Dynamite interview with Latanya Sweeney

Scientific American has published a must-read-in-its-entirety interview with Carnegie Mellon computer scientist Latanya Sweeney. She begins by showing that privacy is not a political issue, but an animal need:

“We literally can't live in a society without it. Even in nature animals have to have some kind of secrecy to operate. For example, imagine a lion that sees a deer down at a lake and it can't let the deer know he's there or [the deer] might get a head start on him. And he doesn't want to announce to the other lions [what he has found] because that creates competition. There's a primal need for secrecy so we can achieve our goals.”

Then she ties privacy to human ontogenesis – again, a requirement for the existence of the species: 

Privacy also allows an individual the opportunity to grow and make mistakes and really develop in a way you can't do in the absence of privacy, where there's no forgiving and everyone knows what everyone else is doing. There was a time when you could mess up on the east coast and go to the west coast and start over again. That kind of philosophy was revealed in a lot of things we did. In bankruptcy, for example. The idea was, you screwed up, but you got to start over again. With today's technology, though, you basically get a record from birth to grave and there's no forgiveness. And so as a result we need technology that will preserve our privacy.

Linkage with CardSpace in Auditing Mode

As we said here, systems like SAML and OpenID work without any changes to the browser or client – which is good. But they depend on the relying party and identity provider to completely control the movement of information, and this turns out to be bad. Why? Well, for one thing, if the user lands at an evil site, that site can take complete control of the client (let's call this “extreme phishing”) and trick the user into a lot of evil.

Let’s review why this is the case. Redirection protocols have two legs. In the first, the relying party sends the user’s browser to the identity provider with a request. Then the identity provider sends the browser back to the relying party with a response. Either one can convince the user it's doing one thing while actually doing the opposite.

It’s clear that with this protocol, the user’s system is “passive”. Services are active parties while the browser does what it is told. Moreover, the services know the contents of the transaction as well as the identities and locations of the other service involved. This means some classes of linkage are intrinsic to the protocol, even without considering the contents of the identity payload.
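The two legs just described can be modelled in a few lines. The following is an added illustration, not code from this post or from any SAML or OpenID implementation: a passive browser that simply follows whatever Location it is handed, a relying party (RP) that bounces the browser to an identity provider (IdP) naming itself as the return address, and an IdP that answers with a toy assertion. The hosts (idp.example, shop.example, forum.example), the cookie value and the assertion format are all made up for the example. The point it makes visible is the linkage the text calls intrinsic: without opening the identity payload at all, the IdP ends up with a list of which RPs the user signed in to, and each RP learns which IdP the user relies on.

```python
"""Toy model of a two-leg browser-redirect sign-in (SAML/OpenID style).

Added example, not the post's own code. Hosts, cookie values and the
assertion format are constructed for illustration only.
"""
from urllib.parse import urlencode, urlparse, parse_qs


class Browser:
    """Passive user agent: it holds a cookie per host and follows every
    redirect a service hands it, with no say in where it is sent."""

    def __init__(self, services, cookies):
        self.services = services   # host -> handler(url, cookie) -> next url or None
        self.cookies = cookies     # host -> session cookie value

    def get(self, url):
        hops = []
        while url is not None:
            hops.append(url)
            host = urlparse(url).netloc
            url = self.services[host](url, self.cookies.get(host))
        return hops


class IdentityProvider:
    def __init__(self, host):
        self.host = host
        self.observations = []   # (user, relying-party host) pairs the IdP can link

    def handle(self, url, cookie):
        q = parse_qs(urlparse(url).query)
        return_to = q["return_to"][0]
        user = cookie   # the IdP's own session cookie names the user
        # Leg 1 ends here: the request itself tells the IdP which RP the user is at,
        # before any identity data has been exchanged.
        self.observations.append((user, urlparse(return_to).netloc))
        # Leg 2: send the browser back to the RP carrying a toy assertion.
        return return_to + "?" + urlencode({"assertion": f"{user}@{self.host}"})


class RelyingParty:
    def __init__(self, host, idp_host):
        self.host = host
        self.idp_host = idp_host
        self.logins = []   # assertions received; each names the issuing IdP

    def handle(self, url, cookie):
        q = parse_qs(urlparse(url).query)
        if "assertion" in q:
            self.logins.append(q["assertion"][0])
            return None   # response leg complete; no further redirect
        # Leg 1: bounce the browser to the IdP, naming ourselves as the return address.
        return f"https://{self.idp_host}/auth?" + urlencode(
            {"return_to": f"https://{self.host}/login"})


def run_sign_ins():
    """Sign one user into two unrelated RPs through one IdP and report what
    the IdP could link purely from the redirect traffic."""
    idp = IdentityProvider("idp.example")
    shop = RelyingParty("shop.example", idp.host)
    forum = RelyingParty("forum.example", idp.host)
    services = {s.host: s.handle for s in (idp, shop, forum)}
    # Constructed session: the browser already holds an IdP cookie for "alice".
    browser = Browser(services, cookies={"idp.example": "alice"})
    hops = [browser.get("https://shop.example/login"),
            browser.get("https://forum.example/login")]
    return {
        "idp_linkage": idp.observations,
        "rp_logins": shop.logins + forum.logins,
        "hops_per_login": [len(h) for h in hops],
    }


if __name__ == "__main__":
    for key, value in run_sign_ins().items():
        print(key, value)
```

Running it shows three hops per sign-in (RP, IdP, RP) with the browser never deciding anything, an IdP record pairing alice with both shop.example and forum.example, and two RP logins each stamped with the IdP's name. That record is the linkage that exists regardless of what the assertion says, which is the property a user-centric design has to change.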

What changes with CardSpace?

CardSpace is based on a different protocol pattern in which the user’s system is active too.

Burton Group reports on user-centric interop

The Burton Group has posted its evaluation of the user-centric interopathon held at this year's Catalyst. The analyst is Bob Blakley, now with Burton and previously chief scientist for Security and Privacy at IBM Tivoli Software. 

Bob writes, “Prior to the event, there were some specifications, one commercial product, and a number of open-source projects. After the event, it can accurately be said that there is a running identity metasystem.”

The Biometric Dilemma

Vision researcher Terrence E. Boult has identified what he calls the “Biometric dilemma” – the more we use biometrics the more likely they will be compromised and hence become useless for security.

This is a hugely important observation – the necessary starting point for all thinking about biometrics. I'd even call it a law.

Terrence was responding to a piece by Sean Convery that picked up on my post about reversing biometric templates. Terrence went on to call our attention to more recent work, including some that details the reversibility of fingerprint templates.

Boys scrap over Facebook

Jason Calacanis, CEO of Weblogs and Master of New Media, took the lid off a noisy can of worms this week when he declared Facebook Bankruptcy, exhausted by his Facebook chores of responding to endless invitations, requests and guilt trips. In sum, he says, “Folks have just opted in to another out of control inbox…. I'm opting out.”

This was all too much for Scoble, whose river of crocodile tears led to “Calacanis can't keep up with Facebook”. Scoble apparently manages more than 4,000 Facebook friends (including me – I'm down here somewhere) compared to Jason's mere 395, saying, “More of the best names in tech are on Facebook than any other social network I’m on.” and “Facebook is the new business card”. He sees Facebook as new age marketing. (Is this why half my homepage consists of Scoble videos? Just kidding…)

Nestled between the extremes is a piece by Rex Hammock, who I think gets it right when he says, “Facebook is a sandbox I’m playing in — but it has a long way to go before it can hope to be the world I live in.”

Time: no one knows you're a CEO

Lev Grossman's The Price of Anonymity in this week's Time Magazine is interesting partly because of his unforgettable portrait of John Mackey as Marie Antoinette. But it veers to a draconian conclusion:

As far back as the 1980s, the Internet has been an electronic masked ball, a place where people can play with new identities and get off on the frisson of being somebody else. MIT sociologist Sherry Turkle has argued that this kind of identity-play even has therapeutic value. You certainly can't ascribe a plausible financial motive to Mackey–rahodeb's postings weren't moving stock prices around. This was about just being naughty: picture Mackey chortling as he played the regular rube, like Marie Antoinette dressing up as a peasant and milking cows on the fake farm she built near Versailles. (Mackey was even in drag, sort of–rahodeb is an anagram of his wife's name, Deborah.)

Paper argues biometric templates can be “reversed”

Every time biometrics technology is sold to a school we get assurances that the real fingerprint or other biometric is never stored and can't be retrieved. Supposedly the system just uses a template, a mere string of zeros and ones (as if, in the digital world, there is much more than that…)

It turns out a Canadian researcher has shown that in the case of face recognition templates a fairly high-quality image of a person can be automatically regenerated from templates. The images calculated using the procedure are of sufficient quality to give a good visual impression of the person's characteristics. This work reinforces the conclusions drawn earlier by an Australian researcher, who was able to construct fingerprint images from fingerprint templates.

Guess what? Rahodeb is not his “real” name

A riveting “natural” story of pseudonymity has risen to prime time in America's financial press – partly because government prosecutors have entered the fray. We're not talking here about a teenager, novelist, or garret inhabitant. This involves a corporate executive – John P. Mackey, co-founder of Whole Foods Market, who we have just found out goes by the name of “Rahodeb”.

Introduction

This blog is about building a multi-centered system of digital identity that its users control.  All kinds of things pass themselves off as “digital identity”, so I want to start by pruning enough trees that we can see a forest.

Basic ideas

In these pages, I'll make it clear that digital identity can't be confused with “a unique identifier” like an SSN or a biometric like DNA.  In fact, digital identity can often just convey that you are a member of some group, or possess some characteristic (for example, your profession, employer, citizenship, role or age).  Similarly, it can indicate that you are the same person who visited a site previously – without conveying any personally identifying information.

In other words, digital identity has a complex relationship with flesh-and-blood identity, which I'll call natural identity. Sometimes we want digital identity to correspond to natural identity, and sometimes we want the two to be isolated, or the knowledge of the connection to be highly controlled. This has become necessary because the digital world has its own “physics” that is quite different from that of the natural world. Here space becomes more or less irrelevant and isolation very difficult to achieve, while “now” extends through great slices of time. The result is not only that our friends and loved ones are closer: so is every actor, good and bad, and every monitoring device in the world.

This leads us to conclude that digital identity must embrace both being public and being private. It must provide both anonymity and pseudonymity. It always exists in a context, and we expect the context to have the same degree of separation we are used to in the natural world, even though space and time no longer serve as insulation.

I'm interested in history and philosophy, and realize philosophers have had much to say about identity, but don't discuss these issues on this blog.  I stick to matters of technology, with the express goal of creating a digital world in which none of the richness of our natural world is lost, so that everything that can be expressed there can be expressed digitally.

A matter of urgency

The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet.

As a result, I have undertaken a project to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts, expressed as the Laws of Identity. Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires.  They also provide a way for people new to the identity discussion to understand its central issues.  This lets them actively join in, rather than everyone having to restart the whole discussion from scratch.

Those of us who work on or with identity systems need to obey the Laws of Identity. Otherwise, we create a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flout the law of gravity. By following the Laws we can build a unifying identity metasystem that is widely accepted and enduring.

Reading these Laws will give you the introduction you need to understand the rest of this site. They are available in five formats:

Browser version
Printable PDF
Word
DIDW PowerPoint

If you can't read the paper, you can look at the laws in point form – as long as you promise to remember that you won't understand what I'm saying without returning to the paper when you have time.