Core Concepts in Identity

One of the reasons that digital identity can be such a challenging topic to address is that we all swim in the sea of identity every day. We don't think about what is really going on in the transactions, and many different aspects of a transaction can all seem to be one thing. The early Identity Gang conversations focused a lot on figuring out what some core words meant, and developed first a shared understanding and then a shared language to talk about these concepts in the community. I'm writing this post now for a few reasons. First, there is finally a conversation about taxonomy within the IDESG (yes! after over a year of being in existence it is finally happening; I recommended in my NSTIC NOI Response that it be one of the first things focused on). Secondly, I have been giving a 1/2 day and 1 day seminar about identity and personal data for several years now (you can hire me!). Recently I gave this seminar in New Zealand to top enterprise and government leaders working on identity projects, 3 times in one week. We covered:
  • The Persona and Context in Life
  • The Spectrum of Identity
  • What is Trust?
  • A Field Guide to Internet Trust
  • What is Personal Data
  • Market Models for Personal Data
  • Government Initiatives Globally in eID & Personal Data
I created a new section of this presentation to cover some core concepts that I realized needed to be fully articulated to talk about:

Identifiers (generic)

Identifiers are pointers. A description of an object and a location can be an identifier for it: "The green chair in the corner."

Names

Names are identifiers. The names of people are ways to identify them in the context of the society in which they live. Different societies have different conventions for naming people. Names are asserted by people about themselves. Some people use different names in different contexts. Names are often not unique (that is, more than one person will have the same name as another person).

Identifiers in modern systems

In modern society governments, organizations and businesses all provide services to people (citizens). If names are not unique, the builders of these systems needed to figure out how to identify people to do the record keeping. A sensible solution to this was to assign a unique identifier number to each person so that interactions between the person and the system could be correlated.

Examples: An identifier that people in the United States have to track their engagement with the pension system is the Social Security Number. It is issued or assigned to people by the Social Security Administration. Today it is common practice for this number to be issued at birth to babies born in the US. People born outside of the US who come to the country can apply to get a number.

It is normal practice to register children's births with the jurisdiction in which they are born. A form is filled out by the parents, signed by a physician and submitted. Then a birth certificate is issued. The birth certificate has a serial number on it that identifies it as a unique document. Note: Billions of people worldwide do NOT have this type of document.

Companies issue numbers to their customers to track them and their interactions with the company.
When you call a company to interact with them they ask you what your customer number is. The bar code on a loyalty card encodes a customer number, and when they scan it with a purchase that purchase is linked with prior ones.

Identifiers with End-Points (Digital Identifiers)

The above types of identifiers are issued by bureaucratic systems and point to particular people. They are however not end-points on a network. Information cannot be sent to them. The person who the identifier points at cannot do a technical authentication to prove that they are indeed at the end of the end-point to receive the information.

One type of network with end-points that we are familiar with is relatively modern but precedes electronic networks: the street address system. Integrity in this system is backed up by laws in the US that impose severe consequences for its use for fraudulent purposes. It is also illegal to open mail not addressed to you.

In electronic systems we have identifiers that point to people and are end-points. These include phone numbers, e-mail addresses, debit card numbers, employee logins, etc. Information is sent to these identifiers and access to resources is available via the end-point. To protect the information, to make sure it is only seen by the person it was for (the person that the identifier points at), and to make sure only that person can access resources, these electronic systems support the person claiming they are indeed the person that a particular identifier points at, i.e. proving they are that person. This requires that systems provide ways to do Technical Authentication (AuthN).
This can be done in a variety of ways: sharing a secret only they know (a password or PIN), sharing a changing secret that only they have access to (a code that changes on a token or in software generating a one-time password), scanning a body part to see if it matches one that was enrolled, or having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems, but they have the basic function of supporting the person who the identifier points at being able to prove to the system that they are the person a particular identifier points at.

More sophisticated systems issue both a "core" identifier that is the primary pointer at a particular person AND a different identifier that is an authentication end-point. This has an advantage: if control over the authentication end-point is lost then it can be re-issued, but the core identifier stays the same.

Attributes

Attributes are things about a person (or an entity). They include personal details like birthday, age, gender, residence, place of work, income, preferences and habits, credentials from educational institutions, and record of employment.

Claims

Claims can include identifiers (both authenticatable end-points and identifiers that are not end-points / not resolvable) and attributes.

Proofing / Verification

This is the process where certain things that you claim about yourself are checked to see if the assertions line up with how you presented yourself in the past or how facts about you were recorded in record keeping systems. One way that proofing is done is the presentation in person of formal government-issued paperwork that affirms certain claims: a birth certificate asserts a birth date; a passport asserts citizenship and has a photo asserting likeness; a driver's license has a photo for asserting likeness and a residential address (asserted by the person when getting the license). Another way to do proofing is to look up claims by people about themselves in databases managed by data brokers.

Document Validation

This is the process where documents presented can be checked to see if they are valid: that they were in fact issued by the authority and the name on the presented document matches the one on file. These are typically set up so that the person viewing a document presented by an individual can type in the document information (serial number, birthdate, name) and find out via a yes-no answer if it is a valid document. The E-Verify program for employers is a system designed to do this. It should be noted that this process does have a negative impact on transgender people in particular, who have hidden their gender at birth from their employer and who are rejected by the system when the gender they present to their employer does not match the one in the Social Security Administration records.

Enrollment

This is the process that people go through to be issued an identifier in a system. This is true for identifiers with and without an authentication end-point. What information do they need to present? How is it checked or verified? Do they need to do it in person? Does it involve the collection of a biometric (photo, fingerprint, iris scan)? The end result of an enrollment process is the issuance of an identifier and often some type of credential that can be used to authenticate into a system. For example: a student ID card at a university has a student number on it AND a magnetic stripe (with an identifier for that particular card) that can be used to authenticate the student (via swiping it in a card reader) to gain access to the dorm one lives in or the libraries on campus.
Authentication - AuthN

This is what happens after one is enrolled in a system and has an end-point that they want to use: they have to authenticate via any one of a number of methods to prove they are indeed the person who set up the account or was issued the identifier. (Repeated from above.) This can be done in a variety of ways: sharing a secret only they know (a password or PIN), sharing a changing secret that only they have access to (a code that changes on a token or in software generating a one-time password), scanning a body part to see if it matches one that was enrolled, or having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems, but they have the basic function of supporting the person who the identifier points at being able to prove to the system that they are the person a particular identifier points at.

Authorization - AuthZ

Once authentication is done in a digital system the question is what resources can be accessed and what can be done to them (just read them, read and write them, delete them): what is authorized. One way authorization is managed is by defining roles and determining access based on roles.

More definitions to come soon include: Delegation, Triangulation, Persona, Role, Context.
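The enrollment, core-identifier / authentication-end-point split, AuthN and role-based AuthZ described above, carried through as one small working model. This is an added example, not code from the original post; the subject names, e-mail addresses, roles and permissions in it are constructed for illustration.

```python
"""Added example: a toy identity system modelling the concepts above.

Enrollment issues a stable "core" identifier plus a separate, re-issuable
authentication end-point; AuthN verifies a secret bound to the end-point;
AuthZ is decided from roles. Names and permissions are constructed for the
example and are not taken from any real system.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Subject:
    core_id: str                    # primary pointer at the person; never changes
    attributes: Dict[str, str]      # things about the person (birthday, ...)
    roles: Set[str]
    endpoint: Optional[str] = None  # current authentication end-point (e.g. e-mail)


class IdentitySystem:
    # constructed role -> permission mapping for the student-card example
    PERMISSIONS = {
        "student": {"dorm:enter", "library:read"},
        "librarian": {"library:read", "library:write"},
    }

    def __init__(self) -> None:
        self._subjects: Dict[str, Subject] = {}
        # end-point -> (core_id, salt, password hash)
        self._endpoints: Dict[str, Tuple[str, bytes, bytes]] = {}

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def _bind(self, subject: Subject, endpoint: str, secret: str) -> None:
        """Bind an authentication end-point (and its secret) to a subject."""
        if endpoint in self._endpoints:
            raise ValueError("end-point already issued to someone")
        salt = os.urandom(16)
        self._endpoints[endpoint] = (subject.core_id, salt, self._hash(secret, salt))
        subject.endpoint = endpoint

    def enroll(self, attributes, roles, endpoint, secret) -> str:
        """Enrollment: issue a fresh core identifier and bind the first end-point."""
        subject = Subject(secrets.token_hex(8), dict(attributes), set(roles))
        self._bind(subject, endpoint, secret)
        self._subjects[subject.core_id] = subject
        return subject.core_id

    def authenticate(self, endpoint, secret) -> Optional[str]:
        """AuthN: prove control of the end-point; returns the core id on success."""
        record = self._endpoints.get(endpoint)
        if record is None:
            return None
        core_id, salt, stored = record
        if hmac.compare_digest(stored, self._hash(secret, salt)):
            return core_id
        return None

    def reissue_endpoint(self, core_id, new_endpoint, new_secret) -> None:
        """Control of the end-point was lost: revoke it and issue a new one.
        The core identifier, attributes and roles are untouched."""
        subject = self._subjects[core_id]
        if subject.endpoint is not None:
            del self._endpoints[subject.endpoint]
        self._bind(subject, new_endpoint, new_secret)

    def authorize(self, core_id, action) -> bool:
        """AuthZ: what may this (already authenticated) person do?"""
        subject = self._subjects.get(core_id)
        if subject is None:
            return False
        return any(action in self.PERMISSIONS.get(r, set()) for r in subject.roles)

    def subject(self, core_id) -> Subject:
        return self._subjects[core_id]


def demo() -> dict:
    """Walk through enroll -> authenticate -> authorize -> re-issue; returns results."""
    ids = IdentitySystem()
    core = ids.enroll({"name": "Alex Example"}, {"student"}, "alex@example.edu", "correct horse")
    results = {
        "login_ok": ids.authenticate("alex@example.edu", "correct horse") == core,
        "login_bad_secret": ids.authenticate("alex@example.edu", "wrong") is None,
        "can_enter_dorm": ids.authorize(core, "dorm:enter"),
        "can_write_library": ids.authorize(core, "library:write"),
    }
    ids.reissue_endpoint(core, "alex.new@example.edu", "new secret")
    results["old_endpoint_dead"] = ids.authenticate("alex@example.edu", "correct horse") is None
    results["new_endpoint_same_core"] = ids.authenticate("alex.new@example.edu", "new secret") == core
    return results


if __name__ == "__main__":
    print(demo())
```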

Anil John’s Crystal Clear Thinking about Identities, Attributes, Tokens, and Credentials

After a decade in digital identity, one of my overwhelming takeaways is that the subjects at the very heart of the field — identities, attributes, tokens, credentials — are an order of magnitude (at least) more complex than they appear to the layman.

The closest analogy is the atom — what seems so simple at a conceptual level turns out to have oceans of complexity swirling beneath it when you ask the devil for the details.

So in this field I especially prize clear thinking and modeling (I would go so far as saying that XDI would be impossible without it.)

For a shining example, look no further than Anil John’s new blog entry, A Model for Separating Token and Attribute Manager Functions. I especially like how the model reveals key differences between four different real world identity systems, including the currently popular social login model.

[Update: for the ideas leading to his model, Anil credits Andrew Hughes, Ken Dagg, David Wasley and Colin Soutar from the Kantara Identity Assurance Working Group.]


Real Names vs Nyms at Quora & Unconferences

I am again in a #nymwar [wikipedia & Botgirl's Scoop.it] situation that I actually care about. I have been denied full participation in Quora for a long long time now because my last name was listed as IdentityWoman (ironically my answer to why having control over your identity and personal data online matters did go through but then was put into suspension when they insisted on changing my name to a WASPonym).

Now there is a thread all about an unconference for women of Quora and they have mentioned both Unconference.net, my business, and She's Geeky, which I founded, in the threads. I, for this one important conversation, bow to the "feudal lord" of Quora as their humble "content producing servant" and share my so-called real name...and help them have a good unconference and raise the issues of real name requirements within the context of real human beings who engage with the site all the time, and hopefully staff as well. Until we have the freedom to choose our names for public interactions on the web - to define our own identities based on our context and how we wish to appear where - we do not live in a free society.

 

Before they "banned" me for having the wrong color skin name, I got to write an eloquent answer to this question (posted below since it isn't on their site):

Why does owning one's own online identity and personal data matter?

and it was voted to the top (with 5 votes) by others...but now that answer isn't there because I didn't use my real name.

So now you can't see it. This is akin to not letting me sit somewhere in a public space because the color of my skin is the wrong one, OR because I happen to use a wheelchair to get around and there isn't room in the restaurant, in violation of the Americans with Disabilities Act.

The women of Quora are talking about organizing an unconference and found two of my organizations/sites and are enthusiastic about them. I am totally unable to talk to them about their ideas or my sites unless I pass their "real names" test....you know, like a poll tax...that Bob and I talked about in our Cloud Identity Summit closing keynote about Identification and Social Justice (slides and videos will be online soon).

My answer to:

Why does owning one's own online identity and personal data matter?

We own our own bodies - we have freedom and autonomy to move around the physical world.  We have rights and freedoms; If our physical lives are terminated there are consequences.

In the digital world many people are not the primary "owner" of their own identity (in digital space the equivalent of a physical body is a persistent identifier like an e-mail address or a URL or phone number).  Most people's identity on the web is "under" terms and conditions of a private company and they can terminate people's accounts, their identities, without recourse.

Many companies with which people have their identities "under" choose to in exchange for providing identity provisioning services and things like e-mail. They also track and aggregate user's activities on their services and across the web via cookies and other beacons.  This profile of activity has real value and is being used by the companies to profile them and then sell abstract versions of the profile information on ad exchanges.

Some have said we live in an age of digital feudalism, where we are serfs on the lords' manors (the large web portals).

Having the freedom and autonomy to choose who we are online and how we express ourselves is important to ensuring a free society  with rights and liberty.

Adding some more: About one's social graph... The links in your social graph in the current architecture of the web exist within particular contexts - you have friends on Facebook or followers on Twitter or professional contacts on LinkedIn. Those links, those connections in a "social graph", are ultimately owned by the company within which you made those links. If you choose to leave any one of those networks, all your links to those people are terminated.

This is an architecture of control. You are locked into those systems if you don't want to lose the links to others in them. To own your own identity would be to have an identity that would give you the freedom to not lose the links to your contacts; they would be peer to peer, autonomous of any particular service.

The next time there is a major social revolution like in Egypt, governments are not going to try and turn off the internet or mobile phone system; it is likely they will simply call Facebook and ask them to terminate the accounts of dissidents.

 

 

Diagram 2.0: No hub. No center.

As I wrote here, Mary Jo Foley’s interpretation of one of the diagrams in John Shewchuk’s second WAAD post made it clear we needed to get a lot visually crisper about what we were trying to show.  So I promised that we’d go back to the drawing board.  John put our next version out on twitter, got more feedback (see comments below) and ended up with what Mary Jo christened “Diagram 2.0”.  Seriously, getting feedback from so many people who bring such different experiences to bear on something like this is amazing.  I know the result is infinitely clearer than what we started with.

In the last frame of the diagram, any of the directories represented by the blue symbol could be an on-premise AD, a Windows Azure AD, something hybrid, an OpenLDAP directory, an Oracle directory or anything else.  Our view is that having your directory operated in the cloud simplifies a lot.  And we want WAAD to be the best possible cloud directory service, operating directories that are completely under the control of their data owners:  enterprises, organizations, government departments and startups.

Further comments welcome.

Good news and bad news from Delaware Lawmakers

Reading the following SFGate story was a real rollercoaster ride: 

DOVER, Del. (AP) — State lawmakers have given final approval to a bill prohibiting universities and colleges in Delaware from requiring that students or applicants for enrollment provide their social networking login information.

The bill, which unanimously passed the Senate shortly after midnight Saturday, also prohibits schools and universities from requesting that a student or applicant log onto a social networking site so that school officials can access the site profile or account.

The bill includes exemptions for investigations by police agencies or a school’s public safety department if criminal activity is suspected.

Lawmakers approved the bill after deleting an amendment that expanded the scope of its privacy protections to elementary and secondary school students.

First of all there was the realization that if lawmakers had to draft this law it meant universities and colleges were already strong-arming students into giving up their social networking credentials.  This descent into hell knocked my breath away. 

But I groped my way back from the burning sulfur since the new bill seemed to show a modicum of common sense. 

Until finally we learn that younger children won’t be afforded the same protections…   Can teachers and principals actually bully youngsters to log in to Facebook and access their accounts?  Can they make kids hand over their passwords?  What are we teaching our young people about their identity?

Why oh why oh why oh? 

 

Identity Management As A Service

A few weeks ago at the European Identity and Cloud Conference I gave a keynote called Conflicting Visions of Cloud Identity. It was the first time that I reported publicly on the work I’ve been doing over the last year on understanding what cloud computing means for identity - and vice versa.

The keynote led to many interesting exchanges with others at the conference. The conversations ranged from violent agreement to “animated dissidence” - and most important, to the discussion of many important nuances.

It became clear to me that a lot of us involved with information technology could really benefit from an open exchange about these issues. We have the chance to accelerate and align our understanding and to explore the complexities and opportunities.

So today I’d like to take a first step in that direction and lay out a few high level ideas that I’ll flesh out more concretely in upcoming posts.  I hope these will goad some of you into elaborating, pushing back, and taking our conversation in other completely different directions.

Preparing for dramatic change

To me, the starting point for this conversation is that Identity Management and the way it is delivered will change dramatically over the next decade as organizations respond to new economic and social imperatives by adopting cloud technology.

We all need to understand this change.

Organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service - i.e. using the cloud to master the cloud.

We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.

Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

Identity Management As A Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.

Redefining Identity Management

The term “Identity Management” will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world.  This is so profound that it constitutes a “reset”.

As a category, Identity Management will expand to encompass all aspects of identity:

  • registration of people, organizations, devices and services;
  • management of credentials;
  • collection and proofing of attributes;
  • claims issuance;
  • claims acceptance;
  • assignment of roles;
  • management of groups;
  • cataloging of relationships;
  • maintenance of personalization information;
  • storage and controlled publication of information through directory;
  • confidential auditing; and
  • assurance of compliance.

The baseline capability of Identity Management will be to enhance the security and privacy of both organizations and individuals.

There will be a new market of next-generation identity management service providers with characteristics shaped by the importance of identity for both the protection of assets and the enhancement of relationships as we enter the era of the social enterprise.

Meanwhile, the current market for identity management products will be challenged by the simplification, cost reduction and increased innovation possible in the cloud.

Going forward, the term Identity Management As A Service will come up so often that we need an acronym.  For the time being I’m going to adopt the one my friend Eric Norlin proposed over six years ago: IDMaaS. While we’re at it, it is worth looking at Eric’s prescient article in ZDNet - he wrote it back in 2006 when he was a partner at Digital ID World. Eric reports on a conversation where Jamie Lewis (then CEO of the Burton Group) argued that “companies would find identity data too important to hand over to others” - a view that certainly described the way enterprises felt at that time.  These issues are still critically important, though many profound evolutions have, I think, transformed the variables in the equations.  These new variables will be ones we want to drill into going forward.

Microsoft and IDMaaS

One of the reasons I want to share my thoughts about Identity Management as a Service now is that they constitute part of the theoretical framework that lies behind many of the decisions about the kind of organizational identity service we at Microsoft are offering. 

I’m therefore really excited to say that today we are able to start bringing you up to speed on exactly what that is.  Here’s a quote from today’s blog post by my close colleague and friend John Shewchuk, the Technical Fellow who plays a key role in getting our cloud identity offering engineered right: 

What is Windows Azure Active Directory?

We have taken Active Directory, a widely deployed, enterprise-grade identity management solution, and made it operate in the cloud as a multitenant service with Internet scale, high availability, and integrated disaster recovery.

Since we first talked about it in November 2011, Windows Azure Active Directory has shown itself to be a robust identity and access management service for both Microsoft Office 365 and Windows Azure–based applications.

In the interim, we have been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.

The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization’s Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within your organization, the Active Directory service that is available through Windows Azure is your organization’s Active Directory. Because it is your organization’s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn’t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud.

Meanwhile, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your information.

John’s post is called Reimagining Active Directory for the Social Enterprise.  It’s done in two parts, and following that John will join into our broader conversation about the identity management reset.   I hope the combination of our two blogs can help animate an industry-wide discussion while providing a specific channel through which people can get the information they need about Microsoft’s identity service offering.

Later this week:  The Changing Model of Identity Management.  I hope to see you there.

 

Recent Activity Pt 4: Europe Week 1

Week one in Europe was busy. The day I arrived Esther picked me up and we headed to Qiy's offices, where I got to run into John Harrison, who I last saw a year ago at IIW Europe. He is organizing a consortium to go in for FP-7 money (80 million) put out for projects around Identity in the European Union.

Wednesday, Nov 9th, was Identity.Next, convened by Robert; it was great, bringing people together from across Europe. 1/2 the day was a regular conference and 1/2 the day was an UnConference that I helped facilitate.  I ran a session about personal data and we had a good conversation.  I also learned about a German effort that seemed promising - Pidder - their preso in The Hague

November 10th I headed to London for New Digital Economics EMEA along with Maarten from Qiy.  It was fantastic to be on stage with 5 different start-up projects all doing Personal Data along with one big one :)

It was clear that the energy in the whole space had shifted beyond the theoretical and the response from the audience was positive.  I shared the landscape map we have been working on to explain elements of the overall ecosystem.

Digital Death Day was November 11th in Amsterdam. It was small but really good, with myself, Stacie and Tamara organizing.  We had a small group that included a funeral director and a whole group from Ziggur. We were sponsored by the company formerly known as DataInherit - they changed their name to SecureSafe. Given that Amsterdam is closer than California to Switzerland we were hoping they would make it given their ongoing support...alas not this year.

One of the key things to come out of the event was an effort to unite the technology companies working on solutions in this area around work to put forward the idea of a special OAuth token for their kind of services perhaps also with a "Trust Framework" that could use the OIX infrastructure.

It was also inspiring to have two young developers attend.

  • Leif Ekas  travelled from Norway - I had met him this summer in Boston when he was attending summer school at BU and working on his startup around aspects of digital death.
  • Sebastian Hagens - Sebastix
It made me wish Markus had made it there from Vienna.
When I was at TEDx Brussels I was approached by another young developer, Tim De Conick (well, more accurately a visionary), who got some amazing code written - WriteID.
Given the energy last summer at the Federated Social Web Summit and these new efforts that could all be connected together and made interoperable, I think there is critical mass for a developer / hacker week for Personal Data in Europe this Spring or Summer, and I am keen to help organize it.

Disintermediation: an Amazon parable

New York Times Technology ran a story yesterday about the publishing industry that is brimming with implications for almost everyone in the Internet economy.  It is about Amazon and what marketing people call “disintermediation”.  Not the simple kind that was the currency of the dot.com boom;  we are looking here at a much more advanced case:

SEATTLE — Amazon.com has taught readers that they do not need bookstores. Now it is encouraging writers to cast aside their publishers.

Amazon will publish 122 books this fall in an array of genres, in both physical and e-book form. It is a striking acceleration of the retailer’s fledgling publishing program that will place Amazon squarely in competition with the New York houses that are also its most prominent suppliers.

It has set up a flagship line run by a publishing veteran, Laurence Kirshbaum, to bring out brand-name fiction and nonfiction…

Publishers say Amazon is aggressively wooing some of their top authors. And the company is gnawing away at the services that publishers, critics and agents used to provide…

Of course, as far as Amazon executives are concerned, there is nothing to get excited about:

“It’s always the end of the world,” said Russell Grandinetti, one of Amazon’s top executives. “You could set your watch on it arriving.”

But despite the sarcasm, shivers of disintermediation are going down the spines of many people in the publishing industry:

“Everyone’s afraid of Amazon,” said Richard Curtis, a longtime agent who is also an e-book publisher. “If you’re a bookstore, Amazon has been in competition with you for some time. If you’re a publisher, one day you wake up and Amazon is competing with you too. And if you’re an agent, Amazon may be stealing your lunch because it is offering authors the opportunity to publish directly and cut you out.” [Read whole story here.]

If disintermediation is something you haven’t thought about much, you might start with a look at wikipedia:

In economics, disintermediation is the removal of intermediaries in a supply chain: “cutting out the middleman”. Instead of going through traditional distribution channels, which had some type of intermediate (such as a distributor, wholesaler, broker, or agent), companies may now deal with every customer directly, for example via the Internet. One important factor is a drop in the cost of servicing customers directly.

Note that the “removal” normally proceeds by “inserting” someone or something new into transactions.  We could call the elimination of bookstores “first degree disintermediation” - the much-seen phenomenon of replacement of the existing distribution channel.   But it seems intuitively right to call the elimination of publishers “second degree disintermediation” - replacement of the mechanisms of production, including everything from product development through physical manufacturing and marketing, by the entities now predominating in distribution.  

The parable here is one of first degree disintermediation “spontaneously” giving rise to second degree disintermediation, since publishers have progressively less opportunity to succeed in the mass market without Amazon as time goes on.  Of course nothing ensures that Amazon’s execution will cause it to succeed in a venture quite different from its current core competency.  But clearly the economic intrinsics stack the deck in its favor. Even without displacing its new competitors it may well skim off the most obvious and profitable projects, with the inevitable result of underfunding what remains.

I know.  You’re asking what all this has to do with identityblog.

In my view, one of the main problems of reusable identities is that in systems like SAML, WS-Federation and Live ID, the “identity provider” has astonishing visibility onto the user’s relationship with the relying parties (i.e. the services that reuse the identity information it provides).  Not only does the identity provider know which consumers are visiting which services; it knows the frequency and patterns of those visits.   If we simply ignore this issue and pretend it isn’t there, it will become an Achilles heel.

Let me fabricate an example so I can be more concrete.  Suppose we arrive at a point where some retailer decides to advise consumers to use their Facebook credentials to log in to its web site.  And let’s suppose the retailer is super successful.  With Facebook’s redirection-based single sign-on system, Facebook would be able to compile a complete profile of the retailer’s customers and their log-on patterns.  Combine this with the intelligence from “Like” buttons or advertising beacons and Facebook (or equivalent) could actually mine the profiles of users almost as effectively as the retailer itself.  This knowledge represents significant leakage of the retailer’s core intellectual property - its relationships with its customers.

All of this is a recipe for disintermediation of the exact kind being practiced by Amazon, and at some point in the process, I predict it will give rise to cases of spine-tingling that extend much more broadly than to a single industry like publishing. 

By the time this becomes obvious as an issue we can also predict there will be broader understanding of “second degree disintermediation” among marketers.  This will, in my view, bring about considerable rethinking of some current paradigms about the self-evident value of unlimited integration into social networks.  Paradoxically disintermediation is actually a by-product of the privacy problems of social networks.  But here it is not simply the privacy of end users that is compromised, but that of all parties to transactions. 

This problem of disintermediation is one of the phenomena leading me to conclude that minimal disclosure technologies like U-Prove and Idemix will be absolutely essential to a durable system of reusable identities.  With these technologies, the ability of the identity provider to disintermediate is broken, since it has no visibility onto the transactions carried out by individual users and cannot insert itself into the relationship between the other parties in the system. 

Importantly, while disintermediation becomes impossible, it is still possible to meter the use of credentials by users without any infringement of privacy, and therefore to build a viable business model.
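To make the two architectures contrasted above concrete (the redirection-based SSO of the earlier paragraphs versus the minimal-disclosure model of the last two), here is an added toy model of who learns what; it is illustration code written for this page, not code from identityblog, U-Prove or Idemix, and it models the cryptography only as "the issuer is not on the path at presentation time". All users, relying parties and timestamps are constructed sample data, and the batch-issuance metering scheme is an assumption of the example.

```python
"""Added illustration: what an identity provider can reconstruct from its own
logs under (1) redirection-based SSO and (2) minimal-disclosure credentials.
Everything here is constructed sample data, not a real protocol implementation.
"""
from collections import Counter, defaultdict


class RedirectSsoIdP:
    """SAML / WS-Federation style IdP: the relying party (RP) redirects the user
    here and the request names the RP, so every visit lands in the IdP log."""

    def __init__(self, name):
        self.name = name
        self.log = []

    def authenticate(self, user, rp, when):
        # The AuthnRequest identifies the RP and the assertion's Audience must
        # name it, so the IdP necessarily records (user, rp, time).
        self.log.append({"event": "authn", "user": user, "rp": rp, "time": when})
        return {"subject": user, "audience": rp, "issuer": self.name}


class MinimalDisclosureIdP:
    """U-Prove / Idemix style issuer, simplified (assumption of this example):
    the user obtains a batch of single-use tokens up front; presentations later
    happen between user and RP with the issuer off the path."""

    def __init__(self, name):
        self.name = name
        self.log = []

    def issue(self, user, count, when):
        # The issuer sees only that it issued `count` tokens to `user`.
        self.log.append({"event": "issue", "user": user, "count": count, "time": when})
        # Tokens name the issuer, not the holder; presentations are assumed
        # unlinkable, which is what the real cryptography provides.
        return [{"issuer": self.name, "spent": False} for _ in range(count)]


def present(tokens, rp):
    """User presents one unspent token to an RP. The issuer is never contacted."""
    for token in tokens:
        if not token["spent"]:
            token["spent"] = True
            return {"issuer": token["issuer"], "audience": rp}
    raise ValueError("no unspent tokens; the user must return to the issuer")


def profile_from_idp_log(log):
    """What the IdP can reconstruct about user/RP relationships: per user,
    which RPs were visited and how often (the 'frequency and patterns')."""
    profile = defaultdict(Counter)
    for entry in log:
        if entry["event"] == "authn":
            profile[entry["user"]][entry["rp"]] += 1
    return {user: dict(counts) for user, counts in profile.items()}


def metering_from_idp_log(log):
    """Billable usage visible to the IdP: logins, or tokens issued, per user.
    With minimal disclosure this is all it sees; there are no RP names."""
    usage = Counter()
    for entry in log:
        if entry["event"] == "authn":
            usage[entry["user"]] += 1
        elif entry["event"] == "issue":
            usage[entry["user"]] += entry["count"]
    return dict(usage)


def run_scenario():
    """Constructed scenario: alice and bob log in to a retailer and a bank."""
    visits = [("alice", "retailer.example", 1), ("alice", "retailer.example", 2),
              ("alice", "bank.example", 3), ("alice", "retailer.example", 4),
              ("bob", "bank.example", 5)]

    sso = RedirectSsoIdP("sso-idp.example")
    for user, rp, when in visits:
        sso.authenticate(user, rp, when)

    issuer = MinimalDisclosureIdP("issuer.example")
    wallets = {"alice": issuer.issue("alice", 4, 0), "bob": issuer.issue("bob", 1, 0)}
    for user, rp, _ in visits:
        present(wallets[user], rp)   # issuer sees nothing here

    return {
        "sso_profile": profile_from_idp_log(sso.log),
        "sso_metering": metering_from_idp_log(sso.log),
        "md_profile": profile_from_idp_log(issuer.log),
        "md_metering": metering_from_idp_log(issuer.log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Both identity providers can bill the same number of credential uses per user, but only the redirection-based one can say which relying parties each user has a relationship with.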

I hope to write more about this going forward, and show concretely how this can work.

Is Google+ being lynched by outspoken users upset by its real names policy?

Following my post yesterday Google+ says your name is "Toby" not "Kunta Kinte", I chronicled tweets from this morning's back and forth with Tim O'Reilly and Kevin Marks, Nishant Kaushik, Phil Hunt, Steve Bogart and Suw Charman-Anderson.

I wrote the original post after watching the Bradley Horwitz (@elatable) - Tim O'Reilly (@timoreilly) interview re: Google+. I found Tim's choice of words about the tone (strident) and judgement (self-righteous) towards those standing up for their freedom to choose their own names on the new social network being rolled out by Google, the internet's predominant search engine, disappointing.  His response to my post was to call me self-righteous and reiterate that this was just a market issue.

I myself have been the victim of a Google+ suspension since July 31st, and yesterday I applied for a mononym profile (which is what it was before they insisted I fill out my last name, which I chose to do with my online handle and real-life identity "Identity Woman").

In the thread this morning Tim said that the kind of pressure being aimed at Google is way worse than anything they are doing and that in fact Google was the subject of a "lynch mob" by these same people.  Sigh, I guess Tim hasn't read much history, but I have included some quotes from and links to Wikipedia for additional historical context.

Update: inspired in part by this post, an amazing post "about tone" as a silencing/ignoring tactic when difficult, uncomfortable challenges are raised in situations of privilege was written by Shiela Marie.

I think there is a need for greater understanding all around and that perhaps blogging and tweeting isn't really the best way to address it.  I know that in the identity community, once we first started meeting one another in person and really having deep dialogues in analogue form, deeper understanding emerged.  IIW, the place we have been gathering for 6 years and talking about the identity issues of the internet and other digital systems, is coming up in mid-October and all are welcome.  The agenda is created live the day of the event and all topics are welcome.

Here's the thread... (oldest tweets first)

Note all the images of tweets in this thread are linked to the actual tweet (unless they erased the tweet).


Steve, thanks for highlighting the bizarre choice to use a "lynch mob" as the metaphor to describe what is happening to Google around this issue.

From Wikipedia: Lynching is an extrajudicial execution carried out by a mob, often by hanging, but also by burning at the stake or shooting, in order to punish an alleged transgressor, or to intimidate, control, or otherwise manipulate a population of people.... Lynchings have been more frequent in times of social and economic tension, and have often been means used by the politically dominant population to oppress social challengers. 

The article on Lynch Mobs is part of the Discrimination set of articles in Wikipedia. Within sociology, 'discrimination' is the prejudicial treatment of an individual based on their membership in a certain group or category. Discrimination is the actual behavior towards members of another group. It involves excluding or restricting members of one group from opportunities that are available to other groups. An individual need not be actually harmed in order to be discriminated against. He or she just needs to be treated worse than others for some arbitrary reason.


From the Wikipedia article on Oppression: Indirect oppression is oppression that is effected by psychological attack, situational constraints or other indirect means. It has been a popular tactic practiced in single power, power monopoly or other authoritarian or totalitarian regimes.

The point I was making with my previous post Google+ says your name is "Toby" not "Kunta Kinte" is that Google is being discriminatory and oppressive towards people who refuse to use their "wallet names" and who choose to go by pseudonyms.  Which party in this situation is really acting like a lynch mob?

As I said in my previous post, the tone of those who are suffering at the hands of this policy implemented by THE dominant search utility on the web is loud, shrill, piercing, high-pitched and rough sounding, and I imagine it is heard by those within Google who are receiving it as grating and obnoxious. Rather than empathizing with the human pain and suffering that is reflected in the tone, Tim and others are just dismissing them and their concerns.  Here is one of the clearest posts by someone very affected by what Google is doing: To those who say they "don't get it"...(Google, G+, etc)


Really? Google+ is effectively lynching, that is killing, the digital personas of people whose names don't conform to its policies. So what is not extreme about that? Is there a middle ground when you feel your digital life is threatened? Of course the reaction of people has some edge to it, because people feel that the digital identifier that is the anchor for their "digital body" could be terminated, which puts their digital lives at risk.  They are being a bit shrill when they talk about the issues because they are deeply personal and have real impact on their lives, because it impacts their ability, their freedom, to communicate.


To close, Doc Searls has a great post up about what this might all really be about Circling Around your Wallet.


Google+ says your name is "Toby" NOT "Kunta Kinte"

This post is about what is going on at a deeper level when Google+ says your name is "Toby" NOT "Kunta Kinte". The punchline video is at the bottom; feel free to scroll there and watch if you don't want to read too much.

This whole line of thought to explain to those who don't get what is going on with Google+ names policy arose yesterday after I watched the Bradley Horwitz - Tim O'Reilly interview (they start talking about the real names issue at about minute 24).

More on my personal Google+ suspension that continues to Day 29.

Tim is struck by the Steve Jobs element of how Bradley and Google are talking about designing for the way the world will be, not how it is....implying and even explicitly saying that in the future we will just all use our real names for everything, so let's get started doing that now. :)   - you know, the happy future vision of benevolent design choices by humans of large corporate-controlled digital systems.  Yes, many Googlers like Chris Messina, who used to have the online handle "Factory Joe", made the conscious choice to bring it together with his "real name". For him the cost-benefit trade-off was such that he decided it was no longer worth it. Totally fine choice for him. What is at issue is when his choice becomes all of our choice because he and others like him have the power to decide for all of us.

Young men like Chris have a lot of privilege in the world and they can do things/make choices that others have less freedom (privilege) to make without those choices affecting their lives in material ways (chances of employment, social acceptance between different contexts with different norms, having accepting family members who are not bigoted against their personal life choices).  I thought that one of the things Chris got from his years dating Tara Hunt was more of a clue about the issues that women and others who are not young white straight monogamous men living in western liberal democracies and liberal metropolises face. His posts on the topic include the following, but somehow...I guess he still doesn't get this issue in relation to Google (maybe he does, but it seems like people who work at Google stop blogging upon their date of employ, and Google employees who have spoken up on the issue have been gagged).

* Kirrily Robert: Standing out in the Crowd where he highlights these posts

  • Recruit diversity
  • Say it. Mean it.
  • Tools. (Tools are easy.)
  • Transparency.
  • Don’t stare.
  • Value all contributions.
  • Call people on their crap.
  • Pay attention.

* Future of the White Boys Clubs

* Future of White Boys’ Clubs Redux #fowaspeak

Fundamentally, technology systems and techno-social systems are created by people making choices, AND it is at this time in the history of the web that we as a culture and society get to choose the range of options available for human expression of identity online.  IF THE PEOPLE WHO HAVE ALL THE POWER to make this choice in these digital systems have the demographic profile of Brad and Tim then we will get one outcome - it will favor them and their world view and exclude others who are different (à la the very long list of people negatively affected by real names policies). It is an abuse of power, as danah boyd eloquently explains on her blog.

Tim goes on to say (at min 28) that his own reaction to "some of the strident calls for you guys [Google+] to change what you are doing" led him to the conclusion "give me a break, let's try some different things, let's figure out what we learn from them..the market will tell you what it really demands".

Let's look at this more deeply - Tim's specific labeling of the resistance to the policies as "strident" is coming from a position of power and privilege that is judging these people in a way that demeans what they are saying.

From Wiktionary: Strident

  1. Loud; shrill, piercing, high-pitched; rough-sounding
    The trumpet sounded strident against the string orchestra.
  2. Grating or obnoxious
    The artist chose a strident mixture of colors.

Because the opposition is so sharp and clear - people are speaking up in shrill, piercing, "high-pitched" ways because they are being hurt so badly and deeply by the requirement for real names and how suspensions are being handled.  The words of these people are being heard by Tim and others in power as grating and obnoxious because they aren't supposed to speak up...they should just accept what is happening to them, right?

One response that Google+ leadership and technology leaders like Tim O'Reilly could have is to be empathetic, to look inward and connect to the human beings speaking and say something like:

Wow, we had no understanding of how "unfree" some people feel online and in our society broadly.

We had no idea how many different kinds of people (who are not like us) are affected by real names policies.

We didn't really realize they existed, or had any needs different from ours, and how can we struggle with them to make a more just society so they are not affected negatively if they are out/public about those things.

In the meantime let's really listen and get that they have real and valid needs for safety and the right to express themselves, and let's not ban them from our services for their choice not to use their real name.

Instead Tim and others are dismissing the real hurt and anguish being felt by people, saying they are being "strident" for speaking up for their right to pick their own name, and are for Google's continued insistence that it has the right to decide what an acceptable name is for people.

This is about power and those who speak up to it being judged and labeled negatively for doing so. I asked on Twitter yesterday if women suffragettes were strident, and were the Stonewall rioters and the subsequent movement for gay rights strident? Yes they were! They were standing up for what was right and against an unjust social system that was harmful to people.  I am concerned about the rights and freedoms of nyms both because people have personal life issues they want to be free to create accounts to express/deal with AND because they have political beliefs they want to share.

Imagine if the people who were standing up and organizing for gay rights in the 60's and 70's had digital tools to do so, and imagine all the major places where public discourse about this happened were online social spaces where "real names" were required, and imagine that all of their families and employers would therefore know about their status as a GAY (LGBTQ) PERSON. Do you think we would have had the gay rights movement? Do you think it would have been possible? Do you think that enough people would have stood up knowing they would be laid off, fired, blackballed, told their kids couldn't play with the neighbor kids?

Many groups who are systemically and socially oppressed (yes, in our modern liberal democracy there is lots of oppression going on) fear to speak up TODAY about the issues going on in the system that affect them.  Many people who have ideas that would transform the social order but challenge power will fear speaking up about these new ideas if all speech in online public fora must be linked to real names seen by their real employers who could really fire/let them go.

Unless we embed the freedom to have pseudonymous speech in major online social spaces where serious public/political dialogue occurs then we risk not having a free society any more.  Free meaning the freedom to challenge injustice the freedom to seek greater accountability by those in power (government and corporate), to open up the systems that run our society.

Over the course of yesterday I continued to think more about the deeper nature of the issues going on and the fundamental nature of the power we have to name ourselves and what it means to have this freedom.  I remembered the series Roots and suggested that young Googlers rent it from/watch it on Netflix and then have dialogues about privilege and oppression.

For those of you who didn't watch it in the 70's (I was born in the 70's so didn't watch it then either), it is the story of Alex Haley's black family, descended from a man who was stolen from his village in Africa and brought to America as a slave. He is very clear on his identity, who he is: he is a Mandinka warrior and his name is Kunta Kinte.  One of the first things his white slave owner Master Reynolds does is rename him Toby.  He refuses to accept this new name, this identity that they have said he must take on...he does eventually accept the name, but only after great human suffering inflicted by his master to get him to comply with his wishes.

This is the short version:

"Bonus suppression" Google runs YouTube and they took the clip of the movie scene down for "inappropriate nudity or sexual" - it has neither, it just made a dramatic point and made them look bad. In the clip Kunta Kinte is facing the camera with part of his chest showing being whipped from behind by a white man who is working for the slaveowner until he breaks. After repeating his name is Kunta Kinte when asked what his name is, he finally says... it is Toby. 

For slightly more context for the scene this is 8 min.

I highly recommend watching the WHOLE movie if you haven't seen it.

Just to be really clear for those of you who might not be tracking the point I am making. I and the other people in Google+ who choose to have handles/nyms that are persistent and that we are known by but are being rejected by Google+ are Kunta Kinte and the Google+ name police is the slave owner whipping him until he submits to calling himself Toby.

Metaphorically this IS what is going on.  "Yes" I and other people who use handles and use nyms have a choice "not to use the service" - we are technically "not slaves" like Toby is. However we have already been using Google e-mail and other services for years with the names we chose - in changing the rules on the Google plantation they have undermined the social contract that it had with existing users. Google is a major forum for expression of ideas and is THE dominant search engine (one could argue monopolistic search engine). It will be using people's +1's to determine search results and these will shape public discourse.

Many different people are now fearful of speaking up in Google+ about these issues (even if they are not affected) because they fear they will be affected (having their access to their accounts turned off). Just look at what has happened: Google+ turned off Violet Blue's profile knowing full well it was her real name, and people, rightly so, imagine this is because she was speaking out for those who were suspended and could not speak.

Back to what Tim said above - he says that "the market will decide" these things. The core issues here are freedom of speech and power within the social sphere not about "the market". It is about what is right and just in a society. The market decided that it was ok to do slavery for hundreds of years, the market decided that it was ok to discriminate systematically against black people with Jim Crow laws and the market decided it was ok to discriminate against women in professional fields like law and medicine until things changed in the 60's.

Continuing the quotes from Tim: "let the arguments be from efficacy, not from self righteousness"

Let me ask you this Tim: Was Kunta Kinte being self righteous to insist on his own choice of his own name?

Update:

Tim thinks that I am being self-righteous for even asking this question. He agrees with me that Kunta Kinte is not self-righteous to stand up for his name but adds that I am self-righteous to ask this question, which in this post was explicitly drawing the analogy between Kunta Kinte's struggle for his right to assert his own identity and mine, along with others with handles and nyms, in relationship to Google+. The fact that he is judging us as being "self-righteous" kinda proves my point that we are challenging the power and authority of the system and being judged negatively by the powers that be for doing so.

Tim thinks that this issue is just a matter for the market to decide. Sadly he doesn't see it as the silencing of voices and the inability for those who are not as privileged as he is to speak with their own voice on the Google platform the dominant search utility for the web.

In the morning there was a whole much longer set of Twitter responses kicked off by Kevin Marks and going back and forth with Tim O'Reilly and others.

Update: inspired in part by this post, an amazing post "about tone" as a silencing/ignoring tactic when difficult, uncomfortable challenges are raised in situations of privilege was written by Shiela Marie.

Let's try going with the Mononym for Google+

Seeing that Google+ is approving mononyms for some (Original Sai, on the construction of names Additional Post) but not for others (Original Stilgherrian Post Update post), I decided to go in and change my profile basically back to what it was before all this started.  I put a ( . ) dot in the last name field.  In my original version of my Google profile my last name was a * and when they said that was not acceptable I put my last name as my online handle "Identity Woman".

So just now, as I put a ( . ) for a last name, I was told that a ( . ) didn't meet the real names policy and I could appeal, so I did. There is no text field where you can explain yourself - you can only submit your "Identification Documents" and "Links" to prove your identity.  This lack of ability to actually communicate/talk in a human way with the people who are making these decisions is really alienating. I did put a link to this blog post so we shall see.

I really don't want to use or need a last name. I have yet to meet anyone with my name IRL (In Real Life) and it is very uncommon. If you search for Kaliya in Google, I am all over the front page as Identity Woman along with the mythical Hindu sea serpent that I share a name with.

I refuse to headline my "real" last name; it is not "mine" and I identify with it as an "other" name.  I am fine with it being on my driver's license and passport but it is not what I want at the top of MY PROFILE in Google at the heart of the social web as it relates to "me", the "real me", not the one on my legal paperwork.

At the heart of User-Centric identity is the freedom to choose one's name and this choice of mine is mine to make not Google's. We shall see how this goes over.

Here is my next post about:

1) the broader political meanings of all of this: Google+ says your name is "Toby" NOT "Kunta Kinte"


Here are the previous posts about interacting with the Google+ name police:

* Google+ and my "real" name: Yes, I'm Identity Woman August 1

* Nymwars: IRL on Google's Lawns. August 5th

* Google+ Suspension saga continues. August 9, 2011.


Robots reshaping social networks

In May I was fascinated by a story in the Atlantic on The Ecology Project - a group “interested in a question of particular concern to social-media experts and marketers: Is it possible not only to infiltrate social networks, but also to influence them on a large scale?”

The Ecology Project was turning the Turing Test on its side, and setting up experiments to see how potentially massive networks of “SocialBots” (social robots) might be able to impact human social networks by interacting with their members.  

In the first such experiment it invited teams from around the world to manufacture SocialBots  and picked 500 real Twitter users, the core of whom shared “a fondness for cats”.  At the end of their two-week experiment, network graphs showed that the teams’ bots had insinuated themselves strikingly into the center of the target network.

The Web Ecology Blog summarized the results this way:

With the stroke of midnight on Sunday, the first Socialbots competition has officially ended. It’s been a crazy last 48 hours. At the last count, the final scores (and how they broke down) were:

  • Team C: 701 Points (107 Mutuals, 198 Responses)
  • Team B: 183 Points (99 Mutuals, 28 Responses)
  • Team A: 170 Points (119 Mutuals, 17 Responses)

This leaves the winner of the first-ever Socialbots Cup as Team C. Congratulations!

You also read those stats right. In under a week, Team C’s bot was able to generate close to 200 responses from the target network, with conversations ranging from a few back and forth tweets to an actual set of lengthy interchanges between the bot and the targets. Interestingly, mutual followbacks, which played so strong as a source for points in Round One, showed less strongly in Round Two, as teams optimized to drive interactions.

In any case, much further from anything having to do with mutual follows or responses, the proof is really in the pudding. The network graph shows the enormous change in the configuration of the target network from when we first got started many moons ago. The bots have increasingly been able to carve out their own independent community — as seen in the clustering of targets away from the established tightly-knit networks and towards the bots themselves.

The Atlantic story summarized the implications this way:

Can one person controlling an identity, or a group of identities, really shape social architecture? Actually, yes. The Web Ecology Project’s analysis of 2009’s post-election protests in Iran revealed that only a handful of people accounted for most of the Twitter activity there. The attempt to steer large social groups toward a particular behavior or cause has long been the province of lobbyists, whose “astroturfing” seeks to camouflage their campaigns as genuine grassroots efforts, and company employees who pose on Internet message boards as unbiased consumers to tout their products. But social bots introduce new scale: they run off a server at practically no cost, and can reach thousands of people. The details that people reveal about their lives, in freely searchable tweets and blogs, offer bots a trove of personal information to work with. “The data coming off social networks allows for more-targeted social ‘hacks’ than ever before,” says Tim Hwang, the director emeritus of the Web Ecology Project. And these hacks use “not just your interests, but your behavior.”

A week after Hwang’s experiment ended, Anonymous, a notorious hacker group, penetrated the e-mail accounts of the cyber-security firm HBGary Federal and revealed a solicitation of bids by the United States Air Force in June 2010 for “Persona Management Software”—a program that would enable the government to create multiple fake identities that trawl social-networking sites to collect data on real people and then use that data to gain credibility and to circulate propaganda.

“We hadn’t heard of anyone else doing this, but we assumed that it’s got to be happening in a big way,” says Hwang. His group has published the code for its experimental bots online, “to allow people to be aware of the problem and design countermeasures.”

The Ecology Project source code is available here.  Fascinating.  We’re talking very basic stuff that nonetheless takes social engineering in an important and disturbingly different new direction.

As is the case with the use of robots for social profiling, the use of robots to reshape social networks raises important questions about attribution and identity (the Atlantic story actually described SocialBots as “fake identities”).  

Given that SocialBots will inevitably and quickly evolve, we can see that the ability to demonstrate that you are a natural flesh-and-blood person rather than a robot will increasingly become an essential ingredient of digital reality.  It will be crucial that such a proof can be given without requiring you to identify yourself, relinquish your anonymity, or spend your whole life completing grueling CAPTCHA challenges.

I am again struck by our deep historical need for minimal disclosure technology like U-Prove, with its amazing ability to enable unlinkable anonymous assertions (like liveness) and yet still reveal the identities of those (like the manufacturers of armies of SocialBots) who abuse them through over-use.


New paper on Wi-Fi positioning systems

Regular readers will have come across (or participated in shaping) some of my work over the last year as I looked at the different ways that device identity and personal identity collide in mobile location technology.

In the early days following Google’s Street View WiFi snooping escapades, I became increasingly frustrated that public and official attention centered on Google’s apparently accidental collection of unencrypted network traffic when there was a much worse problem staring us in the face.

Unfortunately the deeper problem was also immensely harder to grasp since it required both a technical knowledge of networked devices and a willingness to consider totally unpredicted ways of using (or misusing) information.

As became clear from a number of the conversations with other bloggers, even many highly technical people didn’t understand some pretty basic things - like the fact that personal device identifiers travel in the clear on encrypted WiFi networks… Nor was it natural for many in our community to think things through from the perspective of privacy threat analysis.
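The "basic thing" above, that the device identifier stays readable on an encrypted network, follows from the 802.11 frame layout: encryption covers the frame body, never the MAC header in front of it. As an added example (not from the paper or this blog), the parser below reads the cleartext header of a hand-constructed data frame and reports which addresses a passive listener sees regardless of the Protected Frame bit; it is the kind of check a privacy threat analysis starts from. The MAC addresses and body bytes are made-up sample values.

```python
"""Added example: parse the unprotected MAC header of an 802.11 frame.

Layout (IEEE 802.11): Frame Control (2 bytes, little-endian), Duration/ID (2),
Address 1, 2, 3 (6 each), Sequence Control (2), then Address 4 (6) only when
both To-DS and From-DS are set, and a QoS Control field (2) for QoS data
subtypes. The Protected Frame bit announces that the *body* is encrypted
(WEP/TKIP/CCMP); nothing before the body is ever encrypted.
"""
import struct

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame):
    """Return the cleartext header fields of one 802.11 frame (bytes)."""
    if len(frame) < 24:
        raise ValueError("shorter than a minimal 802.11 MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    to_ds = bool(fc & 0x0100)
    from_ds = bool(fc & 0x0200)
    protected = bool(fc & 0x4000)

    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    header_len = 24
    addr4 = None
    if to_ds and from_ds:               # wireless distribution system frame
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        addr4 = frame[24:30]
        header_len = 30
    if ftype == TYPE_DATA and subtype & 0x8:   # QoS data subtypes
        header_len += 2

    # Which address is source, destination and BSSID depends on the DS bits.
    if not to_ds and not from_ds:
        da, sa, bssid = addr1, addr2, addr3
    elif to_ds and not from_ds:         # station -> access point
        bssid, sa, da = addr1, addr2, addr3
    elif not to_ds and from_ds:         # access point -> station
        da, bssid, sa = addr1, addr2, addr3
    else:
        da, sa, bssid = addr3, addr4, None

    return {
        "type": ftype, "subtype": subtype,
        "to_ds": to_ds, "from_ds": from_ds,
        "protected": protected,                 # body encrypted?
        "sa": fmt_mac(sa),                      # device identifier, always clear
        "da": fmt_mac(da),
        "bssid": fmt_mac(bssid) if bssid else None,
        "body_len": max(len(frame) - header_len, 0),
    }


def build_sample_frame(protected=True):
    """Construct a To-DS data frame like one a client sends to its access
    point. The body is opaque filler standing in for CCMP header + ciphertext."""
    fc = (TYPE_DATA << 2) | 0x0100 | (0x4000 if protected else 0)
    header = struct.pack("<HH", fc, 0)
    header += bytes.fromhex("02aabbccddee")     # Address 1: BSSID (the AP)
    header += bytes.fromhex("021122334455")     # Address 2: SA, the client
    header += bytes.fromhex("02ffeeddccbb")     # Address 3: DA
    header += struct.pack("<H", 0x0010)         # sequence control
    body = bytes(range(16))                     # stands in for ciphertext
    return header + body


if __name__ == "__main__":
    for flag in (True, False):
        print(parse_80211_header(build_sample_frame(protected=flag)))
```

Run either way, the source address comes out identical: turning encryption on changes only the `protected` flag and leaves the device identifier readable to anyone in radio range.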

This got me to look at the issues even more closely, and I summarized my thinking at PII 2010 in Seattle.

A few months ago I ran into Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, who was working on the same issues.  We decided to collaborate on a very in-depth look at both the technology and policy implications, aiming to produce a document that could be understood by those in the policy community and still serve as a call to the technical community to deal appropriately with the identity issues, seeking what Ann calls “win-win” solutions that favor both privacy and innovation.

Ann’s team deserves all the credit for the thorough literature research and clear exposition.  Ann expertly describes the policy issues and urges us as technologists to adopt Privacy By Design principles for our work. I appreciate having had the opportunity to collaborate with such an innovative group.  Their efforts give me confidence that even difficult technical issues with social implications can be debated and decided by the people they affect.

Please read WiFi Positioning Systems: Beware of Unintended Consequences and let us know what you think - I invite you to comment (or tweet or email me) on the technical, policy and privacy-by-design aspects of the paper.

VMWare, Identity and User-Centricity in the Enterprise

Lots of good commentary on VMWare’s new Horizon App Manager today, which is what their Tricipher acquisition seems to have turned into. The phrase that struck me the most — thus this post — was Krishnan‘s description at CloudAve: a user-centric management service for accessing cloud applications from any device. It clearly is user-centric: it [...]

Google opposing the “Right to be forgotten”

In Europe there has been a lot of discussion about “the Right to be Forgotten” (see, for example, Le droit à l’oubli sur Internet). The notion is that after some time, information should simply fade away (counteracting digital eternity).

In America, the authors of the Social Network Users’ Bill of Rights have called their variant of this the “Right to Withdraw”.  

Whatever words we use, the right, if recognized, would be a far-reaching game-changer - and as I wrote here, represent a “cure as important as the introduction of antibiotics was in the world of medicine”.

Against this backdrop, the following report by Ciaran Giles of the Associated Press gives us much to think about. It appears Google is fighting head-on against the “Right to be Forgotten”. It seems to be willing to take on any individual or government who dares to challenge the immutable right of its database and algorithms to define you through something that has been written - forever, and whether it’s true or not.

MADRID – Their ranks include a plastic surgeon, a prison guard and a high school principal. All are Spanish, but have little else in common except this: They want old Internet references about them that pop up in Google searches wiped away.

In a case that Google Inc. and privacy experts call a first of its kind, Spain’s Data Protection Agency has ordered the search engine giant to remove links to material on about 90 people. The information was published years or even decades ago but is available to anyone via simple searches.

Scores of Spaniards lay claim to a “Right to be Forgotten” because public information once hard to get is now so easy to find on the Internet. Google has decided to challenge the orders and has appealed five cases so far this year to the National Court.

Some of the information is embarrassing, some seems downright banal. A few cases involve lawsuits that found life online through news reports, but whose dismissals were ignored by media and never appeared on the Internet. Others concern administrative decisions published in official regional gazettes.

In all cases, the plaintiffs petitioned the agency individually to get information about them taken down.

And while Spain is backing the individuals suing to get links taken down, experts say a victory for the plaintiffs could create a troubling precedent by restricting access to public information.

The issue isn’t a new one for Google, whose search engine has become a widely used tool for learning about the backgrounds about potential mates, neighbors and co-workers. What it shows can affect romantic relationships, friendships and careers.

For that reason, Google regularly receives pleas asking that it remove links to embarrassing information from its search index or least ensure the material is buried in the back pages of its results. The company, based in Mountain View, Calif., almost always refuses in order to preserve the integrity of its index.

A final decision on Spain’s case could take months or even years because appeals can be made to higher courts. Still, the ongoing fight in Spain is likely to gain more prominence because the European Commission this year is expected to craft controversial legislation to give people more power to delete personal information they previously posted online.

“This is just the beginning, this right to be forgotten, but it’s going to be much more important in the future,” said Artemi Rallo, director of the Spanish Data Protection Agency. “Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don’t want to be there.”

Many details about the Spaniards taking on Google via the government are shrouded in secrecy to protect the privacy of the plaintiffs. But the case of plastic surgeon Hugo Guidotti vividly illustrates the debate.

In Google searches, the first link that pops up is his clinic, complete with pictures of a bare-breasted woman and a muscular man as evidence of what plastic surgery can do for clients. But the second link takes readers to a 1991 story in Spain’s leading El Pais newspaper about a woman who sued him for the equivalent of €5 million for a breast job that she said went bad.

By the way, if it really is true that nothing should ever interfere with the automated pronouncements of the search engine - not even truth - does that mean robots have the right to pronounce any libel they want, even though we don’t?

“HTTPS Now” Campaign Unfortunately Does Not Fix the Problem

EFF activist Eva Galperin is quoted in a ReadWriteWeb article introducing their new campaign: “HTTPS provides the minimum level of security for websites. Without it, no site can make any meaningful security or privacy guarantees to its users.” Well, wouldn’t that be nice! Particularly if HTTPS actually were providing that security. For a counter-point, read [...]

Privacy Bill of Rights establishes device identifiers as PII

In my view the Commercial Privacy Bill of Rights drafted by US Senators McCain and Kerry would significantly strengthen the identity fabric of the Internet through its proposal that “a unique persistent identifier associated with an individual or a networked device used by such an individual” must be treated as personally identifiable information (Section 3 - 4 - vii). This clear and central statement marks a real step forward. Amongst other things, it covers the MAC addresses of wireless devices and the serial numbers and random identifiers of mobile phones and laptops.

From this fact alone the bill could play a key role in limiting a number of the most privacy-invasive practices used today by Internet services - including location-based services. For example, a company like Apple could no longer glibly claim, as it does in its current iTunes privacy policy, that device identifiers and location information are “not personally identifying”. Nor could it profess, as iTunes also currently does, that this means it can “collect, use, transfer, and disclose” the information “for any purpose”. Putting location information under the firm control of users is a key legislative requirement addressed by the bill.

The bill also contributes both to the security of the Internet and to individual privacy by unambiguously embracing “Minimal Disclosure for a Constrained Use” as set out in Law 2 of the Laws of Identity. Title III explicitly establishes a “Right to Purpose Specification; Data Minimization; Constraints on Distribution; and Data Integrity.”

Despite these real positives, the bill as currently formulated leaves me eager to consult a bevy of lawyers - not a good sign.  This may be because it is still a “working draft”, with numerous provisions that must be clarified. 

For example, how would the population at large ever understand the byzantine interlocking of opt-in and opt-out clauses described in Section 202?  At this point, I don’t.

And what does the list of exceptions to Unauthorized Use in Section 3 paragraph 8 imply?  Does it mean such uses can be made without notice and consent?

I’ll be looking for comments by legal and policy experts.  Already, EPIC has expressed both support and reservations:

Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the “Commercial Privacy Bill of Rights Act of 2011,” aimed at protecting consumers’ privacy both online and offline. The Bill endorses several “Fair Information Practices,” gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information.

But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a “Safe Harbor” arrangement that exempts companies from significant privacy requirements.

EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission.

Kerry McCain bill proposes “minimal disclosure” for transactions

Steve Satterfield at Inside Privacy gives us this overview of the central features of the new Commercial Privacy Bill of Rights proposed by US Senators Kerry and McCain (download it here):

  • The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data.  The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
  • The draft also states that businesses should “seek” to collect only as much “covered information” as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service.
  • “Covered information” is defined broadly and would include not just “personally identifiable information” (such as name, address, telephone number, social security number), but also “unique identifier information,” including a customer number held in a cookie, a user ID, a processor serial number or a device serial number.  Unlike definitions of “covered information” that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
  • The draft encompasses a data retention principle, providing that businesses should retain covered information only as long as necessary to provide the transaction or service “or for a reasonable period of time if the service is ongoing.”
  • The draft contemplates enforcement by the FTC and state attorneys general.  Notably — and in contrast to Rep. Rush’s bill — the draft does not provide a privacy right of action for individuals who are affected by a violation. 
  • Nor does the bill specifically address the much-debated “Do Not Track” opt-out mechanism that was recommended in the FTC’s recent staff report on consumer privacy.  (You can read our analysis of that report here.) 

As noted above, the draft is reportedly still a work in progress.  Inside Privacy will provide additional commentary on the Kerry legislation and other congressional privacy efforts as they develop.   

Press conference will be held tomorrow at 12:30 pm.  [Emphasis above is mine - Kim]

Readers of Identityblog will understand that I see this development, like so many others, as inevitable and predictable consequences of many short-sighted industry players breaking the Laws of Identity.


WSJ: Federal Prosecutors investigate smartphone apps

If you have kept up with the excellent Wall Street Journal series on smartphone apps that inappropriately collect and release location information, you won’t be surprised at their latest chapter:  Federal Prosecutors are now investigating information-sharing practices of mobile applications, and a Grand Jury is already issuing subpoenas.  The Journal says, in part:

Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures, according to a person familiar with the matter…

The criminal investigation is examining whether the app makers fully described to users the types of data they collected and why they needed the information—such as a user’s location or a unique identifier for the phone—the person familiar with the matter said. Collecting information about a user without proper notice or authorization could violate a federal computer-fraud law…

Online music service Pandora Media Inc. said Monday it received a subpoena related to a federal grand-jury investigation of information-sharing practices by smartphone applications…

In December 2010, Scott Thurm wrote Your Apps Are Watching You,  which has now been “liked” by over 13,000 people.  It reported that the Journal had tested 101 apps and found that:

… 56 transmitted the phone’s unique device identifier to other companies without users’ awareness or consent.  Forty-seven apps transmitted the phone’s location in some way. Five sent a user’s age, gender and other personal details to outsiders.  At the time they were tested, 45 apps didn’t provide privacy policies on their websites or inside the apps.

In Pandora’s case, both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

Legal experts said the probe is significant because it involves potentially criminal charges that could be applicable to numerous companies. Federal criminal probes of companies for online privacy violations are rare…

The probe centers on whether app makers violated the Computer Fraud and Abuse Act, said the person familiar with the matter. That law, crafted to help prosecute hackers, covers information stored on computers. It could be used to argue that app makers “hacked” into users’ cellphones.

[More here]

The elephant in the room is Apple’s own approach to location information, which should certainly be subject to investigation as well. The user is never presented with a dialog in which Apple’s use of location information is explained and permission is obtained. Instead, the user’s agreement is gained surreptitiously, hidden away on page 37 of a 45 page policy that Apple users must accept in order to use… iTunes. Why iTunes requires location information is never explained. The policy simply states that the user’s device identifier and location are non-personal information and that Apple “may collect, use, transfer, and disclose non-personal information for any purpose”.

Any purpose?

Is it reasonable that companies like Apple can proclaim that device identifiers and location are non-personal and then do whatever they want with them? Informed opinion seems not to agree with them. The International Working Group on Data Protection in Telecommunications, for example, asserted precisely the opposite as early as 2004. Membership of the Group included “representatives from Data Protection Authorities and other bodies of national public administrations, international organisations and scientists from all over the world.”

More empirically, I demonstrated in Non-Personal information, like where you live that the combination of device identifier and location is in very many cases (including my own) personally identifying.  This is especially true in North America where many of us live in single-family dwellings.

[BTW, I have not deeply investigated the approach to sharing of location information taken by other smartphone providers - perhaps others can shed light on this.]