The voting so far

The people working on a Social Network Users’ Bill of Rights have done another interesting eThing:  rather than requiring people to express support or rejection holus-bolus they've decided to let us vote on the individual rights proposed.  Further, Jon Pincus has shared the early results on his Liminal States blog.  He writes:

The SXSW panel got a decent amount of attention, including article by Helen A. S. Popkin’s Vote on your ‘Social Network Users’ Bill of Rights’ on MSNBC’s Technolog, Kim Cameron’s post on the Identity Weblog, and a brief link from Mark Sullivan of PC World. Here’s the voting so far

  1. 41 yes 0 no Honesty: Honor your privacy policy and terms of service
  2. 41 yes 0 no Clarity: Make sure that policies, terms of service, and settings are easy to find and understand
  3. 41 yes 0 no Freedom of speech: Do not delete or modify my data without a clear policy and justification
  4. 33 yes 4 no Empowerment : Support assistive technologies and universal accessibility
  5. 35 yes 2 no Self-protection: Support privacy-enhancing technologies
  6. 37 yes 3 no Data minimization: Minimize the information I am required to provide and share with others
  7. 39 yes 1 no Control: Let me control my data, and don’t facilitate sharing it unless I agree first
  8. 39 yes 1 no Predictability: Obtain my prior consent before significantly changing who can see my data.
  9. 38 yes 0 no Data portability: Make it easy for me to obtain a copy of my data
  10. 39 yes 0 no Protection: Treat my data as securely as your own confidential data unless I choose to share it, and notify me if it is compromised
  11. 36 yes 2 no Right to know: Show me how you are using my data and allow me to see who and what has access to it.
  12. 24 yes 13 no Right to self-define: Let me create more than one identity and use pseudonyms. Do not link them without my permission.
  13. 35 yes 1 no Right to appeal: Allow me to appeal punitive actions
  14. 37 yes 1 no Right to withdraw: Allow me to delete my account, and remove my data

So it’s in general overwhelmingly positive: five rights are unanimous, and another eight at 89% or higher.  The one exception: the right to self-define, currently at about 65%.  As I said in a comment on the earlier thread, this right is vital for people like whistleblowers, domestic violence victims, political dissidents, closeted LGBTQs.   I wonder whether the large minority of people who don’t think it matters are thinking about it from those perspectives.

The voting continues at http://SNUBillOfRights.com.  Please voice your opinion!

The voting on individual rights is still light.  Right 12 clearly stands out as one which needs discussion.

I expect most people just take a quick look at the bill as a whole, say “Yeah, that makes sense” and move on.  The “pro” and “against” pages at facebook ran about 500 to 1 in favor of the Bill when I looked a few days ago.  In this sense the Bill is certainly right on track. 

But the individual rights need to be examined very carefully by at least some of us.  I'll return to Jon's comments on right 12 when I can make some time to set out my ideas.

Social Network Users’ Bill of Rights

The  “Social Network Users’ Bill of Rights” panel at the South by Southwest Interactive (SXSW) conference last Friday had something that most panels lack:  an outcome.  The goal was to get the SXSWi community to cast their votes and help to shape a bill of rights that would reflect the participation of many thousands of people using the social networks.

The idea of getting broad communities to vote on this is pretty interesting.  Panelist Lisa Borodkin wrote:

There is no good way currently of collecting hard, empirical, quantitative data about the preferences of a large number of social network users. There is a need to have user input into the formation of social norms, because courts interpreting values such as “expectations of privacy” often look to social network sites policies and practices.

Where did the Bill of Rights come from?  The document was written collaboratively over four days at last year's Computers, Freedom and Privacy Conference and since the final version was published has been collecting votes through pages like this one.  Voting is open until June 15, 2011 – the “anniversary of the date the U.S. government asked Twitter to delay its scheduled server maintenance as a critical communication tool for use in the 2009 Iran elections”.  And guess what?  That date also coincides with this year's Computers, Freedom and Privacy Conference.

The Bill – admirably straightforward and aimed at real people – reads as follows:

We the users expect social network sites to provide us the following rights in their Terms of Service, Privacy Policies, and implementations of their system:

  1. Honesty: Honor your privacy policy and terms of service
  2. Clarity: Make sure that policies, terms of service, and settings are easy to find and understand
  3. Freedom of speech: Do not delete or modify my data without a clear policy and justification
  4. Empowerment : Support assistive technologies and universal accessibility
  5. Self-protection: Support privacy-enhancing technologies
  6. Data minimization: Minimize the information I am required to provide and share with others
  7. Control: Let me control my data, and don’t facilitate sharing it unless I agree first
  8. Predictability: Obtain my prior consent before significantly changing who can see my data.
  9. Data portability: Make it easy for me to obtain a copy of my data
  10. Protection: Treat my data as securely as your own confidential data unless I choose to share it, and notify me if it is compromised
  11. Right to know: Show me how you are using my data and allow me to see who and what has access to it.
  12. Right to self-define: Let me create more than one identity and use pseudonyms. Do not link them without my permission.
  13. Right to appeal: Allow me to appeal punitive actions
  14. Right to withdraw: Allow me to delete my account, and remove my data

It will be interesting to see whether social networking sites engage with this initiative.  Sixestate reported some time ago that Facebook objected to requiring support for pseudonyms. 

While I support all other aspects of the Bill, I too think it is a mistake to mandate that ALL communities MUST support pseudonymity or be in violation of the Bill…  In all other respects, the Bill is consistent with the Laws of Identity.  However the Laws envisaged a continuum of approaches to identification, and argued that all have their place for different purposes.  I think this is much closer to the mark and Right 12 should be amended.  The fundamental point is that we must have the RIGHT to form and participate in communities that DO choose to support pseudonymity.  This doesn't mean we ONLY have the right to participate in such communities.

Where do the organizers want to go next? Jon Pincus writes:

Here’s a few ideas:

  • get social network sites to adopt the concept of a Bill of Rights for their users and as many of the individual rights as they’re comfortable with.   Some of the specific rights are contentious  — for example, Facebook objected to in their response last summer.  But more positively, Facebook’s current “user rights and responsibilities” document already covers many of these rights, and it would be great to have even partial support from them.  And sites like Twitter, tribe.net, and emerging companies that are trying to emphasize different values may be willing to go even farther.
  • work with politicians in the US and elsewhere who are looking at protecting online, and encourage them to adopt the bill of rights framework and our specific language.  There’s a bit of “carrot and stick” combining this and the previous bullet: the threat of legislation is great both for encouraging self-regulation and getting startups to look for a potential future strategic advantage by adopting strong user rights from the beginning.
  • encourage broad participation to highlight where there’s consensus.  Currently, there are a couple of ways to weigh in: the Social Network Users’ Bill of Rights site allows you to vote on the individual rights, and you can also vote for or against the entire bill via Twitter.  It would be great to have additional voting on other social network sites like Facebook, MySpace, Reddit to give the citizens of those “countries” a voice.
  • collaborate with with groups like the Global Network Initiative, the Internet Rights and Principles Coalition, the Social Charter, and the Association for Progressive Communications that support similar principles
  • follow Gabrielle Pohl’s lead and translate into multiple languages to build awareness globally.
  • take a more active approach with media outreach to call more attention to the campaign.  #privchat, the weekly Twitter chat sponsored by Center for Democracy and Technology and Privacy Camp, is natural hub for the discussion.

Meanwhile, here are some ways you can express your views:

 

Touch2Id Testimonials

Last summer I wrote about the British outfit called touch2id.  They had developed a system that sounded pretty horrible when I first heard about it – a scheme to control underage drinking by using peoples’ fingerprints rather than getting them to present identity cards.  I assumed it would be another of the hair-brained biometric schemes I had come across in the past – like this one, or this, or these.

But no.  The approach was completely different.  Not only was the system popular with its early adopters, but its developers had really thought through the privacy issues.   There was no database of fingerprints, no record linking a fingerprint to a natural person.  The system was truly one of “minimal disclosure” and privacy by design:

  • To register, people presented their ID documents and, once verified, a template of their fingerprint was stored on a Touch2Id card that was immediately given to them.  The fingerprint was NOT stored in a database
  • When people with the cards wanted to have a drink, they would wave their card over a machine similar to a credit card reader, and press their finger on the machine.  If their finger matched the template on their card, the light came on indicating they were of drinking age and they could be served.

A single claim:  “Able to drink“.  Here we had well designed technology offering an experience that the people using it liked way better than the current “carding” process – and which was much more protective of their privacy.  “Privacy by design” was delivering tangible benefits.  Merchants didn’t have to worry about making mistakes.  Young people didn’t have to worry about being discriminated against (or being embarassed) just because they “looked young” or got a haircut.  No identifying information was being released to the merchants.  No name, age or photo was stored on the cards.  The movements of young people were not tracked.  And so on.

Today touch2id published Testemonials – an impressive summary of their project consisting of reviews by individuals involved.  It is clear that those who liked it loved it.  It would be interesting to find out to what extent these rave reviews are typical of those who tried the system.  

At any rate, it's instructive to compare the positive outcome of this pilot with all the biometric proposals that have crashed onto the shoals of privacy invasion.

ZIP ruled personally identifying in California

From CNN this surprising story:

California's high court ruled Thursday that retailers don't have the right to ask customers for their ZIP code while completing credit card transactions, saying that doing so violates a cardholders’ right to protect his or her personal information.

Many retailers in California and nationwide now ask people to give their ZIP code, punching in that information and recording it. Yet California Supreme Court's seven justices unanimously determined that this practice goes too far.

The ruling, penned by Justice Carlos Moreno, overrules earlier decisions by trial and appeals courts in California. It points to a 1971 state law that prohibits businesses from asking credit cardholders for “personal identification information” that could be used to track them down.

While a ZIP code isn't a full address, the court's judgment states that asking for it — and piecing that 5-digit number together with other information, like a cardholder's name — “would permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly, (therefore) ‘end-running'” the intent of California state laws.

“The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction,” the decision states. “We hold that personal identification information … includes the cardholder's ZIP code.”

Bill Dombrowski, president of the California Retailers Association, said it is “ironic” that a practice aimed partly at protecting consumers from fraud is being taken away.

“We think it's a terrible decision because it dramatically expands what personal information is, by including a ZIP code as part of an address,” Dombrowski said. “We are surprised by it.”

The court decision applies only in California, though it reflects a practice that is increasingly common elsewhere. It does not specify how or if all businesses that take credit cards, such as gas stations, would be affected — though it does state that its objection is not over a retailer seeing a person's ZIP code, but rather recording and using it for marketing purposes.

The discussion began with a June 2008 class-action lawsuit filed initially by Jessica Pineda against home retailer Williams-Sonoma.

In her suit, Pineda claimed that a cashier had asked for her ZIP code during a purchase — information that was recorded and later used, along with her name, to figure out her home address. Williams-Sonoma did this tapping a database that it uses to market products to customers and sell its compiled consumer information to other businesses.

Pineda contended the practice of asking for ZIP codes violates a person's right to privacy, made illegal use of her personal information and gave a retailer, like Williams-Sonoma, an unfair competitive advantage.

Williams-Sonoma claimed that a ZIP code doesn't constitute “personal identification information,” as stated in the 1971 state law.

The state supreme court ruling, only addressing the “identification information” issue, determined that a ZIP code should be protected, since the law specifically mentions protecting a cardholder's address. The court concluded requesting a ZIP code is not much different than asking for a phone number or home address.

It is not illegal in California for a retailer to see a person's ZIP code or address, the ruling notes: For instance, one can request a customer's driver's license to verify his or her identity. What makes it wrong is when a business records that information, according to the ruling, especially when the practice is “unnecessary to the sales transaction.”

In reversing the Court of Appeals judgment, the supreme court remanded the case back to a lower court to order specific changes and policies “consistent with this decision.”

The important thing here is that the Court understood a very nuanced technical point: although the ZIP is not in itself personally identifying, when used with other information such as name, the ZIP becomes personally identifying.  Understanding the privacy implications of such information combinations is key. I think there is much wisdom in the Court recognizing that this is a defining issue.

In terms of industry reaction, the notion that recording our ZIP protects us is totally ludicrous and shows to what extent we are in need of stronger privacy-protecting identity solutions like U-Prove. The logic of the California Retailers Association is pathetically convoluted – will someone please give these people a consultant for Christmas?

My thanks to Craig Wittenberg for the heads up on this story. He saw it as a sign that minimal disclosure laws already exist in the US…

That's an interesting idea. One way or the other, it is extremely important to get harmonization on this kind of question across business jurisdictions.  Looking at cases like this one, I have a feeling harmonization might possibly take “quite a while” to achieve…

The Clay Feet of Giants?

Over at Craig Burton, the marketing guru who put Netware on the map and later formed the Burton Group with Jamie Lewis lets loose with a passionate fury that couldn't care less about who has deployed what:

It’s been a week since Microsoft announced that it was never going to release the next version of CardSpace. The laughable part of the announcement is the title “Beyond Windows CardSpace” which would leave you to believe that Microsoft has somehow come up with a better architecture.

In fact Microsoft announced its discontinued development of CardSpace with absolutely no alternative.

Just further evidence of just how irrelevant Microsoft has become.

The news that Microsoft had abandoned CardSpace development is not news to those of us who watch this space, Microsoft hasn’t done Jack with CardSpace for over two years.

It’s just that for some reason Microsoft PR decided to announce the matter. Probably so the U-Prove group could get more press.

Well, that's a bit harsh. Identity selectors like CardSpace only make sense in the context of the other components of the Identity Metasystem – and Microsoft has done a lot over the last two years to deliver those components to customers who are doing successful deployments on a massive scale all over the world.  I don't think that's irrelevant, Craig.

Beyond that, I think Craig should look more closely at what the U-Prove agent actually does (I'll help by putting up a video). As I said here, the U-Prove agent doesn't do what CardSpace did. And the problems CardSpace addressed DO remain tremendously important.  But while more tightly scoped, for the crucial scenario of sensitive claims that are privacy protected the U-Prove agent does go beyond CardSpace.  Further, protecting privacy within the Identity Metasystem will turn out, historically, to be absolutely relevant.  So let's not hit on U-Prove.

Instead, let's tune in to Craig's “Little History” of the Identity Metasystem:

In early 2006, Kim Cameron rolled out the Laws of Identity in his blog. Over next few months as he rolled out each law, the impact of this powerful vision culminating in the release of the CardSpace architecture and Microsoft’s licensing policy rocked the identity community.

Two years earlier Microsoft was handed its head when it tried to shove the Passport identity initiative down our throats.

Kim Cameron turned around and proposed and delivered an Identity Metasystem—based on CardSpace—that has no peer. Thus the Identity Metasystem is the industry initiative to create open selector-based digital identity framework. CardSpace is Microsoft’s instantiation of that Metasystem. The Pamela Project, XMLDAP, Higgins Project, the Bandit Project, and openinfocard are all instantiations in various stages of single and multiple vendor versions of the Identity Metasystem.

Let me clear. The Identity Metasystem has no peer.

Anything less than a open identity selector system for claims-based digital identity is simply a step backwards from the Identity Metasystem.

Thus SAML, OpenID, OAuth, Facebook Connect and so on are useful, but are giant steps back in time and design when compared to the Identity Metasystem.

I agree that the Identity Metasystem is as important as Craig describes it, and that to reach its potential it MUST have user agents. I further agree that the identity selector is the key component for making the system user centric. But I also think adoption is, ah, essential… We need to work out a kink or two or three. This is a hard problem and what we've done so far hasn't worked.

Be this as it may, back at Craig's site he marches on in rare form, dissecting Vendor Speak as he goes.  Mustering more than a few thrusts and parries (I have elided the juicier ones), he concludes:

This means there is an opening for someone or some group with a bit of vision and leadership to take up the task…

But mark my words, we WILL have a selector-based identity layer for the Internet in the future. All Internet devices will have a selector or a selector proxy for digital identity purposes.

I'm glad to finally see this reference to actual adoption, and now am just waiting for more discussion about how we could actually evolve our proposals to get this to happen.

 

A “change in user behavior”

Farhang Kassaei is lead architect for platform and systems at eBay Inc and blogs at Software For All Seasons.  He makes a great point about one key factor that blocked CardSpace deployment:

Having worked on a authentication concept with MSFT for eBay sellers, I had mixed feelings about this [Microsoft's decision not to ship CardSpace 2.0 – Kim]. On one hand I was on the record not supporting the use of CardSpace for eBay sellers (or buyer). On the other hand I am concerned that technical community discounts the significance of Claim Based identity altogether and concludes that “FaceBook Conncet” is all we'll ever need.

There is a good reflection (from an insider's point of view) on Card Space here. (courtesy Gunnar Peterson)   My personal view (and the reason I didn't support the adoption of Card Space at eBay) though centers around the challenges of “Change of Behavior” required by Card Space.

Basically, CardSpace failed b/c it requied uses to change their behavior. See, the “User name and password” protocol (a simple challenge and response) IS a protocol, one where a human being (a normal user) is a participant in. It has taken about 20-30 years (depending on how you count) to train users what to do when they see a “login panel” , the “login panel” contract is so widely understood that despite all of its short coming is the most viable remote authentication protocol we have today. It is flawed, it is costly, it is not secure, but it is a widely understood by users on the other end of the protocol. CardSpace, despite all its advantages, was not understood, would (and did) make people confused, they did not know what to do when the CardSpace screen popped up … a technology whose adoption depends on change of a strongly learned behavior is unlikely to succeed (or at least I didn't think eBay sellers – not the early adopters of technology – would learn and accept it).

It also didn't help that a lot of browsers didn't support it (installing a plug-in does not count), and the fact that developers didn't know how to issue cards (or validate, update or revoke them).

Having said that, I did like the idea of decentralized identity provider and not having any one identity provider to be THE identity provider that everyone else had to rely on (putting user in control of their own identity). Compare this with a world where one identity provider (be it facebook or Google or twitter or anyone else) is the dominant identity provider because it is easy for RPs to embed a simple button  and for users to click on it.

Reading Farhang's post, here's what I find most interesting.  It was never that users decided they didn't want “a change of behavior” around passwords.  Instead it was web properties like eBay (and a thousand others) who came to this conclusion.  Many of the people designing those properties worried that providing users the option of changing their behavior was too dangerous – especially since it was not essential… 

In the history of computing there have actually been plenty of cases where users DID change their behavior – even though at first only a few people could understand or use the new alternatives.  But those “early adopters” were able to try the new inventions on their own.  They didn't need anyone else to approve something or decide they would like it first.  Once convinced, they could show the new ideas to others.

When Visicalc appeared, I don't know how many people in IT would have bet that every accountant in the world would soon be throwing out his pencils and starting to use spreadsheets for things no one can even now believe are possible!  The same is true for a thousand other applications people came to love. 

But because authentication doesn't stand on its own, users never got the chance to start using Information Cards “just because they felt like it”.  They needed web sites to make the same bet they did by implementing Information Card support as an option.  

Web sites didn't want to bet.  They wanted to keep to “the matter at hand” and prevent their users from getting lost or distracted.  The result: a preemptive chill settled over the technology, and we never really got to see what users would make of it.

My conclusion:  regardless of what new features they support, user centric identity solutions need to be built so they work with as many existing web sites as possible.  They can't require buy-in from the all the big web sites in order to be useful. 

I think we should have included a way for Information Cards to support password-based sites.  It was possible.  I personally avoided it because I was worried it would be unreliable and not work at all sites.

Yet a lot of password managers do this, and Dick Hardt's SXIP system combined this approach with support for new protocols.  I think that aspect of his work was probably right.

 

Change will come: the present is untenable.

Gunnar Peterson at 1 Raindrop adds his own thoughts about CardSpace and Claims:

The official announcements from Microsoft on Cardspace have led to a lot of reflection in the identity community. From the core team, Mike Jones described what he considered some of the important barriers:

  • Not solving an immediate perceived problem: In my extensive experience talking with potential adopters, while many/most thought that CardSpace was a good idea, because they didn’t see it solving a top-5 pain point that they were facing at that moment or providing immediate compelling value, they never actually allocated resources to do the adoption at their site.
  • Not drop-dead simple to use: Users were often confused by their first encounter with CardSpace; many didn’t succeed at the task at hand. Indeed, many saw it as something complicated getting in the way of what they were actually there to do.

The first of these issues is one I am always trying to be cognizant of. From the 90s, a Bill Joy quote that stuck with me was when he described why JINI never took off – “we were solving problems that people did not know they had yet.” Its an every day occurrence to manage this reality-perception gap in infosec both from a business risk standpoint; as well as given the myriad of architectural opportunities for improvement (aka problems) which ones and where do you want to invest your time in strengthening your systems?

But from an industry perspective, there is a positive way to look at Bill Joy's quote – the word “yet.” Just a few years after JINI failed to launch, Web services took off like gangbusters and there is no end in sight.

As Howard Marks says in investing, sometimes being early is indistinguishable from being wrong, but that is a temporary thing, and a longer term view is in order. Jeremy Grantham (GMO) got out of tech stocks in the 90s bubble, his clients thought he was crazy and he lost half his business. Grantham called this taking career risk.

Another great value investor, Jean Marie Eveillard said about this episode – I would rather lose half my clients than lose half my client's money.

Everyone could see the tech bubble was out of control in the 1990s but very few investment managers were willing to take the career risk to themselves to protect their client's assets. 

Today everyone can see that our Internet identity technology is woefully inadequate, but very few are willing to push through comprehensive approaches towards addressing them.

Being early is not necessarily being wrong, but when coupled with a new usage paradigm, its more problematic. Farhang Kassaei discussed what the view looked like from the point of a consuming company looking to develop on Cardspace.

The Cardspace team has many talented people and freely published more in depth thinking on identity than anyone else in the industry. These lessons won't be forgotten and the future for Claims based access control is bright, in fact its just beginning. We may look back in a few years time and think of Cardspace like JINI and see tidal wave stack of CBAC/ABAC/Selectors/U-Prove that powered up huge new parts othe industry the same way Web services played out.

In fact I bet that we do. 

What's the other option? Living with a ridiculous patchwork approach to identity?

No one writes there own crypto, security people are good at getting this message across – but what do you bootstrap your crypto off of? Identity! And people write identity, authN, authZ, provisioning, from scratch all the time – where is the logic? 

Gunnar continues with an interesting reference to the behavioral economist Dan Ariely before concluding:

There is too much fraud, crime, malfeasance and threats to keep rolling out the same old same old identity. Change will come if for no other reason than the present is untenable.

Cardspace was like the first Marines trying to take the beach and some got cut down, but much has been learned in the process and the beach has to be taken; there are waves of identity and access improvement coming right now.

Rest in Peace Cardspace. Long Live Claims Based Access Control!

From CardSpace to Verified Claims

Last week Microsoft announced the availability of Version 2 of the U-Prove Technology Preview.

What’s new about it?

The most important thing is that it offers a new, web-oriented user experience carefully tailored to helping people control the release of “verified claims” while protecting their privacy.  By verified claims I mean things that are said about them as flesh-and-blood people by entities that can speak, at least in certain contexts, with authority. By protecting privacy I mean keeping information released to the minimum necessary, and ensuring that the authority making the claims – for example a government – is not able to track and profile the way your information is used.

The system takes a number of the good ideas from CardSpace but is also informed by what CardSpace didn’t do well. It doesn’t require the installation of new components on your computer. It works on all the major browsers and phones. It roams between devices. Sites don't have to worry about users “getting a card” before the system will work. And it allows claims providers and relying parties to shape and brand their users’ experiences while still providing a consistent interface for claims approval.

In other words, it represents a big step forward for protecting privacy using high value credentials to release claims.

A focused approach

When it comes to verified claims, the “U-Prove Agent” goes beyond CardSpace.  One way it does this is by being highly focused and integrated into a specific type of identity experience. I’ll be posting a video soon that will help you get a concrete sense of why this works.

That focus represents a change from what we tried to do with CardSpace.   One of the key goals of CardSpace was to provide a “generalized solution” – an alternative to the “patchwork quilt” of what I called “identity kludges” that characterize peoples’ experience of identity on the Internet.

In fact I still believe as much as ever that a “generalized solution” would be nice to have. I would even go so far as to say that a generalized solution is inevitable – at some point in time.

But the current chaos is so vast – and peoples’ thinking about it so fractured – that the only prudent practical approach is to carve the problem into smaller pieces. If we can make progress in some of the pieces we can tie that progress together. The U-Prove Agent for exchange of verified claims is a good example of this, making it possible to offer services that would otherwise be impossible because of privacy problems.

What about CardSpace?

Because of its focus, the U-Prove agent isn’t capable of doing everything that CardSpace attempted to do using Information Cards.

It doesn’t address the problem of helping users manage ALL their identities while keeping them separate. It doesn’t address the user problems of password fatigue, phishing and pervasive “secret questions” when logging into consumer web sites.  It doesn’t solve the famous “home realm discovery problem” when using federation. And perhaps most frustrating when it comes to using devices like phones, it doesn’t give the user a simple way to pick their identities from a set of visual representations (icons or cards).

These issues are all more pressing today than they were in 2006 when CardSpace was first proposed. Yet one thing is clear: in five years of intensive work and great cross-industry collaboration with other innovators working on Apple and Linux computers and phones, we weren’t able to get Information Cards onto the radar of the big web properties users depend on.

Those properties had other priorities. My friend Mike Jones put it well at Self-Issued:

“In my extensive experience talking with potential adopters, while many/most thought that CardSpace was a good idea, because they didn’t see it solving a top-5 pain point that they were facing at that moment or providing immediate compelling value, they never actually allocated resources to do the adoption at their site.”

Regardless of why this was the case, it explains why last week Microsoft also announced that it will not be shipping CardSpace 2.0.

In my personal view, we all certainly need to keep working on the problems Information Cards address, and many of the concepts and technologies used in Information Cards should be retained and evolved. I think the U-Prove team has done a good job at that, and provides an example of how we can move forward to solve specific problems. Now the question is how to do so with the other aspects of user-centric identity.

Over the next while I’m going to do a series of posts that explore some of these issues further – drawing some lessons from what we’ve learned over the last few years.  Most of all, it is important to remember what great progress we’ve made as an industry around the Identity Metasystem, federation technology, and claims-based computing. The CardSpace identity selector dealt with the hardest and most forward-looking problems of the Metasystem:  the privacy, security and usability problems that will emerge as federated identity becomes a key component of the Internet.  It also challenged industry with an approach that was truly user centric.

It's no surprise that it is hardest to get consensus on forward-looking technologies!  But meanwhile,  the very success of the Identity Metasystem as a whole will cause all the issues we’ve been working on with Information Cards to return larger than life.

 

A Privacy Bill of Rights proposed for the US

The continuing deterioration of privacy and multi-party security due to short-sighted and unsustainable practices within our industry has begun to have the inevitable result, as reported by this article in the New York TImes.

A Commerce Department task force called for the creation of a ‘Privacy Bill of Rights’ for online consumers and the establishment of an office within the department that would work to strengthen privacy policies in the United States and coordinate initiatives with other countries.

The department’s Internet Policy Task Force, in a report released on Thursday, said the “Privacy Bill of Rights” would increase transparency on how user information was collected online, place limits on the use of consumer data by companies and promote the use of audits and other forms of enforcement to increase accountability.

The new protections would expand on the framework of Fair Information Practice Principles that address data security, notice and choice — or the privacy policies many users agree to on Web sites — and rights to obtaining information on the Internet.

The simple concept of notice and choice is not adequate as a basis for privacy protections,” said Daniel J. Weitzner, the associate administrator for the office of policy analysis and development at the Commerce Department’s National Telecommunications and Information Administration [emphasis mine – Kim].

The article makes the connection to the Federal Trade Commission's “Do Not Track” proposal:

The F.T.C., in its report on online privacy this month, also called for improvements to the practice principles, but focused on installing a “do not track” mechanism that would allow computer users to opt out of having their information collected surreptitiously by third-party companies.

That recommendation caused concern in the online advertising industry, which has said that such a mechanism would hamper the industry’s growth and could potentially limit users’ access to free content online.

[The prospect of an online advertising industry deprived of its ability to surreptitiously collect information on us causes tears to well in my eyes.  I can't continue!  I need a Kleenex!]

The proposed Privacy Policy Office would work with the administration, the F.T.C. and other agencies on issues surrounding international and commercial data privacy issues but would not have enforcement authority.

“America needs a robust privacy framework that preserves consumer trust in the evolving Internet economy while ensuring the Web remains a platform for innovation, jobs and economic growth,” the commerce secretary, Gary F. Locke, said in a statement. “Self-regulation without stronger enforcement is not enough. Consumers must trust the Internet in order for businesses to succeed online.”

All of this is, in my view, just an initial reaction to behaviors that are seriously out of control.  As information leakage goes, the surreptitious collection of information” to which the NYT refers is done at a scale that dwarfs Wiki Leaks, even if the subjects of the information are mere citizens rather than lofty officials of government.

I will personally be delighted when it is enshrined in law that a company can no longer get you to click on a privacy policy like this one and claim it is consent to sell your location to anyone it pleases.

Gov2.0 and Facebook ‘Like’ Buttons

I couldn't agree more with the points made by identity architect James Brown in a very disturbing piece he has posted at The Other James Brown

James explains how the omnipresent Facebook  widget works as a tracking mechanism:  if you are a Facebook subscriber, then whenever you open a page showing the widget, your visit is reported to Facebook.

You don't have to do anything whatsoever – or click the widget – to trigger this report.  It is automatic.  Nor are we talking here about anonymized information or simple IP address collection.  The report contains your Facebook identity information as well as the URL of the page you are looking at.

If you are familiar with the way advertising beacons operate, your first reaction might be to roll your eyes and yawn.  After all, tracking beacons are all over the place and we've known about them for years.

But until recently, government web sites – or private web sites treating sensitive information of any kind – wouldn't be caught dead using tracking beacons. 

What has changed?  Governments want to piggyback on the reach of social networks, and show they embrace technology evolution.  But do they have procedures in place that ensure that the mechanisms they adopt are actually safe?  Probably not, if the growing use of the Facebook ‘Like’ button on these sites demonstrates.  I doubt those who inserted the widgets have any idea about how the underlying technology works – or the time or background to evaluate it in depth.  The result is a really serious privacy violation.

Governments need to be cautious about embracing tracking technology that betrays the trust citizens put in them.  James gives us a good explanation of the problem with Facebook widgets.  But other equally disturbing threats exist.  For example, should governments be developing iPhone applications when to use them, citizens must agree that Apple has the right to reveal their phone's identifier and location to anyone for any purpose?    

In my view, data protection authorities are going to have to look hard at emerging technologies and develop guidelines on whether government departments can embrace technologies that endanger the privacy of citizens.

Let's turn now to the details of James’ explanation.  He writes:

I am all for Gov2.0.  I think that it can genuinely make a difference and help bring public sector organisations and people closer together and give them new ways of working.  However, with it comes responsibility, the public sector needs to understand what it is signing its users up for.image

In my post Insurers use social networking sites to identify risky clients last week I mentioned that NHS Choices was using a Facebook ‘Like’ button on its pages and this potentially allows Facebook to track what its users were doing on the site.  I have been reading a couple of posts on ‘Mischa’s ramblings on the interweb’ who unearthed this issue here and here and digging into this a bit further to see for myself, and to be honest I really did not realise how invasive these social widgets can be.

Many services that government and public sector organisations offer are sensitive and personal. When browsing through public sector web portals I do not expect that other organisations are going to be able to track my visit – especially organisations such as Facebook which I use to interact with friends, family and colleagues.

This issue has now been raised by Tom Watson MP, and the response from the Department of Health on this issue of Facebook is:

“Facebook capturing data from sites like NHS Choices is a result of Facebook’s own system. When users sign up to Facebook they agree Facebook can gather information on their web use. NHS Choices privacy policy, which is on the homepage of the site, makes this clear.”

“We advise that people log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer.”

I think this response is wrong on a number of different levels.  Firstly at a personal level, when I browse the UK National Health Service web portal to read about health conditions I do not expect them to allow other companies to track that visit; I don't really care what anybody's privacy policy states, I don't expect the NHS to allow Facebook to track my browsing habits on the NHS web site.

Secondly, I would suggest that the statement “Facebook capturing data from sites like NHS Choices is a result of Facebook’s own system” is wrong.  Facebook being able to capture data from sites like NHS Choices is a result of NHS Choices adding Facebook's functionality to their site.

Finally, I don't believe that the “We advise that people log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer.” is technically correct.

(Sorry to non-technical users but it is about to a bit techy…)

I created a clean Virtual Machine and installed HTTPWatch so I could see the traffic in my browser when I load an NHS Choices page.  This machine has never been to Facebook, and definitely never logged into it.  When I visit the NHS Choices page on bowel cancer the following call is made to Facebook:

http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.nhs.uk%2fconditions%2fcancer-of-the-colon-rectum-or-bowel%2fpages%2fintroduction.aspx&layout=button_count&show_faces=true&width=450&action=like&colorscheme=light&height=21

 

AnonFacebook

So Facebook knows someone has gone to the above page, but does not know who.

 

Now go Facebook and log-in without ticking the ‘Keep logged in’ checkbox and the following cookie is deposited on my machine with the following 2 fields in it: (added xxxxxxxx to mask the my unique id)

  • datr: s07-TP6GxxxxxxxxkOOWvveg
  • lu: RgfhxpMiJ4xxxxxxxxWqW9lQ

If I now close my browser and go back to Facebook, it does not log me in – but it knows who I am as my email address is pre-filled.

 

Now head over back to http://www.nhs.uk/conditions/cancer-of-the-colon-rectum-or-bowel/pages/introduction.aspx and when the Facebook page is contacted the cookie is sent to them with the data:

  • datr: s07-TP6GxxxxxxxxkOOWvveg
  • lu: RgfhxpMiJ4xxxxxxxxWqW9lQ

FacebookNotLoggedIn

 

So even if I am not logged into Facebook, and even if I do not click on the ‘Like’ button, the NHS Choices site is allowing Facebook to track me.

Sorry, I don't think that is acceptable.

[Update:  I originally misread James’ posting as saying the “keep me logged in” checkbox on the Facebook login page was a factor in enabling tracking – in other words that Facebook only used permanent cookies after you ticked that box.  Unfortunately this is not the case.  I've updated my comments in light of this information.

If you have authenticated to Facebook even once, the tracking widget will continue to collect information about you as you surf the web unless you manually delete your Facebook cookies from the browser.  This design is about as invasive of your privacy as you can possibly get…]