builts transparency, privacy, user control and understanding into the system – integrated with a legal framework for the digital age.

Ready or not: Barbie is an identity provider…

From Wired's THREAT LEVEL, news of an identity provider for girls.

Just today at the CSI Conference in Washington, DC, Robert Richardson was saying he saw signs everywhere that we were “on the cusp of digital identity truly going mainstream”.  Could anything be more emblematic of this than the emergence of Barbie as an identity provider?  It's really a sign of the times. 

From the comments on the Wired site (which are must-reads), it seems Mattel would be a lot better off giving parents control over whitelist settings (Law 1:  user control and consent).  It would be interesting to review other aspects of the implementation.  I guess we should be talking to Mattel about support for “Barbie Cards” and minimal disclosure…  I certainly tip my hat to those involved at Mattel for understanding the role identity can play for their customers.

At last, a USB security token for girls! 

Pre-teens in Mattels’ free Barbie Girls virtual world can chat with their friends online using a feature called Secret B Chat. But as an ingenious (and presumably profitable) bulwark against internet scum, Mattel only lets girls chat with “Best Friends,” defined as people they know in real life.

That relationship first has to be authenticated by way of the Barbie Girl, a $59.95 MP3 player that looks like a cross between a Bratz doll and a Cue Cat, and was recently rated one of the hottest new toys of the 2008 holiday season.

The idea is, Sally brings her Barbie Girl over to her friend Tiffany's house, and sets it in Tiffany's docking station — which is plugged into a USB port on Tiffany's PC.  Mattel's (Windows only) software apparently reads some sort of globally unique identifier embedded in Sally's Barbie Girl, and authenticates Sally as one of Tiffany's Best Friends.

Now when Sally gets home, the two can talk in Secret B Chat. (If Sally's parents can't afford the gadget, then she has no business calling herself Tiffany's best friend.)

It's sort of like an RSA token, but with cute fashion accessories and snap-on hair styles. THREAT LEVEL foresees a wave of Barbie Girl parties in the future, where tweens all meet and authenticate to each other — like a PGP key signing party, but with cupcakes.

Without the device, girls can only chat over Barbie Girls’ standard chat system, which limits them to a menu of greetings, questions and phrases pre-selected by Mattel for their wholesome quality. 

In contrast, Secret B Chat  lets girls chat with their keyboards — just like a real chat room. But it limits the girl-talk to a white list of approved words. “If you happen to use a word that's not on our list (even if it's not a bad one), it will get blocked,” the service cautioned girls at launch. “But don't worry —  we're always adding cool new words!”

By the way, Kevin Poulsen has to get the “High Tech Line of the Year Award” for “a PGP key signing party, but with cupcakes.”  Fantastic!

[Thanks to Sid Sidner at ACI for telling me about this one…]

OSIS User-Centric Identity Interop at Catalyst Europe

OSIS conducted the third in our series of User-Centric Identity Interop events last week at the Burton Group Catalyst conference in Barcelona. 

As in San Francisco, the Burton Group hosted and provided support for the event, and in this posting, analyst and cat herder Bob Blakley reports on what was accomplished:

There were a few differences between the Barcelona interop and the earlier event held at Catalyst North America 2007.   The most noticeable difference is that the Barcelona interop has been conducted entirely in public.  You can visit the Interop wiki to see details of the organization, planning, use cases, and participants; if you’re in a hurry, though, I’ll summarize here.

Fourteen projects and organizations participated; you can see the list here.

The participants tested 6 identity selectors, 13 identity providers, and 24 relying parties.  The Barcelona interop added a significant amount of testing of OpenID interoperability; 6 OpenID providers and 5 OpenID relying parties participated.

The participants have posted their results on the wiki, and a few words are in order about these results.  The first thing you’ll notice is that there are a significant number of “failure” and “issue” results.  This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems.  What you don’t see in the matrix is that when testing began, there were even more failures – which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes.  When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

I’d like to call your attention to one more thing.  At the Catalyst North America interop in San Francisco, all the interop participants were onsite, sitting in a room together.

Here in Barcelona, as you can see in the Participant Profile table, about half the participants worked remotely.  What this means in practical terms is that a lot of the components in this interop were accessed over the Internet, in the same configuration you’d use if you deployed them in your business.

I expect that the results table will continue to evolve for a while as additional information from the event is digested and entered into the wiki; I’ll probably post another blog entry with some analysis of the significance of the results after the conference is over and I’ve gotten some sleep.  But my preliminary sense is that this interop continued to demonstrate progress toward an open, deployable, interoperable identity metasystem. Continue reading OSIS User-Centric Identity Interop at Catalyst Europe

Agenda Setters 2007

Friends have pointed out that the awards panel at Silicon.com ranked me at No. 33 on their Agenda Setters Top 50 List for 2007. Looking at the people on the list, it's a great honor, and one which I think reflects the fact that more and more people are understanding the importance of identity.

Silicon.com writes:

Kim Cameron is the only Microsoft name to appear on the 2007 Agenda Setters list and he's there because the panel felt that the identity management work he oversees is one of the few really innovative areas where Microsoft is active.

As ID and access guru at the software giant, Cameron has driven the development of systems such as the Active Directory, which helps users identify fraudulent activity to combat spam and phishing.

With online crime and fraud on the rise, Microsoft's Vista incorporates a lot of the technology that Cameron has been overseeing and which is being promoted as a major advantage of the new operating system.

Security and ID management will continue to be a big issue and so the work Cameron has been doing will continue to be extremely influential over the next few years.

For the record, I actually think this is quite a good time in terms of innovation at Microsoft. I see the company's support for my work, which would challenge any organization, as a remarkable sign. But this isn't the moment to cast aspersions on the panel's good sense!

So instead, I'd like to thank them for their interest in identity.  In my view the honor really belongs to all those who have been working on identity and security issues and technology, both inside Microsoft and across the industry.

By the way, people actually get to vote to increase or decrease my ranking (see below).   (This may not be ideal since Linus Torvalds and a number of other popular technologists appear below me in the list! )

Long Zheng tweaks Information Card icon

Long Zheng's blog – iStartedSomething.com – is way cool , and though he describes himself as “technophobic”, he has not only understood the meaning of Information Cards – he has applied his obvious talent to tweaking the icon

A while ago, Microsoft began working on an icon to symbolize Information Cards. The download describes, “this icon is intended to provide a common visual cue that Information Cards can be used to provide information to a site or program, similarly to how the RSS icon is used to indicate the availability of syndicated content.”

If you don’t know what InfoCards are, these are basically virtual cards containing identification information such as your name which can be sent and received by websites and web services. On Windows, this is implemented via the CardSpace technology. Other platforms have their own implementation but theoretically Information Cards are universal. If you’re on Vista, type “CardSpace” into your start menu, make an InfoCard for yourself and use it on the demo site here.

I think the idea of an icon is great, especially in comparison to the RSS icon which not only serves as a symbol but also a promotional message to attract people to subscribe to content. On top of just indicating a website is ‘InfoCards compatible’, it also spreads the word about InfoCards. However I wasn’t too keen on the design. The purple was unique, but it wasn’t very bright or vivid either. The roundness of the outside border didn’t match the squareness of the inside cutout. But I did like the “i”, and how it is shaped like a person.

I had a stab at coming up with my own alternative design. Continue reading Long Zheng tweaks Information Card icon