US Passport Progress on Fourth Law

According to an article this week in PC World, it seems the US Passport Office is tuning in to the Fourth Law of Identity. We may not be out of the woods yet, but it is encouraging to see that the Passport Office is listening to concerns by privacy experts and technologists about how Passport RFID, badly implemented, could cause many more problems than it solves. A number of us have been concerned that the original proposal offered new high tech weapons to terrorists and organized crime.

By October 2006, the U.S. government will require nearly all of the passports it issues to include a computer chip containing the passport holder's personal information, according to regulations published this week.

Starting in early 2006, the U.S. Department of State will begin issuing passports with 64-kilobyte RFID (radio frequency identification) chips that will contain the name, nationality, gender, date of birth, and place of birth of the passport holder, as well as a digitized photograph of that person.

The chip's contents will match the data on the paper portion of the passport, improving passport security by making it more difficult for criminals to tamper with passports, backers say. U.S. government efforts to make passports harder to forge began in response to the terrorist attacks on the United States on September 11, 2001.

Opposition

After the State Department proposed last February to include RFID chips in passports, privacy groups such as the American Civil Liberties Union and the Electronic Frontier Foundation expressed concern. Because some RFID chips can be scanned remotely, criminals may be able to covertly scan groups of passport holders at airports, the EFF said in April. RFID passports could thus act as “terrorist beacons,” as well as indiscriminately exposing U.S. residents’ personal information to strangers.

For the record, I could not agree more with those expressing these concerns. It is a key responsibility of technologists to consider how what they are building can be misused by those with criminal intent. But so far, we don't seem very good at taking this responsibility. Our knee-jerk reaction is to label critics as lunatics in tinfoil hats. We should be learning about how to do a privacy threat analysis from the ACLU and EFF so we don't propose goofy technologies in the first place. And I for one applaud them for going to the mat on this issue.

In a letter commenting on the State Department proposal, the EFF argued that the agency lacked congressional authority to require RFID chips in passports.

“RFID in passports is a terrible idea, period,” said EFF senior attorney Lee Tien, in a posting to the EFF's Web site. “But on top of that, the State Department is acting without the appropriate authority and without conducting any form of credible cost-benefit analysis. It's asking Americans to sacrifice their safety and privacy ‘up front’ for a dangerous experiment that it hasn't even bothered to justify.”

The State Department received 2335 public comments on its February proposal to introduce electronic passports. More than 98 percent of the comments were negative, the State Department said, and most of them raised issues about security and privacy.

Note for others involved in similar schemes: If the Passport proposal had taken the Fourth Law of Identity into account from the get-go, most of these 2288 negative comments wouldn't have landed at their door.

Security Precautions

In the passport rules it released Tuesday, the State Department said that it was taking several security precautions. The RFID chips will use encrypted digital signatures to prevent tampering; and they will be so-called passive RFID chips, which do not broadcast personal information unless within inches of an RFID reader machine. To protect against data leaks, the e-passports will come with an “antiskimming” material that blocks radio waves on the passport's back and spine, the State Department notice said.

The new passports would comply with an International Civil Aviation Organization specification on e-passports, the State Department said.

Though the State Department moved away from its earlier proposal of a self-powered RFID chip in favor of a passive one that relies on a reader machine's power, privacy concerns remain, said Barry Steinhardt, director of the ACLU's Technology and Liberty Program. Steinhardt called the State Department's security measures a “step forward,” but he said bar codes could be used to match electronic data with paper data on passports.

“It still raises the question [of] whether or not this is an appropriate technology,” Steinhardt said. “There are still some essential concerns about whether this is secure or not.”

I agree with Barry that we need more technical analysis by radio experts to know the extent to which these initiatives address the problem. But having scrapped the active tags and included the shielding, we know the scheme is qualitatively less dangerous than it was six months ago. Still, I would like to see the passport information protected from improper release through cryptography.

Neville Pattinson, director of technology and Government affairs for Texas RFID card vendor Axalto, praised the State Department's changes, including the passive chips and antiskimming materials. “This is a fine example of the government listening to public opinion and adopting technology that protects citizens' privacy,” he said. “With the changes, information cannot be extracted from it.”

I agree that the Passport Office already deserves credit for listening, unlike some more stubborn entities in various national governments who don't seem to care at all about the dangers of their proposals. It seems like the scheme is becoming a lot safer – and I hope the improvement can continue.

Companies like Axalto have such great technology that they could make a passport chip that would not respond unless triggered by a reader with a valid “inquiry coupon”. In fact, they may already have such capabilities. What would an inquiry coupon look like? It would be cryptographically signed by the US State Department and grant the operator of a reader permission to query American passports. This kind of a system would really bring the system into accord with the Fourth Law.

Of course a proposal like this would require an upgrade to the International Civil Aviation Organization specification on e-passports. The sooner we get to this, the sooner we can move toward real, long term, solutions.
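As an added illustration of the inquiry-coupon idea (example code written for this page, not anything the State Department, ICAO or Axalto has published), here is a simulated chip that answers only a reader holding a coupon signed by the issuer; the coupon layout, the reader identifiers and the sample holder data are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// InquiryCoupon is the hypothetical credential a reader presents to the chip:
// the issuer (the State Department in the post) signs the reader's identity and
// a validity window with a key whose public half is burned into every chip.
type InquiryCoupon struct {
	ReaderID  string
	NotBefore int64 // Unix seconds
	NotAfter  int64 // Unix seconds
	Signature []byte
}

// couponBytes is the canonical byte string under the signature. The layout is
// this example's assumption; no e-passport specification defines such a coupon.
func couponBytes(readerID string, notBefore, notAfter int64) []byte {
	buf := make([]byte, 16, 16+len(readerID))
	binary.BigEndian.PutUint64(buf[0:8], uint64(notBefore))
	binary.BigEndian.PutUint64(buf[8:16], uint64(notAfter))
	return append(buf, readerID...)
}

// IssueCoupon runs at the issuer, which alone holds the private key.
func IssueCoupon(issuerKey ed25519.PrivateKey, readerID string, notBefore, notAfter time.Time) InquiryCoupon {
	msg := couponBytes(readerID, notBefore.Unix(), notAfter.Unix())
	return InquiryCoupon{
		ReaderID:  readerID,
		NotBefore: notBefore.Unix(),
		NotAfter:  notAfter.Unix(),
		Signature: ed25519.Sign(issuerKey, msg),
	}
}

// PassportChip holds the data page and the issuer's public key; it knows
// nothing about individual readers, only whether the issuer signed a coupon.
type PassportChip struct {
	issuerPub ed25519.PublicKey
	holder    string // the personal data, collapsed to one string for the example
}

// ErrNoResponse stands in for the chip simply staying silent on the radio link.
var ErrNoResponse = errors.New("chip does not respond")

// Query releases the holder data only for a coupon that verifies under the
// issuer key and whose validity window contains "now" (a real chip has no
// clock, so a deployed scheme would need a trusted time source or a challenge).
func (c *PassportChip) Query(coupon InquiryCoupon, now time.Time) (string, error) {
	msg := couponBytes(coupon.ReaderID, coupon.NotBefore, coupon.NotAfter)
	if !ed25519.Verify(c.issuerPub, msg, coupon.Signature) {
		return "", ErrNoResponse // forged, tampered, or signed by someone else
	}
	if t := now.Unix(); t < coupon.NotBefore || t > coupon.NotAfter {
		return "", ErrNoResponse // stale or not-yet-valid coupon
	}
	return c.holder, nil
}

func main() {
	issuerPub, issuerKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chip := &PassportChip{issuerPub: issuerPub, holder: "DOE, JANE / USA / 1970-01-01 (constructed sample)"}
	now := time.Now()

	// Authorized border-control reader with a coupon valid for the current shift.
	good := IssueCoupon(issuerKey, "SEA-LANE-07", now.Add(-time.Hour), now.Add(time.Hour))
	data, err := chip.Query(good, now)
	fmt.Println("authorized reader:", data, err)

	// A covert scanner has no issuer-signed coupon; the best it can do is sign
	// one with its own key, which the chip does not trust.
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := IssueCoupon(rogueKey, "SEA-LANE-07", now.Add(-time.Hour), now.Add(time.Hour))
	_, err = chip.Query(forged, now)
	fmt.Println("forged coupon:", err)

	// A genuine coupon from last month is outside its validity window.
	stale := IssueCoupon(issuerKey, "SEA-LANE-07", now.Add(-720*time.Hour), now.Add(-696*time.Hour))
	_, err = chip.Query(stale, now)
	fmt.Println("stale coupon:", err)
}
```

A chip cannot tell a coupon copied from a legitimate reader apart from the original, so a deployed scheme would also need the chip to issue a challenge that the reader signs with its own key named in the coupon; the post's proposal stops at the signed coupon, and so does this example.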

GE Puffer Stinks of Dr. Strangelove

I've been traveling way too much recently. And when you do too much of something, you can get too nonchalant about it.

For example, this week, not only did I take a “multi-destination” flight, but I rebooked part of it at the last minute so I could adjust my schedule when a meeting was cancelled. Abnormal behavior, right? Apparently.

I guess everyone will feel safer knowing that my deviation from a conventional “pre-booked return” travel profile alerted American West to put me through special screening – both on my way from San Francisco to Vegas, and on my way from Vegas back to Seattle. One marvels at the integration of artificial intelligence (in the true sense of the first word) into the ticketing system.

Giant imprints reading ‘SSSS’ appeared in enormous boldface type both on my eTicket and the attached stub – a novel mechanism that unambiguously identifies a suspect to security line attendants in both cities.

All of this was fascinating, but nothing compared to what I went through once I was identified as what the transport security industry calls a “selectee”.

Instead of the conventional “pat down”, I was forced to experience first-hand two implementations of a new explosive-sniffing device called a “puffer”. Reading the sites of puffer manufacturers, you get the impression that their use with “selectees” is just a prelude to universal screening. According to one travel industry article, the machines are in place as part of a test by Safe Skies. According to a spokeswoman (whose dress seems to have been permanently puffed by the GE machine, as shown below):

Safe Skies tests equipment with “real people, real lighting conditions, real architecture,” but does not disclose results. The technology receiving the most buzz now in aviation circles is a walk-through portal made by GE Ion Track in Wilmington, Massachusetts. Affectionately called “the puffer,” the portal has a hood that captures the plume of heat that naturally rises off a person's body; it then puffs jets of air which shake loose particles. The machine vaporizes the particles, gives them a charge, and measures how fast the ions are traveling. Using that speed, screeners can identify the presence of banned substances, such as explosives.

According to a blurb at the GE site:

GE Ion Track's revolutionary walk-through portal quickly screens people for contraband without physical contact. Thanks to our patented Ion Trap Mobility Spectrometer (ITMS®) technology, EntryScan3 detects a wider range of explosives and narcotics with unprecedented sensitivity. It is the ideal complement to X-ray and metal detectors.

For higher throughput, visible and audible commands streamline checkpoints by automatically directing passengers to enter or leave the portal. If traces of explosives or narcotics are detected – or a person leaves before being prompted – EntryScan3 instantly sounds an alarm to facilitate rapid containment.

What's it like?

People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt.

I had been told there would be “puffs of air”, but these were not, by any definition, puffs.

“Puffs” make me think of cigar smoke. Or “Puff the magic dragon”. Puffs of wind. But these were hurricane strength blasts.

Meanwhile the machine barks orders like a concentration camp commandant. Where did they get the voice? It speaks in a chilling metallic imperative borrowed from a really bad science fiction movie. In fact it was barely believable that adults would unleash this contraption on anyone.

On the way back from Vegas, I was put through a different puffer, this time the Sentinel II manufactured by Smiths. In the large sense, it is just as invasive. But the difference between this machine and the GE machine is astounding. The Smiths machine speaks in a voice no more unreasonable than any amusement park ride, and, as the company says, “Gentle puffs of air dislodge any particles trapped on the body, hair, clothing and shoes.” And the puffs are gentle – a completely different experience from the horror devised by the idiots at GE. Further, the machine doesn't produce the sense of being trapped.

Apparently you can select a traditional “pat down” rather than going through these devices, but I was only told about that after expressing my dismay about being subjected to the vile GE contraption. This machine should be destroyed before it is foisted on the traveling public.

If I were GE, I would get my logo off this device as fast as I could. In fact, I would pull the machine back into the lab for a serious rethink, and apologize.

Who owns the metasystem?

After successfully avoiding the hurricane in Cancun, I came home to find a potential tempest gathering on the googlegroups idworkshop list dedicated to the identity metasystem. My friend Johannes Ernst, trying to ward off any misunderstandings, had written:

Just received — as you probably have — an e-mail invitation to the upcoming “Digital Identity World/Financial Services Conference” that features the following talk:

11:15AM – 11:45AM: Implications of the Microsoft Identity Metasystem for Strong Authentication Microsoft – Mike Jones (InfoCards)

Arising from unusually open conversations, and based on the laws of identity developed by Kim Cameron through these conversations, Microsoft will be releasing a cross-platform identity metasystem and InfoCard user interface with Windows Vista. This system takes a quite different approach to identity and authentication, allowing many new approaches to solving this problem at scale.

Mike Jones will detail the identity metasystem, and highlight its implications for the problems faced by financial services.

So Microsoft will be releasing the identity metasystem with Windows Vista? And it will be the “Microsoft Identity Metasystem” per title of this talk? Can somebody from Microsoft clarify whether this is indeed the way you position it, or whether this was just the work of an overzealous copy editor somewhere? If that's how you present it, do we — i.e. everybody who is not releasing an identity metasystem with Windows Vista because we are not Microsoft — need a different name for what we are all striving for? The NetMesh Identity Metasystem and the SXIP Identity Metasystem, perhaps?

Or do we need the Identity Meta-meta-system? 😉

I think the question of whether there'll be one identity metasystem everybody participates in — equally? — or whether it is controlled/branded/perceived to be owned/wanted to be owned by one vendor remains a fairly confused subject.

[This is not meant to be an attack or anything like it, but I really think we need to put this issue to bed. It has been discussed over and over without ever really being resolved, and it's not that hard to resolve … can I encourage Microsoft's powers-that-be to just pick one definition vs the other and stick with it. I'm fine with either choice, I just want to know what the term means…]

So let me provide some definitive and public answers that represent my thinking as Microsoft's Architect of Identity – thinking which I have already articulated in the Laws of Identity; which has been clearly stated in the Microsoft Vision for an Identity Metasystem document; and which Mike Jones, Andy Harjanto, John Shewchuk, and all the rest of us from identity land at Microsoft see as self-evident:

No one can own the identity metasystem – that would be a silly goal by any standards.

We need to work together to create an identity metasystem, and we are doing that – across the industry, and beyond it. We are trying to create and ride a wave. A unique opportunity. There are people with many different skills who are becoming involved with this. We are brought together through our understanding of what digital identity (or the lack of it) means to the future of the virtual and mortar worlds, and trying to push our understanding of these critical issues to the limit.

We at Microsoft are trying to do our part to contribute metasystem components – but we are fully aware that the metasystem has to reach across platforms and technologies (law 5). We have the greatest respect for everyone who is on this expedition. We hope, working with them, to build a ubiquitous unifying fabric, just like TCP/IP.

As for the passage Johannes quotes, it is not our intended message. We've talked about Microsoft's Vision for an Identity Metasystem, but never implied we “owned” the system.

The conference brochure in question was put together at DIDW by people racing against the clock to include InfoCards in a really interesting identity conference for the financial sector (more in an upcoming piece). They did the best they could given that we hadn't sent them a written blurb. In this regard I take responsibility for any ambiguity.

As usual, the DIDW conference organizers were more than responsive when I contacted them. Within minutes the text had been edited to remove any ambiguity of the sort Johannes worried about.

Now the line in question reads:

Microsoft will be releasing the InfoCard user interface for a cross-platform WS-Trust based identity metasystem with Windows Vista.

All said and done, experience tells me there will be lots of things written that do not reflect our – or anyone's – intended messages! That is just the nature of a free-thinking press – and of a technology tornado (read technology hurricane!) As far as I'm concerned, we want both.

The Tao of XDI

I've always thought Andy Dale was a very interesting person, but somehow missed out on the fact that he has been putting together a major body of work on his blog at xditao. In case it's not obvious, the name combines XDI as in xdi.org, and tao as in what makes the world go round. I found it informative to go through the archives – you really get an outstanding grasp of what XDI can do for us. Here's a sample – and presto, you understand Link Contracts.

I have talked a lot about Link Contracts lately, so why stop now. As I have said, Link Contracts are composed of several, signed, parts. Some of the parts are network enforceable and some are not. The non-network enforceable bits are meant to be enforced in some social system of accountability. These non-network enforceable bits are what I refer to as the ‘Terms and Conditions’ of the data sharing. The bit that says “You may not sell my data. You may not use my data for any purpose other than the original purpose of this agreement”, that kind of stuff. The problem with these terms and conditions is, they aren’t meant to be network enforceable or, therefore, machine understandable.

So if we don’t do this right this is what happens:

I address an email to you with your i-name. My email client asks your authority for your current email address. Your authority returns a response that says; you can have that info if you agree to these terms and conditions. My client is meant to sign these terms and conditions and return them to your authority in order to get the data I require. SO, the problem is; I don’t want to read some terms and conditions every time I do anything that involves someone else’s data. You know I’m not going to read it anyway, but I don’t even want to have to do that extra click. I mean, who knows what’s in those terms and conditions? What’s to stop you from adding some line 20 pages down that says “By signing this agreement you agree to pay me $500”. If this is how it worked, the Dataweb would be broken before it even started.

So… what do we do?

Rather than us all writing and using our own DSA (Data Sharing Agreements; terms and conditions) we will use ones provided by ‘trusted third parties’. I can read IDC (Identity Commons) Standard DSA #5 once and set up a preference that I am always willing to accept data under those terms. So in future when I ask for your email, you will say “under IDC DSA #5 (version 1.3)”, and my email client will simply sign the contract and send it back.

Now, the reality is, I’m probably not even going to read the IDC DSAs but that’s the point of having it provided by an organization that is ALL about trust. I know that if IDC publishes this DSA under their name… it must be ok. Ultimately there may be other organizations that provide DSAs that we can all trust, or at least use; Visa, HIPAA, SEC, etc…

For now we need to bootstrap this ecosystem. I have worked with Owen of IDC to outline three basic DSAs that can get us started:

1. Basic – This one will put some simple constraints on the consumer of the data to ‘respect’ the owner’s privacy. This is the first real step toward giving the individual some control over their virtual self. It will include:

   • No selling my data
   • No giving my data away
   • Only use my data in the context in which this agreement was forged
   • Upon request or discontinuation of this agreement you will anonymize or remove my data, remove all PII (Personally Identifying Information) and any contact channel information (address info). I call for anonymization as an option as companies must have the ability to execute their operational reporting and auditing.

2. Wild West – This is for the organization that wants to take advantage of the higher quality data source that the Dataweb provides, but cannot, for technical, business or other reasons, conform to the restrictions of the Basic DSA. Accepting this agreement would be no different from filling out a registration form at a service today, just easier for all concerned.

3. Full Empowerment – This agreement is for the truly forward thinking organization. Under this agreement the requester of the data offers reciprocation. They say they will give you a copy of your transaction records in exchange for having access to your data. In practice this would mean that I give Netflix access to my contact info and they will, automatically, programmatically, give me a copy of the list of movies I have rented (and how much I spent, and how long I kept them and all that good stuff). When the contract ends, I still have a copy of that information that I can take with me to my new movie rental provider.

I characterize option 1 as individuals having privacy statements instead of organizations, option 2 as the status quo, and option 3 as the next step in the evolution toward a fully empowered consumer.

Ultimately, I believe, option 3 evolves to a point where vendors simply use our repositories as the place that they keep the data about us. By giving us that level of control, and trust, and respect; why would we go to another vendor?

Please let me know if you think we need another DSA, or that I am totally off base!!
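The negotiation Andy describes, as an added example (written for this page; not XDI code and not from xditao or Identity Commons): the requester's client auto-signs only DSA references the user has pre-accepted, and the authority releases the attribute only against a matching signed acceptance. The reference-string parser, the keys and the sample e-mail address are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// DSARef names a published Data Sharing Agreement in the form the post uses,
// "IDC DSA #5 (version 1.3)". The parsing pattern is this example's assumption.
type DSARef struct {
	Publisher string
	Number    int
	Version   string
}

var dsaPattern = regexp.MustCompile(`^([A-Za-z]+) DSA #([0-9]+) \(version ([0-9.]+)\)$`)

// ParseDSARef accepts only a well-formed reference; ad hoc terms ("pay me $500") never parse.
func ParseDSARef(s string) (DSARef, error) {
	m := dsaPattern.FindStringSubmatch(s)
	if m == nil {
		return DSARef{}, fmt.Errorf("not a published DSA reference: %q", s)
	}
	n, _ := strconv.Atoi(m[2]) // digits only, guaranteed by the pattern
	return DSARef{Publisher: m[1], Number: n, Version: m[3]}, nil
}

// String is the canonical form that gets signed and compared.
func (r DSARef) String() string {
	return fmt.Sprintf("%s DSA #%d (version %s)", r.Publisher, r.Number, r.Version)
}

// Acceptance is the signed part of the link contract the requester returns.
type Acceptance struct {
	Terms     string // exact canonical DSA reference the requester agreed to
	Signature []byte // requester's signature over Terms
}

var ErrNeedsReview = errors.New("terms are not a pre-accepted DSA; human review required")

// Client is the requester's agent (the e-mail client in the post).
type Client struct {
	key      ed25519.PrivateKey
	accepted map[string]bool // DSAs the user read once and accepts for all future requests
}

func NewClient() *Client {
	_, key, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return &Client{key: key, accepted: map[string]bool{}}
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.key.Public().(ed25519.PublicKey) }

// AcceptDSA records a publisher/number/version the user has read. A new version is a new decision.
func (c *Client) AcceptDSA(ref DSARef) { c.accepted[ref.String()] = true }

// SignTerms is the automatic step: parse, check the preference list, sign. An unknown
// publisher, a bumped version or free text comes back as ErrNeedsReview, unsigned.
func (c *Client) SignTerms(terms string) (Acceptance, error) {
	ref, err := ParseDSARef(terms)
	if err != nil || !c.accepted[ref.String()] {
		return Acceptance{}, ErrNeedsReview
	}
	return Acceptance{Terms: ref.String(), Signature: ed25519.Sign(c.key, []byte(ref.String()))}, nil
}

// Authority is the data owner's i-name authority: the attribute plus the DSA it requires.
type Authority struct {
	email    string
	requires DSARef
}

// Challenge is the authority's first reply to a request: no data yet, only the terms.
func (a *Authority) Challenge() string { return a.requires.String() }

// Release hands over the attribute only for a validly signed acceptance of exactly the required terms.
func (a *Authority) Release(requester ed25519.PublicKey, acc Acceptance) (string, error) {
	if acc.Terms != a.requires.String() {
		return "", errors.New("acceptance is for different terms")
	}
	if !ed25519.Verify(requester, []byte(acc.Terms), acc.Signature) {
		return "", errors.New("acceptance signature does not verify")
	}
	return a.email, nil
}

func main() {
	client := NewClient()
	dsa5, _ := ParseDSARef("IDC DSA #5 (version 1.3)")
	client.AcceptDSA(dsa5) // read once, accepted for all future requests
	andy := &Authority{email: "andy@example.invalid", requires: dsa5} // constructed sample
	acc, err := client.SignTerms(andy.Challenge())
	fmt.Println("auto-signed:", acc.Terms, err)
	fmt.Println(andy.Release(client.PublicKey(), acc))
	_, err = client.SignTerms("By signing this agreement you agree to pay me $500")
	fmt.Println("ad hoc terms:", err) // unsigned until a human reads them
}
```

The acceptance here is signed over the terms string alone; a deployed link contract would also name the requester, the data asked for and a nonce so a captured acceptance cannot be replayed, and the obligations inside DSA #5 remain exactly as unenforceable by the network as Andy says.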

Escaping Wilma

People who saw Adele and me on TV over the last few days have been writing to ask if we're OK – they saw us lined up at the Cancun airport trying to “escape hurricane Wilma.”

Thanks to everyone who has expressed their concern. We are fine!

It's funny how TV works. The image and interview became part of the Wilma system. They were replayed day after day as Wilma stalled and mercilessly bashed the Yucatan.

The truth is, I had registered for Cancun weather notifications prior to starting my vacation. Monday morning, I received this email:

The tropical depression #24 was upgraded this morning to Tropical Storm Wilma and it was located this morning at 502 miles east southeast of Cancun, Mexico. Interests in Cancun, Isla Mujeres, Cozumel, Puerto Morelos, Playa del Carmen, Puerto Aventuras, Akumal, Tulum and the Costa Maya area must monitor the development of Wilma over the next few days.

To see the most complete information about the storm please go to: http://www.cancun.bz/cancunweather.htm

The tropical storm names for this hurricane season have been depleted; this happened only in 1933, and Wilma ties that record.

I checked the site periodically. Tuesday evening the storm suddenly developed into a category 5 hurricane coming straight towards us.

As I told the TV crew, “I've been in a hurricane before, and don't want to be in another one.” Visions of holding out in an emergency shelter with no air conditioning spurred me to lay down my Margarita and get to my feet.

Again using the Internet, I bought tickets on a flight the next morning to Puerto Vallarta. That's another beautiful Mexican town, far from Cancun on the Pacific side of Mexico, where the sun was still shining and the dolphins still playing.

Only thirty-six hours before the eye of the storm hit Cancun, we drove to the airport on an empty road. Many of the local Mexicans, veterans of endless minor hurricanes, were skeptical that this one would hit them head on. Our ticket agent told us we were crazy to leave – he said we should go back to our hotel, where “recreation directors would be throwing hurricane parties in the ballrooms.” Tourists weren't aware of what was coming either. When I was interviewed by the TV crew, the only reason I was in a lineup at all was because I had accidentally joined a group of French tourists who were clogging the check-in lane waiting for their tour guide to arrive. The airport was no busier than it normally is.

Whatever the explanation, it all made for a good visual. And apparently got replayed many times.

The images coming back from Cancun and the Riviera now are more than frightening. The devastation is terrible. My heart goes out to the local people, who I have always found to be endlessly friendly and helpful. They know a lot about how to handle hurricanes, and I'm sure they'll recover as quickly as anyone could.

As for me, I count myself super lucky to have had access to information and mobility. It's another example of how much is changed by the Internet.

New blog at planetary.net

Kris Magnusson, who was open source program manager at Novell, pinged me recently to tell me about his new blog called http://planetary.net. I see postings like this:

Yes, I Am… an advocate for the Identity Metasystem. Craig Burton convinced me for reasons he didn't know about and reasons I didn't explain to him.

The big reason I believe in it was that it fit my criteria for becoming Internet infrastructure, with an exception that I think can be rectified over time, namely that multiple reference open source implementations don't currently exist. However, the Metasystem is young and these things will most certainly change.

Everything else about the Metasystem is right. It doesn't displace any existing infrastructure, requiring only a simple plugin for web sites to interoperate with the Metasystem. The InfoCard system is a great way to put users safely in control of their own identity claims, and it looks like it will find its way into alternative browsers like Firefox and Safari, making it ubiquitous.

I really have a distaste for silos now that I've experienced the openness of the Metasystem. You'll have to pardon me if I seem too hard on them, especially Sxip, who have their heart in the right place by putting claims back in the hands of users, more or less. It's just that having worked with Dr. Marshall T. Rose and having had a taste of what standardizing Internet infrastructure is all about, and having had exposure to the Metasystem's openness, I don't want to go backward to silos and proprietary networks.

My gosh: Marshall T. Rose – author of the Open Book and the Little Black Book and grand savant of OSI. That brings back memories. Anyway, moving on, I continue to hope that sxip and lid and other emerging systems will develop implementations that are part of the proposed identity metasystem.

In his email, Kris sets up a direct question for me:

My hope is that the metasystem will become true internet infrastructure in the same way dns/bind or http is currently. I think in order for this to happen that multiple open source reference implementations have to be developed. I don't think Microsoft can go it alone. Moving the WS* specs through OASIS is fabulous, as is getting support from IBM and hopefully later from Sun, but open standards are not sufficient to make a software system internet-standard. Ubiquitous implementation is key. So I'm hoping that someone will step up to the plate and develop an open source implementation of the metasystem for non-windows platforms. What do you think about this?

I totally agree. I have heard Craig's recording of “I, I, I cry ubiquity…” and thought it pretty much catches the spirit of the times. Hard-wiring is fading fast, and we will need identity metasystem capabilities in every nook and cranny of the Internet.

Risks of poor design mean huge potential security problems

Jerry Fishenden, who is Microsoft's National Technology Officer for the UK, just contributed this first rate piece to the Scotsman:

A well-designed UK national identity card could help tackle many problems, including the upward trend in identity fraud and theft. But important technical, security and privacy issues need to be tackled to ensure its success.

One major challenge is that no computer system is 100 per cent secure. We've seen various prosecutions arising from unauthorised access to computer systems such as the Police National Computer and DVLA. Putting a comprehensive set of personal data in one place produces a “honeypot” effect – a highly attractive and richly rewarding target for criminals. Forty million users’ personal credit card records were compromised recently in the US – highlighting the very real risks such systems face.

We should not be building systems that allow hackers to mine information so easily. Putting all of our personal identity information in a single place is something that no technologist would ever recommend: it leads to increased and unnecessary risk. And it is poor security and poor privacy practice. Inappropriate technology design could provide new hi-tech ways of perpetrating massive identity fraud on a scale beyond anything we have seen before: the very problem the system was intended to prevent.

The UK identity card also intends to exploit advanced biometrics – technology for measuring and analysing human body characteristics (such as scans of your face, fingerprints and retina). Correctly used, biometrics can provide a useful additional technology to assist with identification – acting as a cross-reference when you need to authenticate yourself.

But as the British Computer Society has commented: “No scheme on this scale has been undertaken anywhere in the world and the technology envisioned is to a large extent untested and unreliable on such a scale. Smaller and less ambitious systems have hit technological and operational problems that are likely to be amplified in a large-scale national system.”

The security and privacy implications of storing biometrics centrally are enormous. Unlike other forms of information such as credit card details, if core biometric details such as your fingerprints are compromised, it is not going to be possible to provide you with new ones.

The ID card itself also needs to be carefully designed to ensure it doesn't add to identity fraud problems by carelessly “broadcasting” personal information every time it's used. Using the same identifiers wherever we present the ID card is a highly risky technical design. Would you be happy if online auction sites, casinos or car rental company employees are given the same identity information that provides you with access to your medical records? It's unnecessary: we can already design systems that ensure the disclosure of personal information is restricted only to the minimum information required (a pub landlord, for example, needs only to know that you are over 18). Keeping identity information relevant to the context in which it is used is both good privacy and good security practice.

The US government has already started to re-think the way it approaches some of its large-scale government IT systems: for example, it actively encourages IT privacy and security experts to attempt to find flaws in its new electronic passport system so that it can be improved.

This is proving a successful model that should be more widely adopted, to the benefit of the UK identity card.

A well designed identity card could help simplify our interactions with public services, provide additional protection from identity fraud and improve public service delivery. But we need to ensure technology industry expertise and successful models, such as that being adopted for the US e-Passport programme, become an integral part of projects such as the UK identity card. There is no need to contemplate designing a system embodying so much risk when the same results can be achieved without any risk at all.

After all, if someone were proposing to build the most ambitious bridge the world had ever seen and engineers could see that it would fail, and suggest ways in which it could be improved, we would expect their views to be taken into account.

This is a great article and I hope it will get discussion going about other ways to approach the problems the card is meant to address. Jerry speaks for most of us when he points out the unnecessary and troubling risks of the proposed system. And his analogy with a misdesigned bridge could not be more apt.
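An added example of the two design rules Jerry argues for, a different identifier per context and disclosure limited to what the context needs (example code written for this page, not anything from the UK scheme or the article): a simulated card derives a pairwise pseudonym per relying party and answers only yes/no age predicates. The card secret, dates and relying-party names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Card models an identity card that never hands out its raw data page. The
// secret is installed per card and never leaves it (the issuer's copy is out of scope).
type Card struct {
	secret []byte
	name   string    // held on the card, never returned by Present
	dob    time.Time // held on the card, never returned by Present
}

// Request is what a relying party (pub, casino, car-rental firm, hospital) asks for.
type Request struct {
	RelyingParty string   // name the card uses to derive a party-specific identifier
	Claims       []string // predicate claims only, e.g. "over18"
}

// Response is a pairwise pseudonym plus yes/no answers: no name, no date of birth.
type Response struct {
	Pseudonym string
	Claims    map[string]bool
}

// PseudonymFor derives a stable identifier for one relying party. Two parties
// comparing the values they received cannot tell whether they came from the same card.
func (c *Card) PseudonymFor(relyingParty string) string {
	mac := hmac.New(sha256.New, c.secret)
	mac.Write([]byte("pairwise-id:" + relyingParty))
	return hex.EncodeToString(mac.Sum(nil)[:16])
}

// ageAtLeast is true once the holder's birthday number "years" has passed.
func ageAtLeast(dob, now time.Time, years int) bool {
	return !now.Before(dob.AddDate(years, 0, 0))
}

// Present answers only the predicate claims the card knows how to prove. A request
// for anything else (the date of birth itself, the name) is refused rather than
// answered: the "minimum information required" rule from the article.
func (c *Card) Present(req Request, now time.Time) (Response, error) {
	resp := Response{Pseudonym: c.PseudonymFor(req.RelyingParty), Claims: map[string]bool{}}
	for _, claim := range req.Claims {
		switch claim {
		case "over18":
			resp.Claims[claim] = ageAtLeast(c.dob, now, 18)
		case "over21":
			resp.Claims[claim] = ageAtLeast(c.dob, now, 21)
		default:
			return Response{}, fmt.Errorf("claim %q is not something this card discloses", claim)
		}
	}
	return resp, nil
}

func main() {
	// Constructed sample card and clock; a real card carries an issuer-installed secret.
	card := &Card{
		secret: []byte("constructed-per-card-secret"),
		name:   "Jane Doe",
		dob:    time.Date(2005, 3, 1, 0, 0, 0, 0, time.UTC),
	}
	now := time.Date(2025, 10, 1, 0, 0, 0, 0, time.UTC)

	pub, _ := card.Present(Request{RelyingParty: "pub", Claims: []string{"over18"}}, now)
	casino, _ := card.Present(Request{RelyingParty: "casino", Claims: []string{"over21"}}, now)
	fmt.Println("pub sees:   ", pub.Pseudonym, pub.Claims)       // a different pseudonym...
	fmt.Println("casino sees:", casino.Pseudonym, casino.Claims) // ...from the casino's

	// A relying party asking for the raw attribute gets an error, not the data.
	_, err := card.Present(Request{RelyingParty: "car hire", Claims: []string{"dob"}}, now)
	fmt.Println("raw attribute request:", err)
}
```

Responses are unsigned here; a deployed card would sign them, or carry issuer-signed claims, so the landlord can trust the answer, which the article does not go into.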

    Identity Studies

    I've received a number of notes from investigators and Ph.D. candidates in North America and Europe who want to focus on “digital identity management”. I think this is one more indicator that the importance of digital identity is permeating the intelligentsia. If I'm right about this, let the bells ring and the banners fly… How can we nurture their interest?

    Academic research represents a great opportunity in our quest to “get identity right”.

    We need the participation of the university. We need unimpeded research, review and contemplation. We need the next generation, born nearer to the world of virtual reality than many of us were, to start looking at identity technology as one of the key mechanisms for shaping and controlling a world which, no matter what, will be startlingly different from this one.

    Jamie Lewis has generalized the idea of “cross-cutting concerns” used in aspect-oriented programming and applied it to digital identity. Refracting this into academia we can see that the study of digital identity should be cross-disciplinary.

    So let's brainstorm. What about Identity Studies? Does it already exist? If not, I predict it will. We can be certain that software, robots, agents, avatars and many aspects of the built environment will learn to adapt to those who interact with them. At some point it will become obvious that we need people who understand the many implications of such technological innovations. Here's a first sketch…

    Identity Studies: the discipline that grasps how who we are both changes and reflects the behavior of the world we inhabit – a theory of praxis, but one reaching beyond philosophy. It extends from understanding the mechanisms through which identity is acquired and transformed, to a theory of its protection, transmission, reception and perception. It looks at how different kinds of systems respond to, and evolve through, this perception, ultimately resulting in feedback and the transformation of identity itself.

    Identity Studies will be founded by computer scientists, information theorists, cryptographers, privacy and security experts, semiologists, psychologists, sociologists, philosophers, architects and designers, lawyers, criminologists, political scientists, and policy researchers. All of these disciplines have important insights to contribute.

    There are already programs at innovative universities which could evolve in the direction of this new discipline.

    Several people have asked me to give “guidance on sub-areas of DIM that, based on your experience, you will recommend for research”.

    In subsequent postings I'll suggest a couple of specific projects. But before I do, I'm going to give a better answer: set up Identity Labs and drop your preconceptions. Ask what happens when your environment has been programmed to respond to you. What is that you? What is that programming? What assumptions drive the interrelationships? Will you be able to alter your environment's view of you? How?

    CNET's Top 100 Blogs

    Identity Blog has been selected as one of CNET's top 100 blogs. More info here. And here's how CNET describes what they have tried to do:


    With more than 14 million blogs in existence and another 80,000 being created each day, how is a person supposed to find the ones worth reading?

    That is the question CNET News.com is attempting to answer with our first Blog 100 list. This effort adds to features such as News.com Blogs, Extra, My News, TalkBack, Newsburst, and Blogma, in which News.com editors and reporters are helping find the best news and views on the Web for the convenience of our readers.

    Blogs have become an important source of information, but the signal-to-noise ratio makes it hard to find the gems. In our pursuit, we spent weeks checking out technology-oriented blogs based on the recommendations from our reporters and readers.

    Of course, such a list is bound to generate vigorous agreement and vehement dissent. It's impossible to even get universal agreement on the definition of a blog.

    For our search, we decided to be very liberal. You'll find blogs produced by a single person and others that have grown to include a staff of contributors. Some are associated with major news outlets, while some are published by large companies. The bottom line is that they all are produced by passionate people who have a wealth of information about their corner of the tech world.

    After defining the types of blogs that could be considered for our list, the next question was to determine just what constitutes a “good” blog.

    There are a lot of reasons people find particular blogs worthy of their time. Some are valued solely for their aggregation of pertinent news, while others have formed a devoted following based on the robust and educated comments of their readers. Still others have become popular because of their humor or for the biting tone of their writers’ opinions.

    Feel free to send us feedback on our list, which we intend to regularly update as blogs change in quality. With a blog being created about every second, there are bound to be a few more good ones. And we'll help you find them.

    I hope I can use this opportunity to bring identity issues to the attention of a larger audience.

    Those of us in the identity community are lucky to have committed journalist colleagues like those at CNET who take the time to understand our complex issues – and who are able to explain them to a wide audience.


    A Real Remedy for Phishers

    Bruce Schneier just published this beautiful piece on identity theft in Wired News:

    Last week California became the first state to enact a law specifically addressing phishing. Phishing, for those of you who have been away from the internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info — passwords, mostly. When this is done by hacking DNS, it's called pharming.

    Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers — they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers’ assets. Unfortunately, the California law does nothing to address this.

    The new legislation was enacted because phishing is a new crime. But the law won't help, because phishing is just a tactic. Criminals phish in order to get your passwords, so they can make fraudulent transactions in your name. The real crime is an ancient one: financial fraud.

    These attacks prey on the gullibility of people. This distinguishes them from worms and viruses, which exploit vulnerabilities in computer code. In the past, I've called these attacks examples of “semantic attacks” because they exploit human meaning rather than computer logic. The victims are people who get e-mails and visit websites, and generally believe that these e-mails and websites are legitimate.

    These attacks take advantage of the inherent unverifiability of the internet. Phishing and pharming are easy because authenticating businesses on the internet is hard. While it might be possible for a criminal to build a fake bricks-and-mortar bank in order to scam people out of their signatures and bank details, it's much easier for the same criminal to build a fake website or send a fake e-mail. And while it might be technically possible to build a security infrastructure to verify both websites and e-mail, both the cost and user unfriendliness mean that it'd only be a solution for the geekiest of internet users.

    These attacks also leverage the inherent scalability of computer systems. Scamming someone in person takes work. With e-mail, you can try to scam millions of people per hour. And a one-in-a-million success rate might be good enough for a viable criminal enterprise.

    In general, two internet trends affect all forms of identity theft. The widespread availability of personal information has made it easier for a thief to get his hands on it. At the same time, the rise of electronic authentication and online transactions — you don't have to walk into a bank, or even use a bank card, in order to withdraw money now — has made that personal information much more valuable.

    The problem of phishing cannot be solved solely by focusing on the first trend: the availability of personal information. Criminals are clever people, and if you defend against a particular tactic such as phishing, they'll find another. In the space of just a few years, we've seen phishing attacks get more sophisticated. The newest variant, called “spear phishing,” involves individually targeted and personalized e-mail messages that are even harder to detect. And there are other sorts of electronic fraud that aren't technically phishing.

    The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names. The institutions make a lot of money because it's easy to make a transaction, open an account, get a credit card and so on. For years I've written about how economic considerations affect security problems. They can put security countermeasures in place to prevent fraud, detect it quickly and allow victims to clear themselves. But all of that's expensive. And it's not worth it to them.

    It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims. And in one in four cases, the victims have not been able to completely restore their good name.

    In economics, this is known as an externality: It's an effect of a business decision that is not borne by the person or organization making the decision. Financial institutions have no incentive to reduce those costs of identity theft because they don't bear them.

    Push the responsibility — all of it — for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud — because the companies won't stand for all those losses.

    If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses — they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.

    Bruce is right. Let me put it this way. Sites must move as quickly as they can towards what Toby Stevens calls “Data Rejection“, minimizing retention of individually identifying information. They must ensure that any PII which does need to be retained is encrypted, decipherable only through systems which are quarantined from the Internet and have the proper operational controls.

    The InfoCard system has been devised to allow companies to practice Data Rejection. It uses cryptography to recognize digital relationships so personal identifying information can be made available to an internet site while a transaction is in progress but not be stored there – except, perhaps, in encrypted audit logs.
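One way a site can practise Data Rejection along the lines described above, as an added example that is not InfoCard's code or any vendor's: the internet-facing tier is given only a public key, so the PII it has to file during a transaction is sealed into an envelope that nothing on that tier can open, and the matching private key lives only on the quarantined system. The envelope layout, the field names, the OAEP label and the sample transaction are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// oaepLabel ties the wrapped key to this use; an arbitrary constant chosen
// for the example.
var oaepLabel = []byte("pii-envelope-v1")

// Envelope is the only form in which the internet-facing site retains PII.
// The per-record data key is wrapped to the quarantined system's public key,
// so the site can write envelopes it can never read back.
type Envelope struct {
	TxnID      string `json:"txn_id"`      // non-identifying, kept in the clear for lookup
	WrappedKey []byte `json:"wrapped_key"` // AES-256 key under RSA-OAEP
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`  // AES-256-GCM over the PII
}

// GenerateQuarantinedKey makes the key pair. Only the public half is ever
// installed on the site; the private half stays on the quarantined system.
func GenerateQuarantinedKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs on the web tier while the transaction is in progress. A fresh
// data key is used per envelope and zeroed on return, so the site holds no
// key that could open what it just wrote.
func Seal(pub *rsa.PublicKey, txnID string, pii []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	defer func() {
		for i := range key {
			key[i] = 0
		}
	}()
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The transaction id is authenticated as additional data, so an envelope
	// cannot be quietly re-filed under a different transaction.
	ct := gcm.Seal(nil, nonce, pii, []byte(txnID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{TxnID: txnID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs only on the quarantined system holding the private key.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap data key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.TxnID))
	if err != nil {
		return nil, errors.New("envelope tampered with or filed under the wrong transaction")
	}
	return pt, nil
}

// StoredForm is the record the site actually persists or writes to its audit
// log: JSON of the envelope, containing no plaintext PII.
func StoredForm(env *Envelope) ([]byte, error) {
	return json.Marshal(env)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := GenerateQuarantinedKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample PII for one transaction.
	env, err := Seal(&priv.PublicKey, "txn-0001", []byte(`{"name":"A. Example","dob":"1985-06-15"}`))
	if err != nil {
		panic(err)
	}
	stored, _ := StoredForm(env)
	fmt.Printf("site retains: %s\n", stored)
	pt, err := Open(priv, env)
	fmt.Printf("quarantined system recovers: %s (err=%v)\n", pt, err)
}
```

The point of the split is that a compromise of the site yields envelopes and a public key, nothing that decrypts them; the same envelope can serve as the encrypted audit log entry. What the design does not do is protect PII while it is in memory during the transaction itself, which is where an in-progress presentation, as in the InfoCard model above, still has to be handled with care.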