Age verification roundup

Tateru Nino at Second Life Insider has done a roundup of age verification issues arising from Second Life's experiment in controlling access to adult content. 

There's a lot of talk about age/identity verification going on, so I've done a pile of reading of material and logs (thanks for everyone who has provided links, logs and other information to source from) and condensed them into a not inconsiderable bulleted list, below the fold. Longer than your hand, people. Grab a cup of coffee.

  • Credit cards do not provide proof of age. In some areas and with some card providers you can obtain a credit card compatible card before you can talk.
  • Verification costs. It will be available at a token fee for premium account holders, but the brunt of the verification costs apparently will be borne by basic account holders. Linden Lab is passing along the costs of verification.
  • Mobile phones do not provide proof of age. In the UK, more children under 12 possess a mobile phone than adults over 18. In the USA, almost 50% of children have a mobile phone.
  • Driver's licences are not as widely held as you might think. Particularly the old, infirm or handicapped may not possess them. Areas with highly developed public transport systems, or poorer nations may have low penetration of these credentials.
  • Online verification does not verify the person, only the validity of the documentation that person provides. The person need not provide their own documentation for verification to be successful. Therefore, this system can only realistically be used to shift blame and does not constitute a method of verification or trust.
  • The status of a minor who has provided false verification information can (apparently) no longer be contested. If it says they're of a certain age, would it be harassing behavior to attempt to challenge that?
  • Linden Lab apparently wishes to use a third-party company to keep verification costs down, and to prevent access to or storage of verification information by Linden Lab employees.
  • The age at which you are considered to be permitted to access ‘adult content’ varies from country to country. In most, the age varies between 12 and 25. A very few jurisdictions do not permit it under any circumstances. In most US Jurisdictions the age for the apparent class of adult content Linden Lab intends to grant access to would be 21, not 18.
  • Having taken steps to attempt to verify the age of a user, and then granted them access to adult content, does Linden Lab then become liable if you are still not eligible to be transmitted adult content in your jurisdiction? Does it even matter if the age/identity is accurate or not?
  • The verification provider may not demand or require any information from you. However, they are under no obligation to provide verification for you if you do not willingly provide it.
  • Integrity Services was initially given as the verification provider, however there is good cause to believe that the provider will change before plans go ahead.
  • Merely requesting an SIN identification from a Canadian citizen constitutes a legal offense. This policy may extend to other forms of identifying information in various countries.
  • Linden Lab provides only very vague guidelines for what does and does not constitute ‘adult content’. These are “adult content is that which is overtly, graphically, or explicitly sexual in nature or intensely violent”, which obviously leaves a lot of open questions.
  • The guidelines of most nations are vague on what constitutes adult content. In some cases, certain kinds of political content may fall under this classification. In India, “scenes that are a threat to the integrity to the nation, and those which disturb the friendly peace between nations” are classifiable as adult content.
  • Flagging parcels that contain adult content is mandatory.
  • Adult content flagged parcels must be within Mature sims.
  • It is inevitable that the judgement of an individual based on their own society's and community's standards and norms will unintentionally disagree with the judgement of one or more other residents or Linden Lab staff members. What will happen then? Will Linden Lab exercise editorial control, or assign punishments or penalties?
  • Verification may not be accessible to Linden Lab or verification service employees but must be archived for a period of time that may be changed or extended by law before that period expires. Can it be extended by other means (e.g. company policy)?
  • Archived verification data may be accessed during an audit. Who can initiate an audit of this data, and under what circumstances?
  • Will this archived verification data be subject to the European Union's DPA legislation, as would be required if any EU citizen's data is stored/archived?
  • Do you know what your nation's policy is on providing your passport number to overseas third parties?
  • The Second Life website already requests that users state using a check box that they are over the age of 18. By checking this box, users are making a statement that may be held as truth in a court of law. In short, they can and will be held responsible if this statement is later shown to be untrue. Why is it necessary for Linden Lab to perform an expensive operation like this that appears to only increase their overall legal exposure? What are we missing?

The author concludes:

Whew. What did I miss?

Consciously false technology claims

My lawyer friends all know I am “legally challenged” – so don't take anything I say about legal issues as representing any particular expertise. 

But on the news today I saw a story about a drug manufacturer showing the consequences of making false technical claims like those I objected to here in other walks of life: 

NEW YORK (CNNMoney.com) — The maker of OxyContin, Purdue Pharma LP, agreed Thursday to a $600 million penalty as part of a plea deal with the Justice Department on a felony charge of misleading and defrauding physicians and consumers, the government said.

Three of the company's executives, including its CEO, general counsel and former chief medical officer, have separately agreed to pay $34.5 million in penalties. The company and the three men appeared in federal court Thursday to plead guilty.

The company also agreed to subject itself to independent monitoring and a remedial action program.

“Purdue … acknowledged that it illegally marketed and promoted OxyContin by falsely claiming that OxyContin was less addictive, less subject to abuse and diversion, and less likely to cause withdrawal symptoms than other pain medications – all in an effort to maximize its profits,” said U.S. Attorney John Brownlee.

There should be accountability and penalties for those who consciously mislead people like the Marlin County school board, convincing them there is no risk to privacy by preying on their inability to understand technical issues.  It should be mandatory, when selling technology with potential privacy implications, to explain the threats and mitigations in an objective and public way.

Just lie so you can sell your product

David C pointed me to this document as being typical of how conventional biometrics are being sold to the schools.  It represents the minutes of a meeting of the Marlin County School Board in Stuart, Florida:

Members Present
Lorie Shekailo-Chair
Laurie Gaylord-Vice-Chair
Susan Hershey
Nancy Kline
Dr. Sara A. Wilcox, Superintendent
Doug Griffin, School Board Attorney

Members Absent
Dr. David Anderson

Staff Present
Hank Salzler, Ruth Pietruszewski, Cathleen Brennan, Kerry Lewis, Sean Lewis, Linda King, Ray Parrish, Steve Weil, Rae Hollenbeck, Deana Newson, Rodger Osborne, Teresa D’Albora, Willie Sauls, Jeff Haertjens, Gail Williams, Marilyn Gavitt, Kathy Ritch

Public
None

Press
PBPost – Rachel Simmonsen
Stuart News – No Representation

MCEA – No representation
AFSCME – No representation

Call to order by the Chairman and Pledge of Allegiance to the Flag of the United States.

1. Presentation on Biometric Finger Imaging (COPY ATTACHED)

Rae Hollenbeck, MCSD Director of Food and Nutritional Services, described a new technology called Biometric Finger Imaging that has only been available about six months. She showed a PowerPoint presentation. Finger images are scanned and stored on the computer network, so that children no longer need cards. Rae explained how children forget and lose cards as they run off to school in the morning. This backs up the lunch line and creates managerial time reprinting meal cards. Rae commented that already this school year 4,000 meal cards had been reprinted just at the middle schools. The cards become unsanitary, because the children put them in their mouths. To solve these problems, schools are using biometric scanners in the cafeteria. The student places their index finger on a scanner.

The Perfectmatch software extracts the small marks on their finger tip and creates a template. These marks are transformed into a binary number that is encrypted from the time it is captured to the time it is stored on the database, and the finger image is discarded. The binary number will become the student ID number. Only the numbers are retained and it is impossible to recreate a fingerprint image from this data. This is a closed system, and it is not accessible from the internet. The biometric images cannot be used by law enforcement for identification purposes. Only a mathematical algorithm remains in the system after registration, not finger images. Rae stated that she would like to pilot this program at Murray Middle School in January 2007.

The program would not be mandatory.  Parental choice would be offered if parents wanted to opt out of the program.

The hardware would run somewhere around $200 per line. The total cost of hardware and software would run about $1500.00 per cafeteria. The new technology would improve sanitation of the line, increase the speed of the serving lines, and reduce staff time dealing with missing and lost cards, forgotten ID numbers, and reprinting cards.

2. Open to the Public
No one from the public requested to speak.

Biometric Finger Imaging Workshop Minutes
Tuesday, October 17, 2006 – 6:00 p.m.

3. Open to the Board
Lorie Shekailo suggested withholding “Open to the Board” and doing it at the Regular Board meeting which followed.
Board members agreed.

There being no further business to bring before the Board, the meeting was adjourned at 6:24 p.m.
_______________________________

CHAIR (Lorie Shekailo)
_______________________________

SECRETARY (Sara A. Wilcox, Ph.D)

The sanitation argument is new to me.  Imagine – stressing the sanitation benefits of having every child in a middle school put his germy little finger on the same sensor as every other child…  Seems like a good way to isolate viruses, doesn't it?  A lot better than giving each child a paper card!

The idea of children putting their cards in their mouths sends chills down my spine.  In contrast, they would never stick their fingers in their mouths, and then swipe them on the finger print reader for distribution to all the other kids.  Talk about a shared secret!

But let's brush this aside and move on to the old saw – the lie:

The biometric images cannot be used by law enforcement for identification purposes. Only a mathematical algorithm remains in the system after registration, not finger images.

If you want to find out who owns a fingerprint, just convert the fingerprint to a template and do a search for the template in one of these databases.  Call the template a binary number if you want to.  The point is that all you need to save in the database is the number.  Later, when you come across a “fingerprint of interest”, you just convert it to a number and search for it.  Law enforcement can use this information – and so can criminals.
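
The search described above, as an added example (not code from the original post and not the Perfectmatch product): a toy template that quantises minutiae positions onto a grid to get a 64-bit number, then a 1:N lookup against a store that holds only those numbers. The grid scheme, the student IDs and all coordinates are constructed assumptions.

```python
GRID = 8    # 8 x 8 cells -> one bit per cell, a 64-bit template
CELL = 16   # pixels per cell for a constructed 128 x 128 scan


def to_template(minutiae):
    """Reduce (x, y) minutiae to a single integer; the image itself is not kept."""
    bits = 0
    for x, y in minutiae:
        col, row = x // CELL, y // CELL
        bits |= 1 << (row * GRID + col)
    return bits


def similarity(a, b):
    """Jaccard similarity of the bits set in two templates (0.0 to 1.0)."""
    union = bin(a | b).count("1")
    return bin(a & b).count("1") / union if union else 0.0


def identify(db, probe, threshold=0.6):
    """1:N search: return (best matching id or None, best score)."""
    best_id, best = None, 0.0
    for record_id, template in db.items():
        score = similarity(template, probe)
        if score > best:
            best_id, best = record_id, score
    return (best_id, best) if best >= threshold else (None, best)


# Constructed enrolment scans. Only the resulting numbers go into the database.
ENROLMENT = {
    "S-1001": [(10, 10), (40, 20), (70, 30), (100, 12),
               (20, 60), (55, 70), (90, 90), (110, 110)],
    "S-1002": [(24, 8), (56, 40), (88, 24), (120, 56),
               (8, 88), (40, 104), (72, 120), (104, 72)],
    "S-1003": [(8, 40), (40, 56), (72, 8), (104, 40),
               (24, 104), (56, 88), (88, 72), (120, 120)],
}
DB = {sid: to_template(points) for sid, points in ENROLMENT.items()}

# Constructed "fingerprint of interest": the S-1002 finger captured again
# elsewhere, with a few pixels of jitter, one minutia missed and one spurious.
PROBE = [(26, 6), (54, 42), (90, 22), (118, 58),
         (10, 86), (38, 106), (106, 70), (10, 10)]

# Constructed scan of a finger that was never enrolled.
UNKNOWN = [(120, 8), (8, 120), (56, 56), (72, 72), (24, 40), (104, 24)]


def demo():
    return identify(DB, to_template(PROBE)), identify(DB, to_template(UNKNOWN))


if __name__ == "__main__":
    for sid, template in DB.items():
        print(f"{sid}: stored number {template:#018x}")
    (hit, score), (miss, _) = demo()
    print(f"probe matches {hit} with similarity {score:.3f}")
    print(f"unenrolled finger matches {miss}")
```

The database never holds an image, yet a fresh capture of the same finger resolves to a student ID, so the stored number needs the same protection as the print itself.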

It drives me nuts that people can just open their mouths and say anything they want about biometrics and other technical matters without any regard for the facts.  There should really be fines for this type of thing – rather like we have for people who pretend they're a brain surgeon and then cut people's heads open.

LeaveThemKidsAlone has an annotated commentary here.

And if you haven't seen it yet, don't miss this little movie clip.  It will boggle your mind.

Age and identity verification in Second Life

Via Dennis Hamilton, a pointer to a new experiment at Second Life:

We will shortly begin beta testing an age and identity verification system, which will allow Residents to provide a one-time proof of identity (such as a driver’s license, passport or ID card) and have that identity verified in a matter of moments.

Second Life has always been restricted to those over 18. All Residents personally assert their age on registration. When we receive reports of underage Residents in Second Life, we close their account until they provide us with proof of age. This system works well, but as the community grows and the attractions of Second Life become more widely known, we’ve decided to add an additional layer of protection.

Once the age verification system is in place, only those Residents with verified age will be able to access adult content in Mature areas. Any Resident wishing to access adult content will have to prove they are over 18 in real life. We have created Teen Second Life for minors under the age of 18. Access to TSL by adults is prohibited, with minors not allowed into the rest of Second Life.

For their part, land owners will be required to flag their land as ‘adult’ if it contains adult content using the estate and land management tools provided to landowners. This flag will protect landowners from displaying inappropriate content to underage users who may have entered Second Life. Landowners are morally and legally responsible for the content displayed and the behavior taking place on their land. The identity verification system gives them new tools to ensure any adult content is only available to adults over 18 because unverified avatars will not have access to land flagged as containing adult content.

We hope you’ll agree that the small inconvenience of doing this once is far outweighed by the benefits of protecting minors from inappropriate content. Further, this system will assist landowners in engaging in lawful businesses.

The verification system will be run by a third party specializing in age and identity authentication. No personally identifying information will be stored by them or by Linden Lab, including date of birth, unless the Resident chooses to do so. Those who wish to be verified, but remain anonymous, are free to do so.

(Continues here…)

The idea of presenting a passport to get into an imaginary adult establishment strikes me as nutso.  I must be missing a gene.  It is certainly a conundrum, this virtual world. 

I think that rather than adopting this one-off inspector approach, outfits like Second Life and all the other big web sites should get together to accept registration claims from whatever identity providers would fully guarantee both accuracy and the anonymity of their users.  Information Cards combined with the anonymous credential technology developed by people like Stefan Brands would provide the ideal solution.

Privacy International global privacy invaders

Privacy International ran the first International Big Brothers Awards ceremony this week, focussing attention on what it called the most invasive companies, projects, officials, and governments at the ‘Computers, Freedom and Privacy’ conference in Montreal. A ‘special award’ for the ‘Lifetime Menace’ was also announced.  The detailed announcement is here:

PI's ‘Big Brother Awards’ have been running for nearly ten years, with events run in eighteen countries around the world. Government institutions and companies have been named and shamed as privacy invaders in a variety of countries and contexts.

This year was the first time that Privacy International ran an international event to identify the greatest invaders around the world. The event was hosted by ‘the pope’, as presented by Simon Davies in full regalia. Previous hosts include ‘Dr. Evil’ and ‘The Queen of England’.

Nominees and Winners

After reviewing the variety of nominations received from around the world, Privacy International and leading international privacy experts selected the following nominees and winners in the following categories:

Most invasive company

Nominees

  • Google, for their retention practices and their purchase of Doubleclick, an on-line marketing and profiling firm
  • Choicepoint, for their vast databases of personal data, sold to nearly anyone who wishes to pay
  • SWIFT, the international banking co-operative for sharing personal financial transactions with the U.S. government
  • Booz Allen Hamilton, the international consultancy, for taking the knowledge and contacts of their senior executives, mostly from U.S. intelligence agencies, to sell and share their experiences with firms and governments around the world

Winner: Choicepoint

Worst Public Official

Nominees

  • Tony Blair, Prime Minister of Britain, for his relentless work over ten years to expand the UK into the greatest surveillance society amongst democratic nations
  • Vladimir Putin, President of the Russian Federation, for returning the surveillance policies of his nation to the age of the Cold War
  • Stewart Baker, former general counsel for the National Security Agency and now undersecretary for policy at the Department of Homeland Security, behind and at the forefront of most disastrous U.S. surveillance policies, most recently the EU-U.S. agreement on Passenger Name Records transfers
  • Alberto Gonzales, current Attorney General for the U.S., for pushing expansive interpretations of the U.S. Constitution in order to create new powers for the Bush Administration without Congressional authorisation and judicial oversight

Winner: Stewart Baker

Most Heinous Government

Nominees

  • China, for implementing even greater surveillance policies and continues its oppression of various groups, and moves towards the international stage with the Beijing Olympics with additional surveillance schemes
  • The U.S., for leading the world down the path of greater surveillance and its disastrous influence on policy and technology
  • The United Kingdom, for being the greatest surveillance society amongst democratic nations, rivaling only Malaysia, China and Russia as it also leads other countries across the EU down its same path
  • Tunisia, for being stupid enough to have invasive and despotic practices even while hosting a UN summit on the information society, and then oppressing guests and groups from around the world while in the public eye
  • The European Union, for pretending to be founded upon a bedrock of civil liberties and fundamental rights but then spending decades establishing invasive policies without any democratic oversight

Winner: The United Kingdom (for more information please see Taking Liberties documentary (off-site))

Most Appalling Project or Technology

Nominees

  • U.S. Border Policy, and most recently the Western Hemisphere Travel Initiative, for fingerprinting visitors from around the world while hoisting fingerprinting and ID card programmes upon citizens around the world, including Americans
  • International Civil Aviation Organization, a UN agency, for implementing a variety of invasive policies behind closed doors, including the ‘biometric passport’ and passenger data transfer-deals
  • India's Ministry for Personnel, Public Grievances and Pensions for requiring government employees to disclose their menstrual cycles on job appraisal forms
  • the CCTV industry, for promoting a technologically ‘effective’ policy around the world despite all the evidence to the contrary

Winner: The International Civil Aviation Organization

Lifetime Menace Award

Nominees

  • The Biometrics Industry, for selling a limited technology to governments and public institutions around the world, promising much while delivering very little except for minimisation of personal privacy
  • The Military Industrial Complex, for being behind almost every invasive surveillance policy around the world, where we showed the example of General Dynamics, contractor to a variety of governments, who own companies such as Anteon (UK) who in turn own ‘Vericool’ (UK) who is responsible for selling surveillance technologies to schools that want to fingerprint their students to verify class registries, library privileges, and cafeteria purchases
  • The Intellectual Property Industry, for promoting and pushing invasive policies around the world in order to keep track of the habits of on-line users to pursue their agenda of ‘protecting’ content
  • Communitarianism and the proponents of the ‘Common Good’, because every bad policy around the world is justified based on the philosophy that is good for society and the individual must sacrifice his or her selfish rights in favour of the needs of the many

Winner: The ‘Common Good’

Privacy International said winners were given the classic BBA award (shown above), a golden statue of a boot stamping upon a human head, as promised by George Orwell in 1984 on a vision for the future.

I wonder who accepted on behalf of the “Common Good”?

Identity systems all about making claims

Network World's excellent John Fontana has written about an opening keynote I gave recently at the Directory Experts’ Conference (DEC).   I was talking about claims, trying to start a conversation that I will pursue on my blog over the next while.

Las Vegas — The traditional concepts of authentication and authorization will eventually give way to an inclusive identity system where users will present claims that answer who they are or what they can do in order to access systems and content or complete transactions, according to Microsoft’s identity architect.

“This is happening now and all it needs to do is gain momentum,” said Kim Cameron, Microsoft’s identity architect, who gave the keynote address Monday to open NetPro’s Directory Experts Conference. He said the transformation to a claims-based identity model is 18-24 months away.

Cameron said the flexible claims architecture, which is based on standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML) will replace today’s more rigid systems that are based on a single point of truth, typically a directory of user information.

“You need extroverted systems, not introverted,” said Cameron, who over the past few years has aligned Microsoft, its competitors and open source advocates around user-centric identity models.

He said identity systems that are rigid and cannot connect to other systems will become irrelevant and a competitive disadvantage.

“You may come with a claim that you are authorized to do something and it may not have any authentication [information] at all,” he said. “This tremendously important factor means we can have a consistent technology that goes between authentication and authorization. We don’t need all these different technologies and have all this new stuff to learn. It can all be done using the claims-based model.”

Cameron said this thinking is very different from a few years ago when authentication and authorization were thought of as entirely separate technologies that should never be confused.

He said the beauty of the claims model is that it can grow out of the infrastructure users have today, including PKI, directory services and provisioning systems.

The claims model, he said, is more flexible and based on components that can be snapped together like Lego blocks. Cameron called them Legonic Systems, which, he said, are agile and self-organizing much like service-oriented architectures.   (Continued here…)

Weaknesses of Strong Authentication?

Here is a piece by Robert Richardson from the CSI Blog.  He discusses what one of his colleagues calls “some of the weaknesses or downright drawbacks of strong authentication methods”:

There's this author named Kathy Sierra who's currently at the center of one of those firestorms that break out on the Web now and again. Some threatening material regarding her was posted on the Web, she blames some fairly prominent bloggers of being involved in one way or another, and the rest seems to be finger pointing and confusion.

One detail of the saga worth considering is that one of the implicated bloggers claims that actions were taken by someone using his identity and access to his passworded accounts (this is quoted from Kim Cameron's Blog):

I am writing this from a new computer, using an email address that will be deleted at the end of this. I am no longer me. My main machine despite my best efforts has been hacked, my accounts compromised including my email, and has been disconnected from the internet.

How did this happen? When did this happen?

This is, to be sure, something of a doomsday scenario for an individual user–the complete breach of one's identity across all the systems one uses and cares about (I'm assuming that the person in question, Allen Harrell, is telling the truth about being hacked).

Kim Cameron writes this on his blog:

Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets. This won’t extinguish either flaming or trolling, but it can sure make breaking in to someone’s site unbelievably harder – assuming we get to the point where our blogging software is safe too.

But I'm not convinced of this for a couple of reasons. First, Information Cards may or may not make breaking into someone's site unbelievably harder. Hackers sidestep the authentication process (strong or otherwise) all the time. Second, the perception of super-duper strong identity management may make it harder to prove that one's identity was in fact hacked.

InfoCard credentials are only more reliable if the system where they are being used is highly secure. If I'm using a given highly trusted credential from my system, but my system has been compromised, then the situation just looks worse for me when people start accusing me of misdeeds that were carried out in my name.

Many discussions about better credentialing begin from an underlying presumption that there will be a more secure operating system providing protection to the credentials and the subsystem that manages them. But at present, no one can point to that operating system. It certainly isn't Vista, however much improved its security may be.

Designing for Breach

I agree with Robert that credentials are only part of the story.  That's why I said, “assuming we get to the point where our blogging software is safe too.” 

Maybe that sounds simplistic.  What did I mean by “safe”? 

I'll start by saying I don't believe the idea of an unbreachable system is a useful operational concept.  If we were to produce such a system, we wouldn't know it.  The mere fact that a system hasn't been breached, or that we don't know how it could be, doesn't mean that a breach is not possible.  The only systems we can build are those that “might” be breached.

The way to design securely is to assume your system WILL be breached and create a design that mitigates potential damage.  There is nothing new in this – it is just risk management applied to security.

As a consequence, each component of the system must be isolated – to the extent possible –  in an attempt to prevent contagion from compromised pieces.

Security Binarism versus Probabilities

I know Robert will agree with me that one of the things we have to avoid at all costs is “security binarism”.  In this view, either something is secure or it isn't secure.  If its adherents can find any potential vulnerability in something, they conclude the whole thing is vulnerable, so we might as well give up trying to protect it.  Of course this isn't the way reality works – or the way anything real can be secured.

Let's use the analogy of physical security.  I'll conjure up our old friend, the problem of protecting a castle. 

You want a good outer wall – the higher and thicker the better.  Then you want a deep moat – full of alligators and poisonous snakes.  Why?  If someone gets over the wall, you want them to have to cross the moat.  If they don't drown in the moat, you want them to be eaten or bitten (those were the days!)  And after the moat, you would have another wall, with places to launch boiling oil, shoot arrows, and all the rest.  I could go on, but will spare you the obviousness of the exercise.

The point is, someone can breach the moat, but will then hit the next barrier.  It doesn't take a deep grasp of statistics to see that if there is a probability of breach associated with each of these components, the probability of breaking through to the castle keep is the product of all the probabilities.  So if you have five barriers, then even if each has a very high probability of breach (say 10%), the overall probability of breaking through all the barriers is just .001%.  This is what lies behind the extreme power of combining numerous defences – especially if breaking through each defence requires completely unrelated skills and resources.

But despite the best castle design, we all know that the conquering hero can still dress up as a priest and walk in through the drawbridge without being detected (I saw the movie).  In other words, there is a social engineering attack.
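
The product rule above and the disguise route that follows it, worked as an added example (not from the original post): an exact calculation over every breached/intact combination, which also handles routes that share barriers. The barrier names, the tunnel route and the 2% disguise figure are constructed assumptions, and barriers are assumed to fail independently.

```python
from itertools import product


def breach_probability(p_breach, paths):
    """Exact chance that at least one route has every one of its barriers breached.

    p_breach: {barrier name: independent probability that it is breached}
    paths:    routes to the keep, each a list of barrier names
    """
    names = sorted({b for path in paths for b in path})
    total = 0.0
    # Enumerate every breached/intact combination so that a barrier shared
    # by two routes is counted once instead of being multiplied in twice.
    for state in product((False, True), repeat=len(names)):
        breached = dict(zip(names, state))
        weight = 1.0
        for name in names:
            weight *= p_breach[name] if breached[name] else 1.0 - p_breach[name]
        if any(all(breached[b] for b in path) for path in paths):
            total += weight
    return total


# Constructed figures: the post's five barriers at 10% each, plus assumed extras.
P = {
    "outer_wall": 0.10, "moat": 0.10, "beasts": 0.10,
    "inner_wall": 0.10, "defenders": 0.10,
    "tunnel": 0.10,      # assumed route under the outer defences
    "disguise": 0.02,    # assumed chance the gate guard is fooled
}

FRONT = ["outer_wall", "moat", "beasts", "inner_wall", "defenders"]
TUNNEL = ["tunnel", "inner_wall", "defenders"]  # skips three layers, shares two
DISGUISE = ["disguise"]                         # the priest at the drawbridge


def report():
    return {
        "front only": breach_probability(P, [FRONT]),
        "front + tunnel": breach_probability(P, [FRONT, TUNNEL]),
        "front + disguise": breach_probability(P, [FRONT, DISGUISE]),
    }


if __name__ == "__main__":
    for label, p in report().items():
        print(f"{label:18s} {p:.5%}")
```

The five-layer route stays at 0.001%, but the overall figure is set by the shortest route: a single 2% check puts the total just above 2%.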

So, CardSpace may be nothing more than a really excellent moat.  There may be other ways into the castle.  But having a really great moat is in itself a significant advance in terms of “defence in depth”. 

Beyond that, Information Cards begin to frame many questions better than they have been framed in the past – questions like, “Why am I retaining data that creates potential liability?”

In terms of Robert's fear that strong authentication will lead to hallucinations of non-repudiation, I agree that this is a huge potential problem.   We need to start thinking about it and planning for it now.  CSI can play an important role in educating professionals, government and citizens about these issues. 

I recently expanded on these ideas here.

Personal data on 2.9 million people goes missing

Joris Evers at CNet has done a nice wrap-up on the latest identity catastrophe.  (Plumes of smoke were seen coming from the reactor, but so far, there has been no proof of radioactive particles leaking into the environment): 

A CD containing personal information on Georgia residents has gone missing, according to the Georgia Department of Community The CD was lost by Affiliated Computer Services, a Dallas company handling claims for the health care programs, the statement said. The disc holds information on 2.9 million Georgia residents, said Lisa Marie Shekell, a Department of Community Health representative.

It is unclear if the data on the disc, which was lost in transit some time after March 22, was protected. However, it doesn't appear the data has been used fraudulently. “At this time, we do not have any indication that the information on the disk has been misused,” Shekell said.

In response to the loss, the Georgia Department of Community Health has asked ACS to notify all affected members in writing and supply them with information on credit watch monitoring as well as tips on how to obtain a free credit report, it said.  [Funny – I get junk mail with this offer every few days – Kim] 

There has been a string of data breaches in recent years, many of which were reported publicly because of new disclosure laws. About 40,000 Chicago Public Schools employees are at risk of identity fraud after two laptops containing their personal information were stolen Friday.

Last week, the University of California at San Francisco said a possible computer security breach may have exposed records of 46,000 campus and medical center faculty, staff and students.

Since early 2005, more than 150 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.

Identity fraud continues to top the complaints reported to the Federal Trade Commission. Such complaints, which include credit card fraud, bank fraud, as well as phone and utilities fraud, accounted for 36 percent of the total 674,354 complaints submitted to the FTC and its external data contributors in 2006.

Beijing's new Internet identity system

According to the Financial Times, the Chinese government has clear digital identity ideas of its own. 

It's a simple solution, really.  Just make sure the government knows who everyone is and what they are doing all the time while they use the internet.  This applies as much to your identity as an “elf” as to your identity as a professional. 

Under a “real name verification system” to crack down on internet usage – and prevent internet addiction among the young – Chinese police are to check the identity card numbers of all would-be players of internet games.

While it is unclear how rigorously the system will be enforced, Monday’s move highlights Beijing’s desire to more closely regulate the internet and reduce the potential for anonymity…

The same crackdown will help ensure Chinese bloggers aren't inconvenienced with the kinds of vexing issues we've faced here with the Sierra affair.

Chinese leaders recently announced a broad push to “purify” the internet of socially and politically suspect activity, and have been keen to push users to use their true identities online. Beijing is also looking at ways of implementing a “real name” system for bloggers to curb “irresponsible” commentary and intellectual property abuse.

It might sound a bit draconian to our ears, but Hu Qiheng of the China Internet Association said bloggers’ real names would be kept private “as long as they do no harm to the public interest”.  That's clearly benevolent, isn't it?  We all know what the public interest is.

According to FT: 

China’s 18-digit ID numbers are mainly based on place of birth, age and gender and are unique to each citizen, but widely available software can generate fake but plausible numbers.

Under the new system, Chinese police would check each number, a government official, Kou Xiaowei, said on Monday.

Players whose IDs showed they were under 18, or who submitted incorrect numbers, would be forced to play versions of online games featuring an anti-addiction system that encourages them to spend less time online, he said.

Minors who stayed online for more than three hours a day would have half of their game credits cancelled; those who played for more than five hours a day would have all of their credits taken away.

As far as I know, the proposal that age verification be used to combat addiction is entirely original (patented?). The analysis of how this proposal stacks up against the Laws of Identity is left as an exercise for the reader.
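An added example, not from this post or the FT article: a Python format check for the 18-digit number, assuming the publicly documented GB 11643-1999 layout (6-digit region, 8-digit birth date, 3-digit sequence whose last digit encodes gender, ISO 7064 MOD 11-2 check character). The function names, reference date and sample numbers are constructed for illustration.

```python
import re
from datetime import date

# Layout assumed from the public GB 11643-1999 standard, not from the page.
WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
CHECK_CHARS = "10X98765432"  # indexed by the weighted sum mod 11


def parse_id(number, today):
    """Return the fields encoded in the number; raise ValueError if malformed.

    Success means the string is well formed, not that it belongs to the sender.
    """
    number = number.strip().upper()
    if not re.fullmatch(r"\d{17}[\dX]", number):
        raise ValueError("expected 17 digits plus a check character")
    total = sum(int(d) * w for d, w in zip(number[:17], WEIGHTS))
    if CHECK_CHARS[total % 11] != number[17]:
        raise ValueError("check character mismatch")
    try:
        born = date(int(number[6:10]), int(number[10:12]), int(number[12:14]))
    except ValueError:
        raise ValueError("birth date is not a calendar date") from None
    if born > today:
        raise ValueError("birth date is in the future")
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    return {
        "region": number[:6],
        "born": born,
        "age": today.year - born.year - (0 if had_birthday else 1),
        "gender": "male" if int(number[16]) % 2 else "female",
    }


def gate(number, today):
    """Rule quoted above: under-18 or incorrect numbers get the restricted game."""
    try:
        fields = parse_id(number, today)
    except ValueError:
        return "restricted"
    return "restricted" if fields["age"] < 18 else "unrestricted"


# Constructed sample values, not real people's numbers.
REFERENCE_DAY = date(2007, 4, 10)     # fixed so the results are reproducible
SAMPLE_MINOR = "110105199506150019"   # encodes a 1995 birth date
SAMPLE_ADULT = "11010519700101002X"   # encodes a 1970 birth date

if __name__ == "__main__":
    for sample in (SAMPLE_MINOR, SAMPLE_ADULT, "110105197001010021"):
        print(sample, gate(sample, REFERENCE_DAY))
```

The result depends only on the submitted string, so a check like this establishes that a number is well formed and what it encodes, never who is presenting it.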

More here…

Digital identity allows us to manage risk – not prove negatives

Jon's piece channeled below, Steven O'Grady's comments at RedMonk and Tim O’Reilly’s Blogger's Code of Conduct all say important things about the horrifying Kathy Sierra situation. I agree with everyone that reputation is important, just as it is in the physical world. But I have a fair bit of trouble with some of the technical thinking involved.

I agree we should be responsible for everything that appears on our sites over which we have control.    And I agree that we should take all reasonable steps to ensure we control our systems as effectively as we can.  But I think it is important for everyone to understand that our starting point must be that every system can be breached.  Without such a point of departure, we will see further proliferation of Pollyannish systems that, as likely as not, end in regret.

Once you understand the possibility of breach, you can calculate the associated risks, and build the technology that has the greatest chance of being safe.  You can't do this if you don't understand the risks.  In this sense, all you can do is manage your risk.

When I first set up my blog to accept Information Cards, it prompted a number of people to try their hand at breaking in.  They were unable to compromise the InfoCard system, but guess what?  There was a security flaw in WordPress 2.0.1 that was exploited to post something in my name.

By what logic was I responsible for it?  Because I chose to use WordPress – along with the other 900,000 people who had downloaded it and were thus open to this vulnerability?

I guess, by this logic, I would also be responsible for any issues related to problems in the Linux kernel operating underneath my blog, and for potential bugs in MySQL and PHP.  Not to mention any improper behavior by those working at my hosting company or ISP.

I'm feeling much better now.

So let's move on to the question of non-repudiation.  There is no such thing as a provably correct system of any significant size.  So there is no such thing as non-repudiation in an end-to-end sense.  The fact that this term emerged from the world of PKI is yet another example of its failure to grasp various aspects of reality.

There is no way to prove that a key has not been compromised – even if a fingerprint or other biometric is part of the equation.  The sensors can be compromised, and the biometrics are publicly available information, not secrets.

I'm mystified by people who think cryptography can work “in reverse”.  It can't.  You can prove that someone has a key.  You cannot prove that someone doesn't have a key.  People who don't accept this belong in the ranks of those who believe in perpetual motion machines.

To understand security, we have to leave the nice comfortable world of certainties and embrace uncertainty.  We have to think in terms of probability and risk.  We need structured ways to assess risk.  And we then have to ask ourselves how to reduce risk. 

Even though I can't prove no one has stolen my key, I can protect things a lot more effectively by using a key than by using no key!

Then, I can use a key that is hard to steal, not easy to steal.  I can put the lock in the hands of trustworthy people.   I can choose NOT to store valuable things that I don't need. 

And so, degree by degree, I can reduce my risk, and that of people around me.