Paul Madsen's ConnectID takes me to task in a piece called “If you prick us, do we not breed?” 

It seems Microsoft does not believe we Canadians have children.

Perhaps this is part of ‘the plan’, discourage non-Americans from population growth by turning off for us all software features that facilitate family-based identity management? Brilliant!

For myself, simply knowing that I'd be on my own in the raising of additional offspring makes me feel less inclined to do my “bit” for Canada.

Or maybe this is directly at Kim‘s instigation? Some long festering grudge against his homeland? Was he forced to go to the States for some two-tier medical procedure and carries his resentment to this day?

Some might have dismissed this complaint as a being merely specious, but out of completeness I did a search and found this shocking statistic:

Canada's birth rate fell two years ago to its lowest level since 1921, when the agency began keeping records, according to Statistics Canada.  The federal agency said on Monday that Canada's “crude birth rate,” which measures the number of live births per thousand Canadians, fell to 10.5 in 2002.

The rate declined by slightly more than a quarter in the decade between 1992 and 2002, according to the report.

In 2002 Canadian women gave birth to 328,802 babies, down 1.5 per cent from the year before. It was also the eleventh decline in 12 years.

Canadians, I am confident that it was not the conscious intent of my colleagues in Windows Live to further erode the Canadian birthrate.  And remember that the statistics cited date from before the NHL strike, which left the nation – rather, nations – with nothing to do on Saturday nights, meaning the situation may well be on the mend – even without my intervention.  None the less, I'll check into this and get back to you.  Personally I take it as a good sign that there is some differentiation between what is served up in the various markets.

Speaking of Windows Live ID, a lot of thinking and refinement has been going on there recently with respect to identity.  My colleagues have written a white paper which I'll share with you over the next few days.


From techworld.com, here is piece on a leading IBM researcher who has reached the same conclusions I have in evaluating the design of the current proposal for UK identity cards.  Putting privacy issues aside for a moment – as important as they no doubt are – he is repulsed by the design from a security point of view. 

He couldn't be more right.  My central “aha” in studying the British government's proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected in our technical systems.  A technology proposal that aims to eliminate compartmentalization rejects one of the fundamental protective mechanisms society has evolved.  The resulting central database, where everything is connected and visible to everything else, is as vulnerable as a steel ship with no compartments – one perforation, and the whole thing goes down.

The starting point for a security thinker is that there will be perforations.  In low value systems, the breach will come from neglect.  In a high value system, there will be conscious attacks mounted both from without and within, and one must assume that one of these will succeed.

Our art consists in reducing the frequency of such perforations, and – once a breach occurs – minimizing the damage that is done.  The current British proposal masterfully maximizes such damage, like a fire extinguisher full of gasoline.   

IBM researcher Michael Osborne, whose job is research into secure ID cards, slated the UK government's ID cards scheme on the grounds of cost, over-centralisation, and being the wrong tool for the job.

Based in Big Blue's Zurich research labs, where the scanning tunnelling microscope was invented and won its inventors a Nobel Prize, Osborne said that the problem is neither the cards nor the fact that the scheme is intended to use biometric technology.

The big issue is that the UK government, plans to set up a central database containing volumes of data about its citizens. Unlike other European governments, most of whom already use some form of ID card, the central database will allow connections between different identity contexts – such as driver, taxpayer, or healthcare recipient – which compromises security. Centrally-stored biometric data would be attractive to hackers, he said, adding that such data could be made anonymous but that the UK Government's plans do not include such an implementation.

Osborne added that biometric technology is still immature. “It's not an exact science”, he said. In real world trials, some 10 per cent of people identified using iris recognition failed to enrol – which means the system didn't recognise them. Even fingerprinting is no panacea, as four per cent failed to enrol. Scale that up to a whole population – the UK contains nearly 60 million people – and the problem of biometric identification becomes huge, he said.

Osborne also criticised the government for the potential cost of the system. He said that it will cost a lot more than anyone thinks, pointing out that a project of this size hasn't been tried before, so the government's projected costs are not necessarily accurate.

Finally, Osborne also used a dozen criteria, including whether or not such as system is mandatory or time-limited , to show that on all but two, the UK Government's scheme fails – even before controversial civil liberties issues are considered.

And as for whether ID cards are the right tool to defeat terrorists in the first place, security expert Osborne said: “ID cards won't solve the problem because terrorists don't care about identification – and they'll have valid IDs anyway. The issue is the central database.

“But no-one knows if it'll work, or if it'll be accurate enough – it's more about perceived security than actual security.”

Osborne suggested an alternative, which involved keeping the data on the card. With such a system, only the template is downloaded and identity processing happens on the card using Java and local data rather using centralised storage and processing.

He added that since terrorists wanted to be identified, having an ID card was unlikely to be a deterrent. “However, in some previous studies, some criminals were found to be deterred by the need to possess an ID card.”

Osborne's remarks were made in a personal capacity during a visit to the Zurich labs, and did not reflect IBM's corporate viewpoint.

Just by the way, I always have trouble with the “in a personal capacity” disclaimer.  Michael Osborne presumably says the same things about the matters in which he is expert whether at work or not.  IBM should just let him speak freely as the researcher that he is – and learn, as should we all, from what he says.



Via Paul Mooney at dotnetjunkies here's news about a free personal identity provider from Verisign.  It's great to see a bunch of talented people at Verisign throwing their weight behind Identity 2.0.  The identity metasystem can only result from the confluence of all of our efforts – and here I'm speaking not only of vendors, but of writers, architects, top management and technical leaders all across IT.

I had a nice chat with Mike Graves of VeriSign at the Syndicate Conference  yesterday. I've met many people who work for VeriSign, but this is the first time I talked to one with a blog.

Mike was part of the Authentication and Feeds breakout and I asked him if VeriSign would ever come out with a five dollar certificate – how about free – was his reply.

So I checked-out Mike's blog and found out about it:

Introducing the VeriSign Personal Identity Provider (PIP)You're invited to visit and try out a beta version of an identity service we've provided. It's called the VeriSign Personal Identity Provider

What Can I Do With The VeriSign PIP?

When you register at the VeriSign PIP, your user name is used to generate a unique URL for your profile. My username is “mgraves”, so my OpenID is “http://mgraves.pip.verisignlabs.com/. Now when you go to a site that supports OpenID, you can provide your OpenID, and use it instead of having to register separately for each site.

InfoCard will arive with Windows Vista, so PIP is an opportunity for us to get to learn about what's required for identity, trust and authentication.


Here is a story in CGN.com on a new report from Homeland Security on the privacy implications of RFID. 

The Homeland Security Department’s Privacy Office has issued a draft report from a technology analysis group that strongly criticizes the personal privacy and security risks of using radio frequency identification device units for human identification and says the technology offers little performance benefit over competing methods.

The Privacy Office is seeking comments on the report, which are due by May 22.

The department’s Emerging Applications and Technology Subcommittee of the Data Privacy and Integrity Advisory Committee prepared the report, which is titled “The Use of RFID for Human Identification.”

The critical report comes against the background of a continuing debate within the department over the security and privacy issues surrounding the use of RFID technology to identify people at border crossings.

State and DHS are considering the benefits of establishing a single RFID standard for an array of border-crossing credentials. They include:

  • The SENTRI and Nexus trusted traveler cards
  • The “laser visa” Mexican Border Crossing Card
  • The Free and Secure Trade card for truck drivers

The People Access Security Service card now being developed will comprise a “passport-lite.”

In addition, the U.S. Visit program is promoting the use of nonsecure RFID technology to identify foreigners carrying I-94 immigration forms as they leave the country.

But the draft report roundly condemns RFID technology, stating that it can be used to monitor human behavior. The report endorses the use of RFID for miners and firefighters in dangerous situations.

“Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example) but can in fact be used for monitoring human behavior,” the report states.

“For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings,” the report continues. “When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.”

The report goes on to specify various ways in which information stored on RFID tags can be compromised or improperly used for human surveillance. It notes that RFID units can slightly reduce the delay when people pass through checkpoints, but says “Against these small incremental benefits of RFID are arrayed a large number of privacy concerns.”

The report proposes methods to be used when deciding whether or not to use RFID technology and best practices to maintain privacy in RFID systems used to track humans.

Industry representatives have been at pains to distinguish between insecure RFID technology and the secure technology that they refer to as contactless smart cards. Both technologies use radio frequency transmission to transfer data.

Neville Pattinson, director of Technology & Government at Axalto Inc. of Austin, Texas, offered a representative comment from the smart-card industry. He welcomed the public comment period on the report.

“It’s inappropriate to use RFID technology for tracking and authenticating identities of people,” Pattinson said.

“You can think of RFID as an insecure barcode with an antenna. In contrast, not everything that uses radio frequencies is RFID,” Pattinson wrote in an e-mail comment on the report.

“Wireless computers and mobile phones use radio frequencies too, but they’re secure devices because they contain computers and are securely associated with individual identities over networks,” he wrote.

According to Pattinson, contactless smart-card technology is not the same as RFID. He compared contactless smart cards to secure wireless computers.

“Contactless smart cards are suitable for identifying individuals because the technology has all of the security features to protect the privacy of the individual and secure the identity of the individual in identification applications,” Pattinson wrote. “Contactless smart cards are the appropriate technology to uphold privacy and security.”

I have looked into the contactless cards and it appears they can be programmed to be compatible with the Laws, especially Law 4.   But as the industry moves towards contactless cards, their very flexibility will make it hard to discern which specific implementations obey the Laws, and which ones don't.  It's my view that we will need a set of objective criteria which contactless cards will have to meet in order to be deemed acceptable, and these criteria will have to be broadly vetted by the privacy community before moving forward.

This said, it is most encouraging to see Homeland Security paying so much attention to these issues, which deeply affect not only our privacy, but our individual security.


I always trust Dave Kearns to tell me what he really thinks, so this review of my InfoCard For PHP Tutorial is encouraging:

Finally got around to watching the tutorial, and it's a good one. Simple concept, easily grasped nothing too techy, but still not condescending.

If only the narator was a bit more enthusiastic!  🙂

I think it will really help you understand metasystem and InfoCard technology if you take a look.


Here's one conference I definitely won't miss.  I've been lucky enough to preview some of the papers.  I gurantee that if you want to deepen your understanding of privacy enhancing technology, you should see if you can get to Cambridge at the end of June: 

Robinson College, Cambridge, United Kingdom June 28 – June 30, 2006 http://petworkshop.org/2006/

Special Events:
* Keynote speaker: Susan Landau, Sun Microsystems Laboratories
  on “The Missing Link”, (Abstract at the end of the email.)
* PET Award 2006 ceremony and reception at Microsoft Research,

Co-located with:
* The Fifth Workshop on the Economics of Information Security
  (WEIS 2006), 26-28 June, http://weis2006.econinfosec.org/
* IAVoSS Workshop On Trustworthy Elections (WOTE 2006)
  29-30 June, http://www.win.tue.nl/~berry/wote2006/

Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior, and restricting the ability to publish or retrieve documents. Approaches to not only protecting individuals and groups, but also companies and governments, from such profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure.

This 6th workshop addresses the design and realization of such privacy and anti-censorship services for the Internet and other communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives.

Early registration by May 12 at:

Further local information on accommodation and travel is available on the PET workshop website (book accommodation early!):

Program Chairs:
* Philippe Golle, PARC
  (Philippe.Golle at parc com)
* George Danezis, K.U.Leuven
  (George.Danezis at esat kuleuven be)

General Chair:
* Richard Clayton, University of Cambridge
  (Richard.Clayton at cl cam ac uk)

Research Program:
(also at http://petworkshop.org/2006/program.html)

Privacy and the real world

    * One Big File Is Not Enough: A Critical Evaluation of
      the Dominant Free-Space Sanitization Technique
         Simson Garfinkel and David Malan
    * Protecting Privacy with the MPEG-21 IPMP Framework
         Nicholas Paul Sheppard and Reihaneh Safavi-Naini
    * Privacy for Public Transportation
         Thomas S. Heydt-Benjamin, Hee-Jin Chae, Benessa Defend, and Kevin Fu
    * Privacy Rights Management – Taming Cellphone Cameras
         Mina Deng, Lothar Fritsch and Klaus Kursawe
    * Ignoring the Great Firewall of China
         Richard Clayton, Steven J. Murdoch and Robert N. M. Watson
    * I Know What You Did Last Summer: Self-Awareness,
      Imagined Communities,and Information Sharing in an
      Online Social Network
         Alessandro Acquisti and Ralph Gross

Privacy policies

    * Enhancing Consumer Privacy in the Liberty Alliance
      Identity Federation and Web Services Frameworks
         Mansour Alsaleh and Carlisle Adams
    * Traceable and Automatic Compliance of Privacy
      Policies in Federated Digital Identity Management
         Anna C. Squicciarini, Abhilasha Bhargav-Spantzel,
         Alexei Czeskis and Elisa Bertino
    * Privacy Injector – Automated Privacy Enforcement through Aspects
         Chris Vanden Berghe and Matthias Schunter
    * A Systemic Approach to Automate Privacy Policy
      Enforcement in Enterprises
         Marco Casassa Mont and Robert Thyne

Anonymous communications

    * Improving Sender Anonymity in a Structured Overlay
      with Imprecise Routing
         Giuseppe Ciaccio
    * Selectively Traceable Anonymity
         Luis von Ahn, Andrew Bortz, Nicholas Hopper and Kevin O'Neill
    * Valet Services: Improving Hidden Servers with a Personal Touch
         Lasse Øverlier and Paul Syverson
    * Blending different latency traffic with alpha-mixing
         Roger Dingledine, Andrei Serjantov and Paul Syverson

Attacks: Traffic and Location analysis

    * Breaking the Collusion Detection Mechanism of MorphMix
         Parisa Tabriz and Nikita Borisov
    * Linking Anonymous Transactions: The Consistent View Attack
         Andreas Pashalidis and Bernd Meyer
    * Preserving User Location Privacy in Mobile Data
      Management Infrastructures
         Reynold Cheng, Yu Zhang, Elisa Bertino and Sunil Prabhakar
    * Location Access Effects on Trail Re-identification
         Bradley Malin and Edoardo Airoldi

Private muti-party computation, authentication, and cryptography

    * Private Resource Pairing
         Joseph A. Calandrino and Alfred C. Weaver
    * On the Security of the Tor Authentication Protocol
         Ian Goldberg
    * Honest-Verifier Private Disjointness Testing without Random Oracles
         Susan Hohenberger and Stephen A. Weis
    * A Flexible Framework for Secret Handshakes
         Gene Tsudik and Shouhuai Xu
    * Optimal Key-Trees for Tree-Based Private Authentication
         Levente Buttyan, Tamas Holczer and Istvan Vajda
    * Simple and Flexible Private Revocation Checking
         John Solis and Gene Tsudik

Keynote speaker:

               The Missing Link

               Susan Landau

In recent decades, we have seen significant progress in the development of tools to protect privacy.  We have similarly seen various policy developments, e.g., the 1980 OECD Guidelines on Privacy Protection and 1997 application to the Internet.  But

             Between the conception
             And the creation
             Between the emotion
             And the response
             Falls the Shadow.
                    (T.S. Eliot, “The Hollow Men.”)

One shadow is that while privacy policies abound, when data is collected, there are few or no rules governing its security (which is a crucial requirement for data privacy).  A current instance of this concerns the recent requirement for data retention by the European Union.

This talk discusses what is needed to get to:

             Between the conception
             And the creation
             Between the emotion
             And the response
             Falls the Action.


Phil Windley's piece on the Tuesday morning session at IIW includes this description of the fascinating work done by Chuck Mortimer (who had an entire InfoCard environment running inside FireFox) and by Gail-Joon Ahn.

The first session I went to was Gail-Joon Ahn from Univ. of North Carolina. Gail-Joon and his students built an open source implementation of InfoCards. They’re interested in creating potable, interoperable, and multi-modal identity card selectors (part of InfoCard).

Gail-Joon Ahn and students
Gail-Joon Ahn and students (click to enlarge)

Gail-Joon’s students demo’d a Java version of the InfoCard selector. The demo included logging into a site using a selected InfoCard, creating cards, and interacting with identity providers and relying parties in a couple of scenarios. All of the code is in Java. This is an impressive effort, but also illustrative of the fact that InfoCard

  1. doesn’t have to be just a .Net/Microsoft thing and
  2. is simple enough to allow multiple implementations.

Part of their work involves moving InfoCard beyond the desktop and to mobile devices. They demo’d what’s called an “i-button” that contains a secure token. The i-button could be on a ring or key fob. There was also a demo showing an InfoCard selector on a mobile phone. Chuck Mortimore did a 5-minute demo of a Firefox plugin he’s done for InfoCards. He created a card and then logged into Kim Cameron’s blog using the card. Pretty cool. Kim Cameron took over to show the code that Chuck was hitting on his blog. The relying party stuff he’s using is all written in PHP. Kim showed various debugging tools for seeing what’s going back and forth and demo’d the use of various InfoCard pieces from various players together.

I guess Phil turned his head for a moment, and in the general chaos that reigned all around us, missed Paul Trevithick's demonstration of early Higgins interoperability with InfoCard.  It brought about another round of whistles and applause, and I think represented one of the aha moments of the conference.

Paul, who has been a leader in the Identity Gang since day one – being instrumental in developing our shared vocabulary – and Anthony Nadalin, an inventor of WS-Trust and a leading identity thinker at IBM, were both 100% clear that their goal in Higgins was to produce an identity selector that would use the same InfoCards being employed in Microsoft's identity selector, and expose the user to a similar identity experience.  I think this clarity will be important in convincing the journalist community that we on the same identity train.

The demos made the growing momentum of the Identity Metasystem absolutely tangible.  People have now demonstrated all aspects of the metasystem running on both Windows and non-Windows platforms.  That's a real milestone.  Meanwhile, discussions about open source projects abound.  



Here's some of what Phil Becker had to say in the DIDW newsletter: 

This week I saw a significant “state change” occur in this year and a half “Identity Gang” evolution, and it tells me things are going to start to happen. Some of those involved will be happy this is so, others most likely won’t be. But for those not directly involved (i.e. most of the population) it was, in my opinion, a tremendously significant moment in the evolution of the identity conversation, and one that will have many significant ramifications going forward – though these will likely take another year to become clear to those not paying close attention.

They are working on the issues of what form identity must take to become ubiquitously deployable, become something that will be adopted comfortably by users, and how we can ever get there from here.

The first sign that the required significant shifts are occurring is visible in the titles of the sessions this un-conference produced on its first day. These titles have all subtly shifted in ways that indicate there is no longer any question that there is a single, over-arching story behind the identity conversation, and that the mission now is to figure out how to converge the many efforts that are underway.

These efforts were each begun with a very different mission and with a very different use/case and problem set driving them, and this has previously created division and competition. This time, however, it was clear that everyone was looking for where they should get on board, and how to avoid having their goals left out.


 Opinity's Tom Maddox has a bunch of podcasts lined up for us:

Sorry about the failure to do postings updating the Internet Identity Workshop 2006. Last heard from, I had finished eating my spinach on day one–listening through presentations on technical topics. 

Days two and three were very different, as advertised. “Open space,” “unconference”–what have you. There was a large open space, where at one end larger presentations could take place; otherwise tables were spread out across the space, and there were meeting rooms on both sides of it. What this means, practically speaking, is that the rooms and tables could be used for smaller sessions, and that the remaining tables could be used for ongoing conversations.

The sessions were actually seminars: topic-centered, with a more or less formal leader, a whiteboard, and a group of engaged participants.

In short, as Dave Winer has advocated often and well, the conference was able to engage the intelligence and kills of the participants. Insofar as I could tell, the results were excellent. That is, people knew they would have a chance to voice their concerns and to respond to whatever others said–whoever the others were, including technical or corporate bigshots.

Now, before someone reprimands me for implying that there were corporate or technical bigshots in attendance, let me clarify that one. There were, in fact, luminaries of various sorts participating: A-list bloggers, well-known corporate folks, technical experts working at the forefront of innovation in the field of identity mangement … people like that. However, and this is the point: they were not on stage, performing. They were at the tables and in the rooms, talking, listening, asking and answering questions. In terms of social interaction, the conference hierarchy was flat.

However, de gustibus non est disputandum, as the man saidwhich is to say, there's no accounting for taste. So some folks undoubtedly prefer the bright lights, big city ambience of big conferences. I prefer things this way.

But, you may ask, what were these people talking about? Well, I'll cue up the MP3s and show you as I get them edited. I did podcast interviews of varying lengths with several people:

  • Doc Searls, one of the workshop organizers–though, he says in the interview he's more of a liability than an asset as organizer
  • Dick Hardt, CEO of SXIP Identity
  • Phil Windley, another of the workshop organizers
  • Christine Herron, who blogged the hell out of the first two days of the workshop
  • Daniel Perry, a lawyer from Florida working on Internet issues, in conversation with Bill Washburn, from Opinity
  • “JB,” who'd ridden the train from Tennessee, where he is, among other things, a Christian radio broadcaster

So, here's the thing: I'm working on the audio from all of these and will get them all online as quickly and well as I can–emphasis on quickly because this stuff is timely and requires speed more than formal excellence, or so it seems to me.

Oh yes, I wanted to say that Eugene Kim owes me an interview. He periodically came up to the table where I and my fancy microphones –great stage props for signifying “I'm really serious about this podcasting stuff”–were ensconced and said, in effect, I'll be right there, hold on, but  apparently he then put a series of Sportsracer power moves on me so awesome they fogged my memory, because somehow, well, I'm not sure how it happened, but I don't have a KimCast. Hmph.

Tom's “Eating Spinach at the Internet Identity Workshop 2006” gives you a good feeling for what went on during the first day's level-set meeting.


Here is Kaliya's post, which unfortunately omits a discussion of Matisse's influence on the unconference: 

Facilitating the Internet Identity Workshop was a wonderful experience. I got to bring help the order emerge out of the chaos by leading Open Space. Many felt that it was

About two weeks ago I started making a map of the history of the community. This was in part because I knew a lot of new people were coming to the workshop and I wanted to be sure they had some context of who we were and where we had come from. I translated this into an interactive wall map that allowed people to add their own elements to the history.

On the timeline:

  • Yellow diamonds are protocols
  • Pink Trapazoids events that have happened on a timeline
  • Purple papers are Publications white papers
  • Purple 1/2 circles are podcasts.

Clusters (ot on the timeline):

  • Green Parallelograms are mailing lists
  • Blue pages are blogs

There are some good photos of this but I will be taking the results and putting them into Omnigraffle and then PDF too. 

Tuesday Morning we got to put together the agenda. It involves everyone who wants to present putting what they want to have a session about on a piece of paper. They speak their session title to the whole room and then post it on the wall.

It wasn’t until about mid day on Tuesday that I actually landed and was able to engage in the conference. The Planetwork folks talked a lot talking about the emerging 1society project.

Dinner both evenings was great. Monday was Italian and Tuesday was Thai.

The Identity Commons crowd moved things forward we have a follow up call next week.

At the very end watching and listening to Paul and Drummond go over the relationship between Higgins two projects and XRI / XDI was a great treat.

We concluded our day listening to Eugene Rant about Wikis at Wiki Wednesday. After dinner Meng told us he had founded the Reputation Gang and we invited him to be a part of the Identity Commons.

The highlight to get the essence of what happened is the closing session recorded. Here Tuesday and Wednesday.

I'm looking forward to seeing the map in digital form.