Vittorio's new book is a must-read

If you are a programmer interested in identity, I doubt you'll find a more instructive or amusing video than this one by Vittorio Bertocci.  It's aimed at people who work in .NET and explores the Windows Identity Foundation.  I expect most programmers interested in identity will find it fascinating no matter what platform they work on, even if it just provides a point of comparison.

And that brings me to Vittorio's new book:  Programming Windows Identity Foundation.  I really only have one thing to say about it:  you are crazy to program in WIF without reading this book.  And if you're an architect rather than a coder – but still have a sense of reading code – you'll find that subjects like delegation benefit immensely from the concrete presentation Vittorio has put together.

I have to admit to being sufficiently engrossed that I had to drop everything I was doing in order to deal with some of the miniature brain-waves the book induced.  

But then, I have a soft spot for good books on programming.  I'm talking about books that have real depth but are simple and exciting because the writer has the same clarity as programmers have when they are in “programming trance”.  I used to even take a bunch of books with me when I went on vacation – it drove my mother-in-law nuts.

I'm not going to try to describe Vittorio's book – but it really hangs together, and if you're trying to do anything original or complex it will give you the depth of understanding you need to do it efficiently.  Just as important, you'll enjoy reading it.

Remembering Andreas Pfitzmann

Andreas Pfitzmann, head of the Privacy and Data Security Research group at Technische Universität Dresden, has died.  For more than 25 years he worked on privacy and multilateral security issues.  As Caspar Bowden puts it, “Andreas was the eminence grise of serious PET research in Europe, an extraordinarily decent person, and massively influential in the public policy of privacy technology in Germany and Europe.”

Those not familiar with his work should definitely read and use A terminology for talking about privacy by data minimization – a great contribution that gives us clearly defined concepts through which scientific understanding of privacy and multilateral security can move forward.

The obituary posted by Germany's Chaos Computer Club reveals his impact on a community that extended far beyond the walls of the university:

The sudden and unexpected death of Professor Andreas Pfitzmann on 23rd September 2010 leaves a huge gap in the lives of all who knew him. Through both his work and approach, Prof. Pfitzmann set measurably high standards. He was one of a small group of computer scientists who always clearly put forward his soundly based and independent opinion. In his endeavours to foster cross-discipline interaction, he proved instrumental in shaping both technical and political discourses on anonymity and privacy issues in Germany – thus ensuring him a well-deserved international reputation. He always managed to cross the boundaries of his discipline and make the impact of technology comprehensible. His contributions to research in this regard remain eloquent and courageous, and his insistence on even voicing inconvenient truths means he will remain a role model for us all.

In his passing we recognise and mourn the loss of an outstanding scientist, unique in his stance as a defender of people’s basic rights of anonymity and the administration of information pertaining to themselves – both of which are basic prerequisites for a thriving democracy. None of us will ever forget his rousing lectures and speeches, or the ways he found to nurture experimental, enquiring thought amongst an audience.

In Andreas Pfitzmann, too many of our members have lost a dear friend and long-term inspirer. Our thoughts are firmly with his family, to whom we extend our deepest and most profound condolences.

I too will miss both Andreas Pfitzmann and the great clarity he brought to any conversation he participated in.

U-Prove honored by International Association of Privacy Professionals

There was great news this week about the growing support for U-Prove Minimal Disclosure technology:  it received the top award in the technology innovation category from the International Association of Privacy Professionals – the world's largest association of privacy professionals.

BALTIMORE — September 30, 2010 — Winners of the eighth annual HP-International Association of Privacy Professionals (IAPP) Privacy Innovation Awards were recognized today at the IAPP Privacy Dinner, held in conjunction with the IAPP Privacy Academy 2010.  The honorees include Symcor, Inc., Minnesota Privacy Consultants, and Microsoft Corporation.

The annual awards recognize exceptional integration of privacy and are judged from a broad field of entries. This year’s winners were selected by a panel of private and public sector privacy experts including Allen Brandt, CIPP, Corporate Counsel, Chief Privacy Official, Graduate Management Admission Council; Joanne McNabb, CIPP, CIPP/G, Chief, California Office of Privacy Protection; Susan Smith, CIPP, Americas Privacy Officer, Hewlett-Packard Company; and Florian Thoma, Chief Data Protection Officer, Siemens AG.

“On behalf of more than 7,000 privacy professionals across 50 countries, we applaud this year’s HP-IAPP Privacy Innovation Award winners,” said IAPP Executive Director Trevor Hughes.  “At a time when privacy is driving significant conversation and headlines, this year’s results show how protecting privacy and assuring organizational success go hand-in-hand.”

“HP is pleased to sponsor an award that advances privacy worldwide,” said Hewlett Packard Company Americas Privacy Officer Susan Smith.

In the Large Organization category (more than 5,000 employees), Symcor, Inc. won for its “A-integrity Process,” which is designed to manage and protect sensitive financial information that is ultimately presented to customers in the form of client statements. As the largest transactional printer in Canada, Symcor provides statement-to-payment services for some of Canada’s major financial, telecommunications, insurance, utility and payroll institutions. A-integrity established a new standard in data protection with an industry-leading error rate of less than one per million statements produced. Symcor has been improving on this rate each year.  A robust privacy incident management process was also developed to standardize error identification and resolution. Symcor’s dedicated Privacy Office provides overall governance to the process and has instilled a deep culture of privacy awareness throughout the organization.

The winner in the Small Organization category (fewer than 5,000 employees), is Minnesota Privacy Consultants (MPC). MPC helps multinational corporations and government agencies operationalize their governance of personal data. The organization won for its Privacy Maturity Model (PMM), a benchmarking tool that evaluates privacy program maturity and effectiveness. Using the Generally Accepted Privacy Principles (GAPP) framework as the basis but recognizing that the GAPP does not provide for degrees of compliance and maturity of a privacy program, MPC cross-referenced the 73 subcomponents of the GAPP framework against the six “maturity levels” of the Capability Maturity Model (CMM) developed by Carnegie Mellon University. From this, the Privacy Maturity Model (PMM) was developed to define specific criteria and weighting to various control areas based on prevailing statistics in the areas of data breaches and security enforcement actions worldwide. The Innovation Award judges recognized MPC for its successful and sophisticated approach to a very difficult problem.

Microsoft Corporation received the honor in the Technology category for “U-Prove”, a privacy-enhancing identity management technology that helps enable people to protect their identity-related information. The technology is based on advanced cryptographic protocols designed for electronic transactions and communications. It was acquired by Microsoft in 2008 and released into Proof of Concept as well as donated to the Open Source community in 2010. U-Prove technology has similar characteristics to conventionally used technologies, such as PKI certificates and SAML tokens, with additional privacy and security benefits. Through a technique of minimal disclosure, U-Prove tokens enable individuals to disclose just the information needed by applications and services, but nothing more, during online transactions. Online service providers, such as businesses and governments that are involved in transactions with individuals, cannot link or collect a profile of activities. U-Prove effectively meets the security and privacy requirements of many identity systems—most notably national e-ID schemes now being contemplated by world governments. U-Prove has already won the Kuppinger Cole prize for best innovation in European identity projects and is now this year’s recipient of the HP-IAPP Privacy Innovation Award in technology.

About the IAPP
The International Association of Privacy Professionals is the world's largest association of privacy professionals with more than 7,400 members across 50 countries. The IAPP helps to define, support and improve the privacy profession globally through networking, education and certification.  More information about the IAPP is available at www.privacyassociation.org.

Android OEMs will need to use Google Location Service

Over at Daring Fireball, John Gruber tells us about Google's approach to controlling content on Android, quoting a brief by Skyhook Wireless in the “complaint and jury demand” they filed against Google recently.

John discusses a couple of aspects of the filing, which he describes as “not long, and… written in pretty straightforward plain language, regarding Google’s control over which devices have access to the Android Market”.  In particular he calls our attention to the way Google is tying Android to its location service – the one made famous during the StreetView WiFi scandal:

23. On information and belief, Google has notified OEMs that they will need to use Google Location Service, either as a condition of the Android OS-OEM contract or as a condition of the Google Apps contract between Google and each OEM. Though Google claims the Android OS is open source, by requiring OEMs to use Google Location Service, an application that is inextricably bundled with the OS level framework, Google is effectively creating a closed system with respect to location positioning. Google’s manipulation suggests that the true purpose of Android is, or has become, to ensure that “no industry player can restrict or control the innovations of any other”, unless it is Google.

He bookends this with an ironic quote from Vic Gundotra, Google's Vice-President for Engineering:

If you believe in openness, if you believe in choice, if you believe in innovation from everyone, then welcome to Android.

If Google is actually forcing OEMs to hook their users into its world-wide location database it adds one more sinister note to the dark architecture of StreetView location services.

[Thanks to Cameron Westland for the heads up]

A confused critique of identity federation

In a recent piece at The Federal Circle, Earl Smith II, managing partner, comes out “all guns blazing” against identity federation and the “weird and wonderful” Laws of Identity.

Earl wishes he could “simplify” digital identity, rejecting identity federation as being too abstract to solve digital identity problems.  Unfortunately, his view of things mixes up architecture and the way real live systems are deployed, and he creates a straw man out of particular deployment assumptions.  The resulting explanation demonstrates that once confused about this, things can look stranger and stranger: 

All such “federated identity” models start with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline processes, reduce costs, and open up new business channels.  It’s a potent mix of supposed benefits, and yet strangely unachievable.

True, we can now enjoy the convenience of logging onto multiple blogs and social sites with an OpenID, or an unverified Twitter account.  But higher risk services like banking, e-health and government welfare stand apart, still maintaining their own identifiers and sovereign registration processes.

To my mind, the fashionable open identity approach is ironically lumbered with the same lofty ambitions that killed off traditional Big PKI.  The express aim is to create “trust frameworks” sufficient to enable business to be conducted amongst strangers.  To this end, federated identity proponents implore banks and government agencies to re-invent themselves as “Identity Providers” in accordance with the weird and wonderful Laws of Identity.

The Laws of Identity embody some powerful ideas, especially the view that when we go about our business, each of us exercises a plurality of virtual identities.  In different settings we present different identities, each standing as a proxy for a complex and bounded relationship.  We have different relationships with various entities and services: banks, government agencies, health services, employers, stores, professional associations, social networks and so on.  Each identity is context dependent, and can lose its meaning when taken out of context…

But for the most part, the Laws of Identity and the new ecosystem model are chockfull of unfamiliar abstractions.  They deconstruct identities, attributes and services, and imagine that when two parties meet for the first time with a desire to transact, they start from scratch to negotiate a set of attributes that confer mutual trust.  In practice, it is rare for parties in business to start from such a low base.  Instead, merchants assume that shoppers come with credit cards, patients assume that doctors come with medical qualifications, and banks assume that customers have accounts.  If you don’t have the right credential for the transaction at hand, then you simply can’t play (and you have to go back, out of band, and get yourself appropriately registered).

Perhaps the most distracting generalisation in the new identity ecosystem is that Service Providers, Identity Providers and Attribute Providers are all different entities.  In reality, these roles are all fulfilled simultaneously and inseparably by banks, governments, social networks and so on.

To put order into this nest of ideas, let's begin with what Earl calls “the most distracting generalization in the new ecosystem”:  that Service Providers, Identity Providers and Attribute Providers are all different entities. 

In fact, Earl, I made no such statement in the Laws of Identity or anywhere else, despite my support for an identity ecosystem.  

The Laws of Identity refers to an Identity Provider as issuing “claims”, a Relying Party as “depending on” claims, and a Subject as “presenting” claims, but makes no statement that if you do one you can't do the others.  Why?  Identity Provider, Subject and Relying Party are architectural roles.  A single entity can play any combination of those roles.  One particular combination is complete separation of the roles, but in most cases every entity plays more than one.     

For example, today's large web sites (like the MSNs, Googles and Yahoos) are composed of thousands of individual services.  Without having to be conscious of it, people log in to a site's Identity Provider service, which issues claims that are consumed by each of the composite Relying Party services that make up the site.  So the “decomposition” which Earl sees as “deconstructed unfamiliar abstractions” is, at the architectural level, a MUST in order to have large scalable sites, and this is as key to the current web as to the metasystem model, which is just standardizing and extending it.
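To make the role-versus-entity distinction concrete, here is an added example (my own illustration, not code from the Laws of Identity, the metasystem paper or any product). It is a small claims-based system in which a site's login service acts as Identity Provider for the site's own composite Relying Party services, while a bank's issuer is relied on, in a wider trust context, by a separate tax agency. The issuer and service names, the keys, the token layout and the HMAC-SHA256 signing that stands in for a real signature scheme are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example: Identity Provider (claims issuer), Relying Party (claims
# consumer) and Subject are roles, not entities. One organisation may own
# objects playing any combination of them. All names and keys are constructed.

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class ClaimsIssuer:
    """Identity Provider role: issues a signed claim set about a Subject
    for one named Relying Party (the audience)."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def issue(self, subject: str, audience: str, claims: dict, ttl: int = 300) -> str:
        body = {"iss": self.name, "sub": subject, "aud": audience,
                "exp": int(time.time()) + ttl, "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64(sig)

class RelyingParty:
    """Relying Party role: depends on claims, but only from issuers inside
    its own trust context and only when the token was minted for it."""
    def __init__(self, name: str, trusted_issuers: dict):
        self.name = name
        self.trusted_issuers = trusted_issuers  # issuer name -> verification key

    def accept(self, token: str):
        """Return the claims if the token is valid for this RP, else None."""
        try:
            payload, sig = token.split(".")
            body = json.loads(_unb64(payload))
            sig_bytes = _unb64(sig)
        except ValueError:                # malformed token, bad base64 or bad JSON
            return None
        if not isinstance(body, dict):
            return None
        iss = body.get("iss")
        key = self.trusted_issuers.get(iss) if isinstance(iss, str) else None
        if key is None:
            return None                   # issuer outside this RP's trust context
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):
            return None                   # forged or altered after issuance
        if body.get("aud") != self.name or body.get("exp", 0) < time.time():
            return None                   # minted for another RP, or expired
        return body.get("claims")

def demo() -> dict:
    """Walk through the two deployments described in the text; every value
    in the returned dict should be True."""
    # One entity, several roles: a large site's login service issues claims
    # that the site's own composite services consume.
    site_key = b"constructed-site-signing-key"
    login = ClaimsIssuer("bigsite/login", site_key)
    mail = RelyingParty("bigsite/mail", {"bigsite/login": site_key})
    photos = RelyingParty("bigsite/photos", {"bigsite/login": site_key})

    # A wider trust context: a tax agency chooses to rely on a bank's issuer.
    bank_key = b"constructed-bank-signing-key"
    bank = ClaimsIssuer("bank", bank_key)
    irs = RelyingParty("irs", {"bank": bank_key})

    mail_token = login.issue("alice", "bigsite/mail", {"display_name": "Alice"})
    bank_token = bank.issue("alice", "irs", {"age_over_18": True})

    # A token whose claims were changed after issuance: the signature no longer matches.
    payload, sig = mail_token.split(".")
    altered = json.loads(_unb64(payload))
    altered["claims"]["display_name"] = "Administrator"
    forged = _b64(json.dumps(altered, sort_keys=True).encode()) + "." + sig

    return {
        "same_entity_accepts": mail.accept(mail_token) == {"display_name": "Alice"},
        "other_service_rejects_wrong_audience": photos.accept(mail_token) is None,
        "cross_context_accepts": irs.accept(bank_token) == {"age_over_18": True},
        "untrusted_issuer_rejected": irs.accept(mail_token) is None,
        "forged_claims_rejected": mail.accept(forged) is None,
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point of the two deployments is that nothing in the code distinguishes "the same company" from "a different company": what decides whether a claim is accepted is the Relying Party's trust list and the audience the issuer minted the token for. Widening the trust context, as in the bank-to-tax-agency case, is a configuration decision, not an architectural change.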

I refer Earl and others to the User-Centric Identity Metasystem paper for more details.  Section 6.2 states:

6.2 ACTORS PARTICIPATING IN THE METASYSTEM

The actors participating in the Identity Metasystem can be classified by role, taking into consideration that any individual actor or set of actors can play multiple roles (both at the same time and at different times).

(6.2 goes on to define roles such as Subject, Claims Issuer, Relying Party, etc).

That paper is not simple-minded in its presentation, but its goal is to lay out a model for precisely understanding the way identity systems actually work and can work in the future, not to do mass pedagogy.  People using Facebook or Google or Windows Live never think about the decomposition of services within the identity fabric, yet depend every day on that very decomposition.

Continuing to unwind Earl's comments, let's factor out what he says about Trust Frameworks.  Here I'm not unsympathetic to the points he is making, though I think they are only part of the story.  I agree that most initial usage of the architecture is, as in the examples I've given here, within tightly bounded trust contexts. But I also think that once the technology framework is in place (e.g. now…) we will see more and more examples of federation within wider contexts where it makes sense.  The question is simply, “what makes sense”?

If I could use my banking identity to log into the IRS, would that make sense to me?  Yes, because I don't access the IRS site often enough that I can ever remember an IRS credential.  Would it make sense to Earl?  Maybe not.  So that very potential divergence leads us to posit the need for an ecology with choices – one of which would be the IRS itself for those who don't relate to bridging of contexts.

Earl calls upon us to agree on a few simplifying assumptions:

  • There aren’t many strangers in real life business
  • Relying Party and “Identity Provider” are often the same
  • There are no surprise credentials

These are all good points, but don't diminish the utility of federation.  For example, in the case of using a banking identity to access the IRS, I'm not a stranger to the IRS, nor is the bank.  And my banking credential is not a surprise.  I just don't want the IRS to make me manage an extra credential for once-a-year use.  Requiring me to do this is not a simplifying assumption!

Paradoxically the next piece by Earl at The Federal Circle is called Will Cost Savings Continue to be a Significant Driver for Cloud Computing?  But Earl never asks how an enterprise or government organization that runs some of its services in the cloud handles the resulting identity problems without increasing its costs… 

Would he suggest two credentials, one for inside the enterprise and one to get to the cloud?  Two helpdesks?  Two authorization systems?  Or would he agree we should be able to reuse a single credential across these two contexts? 

Bingo.  Wouldn't it be nice if Cloud services could rely on (dare I say be a Relying Party for) identities provided by the enterprise or government?   The point is that if I build my identity systems today in keeping with an architecture that allows various roles to be played wherever it makes most sense, I set myself up for a future that is unfolding in ways I can't always predict. 

I hope that as someone advising people on how to grow and future-proof their organizations, Earl looks at the issues involved in federation one more time.  The ability to cross technological and organization boundaries – which is called federation – is central to our ability to evolve with the agility Earl rightly sees as necessary. 

Once Earl comes to see that federation architecture is completely consistent with the assumptions he puts forward, I have the feeling he will have an interesting perspective on the kinds of cross-context claims that make sense in various business and government contexts. 

Kim Komando on location services

Kim Komando has a great piece at USA Today where she explains geotagging through the experiences of two women who also happened to be using the foursquare location service.  This article is one of the first of what I expect will become a torrent as the media learns the implications of geolocation:

Sylvia was dining out with a friend. The restaurant manager interrupted her dinner to tell her she had a phone call. It was from a complete stranger who tracked her online. He had described her to the manager.

Louise was at a bar with colleagues. A stranger began talking to her. He knew a lot about her personal interests. Then, he pulled out his phone and showed her a photo. It was a picture of Louise that he found online.

Both of these stories are true. And they're very unnerving. There is also a common thread. The women were tracked by something known as “geotagging.”

Geotagging adds GPS coordinates to your online posts or photos. You may be exposing this information without even knowing it. Geotagging is particularly popular with photos; many smartphones automatically geotag photos.

Photos can be plotted on a map for easy organization and viewing. But if you post photos online, you could reveal your home address or child's school. You've given a criminal a treasure map.

Layers of information

A geotagged photo is the most obvious threat to your privacy and safety. But, in Louise's and Sylvia's cases, there was more going on. Both used the location-based social-networking service Foursquare.

Location-based social-networking services are designed to help you meet up with family and friends. When you're out and about, you check in with the site. At the coffee shop? Check in so friends nearby can find you.

Unless you have a stalker, these services aren't particularly dangerous on their own. You need to think about the layers of information you leave online. As you use more services, it's easier for criminals to track you.

Let's say you post a photo of your new house to a photo site. The photo is geotagged. You've linked your photo account to Facebook. And you use Foursquare or Twitter on the go; updates are sent to your Facebook account.

One night you go to the movies. You send a tweet as you wait in line. When you get home, you discover you've been robbed. The burglar used your photo to find your address. He learned more about you on Facebook. Your tweet tipped him off to your location.

Thanks to a movie site, he knew exactly how long the movie ran. He scoped out your house and neighborhood on Google Street View. He devised a plan to get in and out fast and undetected.

Protecting yourself

If you use these services, protect yourself. Use a little common sense. First, don't geotag photos of your house or your children. In fact, it's best to disable geotagging until you specifically need it.

On the iPhone 4, tap Settings, then General, and then Location Services. You can select which applications can access GPS data. These options aren't available in older iPhone software, so tap Settings, then General, then Reset. Tap Reset Location Warnings. You'll be prompted if an application wants to access GPS data. You can then disallow it.

In Android, start the Camera app and open the menu at the left. Go into the settings and turn off geotagging or location storage, depending on which version of Android is on your phone. On a BlackBerry, click the Camera icon. Press the Menu button and select Options. Set the Geotagging option to Disabled. Save your settings.

You can also use an EXIF editor to remove location information from photos. EXIF data is information about a photo embedded in the file. Visit www.komando.com/news for free EXIF editors.

Don't check in on Foursquare or similar sites from home. And make sure your Twitter program is not including GPS coordinates in your tweets.

For many people, Facebook ties everything together. Reconsider linking other accounts to Facebook. Pay close attention to your privacy settings. Only trusted friends should know when you are or aren't at home. Finally, if you have contacts you don't fully trust, it's time to do a purge.

[Kim Komando hosts the nation's largest talk radio show about computers and the Internet. To get the podcast or find the station nearest you, visit www.komando.com. To subscribe to Kim's free e-mail newsletters, sign up at www.komando.com too. Contact her at C1Tech@gannett.com. ]
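To show what the EXIF data Kim Komando refers to actually looks like, and what removing it involves, here is an added example (not part of her article or of the original post). It constructs a minimal JPEG whose Exif APP1 segment carries only a GPS sub-IFD, reads the latitude and longitude back the way a geotag-aware site would, and then strips the Exif segment while leaving the image data untouched. The sample coordinates and the stand-in scan data are constructed; the parser handles only the four GPS tags used here, not the full Exif tag set.

```python
import struct
from fractions import Fraction

# Added example: read and remove GPS geotags from a JPEG's Exif APP1 segment.
# Only the GPS sub-IFD is handled; the sample image is constructed inline.
APP1, SOS = 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825            # IFD0 tag pointing at the GPS sub-IFD
GPS_TAGS = {0x0001: "lat_ref", 0x0002: "lat", 0x0003: "lon_ref", 0x0004: "lon"}
ASCII, LONG, RATIONAL = 2, 4, 5     # TIFF field types used here

def _segments(data: bytes):
    """Yield (marker, start, end) for each marker segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:               # entropy-coded data follows; stop walking
            return
        pos = end

def _is_exif(data: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER

def _entries(tiff: bytes, offset: int, endian: str):
    """Yield (tag, type, count, 4 raw value-or-offset bytes) for one IFD."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, n, tiff[e + 8:e + 12]

def _gps_from_tiff(tiff: bytes):
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF header")
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    pointers = [raw for tag, typ, n, raw in _entries(tiff, ifd0, endian)
                if tag == GPS_IFD_POINTER and typ == LONG]
    if not pointers:
        return None
    (gps_ifd,) = struct.unpack(endian + "I", pointers[0])
    fields = {}
    for tag, typ, n, raw in _entries(tiff, gps_ifd, endian):
        name = GPS_TAGS.get(tag)
        if name is None:
            continue
        if typ == ASCII:                   # "N"/"S"/"E"/"W", stored inline
            fields[name] = raw[:n].rstrip(b"\x00").decode("ascii")
        elif typ == RATIONAL and n == 3:   # degrees, minutes, seconds
            (off,) = struct.unpack(endian + "I", raw)
            v = struct.unpack(endian + "6I", tiff[off:off + 24])
            if 0 in v[1::2]:
                return None                # zero denominator: refuse to guess
            fields[name] = sum(v[i] / v[i + 1] / 60 ** (i // 2) for i in (0, 2, 4))
    if not all(k in fields for k in ("lat", "lat_ref", "lon", "lon_ref")):
        return None
    return (fields["lat"] * (-1 if fields["lat_ref"] == "S" else 1),
            fields["lon"] * (-1 if fields["lon_ref"] == "W" else 1))

def parse_gps(data: bytes):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None."""
    for marker, start, end in _segments(data):
        if _is_exif(data, marker, start):
            return _gps_from_tiff(data[start + 10:end])
    return None

def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed, image data intact."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if _is_exif(data, marker, start):
            continue
        out += data[start:end]
        if marker == SOS:
            out += data[end:]              # scan data through EOI, untouched
    return bytes(out)

def _dms(value: float):
    """Decimal degrees -> [(deg,1), (min,1), (sec_num, sec_den)] as exact rationals."""
    f = Fraction(str(abs(value)))
    deg, rem = int(f), (f - int(f)) * 60
    minutes, sec = int(rem), (rem - int(rem)) * 60
    return [(deg, 1), (minutes, 1), (sec.numerator, sec.denominator)]

def build_sample_jpeg(lat: float, lon: float) -> bytes:
    """Constructed minimal JPEG: SOI, Exif APP1 holding only a GPS IFD, SOS, EOI."""
    e = "<"                                # little-endian TIFF ("II")
    def ifd(entries):
        body = struct.pack(e + "H", len(entries))
        for tag, typ, n, val in entries:
            body += struct.pack(e + "HHI", tag, typ, n) + val
        return body + struct.pack(e + "I", 0)  # no next IFD
    gps_off = 8 + 18                       # TIFF header + IFD0 with one entry
    rat_off = gps_off + 2 + 4 * 12 + 4     # GPS IFD with four entries
    ifd0 = ifd([(GPS_IFD_POINTER, LONG, 1, struct.pack(e + "I", gps_off))])
    gps = ifd([(0x0001, ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\x00" * 3),
               (0x0002, RATIONAL, 3, struct.pack(e + "I", rat_off)),
               (0x0003, ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\x00" * 3),
               (0x0004, RATIONAL, 3, struct.pack(e + "I", rat_off + 24))])
    rationals = b"".join(struct.pack(e + "II", n, d) for n, d in _dms(lat) + _dms(lon))
    app1 = EXIF_HEADER + b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + rationals
    sos = b"\x01\x01\x00\x00\x3f\x00"      # constructed SOS header payload
    return (b"\xff\xd8"
            + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + struct.pack(">HH", SOS, len(sos) + 2) + sos
            + b"\x00\x11\x22"              # stand-in for entropy-coded data
            + b"\xff\xd9")
```

Running `parse_gps(build_sample_jpeg(47.6, -122.3))` returns the coordinates back, and `parse_gps(strip_exif(...))` returns `None` while the bytes from SOS to EOI are unchanged. Two points worth noticing: the location sits in a plain, unencrypted TIFF structure that any web service receiving the upload can read in a few dozen lines, and stripping the whole APP1 segment (rather than editing tags in place) is the simplest way to be sure nothing location-bearing survives, at the cost of also dropping harmless camera metadata.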

It is well worth reading Foursquare's privacy policy – which is well thought out and makes Foursquare a paragon of virtue when compared to the contract with the devil you sign when you install iTunes, for example.  I'll explore this more going forward.

Non-Personal Information – like where you live?

Last week I gave a presentation at PII 2010 in Seattle where I tried to summarize what I had learned from my recent work on WiFi location services and identity.  During the question period an audience member asked me to return to the slide where I recounted how I had first encountered Apple’s new location tracking policy:

My questioner was clearly a bit irritated with me.  Didn’t I realize that the “unique device identifier” was just a GUID – a purely random number?  It wasn’t a MAC address.  It was not personally identifying.

The question really perplexed me, since I had just shown a slide demonstrating how if you go to this well-known web site (for example) and enter a location you find out who lives there (I used myself as an example, and by the way, “whitepages” releases this information even though I have had an unlisted number…).

I pointed out the obvious:  if Apple releases your location and a GUID to a third party on multiple occasions, one location will soon stand out as being your residence… Then presto, if the third party looks up the address in a “Reverse Address” search engine, the “random” GUID identifies you personally forever more.  The notion that location information tied to random identifiers is not personally identifiable information is total hogwash.

My questioner then asked, “Is your problem that Apple’s privacy policy is so clear?  Do you prefer companies who don’t publish a privacy policy at all, but rather just take your information without telling you?”  A chorus of groans seemed to answer his question to everyone’s satisfaction.  But I personally found the question thought provoking.  I assume corporations publish privacy policies – even those as duplicitous as Apple’s – because they have to.  I need to learn more about why.

[Meanwhile, if you’re wondering how I could possibly post my own residential address on my blog, it turns out I’ve moved and it is no longer my address.  Beyond that, the initial “A” in the listing above has nothing to do with my real name – it’s just a mechanism I use to track who has given out my personal information.]

Nice twitter

I had a tiny and unobtrusive little “privacy experience” today with Twitter that gives the lie to the idea that privacy makes things complicated and unruly.

Someone had tried to locate me using my email address. My privacy settings did not allow this (not sure if it was because Twitter's privacy policy had changed or because of my initial choices). No matter, Twitter sent me a one-sentence email that explained the situation, and when I clicked on the link allowed me to change my options with a single button press. End of story.

The whole process was low friction and – being tied to someone's attempt to get in touch with me – had a “pay-as-you-go” appeal. This wasn't some indigestible abstract policy – and I wasn't being misled by burying information on page 37 of a legal statement.  The whole UI experience made it clear that policy settings can be tied into their context in a way that is helpful and unobtrusive.

Stephan Engberg on Touch2ID

Stephan Engberg is a member of the Strategic Advisory Board of the EU ICT Security & Dependability Taskforce and an innovator in terms of reconciling the security requirements in both ambient and integrated digital networks. I thought readers would benefit from comments he circulated in response to my posting on Touch2Id.

Kim Cameron's comments on Touch2Id – and especially the way PI is used – make me want to see more discussion about the definition of privacy and the approaches that can be taken in creating such a definition.

To me Touch2Id is a disaster – teaching kids to offer their fingerprints to strangers is not compatible with my understanding of democracy or of what constitutes the basis of free society. The claim that data is “not collected” is absurd and represents outdated legal thinking.  Biometric data gets collected even though it shouldn't and such collection is entirely unnecessary given the PET solutions to this problem that exist, e.g. chip-on-card.

In my book, Touch2Id did not do the work to deserve a positive privacy appraisal.

Touch2Id, in using blinded signature, is a much better solution than, for example, a PKI-based solution would be.  But this does not change the fact that biometrics are getting collected where they shouldn't.

To me Touch2Id therefore remains a strong invasion of Privacy – because it teaches kids to accept biometric interactions that are outside their control. Trusting a reader is not an option.

My concern is not so much in discussing the specific solution as reaching some agreement on the use of words and what is acceptable in terms of use of words and definitions.

We all understand that there are different approaches possible given different levels of pragmatism and focus. In reality we have our different approaches because of a number of variables:  the country we live in, our experiences and especially our core competencies and fields of expertise.

Many do good work from different angles – improving regulation, inventing technologies, debating, pointing out major threats etc. etc.

No criticism – only appraisal

Some try to avoid compromises – often at great cost as it is hard to overcome many legacy and interest barriers.  At the same time the stakes are rising rapidly:  reports of spyware are increasingly universal. Further, some try to avoid compromises out of fear or on the principle that governments are “dangerous”.

Some people think I am rather uncompromising and driven by idealist principles (or whatever words people use to do character assassination of those who speak inconvenient truths).  But those who know me are also surprised – and to some extent find it hard to believe – that this is due largely to considerations of economics and security rather than privacy and principle.

Consider the example of Touch2Id.  The fact that it is NON-INTEROPERABLE is even worse than the fact that biometrics are being collected, since because of this, you simply cannot create a PET solution using the technology interfaces!  It is not open, but closed to innovations and security upgrades. There is only external verification of biometrics or nothing – and as such no PET model can be applied.  My criticism of Touch2Id is fully in line with the work on security research roadmapping prior to the EU's large FP7 research programme (see pg. 14 on private biometrics and biometric encryption – both chip-on-card).

Some might remember the discussion at the 2003 EU PET Workshop in Brussels where there were strong objections to the “inflation of terms”.  In particular, there was much agreement that the term Privacy Enhancing Technology should only be applied to non-compromising solutions.  Even within the category of “non-compromising” there are differences.  For example, do we require absolute anonymity or can PETs be created through specific built-in countermeasures such as anti-counterfeiting through self-incrimination in Digital Cash or some sort of tightly controlled Escrow (Conditional Identification) in cases such as that of non-payment in an otherwise pseudonymous contract (see here).

I tried to raise the same issue last year in Brussels.

The main point here is that we need a vocabulary that does not allow for inflation – a vocabulary that is not infected by someone's interest in claiming “trust” or overselling an issue. 

And we first and foremost need to stop – or at least address – the tendency of the bad guys to steal the terms for marketing or propaganda purposes.  Around National Id and Identity Cards this theft has been a constant – for example, the term “User-centric Identity” has been turned upside down and today, in many contexts, means “servers focusing on profiling and managing your identity.”

The latest examples of this are the exclusive and centralist European eID model and the IdP-centric identity models recently proposed by the US, which are neither technologically interoperable, security-adding, nor privacy-enhancing. These models represent the latest in democratic and free-market failure.

My point is not so much to define policy, but rather to respect the fact that different policies at different levels cannot happen unless we have a clear vocabulary that avoids inflation of terms.

Strong PETs must be applied to ensure principles such as net neutrality, demand-side controls and semantic interoperability.  If they aren't, I am personally convinced that within 20 or 30 years we will no longer have anything resembling democracy – and economic crises will worsen due to Command & Control inefficiencies and anti-innovation initiatives.

In my view, democracy as a construct is failing due to the rapid deterioration of fundamental rights and requirements of citizen-centric structures.  I see no alternative than trying to get it back on track through strong empowerment of citizens – however non-informed one might think the “masses” are – which depends on propagating the notion that you CAN be in control or “Empowered” in the many possible meanings of the term.

When I began to think about Touch2Id it did of course occur to me that it would be possible for operators of the system to secretly retain a copy of the fingerprints and the information gleaned from the proof-of-age identity documents – in other words, to use the system in a deceptive way.  I saw this as being something that could be mitigated by introducing the requirement for auditing of the system by independent parties who act in the privacy interests of citizens.

It also occurred to me that it would be better, other things being equal, to use an on-card fingerprint sensor.  But is this a practical requirement given that it would still be possible to use the system in a deceptive way?  Let me explain.

Each card could, unbeknownst to anyone, be imprinted with an identifier and the identity documents could be surreptitiously captured and recorded.  Further, a card with the capability of doing fingerprint recognition could easily contain a wireless transmitter.  How would anyone be certain a card wasn't capable of surreptitiously transmitting the fingerprint it senses or the identifier imprinted on it through a passive wireless connection? 

Only through audit of every technical component and all the human processes associated with them.

So we need to ask, what are the respective roles of auditability and technology in providing privacy enhancing solutions?

Does it make sense to kill schemes like Touch2Id even though they are, as Stephan says, better than other alternatives?   Or is it better to put the proper auditing processes in place, show that the technology benefits its users, and continue to evolve the technology based on these successes?

None of this is to dismiss the importance of Stephan's arguments – the discussion he calls for is absolutely required and I certainly welcome it. 

I'm sure he and I agree we need systematic threat analysis combined with analysis of the possible mitigations, and we need to evolve a process for evaluating these things which is rigorous and can withstand deep scrutiny. 

I am also struck by Stephan's explanation of the relationship between interoperability and the ability to upgrade and uplevel privacy through PETs, as well as the interesting references he provides. 

Blizzard backtracks on real-names policy

A few days ago I mentioned the outcry when Blizzard, publisher of the World of Warcraft (WoW) multi-player Internet game, decided to make gamers reveal their offline identities and identifiers within their fantasy gaming context. 

I also described Blizzard's move as being the “kookiest” flouting yet of the Fourth Law of Identity (Contextual separation through unidirectional identifiers). 
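To make the Fourth Law concrete, here is an added example (my own illustration, not code from the post or from Blizzard) contrasting the two identifier models at issue: an omnidirectional identifier (a real name shown to every context) versus unidirectional identifiers derived per context. The derivation assumed here is HMAC-SHA256 keyed with a secret the user keeps on their own side, over the name of the context; the user names, secrets and context names are constructed sample data. Two colluding contexts can link every user under the real-name model and none under the directed model, while each directed identifier still stays stable within its own context, so reputation and moderation keep working.

```python
import hashlib
import hmac

# Constructed sample population: each user holds a master secret that never
# leaves the user's side. Derived deterministically here only so the example
# is reproducible; a real deployment would use a random 32-byte secret.
USERS = {
    "alice": hashlib.sha256(b"constructed-seed-alice").digest(),
    "bob": hashlib.sha256(b"constructed-seed-bob").digest(),
}


def omnidirectional_identifier(user: str) -> str:
    """The 'real name' model: the same identifier is shown in every context."""
    return user


def directed_identifier(master_secret: bytes, context: str) -> str:
    """Unidirectional identifier for one context (assumed derivation:
    HMAC-SHA256 keyed with the user's secret over the context name).

    A relying party learns only the output. Without the secret it cannot
    compute the user's identifier in any other context, and it cannot tell
    whether two identifiers from different contexts belong to one person.
    """
    return hmac.new(master_secret, context.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def relying_party_view(context: str, scheme: str) -> set:
    """The table of identifiers a single context (forum, game, ...) ends up holding."""
    table = set()
    for user, secret in USERS.items():
        if scheme == "omnidirectional":
            table.add(omnidirectional_identifier(user))
        elif scheme == "directed":
            table.add(directed_identifier(secret, context))
        else:
            raise ValueError(f"unknown scheme: {scheme}")
    return table


def linkable_across(context_a: str, context_b: str, scheme: str) -> int:
    """Number of users two colluding contexts can link simply by
    intersecting their identifier tables. This is the linkability the
    Fourth Law is meant to prevent."""
    return len(relying_party_view(context_a, scheme)
               & relying_party_view(context_b, scheme))


def stable_within_context(user: str, context: str) -> bool:
    """A directed identifier is deterministic for (user, context), so the
    same person is recognisable across sessions inside that one context."""
    first = directed_identifier(USERS[user], context)
    second = directed_identifier(USERS[user], context)
    return first == second


if __name__ == "__main__":
    for scheme in ("omnidirectional", "directed"):
        n = linkable_across("forum", "game", scheme)
        print(f"{scheme:16s} users linkable between forum and game: {n}")
    print("alice stable within forum:", stable_within_context("alice", "forum"))
```

Run as a script, the omnidirectional scheme links both constructed users across the forum and the game, the directed scheme links none, and the stability check still reports True. The point the post makes about Blizzard follows directly: a forum that already has its own stable character identifiers gains nothing for moderation by switching to real names, but loses the contextual separation.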

Today the news is all about Blizzard's first step back from the mistaken plan that appears to have completely misunderstood its own community.

CEO Mike Morhaime seems to be on the right track with the first part of his message:

“I'd like to take some time to speak with all of you regarding our desire to make the Blizzard forums a better place for players to discuss our games. We've been constantly monitoring the feedback you've given us, as well as internally discussing your concerns about the use of real names on our forums. As a result of those discussions, we've decided at this time that real names will not be required for posting on official Blizzard forums.

“It's important to note that we still remain committed to improving our forums. Our efforts are driven 100% by the desire to find ways to make our community areas more welcoming for players and encourage more constructive conversations about our games. We will still move forward with new forum features such as the ability to rate posts up or down, post highlighting based on rating, improved search functionality, and more. However, when we launch the new StarCraft II forums that include these new features, you will be posting by your StarCraft II Battle.net character name + character code, not your real name. The upgraded World of Warcraft forums with these new features will launch close to the release of Cataclysm, and also will not require your real name.”

Then he goes weird again.  He seems to have a fantasy of his own:  that he is running Facebook…

“I want to make sure it's clear that our plans for the forums are completely separate from our plans for the optional in-game Real ID system now live with World of Warcraft and launching soon with StarCraft II. We believe that the powerful communications functionality enabled by Real ID, such as cross-game and cross-realm chat, make Battle.net a great place for players to stay connected to real-life friends and family while playing Blizzard games. And of course, you'll still be able to keep your relationships at the anonymous, character level if you so choose when you communicate with other players in game. Over time, we will continue to evolve Real ID on Battle.net to add new and exciting functionality within our games for players who decide to use the feature.”

Don't get me wrong.  As convoluted as this thinking is, it's one big step forward (after two giant steps backward) to make linking of offline identity to gaming identity “optional”. 

And who knows?  Maybe Mike Morhaime really does understand his users…  He may be right that lots of gamers are totally excited at the prospect of their parents, lovers and children joining Battle.net to stay connected with them while they are playing WoW!  Facebook doesn't stand a chance!