I’ve sometimes been of two minds about OpenID. I’ve always seen it as alluring because of its simplicity and openness. It seemed perfect for simple web applications.
But in my darker moments, I worried about some of the system’s usability and security issues. In particular, I was concerned about how easy it would be for an “evil site” to trick users: an OpenID login begins with the relying party redirecting the browser to whatever provider URL it chooses, so a malicious site can send users to a page that looks identical to their OpenID provider, convince them to log in, and steal their credentials. If this were to happen, everything that is good about OpenID would turn into something negative.
OpenID has become a key part of the Identity Metasystem
I think many of us involved with the OpenID community came to the same conclusions, but felt that if we kept trying to move adoption forward, we’d be able to figure out how to solve the problems. In the last year, OpenID has without doubt become the most widely adopted system for reusable internet identity. Adoption by destination sites continues to grow dramatically: approximately 50,000 sites as of July 1, 2009. The big Internet properties like Google, Yahoo, AOL, MySpace, and Windows Live have become (or are becoming) OpenID Providers. As a result, the vast majority of the online US population has an account that can be used to log in at the growing number of destination sites.
Maybe even more important, some of these sites are of the kind that can quickly change perception and behavior.
Most notable is Facebook, which took a huge step forward when it started accepting OpenIDs for login - blowing away the old saw that “no one wants to be a relying party”.
Now, the US Government has decided to adopt OpenID as one of the identity protocols for citizen interaction - again, as Relying Party, not Identity Provider.
Sea Change
There is a sea-change here. I strongly believe the right thing to do is get behind OpenID as part of the Identity Metasystem, help promote adoption, and work with the community to make it safer and easier to use. What is encouraging is that the community has repeatedly shown its ability to evolve as it deploys, and has been able to rapidly extend the standard from the inside. It has now become widely recognized in the industry that active client software (also called an “Identity Selector”) for OpenID could solve most of its problems, given some minor revisions or additions to the protocol. By remembering the identities you use, this kind of software can address two sets of issues:
- Usability: Lets you bring your identities with you to the site, rather than the site having to guess what identities you have
- Security: Protects you from being sent to a malicious site impersonating a real site that would steal your password
New prototype at IIW
Yesterday at the OpenID Summit hosted by Yahoo, Microsoft’s Mike Jones and Ariel Gordon showed some of the work their team has been doing to help figure out how this kind of capability could work. What’s cool is that the client they were showing is completely optional - without it, OpenID continues to work as it currently does. But with it, experience improves and the dangers are greatly reduced. I agree with them that demand for a better and safer OpenID user experience will drive selector adoption, which will in turn enable scenarios at higher levels of assurance than are possible with OpenID today.
Ariel Gordon, the main UX designer, told me, “I see it as a starting point for joint work with others in the community - definitely not a finished solution or product.”
It is consistent with the Information Card metaphor:
- Your OpenIDs are shown as visual cards
- You select an OpenID by clicking
- The OpenID last used at the site is the default selection
New OpenIDs can be added on the fly, by picking one from a list suggested by the site, or by typing the provider’s URL.
Mike made a good point about what this means for people who use smaller OpenID providers: “The cool thing is that it remembers the OpenIDs you’ve used and where you used them […] With a web-based Nascar user interface, Arizona State University users will never get the same user experience that Google.com users get […]”
Good Tweets
Unfortunately I couldn’t attend the meeting in person but remained wired to the tweets. Summit host Allen Tom from Yahoo said, “Showing already used OpenIDs is a great protection against phishing: if a rogue RP tries to send the user to ‘fake yahoo.com’, a regular Yahoo user will click on his Yahoo button in the selector and won’t even see the fake yahoo link.”
He added, “The prototype selector goes in the right direction by offering a better experience when present, while not preventing users to access their favorite sites from any computer.”
Google’s Eric Sachs saw value too. “…And a fake yahoo tile would say “never used here” so that’s even more information to help protect the user.”
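To make the selector’s anti-phishing logic concrete, here is an added Python sketch of my own (it is not the Microsoft prototype’s code): a client-side history of which card was used at which relying party, a tile ordering that puts the card last used at this site first, and a check run on the OP endpoint an RP asks the browser to visit, which produces exactly the “used here before” / “never used here” labels the tweets describe. The provider names, the `.example` endpoints, and the naive two-label domain comparison are assumptions for the demo.

```python
from urllib.parse import urlsplit


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Enough for the .example providers in this demo;
    a real selector would consult the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class OpenIDSelector:
    """Model of the history a client-side selector keeps: the OPs the user holds cards for,
    and which card was used at which relying party (RP) origin. Illustration only."""

    def __init__(self, cards):
        self.cards = dict(cards)   # card name -> OP endpoint URL (assumed .example endpoints)
        self.used_at = {}          # RP origin -> set of card names used there

    def record_login(self, rp_origin, card):
        self.used_at.setdefault(rp_origin, set()).add(card)

    def tiles(self, rp_origin):
        """Card order for display: cards already used at this RP first, then the rest."""
        used = self.used_at.get(rp_origin, set())
        return sorted(self.cards, key=lambda c: (c not in used, c))

    def _card_for_host(self, host):
        want = registrable_domain(host)
        for name, endpoint in self.cards.items():
            if registrable_domain(urlsplit(endpoint).hostname) == want:
                return name
        return None

    def classify_redirect(self, rp_origin, op_endpoint_url):
        """Verdict on an OP endpoint the RP asks the browser to visit.
        Returns (verdict, label) with verdict in ok / warn / phish / unknown / block."""
        parts = urlsplit(op_endpoint_url)
        host = parts.hostname or ""
        if parts.scheme != "https" or not host:
            return "block", "OP endpoint is not an https URL"
        card = self._card_for_host(host)
        if card is not None:
            if card in self.used_at.get(rp_origin, set()):
                return "ok", f"{card} (used here before)"
            return "warn", f"{card} (never used here)"
        # No card matches, but the host name borrows a known provider's brand label:
        # the classic 'fake yahoo.com' redirect from a rogue RP.
        labels = host.lower().split(".")
        for name, endpoint in self.cards.items():
            brand = registrable_domain(urlsplit(endpoint).hostname).split(".")[0]
            if brand in labels:
                return "phish", f"looks like {name} but is {registrable_domain(host)}: never used here"
        return "unknown", f"{registrable_domain(host)} (never used anywhere)"


if __name__ == "__main__":
    sel = OpenIDSelector({"Yahoo": "https://login.yahoo.example/openid",
                          "Google": "https://accounts.google.example/openid"})
    sel.record_login("https://social.example", "Yahoo")
    print(sel.tiles("https://social.example"))
    for url in ("https://login.yahoo.example/openid",
                "https://login.yahoo.example.evil-rp.example/openid",
                "http://login.yahoo.example/openid"):
        print(sel.classify_redirect("https://social.example", url))
```

The point of the design is that the decision is made from the user’s own history rather than from anything the RP sends: a rogue RP can choose any redirect target it likes, but it cannot make that target appear as a card the user has already used here.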
Bringing our perceptions together from different organizations with different missions and vantage points is what can make all of this succeed. The partnering is the key.
So one of the best things about the prototype, in my view, is that it has already demonstrated collaboration between a whole set of really experienced community members:
- Relying Parties: JanRain, Plaxo, Deutsche Telekom
- OpenID Providers: Yahoo, Google, JanRain
- Identity Selectors: Microsoft, Deutsche Telekom
- Enhancing Specifications: Microsoft, Facebook, Yahoo.
Today, the same prototype was presented to the influential Internet Identity Workshop. I’ll add to my growing list of IOUs a promise to do a screen capture of how the prototype works so everyone can take a look.
John Fontana writes about the SAML interoperability test in ComputerWorld, turning quite a bit of his attention to Microsoft:
“Microsoft completed its first SAML interoperability test and the results are in: Active Directory Federation Services 2.0 software received a passing grade.
“Microsoft’s federated identity platform passed its first SAML 2.0 interoperability test with favorable marks, signaling the end to the vendor’s standoff against the protocol.
“The eight-week, multivendor interoperability workout conducted by the Liberty Alliance and the Kantara Initiative also resulted in passing marks for two other first-time entrants – SAP and Siemens. Return testers Entrust, IBM, Novell and Ping Identity also passed. Results were announced Wednesday.
“The Liberty Interoperable testing was a great opportunity to verify that Active Directory Federation Services (AD FS) 2.0 is interoperable with others’ SAML 2.0 implementations. This should give our customers confidence that their federation deployments using ADFS will ‘just work,’” says Conrad Bayer, product unit manager for federated identity at Microsoft.
“In the past, Microsoft has been dismissive of the Security Assertion Markup Language (SAML), a standard protocol for exchanging authentication and authorization data between and among security checkpoints, preferring the WS-Federation and other protocols it helped develop. The company previously supported the SAML token, but never the transport profiles of the protocol…
As much as I love John, I don’t think “dismissive” really describes our attitude - at least I hope it doesn’t. It is true that our initial thinking was that the world would be a “tidier place” if people used one single protocol that worked both for “Active Clients” (e.g. applications that run on your PC or phone) and “Passive Clients” (web pages served up in a browser). We saw WS-Federation as a way to achieve that technical symmetry. But I and others have also said for several years that we saw much of what people were doing with SAML as being innovative and positive. And we have made it very clear that an Identity Metasystem means “no silos”.
Today you can see the results of this thinking in our new product. ADFS V2 does everything it can to conform with the Identity Metasystem idea. That means supporting SAML as well as the other Federation and Claims Transformation protocols (e.g. WS-Trust and WS-Federation). I think the synergy will be great for our customers and the industry.
John goes on to say:
“Full matrix” testing means all participants must test against each other. The test was conducted over the Internet from points around the globe using real-world scenarios between service providers and identity providers as defined by the SAML 2.0 specification.
Microsoft participated in the testing with Active Directory Federation Services 2.0 (formerly code-named Geneva), which is slated to ship later this year. ADFS 2.0 is part of a larger identity platform that includes Windows Identity Foundation and Windows Cardspace.
Microsoft said earlier this year it would have SAML 2.0 certification before it released Geneva. The SAML profiles ADFS 2.0 supports cover the core features of federation.
ADFS 2.0 provides identity information and serves as a Security Token Service (STS), a transformation engine that is key to Microsoft’s identity architecture. ADFS lets companies extend Active Directory to create single sign-on between local network resources and cloud services.
[Read more here]
The success of the Identity Metasystem depends heavily on having products available from multiple vendors that are proven to interoperate and ready to deploy. Kantara Initiative and Liberty Alliance have contributed significantly to this by helping test products against specific profiles. Kudos to everyone involved with the definition, organization and testing of the eGovernment SAML 2.0 profile v1.5. This represents a real step forward given the diversity of products involved.
SAN FRANCISCO, Sept. 30 – Kantara Initiative and Liberty Alliance today announced that identity products from Entrust, IBM, Microsoft, Novell, Ping Identity, SAP and Siemens have passed Liberty Interoperable(TM) SAML 2.0 interoperability testing. These vendors participated in the third Liberty Interoperable full-matrix testing event to be administered by the Drummond Group Inc., and the first event to test products against the new eGovernment SAML 2.0 profile v1.5 recently released by Liberty Alliance. Web-based full-matrix testing allows vendors to participate from anywhere in the world and features rigorous processes for ensuring products meet SAML 2.0 interoperability requirements for open, secure and privacy-respecting federated identity management.
“The summer 2009 full-matrix testing event included more vendors than ever before, reflecting the worldwide demand among enterprises and governments for SAML 2.0 identity-enabled solutions that have proven to interoperate,” said Roger Sullivan, president of the Kantara Initiative Board of Trustees, president of Liberty Alliance and vice president, Oracle Identity Management. “Organizations can count on Liberty Interoperable for products that have proven to meet interoperability requirements today and over the long-term as the program moves to expand within Kantara Initiative to test against additional identity standards and protocols.”
This year’s program featured enhanced SAML 2.0 testing scenarios between Service Provider (SP) and Identity Provider (IdP). The eGovernment SAML 2.0 profile and its requisite test plan have been developed by Liberty Alliance with input from the Danish, New Zealand and US governments. Testing processes for the eGovernment profile included multiple SP logout scenarios, requested authentication context comparisons, and other aspects of SAML 2.0 necessary to meet interoperability, privacy, security and transparency requirements in the global eGovernment sector. A review of the SAML 2.0 v1.5 eGovernment profile is available here.
“SAML 2.0 is the most popular federation protocol in the industry and utilized by commercial, educational, and government institutions around the globe,” said Gerry Gebel, VP and service director at Burton Group. “Federated single sign-on demand is growing, spurred by broad adoption of SaaS applications and the general increase in collaboration among business partners in every industry. The Liberty Interoperable program is instrumental to sustaining successful deployments in advanced federation scenarios where multiple products are in use.”
During the July 14 - September 4, 2009 testing event, the following products demonstrated interoperability based on a variety of SAML 2.0 conformance modes. A detailed list outlining what each vendor passed is available at http://tinyurl.com/yahs2u8
Entrust – Entrust IdentityGuard Federation Module 9.2 is a part of Entrust’s versatile authentication platform, supporting numerous authentication methods in one cost-effective solution. Organizations are empowered to choose the right authentication method(s) for their users accessing enterprise, consumer, government or mobile applications. Entrust IdentityGuard includes support for username & password, IP-geolocation, device-ID, questions and answers, out-of-band OTP soft tokens (via voice, SMS, e-mail), grid and eGrid cards, digital certificates and a range of hardware OTP tokens. Entrust IdentityGuard enables rapid deployment, centralized policy management, and an easy integration into the enterprise. Entrust IdentityGuard also includes the ability to apply transaction digital signatures for increased confidence in online transactions. Entrust IdentityGuard serves as a certified SAML 2.0 identity provider, providing standards-based interoperability to organizations. Combined with Entrust’s zero-touch fraud detection solution, Entrust IdentityGuard provides a powerful risk-based solution for authenticating users.
Entrust – Entrust GetAccess 8.0 delivers a single entry and access point for user authentication and authorization across multiple Web portal applications. The solution delivers full service provider (SP) capabilities and provides organizations with security, flexibility and performance to personalize the user experience of a Web portal through the following key services: flexible authentication, including seamless integration with Entrust IdentityGuard for step-up authentication; proven authentication interoperability via standards such as SAML, Kerberos, X.509 and others; SSO to Web and non-Web applications via SAML; authorization including fine-grained access control to online resources; rich policy management capabilities, allowing controlled access based on environmental considerations (e.g. authentication method used, physical location, TOD, external data sources); centralized session management; personalization of content; integration with leading application and portal vendors; web-based tools for business administration and operational control.
IBM – IBM Tivoli® Federated Identity Manager (TFIM) 6.2 provides a full featured web access management solution for managing identity and access to resources that span companies or security domains. Rather than replicate identity and security administration across companies, Tivoli Federated Identity Manager provides a simple, loosely coupled model for managing trusted identities and providing them with access to information and services including SaaS and cloud-based deployments. For companies deploying Service Oriented Architecture (SOA) and Web Services, TFIM provides centralized identity mediation services for federated Web services identity management across multiple domains (e.g. Java, .NET and mainframe). TFIM supports the following standards: SAML Protocol 1.0/1.1/2.0, OpenID Authentication 1.1/2.0 - OpenID Simple Registration Extension 1.0, Information Card Profile, WS-Federation Passive Requestor Profile, Liberty ID-FF 1.1/1.2, WS-Trust 1.2/1.3.
Microsoft – Microsoft Active Directory Federation Services (AD FS) 2.0 enables Active Directory to be an identity provider in the claims based access platform. AD FS provides end users with a single sign-on experience across applications, platforms and organizations and simplifies identity management for IT Pros. AD FS 2.0 is part of the Windows Server platform, and supports both on-premises and cloud solutions.
Novell – Novell Access Manager 3.1 simplifies and safeguards online asset-sharing, helping customers control access to Web-based and traditional business applications. Trusted users gain secure authentication and access to portals, Web-based content and enterprise applications, while IT administrators gain centralized policy-based management of authentication and access privileges. What’s more, Novell Access Manager supports a broad range of platforms and directory services, and it’s flexible enough to work in even the most complex multi-vendor computing environments. Novell Access Manager makes administration easy. You can use it to centralize access control for all digital resources, and it eliminates the need for multiple software tools at various locations. One access solution fits all applications and information assets. In addition, Novell Access Manager includes support for major federation standards including Security Assertions Markup Language (SAML), WS-Federation and Liberty Alliance.
Ping Identity – PingFederate v6.1 is an Internet Identity Security platform that delivers an enterprise-class, scalable, cost effective and standards-based software solution for enabling Internet Single Sign-On, Identity-Enabled Web Services and Internet User Account Management. PingFederate provides a centralized platform for managing all of your external identity connections with customers, Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO) providers, partners, affiliates and others. Your organization can have Internet SSO and Identity-Enabled Web Services connections in days with point and click connection configuration, out-of-the-box integration capabilities, multi-protocol support, and automated user account management. Over 350 enterprises and service providers worldwide base their Internet identity security strategy on PingFederate.
SAP – The next release of SAP NetWeaver Identity Management 7.2 is planned for the second quarter 2010. SAP plans to significantly enhance the product with an Identity Provider (IdP) and Secure Token Service (STS) to support web-based Single Sign-On via SAML 2.0 assertions, identity federation and Single Sign-On for web services. The existing features to centrally administrate and provision users — provided by the Identity Center and Virtual Directory Server components — will be extended and allow for integrated scenarios with the IdP. The new IdP and STS will add access management features to the SAP NetWeaver Identity Management and allow the solution to be integrated into an Enterprise Single Sign-On environment reducing TCO and administrative effort.
Siemens – DirX Access V8.1 is a comprehensive solution that integrates access management, entitlement management, identity federation, Web services security, and Web Single Sign-on in one single product to protect your web applications and web services from unauthorized use. DirX Access provides for the consistent enforcement of business security policies through external, centralized, policy-based authentication and authorization services, enhances Web user experience through local and federated single sign-on and supports regulatory compliance with audit and reporting both within and across security domains.
About the Liberty Interoperable Program
The ongoing success of the Liberty Interoperable program is demonstrated by the wide scale deployment of SAML 2.0 products and the increasing number of businesses and governments such as the US GSA, now requiring vendors to pass Liberty Alliance testing. With nearly seven years of testing products for true interoperability of identity specifications, Liberty Alliance expects to expand the Liberty Interoperable program within Kantara Initiative to reflect growing momentum for proven interoperable multi-protocol identity solutions. More information about the program, including a list of all vendors who have passed Liberty Alliance testing, is available here.
Enterprises and governments are going to be able to do important projects and derive tangible benefits very quickly using this cross-vendor family of products. That’s really important. Of course, there’s more to identity than browser-based federation… But one of the most encouraging signs is that the same kind of progress we see in the Kantara announcement is being made with the user-centric and privacy-enhancing technologies that many of us are working on to complement the SAML technology.
Back from vacation and catching up on some blogs I found this piece by Felix Gaehtgens at Kuppinger Cole in Germany:
A good year ago, Microsoft acquired an innovative company called U-Prove. That company, founded by visionary Stephan Brandt, had come up with a privacy-enabling technology that effectively allows users to safely transmit the minimum required information about themselves when required to – and for those receiving the information, a proof that the information is valid. For example: if a country issued a digital identification card, and a service provider would need to check whether the holder is over 18 years of age, the technology would allow doing just that – instead of having to transmit a full data set, including the date of birth. The technology works through a complex set of encryption and signing rules and is a win-win for both users who need to provide information as well as those taking it (also called “relying parties” in geek speak). With the acquisition of U-Prove, Microsoft now owns all of the rights to the technology – and more importantly, the associated patents with it. Stephan Brandt is now part of Microsoft’s identity team, filled with top-notch brilliant minds such as Dick Hardt, Ariel Gordon, Mark Wahl, Kim Cameron and numerous others.
Privacy advocates should be (and are) happy about this technology because it effectively allows consumers to protect their information, instead of forcing them to give up unnecessary information to transact business. How many times have we needed to give up personal information for some type of service without any real need for this information? For example, if you’re not shipping anything to me… what’s the point of providing my home address? If you are legally required to verify that I’m over 18 (or 21), why would you really need to know my credit card details and my home address? If you need to know that I am a customer of one of your partner banks, why would you also need to know my bank account number? Minimum disclosure makes transactions possible with exactly the right fit of personal details being exchanged. For those enterprises taking the data, this is also a very positive thing. Instead of having to “coax” unnecessary information out of potential customers, they can instead make a clear case of what information they do require for fulfilling the transaction, and will ultimately find consumers more willing to do business with them.
So all of this is really great. And what’s even better, Microsoft’s chief identity architect, Kim Cameron has promised not to “hoard” this technology for Microsoft’s own products, but to actually contribute it to society in order to make the Internet a better place. But more than one year down the line, Microsoft has not made a single statement about what will happen to U-Prove: minimum disclosure about its minimum disclose technology (pun intended!). In a post that I made a year ago, I tried making the point that this technology is so incredibly important for the future of the Internet, that Microsoft should announce its plans what do with the technology (and the patents associated for it).
Kim’s response was that Microsoft had no intentions of “hoarding” the technology for its own purposes. He highlighted however that it would take time to do this – time for Microsoft’s lawyers, executives and technologists to iron out the details of doing this.
Well – it’s been a year, and the only “minimum disclosure” that we can see is Microsoft’s unwillingness to talk about it. The debate is heating up around the world about different governments’ proposals for electronic passports and ID cards. Combined with the growing dangers of identity theft and continued news about spectacular leaks and thefts of personal information, this would really make our days. Unless you’re a spammer or identity thief of course.
So it’s about time Microsoft started making some statements to reassure all of us what is going to happen with the U-Prove technology, and – more importantly – with the patents. Microsoft has been reinventing itself and making a continuous effort to turn from the “bad guys of identity” of a decade ago (in the old Hailstorm days with Microsoft Passport) into the “good guys” of identity with its open approach to identity and privacy protection and standardisation. At Kuppinger Cole we have loudly applauded the Identity Metasystem and Infocards as a ground-breaking innovation that we believe will transform the way we use the Internet in the years to come. Now is the time to really start off the transformative wave of innovation that comes when we finally address the dire need for privacy protection. Microsoft has the key in its hands, or rather, locked in a drawer. C’mon guys, when will that drawer finally be opened?
Kuppinger Cole has been an important force in creating awareness about the role of an Identity Metasystem. It has also led in stressing the importance of minimal disclosure technology. I take Felix’s concerns very seriously. He’s right - I owe people a progress report.
This said, there is no locked drawer. Instead, Felix gets closer to the real explanation in his first paragraph: “the technology works through a complex set of encryption and signing rules.”
The complexity must be tamed for the technology to succeed. There is more to this than brilliant formulas or crypto routines. We need to understand not only how minimal disclosure technology can be used - but how it can be made usable.
There are different kinds of research. Theoretical research is hugely important. But applied research is just as key. Over the last year we’ve moved from an essentially theoretical grasp of the possibilities to prototypes that demonstrate the feasibility of deploying real, large-scale distributed systems based on minimal disclosure.
I don’t have much time for standards and protocols that are NOT built on top of experience with implementation. And if you don’t know what your standards and implementations might look like, you can’t define the intellectual property requirements.
So we’ve been working hard on figuring this stuff out. In fact, a lot of progress has been made, and I’ll write about that in my next few posts. I’ll also reach out to anyone who wants to become more closely involved.
Here’s the most beautiful take yet on the Seven Laws of Identity - put together by Karon and Katrika, who even saw how the Laws connect with the Perception of Ailatan. In the past people have asked why I didn’t do a Laws of Identity poster - this must be it.
One of the people whose work has most influenced the world of security - a brilliant researcher who is also gifted with a sense of irony and humor - received this email and sent it on to a group of us. He didn’t specify why he thought we would find it useful…
At any rate, the content boggles the mind. A joke? Or a metaspam social engineering attack, intended to bilk jealous boyfriends and competitors?
Or… could this kind of… virus actually be built and… sold?
Subject: MMS PHONE INTERCEPTOR - THE ULTIMATE SPY SOLUTION FOR MOBILE PHONES AND THE GREAT PRODUCT FOR YOUR CUSTOMERS
MMS PHONE INTERCEPTOR - The ultimate surveillance solution will enable you to acquire the most valuable information from a mobile phone of a person of your interest.
Now all you will need to do in order to get total control over a NOKIA mobile (target) phone of a person of your interest is to send the special MMS to that target phone, which is generated by our unique MMS PHONE INTERCEPTOR LOADER.
This way you can get very valuable and otherwise un-accessible information about a person of your interest very easily.
The example of use:
You will send the special MMS message containing our unique MMS PHONE INTERCEPTOR to a mobile phone of e.g. your girlfriend
In case your girlfriend will be using her (target) mobile phone, you will be provided by following unique functions:
- In case your girlfriend will make an outgoing call or in case her (target) phone will receive an incoming call, you will get on your personal standard mobile phone an immediate SMS message about her call. This will give you a chance to listen to such call immediately on your standard mobile phone.
- In case your girlfriend will send an outgoing SMS message from her (target) mobile phone or she will receive a SMS message then you will receive a copy of this message on your mobile phone immediately.
- This target phone will give you a chance to listen to all sounds in its surrounding area even in case the phone is switched off. Therefore you can hear very clearly every spoken word around the phone.
- You will get a chance to find at any time the precise location of your girlfriend by GPS satellites.
All these functions may be activated / deactivated via simple SMS commands.
A target mobile phone will show no signs of use of these functions.
As a consequence of this your girlfriend can by no means find out that she is under your control.
In case your girlfriend will change her SIM card in her (target) phone for a new one, then after switch on of her (target) phone, your (source) phone will receive a SMS message about the change of the SIM card in her (target) phone and its new phone number.
These unique surveillance functions of target phones may be used to obtain very valuable and by no other means accessible information also from other subjects of your interest (managers, key employees, business partners, etc.), too.
I like the nostalgic sense of convenience and user-friendliness conjured up by this description. Even better, it reminds me of the comic book ads that used to amuse me as a kid. So I guess we can just forget all about this and go back to sleep, right?
I’ll lose a few minutes less sleep each night worrying about Electronic Eternity - thanks to the serendipitous appearance of John Markoff’s recent piece on Vanish in the New York Times Science section:
A group of computer scientists at the University of Washington has developed a way to make electronic messages “self destruct” after a certain period of time, like messages in sand lost to the surf. The researchers said they think the new software, called Vanish, which requires encrypting messages, will be needed more and more as personal and business information is stored not on personal computers, but on centralized machines, or servers. In the term of the moment this is called cloud computing, and the cloud consists of the data — including e-mail and Web-based documents and calendars — stored on numerous servers.
The idea of developing technology to make digital data disappear after a specified period of time is not new. A number of services that perform this function exist on the World Wide Web, and some electronic devices like FLASH memory chips have added this capability for protecting stored data by automatically erasing it after a specified period of time.
But the researchers said they had struck upon a unique approach that relies on “shattering” an encryption key that is held by neither party in an e-mail exchange but is widely scattered across a peer-to-peer file sharing system…
The pieces of the key, small numbers, tend to “erode” over time as they gradually fall out of use. To make keys erode, or timeout, Vanish takes advantage of the structure of a peer-to-peer file system. Such networks are based on millions of personal computers whose Internet addresses change as they come and go from the network. This would make it exceedingly difficult for an eavesdropper or spy to reassemble the pieces of the key because the key is never held in a single location. The Vanish technology is applicable to more than just e-mail or other electronic messages. Tadayoshi Kohno, a University of Washington assistant professor who is one of Vanish’s designers, said Vanish makes it possible to control the “lifetime” of any type of data stored in the cloud, including information on Facebook, Google documents or blogs. In addition to Mr. Kohno, the authors of the paper, “Vanish: Increasing Data Privacy with Self-Destructing Data,” include Roxana Geambasu, Amit A. Levy and Henry M. Levy.
[More here]
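As an added illustration of the mechanism the article describes (this is not the researchers' Vanish code), the following Python simulation splits a message key with Shamir secret sharing, scatters the shares into a simulated peer-to-peer index whose entries drop out as nodes churn, and shows that once fewer than the threshold survive the key, and with it the message, can no longer be recovered. The toy hash-counter stream cipher, the Mersenne prime, the share TTL model and all names are assumptions made for illustration; a real deployment would use a standard cipher and a real DHT.

```python
"""Added example, not the Vanish project's code: self-destructing data via
Shamir secret sharing over an index whose entries time out (simulated)."""
import hashlib
import secrets

PRIME = 2**521 - 1   # Mersenne prime M521; comfortably larger than a 256-bit key


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream) standing in for AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def split_key(key: bytes, n: int, k: int) -> list:
    """Shamir split: n shares, any k reconstruct the key, fewer reveal nothing."""
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_key(shares: list, k: int, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0 from any k surviving shares."""
    if len(shares) < k:
        raise ValueError("too few shares survive: the key has vanished")
    pts = shares[:k]
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


class ChurningIndex:
    """Simulated DHT: each entry lives 0.5x to 1.5x the nominal ttl, so shares
    erode gradually as the nodes holding them leave the network (assumption)."""

    def __init__(self, ttl: float):
        self.ttl, self.store = ttl, {}

    def put(self, idx: str, value: int, now: float) -> None:
        jitter = int.from_bytes(hashlib.sha256(idx.encode()).digest()[:2], "big") / 65535
        self.store[idx] = (value, now + self.ttl * (0.5 + jitter))

    def get(self, idx: str, now: float):
        value, expires = self.store.get(idx, (None, -1.0))
        return value if now < expires else None


def vanish_encrypt(message: bytes, index: ChurningIndex, now: float, n: int = 10, k: int = 7) -> dict:
    """Encrypt under a fresh key, scatter the key's shares, keep only the locator."""
    key = secrets.token_bytes(32)
    access_key = secrets.token_hex(8)       # locates the shares; travels with the ciphertext
    for x, y in split_key(key, n, k):
        index.put(f"{access_key}:{x}", y, now)
    return {"ct": _keystream_xor(key, message), "access_key": access_key, "n": n, "k": k}


def vanish_decrypt(obj: dict, index: ChurningIndex, now: float) -> bytes:
    """Collect whatever shares still exist; fails once fewer than k remain."""
    shares = []
    for x in range(1, obj["n"] + 1):
        y = index.get(f"{obj['access_key']}:{x}", now)
        if y is not None:
            shares.append((x, y))
    return _keystream_xor(recover_key(shares, obj["k"]), obj["ct"])
```

Neither sender nor recipient ever holds the key; the ciphertext carries only the locator, and the timeout is enforced by the churn of the index rather than by either party's goodwill.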
I’m writing this post in case your version of my email address has “windows.microsoft.com” in it.
The “windows.microsoft.com” domain is being repurposed for some higher good. So going forward, please write to me at the usual address (same local-part) but at “@microsoft.com” instead of “@windows.microsoft.com”.
From the Useful Spam Department: I got an advertisement from a robot at “complianceonline.com” that works for a business addressing the problem of data retention on the web from the corporate point of view.
We’ve all read plenty about the dangers of teenagers publishing their party revels only to find themselves rejected by a university snooping on their Facebook account. But it’s important to remember that the same issues affect business and government as well, as the complianceonline robot points out:
“Avoid Documentation ‘Time Bombs’
“Your own communications and documents can be used against you.
“Lab books, project and design history files, correspondence including e-mails, websites, and marketing literature may all contain information that can compromise a company and its regulatory compliance. Major problems with the U.S. FDA and/or in lawsuits have resulted from careless or inappropriate comments or even inaccurate opinions being “voiced” by employees in controlled or retained documents. Opinionated or accusatory E-mails have been written and sent, where even if deleted, still remain in the public domain where they can effectively “last forever”.
“In this electronic age of My Space, Face Book, Linked In, Twitter, Blogs and similar instant communication, derogatory information about a company and its products can be published worldwide, and “go viral”, whether based on fact or not. Today one’s ‘opinion’ carries the same weight as ‘fact’.”
This is all pretty predictable and even banal, but then we get to the gem: the company offers a webinar on “Electronic Eternity”. I like the rubric. I think “Electronic Eternity” is one of the things we should question. Do we really need to accept that it is inevitable? Whose interest does it serve? I can’t see any stakeholder who benefits except, perhaps, the archeologist.
Perhaps everything should have a half-life unless a good argument can be made for preserving it.
China Daily posted this opinion piece by Chen Weihua that provides context on how the Green Dam proposal could ever have emerged. I found it striking because it brings to the fore the relationship of the initiative to the First Law of Identity (User Control). As in so many cases where the Laws are broken, the result is passionate opposition and muddled technology.
The Ministry of Industry and Information Technology’s latest regulation to preinstall filtering software on all new computers by July 1 has triggered public concern, anger and protest.
A survey on Sina.com, the largest news portal in China, showed that an overwhelming 83 percent of the 26,232 people polled said they would not use the software, known as Green Dam. Only 10 percent were in favor.
Despite the official claim that the software was designed to filter pornography and unhealthy content on the Internet, many people, including some computer experts, have disputed its effectiveness and are worried about its possible infringement on privacy, its potential to disrupt the operating system and other software, and the waste of $6.1 million of public funds on the project.
These are all legitimate concerns. But behind the whole story, one pivotal question to be raised is whether we believe people should have the right to make their own choice on such an issue, or the authorities, or someone else, should have the power to make such a decision.
Compared with 30 years ago, the country has achieved a lot in individual freedom by giving people the right to make their own decisions regarding their personal lives.
Under the planned economy three decades ago, the government decided the prices of all goods. Today, the market decides 99 percent of the prices based on supply and demand.
Three decades ago, the government even decided what sort of shirts and trousers were proper for its people. Flared trousers, for example, were banned. Today, our streets look like a colorful stage.
Till six years ago, people still needed an approval letter from their employers to get married or divorced. However bizarre it may sound to the people today, the policy had ruled the nation for decades.
The divorce process then could be absurdly long. Representatives from trade union, women’s federation and neighborhood committee would all come and try to convince you that divorce is a bad idea - bad for the couple, bad for their children and bad for society.
It could be years or even decades before the divorce was finally approved. Today, it only takes 15 minutes for a couple to go through the formalities to tie or untie the knot at local civil affair bureaus.
Less than three decades ago, the rigid hukou (permanent residence permit) system didn’t allow people to work in another city. Even husbands and wives with hukou in different cities had to work and live in separate places. Today, over 200 million migrant workers are on the move, although hukou is still a constraint.
Less than 20 years ago, doctors were mandated to report women who had abortions to their employers. Today, they respect a woman’s choice and privacy.
No doubt we have witnessed a sea of change, with more and more people making their own social and economic decisions.
The government, though still wielding huge decision-making power, has also started to consult people on some decisions by hosting public hearings, such as the recent one on tap water pricing in Shanghai.
But clearly, some government departments and officials are still used to the old practice of deciding for the people without seeking their consent.
In the Green Dam case, buyers, mostly adults, should be given the complete freedom to decide whether they want the filtering software to be installed in their computers or not.
Respect for an individual’s right to choice is an important indicator of a free society, depriving them of which is gross transgression.
Let’s not allow the Green Dam software to block our way into the future.
The many indications that the technology behind Green Dam weakens the security fabric of China indicate Chen Weihua is right in more ways than one.
Just for completeness, I should point out that the initiative also breaks the Third Law (Justifiable Parties) if adults have not consciously enabled the software and chosen to have the government participate in their browsing.
The Chinese Government’s Green Dam sets an important precedent: government trying to achieve its purposes by taking control over the technology installed on people’s personal computers. Here’s how the Chinese Government explained its initiative:
‘In order to create a green, healthy, and harmonious internet environment, to avoid exposing youth to the harmful effects of bad information, The Ministry of Information Industry, The Central Spiritual Civilization Office, and The Commerce Ministry, in accordance with the requirements of “The Government Purchasing Law,” are using central funds to purchase rights to “Green Dam Flower Season Escort” (Henceforth “Green Dam”) … for one year along with associated services, which will be freely provided to the public.
‘The software is for general use and testing. The software can effectively filter improper language and images and is prepared for use by computer factories.
‘In order to improve the government’s ability to deal with Web content of low moral character, and preserve the healthy development of children, the regulation and demands pertaining to the software are as follows:
- Computers produced and sold in China must have the latest version of “Green Dam” pre-installed; imported computers should have the latest version of the software installed prior to sale.
- The software should be installed on computer hard drives and available discs for subsequent restoration
- The providers of “Green Dam” have to provide support to computer manufacturers to facilitate installation
- Computer manufacturers must complete installation and testing prior to the end of June. As of July 1, all computers should have “Green Dam” pre-installed.
- Every month computer manufacturers and the provider of Green Dam should give MII data on monthly sales and the pre-installation of the software. By February 2010, an annual report should be submitted.’
What does the software do? According to OpenNet Initiative:
Green Dam exerts unprecedented control over users’ computing experience: The version of the Green Dam software that we tested, when operating under its default settings, is far more intrusive than any other content control software we have reviewed. Not only does it block access to a wide range of web sites based on keywords and image processing, including porn, gaming, gay content, religious sites and political themes, it actively monitors individual computer behavior, such that a wide range of programs including word processing and email can be suddenly terminated if content algorithm detects inappropriate speech [my emphasis - Kim]. The program installs components deep into the kernel of the computer operating system in order to enable this application layer monitoring. The operation of the software is highly unpredictable and disrupts computer activity far beyond the blocking of websites.
The functionality of Green Dam goes far beyond that which is needed to protect children online and subjects users to security risks: The deeply intrusive nature of the software opens up several possibilities for use other than filtering material harmful to minors. With minor changes introduced through the auto-update feature, the architecture could be used for monitoring personal communications and Internet browsing behavior. Log files are currently recorded locally on the machine, including events and keywords that trigger filtering. The auto-update feature can be used to change the scope and targeting of filtering without any notification to users.
How is it being received? Wikipedia says:
Online polls conducted by leading Chinese web portals revealed poor acceptance of the software by netizens. On Sina and Netease, over 80% of poll participants said they would not consider or were not interested in using the software; on Tencent, over 70% of poll participants said it was unnecessary for new computers to be preloaded with filtering software; on Sohu, over 70% of poll participants said filtering software would not effectively prevent minors from browsing inappropriate websites. A poll conducted by the Southern Metropolis Daily showed similar results.
In addition, the software is a virus transmission system. Researchers from the University of Michigan concluded:
We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC [my emphasis - Kim].
We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.
We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.
There is no doubt that government has a legitimate interest in the safety of the Internet, and in the safety of our children. But neither goal can be achieved with any of the unfortunate methods being used here.
Rather than so-called “blacklisting”, the alternative is to construct virtual networks that are dramatically safer for children than the Internet as a whole. As such virtual networks emerge, technology can be created allowing parents to limit the access of their young children to those networks.
It’s a big job to build such “green zones”. But government is the strong force that could serve as a catalyst in bringing this about. The key would be to organize virtual districts and environments that would be fun and safe for children, so children want to play in them.
This kind of virtual world doesn’t require the generalized banning of sites or ideas or prurient thoughts - or require government to “improve” the nature of human beings.
Enhanced driver’s licences too smart for their own good appeared in the Toronto Star recently. It was written by Roch Tassé (coordinator of the International Civil Liberties Monitoring Group) and Stuart Trew (The Council of Canadians’ trade campaigner).
A common refrain coming out of Homeland Security chief Janet Napolitano’s visit to Ottawa and Detroit last week was that the Canada-U.S. border is getting thicker and stickier even as Canadian officials work overtime to implement measures that are meant to get us across that border more efficiently and securely.
One of those measures – “enhanced” drivers licences (EDLs) now available in Ontario, Quebec, B.C. and Manitoba – has been rushed into production to meet today’s implementation date of the Western Hemisphere Travel Initiative. This unilateral U.S. law requires all travellers entering the United States to show a valid passport or other form of secure identification when crossing the border.
But as privacy and civil liberties groups have been saying for a while, the EDL card poses its own thick and sticky questions that have not been satisfactorily answered by either the federal government, which has jurisdiction over privacy and citizenship matters, or the provincial ministries issuing the new “enhanced” licences.
For example, why introduce a new citizenship document specific to the Canada-U.S. border when the internationally recognized passport will do the trick?
Or, as even the smart-card industry wonders, why include technology used for monitoring the movement of livestock and other commodities in a citizenship document?
More crucially, why ignore calls from Canada’s federal and provincial privacy commissioners, as well as groups like the civil liberty groups to put a freeze on “enhanced” licences until they can be adequately debated and assessed by Parliament? It’s not as if there’s nothing to talk about.
First, the radio frequency identification devices (RFID) that will be used to transmit the personal ID number in your EDL to border officials contain no security or authentication features, cannot be turned off, and are designed to be read at distances of more than 10 metres using inexpensive and commercially available technology.
This creates a significant threat of “surreptitious location tracking,” according to Canada’s privacy commissioners. The protective sleeve proposed by several provincial governments is demonstrably unreliable at blocking the RFID signal and constitutes an unacceptable privacy risk.
Facial recognition screening of all card applicants, as proposed in Ontario and B.C. to reduce fraud, has a shaky success rate at best, creating a significant and unacceptable risk of false positive matches, which could increase wait times as even more people are pulled aside for questioning.
Recently, a journalist for La Presse demonstrated just how insecure Quebec’s EDLs are by successfully reading the number of a colleague’s card and cloning that card with a different but similar photograph. It might explain why, when announcing Quebec’s EDL card this year, Premier Jean Charest could point only to hypothetical benefits.
Furthermore, the range of personal information collected through EDL programs, once shared with U.S. authorities, can be circulated excessively among a whole range of agencies under the authority of the Department of Homeland Security. It’s important to note that Canada’s privacy laws do not hold once that information crosses the border.
So while the border may appear to be getting thicker for some, it is becoming increasingly permeable to flows of personal information on Canadian citizens to U.S. security and immigration databases, where it can be used to mine for what the DHS considers risky behaviour.
Some provincial governments have taken these concerns seriously. Based on the high costs involved with a new identity document, the lack of clear benefits to travellers, the significant privacy risks, and the lack of prior public consultation, the Saskatchewan government suspended its own proposed EDL project this year. The New Brunswick and Prince Edward Island governments, citing excessive costs, have also abandoned theirs.
The Harper government owes it to Canadians to freeze the EDL program now and hold a parliamentary hearing into the new technology, its alleged benefits and the stated privacy risks.
Napolitano has repeatedly said that from now on Canadians must treat the U.S. border as any other international checkpoint. It might feel like an inconvenience for some who are used to crossing into the U.S. without a passport, but the costs – real and in terms of privacy – of these provincial EDL projects will be much higher.
My main problem with this article is the title, which should have been, “Enhanced driver’s licenses too stupid for their own good”.
That’s because we have the technology to design smart driver’s licenses and passports so they have NONE of the problems described - but so far, our governments don’t do it.
I expect it is we as technologists who are largely responsible for this. We haven’t found the ways of communicating with governments, and more to the point, with the public and its advocates, about the fact that these problems can be eliminated.
From what I have been told, the new German identity card represents a real step forward in this regard. I promise to look into the details and write about them.
Britain’s Enterprise Privacy Group is starting a new series of workshops that deal squarely with ethics. While specialists in ethics have achieved a significant role in professions like medicine, this is one of the first workshops I’ve seen that takes on equivalent issues in our field of work. Perhaps that’s why it is already oversubscribed…
‘The continuing openness of the Internet is fundamental to our way of life, promoting the free flow of ideas to strengthen democratic ideals and deliver the economic benefits of globalisation. But a fundamental challenge for any government is to balance measures intended to protect security and the right to life with the impact these may have on the other rights that we cherish and which form the basis of our society.
‘The security of cyber space poses particular challenges in meeting tests of necessity and proportionality as its distributed, de-centralised form means that powerful tools may need to be deployed to tackle those who wish to do harm. A clear ethical foundation is essential to ensure that the power of these tools is not abused.
‘The first workshop in this series will be hosted at the Cabinet Office on 17 June, and will explore what questions need to be asked and answered to develop this foundation?
‘The event is already fully subscribed, but we hope to host further events in the near future with greater opportunities for all EPG Members to participate.’
Let’s hope EPG eventually turns these deliberations into a document they can share more widely. Meanwhile, this article seems to offer an introduction to the literature.
Since one of my goals is to introduce people to Information Cards - and because I used to get mountains of spam comments and worse (!) - I require people to either write to me or use an Information Card when leaving comments on my blog.
(This blog is hosted for me by Joyent, and it runs on open source software (WordPress, PHP, MySQL, Apache, OpenSolaris). For Information Card support, it uses Pamelaware, an open-source project offering an Information Card plugin for Wordpress and other popular programs.)
Information Cards use an “identity selector”. Vista has the CardSpace V1 selector built right in. (If you don’t use Vista please continue here. Also, if you are wondering about our new beta of Windows CardSpace Geneva - V2 if you want - I’ll deal with that in a separate post.)
How you register at my site
1. Click the Information Card logo or the “LOG IN” option in the upper right hand corner of the blog. (Clicking the logo saves you the step where you can learn about Information Cards).

2. If you clicked the logo, go to step 3. If you have clicked “LOG IN”, you will see this page and can explore the ‘Learn More’ and other tabs. When ready, click on the Information Card logo to proceed.

3. CardSpace will start (it may be a bit slow the first time it loads). It will verify my site’s certificate, and present it to you so you can decide whether or not to proceed. Click “Yes, choose a card to send”.

4. If you are trying CardSpace for the first time, you don’t have a “Managed” card yet. So just create a “Personal Card” that serves a bit like a username / password - except it can’t be phished and protects your privacy by automatically using a different key at every site.

5. You’ll be asked to create a Personal card. Name it with something you’ll recognize, and I recommend you put a picture on it (the picture will never be sent). The name and picture prevent many attacks since if someone tries to fool you with a CardSpace “look-alike”, they won’t know what your Cards look like and you will immediately notice your cards aren’t present!
Use an email address that you control - you will have to respond to a confirmation email. Then click SAVE.
6. Now you’ll see your saved card, and click SEND.

7. The information from your card will be used to log in to my site, but I’ll notice you haven’t been here before and send you an email that you must click on to complete registration (I want some way to prevent spammers from bothering me).

8. The email I send looks like the one below. IMPORTANT NOTE: this email might be “eaten” by your spam protection software (!), so check your spam folder if it doesn’t arrive. (On Hotmail, it doesn’t ever get delivered - haven’t sorted that out yet. It doesn’t seem to like my little mail server.)

9. When you click the embedded link you’ll be taken back to my blog as a verification step. Click on the Information Card logo to log in.

10. CardSpace will come up, and will recognize my site. Just click send.

11. Et voila…

Press “Go to Blog” and you can leave your comment.
In the future, logging in will just be a two-step process. Click on the CardSpace logo, click on your personal card, and you will be logged in. No password to remember.
The Proposal for a Common Identity Framework begins by explaining the terminology it uses. This wasn’t intended to open up old wounds or provoke ontological debate. We just wanted to reduce ambiguity about what we actually mean to say in the rest of the paper. To do this, we did think very carefully about what we were going to call things, and tried to be very precise about our use of terms.
The paper presents its definitions in alphabetical order to facilitate lookup while reading the proposal, but I’ll group them differently here to facilitate discussion.
Let’s start with the series of definitions pertaining to claims. It is key to the document that claims are assertions by one subject about another subject that are “in doubt”. This is a fundamental notion since it leads to an understanding that one of the basic services of a multi-party model must be “Claims Approval”. The simple assumption by systems that assertions are true - in other words the failure to factor out “approval” as a separate service - has led to conflation and insularity in earlier systems.
- Claim: an assertion made by one subject about itself or another subject that a relying party considers to be “in doubt” until it passes “Claims Approval”
- Claims Approval: The process of evaluating a set of claims associated with a security presentation to produce claims trusted in a specific environment so they can be used for automated decision making and/or mapped to an application specific identifier.
- Claims Selector: A software component that gives the user control over the production and release of sets of claims issued by claims providers.
- Security Token: A set of claims.
The concept of claims provider is presented in relation to “registration” of subjects. Then claims are divided into two broad categories: primordial and substantive…
- Registration: The process through which a primordial claim is associated with a subject so that a claims provider can subsequently issue a set of claims about that subject.
- Claims Provider: An individual, organization or service that:
- Registers subjects and associates them with primordial claims, with the goal of subsequently exchanging their primordial claims for a set of substantive claims about the subject that can be presented at a relying party; or
- Interprets one set of substantive claims and produces a second set (this specialization of a claims provider is called a claims transformer). A claims set produced by a claims provider is not a primordial claim.
- Claims Transformer: A claims provider that produces one set of substantive claims from another set.
To understand this better let’s look at what we mean by “primordial” and “substantive” claims. The word “primordial” may seem strange at first, but its use will be seen to be rewardingly precise: Constituting the beginning or starting point, from which something else is derived or developed, or on which something else depends. (OED)
As will become clear, the claims-based model works through the use of “Claims Providers”. In the most basic case, subjects prove to a claims provider that they are an entity it has registered, and then the claims provider makes “substantive” claims about them. The subject proves that it is the registered entity by using a “primordial” claim - one which is thus the beginning or starting point, and from which the provider’s substantive claims are derived. So our definitions are the following:
- Primordial Claim: A proof – based on secret(s) and/or biometrics – that only a single subject is able to present to a specific claims provider for the purpose of being recognized and obtaining a set of substantive claims.
- Substantive claim: A claim produced by a claims provider – as opposed to a primordial claim.
Passwords and secret keys are therefore examples of “primordial” claims, whereas SAML tokens and X.509 certificates (with DNs and the like) are examples of substantive claims.
Some will say, “Why don’t you just use the word ’credential’”? The answer is simple. We avoided “credential” precisely because people use it to mean both the primordial claim (e.g. a secret key) and the substantive claim (e.g. a certificate or signed statement). This conflation makes it unsuitable for expressing the distinction between primordial and substantive, and this distinction is essential to properly factoring the services in the model.
There are a number of definitions pertaining to subjects, persons and identity itself:
- Identity: The fact of being what a person or a thing is, and the characteristics determining this.
This definition of identity is quite different from the definition that conflates identity and “identifier” (e.g. kim@foo.bar being called an identity). Without clearing up this confusion, nothing can be understood. Claims are the way of communicating what a person or thing is - different from being that person or thing. An identifier is one possible claim content.
We also distinguish between a “natural person”, a “person”, and a “persona”, taking into account input from the legal and policy community:
- Natural person: A human being…
- Person: an entity recognized by the legal system. In the context of eID, a person who can be digitally identified.
- Persona: A character deliberately assumed by a natural person
A “subject” is much broader, including things like services:
- Subject: The consumer of a digital service (a digital representation of a natural or juristic person, persona, group, organization, software service or device) described through claims.
And what about user?
- User: a natural person who is represented by a subject.
The entities that depend on identity are called relying parties:
- Relying party: An individual, organization or service that depends on claims issued by a claims provider about a subject to control access to and personalization of a service.
- Service: A digital entity comprising software, hardware and/or communications channels that interacts with subjects.
Concrete services that interact with subjects (e.g. digital entities) are not to be confused with the abstract services that constitute our model:
- Abstract services: Architectural components that deliver useful services and can be described through high level goals, structures and behaviors. In practice, these abstract services are refined into concrete service definitions and instantiations.
Concrete digital services, including both relying parties and claims providers, operate on the behalf of some “person” (in the sense used here of legal persons including organizations). This implies operations and administration:
- Administrative authority: An organization responsible for the management of an administrative domain.
- Administrative domain: A boundary for the management of all business and technical aspects related to:
- A claims provider;
- A relying party; or
- A relying party that serves as its own claims provider
There are several definitions that are necessary to understand how different pieces of the model fit together:
- ID-data base: A collection of application specific identifiers used with automatic claims approval
- Application Specific Identifier (ASID): An identifier that is used in an application to link a specific subject to data in the application.
- Security presentation: A set consisting of elements like knowledge of secrets, possession of security devices or aspects of administration which are associated with automated claims approval. These elements derive from technical policy and legal contracts of a chain of administrative domains.
- Technical Policy: A set of technical parameters constraining the behavior of a digital service and limited to the present tense.
And finally, there is the definition of what we mean by user-centric. Several colleagues have pointed out that the word “user-centric” has been used recently to justify all kinds of schemes that usurp the autonomy of the user. So we want to be very precise about what we mean in this paper:
- User-centric: Structured so as to allow users to conceptualize, enumerate and control their relationships with other parties, including the flow of information.
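To make the definitions concrete, here is an added Python walk-through that is not code from the paper, from CardSpace or from Pamelaware. It exercises the services the definitions name: a claims provider registers a subject against a primordial claim (a password verifier), exchanges that primordial claim for a security token of substantive claims, a claims transformer interprets that token and produces a second claim set, and a relying party performs claims approval before mapping the approved subject to an application-specific identifier in its ID-database. It also shows, for the personal card used in the registration steps earlier on this page, why a self-issued card presents a different identifier to every site. The token format, the shared-key HMAC signing, the PPID derivation and all names are simplifications assumed for illustration.

```python
"""Added example, not the paper's or CardSpace's code: the claims model's
services (registration, primordial and substantive claims, claims provider,
claims transformer, claims approval, ASID) plus a per-site pairwise identifier."""
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, claims: dict) -> str:
    """HMAC over a canonical encoding of the claim set (assumed token format)."""
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _verify(key: bytes, token: dict) -> bool:
    return hmac.compare_digest(_sign(key, token["claims"]), token["sig"])


class ClaimsProvider:
    """Registers subjects and exchanges a primordial claim for substantive claims."""

    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)   # issuer key known to relying parties (assumption)
        self._registry = {}                  # subject -> (salt, verifier, attributes)

    def register(self, subject: str, secret: str, attributes: dict) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
        self._registry[subject] = (salt, verifier, dict(attributes))

    def issue(self, subject: str, secret: str) -> dict:
        """Primordial claim in; security token (a set of substantive claims) out."""
        salt, verifier, attrs = self._registry[subject]
        presented = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
        if not hmac.compare_digest(presented, verifier):
            raise PermissionError("primordial claim not accepted")
        claims = {"issuer": self.name, "subject": subject, **attrs}
        return {"claims": claims, "sig": _sign(self.key, claims)}


class AgeTransformer:
    """Claims transformer: approves one substantive set and produces another."""

    def __init__(self, name: str, trusted: dict):
        self.name, self.trusted, self.key = name, trusted, secrets.token_bytes(32)

    def transform(self, token: dict, current_year: int) -> dict:
        issuer = token["claims"]["issuer"]
        if issuer not in self.trusted or not _verify(self.trusted[issuer], token):
            raise PermissionError("input claims remain in doubt")
        claims = {"issuer": self.name, "subject": token["claims"]["subject"],
                  "over_18": current_year - token["claims"]["birth_year"] >= 18}
        return {"claims": claims, "sig": _sign(self.key, claims)}


class RelyingParty:
    """Approves claims from trusted issuers and links subjects to an ASID."""

    def __init__(self, trusted: dict):
        self.trusted = trusted
        self.id_database = {}   # (issuer, subject) -> application-specific identifier

    def approve(self, token: dict) -> dict:
        """Claims approval: only approved claims drive access decisions."""
        issuer = token["claims"]["issuer"]
        if issuer not in self.trusted or not _verify(self.trusted[issuer], token):
            raise PermissionError("claims remain in doubt")
        return dict(token["claims"])

    def asid_for(self, approved: dict) -> int:
        link = (approved["issuer"], approved["subject"])
        return self.id_database.setdefault(link, len(self.id_database) + 1)


def personal_card_ppid(card_secret: bytes, site_identity: str) -> str:
    """Self-issued card: an identifier bound to the site, unlinkable across sites (assumed derivation)."""
    return hmac.new(card_secret, site_identity.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    idp = ClaimsProvider("idp.example")                       # constructed names
    idp.register("alice", "correct horse", {"birth_year": 1985})
    token = idp.issue("alice", "correct horse")               # primordial -> substantive
    transformer = AgeTransformer("age.example", {idp.name: idp.key})
    age_token = transformer.transform(token, current_year=2009)
    rp = RelyingParty({transformer.name: transformer.key})    # trusts only the transformer
    approved = rp.approve(age_token)
    try:
        rp.approve(token)                                     # raw idp token is not approved here
        raw_rejected = False
    except PermissionError:
        raw_rejected = True
    card = secrets.token_bytes(32)
    return {"over_18": approved["over_18"],
            "asid": rp.asid_for(approved),
            "same_asid_on_return": rp.asid_for(rp.approve(transformer.transform(token, 2009))),
            "raw_token_rejected": raw_rejected,
            "ppid_stable": personal_card_ppid(card, "blog.example") == personal_card_ppid(card, "blog.example"),
            "ppid_distinct": personal_card_ppid(card, "blog.example") != personal_card_ppid(card, "shop.example")}
```

Note that the relying party never sees the password: the primordial claim stays between the subject and the claims provider, while the relying party only ever decides whether to approve substantive claims from issuers it trusts, which is the separation the definitions above are meant to enforce.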
Today I am posting a new paper called, Proposal for a Common Identity Framework: A User-Centric Identity Metasystem.
Good news: it doesn’t propose a new protocol!
Instead, it attempts to crisply articulate the requirements in creating a privacy-protecting identity layer for the Internet, and sets out a formal model for such a layer, defined through the set of services the layer must provide.
The paper is the outcome of a year-long collaboration between Dr. Kai Rannenberg, Dr. Reinhard Posch and myself. We were introduced by Dr. Jacques Bus, Head of Unit Trust and Security in ICT Research at the European Commission.
Each of us brought our different cultures, concerns, backgrounds and experiences to the project and we occasionally struggled to understand how our different slices of reality fit together. But it was in those very areas that we ended up with some of the most interesting results.
Kai holds the T-Mobile Chair for Mobile Business and Multilateral Security at Goethe University Frankfurt. He coordinates the EU research projects FIDIS (Future of Identity in the Information Society), a multidisciplinary endeavor of 24 leading institutions from research, government, and industry, and PICOS (Privacy and Identity Management for Community Services). He also is Convener of the ISO/IEC Identity Management and Privacy Technology working group (JTC 1/SC 27/WG 5) and Chair of the IFIP Technical Committee 11 “Security and Privacy Protection in Information Processing Systems”.
Reinhard taught Information Technology at Graz University beginning in the mid 1970’s, and was Scientific Director of the Austrian Secure Information Technology Center starting in 1999. He has been federal CIO for the Austrian government since 2001, and was elected chair of the management board of ENISA (The European Network and Information Security Agency) in 2007.
I invite you to look at our paper. It aims at combining the ideas set out in the Laws of Identity and related papers, extended discussions and blog posts from the open identity community, the formal principles of Information Protection that have evolved in Europe, research on Privacy Enhancing Technologies (PETs), outputs from key working groups and academic conferences, and deep experience with EU government digital identity initiatives.
Our work is included in The Future of Identity in the Information Society - a report on research carried out in a number of different EU states on topics like the identification of citizens, ID cards, and Virtual Identities, with an accent on privacy, mobility, interoperability, profiling, forensics, and identity related crime.
I’ll be taking up the ideas in our paper in a number of blog posts going forward. My hope is that readers will find the model useful in advancing the way they think about the architecture of their identity systems. I’ll be extremely interested in feedback, as will Reinhard and Kai, who I hope will feel free to join into the conversation as voices independent from my own.
The recent European Identity Conference, hosted in Munich by the analyst firm Kuppinger Cole, had great content inspiring an ongoing stream of interesting conversations. Importantly, attendance was up despite the economic climate, an outcome Tim Cole pointed out was predictable since identity technology is so key to efficiency in IT.
One of the people I met in person was James McGovern, well known for his Enterprise Architecture blog. He is on a roll writing about ideas he discussed with a number of us at the conference, starting with this piece on use of Information Cards in industry verticals. James knows a lot about both verticals and identity. He has started a critical conversation, replete with the liminal questions he is known for:
‘Consider a scenario where you are an insurance carrier and you would like to have independent insurance agents leverage CardSpace for SSO. The rationale says that insurance agents have more personally identifiable information on consumers ranging from their financial information such as where they work, how much they earn, where they live, what they own to information about their medical history, etc. When they sell an insurance policy they will even take payment via credit cards. In other words, if there were a scenario where username/passwords should be demolished first, insurance should be at the top of the list.’
A great perception. Scary, even.
‘Now, an independent insurance agent can do business with a plethora of carriers who all are competitors. The ideal scenario says that all of the carriers would agree to a common set of claims so as to insure card portability. The first challenge is that the insurance vertical hasn’t been truly successful in forming useful standards that are pervasive (NOTE: There is ACORD but it isn’t widely implemented) and therefore relying on a particular vertical to self-organize is problematic.
‘The business value - while not currently on the tongues of enterprise architects who work in the insurance vertical - says that by embracing information cards, they could minimally save money. By not having to manage so many disparate password reset approaches (each carrier has their own policies for password history, complexity and expiry) they can improve the user experience…
‘If I wanted to be a really good relying party, I think there are other challenges that would emerge. Today, I have no automated way of validating the quality of an identity provider and would have to do this as a bunch of one offs. So, within our vertical, we may have say 80,000 different insurance agencies who could have their own identity provider. With such a large number, I couldn’t rely on white listing and there has to be a better way. We should of course attempt to define what information would need to be exposed at runtime in order for trust to be consumed.’
This raises the matter of how trust would be concretized within the various verticals. White listing is obviously too cumbersome given the numbers. James proposes an idea that I will paraphrase as follows: use claims transformers run by trusted entities (like state departments of insurance) to vet incoming claims. The idea would be to reuse the authorities already involved in making this kind of decision.
He goes on to examine the challenge of figuring out what identity proofing process has actually been used by an identity provider. In a paper I collaborated on recently (I’ll be publishing it here soon) we included the proofing and registration processes as one element in a chain of factors we called the “security presentation”. One of the points James makes is that it should be easy to include an explicit statement about the “security presentation” as one element of any claim-set being submitted (see James’ post for some good examples). Another is that the relying party should be able to include a statement of its security presentation requirements in its policy.
James concludes with a set of action items that need to be addressed for Information Cards to be widely used in industry verticals:
‘1. Microsoft needs to redouble its efforts to sell information cards as a business value proposition where the current pitch is towards a technical audience. It is nice that it will be part of Geneva but this means that its capabilities would be fully leveraged unless it is understood by more than folks who do just infrastructure work.
‘2. Oasis is a wonderful standards organization and can add value as a forum to organize common claims at an industry vertical level. Since identity is not insurance specific, we have to acknowledge that using insurance specific bodies such as ACORD may not be appropriate. I would be game to participate on a working group to generate common claims for the insurance vertical.
‘3. When it comes to developing enterprise applications using the notion of claims, …developers need to do a quick paradigm shift. I can envision a few of us individuals who are also book authors coming up with a book entitled: Thinking in Claims and XACML as there is no guide to help developers understand proper architecture going forward. If such a guide existed, we… (could avoid repeating) …the same mistakes of the past.
‘4. I am wildly convinced that industry analysts are having the wrong conversations around identity. Ask yourself, how many ECM systems have on their 2009 roadmap, the ability to consume a claim? How many BPM systems? In case you haven’t figured it out, the answer is a big fat zero. This says that the identity crowd is evangelizing to the wrong demographic. Industry analysts are measuring identity products what consumers really need which is to measure how many existing products can consume new approaches to identity. Does anyone have a clue as to how to get analysts such as Nick Malik, Gerry Gebel, Bob Blakely and others to change the conversation?
‘5. We need to figure out some additional identity standards that an IDP could expose to an RP to assert vetting, attestation, indemnification and other constructs to relying parties. This will require a small change in the way that identity selectors work but B2B user-centric approaches won’t scale without these approaches…’
I know some good work to formalize various aspects of the “security presentation” has been going on in one of the Liberty Alliance working groups - perhaps someone involved could post about the progress that has been made and how it ties in to some of James’ action items.
James’ action items are all good. I buy his point that Microsoft needs to take claims beyond the current “infrastructure” community - though I still see the participation of this community as absolutely key. But we need - as an industry and as individual companies - to widen the discussion and start figuring out how claims can be used in concrete verticals. As we do this, I expect to see many players, with very strong participation from Microsoft, taking the new paradigm to the “business people” who will really benefit from the technology.
When Geneva is released to manufacturing later this year, it will be seen as a fundamental part of Active Directory and the Windows platform. I expect that many programs will then start to kick in that turn up the temperature along the lines James proposes.
My only caution with respect to James’ argument is that I hope we can keep requirements simple in the first go-around. I don’t think ALL the capabilities of claims have to be delivered “simultaneously”, though I think it is essential for architects like James to understand them and build our current deliverables in light of them.
So I would add a sixth bullet to the five proposed by James, about beginning with extremely simplified profiles and getting them to work perfectly and interoperably before moving on to more advanced scenarios. Of course, that means more work in nailing the most germane scenarios and determining their concrete requirements. I expect James would agree with me on this (I guess I’ll find out, eh?…)
[By the way, James also has an intriguing graphic that appears with the piece, but doesn't discuss it explicitly. I hope that is a treat that is coming...]
Dave Kearns continues to whack me for some of my terminology in discussing data correlation. He says:
‘In responding to my “violent agreement” post, Kim Cameron goes a long way towards beginning to define the parameters for correlating data and transactions. I’d urge all of you to jump into the discussion.
‘But - and it’s a huge but - we need to be very careful of the terminology we use.
‘Kim starts: “Let’s postulate that only the parties to a transaction have the right to correlate the data in the transaction, and further, that they only have the right to correlate it with other transactions involving the same parties.” ‘
Dave’s right that this was overly restrictive. In fact I changed it within a few minutes of the initial post - but apparently not fast enough to prevent confusion. My edited version stated:
‘Let’s postulate that only the parties to a transaction have the right to correlate the data in the transaction (unless it is fully anonymized).’
This way of putting things eliminates Dave’s concern:
‘Which would mean, as I read it, that I couldn’t correlate my transactions booking a plane trip, hotel and rental car since different parties were involved in all three transactions!’
That said, I want to be clear that “parties to a transaction” does NOT include what Dave calls “all corporate partners” (aka a corporate information free-for-all!). It just means parties (for example corporations) participating directly in some transaction can correlate it with the other transactions in which they directly participate (but not with the transactions of some other corporation unless they get approval from the transaction participants to do so).
Dave argues:
‘In the end, it isn’t the correlation that’s problematic, but the use to which it’s put. So let’s tie up the usage in a legally binding way, and not worry so much about the tools and technology.
‘In many ways the internet makes anti-social and unethical behavior easier. That doesn’t mean (as some would have it) that we need to ban internet access or technological tools. It does mean we need to better educate people about acceptable behavior and step up our policing tools to better enable us to nab the bad guys (while not inconveniencing the good guys).’
To be perfectly clear, I’m not proposing a ban on technology! I don’t do banning! I do creation.
So instead, I’m arguing that as we develop our new technologies we should make sure they support the “right to correlation” - and the delegation of that right - in ways that restore balance and give people a fighting chance to prevent unseen software robots from limiting their destinies.
While I was working on the last couple of posts about data correlation, trusty old RSS brought in a corroborating piece by Colin McKay at the Office of the Privacy Commissioner of Canada. Many in the industry seem to assume people will trade any of their personal information for the smallest trinkets, so more empirical work of the kind reported here seems to be essential.
‘How comfortable, exactly, are online users with their information and online browsing habits being used to track their behaviour and serve ads to them?
‘A survey of Canadian respondents, conducted by TNS Facts and reported by the Canadian Marketing Association, reports that a large number of Canadians and Americans “(69% and 67% respectively) are aware that when they are online their browsing behaviour may be captured by third parties for advertising purposes.”
‘That doesn’t mean they are comfortable with the practice. The same survey notes that “just 33 per cent of Canadians who are members of a site are comfortable with these sites using their browsing information to improve their site experience. There is no difference in support for the use of consumers’ browsing history to serve them targeted ads, be it with the general population, the privacy concerned, or members of a site.”’
If only 33% are comfortable with sites using browsing information to improve site experience, I wonder how many will be comfortable with using browsing information to evaluate terminating people’s credit cards (see thread on Martinism)? Can I take a guess? How about 1%? (This may seem high, but I have a friend in the direct marketing world who tells me 1% of the population will believe in anything at all!) Colin continues:
‘But how much information are users willing to consciously hand over to win access to services, prizes or additional content?
‘A survey of 1800 visitors to coolsavings.com, a coupon and rebate site owned by Q Interactive, has claimed that web visitors are willing “to receive free online services and information in exchange for the use of my data to target relevant advertising to me.”
‘Now, my impression is that visitors to sites like coolsavings.com - who are actively seeking out value and benefits online - would be predisposed to believing that online sites would be able to deliver useful content and relevant ads.
‘That said, Mediapost, who had access to details of the full Q Interactive survey, cautions that users “… continue to put the brakes on hard when asked which specific information they are willing to hand over. The survey found 77.8% willing to give zip code, 64.9% their age and 72.3% their gender, but only 22.4% said they wanted to share the Web sites they visited and only 12% and 12.1% were willing to have their online purchases or the search history respectively to be shared …” ‘
I want to underline Colin’s point. These statistics come from people who actively sought out a coupon site in order to trade information for benefits! Even so, we are talking about a mere 12% who were willing to have their online purchases or search history shared. This empirically nixes the notion, held by some, that people don’t care about data correlation (an issue I promised to address in my last post).
Colin’s conclusions seem consistent with the idea I sketched there of defining a new “right to data correlation” and requiring delegation of that right before trusted parties can correlate individuals across contexts.
‘In both the TNS Facts/CMA and Q Interactive surveys, the results seem to indicate that users are willing to make a conscious decision to share information about themselves – especially if it is with sites they trust and with whom they have an established relationship.
‘A common thread seems to be emerging: consumers see a benefit to providing specific data that will help target information relevant to their needs, but they are less certain about allowing their past behaviour to be used to make inferences about their individual preferences.
‘They may feel their past search and browsing habits might just have a greater impact on their personal and professional life than the limited re-distribution of basic personal information by sites they trust. Especially if those previous habits might be seen as indiscreet, even obscene.’
Colin’s conclusion points to the need to be able to “revoke the right to data correlation” that may have been extended to third parties. It also underlines the need for a built-in scheme for aging and deletion of correlation data.
Dave Kearns’ comment in Another Violent Agreement convinces me I’ve got to apply the scalpel to the way I talk about correlation handles. Dave writes:
‘I took Kim at his word when he talked “about the need to prevent correlation handles and assembly of information across contexts…” That does sound like “banning the tools.”
‘So I’m pleased to say I agree with his clarification of today:
‘“I agree that we must influence behaviors as well as develop tools… [but] there’s a huge gap between the kind of data correlation done at a person’s request as part of a relationship (VRM), and the data correlation I described in my post that is done without a person’s consent or knowledge.” (Emphasis added by Dave)’
Thinking about this some more, it seems we might be able to use a delegation paradigm.
The “right to correlate”
Let’s postulate that only the parties to a transaction have the right to correlate the data in the transaction (unless it is fully anonymized).
Then it would follow that any two parties with whom an individual interacts would not by default have the right to correlate data they had each collected in their separate transactions.
On the other hand, the individual would have the right to organize and correlate her own data across all the parties with whom she interacts since she was party to all the transactions.
Delegating the Right to Correlate
If we introduce the ability to delegate, then an individual could delegate her right for two parties to correlate relevant data about her. For example, I could delegate to Alaska Airlines and British Airways the right to share information about me.
Similarly, if I were an optimistic person, I could opt to use a service like that envisaged by Dave Kearns, which “can discern our real desires from our passing whims and organize our quest for knowledge, experience and - yes - material things in ways which we can only dream about now.” The point here is that we would delegate the right to correlate to this service operating on our behalf.
Revoking the Right to Correlate
A key aspect of delegating a right is the ability to revoke that delegation. In other words, if the service to which I had given some set of rights became annoying or odious, I would need to be able to terminate its right to correlate. Importantly, the right applies to correlation itself. Thus when the right is revoked, the data must no longer be linkable in any way.
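The three steps above (right to correlate by default only for parties to a transaction, delegation of that right, and revocation that leaves the data unlinkable) as an added example that is not part of this post or the paper: a toy Python registry in which each party only ever sees a pairwise pseudonym for the individual, so no shared correlation handle exists by default; the individual delegates and revokes the right for two named parties to link their records, and after revocation the registry no longer answers “same person?”. The party names, the subject identifier “alice” and the HMAC-based pseudonym scheme are my assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class CorrelationRegistry:
    """Toy model of the "right to correlate" (constructed example).

    Each party only ever sees a pairwise pseudonym for the subject, so two
    parties hold no shared handle and cannot link records by default. Linking
    works only through link(), while a delegation from the subject is in force.
    """

    def __init__(self):
        self._party_keys = {}      # party -> secret key for its pseudonyms
        self._delegations = set()  # (subject, frozenset({party_a, party_b}))

    def _key(self, party):
        if party not in self._party_keys:
            self._party_keys[party] = secrets.token_bytes(32)
        return self._party_keys[party]

    def pseudonym(self, subject, party):
        """Directed identifier: the same subject looks different to each party."""
        return hmac.new(self._key(party), subject.encode(), hashlib.sha256).hexdigest()

    def own_view(self, subject, parties):
        """The individual was party to every transaction, so she may correlate all of them."""
        return {party: self.pseudonym(subject, party) for party in parties}

    def delegate(self, subject, party_a, party_b):
        """Subject grants party_a and party_b the right to correlate her data."""
        self._delegations.add((subject, frozenset({party_a, party_b})))

    def revoke(self, subject, party_a, party_b):
        """Withdraw the delegation; the pair goes back to unlinkable pseudonyms."""
        self._delegations.discard((subject, frozenset({party_a, party_b})))

    def may_correlate(self, subject, party_a, party_b):
        """A party may always correlate its own transactions; two parties need a delegation."""
        if party_a == party_b:
            return True
        return (subject, frozenset({party_a, party_b})) in self._delegations

    def link(self, party_a, pseudonym_a, party_b, pseudonym_b):
        """Answer 'same person?' for two pseudonyms, only under a live delegation."""
        pair = frozenset({party_a, party_b})
        for subject, delegated_pair in self._delegations:
            if delegated_pair != pair:
                continue
            if (hmac.compare_digest(self.pseudonym(subject, party_a), pseudonym_a)
                    and hmac.compare_digest(self.pseudonym(subject, party_b), pseudonym_b)):
                return True
        return False


def demo():
    """Delegation, then revocation, for a constructed subject 'alice'."""
    reg = CorrelationRegistry()
    alaska = reg.pseudonym("alice", "Alaska Airlines")
    ba = reg.pseudonym("alice", "British Airways")
    before = reg.link("Alaska Airlines", alaska, "British Airways", ba)  # no delegation
    reg.delegate("alice", "Alaska Airlines", "British Airways")
    during = reg.link("Alaska Airlines", alaska, "British Airways", ba)  # delegated
    reg.revoke("alice", "Alaska Airlines", "British Airways")
    after = reg.link("Alaska Airlines", alaska, "British Airways", ba)   # revoked
    return before, during, after
```

Because each party holds only its own pseudonym, the records stay unlinkable after revocation without anyone having to delete them; the registry simply stops answering.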
Forensics
There are cases where criminal activity is being investigated or proven where it is necessary for law enforcement to be able to correlate without the consent of the individual. This is already the case in western society and it seems likely that new mechanisms would not be required in a world respecting the Right to Correlate.
Defining contexts
Respecting the Right to Correlate would not by itself solve the Canadian Tire Problem that started this thread. The thing that made the Canadian Tire human experiments most odious is that they correlated buying habits at the level of individual purchases (our relations to Canadian Tire as a store) with probable behavior in paying off credit cards (Canadian Tire as a credit card issuer). Paradoxically, someone’s loyalty to the store could actually be used to deny her credit. People who get Canadian Tire credit cards do know that the company is in a position to correlate all this information, but are unlikely to predict this counter-intuitive outcome.
Those of us preferring mainstream credit card companies presumably don’t have the same issues at this point in time. They know where we buy but not what we buy (although there may be data sharing relationships with merchants that I am not aware of… Let me know…).
So we have come to the most important long-term problem: The Internet changes the rules of the game by making data correlation so very easy.
It potentially turns every credit card company into a data-correlating Canadian Tire. Are we looking at the Canadian Tirization of the Internet?
But do people care?
Some will say that none of this matters because people just don’t care about what is correlated. I’ll discuss that briefly in my next post.