From little brother to the naked corporation

When I was at the International Association of Privacy Professionals conference recently I was able to hear the multiply visionary Don Tapscott speak about where technology is going, and its relationship with business and society.  He is an extraordinary speaker, with a staggering breadth.  He seems to effortlessly integrate the disparate colliding tendencies and phenomena shaping our future.  If you don't know of him, I'll turn to the Wikipedia, itself a manifestation of forces that form the subject of his latest book:

Mr. Tapscott has authored or co-authored eleven widely read books on the application of technology in business. His new book, co-authored with Anthony Williams is WIKINOMICS: How Mass Collaboration Changes Everything (Portfolio, December 2006).

His penultimate book, co-authored with David Ticoll, is THE NAKED CORPORATION: How the Age of Transparency Will Revolutionize Business (Free Press, October 2003). The Naked Corporation describes how corporate transparency, accountability, and stakeholder relationships are the new frontier for competitive innovation.

He has also co-authored, DIGITAL CAPITAL: Harnessing the Power of Business Webs. This best seller describes how business webs are replacing the traditional model of the firm and changing the dynamics of wealth creation and competition.

There are many other important books – including “Paradigm Shift”…

But at the conference, Don spoke right after Anne Cavoukian, with whom, ten years ago, he had written, “Who knows?  Safeguarding your privacy in a networked world.”  With visionary chagrin, he joked that while he still thought it was a good book, the timing couldn't have been worse.  There it is in a nutshell: the visionary's dilemma.

Don went on to say:

In the book we argued that big brother's always been a problem.   But, because of the growing proliferation of networked computers, and databases connected to them, there's an emerging problem, called little brother.

In the old days, information was kept in filing cabinets, and filing cabinets don't communicate with each other very well.

But when information becomes bits, flying around through networks of sand and air, information starts to communicate, and as we go through life, as this becomes the basis for work, learning and entertainment and healthcare and human discourse, we leave a trail of digital crumbs, and these crumbs are being collected, on this vast network of networks, into a sort of virtual you, a mirror image of yourself, and your virtual you may know more about you than you do in some areas, because you can't remember, say, what movie you watched fourteen months ago.

The little brother problem is key to the work I've been doing on this blog.  And Don, who had been told about the Laws of Identity by Dr. Cavoukian, was kind enough to give me permission to post his full speech.  The mp3 version is here.  (Update:  changed from wma).

Grandstanding to drive up his ratings?

When Doc Searls was first telling me about blogging, he asked if I wanted to see something incredible.  Then he typed the word “doc” into a certain search engine, and the first or second result was the address of his blog. 

I was amazed.  He was right up there.  On a level with the Department of Communications.  He still is today (try it!)

So a while ago, I decided to check out the results for “Kim”.  Narcissistic? I guess.  And worse, the kind of thing that irreversibly links your identity to the audit trail of your searches. 

But I was curious.

Let's face it.  As I've said before, this blog is the “hair on the end of the long tail.”  It was obvious I wouldn't be in the same league as Doc. And we all know the entire country of Korea has the name ‘Kim’.  One search engine lists 227 million references.  So my hopes weren't high.

But despite all this, the results were pretty amazing: 

 

Better search engine

 

Was it possible?  I beat out Kim Jong-il, president of North Korea, who came in at number 8.  In fact I easily passed him at 5!  I could see he's maybe not the most popular person in the world, but still, he does run a country, a country much discussed in some circles.  Anyway, I decided to check out a competing engine:

 

Canadian version of well known search engine

Not quite as good, maybe, but hey, Rudyard Kipling and Kim Basinger are certainly both more fundamentally accessible than identityblog (!), so it seems right.

Anyway, over time I came to take this state of affairs pretty much for granted.

But last week, visiting Canada, a friend asked me what would happen if he just searched for ‘Kim’, so I told him to try it.  He went to www.google.ca, and to my horror I could see that I had slipped:

American version of well known search engine

Suddenly the reality of the situation sank in.  Was the underground nuclear test that Kim Jong-il set off just grandstanding intended to increase his search engine ranking?  

Had Kim Basinger and I actually been in grave danger all along for thwarting a dictator's desire to appear at the top of a result set? 

The poor helpless souls in some CNN documentary flashed before my eyes, and I accepted that losing out to Jong-il wasn't all bad.

And then the kicker.  I VPNed to a computer back in the States, so I could get to the US versions of the search engines (on my friend's ISP it was impossible to get to the actual “.com” site rather than “.ca”).

Guess what? Back in the States it was business as usual.  Kim Basinger and I were still up ahead of Jong-il, despite all of his antics.  My friend and I had been looking at a rating that was somehow Canada specific.

I guess that for search engine experts all of this would come as no surprise.  But I am pretty curious about how these international variations in ranking come about.

 

Second Law of Identity

Here is the Second Law of Identity as expressed by Anne Cavoukian, Privacy Commissioner of Ontario. The “technology” law is on the left; the “privacy-embedded” form is on the right:

MINIMAL DISCLOSURE FOR A CONSTRAINED USE

The identity metasystem must disclose the least identifying information possible, as this is the most stable, long-term solution. 

MINIMAL DISCLOSURE FOR LIMITED USE:
DATA MINIMIZATION

The identity metasystem must disclose the least identifying information possible, as this is the most stable long-term solution. It is also the most privacy protective solution.     

The concept of placing limitations on the collection, use and disclosure of personal information is at the heart of privacy protection. To achieve these objectives, one must first specify the purpose of the collection and then limit one's use of the information to that purpose, avoiding disclosure for secondary uses. The concept of data minimization bears directly on these issues, namely, minimizing the collection of personal information in the first instance, thus avoiding the possibility of subsequent misuse through unauthorized secondary uses.

 

Dr. Cavoukian's restatement of the First Law is here.  I can't overstate the importance of her collaboration with the identity community.  Nothing is more important to getting identity right than getting privacy right.  And there's no better way to get privacy right than by working side by side with those who, like Dr. Cavoukian, have been studying, writing about and protecting privacy for many years.

Download the Privacy-Embedded laws as a brochure or a whitepaper.

Ping unveils Managed Card IP written in Java

Ashish Jain of Ping Identity seems to have broken another barrier by demonstrating a “managed card” identity provider written in Java.

In the world of InfoCards, we talk about two kinds of “identity provider”.  One is a “self-issued” card provider, through which individuals can make claims about themselves.  The other is a “managed” card provider, which supports claims made by one party about another party. 

Examples of managed card providers could include claims made by an employer about its employees; a financial institution about its customers; an enterprise about its customers; or a reputation service making claims about its users.  While the technology for posting tokens from an identity selector like Cardspace to a web site can be very light weight (RESTful), that for building managed card providers is more challenging.

Here's how Ashish puts it:

The Managed Card IdP as well as the RP server that we demonstrated at DIDW is now available for a test run. It’s still early access…so expect some issues. But if you do want to try early, give it a go. It should give you an idea of the things to come.

Please do the following (you need to have RC1 client installed on your machine).

  • Access the IdP Demo here.
  • Enter your information and click ‘Get Card’.
  • When the popup happens, click “open” to save it to the CardSpace Client. Alternatively, you can save it to the disk and double-click to install it. (You can change the extension from .crd to .xml if you are interested in looking at the contents).
  • Close the CardSpace Client.
  • Next go to the RP site here.
  • Click on the Managed Infocard Image.
  • Your CardSpace client should pop-up at this time and only the relevant card should be available for selection.
  • Select the card and it will challenge you to enter your IdP credentials. The server doesn’t perform any password validation at this time (as long as the username is correct).

And you should be logged in to the Relying party. The relying party page also displays the IdP as well as the RP message flow.

I tried it and it definitely worked for me.  I'll do a screen capture.

I don't know if the picture in Ashish's piece shows something he drank as a baby, but if so, a lot of other programmers may want to try some. 

 

Privacy characteristics of the Identity Metasystem

Microsoft has just completed a whitepaper that looks systematically at how the proposal for an Identity Metasystem advances privacy.  

The document offers a useful general overview of how the Metasystem is intended to work – in a form I think will be accessible to those concentrating on policy.  It also contains an instructive analysis of how the Metasystem embodies the principles articulated in the European Union data protection directives. 

I will run some excerpts that I think will be of general interest.  But I suspect all those interested in policy and identity technology will want to download the document, so I've added it to the roster of Identityblog white papers. 

  1. Privacy & Metasystem Introduction
  2. Existing ID Card Schemes
  3. Anonymity, Privacy, and Security
  4. The Identity Metasystem
  5. The Seven Laws of Identity
  6. Roles
  7. Microsoft’s InformationCard Technology: Windows CardSpace
  8. Scenario One: Basic Protocol Flow
  9. Scenario Two: Protocol Flow with Relying Party STS
  10. User Experience
  11. Creating an Information Card
  12. Logging In with an Information Card
  13. Submitting an Information Card
  14. Example of InformationCard Interaction
  15. Privacy Benefits of Windows CardSpace and the Information Card Model
  16. Protection of Users Against Identity Attacks
  17. Information Card Technology and EU Data Privacy
  18. Overview of EU Data Privacy Law
  19. Data Controllers and Their Legal Obligations
  20. EU Data Privacy Laws and Information Cards
  21. Legitimate Processing
  22. Proportionate Processing
  23. Security
  24. Limits on Secondary Use
  25. Conclusion
  26. Acknowledgments 

From the Executive Summary:

Just as individual identity is fundamental to our face-to-face interactions, digital identity is fundamental to our interactions in the online world. Unfortunately, many of the challenges associated with the Internet stem from the lack of widely deployed, easily understood, and secure identity solutions. This should come as no surprise. After all, the Internet was designed for sharing information, not for securely identifying users and protecting personal data. However, the rapid proliferation of online theft and deception and the widespread misuse of personal information are threatening to erode public trust in the Internet and thus limit its growth and potential.      

Microsoft believes that no single identity management system will emerge and that efforts should instead be directed toward developing an overarching framework that connects different identity systems and sets out standards and protocols for ensuring the privacy and security of online interactions. Microsoft calls this concept the Identity Metasystem. The Identity Metasystem is not a specific product or solution, but rather an interoperable architecture that allows Internet users to use context-specific identities in their various online interactions.

This paper describes the Identity Metasystem and shows how it can meaningfully advance Internet user privacy. In particular, it will show how Microsoft’s contribution to the engineering of the Identity Metasystem—the Information Card technology—promotes privacy in three primary ways:

  • First, it helps users stay safe and in control of their online identity interactions by allowing them to select among a portfolio of digital identities and use them at Internet services of their choice. These digital identities may range from those containing no or very little personal information (perhaps nothing more than proof of an attribute such as age or gender) to those with highly sensitive personal information needed for interacting with financial, health institutions, or obtaining government benefits. The key point is that a web site or service only receives the information it needs rather than all of the personal information an individual possesses.
  • Second, it helps empower users to make informed and reasonable decisions about disclosing their identity information by enabling the use of a consistent, comprehensive, and easily understood user interface. Moreover, this technology implements a number of advanced security features that help safeguard users against identity theft by reliably authenticating sites to users and users to sites.
  • Third, and more generally, Information Card technology is hardwired to comply with data privacy laws and conforms to key requirements in the European Union’s privacy regime, including legitimate and proportionate processing, security, and restraints on secondary use.

In short, this new framework and new technology offer a cutting-edge solution to the digital identity debacle that is stifling the growth of online services and systems.

I want to congratulate Ira Rubinstein, Internet Policy Counsel for Microsoft, and Tom Daemen, a senior attorney in his group, for writing this analysis.  Other contributors include our Chief Privacy Strategist, Peter Cullen, and Caspar Bowden, Chief Security and Privacy Officer for Europe.  Not to mention the inimitable Mike Jones, well known for his contribution to Identity Metasystem thinking.

Although the document uses the Cardspace implementation in illustrating its points, it's my hope that everyone working on the Identity Metasystem across the industry benefits from this work, since the notions apply to all of us.

DasBlog site InfoCard enabled

Of course Kim Cameron's Identity Blog has been InfoCard enabled for a while, and I've written about the process.  Now others are working (more on this later) to produce a WordPress InfoCard Plugin for everyone who wants to start accepting InfoCards.

Then a while ago I learned that Rob Richards had InfoCard-enabled his Serendipity-based blog and again published the code for others to examine.  

Now Kevin Hammond has done the same for DasBlog – though I'm not sure yet if I can leave comments using InfoCards:

Taking inspiration from Kim Cameron and how he CardSpace-enabled WordPress, I did the same with DasBlog 1.9.6264.0. casadehambone.com now supports logging into the administrative account using Windows CardSpace allowing me to throw the use of passwords to the wind!

The great thing is that it only took minor changes to three source files and the introduction of one new configuration option each to site.config and siteSecurity.config. I have a little more work before me to make configuration just a tad easier, but the great thing is that this works really well.

I owe special thanks to Clemens Vasters who suggested this morning that the proper “hack” to get this working was to build DasBlog with Visual Studio 2005 and the Visual Studio 2005 Web Application Project add-on. DasBlog built out-of-the-box without issue, making the integration of TokenProcessor.cs to decrypt the SAML token a piece of cake.

If you haven't looked at Windows CardSpace yet, head on over to cardspace.netfx3.com and start reading. Now that Windows Internet Explorer 7.0 is released and Release Candidate 1 of .NET Framework 3.0 is available, you'll find the mainstream barriers to adoption are quickly eroding.

I hope Kevin also publishes his code so others can learn from it.

Can this really bee?

Ian Brown's Blogzilla brings us this report on bugs in the British passport system.  

Yet surely all is not lost.  There are, after all, British politicians with an advanced understanding of privacy and computing.  For example, I would hope the technologically savvy Earl of Erroll, with his informed colleagues the Baroness Gardner of Parkes, the Countess of Mar, Lord Avebury, the Earl of Northesk, and Lord Campbell of Alloway, could prevail upon the good graces of Lord Sainsbury of Turville to have Britain move beyond the strange incident Ian brings to our attention. 

Remember the huge ID cards report row last year between the government and the LSE's Simon Davies? The Home Secretary Charles Clarke (remember him?) went on the Today programme and accused Davies of fabricating evidence for the LSE's report on the ID cards. Ministers from Blair down took turns inside and outside Parliament to rubbish and defame him at every possible opportunity. It turned very nasty and Davies for the remainder of the year was very much Enemy Number One for the Home Office.

Of course subsequent events vindicated the report. The ID scheme is falling to pieces in exactly the way it predicted.

Simon went to the Passport Office in London yesterday to renew his passport. As he approached the interview counter a huge wasp appeared from nowhere, hovering over his head and dive-bombing staff. Interview officers scrambled for cover and retreated to the back of the room. Overheard was the comment “Where the hell did THAT come from?” followed closely by an accusatory glance at Simon and the remark “It came in with HIM!”

The wasp continued to hold position over Simon's head while staff ducked and weaved to avoid the beast. Three security people were called in to deal with the crisis. For a full fifteen minutes work in the passport office came to an abrupt halt as a fearless security official danced around the room, batting the hapless wasp with a handy copy of Her Majesty's passport guidance notes.

The wasp was finally dispatched to insect heaven but not before some people had formed the view that this was all an ingenious and pre-meditated campaign strike against the passport office.

Interestingly, once all the wasp-induced chaos had settled, the officials refused to renew his passport. They said it was “damaged” because a little of the laminate on the data page was lifting. What a surprise for a ten-year old paper document.

Anticipating possible problems establishing his identity, Davies had with him a dozen identity documents, including his LSE card, bankcards, bank statements and utility bills and a three-inch thick pile of newspaper stories with his photo — including articles in the Daily Mail which showed his passport photograph and others from the Sunday Times and the Guardian with his current photo. It was to no avail. He was told that these were all unacceptable as a means of establishing that he was who he said he was. His current passport was not an acceptable form of identity either.

Whether Simon brought a trained wasp into the passport office is something we may never be able to verify, but in the end the Home Office got their own back. He now cannot attend the United Nations Internet Governance Forum in Athens next week, at which he was scheduled to speak.

There may be some who wonder at Ian's complete objectivity.  But let's not dwell on minutiae.  I hope Britain will find some way that the visionary Simon Davies can address the upcoming United Nations conference.

 

First Law of Identity

Here is the First Law of Identity as expressed by Anne Cavoukian, Privacy Commissioner of Ontario. The “technology” law is on the left; the “privacy-embedded” form is on the right:

USER CONTROL AND CONSENT

Technical identity systems must only reveal information identifying a user with the user's consent.

PERSONAL CONTROL AND CONSENT

Technical identity systems must only reveal information identifying a user with the user's consent. Personal control is fundamental to privacy, as is freedom of choice. Consent is pivotal to both. Consent must be invoked in the collection, use and disclosure of one's personal information. Consent must be informed and uncoerced, and may be revoked at a later date.

    

 I'll be publishing Dr. Cavoukian's version of all the laws over the next little while.  Readers new to this discussion might want to take a look at the Laws of Identity, a technology paper which I think rings increasingly true and provides context about the intersection between identity and virtual reality.  Amongst other things, it posits a model in which the user is an active and central participant. 

In the brochure published by the commissioner, my original statement of each law appears on the left page, while the “privacy embedded” version appears on the right.  It is kind of Talmudic (or should I say McLuhanesque?), and demonstrates the intersection of the purely technical with a policy-oriented view.  I'm very excited by this work, which clearly takes the Laws of Identity forward.

The full title of the brochure is, “7 Laws of Identity – The Case for Privacy-Embedded Laws of Identity in the Digital Age” (the illustration above is taken from that publication). 

The Privacy Commissioner's Whitepaper is an equally important document that drills into the notion of an Identity Metasystem and is intended to bring about collaboration between the privacy community and identity technologists as we build it.  

The paper version of the brochure is really a beautiful production.  It can be ordered by calling 1-416-326-3333 / 1-800-387-0073 or by writing to publicat@ipc.on.ca. Beyond that, here is the press statement issued to announce Anne's work, along with the powerpoint of her presentation to the IAPP.

What a powerhouse she is.  She is the thing history is made of.

Privacy czar pushing for better ID protection

Anne Cavoukian's remarkable speech to the International Association of Privacy Professionals is available here in MP3 (total time: 23 minutes).

It's a ground-breaking speech.  It defines a new intersection between the privacy community and those of us who've been working in the blogosphere to understand and advance identity. 

It represents a substantial widening of the discussion we've been having in these pages. 

Dr. Cavoukian and her team have come up with a version of the Laws of Identity that teases out the privacy implications and articulates them with reference to the privacy discourse that has emerged over the last decade. 

I'll be publishing Anne's version so everyone can ponder the implications.

Here's how the CTV national television network described Anne's initiative:

Ontario's information and privacy commissioner says she supports a new global online identity system to protect consumers.

Dr. Anne Cavoukian said there are currently few ways for online consumers to tell the good guys from the bad guys.

“The existing identity infrastructure of the Internet is no longer sustainable,” she said. “Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise.”

The solution lies in the global online identity system based on seven “privacy-embedded” laws, she said.

“The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud,” said the release.

As a result, people are subject to new crimes like “phishing,” in which people are fooled into sending key information to what they think is a trustworthy business, but is actually an identity theft criminal.

The seven laws would create an “identity layer” for the Internet that would guard against such acts.

The “laws,” or principles, are:

  1. Personal control and consent
  2. Minimal disclosure for limited use: data minimization
  3. Justifiable parties: “need to know” access
  4. Directed identity: Protection and accountability
  5. Pluralism of operators and technologies: minimize surveillance
  6. The human face: Understanding is key
  7. Consistent experience across contexts: Enhanced user empowerment and control

The benefit of law 1 would be that an Internet user would store their identity credentials rather than in a centralized online database.

Law 2 would help by minimizing the amount of information given out for a given transaction — and that only the right information be given.

“In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one's age?” Cavoukian said.

These laws grew out of a global, blog-based dialogue amongst security and privacy experts, she said.

With the next generation of Web-based services (“Web 2.0”) emerging, more identity credentials and more trust will be required to make it work, she said.

Microsoft — proprietor of the Windows operating system, the fundamental software that allows a computer to run — is obviously a major player in personal computing security.

Cavoukian said Microsoft's next-generation operating system, called Vista, has some features that will help protect identity.

Vista, which is set for release in January, will introduce a technology called Cardspace. The system will use “infocards,” which will allow websites to verify a customer's identity without receiving or keeping personal or financial information.

Banks could function as middlemen in online purchases, sending payment confirmation to a retailer without sending the person's credit card number.

There would also be different infocards for different applications, much as people have different cards in real life for different purposes.

At a news conference on Wednesday, Kim Cameron, Microsoft's chief identity architect, said Cardspace is a start. He also said it can't just be a Microsoft thing.

“It has to work across Microsoft, Linux, Apple, every possible permutation and combination. It has to work on computers, it has to work on cellphones so it's really a very all embracing thing.”

Some companies have agreed to start accepting infocards, but Cameron wouldn't name the firms.

Both Cameron and Peter Cullen, Microsoft's chief privacy strategist, said another advantage of this coming system is it will allow users to avoid “password fatigue.”

Currently, people need to pick a user name and password when they register at an Internet website.

Because it's difficult to remember a large number of passwords, some use the same password for all websites, which creates a security risk.

 

A Merit Badge That Can't Be Duplicated

From the Los Angeles Times

Boy Scouts can earn badges for woodcarving, raising rabbits and firing shotguns.

But in the Los Angeles area, Scouts will now be able to earn their stripes by proselytizing about the evils of copyright piracy.

Officials with the local Boy Scouts and the Motion Picture Assn. of America on Friday unveiled the Respect Copyrights Activity Patch — emblazoned with a large circle “C” copyright sign along with a film reel and musical notes.

The 52,000 Scouts who are eligible may earn the patch by participating in a curriculum produced by the MPAA. To earn the badge, Scouts must participate in several activities including creating a video public-service announcement and visiting a video-sharing website to identify which materials are copyrighted. They may also watch a movie and discuss how people behind the scenes would be harmed if the film were pirated.

But will the patch be a badge of honor or a scarlet letter of uncoolness?

Richie Farbman, 13, is raring to go, eager to warn others about the dangers of illegal downloading while adding to his more than 20 activity badges.

“I think it's really good to get the message out that it's bad,” said the Redondo Beach Scout. “You can see your friends doing it and tell them why it's bad. I think if you're a role model, you can stop people.”

But Richie said he knew his perspective wasn't shared by many of his classmates. “A lot of people don't think they're going to get in trouble,” he said, “so they do it anyway.”

Other teenagers say Richie and his Scouting buddies face an uphill battle. “Everyone knows it's illegal already, but they do it anyway,” said Kevin Tran, a senior at Taft High School in Woodland Hills. “They can't afford to buy CDs and DVDs, and they see it [on the Internet] for free, so why not do it?”

Officials at the Scouts’ Los Angeles Area Council said they approached the MPAA with the idea nine months ago, emphasizing that the entertainment industry lobbying group did not make financial donations to secure the badge program.

The inspiration for the new badge came from Hong Kong, where the local Boy Scouts organization had its members pledge not to use or buy pirated materials. In addition, the Scouts agreed to search Internet file-sharing sites and turn in sites and users they see violating the law. The campaign was launched at a stadium before a slew of pop stars where the so-called “youth ambassadors” pledged to stem the rise of piracy.

The move raised concerns from civil libertarians, who feared the group was creating thousands of young spies to snitch on copyright abusers.

Victor Zuniga, a spokesman for the Scouts’ Los Angeles Area Council, said his group decided on a less aggressive approach: The Scouts won't be asked to police the Internet for pirates.

“Our program is educational,” Zuniga said, adding that the badge probably would be offered elsewhere if it was successful here.

Stephanie Scott, a mother of two Boy Scouts, said the anti-piracy badge has something other Scouting activities lack. “This one is tailor-made for the city boy in L.A.,” she said. “Scouts may just as soon go for this one rather than Wilderness Survival.”

MPAA Chairman Dan Glickman said partnering with the Boy Scouts made sense because so much of the pirating was being done by teenagers. “The truth is: So many kids today are savvy with computers and Internet technology and can download anything,” he said.

Although teenagers might roll their eyes at the new badge, some technology-industry analysts said it was a good idea.

“It's actually an incredibly savvy recognition that all the legal and legislative protection, all the technological intervention is clearly not enough to shut down the Internet,” said Eric Garland, an analyst with BigChampagne, which tracks file-sharing networks. “You have to go after the will of the people. Make it an ethical issue.”

But to many teens, it's not so much about ethics as it is money. “Sure [Scouts] should learn downloading is illegal. But if you can't afford to buy it, then they're going to do it anyway,” said Kevin Nguyen, 16, Chatsworth High. “There's no way to control it.”

To quote Slate:

A mom's take: “This one is tailor-made for the city boy in L.A.” As long as the L.A. city boy is an aspiring studio hack.

A friend tells me various youth organizations are working on “Downsizing” and “Outsourcing” badges as well.  The boys have to convince a company of their choosing to adopt a program resulting in a pre-negotiated reduction in salaries and benefits.  There has been talk of offering a supplementary badge for eliminating women staffers.