Sir Jerry?

I chose the article below, entitled “Microsoft slams UK ID card database”, out of more than 10,000 blogosphere and magazine references to Jerry Fishenden's recent piece in the Scotsman (I carried it here.) What an amazing demonstration of the way the Blogosphere can light up when someone says what needs to be said.

Jerry is the National Technology Officer for Microsoft in Britain, and I really commend him for trying to convince the British Home Office to back away from a plan which doesn't at all seem to have been thought through technically or embody the Laws of Identity.

On my recent visits to England, I didn't encounter one individual with an IT background who approved of the current Home Office proposals – whether they were high ranking government officials, industry experts, consultants or people interested in public policy. And I met many hundreds.

Here's the content of the article.

Microsoft‘s national technology officer has attacked the UK government's plans for a centralised database supporting the proposed national ID card scheme.

Jerry Fishenden told that current plans for a centralised database with large amounts of information on each person are a mistake, and could lead to “massive identity fraud”.

He went on to criticise the IT industry for not clearly voicing the real concerns.

“It is unnecessary to build a system with all the data in one place,” he said. “The Home Office should be basing the design on the knowledge that any system of that size will be breached, most likely by criminal gangs with huge resources.”

When asked why he was making such statements on the day the Commons voted on the ID Card Bill, Fishenden said only that the IT industry had so far not been getting its views across properly.

“When we attend meetings with the Home Office I have noticed that industry representatives do not voice their concerns very much. Only outside the meetings do you hear their concerns,” he explained.

Fishenden pulls no punches concerning the industry's lack of input so far. ” I do not think that the IT industry has been coherent and consistent enough about the way the ID card system is conceived,” he said.

“Any ID system needs only to keep information that is appropriate to a particular search in one location. That way you reduce the impact of loss or theft by decentralising the data.”

Part of the problem could be because the Home Office liaises with a number of IT industry groups, notably Eurim, Intellect and the British Computer Society (BCS).

Fishenden maintained that his views are supported by the BCS, which has made similar representations to the Home Office.

“The IT industry needs to find a language in relation to privacy and identity to talk to the wider community,” said Fishenden.

Critics may see the attack as a means of pulling the programme more in the direction of Microsoft's view of IT systems.

Fishenden sees no conflict of interest in saying that “decentralised IT is part of Microsoft's philosophy. It's all part of our shared services agenda.”

Again, hats off to Jerry Fishenden – I look forward to seeing him and shaking his hand. I hope one day he will be one of those knighted for bravery, valor, and defense of Britain's identity information. And I continue to hope the Home Office will look at some of the ways they could use cryptography and distribution to build a much safer system capable of achieving the goals they seek without tempting entropy.

The ultimate biometric

Stefan Brands pointed us recently to an editorial by Neils A Bjergstrom, long-time IT security expert and editor of the Information Security Bulletin. As Stefan says, the piece does “a great job of explaining in plain language the most important concerns and issues that ought to be addressed:”

If you still haven't gotten around to reading LSE's report into the UK government's Identity Project you can fetch it here:

It's a bit over 300 pages long and fascinating reading. It concludes – like earlier editorials in ISB – that the proposed project is not feasible, saying that the proposals are too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence. LSE's report also concludes that the risk of failure in the current proposal is therefore magnified to the point where the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals.

I will add to this that the proposals are particularly unimaginative. Given a blank slate for such a fascinating potentially future-shaping project, is this really the best vision politicians and government employees can come up with?

The whole approach to this project is reactive rather than forward-looking and proactive. The justifications for introducing a national identity system in the Bill include ‘the interest of national security’, ‘the enforcement of prohibitions on unauthorised working’, ‘enforcement of immigration controls’ and ‘prevention and detection of crime’.

These goals seem to be missing: ‘enabling and facilitating a society based on e-commerce’, ‘increasing individual freedom by enhancing anonymity and privacy’, ‘enabling irrefutable authentication of humans to machines’ and ‘providing individuals with transactional security’. These are some of the positive drivers of an eID system, some of the drivers that will actually be able to underpin the acceptance by the public and justify the huge expenses initially associated with establishing and not least running an eID system. I also think that the positive drivers are better predictors of a positive ROI of such a project. In fact I think it will be quite easy to demonstrate a high likelihood of a positive ROI if you follow the path of analysing the potential benefits of an eID system rather than focussing on the preventive measures you can tie to such a system like the legislation does.

For a moment, let us look at the concept of identity. What is an identity? Well, a person normally has a whole range of different identities: the ‘IT trouble-shooter’ on the job, the ‘regional champion’ in the go-kart club, ‘Mrs. Smith’ in the GP's office, etc. Thus, identities are context-specific. They are maintained by individuals as social and economic players in society.

How can one substantiate a claim to a particular identity? By having an employee badge at the job, a membership card in the go-kart club and a National Security card at the medical centre, for example. In other words, by authenticating oneself. An identity can only be substantiated through authentication. This again implies some sort of enrollment process: in order to acquire an identity in a given context you need to enroll. In the UK most identities are based on being able to show documents such as a driving license or utility bills, i.e. resting on an earlier enrollment and its ensuing identity. At the bottom of this hierarchy somebody witnesses a birth and testifies to the fact: Mrs Jones has had a baby girl (who later married Mr. Smith but that is an added complication). Somebody issues a birth certificate, which is recorded by the local registrar of births.

In the 21st century this is of limited use. Even if someone carries her birth certificate it suffers from two problems:

  • the carrier of the document can't prove the connection between the piece of paper and herself
  • machines are not very good at reading paper documents, so authenticating on the basis of a birth certificate always requires human intervention (a man-in-the-middle) and at the end of the day, some other kind of authentication

In a digital world what we need is an irrefutable electronically readable document that can serve as a ‘digital birth certificate’, without the problems of the paper one, in other words, a Root Identity.

This, I would argue, should be the main line of thought when designing an eID system. The eID must serve as a Root Identity.

If you adopt this line of reasoning you find that in order to function in this capacity the eID must have some specific properties:

  • it must be able to bind out to other processes
  • it must specifically be able to facilitate an irrefutable link between its user and itself
  • it must be able to participate in authorisation procedures, in my view without leaking any identity information – helping to answer the question: is this individual allowed to do this in this context? In most cases you do not need identification to answer this type of question
  • it should be able to facilitate authentication processes without compromising identity – allowing anonymity or pseudonymity most of the time is a fundamental requirement of any eID system in a free society
  • it should be able to uniquely represent the legitimate holder (and only the legitimate holder) in public key cryptographic protocols – a consequence of the two points above
  • it should be able to participate in identification processes if identification is required and legitimate
  • it must not depend on irreplaceable personal characteristics, in the sense that the system as such must be able to cope with the problem of compromised or lost/changed characteristics
  • the token containing the eID must be replaceable without unwanted consequences, or as a corollary, theft or loss of a token must not enable impersonation
  • all its functions, including any disclosure of information in the token, must be fully controlled by the owner

There are more necessary factors but I don't have space to write a book about it here. I would like to draw your attention to one extremely important fact, though: a national eID system bears very limited resemblance to a corporate Identity Management system, and the solutions cannot simply be transferred!

Hear! Hear!

Several problems are in evidence here. The issue of irrefutability is not easy. It basically implies that a given token can only function in connection with one particular individual on the planet, and it must not be able to function unless it is provably authorised to do so by that individual.

The system must not rely so heavily on any particular personal characteristic that a compromise or loss of that characteristic (amputation of a finger for example) makes it impossible for the individual to participate.

Both these two problems point at biometric solutions and how these are used. The thing is that unless the token and the person can be irrefutably tied together, an eID is no worse and not much better than a birth certificate and the whole exercise a waste of time and money. To create this tie you need to use some suitable biometric.

There are not many of those – universally usable across races, constant with age, replaceable in case of compromise or loss – in fact I can only think of one: DNA. If you want to know more about how DNA can be used as the basis of eIDs without leaking information or compromising personal details, look at the presentation/paper I gave at InfoSeCon 2005 in Dubrovnik last June. There is no real alternative.

Don't get me wrong here. Using DNA analysis on a day-to-day basis is not technically feasible, nor desirable.

However, for an eID to really constitute a Root Identity DNA must be included (establishing a correct database begins at birth and takes a generation – this is why, even if not used, DNA should be included in a national identity system from the outset. Adding DNA information to an existing database without making too many errors will not be easy). I suggest DNA verification be used mainly in case an individual needs other types of biometrics updated or installed on her eID. This information should not be stored in any database and it doesn't need to be. It is sufficient to store a cryptographic value derived from the information.

The whole system must be as decentralised as possible, building on information inside the eID token (ideally an eID token should only be asked to answer yes or no to (cryptographic) questions, never to give out information stored on the token). Implementations interfacing to the eID system must be subject to strict risk analysis, so that the level of credential asked for is proportional to the risk involved per transaction. Otherwise it gets far too expensive because in many cases multiple biometrics must be used (for the simple reason that any particular biometric system is not sufficiently universal or reliable to be used as a stand-alone system for high-value transactions – ‘value’ in this context does not only mean financial value but e.g. also ‘privacy value’).

With regard to the UK bill I am not going to argue with it here although – technical issues aside – it certainly is an obnoxious piece of legislation, moving the relationship between state and citizen several hundred years back, introducing important components of a totalitarian state by stealth – the ID card part is in a way the least important. It is a piece of legislation that does not belong in a democratic country (which of course, given the role of the unelected House of Lords, the UK isn't anyway).

Technically, it builds on a range of false assumptions, including the pie-in-the-sky idea that technologies to solve these issues exist and can be deployed. This is not the type of project you can simply give to a vendor or two and expect them to be able to deliver. More than anything I can recall ever seeing, this project requires a top-down architectural design process. It is not a vendor-problem that you can throw existing components at. This problem is so complex that it requires close co-operation between scientists, government and vendors. It will take a small extremely competent work group at least a year to identify possible solutions and consequences.

Unfortunately the current bill is so poorly drafted that it can't form the basis for discussion and amendment – back to square one. Normally that would make me complain bitterly over waste of my tax money but in this case there are only a handful of people in the world competent to do it right. Those are the individuals the UK government needs to find.

I think I know the people who can design and produce most of the deliverables but who asks the old editor? 🙂

I have to think a lot more about the use of DNA as the ultimate biometric in a system like this. I am impressed that Neils is himself aware that it carries its own dangers – I'll try to find the hyperlink to his paper. It also strikes me that even if this is theoretically the right thing to do, there is a vast amount of technological progress to be made before initiatives in this regard can be taken safely.

I'd like to know what conclusions Simon Davis, of Privacy International, has come to about this ultimate biometric. I think I'll ask him.

AMs shocked to test positive for drugs

Watching Them Watching Us, from UK's SpyBlog, posted this comment on my piece about the vile GE Entryscan:

I tried one of those GE machines at a security exhibition (priced at about a quarter of a million pounds!). Presumably the air jet blasts have been designed to forever replay the “Marilyn Monroe over a subway grating” scenario.

There is no reason to suppose that these machines are being calibrated or operated any better than the other drug and explosives testing machines which GE sell: False Positives for Drugs in the Welsh Assembly.

What happens to your characteristic “chemical aroma” signature data ? Is it stored and used as a “smell biometric” without your permission, or is it destroyed ?

The very concept of a smell biometric is something I've never considered before. I guess it works for dogs. Perhaps I'll get over it.

Following Watching's link takes you to a really nice page from the SpyBlog, and a very bizarre article about the whole sniffer technology by Gareth Morgan of the Western Mail in Wales. I'm guessing that AM's are representatives elected to the Welsh National Assembly:

‘ALMOST everybody in Wales will have hard drugs on their hands at some point today, according to a cutting-edge detection machine.

‘The problem has reached the point that bank notes, taps and door handles in pubs, nightclubs and even the offices of Wales have traces of class A narcotics.

‘It even infiltrates the National Assembly building in Cardiff Bay.

‘Depending on how cynical one might be about the behaviour of our fine upstanding political representatives, this may not seem the most obvious place to demonstrate the powers of the Ion Track Trace Detector Machine.

‘But AMs were yesterday shocked to discover readings of drugs like heroin and cocaine on their hands. Out of curiosity, they queued to volunteer themselves for trial using the machine with its stern beeping noises and complicated light-up screen. And there were a few raised eyebrows as the machine did its work.

‘Edwina Hart, social justice minister for Wales, tested positive for cannabis after her hands were swabbed using a special cloth.

‘She said, “You could pick it up anywhere, couldn't you?

‘”It could come out of cash, a cash-point, a beer mat, or anything else.

‘”It is a very sophisticated system that can pick up anything, if you have been in contact with someone's jacket or anything.”

‘Conservative AM William Graham organised the demonstration using the first machine introduced to Wales, which is owned by Gwent Police.

‘But even he was shocked to test positive for THC, the chemical found in cannabis. “Good gracious, where the dickens could I have got that from?” he asked.

‘Nick Bourne, leader of the Welsh Conservatives, was one of the AMs who tested negative.

‘He said, “May I pay tribute to the Ion Track system, despite the fact that both the Minister and William Graham tested positive.

‘”I was relieved that I didn't – but it is an excellent system nonetheless.”

‘With their pin stripe suits and attempts to cultivate a clean-cut image, politicians are hardly the stereotype of the drugs criminals that police regularly deal with.

‘PC Simon James, crime prevention officer, said that it showed there was no place to hide.

‘”The major use will be in nightclubs and drug dealers would be an idiot to come into a club with this machine in there.

‘”It is a deterrent and preventive measure really. In Gwent we have a hit-list of 10 pubs and can use this machine to do swabs on tables, chairs and narrow things down to improve our intelligence.

‘”It can be used to search houses. For example in some parts of the UK where there is a problem with crack cocaine they have swabbed microwaves and found traces.”

‘PC James denied that this machine casts suspicion on everybody, and that it is not subjective enough.

‘”The way we interpret the readings plays a big part, as does the way a person reacts if found with traces of drugs on their hands,” he said. “We can adjust the sensitivity and exclude certain drugs depending on how the machine is being used.”

‘Gwent Police had the first machine in Wales but recently two have been installed at Cardiff International Airport and South Wales Police also acquired a machine last week.

‘Despite his positive testing, Mr Graham said he supported the machine. He said, “Anything that deters people from taking drugs is a good thing. If people know this thing exists, then they know they might get caught.”

‘THE £40,000 Ion Track narcotics detection machine will be used in pubs, clubs, schools, workplaces and during roadside checks.

‘The machine is so sensitive it can detect the equivalent in drugs to a grain of salt in an Olympic-sized swimming pool.

‘It works even days after a person has handled drugs or explosives, and no matter how many times they wash, it can pick up traces.

‘A swab paper is wiped over the person's hands and then placed into a slot in the machine.

‘It analyses the swab for a range of drugs, from heroin and cocaine to cannabis and the sports- enhancement drug ephedrine.

‘The levels of contamination on that person's skin are also revealed by the machine, to help police determine how much contact with the substance has been made.

By the way, the price of the aweful and painful GE blaster contraption which I originally wrote about, inferior in every way to a competing product by Smiths, has dropped to a mere $120,000.00. It would be interesting to know how the issues described in the article above affect results.

US Passport Progress on Fourth Law

According to an article this week in PC World, it seems the US Passport Office is tuning in to the Fourth Law of Identity. We may not be out of the woods yet, but it it is encouraging to see that the Passport Office is listening to concerns by privacy experts and technologists about how Passport RFID, badly implemented, could cause many more problems that it solves. A number of us have been concerned that the original proposal offered new high tech weapons to terrorists and organized crime.

‘By October 2006, the U.S. government will require nearly all of the passports it issues to include a computer chip containing the passport holder's personal information, according to regulations published this week.

‘Starting in early 2006, the U.S. Department of State will begin issuing passports with 64-kilobyte RFID (radio frequency identification) chips that will contain the name, nationality, gender, date of birth, and place of birth of the passport holder, as well as a digitized photograph of that person.

‘The chip's contents will match the data on the paper portion of the passport, improving passport security by making it more difficult for criminals to tamper with passports, backers say. U.S. government efforts to make passports harder to forge began in response to the terrorist attacks on the United States on September 11, 2001.


After the State Department proposed last February to include RFID chips in passports, privacy groups such as the American Civil Liberties Union and the Electronic Frontier Foundation expressed concern. Because some RFID chips can be scanned remotely, criminals may be able to covertly scan groups of passport holders at airports, the EFF said in April. RFID passports could thus act as “terrorist beacons,” as well as indiscriminately exposing U.S. residents’ personal information to strangers.

For the record, I could not agree more with those expressing these concerns. It is a key responsibility of technologists to consider how what they are building can be misused by those with criminal intent. But so far, we don't seem very good at taking this responsibility. Our knee-jerk reaction is to label critics as lunatics in tinfoil hats. We should be learning about how to do a privacy threat analysis from the ACLU and EFF so we don't propose goofy technologies in the first place. And I for one applaud them for going to the mat on this issue.

‘In a letter commenting on the State Department proposal, the EFF argued that the agency lacked congressional authority to require RFID chips in passports.

‘”RFID in passports is a terrible idea, period,” said EFF senior attorney Lee Tien, in a posting to the EFF's Web site. “But on top of that, the State Department is acting without the appropriate authority and without conducting any form of credible cost-benefit analysis. It's asking Americans to sacrifice their safety and privacy ‘up front’ for a dangerous experiment that it hasn't even bothered to justify.”

‘The State Department received 2335 public comments on its February proposal to introduce electronic passports. More than 98 percent of the comments were negative, the State Department said, and most of them raised issues about security and privacy.

Note for others involved in similar schemes: If the Passport proposal had taken the Fourth Law of Identity into account from the get-go, most of these 2288 negative comments wouldn't have landed at their door.

Security Precautions

‘In the passport rules it released Tuesday, the State Department said that it was taking several security precautions. The RFID chips will use encrypted digital signatures to prevent tampering; and they will be so-called passive RFID chips, which do not broadcast personal information unless within inches of an RFID reader machine. To protect against data leaks, the e-passports will come with an “antiskimming” material that blocks radio waves on the passport's back and spine, the State Department notice said.

‘The new passports would comply with an International Civil Aviation Organization specification on e-passports, the State Department said.

‘Though the State Department moved away from its earlier proposal of a self-powered RFID chip in favor of a passive one that relies on a reader machine's power, privacy concerns remain, said Barry Steinhardt, director of the ACLU's Technology and Liberty Program. Steinhardt called the State Department's security measures a “step forward,” but he said bar codes could be used to match electronic data with paper data on passports.

“It still raises the question [of] whether or not this is an appropriate technology,” Steinhardt said. “There are still some essential concerns about whether this is secure or not.”

I agree with Barry that we need more technical analysis by radio experts to know the extent to which these initiatives address the problem. But having scrapped the active tags and included the shielding, we know the scheme is qualitatively less dangerous than it was six months ago. Still, I would like to see the passport information protected from improper release through cryptography.

Neville Pattinson, director of technology and Government affairs for Texas RFID card vendor Axalto, praised the State Department's changes, including the passive chips and antiskimming materials. “This is a fine example of the government listening to public opinion and adopting technology that protects citizen's privacy,” he said. “With the changes, information cannot be extracted from it.”

I agree that the Passport Office already deserves credit for listening, unlike some more stubborn entities in various national governments who don't seem to care at all about the dangers of their proposals. It seems like the scheme is becoming a lot safer – and I hope the improvement can continue.

Companies like Axalto have such great technology that they could make a passport chip that would not respond unless triggered by a reader with a valid “inquiry coupon”. In fact, they may already have such capabilities. What would an inquiry coupon look like? It would be cryptographically signed by the US State Department and grant the operator of a reader permission to query American passports. This kind of a system would really bring the system into accord with the Fourth Law.

Of course a proposal like this would require an upgrade to the International Civil Aviation Organization specification on e-passports. The sooner we get to this, the sooner we can move toward real, long term, solutions.

GE Puffer Stinks of Dr. Strangelove

I've been traveling way too much recently. And when you do too much of something, you can get too nonchalant about it.

For example, this week, not only did I take a “multi-destination” flight, but I rebooked part of it at the last minute so I could adjust my schedule when a meeting was cancelled. Abnormal behavior, right? Apparently.

I guess everyone will feel safer knowing that my deviation from a conventional “pre-booked return” travel profile alerted American West to put me through special screening – both on my way from San Francisco to Vegas, and on my way from Vegas back to Seattle. One marvels at the integration of artificial intelligence (in the true sense of the first word) into the ticketing system.

Giant imprints reading ‘SSSS‘ appeared in enormous boldface type both on my eTicket and the attached stub – a novel mechanism that unambiguously identifies a suspect to security line attendants in both cities.

All of this was fascinating, but nothing compared to what I went through once I was identified as what the transport security industry calls a “selectee”.

Instead of the conventional “pat down”, I was forced to experience first-hand two implementations of a new explosive-sniffing device called a “puffer”. Reading the sites of puffer manufacturers, you get the impression that their use with “selectees” is just a prelude to universal screening. According to one travel industry article, the machines are in place as part of a test by Safe Skies. According to a spokeswoman (whose dress seems to have been permanently puffed by the GE machine, as shown below):

Safe Skies tests equipment with “real people, real lighting conditions, real architecture,” but does not disclose results. The technology receiving the most buzz now in aviation circles is a walk-through portal made by GE Ion Track in Wilmington, Massachusetts. Affectionately called “the puffer,” the portal has a hood that captures the plume of heat that naturally rises off a person's body; it then puffs jets of air which shake loose particles. The machine vaporizes the particles, gives them a charge, and measures how fast the ions are traveling. Using that speed, screeners can identify the presence of banned substances, such as explosives.

According to a blurb at the GE site:

A picture

GE Ion Track's revolutionary walk-through portal quickly screens people for contraband without physical contact. Thanks to our patented Ion Trap Mobility Spectrometer (ITMS®) technology, EntryScan3 detects a wider range of explosives and narcotics with unprecedented sensitivity. It is the ideal complement to X-ray and metal detectors.

For higher throughput, visible and audible commands streamline checkpoints by automatically directing passengers to enter or leave the portal. If traces of explosives or narcotics are detected-or a person leaves before being prompted-EntryScan3 instantly sounds an alarm to facilitate rapid containment.

What's it like?

People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt.

I had been told there would be “puffs of air”, but these were not, by any definition, puffs.

“Puffs” make me think of cigar smoke. Or “Puff the magic dragon”. Puffs of wind. But these were hurricane strength blasts.

Meanwhile the machine barks orders like a concentration camp commandant. Where did they get the voice? It speaks in a chilling metallic imperative borrowed from a really bad science fiction movie. In fact it was barely believable that adults would unleash this contraption on anyone.

On the way back from Vegas, I was put through a different puffer, this time the Sentinel II manufactured by Smiths. In the large sense, it is just as invasive. But the difference between this machine and the GE machine is astounding. The Smiths machine speaks in a voice no more unreasonable than any amusement park ride, and, as the company says, “Gentle puffs of air dislodge any particles trapped on the body, hair, clothing and shoes.” And the puffs are gentle – a completely different experience from the horror devised by the idiots at GE. Further, the machine doesn't produce the sense of being trapped.

Apparently you can select a traditional “pat down” rather than going through these devices, but I was only told about that after expressing my dismay about being subjected to the vile GE contraption. This machine should be destroyed before it is foisted on the traveling public.

If I were GE, I would get my logo off this device as fast as I could. In fact, I would pull the machine back into the lab for a serious rethink, and apologize.

Who owns the metasystem?

After successfully avoiding the hurricane in Cancun, I came home to find a potential tempest gathering on the googlegroups idworkshop list dedicated to the identity metasystem. My friend Johannes Ernst, trying to ward off any misunderstandings, had written:

Just received — as you probably have — an e-mail invitation to the upcoming “Digital Identity World/Financial Services Conference” that features the following talk:

11:15AM – 11:45AM: Implications of the Microsoft Identity Metasystem for Strong Authentication Microsoft – Mike Jones (InfoCards)

Arising from unusually open conversations, and based on the laws of identity developed by Kim Cameron through these conversations, Microsoft will be releasing a cross-platform identity metasystem and InfoCard user interface with Windows Vista. This system takes a quite different approach to identity and authentication, allowing many new approaches to solving this problem at scale.

Mike Jones will detail the identity metasystem, and highlight its implications for the problems faced by financial services.

So Microsoft will be releasing the identity metasystem with Windows Vista? And it will be the “Microsoft Identity Metasystem” per title of this talk? Can somebody from Microsoft clarify whether this is indeed the way you position it, or whether this was just the work of an overzealous copy editor somewhere? If that's how you present it, do we — i.e. everybody who is not releasing an identity metasystem with Windows Vista because we are not Microsoft — need a different name for what we are all striving for? The NetMesh Identity Metasystem and the SXIP Identity Metasystem, perhaps?

Or do we need the Identity Meta-meta-system? 😉

I think the question of whether there'll be one identity metasystem everybody participates in — equally? — or whether it is controlled/branded/ perceived to be owned/wanted to be owned by one vendor remains a fairly confused subject.

[This is not meant to be an attack or anything like it, but I really think we need to put this issue to bed. It has been discussed over and over without ever really being resolved, and it's not that hard to resolve … can I encourage Microsoft's powers-that-be to just pick one definition vs the other and stick with it. I'm fine with either choice, I just want to know what the term means…]

So let me provide some definitive and public answers that represent my thinking as Microsoft's Architect of Identity – thinking which I have already articulated in the Laws of Identity; which has been clearly stated in the Microsoft Vision for an Identity Metasystem document; and which Mike Jones, Andy Harjanto, John Shewchuk, and all the rest of us from identity land at Microsoft see as self-evident:

No one can own the identity metasystem – that would be a silly goal by any standards.

We need to work together to create an identity metasystem, and we are doing that – across the industry, and beyond it. We are trying to create and ride a wave. A unique opportunity. There are people with many different skills who are becoming involved with this. We are brought together through our understanding of what digital identity (or the lack of it) means to the future of the virtual and mortar worlds, and trying to push our understanding of these critical issues to the limit.

We at Microsoft are trying to do our part to contribute metasystem components – but we are fully aware that the metasystem has to reach across platforms and technologies (law 5). We have the greatest respect for everyone who is on this expedition. We hope, working with them, to build a ubiquitous unifying fabric, just like TCP/IP.

As for the passage Johannes quotes, it is not our intended message. We've talked about Microsoft's Vision for an Identity Metasystem, but never implied we “owned” the system.

The conference brochure in question was put together at DIDW by people racing against the clock to include InfoCards in a really interesting identity conference for the financial sector (more in an upcoming piece). They did the best they could given that we hadn't sent them a written blurb. In this regard I take responsibility for any ambiguity.

As usual, the DIDW conference organizers were more than responsive when I contacted them. Within minutes the text had been edited to remove any ambiguity of the sort Johannes worried about.

Now the line in question reads:

Microsoft will be releasing the InfoCard user interface for a cross-platform WS-Trust based identity metasystem with Windows Vista.

All said and done, experience tells me there will be lots of things written that do not reflect our – or anyone's – intended messages! That is just the nature of a free-thinking press – and of a technology tornado (read technology hurricane!) As far as I'm concerned, we want both.

[tags: , , , ]

The Tao of XDI

I've always thought Andy Dale was a very interesting person, but somehow missed out on the fact that he has been putting together a major body of work on his blog at xditao. In case it's not obvious, the name combines XDI as in, and tao as in what makes the world go round. I found it informative to go through the archives – you really get an outstanding grasp of what XDI can do for us. Here's a sample – and presto, you understand Link Contracts.

I have talked a lot about Link Contracts lately, so why stop now. As I have said, Link Contracts are composed of several, signed, parts. Some of the parts are network enforceable and some are not. The non-network enforceable bits are meant to be enforced in some social system of accountability. These non-network enforceable bits are what I refer to as the ‘Terms and Conditions’ of the data sharing. The bit that says “You may not sell my data. You may not use my data for any purpose other than the original purpose of this agreement”, that kind of stuff. The problem with these terms and conditions is, they aren’t meant to be network enforceable or, therefore, machine understandable.

So if we don’t do this right this is what happens:

I address an email to you with your i-name. My email client asks your authority for your current email address. Your authority returns a response that says; you can have that info if you agree to these terms and conditions. My client is meant to sign these terms and conditions and return them to your authority in order to get the data I require. SO, the problem is; I don’t want to read some terms and conditions every time I do anything that involves someone else’s data. You know I’m not going to read it anyway, but I don’t even want to have to do that extra click. I mean, who knows what’s in those terms and conditions? What’s to stop you from adding some line 20 pages down that says “By signing this agreement you agree to pay me $500”. If this is how it worked, the Dataweb would be broken before it even started.

So… what do we do?

Rather than us all writing and using our own DSA (Data Sharing Agreements; terms and conditions) we will use ones provided by ‘trusted third parties’. I can read IDC (Identity Commons) Standard DSA #5 once and setup a preference that I am always willing to accept data under those terms. So in future when I ask for your email, you will say “under IDC DSA #5 (version 1.3)” my email client will simply sign the contract and send it back.

Now, the reality is, I’m probably not even going to read the IDC DSAs but that’s the point of having it provided by an organization that is ALL about trust. I know that if IDC publishes this DSA under their name… it must be ok. Ultimately there may be other organizations that provide DSAs that we can all trust, or at least use; Visa, HIPAA, SEC, etc…

For now we need to bootstrap this ecosystem. I have worked with Owen of IDC to outline three basic DSAs that can get us started;-

    1. Basic – This one will put some simple constraints on the consumer of the data to ‘respect’ the owner’s privacy. This is the first real step toward giving the individual some control over their virtual self. It will include:

      • No selling my data
      • No giving my data away
      • Only use my data in the context in which this agreement was forged
      • Upon request or discontinuation of this agreement you will anonymize or remove my data, remove all PII (Personally Identifying Information) and any contact channel information (address info). I call for anonymization as an option as companies must have the ability to execute their operational reporting and auditing.

    2. Wild West – This is for the organization that wants to take advantage of the higher quality data source that the Dataweb provides, but cannot, for technical, business or other reasons, conform to the restrictions of the Basic DSA. Accepting this agreement would be no different from filling out a registration form at a service today, just easier for all concerned.

    3. Full Empowerment – This agreement is for the truly forward thinking organization. Under this agreement the requester of the data offers reciprocation. They say they will give you a copy of your transaction records in exchange for having access to your data. In practice this would mean that I give netflicks access to my contact info and they will, automatically, programmatically, give me a copy of the list of movies I have rented ( and how much I spent, and how long I kept them and all that good stuff). When the contract ends, I still have a copy of that information that I can take with me to my new movie rental provider.
    I characterize option 1 as individuals having privacy statements instead of organizations. Option 2 as, status quo and option 3 as the next step in the evolution toward a fully empowered consumer.

    Ultimately, I believe, option 3 evolves to a point where vendors simply use our repositories as the place that they keep the data about us. By giving us that level of control, and trust, and respect; why would we go to another vendor?

    Please let me know if you think we need another DSA, or that I am totally off base!!

    Escaping Wilma

    People who saw Adele and me on TV over the last few days have been writing to ask if we're OK – they saw us lined up at the Cancun airport trying to “escape hurricane Wilma.”

    Thanks to everyone who has expressed their concern. We are fine!

    It's funny how TV works. The image and interview became part of the Wilma system. They were replayed day after day as Wilma stalled and mercilessly bashed the Yucatan.

    The truth is, I had registered for Cancun weather notifications prior to starting my vacation. Monday morning, I received this email:

    The tropical depression # 24 was upgraded this morning to Tropical Storm Wilma and it was located this morning at 502 miles east southeast of Cancun, Mexico. Interests in Cancun, Isla Mujeres, Cozumel, Puerto Morelos, Playa del Carmen, Puerto Aventuras, Akumal, Tulum and the Costa Maya area must monitor the development of Wilma over the next few days.

    To see the most complete information about the storm please go to:

    The tropical storm names for this hurricane season has been depleted, this happened only in 1933 and Wilma ties that record.

    I checked the site periodically. Tuesday evening the storm suddenly developed into a category 5 hurricane coming straight towards us.

    As I told the TV crew, “I've been in a hurricane before, and don't want to be in another one.” Visions of holding out in an emergency shelter with no air conditioning spurred me to lay down my Margarita and get to my feet.

    Again using the Internet, I bought tickets on a flight the next morning to Puerto Vallarta. That's another beautiful Mexican town, far from Cancun on the Pacific side of Mexico, where the sun was still shining and the dolphins still playing.

    Only thirty-six hours before the eye of the storm hit Cancun, we drove to the airport on an empty road. Many of the local Mexicans, veterans of endless minor hurricanes, were skeptical that this one would hit them head on. Our ticket agent told us we were crazy to leave – he said we should go back to our hotel, where “recreation directors would be throwing hurricane parties in the ballrooms.” Tourists weren't aware of what was coming either. When I was interviewed by the TV crew, the only reason I was in a lineup at all was because I had accidentally joined a group of French tourists who were clogging the checkin lane waiting for their tour guide to arrive. The airport was no busier than it normally is.

    Whatever the explanation, it all made for a good visual. And apparently got replayed many times.

    The images coming back from Cancun and the Riviera now are more than frightening. The devastation is terrible. My heart goes out to the local people, who I have always found to be endlessly friendly and helpful. They know a lot about how to handle hurricanes, and I'm sure they'll recover as quickly as anyone could.

    As for me, I count myself super lucky to have had access to information and mobility. It's another example of how much is changed by the Internet.

    [tags: , , , ]

    New blog at

    Kris Magnusson, who was open source program manager at Novell, pinged me recently to tell me about his new blog called I see postings like this:

    Yes, I Am. . . an advocate for the Identity Metasystem. Craig Burton convinced me for reasons he didn't know about and reasons I didn't explain to him.

    The big reason I believe in it was that it fit my criteria for becoming Internet infrastructure, with an exception that I think can be rectified over time, namely that multiple reference open source implementations don't currently exist. However, the Metasystem is young and these things will most certainly change.

    Everything else about the Metasystem is right. It doesn't displace any existing infrastructure, requiring only a simple plugin for web sites to interoperate with the Metasystem. The InfoCard system is a great way to put users safely in control of their own identity claims, and it looks like it will find its way into alternative browsers like Firefox and Safari, making it ubiquitous.

    I really have a distaste for silos now that I've experienced the openness of the Metasystem. You'll have to pardon me if I seem too hard on them, especially Sxip, who have their heart in the right place by putting claims back in the hands of users, more or less. It's just that having worked with Dr. Marshall T. Rose and having had a taste of what standardizing Internet infrastructure is all about, and having had exposure to the Metasystem's openness, I don't want to go backward to silos and proprietary networks.

    My gosh: Marshall T. Rose – author of the Open Book and the Little Black Book and grand savant of OSI. That brings back memories. Anyway, moving on, I continue to hope that sxip and lid and other emerging systems will develop implementations that are part of the proposed identity metasystem.

    In his email, Kris sets up a direct question for me:

    My hope is that the metasystem will become true internet infrastructure in the same way dns/bind or http is currently. I think in order for this to happen that multiple open source reference implementations have to be developed. I don't think Microsoft can go it alone. Moving the WS* specs through OASIS is fabulous, as is getting support from IBM and hopefully later from Sun, but open standards are not sufficient to make a software system internet-standard. Ubiquitous implementation is key. So i'm hoping that someone will step up to the plate and develop an open source implementation of the metasystem for non-windows platforms. What do you think about this?

    I totally agree. I have heard Craig's recording of “I, I, I cry ubiquity…” and thought it pretty much catches the spirit of the times. Hard-wiring is fading fast, and we will need identity metasystem capabilities in every nook and cranny of the Internet.

    [tags: , , ]

    Risks of poor design means huge potential security problems

    Jerry Fishenden, who is Microsoft's National Technology Officer for the UK, just contributed this first rate piece to the Scotsman:

    A WELL-DESIGNED UK national identity card could help tackle many problems, including the upward trend in identity fraud and theft. But important technical, security and privacy issues need to be tackled to ensure its success.

    One major challenge is that no computer system is 100 per cent secure. We've seen various prosecutions arising from unauthorised access to computer systems such as the Police National Computer and DVLA. Putting a comprehensive set of personal data in one place produces a “honeypot” effect – a highly attractive and richly rewarding target for criminals. Forty million users’ personal credit card records were compromised recently in the US – highlighting the very real risks such systems face.

    We should not be building systems that allow hackers to mine information so easily. Putting all of our personal identity information in a single place is something that no technologist would ever recommend: it leads to increased and unnecessary risk. And it is poor security and poor privacy practice. Inappropriate technology design could provide new hi-tech ways of perpetrating massive identity fraud on a scale beyond anything we have seen before: the very problem the system was intended to prevent.

    The UK identity card also intends to exploit advanced biometrics – technology for measuring and analysing human body characteristics (such as scans of your face, fingerprints and retina). Correctly used, biometrics can provide a useful additional technology to assist with identification – acting as a cross-reference when you need to authenticate yourself.

    But as the British Computer Society has commented: “No scheme on this scale has been undertaken anywhere in the world and the technology envisioned is to a large extent untested and unreliable on such a scale. Smaller and less ambitious systems have hit technological and operational problems that are likely to be amplified in a large-scale national system.”

    The security and privacy implications of storing biometrics centrally are enormous. Unlike other forms of information such as credit card details, if core biometric details such as your fingerprints are compromised, it is not going to be possible to provide you with new ones.

    The ID card itself also needs to be carefully designed to ensure it doesn't add to identity fraud problems by carelessly “broadcasting” personal information every time it's used. Using the same identifiers wherever we present the ID card is a highly risky technical design. Would you be happy if online auction sites, casinos or car rental company employees are given the same identity information that provides you with access to your medical records? It's unnecessary: we can already design systems that ensure the disclosure of personal information is restricted only to the minimum information required (a pub landlord, for example, needs only to know that you are over 18). Keeping identity information relevant to the context in which it is used is both good privacy and good security practice.

    The US government has already started to re-think the way it approaches some of their large-scale government IT systems: for example, they actively encourage IT privacy and security experts to attempt to find flaws in their new electronic passport system so that it can be improved.

    This is proving a successful model that should be more widely adopted, to the benefit of the UK identity card.

    A well designed identity card could help simplify our interactions with public services, provide additional protection from identity fraud and improve public service delivery. But we need to ensure technology industry expertise and successful models, such as that being adopted for the US e-Passport programme, become an integral part of projects such as the UK identity card. There is no need to contemplate designing a system embodying so much risk when the same results can be achieved without any risk at all.

    After all, if someone were proposing to build the most ambitious bridge the world had ever seen and engineers could see that it would fail, and suggest ways in which it could be improved, we would expect their views to be taken into account.

    This is a great article and I hope it will get discussion going about other ways to approach the problems the card is meant to address. Jerry speaks for most of us when he points out the unnecessary and troubling risks of the proposed system. And his analogy with a misdesigned bridge could not be more apt.