About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

Advertisers

Technorati

  • Add to
Technorati Favorites

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« February 2011 | Main | April 2011 »

3 posts from March 2011

Two-faced, at the least

By Dave Birch posted Mar 22 2011 at 12:23 PM

The end of privacy is in sight, isn't it? After all, we are part of a generation that twitters and updates its path through the world, telling everyone everything. Not because Big Brother demands it, but because we want to. We have, essentially, become one huge distributed Big Brother. We give away everything about ourselves. And I do mean everything.

Mr. Brooks, a 38-year-old consultant for online dating Web sites, seems to be a perfect customer. He publishes his travel schedule on Dopplr. His DNA profile is available on 23andMe. And on Blippy, he makes public everything he spends with his Chase Mastercard, along with his spending at Netflix, iTunes and Amazon.com.

“It’s very important to me to push out my character and hopefully my good reputation as far as possible, and that means being open,” he said, dismissing any privacy concerns by adding, “I simply have nothing to hide.”

[From T.M.I? Not for Sites Focused on Sharing - NYTimes.com]

We'll come back to the reputation thing later on, but the point I wanted to make is that I think this is dangerous thinking, the rather lazy "nothing to hide" meme. Apart from anything else, how do you know whether you have anything to hide if you don't know what someone else is looking for?

To Silicon Valley’s deep thinkers, this is all part of one big trend: People are becoming more relaxed about privacy, having come to recognize that publicizing little pieces of information about themselves can result in serendipitous conversations — and little jolts of ego gratification.

[From T.M.I? Not for Sites Focused on Sharing - NYTimes.com]

We haven't had the Chernobyl yet, so I don't privilege the views of the "deep thinkers" on this yet. In fact, I share the suspicion that these views are unrepresentative, because they come from such a narrow strata of society.

“No matter how many times a privileged straight white male tech executive tells you privacy is dead, don’t believe it,” she told upwards of 1,000 attendees during the opening address. “It’s not true.”

[From Privacy still matters at SXSW | Tech Blog | FT.com]

So what can we actually do? Well, I think that the fragmentation of identity and the support of multiple personas is one good way to ensure that the privacy that escapes us in the physical world will be inbuilt in the virtual world. Not everyone agrees. If you are a rich white guy living in California, it's pretty easy to say that multiple identities are wrong, that you have no privacy get over it, that if you have nothing to hide you have nothing to fear, and such like. But I disagree. So let's examine a prosaic example to see where it takes us: not political activists trying to tweet in Iran or Algerian pro-democracy Facebook groups or whatever, but the example we touched on a few weeks ago when discussing comments on newspaper stories: blog comments.

There's an undeniable problem with people using the sort-of-anonymity of the web, the cyber-equvalent of the urban anonymity that began with the industrial revolution, to post crap, spam, abuse and downright disgusting comments on blog posts. And there is no doubt that people can use that sort-of-anonymity to do stupid, misleading and downright fraudulent things.

Sarah Palin has apparently created a second Facebook account with her Gmail address so that this fake “Lou Sarah” person can praise the other Sarah Palin on Facebook. The Gmail address is available for anyone to see in this leaked manuscript about Sarah Palin, and the Facebook page for “Lou Sarah” — Sarah Palin’s middle name is “Louise” — is just a bunch of praise and “Likes” for the things Sarah Palin likes and writes on her other Sarah Palin Facebook page

[From Sarah Palin Has Secret ‘Lou Sarah’ Facebook Account To Praise Other Sarah Palin Facebook Account]

Now, that's pretty funny. But does it really matter? if Lou Sarah started posting death threats or child pornography then, yeah, I suppose it would, but I'm pretty sure there are laws about that already. But astrosurfing with Facebook and posting dumb comments on tedious blogs, well, who cares? If Lou Sarah were to develop a reputation for incisive and informed comment, and I found myself looking forward to her views on key issues of the day, would it matter to me that she is an alter-ego. I wonder.

I agree with websites such as LinkedIn and Quora that enforce real names, because there is a strong "reputation" angle to their businesses.

[From Dean Bubley's Disruptive Wireless: Insistence on a single, real-name identity will kill Facebook - gives telcos a chance for differentiation]

Surely, the point here is that on LinkedIn and Quora (to be honest, I got a bit bored with Quora and don't go there much now), I want the reputation for work-related skills, knowledge, experience and connections, so I post with my real name. When I'm commenting at my favourite newspaper site, I still want reputation - I want people to read my comments - but I don't always want them connected either with each other or with the physical me (I learned this lesson after posting in a discussion about credit card interest rates and then getting some unpleasant e-mails from someone ranting on about how interest is against Allah's law and so on).

My identity should play ZERO part in the arguments being made. Otherwise, it's just an appeal to authority.

[From The Real “Authenticity Killer” (and an aside about how bad the Yahoo brand has gotten) — Scobleizer]

To be honest, I think I pretty much agree with this. A comment thread on a discussion site about politics or football should be about the ideas, the argument, not "who says". I seem to remember, from when I used to teach an MBA course on IT Management a long time ago, that one of the first lessons of moving to what was then called computer-mediated communication (CMC) for decision-making was that it led to better results precisely because of this. (I also remember that women would often create male pseudonyms for these online communications because research showed that their ideas were discounted when they posted as women.)

It isn't just about blog comments. Having a single identity, particularly the Facebook identity, it seems to me, is fraught with risk. It's not the right solution. It's almost as if it was built in a different age, where no-one had considered what would happen when the primitive privacy model around Facebook met commercial interests with the power of the web at their disposal.

that’s the approach taken by two provocateurs who launched LovelyFaces.com this week, with profiles — names, locations and photos — scraped from publicly accessible Facebook pages. The site categorizes these unwitting volunteers into personality types, using a facial recognition algorithm, so you can search for someone in your general area who is “easy going,” “smug” or “sly.”

[From ‘Dating’ Site Imports 250,000 Facebook Profiles, Without Permission | Epicenter | Wired.com]

Nothing to hide? None of my Facebook profiles is in my real name. My youngest son has great fun in World of Warcraft and is very attached to his guilds, and so on, but I would never let him do this in his real name. There's no need for it and every reason to believe that it would make identity problems of one form or another far worse (and, in fact, the WoW rebellion over "real names" was led by the players themselves, not privacy nuts). But you have to hand it to Facebook. They've been out there building stuff while people like me have been blogging about identity infrastructure.

Although it's not apparent to many, Facebook is in the process of transforming itself from the world's most popular social-media website into a critical part of the Internet's identity infrastructure

[From Facebook Wants to Supply Your Internet Driver's License - Technology Review]

Now Facebook may very well be an essential part of the future identity infrastructure, but I hope that people will learn how to use it properly.

George Bronk used snippets of personal information gleaned from the women’s Facebook profiles, such as dates of birth, home addresses, names of pets and mother’s maiden names to then pass the security questions to reset the passwords on their email accounts.

[From garlik - The online identity experts]

I don't know if we should expect the public, many of who are pretty dim, to take more care over their personal data or if we as responsible professionals, should design an infrastructure that at least makes it difficult for them to do dumb things with their personal data, but I do know that without some efforts and design and vision, it's only going to get worse for the time being.

"We are now making a user's address and mobile phone number accessible as part of the User Graph object,"

[From The Next Facebook Privacy Scandal: Sharing Phone Numbers, Addresses - Nicholas Jackson - Technology - The Atlantic]

Let's say, then, for sake of argument, that I want to mitigate the dangers inherent in allowing any one organisation to gather too much data about me so I want to engage online using multiple personas to at least partition the problem of online privacy. Who might provide these multiple identities? In an excellent post on this, Forum friend Dean Bubley aggresively asserts

I also believe that this gives the telcos a chance to fight back against the all-conquering Facebook - if, and only if, they have the courage to stand up for some beliefs, and possibly even push back against political pressure in some cases. They will also need to consider de-coupling identity from network-access services.

[From Dean Bubley's Disruptive Wireless: Insistence on a single, real-name identity will kill Facebook - gives telcos a chance for differentiation]

The critical architecture here is pseduonymity, and an obvious way to implement it is by using multiple public-private key pairs and then binding them to credentials to form persona that can be selected from the handset, making the mobile phone into an identity remote control, allowing you to select which identity you want to asset on a per transaction basis if so desired. I'm sure Dean is right about the potential. Now, I don't want to sound the like grumpy old man of Digital Identity, but this is precisely the idea that Stuart Fiske and I put forward to BT Cellnet back in the days of Genie - the idea was the "Genie Passport" to online services. But over the last decade, the idea has never gone anywhere with any of the MNOs that we have worked for. Well, now is the right time to start thinking about this seriously in MNO-land.

But mark my words, we WILL have a selector-based identity layer for the Internet in the future. All Internet devices will have a selector or a selector proxy for digital identity purposes.

[From Aftershocks of an untimely death announcement | IdentitySpace]

The most logical place for this selector is in the handset, managing multiple identities in the UICC, accessible OTA or via NFC. I use case is very appealing: I select 'Dave Birch' on my hansdset, tap it to my laptop and there is all of the 'Dave Birch' stuff. Change the handset selector to 'David G.W. Birch' and then tap the handset to the laptop again and all of the 'Dave Birch' stuff is gone and all of the 'David G.W. Birch' stuff is there. It's a very appealing implementation of a general-purpose identity infrastructure and it would a means for MNOs to move to smart pipe services. But is it too late? Perhaps the arrival of non-UICC secure elements (SEs) mean that more agile organisations will move to exploit the identity opportunity.

It all comes back to liability

By Dave Birch posted Mar 14 2011 at 2:23 PM

I posted about the silo-style identity and authentication schemes we have in place at the moment and complained that we are making no progress on federation. Steve Wilson posted a thoughtful reply and picked me up on a few points, such as my "idea" (that's a bit strong - more of a notion, really) of developing an equivalent of creative commons licences, a sort of open source framework. He says

CC licenses wouldn't ever be enough. Absent new laws to make this kind of grand identity federation happen, we will still need new contracts -- brand new contracts of an unusual form -- struck between all the parties.

[From comment on Digital Identity: The sorry state of id and authentication]

But isn't that what CC licences solve?

It's complicated by the fact that banks & telcos don't naturally see themselves as "identity providers", not in the open anyway

[From comment on Digital Identity: The sorry state of id and authentication]

Well, I'm doing what I can to change that (see, for example, the Visa/CSFI Research Fellowship), but on the main point I happened to be reading the notes from the EURIM Identity Governance Subgroup meeting on 23 February 2011, talking about business cases for population scale identity management systems. The notes say that

It is alleged that the only body with the remit, power and capability needed for assuring and recording a root identity through a secure and reliable registration process is Government.

The notes then go on to talk about case studies such as the Nordic bank-issued eIDs though. These arguments are to some extent circular, of course, because the e-government applications in the Nordics are using bank-issued eIDs, but the only reason that the banks can issue these eIDs is because they are using government ID as the basis for KYC. In the discussion about this at a recent roundtable in that Visa/CSFI "Identity and Financial Services" series, someone made a comment in passing (and I'm embarrassed to say that I can't remember who said this, because I noted the comment but forgot the commenter) that all of this takes places in a model absent liability. That is, as far as I understand what was said, the government accepts no liability from the banks, and vice versa. So if the bank opens an account for me Sven Birch, using a government "Sven Birch" identity, but it subsequently transpires that I am actually Theogenes de Montford, then the bank cannot claim against the government. Similarly, if I used my bank eID "Sven Birch" to access government services, but it subsequently transpires that I am actually Theogenes, then the government has no claim against the bank. (If this isn't true, by the way, I would appreciate clarification from a knowledgeable correspondent.)

So what is the situation? Must we have a liability model, or can we all agree to get along without one. Or do you have to a have a more consensual society, or perhaps one with fewer lawyers per head of population?

The sorry state of id and authentication

By Dave Birch posted Mar 9 2011 at 8:03 PM

I had a problem with my PayPal account: I used it in China, and it got blocked as the result of some kind of fraud screening.

I ended up having to promise the guys at Bike Beijing that I will sort this out when I get back to the UK and then send them their money.

[From Digital Money: Holding court]

They still haven't got their money. In order to unblock the account, you had to log in to your account and then have a code sent via your home telephone number. I clicked, the phone rang, I punched in the number and hung up. Nothing. I clicked again, the phone rang, I punched in the number and waited. Nothing. I clicked again, the phone rang, I punched in the number. After a while, I got an e-mail telling me that the authentication process had failed and so PayPal would send a letter containing some kind of code to my home address and that I could then use this code to unblock my account. It mentioned that the letter might takes six weeks to arrive.

So the nice guys at Bike Beijing still don't have their money and I'm still embarrassed.

Now, all the time that this nonsense about codes and letters was going on, I had on my desk a Barclays' PINSentry (which I can't even use to log on to Barclaycard, let alone PayPal) and a O2 mobile phone (I've been with O2 for two decades and have a billing relationship with them - their system knew that I was in China) and a keyring OTP generator that we used for our corporate VPN. Any one of these could provide a better solution then messing about typing in code numbers, but they all sit in their own silos and don't provide the kind of general-purpose services that they should.

What should have happened, of course, is that I should have been able to log in to PayPal using OpenID and then logged in to a 2FA OpenID using my (say) PINSentry. So now PayPal knows that I have been 2FA logged in from an "acceptable" source (ie, Barclays Bank) and we could move on. So why doesn't this happen? Is it because OpenID has failed?

But if OpenID is a failure, it’s one of the web’s most successful failures. OpenID is available on more than 50,000 websites. There are over a billion OpenID enabled URLs on the web thanks to providers like Google, Yahoo and AOL. Yet, for most people, trying to log in to every website using OpenID remains a difficult task, which means that while thousands of websites support it, hardly anyone uses OpenID.

[From OpenID: The Web’s Most Successful Failure | Webmonkey | Wired.com]

It can't be that. OpenID has plenty of support, and even the US government got behind it.

Who would have predicted say, 5 years ago, that you would some day be able to use commercial identities on government websites? Evidently, this raises questions about privacy and security but if these initiatives can garner enough public support, government validation of open identity frameworks could be a boon for the ecosystem of the open, distributed web. Plus, it can make dealing with the government a lot easier for you, too.

[From US Government To Embrace OpenID, Courtesy Of Google, Yahoo, PayPal Et Al.]

It's not about the technology. I make no judgement as to whether OpenID is the best technology or not (although it does actually exist, which is a good start), but the truth is that it simply doesn't matter whether it is or it isn't.

The unresolved business and legal challenges implicit in federated identity are to blame for the under-delivery of OpenID

[From OpenID, Successful Failures And New Federated Identity Options | Forrester Blogs]

Indeed they are. So the problem isn't really anything to do with OpenID, or any other framework that might come along in cyberspace, but the legal framework that it has to sit inside. This is where we need the breakthrough. We need potential identity providers (eg, Barclays, O2) to be able to set up OpenID responders for their customers inside a well-known and well-understood legal framework. Now, you can do this contractually (as IdenTrust has done), but to scale to the open web, we need something more than that, perhaps an equivalent of the "creative commons" licences that are used for content but for credentials.

Even then, would someone like PayPal rely on them? Or would it only rely on identities from regulated financial institutions in the EU? Or only such institutions that met some minimum authentication standard? We're a long way from fixing my Chinese problem, despite having all of the technology needed to do so.