Month: August 2006

The virtualization of crime

I love this piece by Scott Adams:

Imagine.  The Internet has no way of knowing who you are dealing with.  What environment could be more convenient for the criminally inclined?

Since starting to work on the Identity Metasystem I've learned more and more about the hoists being pulled off in the context of virtual reality.  Over time, we have seen the attacks become more professionalized, and ultimately linked to well organized international syndicates.  Part of the basic equation is that the international nature of virtual reality makes it especially hard to deal with the type of organization that is emerging at the boundary of its interface with the brick and mortar world.

But recently, we've seen more highly focused attacks that are essentially artisinal.  It seems to be a case of “think globally, act locally.”  Some of the schemes put in place depend on intimate knowledge of the workings of specific sites, and even specific communities and indvidiuals.  This is no longer generic targeting.  It's highly individualized, the work of community professionals of a special kind, who may draw upon internationally organized resources as necessary.

And of course this all makes sense.  Computerization has progressively worked its way through the various professions and industry sectors and nooks and crannies of our society, and we've reached the point that a growing number of criminals are no more likely to function without computers than are accountants (not to cast judgement on whether some accountants are or are not ciminals…)

As the level of familiarity with technology grows and increasingly wider swaths of the population become aware of the opportunities that await us in virtual reality, it is obvious that more and more criminals will find their place there. 

I walked into my local Office Depot a few days ago and amazingly, almost all the stationary goods and high class pens and filing contraptions and things that have always made such places interesting, had basically disappeared into a distant corner, while the whole center of the store consisted of computers, printers, electronic cash registers and cameras.  A further indication of the growing virtualization of which cyber criminalization is just a natural a part.

But to keep any balance at all, we really do need to fix the fundamental architectural problem of the internet: having a way that we can, when we want to, be sure who we are connecting with.

In other words, we need to put in place an Identity Metasystem.

Protect yourself from your credit cards

Via a cool Digg, a pointer to a holding action that uses brute force to apply the Fourth Law of Identity:

The Emvelope® Wallet Insert is an innovative, patent-pending product that provides a simple, convenient, and easy way to contain the wireless signals being emitted by RFID chips. Simply place the insert into the bill area of your wallet and press firmly around the edges. Close the wallet and you'll have a Faraday Cage small enough to slip in your pocket. Don't let the size and simplicity fool you. Emvelope® inserts will block RF frequencies up to 2.4Ghz. More than enough to insure your safety.

Now if you travel, don't stop with your wallet. The handy passport accessory shown here will protect you from your passport.

Rumor has it the company is working on an insert for hats as well.   

Phil Becker on Identity's First Big War: a history lesson

Phil Becker is getting us ready for the DIDW in Santa Clara this September 11:

It's been half a decade since the first, and biggest, “identity war” ended. It is worth revisiting what happened (and what was learned) in light of how identity technology is gaining traction and beginning to face related challenges that could lead to similar issues arising again.

History has a way of looking inevitable in hindsight, like it really couldn't have turned out any different than it did. Those who lost can easily seem like they were just shortsighted, venal or stupid while others look unnaturally aware and smart. The truth is usually somewhat different, and if we are to benefit fully from the lessons of history, we must review it as objectively as possible.

“You could start a consultancy with what you learn at this conference.” -Katarina Kreutzfeldt, Managing Director, KOGit, GMBH

Before I begin, however, I want to remind all my readers our annual Digital ID World conference is just two weeks from Monday. It's August, and easy to think that it's further away than that. I wouldn't want you to miss out because you didn't get that two week advance air fare discount, or plan time to attend until too late. This year's conference is shaping up to be our best ever on several fronts. Check out the conference web site at http://conference.digitalidworld.com/2006 and when you register be sure you don't forget the $200 off discount code in the ad above.

I'm also doing a webinar next Thursday, August 31, exploring the convergence of physical and logical identity through deployment experience. As you can see from our conference schedule, I believe that deployment experience is the best way to understand identity technology. This webinar looks at this subject through a deployment experience, a subject that has been mostly talk but which is now becoming reality . You can register for that free webinar at: http://www.actividentity.com/didwebinar

The first identity war didn't start out as a war at all. It began when Microsoft, who had fully committed to web services long before anyone else, realized that an internet scale authentication infrastructure was required before those services could truly gain the traction they had envisioned.

As a company, Microsoft tends to look at computing problems through the lens of the user experience. In the case of the internet, this led them to see (earlier than most) the tremendous friction that requiring a user to log in to each web site with separate credentials created. In 1999, they began to address that problem with Passport, which they felt that they could grow to become an internet scale authentication system.

Here is the Schedule and here are the Exhibitors.

Brian Arbogast, then VP of .NET Core Services, summarized this in 2001 when he said, “Back in 1999, Microsoft looked at the Internet landscape. More and more, when people went to Web sites — to shop, retrieve news stories, download software or participate in chats — they had to log in, giving their name, password and, often, additional information. There are so many user names and passwords that people have to remember today that it can create a pretty frustrating experience; in fact, most people write that information down on paper — which is not a safe or secure way to store this information. Authentication services like Microsoft Passport are designed to help transform today's Internet and computing experience by enabling single sign-in to multiple sites and services with one secure password.”

Note how all of this is framed from the perspective of the user experience, with no recognition of how centralizing authentication might create side effects that people would be unhappy with. It is this framing of the problem that led Microsoft to miss those implications that would ultimately launch the first identity war. This view also led most of those involved in identity management at that time to view it narrowly as an exercise to achieve single sign-on.

In March of 2001, Microsoft took Passport to the next level, announcing Hailstorm, a way to use web services to create a unified identity experience on the internet. Announcing Hailstorm on March 19, 2001, Bill Gates said, “The .NET vision encompasses the idea of having your information wherever you want to go. This includes the future cell phones, your TV set, your tablet form factor PC, your desktop PC. Wherever you are, and whatever role you're in, whether you're working, you're acting as a family member, you're acting on behalf of some other group you belong to, your information will be there available in the context that's most appropriate for what you're trying to get done.”

Examining that sentence reveals that on one level, Microsoft understood precisely where the internet was going and what identity would have to provide to get it there. It is a classic example of how visionaries can see something so clearly that they miss (or drastically underestimate) the implications. Microsoft felt that the internet was just one centralized authentication system away from its “big bang” of value creation, and missed the devil that lurked in the details.

On stage that March day was Ray Ozzie, the person that Bill Gates is now turning Microsoft strategy over to. At that time Ozzie was CEO of Groove Systems, and said “what it's really about is enabling individuals out on the Internet who need to work together the ability very quickly, very spontaneously, to get together, to share information, to interact with one another directly over the Net — even across firewall boundaries. We believe that the services that are inherent to ‘HailStorm’ provide for a much richer user experience, and in general put the user in control of information that formerly has been in the control of apps of various types.”

Again, you see the focus on enabling a user experience, including the need for the user to feel in control of the identity transactions and information. At the same time, there was little or no understanding of the implications of the architecture chosen for the identity infrastructure. But those implications weren't missed by the public and the real “storm” was one of fear that Passport/Hailstorm just might work, with the result that Microsoft would end up controlling the identity information of the internet. The rumblings that would lead to the first identity war had begun.

In 2001, enterprise was also realizing it needed a way to unify its authentication infrastructures. It was being seen that directories just couldn't grow big enough to centralize all authentication without becoming projects that cost far more than they were worth, and that the cultural impact of centralizing all of the processes behind managing the data they held was unreasonable. In 2001, this pressure led to the SAML protocol efforts. These efforts to create a standard way to share authentication information across domains advanced very quickly and several demonstration projects with the proposed protocol occurred.

One of the first articles I wrote for the Digital ID World web site in 2002 was:  The Digital ID Wars Intensify…

In that article I wrote “last September marked the real beginning of the Single Sign On wars, and this is currently the hottest battlefield in the Digital Identity struggle (although there are many other battlefields that will show their faces as the struggle continues.)” The reference was to the formation of the Liberty Alliance in September 2001. That group formed specifically to find an alternative way to achieve single sign on without creating a centralized identity system. Liberty proceeded to build on the foundation of SAML, create their ID-FF protocol, and release it by July 2002. The word federation entered the identity conversation and the concept of networking decentralized identity domains using standardized protocols began gaining acceptance.

Under the pressure of the first identity war, Liberty Alliance did its job so rapidly and well that it has largely been forgotten how significant it was. The ID-FF protocol was incorporated into SAML 2.0, and the sub-battle over how federation would occur has largely been put to rest. The first identity war officially ended when Microsoft quietly shelved the renamed Hailstorm project, MyServices.

This first identity war deeply affected how identity technology has evolved since then. It is useful to revisit it because several large internet sites are again in the midst of deciding whether their identity systems should be open or closed, and how they should be architected. If they don't pay attention to what Microsoft learned in the first identity war, we can expect to see some bad experiences again.

Following the first identity war, Microsoft, deeply impacted by the experience, came to realize that *how* identity was implemented had far more implications than they initially imagined. In response they put more effort into the WS-* protocols to create far richer capabilities than just single sign on and allow greater flexibility in how those capabilities could be architected. In recent years, Kim Cameron has worked on defining a WS-* identity meta-system that allows interoperability between different identity infrastructures while creating an identity based user experience to be part of the forthcoming Microsoft CardSpace in Vista. Nearly all identity management systems today acknowledge that decentralization will grow, that federation is a required mode, and several competing user-centric identity architectures are vying for acceptance.

There are many more lessons to be drawn from the first identity war, among them being that understanding what is needed functionally is quite different from understanding how it should be provided or the implications of different approaches on how users will accept or reject the result. Identity is complex because it carries tremendous power — power to accomplish the desired goals, and power to create unanticipated side effects.

This is why gaining a good identity-centric perspective of computing is so essential to success in IT today. It is also why you are seeing identity unifying technology from the network layers through the application layers. Without an identity perspective, IT security and infrastructure tends to take on a “Whack-a-Mole” nature where the solution to one problem only seems to create two more problems.

I'm sure it will come as no surprise that I would tell you that the *very best* way to gain such a deep identity-centric perspective is by attending the Digital ID World conference. No one who attends will leave without gaining a deeper understanding and broader perspective of the place of identity in computing, how technology is evolving, the best practices that lead to success, and how each identity technology applies to the overall set of tasks at hand based on real world experience.

Identity is a Whack-a-Mole phenomenon?  Top that, Thurcydides and Emerson!  Meanwhile, I hope to see everyone, especially Phil, at DIDW in Santa Clara.

Denial of servce attacks on the GE Puffer?

Here's a sobering piece on the GE Puffer by Martin Tibbits at Kangaekata.  He quotes me as a “detractor” of the GE Puffer, and he couldn't be more right.  The so-called Puffer (which should be renamed “Blaster” to dispell the cutesy lie that is its name) is beyond invasive and mysanthropic; it's a bad dream from the world of stupid product designs. 

The good news is that it has a competitor called the Senitinal, made by Smiths, that is beautifully conceived and has none of the problems of GE's abomination (I compared the two machines here). I therefore expect that no one competently evaluating this technology will ever install a Puffer again – and GE, in light of how inferior its own version is, will take it off the market to avoid humiliating its design staff.

That being said, Martin's insights really caught me off guard.

I’m sure that by now many of you have experienced the “Puffer“…a new explosives detection device being tested at several major US airports. 

The puffer is made by GE… based on technology developed by Smiths and Barringer Technology.

The technology works like this:

The Puffer blows air on you collecting tiny tiny tiny particles of just about anything you have come in contact with. It then ionizes these particles and performs some complicated analysis. The upshot is that the Puffer can detect quantities of explosives as small as a picogram!

How small is a picogram? Well a picogram is 10 to the -12 grams. Essentially if you zoomed a BB to the size of a school bus, a picogram would be the size of a grain of salt in the bus.

As a technology, puffers are pretty cool, despite their detractors. As a downside they are generally pretty slow, taking 10-40 seconds per person to perform their magic. I would be surprised if they had throughput greater than 30 per hour, honestly.

But the speed isn’t the only real problem. Were the FAA to rely on soley on puffers, here is exactly what could happen:

Al Qaida or any other terrorist group with feet on the ground in the US would be empowered to bring air traffic to a complete halt in the US, at will.

How? Simple.

Terrorists could simply spill a little RDX or C4 dust in front of the security line at major airports. It could be so little that it would be unnoticable. Picograms…remember?

People would walk through the dust…and the puffers would give off nothing but false positives. The airports would have to revert to pat downs and other time intensive security measures.

The result? A reversion to limited or no protection against explosives in flight.
Am I giving something away here? I hope not. Let’s not assume the terrorists are any less intelligent than we are.

Amazing.  A chemical denial of service attack.  Obvious in retrospect, like so many security flaws.

Advanced auditing at Centrelink

Phil at Improving New Account Opening speculates about Centrelink's auditing system while making the important point – not necessarily related factually to this incident – that auditing systems can themselves raise privacy issues.

Kim Cameron's Identity Blog highlighted the case of more than 100 Australian government employees being forced out of a single agency for snooping on client information. According to the Sydney Morning Herald article, hundreds more were demoted or faced salary deductions as punishment.

Interestingly I have a little insight into some of the Centrelink agency's online applications. Despite this, the rest of the specifics to Centrelink in this post are wild speculation, so take them with a pinch of salt.

The agency provides a range of online services to Australians, especially around benefits and financial support, and enables users to perform many interactions and transactions with the agency online. This leads to approximately 80 million online transactions per week. As I understand it, before going online the agency had struggled with how to counter individual users claiming that information they had (or had not) provided online was incorrectly recorded, leading to incorrect payment of benefits and other issues. This would mean that cases that led to litigation would be hard to defend. The requirement for non-repudiation rested with the agency and this proved difficult for them to address.

Here is where the wild speculation starts. Centrelink is considered a gold-standard in the Australian government for an online service that is secure and trusted. It employs a website monitoring application called WebCapture that for online transactions records both the information presented to a user, the forms they see and the documents requested, alongside any information that users enter into forms, the options they select, links they follow and buttons they click. This information is recorded on the web-server, stored to a repository and may be played back by authorized users as a virtual video recording of the entire transaction. As I understand it, the captured, replayable transaction has been tested in court as having appropriate legal weight to provide non-repudiation: the logged in user did perform the transaction, and this is exactly the information they were presented and they responded with.

I am guessing if some of the employees in question used this monitoring capability to snoop on customer information that they couldn't access in other systems. WebCapture information is held in an extremely secure repository, with metadata passed to a standard database. The question is whether the agency effectively designed and enforced their security policies with respect to accessing this data. A system's security is only a strong as the security policies you define for it. In this case, it may be that the WebCapture repository or associated database was the subject of poor IT security policy enforcement or poor governance around the maintenance of those policies or the users that could access it.

If this scenario is actually true, it highlights an issue that should be obvious, but may have been missed in this case. As we add additional layers of software into our infrastructure, if they are not subject to good IT governance and management processes they may be fraudulently used to access personal data and transactions, or lead to other security issues. Every new layer of infrastructure needs to be managed – personal data does not just reside in the database anymore.

With good governance and management of the systems and security policies using best practices like ITIL, a system like WebCapture can provide undeniable proof of transactions performed by clients, protecting the organization from false claims and litigation. This is a huge benefit to an organization like Centrelink. There is no substitute for good management of data in all IT systems, not just the database.

 

Aggregation through a single identifier

Through the miracle of pingbacks I just came across Terrell Russell's blog, This Old Network.   Poking around, I was led to his cool proposal for MicroIDs, which I like and will discuss later.  I also found many interesting pieces, including today's interesting reflection related to issues addressed in my fourth law of identity:

First, our friend the search engine…

Search data recently released from AOL allows anyone with some intrepid follow-up skills and some social engineering to quickly narrow in on unique individuals – individuals who never considered their independent searches were being aggregated by their ISP. A recent flurry of activity designed to protect us from the search engines signals a slumbering uneasiness with this situation. Something dark has been uncovered and in the short term there is much handwaving and interest. However, as time passes, we’ll fall back into our ‘normal’ ways and continue to put our most personal information-seeking into that gloriously simple bare single box. “It’s just too convenient”, you say. “They’ve done nothing wrong.”

And here’s where the discussion changes. It’s not about Google. Or MSN. Or Yahoo. It’s about one person. Or one subpeona. The fact that it’s all being aggregated is the problem. The fact that there’s a potential for negligence, court-order or simple employee curiosity has profound implications for a great number of people. That is what makes this discussion so important.

Note that the reason employees could inappropriately access sensitive information was because it was sitting in databases they could get to – not because it was present on a card in someone’s wallet. 

Centralized databases worry me way more than any other aspect of this technology.

– Kim Cameron

We need to understand that our daily breadcrumbs – our attention – our personal interests in where we’re going and what we’re looking for and what we’re buying, are all being sucked up and stored with a unique identifier. We need to realize we’re broadcasting our attention and that it has great value to those who would suck it up. Inform yourself and make a conscious decision about where you spend your time and what you look for. You’re not alone while you surf. AOL has shown us the light.

And onto IM…

Most users think they’re anonymous behind their instant messenger accounts. They think their words aren’t being recorded. You think your friend on the other end of the IM doesn’t have her auto-logging turned on? And that it’s not fully searchable later? Severe paranoia and tin-foil hats notwithstanding, you’re being very naive.

And that’s just your friends. How about when the person on the other end reports you?

Earlier this week the UK government-funded Child Exploitation & Online Protection Centre announced a partnership with Microsoft Messenger. Messenger will be putting a button on the toolbar to allow any user to ‘report abuse’ to the authorities. This is a dangerous precedent. How is this any different than the Terrorist Information and Prevention System (TIPS) program proposed by the US back in 2002?

How much money will be tied up in the next 12 months because of this trigger being too easy to pull? How many prank reports will eat through the government funding? How will danah boyd react to the feeding frenzy this will create once the first one is ‘caught’?

Be aware of what you project. Be aware that this is a global medium. Be aware that it’s being broadcast and recorded. This Internet thing will be around for a while.

This should give those who think that maybe we should just back off identity issues and let things take “their natural course”, reason for pause.  I certainly hope that the “panic button” referred to above is limited to use within communities whose members consent to it.

 

David Weinberger – lover of the status quo?

David Weinberger at Joho the Blog has a thoughtful piece on privacy and anonymity that more or less wraps up the ongoing thread between him, Eric Norlin, Ben Laurie and others including myself.

It's long and detailed, so I suggest you check it out at Joho (don't get distracted by his piece about Snakes on a Plane.) 

While I have the chance I'll mention that I really don't like the way David uses the phrase “real world” – and counterposes it to the Internet. 

But here's what I wanted to discuss:

My fear is that we are in the process of building a new platform for identity in order to address some specific problems. We will create a system that, like packaged software, has defaults built in. The most important defaults in this case will not be the ones explicitly built into the system by the software designers. The most important defaults will be set by the contingencies of an economic marketplace that does not particularly value anonymity, privacy, dissent, social role playing, the exploration of what one is ashamed of, and the pure delight of wearing masks in public. Economics will drive the social norms away from the social values emerging. That is my fear.

Economics will drive the social norms?  Why isn't it possible that social behavior will also drive our economics?  Is there a cluetrain?

An obvious example might be the ability to market more effectively without ANY personally identifying information about an indvidual.  This sounds counterintuitive until you take into account the fact that people are willing to reveal more about themselves – and their needs – when they are not individually identified.

I have confidence that the people designing these systems are going to create the right software defaults. The people I know firsthand in this are privacy fanatics and insistent that individuals be in control of their data. This is a huge and welcome shift from where digital ID was headed just a few years ago. We all ought to sigh in relief that these folks are on the job.

I'm not sure if fanatics is the right word. Once you see that privacy is security from the point of view of the individual, then it just becomes a normal part of security modelling. 

But, once these systems are in place, vendors of every sort will of course require strong ID from us. If I want to buy from, say, Amazon, they are likely to require me to register with some ID system and authenticate myself to them…far more strongly and securely than I do when I pay with a credit card in my local bookstore. Of course, I don't have to shop at Amazon. But why won't B&N make the same demand? And Powells? And then will come the blogs that demand I join an ID system in order to leave a comment. How long before I say, “Oh, to hell with it,” and give in? And then I've flipped my default. Rather than being relatively anonymous, I will assume I'm relatively identified.

Where is the proof for this?  Vendors will want to do whatever lets them sell most effectively.  Pseudonymous relationships, as I mentioned above, may well be perfect for this.  Amazon sells to me by knowing what I like to read and watch – not by knowing my name.  Next generation credit and delivery systems will allow us to purchase without revealing anything about who we are or where we live to the merchant. 

With an identity platform in place, a payment transaction can be a one-time transaction guaranteed by a bank.  No name or credit card number is necessary.

WIth an identity platform in place, delivery can be done by giving the merchant a one-time transaction number linked to my Fedex account – without the merchant needing to know where I live or take responsibility for product delivery.

Why would merchants want to keep all the liability of the material world if they can reduce their costs and increase their sales by moving on into the virtual one?  Doesn't that sound real? 

Does that matter? I think it does, for the political, social and person reasons mentioned above. Don't make me also argue against being on one's best behavior and against being accountable for everything one does! I'm willing to do it! I will pull this car over and do it! Just try me!

The basic problem is, in my opinion, that the digital ID crew is approaching this as a platform issue. Most places on the Web have solved the identity problem sufficiently for them to operate. Some ask for the three digits on the back of your credit card. Some only sign you up if you confirm an email. Some only let you on if you can convince an operator you know the name of your first pet and the senior year season record of your high school's football team. Sites come up with solutions as needed.

David, David, David.  You think the current situation is so good for your privacy?  You like the increasing proliferation of personally identifying information that characterises the current technology?  You're happy with the way enterprises and governments build their centralized systems?  They aren't.  Everyone realizes that our current ways of doing things are too dangerous – and much of that comes from the fact that we have been forced to store information we don't need precisely because there has been no identity platform.

Good. Local solutions to local problems are less likely to change norms and defaults. But the push is on for an identity management platform. It's one solution — federated, to be sure — that solves all identity problems at once. If you want to change a social default, build a platform. That's not why they're building it, but that will (I'm afraid) be the effect. It's not enough that anonymity be possible or permitted by the platform. The default isn't about what's permitted but about what's the norm. If the default changes to being naked at the beach, saying, “Well, you can cover up if you want to,” doesn't hide the fact that wearing a bathing suit now feels way different. Yes, there's something wrong – and distracting – about the particulars of this analogy. But I think the overall point is right: We're talking about defaults, not affordances.

There are serious problems caused by weaknesses in current identity solutions. Identity theft is nothing to sneer at, for example. But are we sure we want to institute a curfew instead of installing better locks?

Is it better to have been born, or not to have been born? (Yes, I know what the ancients said.) 

There are dangers – do we therefore have to submit to a long sleep?

Radia Perlman on PBE

The ever-interesting James McGovern posted about Encryption Based Encryption a while ago, wondering if Microsoft and Sun might add it to their product suites.

I was so busy travelling that I got swept away by other issues, but Sun's Pat Patterson persisted and recently posted a cogent note by Radia Perlman, one of his colleagues, which I thought hit a lot of the issues:

Identity based encryption.
Sigh.

This is something that some people in the research community have gotten all excited about, and I really think there's nothing there. It might be cute math, and even a cute concept. The hype is that it makes “all the problems of PKI go away”.

The basic idea is that you can use your name as your public key. The private key is derived from the public key based on a domain secret, known to a special node called the PKG (private key generator), which is like a KDC, or an NT domain controller.

Some of the problems I see with it:

a) public key stuff is so nice because nobody needs to know your secret, and the trusted party (the CA) need not be online. The PKG obviously needs to be online, and knows everyone's secrets

b) If Alice is in a different trust domain than Bob, she has to somehow securely find out Bob's PKG's public parameters (which enable her to turn Bob's name into a public key IN THAT DOMAIN).

c) Bob has to somehow authenticate to the PKG to get his own private key

d) There is no good answer to revocation, in case someone steals Bob's private key

e) There is no good answer to revocation, in case someone steals the PKG's domain secret.

I've seen hype slides about identity based encryption saying “which identity is easier to remember?

In PKI: 237490798271278094178034612638947182748901728394078971890468193707
In IBE: radia.perlman@sun.com

This is such ill-conceived hype. In PKI no human needs to see an RSA key. The RSA key is not your identity. Your identity is still something like radia.perlman@sun.com

So, it looks like IBE gives with one hand (sender can create a public key without the recipient's involvement) but takes much more away with the other (key secrecy, PKG has to be online, revocation issues). I guess there is no such thing as a free lunch…

Let me put the same points just a bit differently. 

IBE is very interesting if you think everyone in the world can trust a single authority to hold everyone's secrets. 

OK, now let's move on.

When you do have multiple authorities, you need a way to discover those, so you need a secure email-to-authority mapping and lookup.  Yikes.  The only way to do that which is simpler than public key itself, is to use mail domains as the authority boundary combined with some kind of secure DNS.

But in that case, your mail server can decrypt anything you receive, so it's no better than a conventional edge to edge encryption scheme (e.g. where mail from me to Pat gets encrypted leaving the Microsoft mail system and then decrypted when entering the Sun mail system). 

Edge encryption is pretty well what everyone's building anyway, isn't it?  So what's the role for PBE?

My vision is that one day, Information Cards will be used to convey the information needed to do real end-to-end encryption using asymmetric keys – without the current difficulties of key distribution.  This said, signing interests me a lot more than end-to-end encryption in the short term.

More about this some other day.

Snoops highlight importance of second law

I'm back from a really intense visit to Australia. Some would call the trip home a “long flight”. But not me. I had the Sydney Morning Herald to read, which the day before had featured this piece on 100 government employees fired by their agency, Centrelink (hundreds of others were demoted). It seems – you guessed it – they had been snooping on (and even changing) hundreds of personal records.

So I was fascinated when I came across this piece during my flight. It quotes the head of the Australian government's Smartcard Privacy Taskforce, Professor Allan Fels:

Serious concerns have been raised about the federal government's planned Smartcard after more than 100 Centrelink staff lost their jobs for inappropriately accessing client records.

Labor has called for the privacy commissioner to investigate the breaches, in which 600 Centrelink staff browsed the welfare records of friends, family, neighbours and ex-lovers without authorisation.

And the man heading a privacy taskforce looking into the proposed Smartcard says he is deeply concerned by the breaches.

A total of 19 staff were sacked and 92 resigned after 790 cases of inappropriate access were uncovered.

In the most serious cases, staff members changed client details without authorisation as they spied on sensitive information.

Smartcard Privacy Taskforce head Allan Fels said the breaches highlighted why data on the proposed new card should be kept to a minimum.

The Smartcard will link welfare and other personal details of at least 17 million Australians.

The Centrelink revelations are deeply disturbing,” Prof Fels told ABC radio.

“I take some comfort from the fact that the government has caught them and punished them but there is still a huge weight now on the government to provide full proper legal and technical protection of privacy with the access card.”

Prime Minister John Howard said Centrelink had dealt appropriately with employees who abused their positions of trust.

But opposition human services spokesman Kelvin Thomson said Privacy Commissioner Karen Curtis had to investigate.

Mr Thomson said the news came on top of revelations in June that the Child Support Agency had 405 privacy breaches in nine months – two of which required mothers and their children to be relocated at taxpayers’ expense.

He said the breaches raised serious concerns about the Smartcard.

“The government cannot expect Australians to accept the Smartcard proposal until it satisfies them that it has resolved their legitimate privacy concerns,” he said.

Centrelink spokesman Hank Jongen said five cases had been referred to the Australian Federal Police for investigation, while more than 300 staff faced salary deductions or fines, another 46 were reprimanded, and the remainder were demoted or warned.

The staff were caught using sophisticated “spyware” software monitoring access to client records.

Mr Jongen described the dragnet as a “mopping up exercise”, saying the number of staff involved was small considering Centrelink handled 80 million transactions every week for more than six million customers.

“So you've got to keep these incidents in context,” Mr Jongen told ABC radio.

“The overwhelming majority of our staff have not been involved in these activities.

“Often these activities have simply involved one of our staff, for example, surfing the details of family and friends or taking a peek at their neighbour's records.

“The number of serious offences that have occurred is only a small proportion of the total number.”

Community and Public Sector Union deputy national president Lisa Newman said the job losses were regrettable but the union had long warned Centrelink members about the dangers of inappropriate data access.

Opposition Leader Kim Beazley said the breaches demonstrated the government's administrative incompetence.

Mr. Jongen sounds like a lot of spokesmen, doesn't he? Do spokesmen all train as junior camp councillors? He doesn't see “taking a peek at a neighbour's records” as being “a serious offense”? Luckily we have Mr. Fels standing by to provide adult supervision.

The interesting thing about this story is that on one hand, you have the prospect of a card. On the other, you have the current problems of centralized data storage.

Note that the reason employees could inappropriately access sensitive information was because it was sitting in databases they could get to – not because it was present on a card in someone's wallet.

Centralized databases worry me way more than any other aspect of this technology.

Practice equals theory – demos OK

In terms of certificate behavior, at least, all the metasystem components worked together as designed, across platforms and operators, during the recent change of site key and SSL certificate at identityblog.

I have to give textdrive.com, the operators of my site, credit for going through this on extremely short notice and without charge.  You could look at it as a proof of their ability to handle an emergency revocation, and another example of what a good company they are.

When using Information Cards in the most basic configuration, as I do on my site, the SSL certificate is also used for encryption of the WS-Trust token sent from the identity provider, so everything has to line up at the transport and message level.  The good news is that all this worked as predicted.

It's now fine to use the site for demos – with only the usual caveats…