Equifax and Correlatable Identifiers

Summary: We can avoid security breaches that result in the loss of huge amounts of private data by creating systems that don't rely on correlatable identifiers. Sovrin is built to use non-correlatable identifiers by default while still providing all the necessary functionality we expect from an identity system.

Yesterday word broke that Equifax had suffered a data breach that resulted in 143 million identities being stolen. This is a huge deal, but not really too shocking given the rash of data breaches that have filled the news in recent years.

The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where
Continue reading "Equifax and Correlatable Identifiers"

Daily Tab for 2016_06_07

For today’s entries, I’m noting which linked pieces require you to turn off tracking protection, meaning tracking is required by those publishers. I’m also annotating entries with hashtags and organizing sections into bulleted lists.
#AdBlocking and #Advertising

Have we passed peak phone?

I should start by admitting I shot this picture with my phone. Also that on my rectangle with the rest of these people through most of this very typical subway trip yesterday. I don’t know what they were doing, though it’s not hard to guess. In my case it was spinning through emails, texting, tweeting, checking various other apps (weather, navigation, calendar) and listening to podcasts. We shape our tools and then they shape us. That’s what Marshall McLuhan’s main point was. And then we shape society, policy and the rest of civilization. People won’t stop staring at their phones, so a Dutch town put traffic lights on the ground, Quartz reports. In less than two years, most of the phones used by people in this shot will be traded in, discarded or re-purposed as iPods or whatever. And most of us will be tethered to Apple, Google and
Continue reading "Have we passed peak phone?"

Exploring the business behind digital media’s invisibility cloaks

Imagine you’re on a busy city street where everybody who disagrees with you disappears. We have that city now. It’s called media—especially the social kind. You can see how this works on Wall Street Journal‘s Blue Feed, Red Feed page. Here’s a screen shot of the feed for “Hillary Clinton” (one among eight polarized topics): [image] Both invisible to the other. We didn’t have that in the old print and broadcast worlds, and still don’t, where they persist. (For example, on news stands, or when you hit SCAN on a car radio.) But we have it in digital media. Here’s another difference: a lot of the stuff that gets shared is outright fake. There’s a lot of concern about that right now: [image] Why? Well, there’s a business in it. More eyeballs, more advertising, more money, for more eyeballs for more advertising. And so on. Those ads are aimed
Continue reading "Exploring the business behind digital media’s invisibility cloaks"

A few words about trust

So I was on a panel at WebScience@10 in London (@WebScienceTrust, #WebSci10), where the first question asked was, “What are two aspects of ‘trust and the Web’ that you think are most relevant/important at the moment?” My answer went something like this: 1) The Net is young, and the Web with it. Both were born in their current forms on 30 April 1995, when the NSFnet backed off on its forbidding commercial traffic on its pipes. This opened the whole Net to absolutely everything, exactly when the graphical Web browser became fully useful. Twenty-one years in the history of a world is nothing. We’re still just getting started here. 2) The Internet, like nature, did not come with privacy. And privacy is personal. We need to start there. We arrived naked in this new world, and — like Adam and Eve — still don’t have clothing
Continue reading "A few words about trust"

The problem for people isn’t advertising, and the problem for advertising isn’t blocking. The problem for both is tracking.

In Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking, @JuliaAngwin and @ProPublica unpack what the subhead says well enough: “Google is the latest tech company to drop the longstanding wall between anonymous online ad tracking and user’s names.” Here’s a message from humanity to Google and all the other spy organizations in the surveillance economy: Tracking is no less an invasion of privacy in apps and browsers than it is in homes, cars, purses, pants and wallets. That’s because our apps and browsers are personal and private. So are the devices on which we use them. Simple as that. (HT to @Apple for digging that fact.) To help online advertising business and the publications they support understand what ought to be obvious (but isn’t yet), let’s clear up some misconceptions:
  1. Tracking people without their clear and conscious permission is wrong. (Meaning The Castle Doctrine
Continue reading "The problem for people isn’t advertising, and the problem for advertising isn’t blocking. The problem for both is tracking."

The Giant Zero

The world of distance

Fort Lee is the New Jersey town where my father grew up. It’s at the west end of the George Washington Bridge, which he also helped build. At the other end is Manhattan.

Even though Fort Lee and Manhattan are only a mile apart, it has always been a toll call between the two over a landline. Even today. (Here, look it up.) That’s why, when I was growing up not far away, with the Manhattan skyline looming across the Hudson, we almost never called over there. It was “long distance,” and that cost money.

There were no area codes back then, so if you wanted to call long distance, you dialed 0 (“Oh”) for an operator. She (it was always a she) would then call the number you wanted and patch it through, often by plugging a cable between two holes in a

Continue reading "The Giant Zero"

Some thoughts on privacy

Somebody on Quora asked, What is the social justification of privacy? adding, I am trying to ask about why individual privacy is important to society. Obviously it is preferable to individuals for a variety of reasons. But society seems to gain more from transparency. Rather than leave my answer buried there, I thought I’d share it here as well:
Society is comprised of individuals, and is thick with practices and customs that respect individual needs. Among these is privacy. All but those of us who live outside and walk around naked have a need for clothing and shelter, both of which are means of expressing and guarding spaces we call “private.” One would hardly ask to justify the need for privacy before the Internet came along; but it is a question now, because the Internet, like nature in the physical world, doesn’t come with privacy. We are naked by
Continue reading "Some thoughts on privacy"

At last, Cluetrain’s time has come

While The Cluetrain Manifesto is best known for its 95 theses (especially its first, “Markets are conversations”), the clue that matters most is this one, which runs above the whole list:
we are not seats or eyeballs or end users or consumers.
we are human beings and our reach exceeds your grasp. deal with it.
  That was the first clue we wrote. And by “we” I mean Christopher Locke (aka RageBoy), who sent it to the other three authors in early 1999. At that time we were barely focused on what we wanted to do, other than to put something up on the Web. But that ur-clue, addressed to marketers on behalf of markets, energized and focused everything we wrote on Cluetrain site, and then in the book. But it failed. Are you hearing me, folks? It failed. For a decade and a half, Cluetrain succeeded as a book and as a meme, but
Continue reading "At last, Cluetrain’s time has come"

Talking customer power and VRM

I’ll be on a webinar this morning talking with folks about The Intention Economy and the Rise in Customer Power. That link goes to my recent post about it on the blog of Modria, the VRM company hosting the event. It’s at 9:30am Pacific time. Read more about it and register to attend here. There it also says “As a bonus, all registered attendees will receive a free copy of Doc’s latest book, The Intention Economy: How Customers Are Taking Charge in either printed or Kindle format.” See/hear you there/then.    

Separating advertising’s wheat and chaff

Advertising used to be simple. You knew what it was, and where it came from. Whether it was an ad you heard on the radio, saw in a magazine or spotted on a billboard, you knew it came straight from the advertiser through that medium. The only intermediary was an advertising agency, if the advertiser bothered with one. Advertising also wasn’t personal. Two reasons for that. First, it couldn’t be. A billboard was for everybody who drove past it. A TV ad was for everybody watching the show. Yes, there was targeting, but it was always to populations, not to individuals. Second, the whole idea behind advertising was to signal one message to lots of people, lots of times, whether or not the people seeing or hearing the ad would ever use the product. In their landmark study, “The Waste in Advertising is the Part that Works” (Journal of
Continue reading "Separating advertising’s wheat and chaff"

We can all make TV. Now what?

Look where Meerkat and Periscope point. I mean, historically. They vector toward a future where anybody anywhere can send live video out to the glowing rectangles of the world. If you’ve looked at the output of either, several things become clear about their inevitable evolutionary path:
  1. Mobile phone/data systems will get their gears stripped, in both directions. And it will get worse before it gets better.
  2. Stereo sound recording is coming. Binaural recording too. Next…
  3. 3D. Mobile devices in a generation or two will include two microphones and two cameras pointed toward the subject being broadcast. Next…
  4. VR, or virtual reality.
Since walking around like a dork holding a mobile in front of you shouldn’t be the only way to produce these videos, glasses like these are inevitable:


(That’s a placeholder design in the public domain, so it has no IP drag, other than whatever submarine patents already exist, and I am
Continue reading "We can all make TV. Now what?"

T.Rob on the Samsung AdHub Privacy Policy – Have We Reached a Privacy Waterloo?

One of my favorite bloggers in the Internet identity/security/privacy/personal data space, T.Rob Wyatt, just posted an expose of what the Samsung privacy policy really means when it comes to using Samsung devices and their integrated AdHub advertising network. I can tell you right now, I’ll never buy a Samsung smart-ANYTHING until that policy is changed. Full stop. If every prospective Samsung customer does the same thing—and tells Samsung this right out loud, like I’m doing right now—then we’d finally see some of these policies changing. Because it would finally hit them in the pocketbook.

We must understand the past to not repeat it.

Please see the prior post and the post before about how we got to discussing this. We cannot forget that the Holocaust was enabled by the IBM corporation and its Hollerith machine. How did this happen? What were these systems? How did they work? And particularly, how did the private sector corporation IBM end up working a democratically elected government to do very horrible things to vast portions of its citizenry? These are questions we cannot ignore. In 2006 Stefan Brands gave a talk that made a huge impression on me. He warned us, an audience of very well-meaning technologists, that we had to be very careful because we could incrementally create a system that could lead to enabling a police state. It was shocking at the time, but after a while the point he was making sank in and stuck with me. He shared this
Continue reading "We must understand the past to not repeat it."

Facebook so called “real names” and Drag Queens

So, just when we thought the Nym Wars were over, at least with Google / Google+. Here is my post about those ending, including a link to an annotated version of all the posts I wrote about my personal experience of it all unfolding. Facebook decided to pick on the Drag Queens – and a famous group of them, the Sisters of Perpetual Indulgence. Back then I called for the people with personas to unite and work together to resist what Google was doing. It seems like now that Facebook has taken on the Drag Queens a real version of what I called at the time the Million Persona March will happen. One of those affected created this graphic and posted it on Facebook by Sister Sparkle Plenty: [image] Facebook meets with LGBT Community Over Real Name Policy on Sophos’ Naked Security blog. EFF covers it with Facebook’s Real
Continue reading "Facebook so called “real names” and Drag Queens"

What Happens to the Data

Summary: Metromile offers per-mile car insurance based on an OBD II device that plugs into the car and reports data about how the vehicle is used to the insurance company. This raises questions about where the data goes, how it's used, and who owns it. Even more important, it's a business model that promotes the creation of data silos.

Nathan Schor pointed me at an article about Metromile that appeared in TechCrunch recently. Metromile is a per-mile insurance company that uses an OBD II device that you plug in your car. It tracks your vehicle stats, similar to Fuse, Automatic, and other connected car services. The kicker is that it's free because Metromile is making money by selling per-mile insurance. The more users they have using their device the bigger their potential market for selling insurance. That is made evident by the fact that you can only get the free device if you live in a state where they offer insurance (currently CA, OR, and IL). Otherwise, get in line (until they come to your state, presumably).

I don't know how Metromile is implemented, but I wonder what happens to the data. I'm pretty sure they're using a cellular device (rather than Bluetooth) so that the data is always transmitted to their system even if your phone's not in the car or connected. Does all the data about every trip go to the insurance company? Or some aggregation? What's the algorithm?

These questions are relevant because it's unclear who ultimately owns this data. Users aren't paying for the device or the data, just the insurance. As I wrote in The CompuServe of Things, business models that connect devices to non-substitutable services threaten to leave users with little control over the things they own and use. I believe users ought to be customers who own the data and control where and how it's used. That doesn't mean they can't choose to share it with the insurance company, but they ought to know what's being shared and even be able to substitute one insurance company for another. If every connected car device is associated with a different insurance company, I can't switch without having to give up access to all the data that's been collected about my car and driving.

Data silos with murky policies about data ownership are all too common. Unfortunately, they lead to a future I don't want to live in. And if you think about it, I'll bet you won't want to live there either.

On Names and Heterarchy

Summary: Heterarchical (non-hierarchical) naming systems are vital if we are to avoid the pitfalls and dangers of surrendering our rights and our privacy to a tyranny of connected computers and devices that intermediate our lives at every level based on centralized authority. This post explores names and alternatives to names, including the use of bitcoin as a distributed directory that is immune from the problems that hierarchical solutions impose.

Names not to be forgotten

When I first started using Unix, DNS was not widely used. Instead we FTP'd hosts files from a computer at Berkeley, merged it with a local hosts file, and installed it in /etc. Mail addresses had ! in them to specify explicit internal routing from a well-known host to the local machine. We had machine names, but no global system for dereferencing them.

DNS changed all that by providing a decentralized naming service that based lookup on a hierarchy starting with a set of well-known machines servicing a top-level domain (TLD), like .com. Nothing was more important than a great domain name with a .com at the end during the 90's. URLs, or Uniform Resource Locators, a global naming system for web pages, were based on DNS, so having a short, memorable domain name was, and still is, an asset.

Of course the good domain names were quickly all gone. I was lucky enough to own a few good ones over the years: superbowl.com, skiutah.com, shoppingcart.com, imall.com, and stuff.com. I was also early enough to get my name, windley.com. If you're just coming to this party, however, your name is long gone unless you want to use a TLD that no one has heard of and won't recognize. Anyone in the .pe namespace?


Names are used to refer to things. Without names, we'd constantly be describing people, places, and things to each other whenever we wanted to talk about them. You do that now when you can't remember someone's name: "You know, the guy who was in the green shirt, with the beard, walking a dog?" Any given entity can have multiple names that all refer to the same thing. I'm Phil, Phillip, Phil Windley, Dad, and so on depending on the circumstance.

In computing, we use names for similar reasons. We want to easily refer to things like memory locations (variables), inodes (file names), IP addresses (domain names), and so on. Names usually possess several important properties, including:

  • Names should be unique within some specific namespace
  • Names should be memorable
  • Names should be short enough to type into computing devices by humans

As Crosbie Fitch points out in his excellent treatise on identity, names don't need to be globally unique, just unique enough. Names are identifiers we put on things that already have an identity. Names aren't the same thing as identity.

Do We Need Names?

Do we need names? At first blush everyone says "yes," but when you dig deeper there are lots of systems where we don't really need names, at least not in the form of a direct mapping between names and addresses.

The best example is the Web itself. URLs aren't names. They're addresses. While they are globally unique, they aren't memorable and most people hate typing them into things. If I'm looking for IBM, I'm happy to type ibm.com into my browser. But if I'm looking for a technical report by IBM from 2006? Even if I know the URL, I'm not likely to type it in; instead, I'll just search for it using a few key words. Most of the time that works so well that we're surprised when it doesn't.

There are several alternatives to globally unique names.


When we type keywords into a search engine we're using an alternative to names: discovery.

The World Wide Web solved several important problems but discovery wasn't one of them. As a result, Aliweb, Yahoo!, and a host of other companies or projects sprang up to solve the discovery problem. Ultimately Google won the search engine wars of the late 90s. People have argued that search and discovery are natural monopolies. Maybe. But there are heterarchical methods of finding things.

When I mention this to people, I often get asked "what do you have against Google?" Nothing specifically against Google. But I think the model of centralized discovery, mail, communication, and friendship has significant drawbacks. The most obvious one is the problem of having a single point of failure. All of these products and companies will eventually go away, whether you're done using them or not.

A larger problem is censorship. Notice that while many despotic regimes will try to shut down Twitter or some other centralized service from time to time, they have a much tougher time restricting access to and use of the larger Web and more so the Internet (yeah, there's a difference despite the media's confusion).

Larger still is the privacy question. Twitter, Facebook, Google, and their ilk are the stuff of dreams for tyrants, bullies, corporate spies, and others who wish you harm. But it's more insidious than that. The issue of online privacy isn't limited to conspiracy theories about some hypothetical threat. The real threat to our privacy isn't the NSA, it's the retailers and others who want to sell you stuff. They employ centralized systems like Facebook and Google every hour of every day to use your personal information against you. They'd claim they're using your data to help you. Ask yourself what percentage of all the ads you see in a week you consider helpful.

Personal Directories and Introductions

Discovery isn't the only way to get around a lack of names. To see how, think about your house address. It's a long unwieldy string of digits and letters. Resolving a person's name to their address has no global solution. That is, there's no global directory (except maybe at Acxiom or the NSA) that maps names to addresses. Even the Post Office in over 200 years of existence hasn't thought "Hey! We need to create a global directory of names and addresses!" Or if they have, it didn't succeed.

So how do we get around this? We exchange addresses with people and keep our own directories. We avoid security issues by exchanging or verifying addresses out of band. For the most part, this is good enough.

Personal directories are largely how people exchange bitcoins and other cryptocurrencies. I give you my bitcoin address in a separate channel (e.g. email, my web site, etc.). You store it in a personal directory on your own system. When you want to send me money, you put my bitcoin address in your wallet. To make it even more interesting, since bitcoin addresses are just public-private key pairs, I can generate a new one for every person creating what amount to personal, peer-to-peer channels for exchanging money.

When we built Forever, we relied on people using email for introducing their personal clouds to another one. This introduction ceremony provided a convenient way to exchange the long addresses of the personal cloud and store them away for future use.

So long as there is some trusted way to communicate with the party you're connecting to, long addresses aren't as big a problem as you might think. We only need to resort to names and discovery when we don't have a trusted channel.
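The per-contact address idea and the out-of-band check from this section, as an added Python sketch (not code from the original post). It assumes an HMAC derivation standing in for real key-pair generation; `pairwise_address`, `fingerprint`, `PersonalDirectory` and the sample secret are hypothetical names and constructed values.

```python
import hashlib
import hmac

# Constructed demo secret; a real one would come from secrets.token_bytes(32).
MASTER_SECRET = b"constructed-demo-secret-do-not-reuse"


def pairwise_address(master_secret: bytes, contact: str) -> str:
    """Derive a stable address that is used with exactly one contact.

    Assumption: HMAC derivation stands in for generating a fresh key pair
    per contact; the result plays the role of the long address.
    """
    mac = hmac.new(master_secret, contact.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:40]


def fingerprint(address: str) -> str:
    """Short digest a person can read aloud to confirm an address."""
    return hashlib.sha256(address.encode("ascii")).hexdigest()[:8]


class PersonalDirectory:
    """Locally kept name -> address map, filled only after verification."""

    def __init__(self):
        self._entries = {}

    def add(self, name, address, confirmed_fingerprint):
        # The address arrived on one channel (say, e-mail); the fingerprint
        # was confirmed on a second one. Store only if the two agree.
        if not hmac.compare_digest(fingerprint(address), confirmed_fingerprint):
            raise ValueError(f"fingerprint mismatch for {name!r}; not stored")
        self._entries[name] = address

    def lookup(self, name):
        return self._entries[name]


def shared_addresses(*directories):
    """Addresses present in every directory: the values records join on."""
    sets = [set(d._entries.values()) for d in directories]
    return set.intersection(*sets) if sets else set()


def demo():
    # Case 1: the same address is handed to two different contacts.
    reused = pairwise_address(MASTER_SECRET, "everyone")
    alice_r, bob_r = PersonalDirectory(), PersonalDirectory()
    alice_r.add("phil", reused, fingerprint(reused))
    bob_r.add("phil", reused, fingerprint(reused))

    # Case 2: each contact gets an address of their own.
    alice, bob = PersonalDirectory(), PersonalDirectory()
    for directory, contact in ((alice, "alice"), (bob, "bob")):
        addr = pairwise_address(MASTER_SECRET, contact)
        directory.add("phil", addr, fingerprint(addr))

    # Case 3: the address was altered in transit, while the fingerprint
    # confirmed out of band belongs to the genuine address.
    genuine = pairwise_address(MASTER_SECRET, "carol")
    carol = PersonalDirectory()
    try:
        carol.add("phil", "0" * 40, fingerprint(genuine))
        rejected = False
    except ValueError:
        rejected = True

    return {
        "reused_overlap": len(shared_addresses(alice_r, bob_r)),
        "pairwise_overlap": len(shared_addresses(alice, bob)),
        "tampered_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

With one address per contact, two directories that end up in the same hands have no value in common to join on, while the reused address links them immediately.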

Heterarchical Naming Systems

The problem with personal directories is that they make global look up difficult. Unless I have some pre-existing relationship with you or a friend who'll do an introduction, a personal directory does me little good. One way to solve this problem is with systems that work like DNS, but are heterarchical.

I've recently been playing with a few interesting naming systems based on bitcoin. Whatever you may think of bitcoin as a currency, there is little doubt that bitcoin presents a working example of a global distributed consensus system.

Distributed consensus is the foundational feature of a heterarchical naming system. To understand why, think about DNS. DNS distributes the responsibility of assigning names, but it avoids the problem of consensus (agreeing on what names stand for what IP addresses) by creating a single copy of the mapping. This single copy presents a single point of failure and a convenient means of censoring or even changing portions of the map.

If we want to distribute the copy of the mapping and make everyone responsible for maintaining their own mapping between names and addresses, we need a distributed consensus system. Bitcoin provides exactly such a system in the form of a block chain, a cryptographic data structure with a functional means of validating updates.

Onename.io and Namecoin are examples of systems that use the block chain to map names to addresses in a heterarchical fashion. I have registered windley.bit using Namecoin. If you type it in your browser it won't resolve since your operating system only knows how to resolve names via DNS, but that's not a fundamental limitation; you can patch your OS to resolve names using alternative mappings like Namecoin. Your OS didn't understand TCP/IP either in the distant past. I used to regularly patch Windows 3.1 by adding a TCP/IP stack. Windows 95 included it due to popular demand. Right now, I'm using a browser plugin from FreeSpeechMe to resolve .bit domains for me.

What's the advantage of windley.bit over windley.com? Simply that the mapping is completely distributed. There is no single point of failure. You can turn off all the TLD servers and windley.bit will still work. One of the key provisions of the Stop Online Piracy Act (fortunately dead for now) would have used DNS to censor Web sites deemed to be infringing. Heterarchical directories would be immune from such silliness.

Aside: Namecoin is actually a general purpose distributed key-value store. So, domain names are just one thing you can do with it.


I'm very excited about heterarchical technologies coming into play. I believe the near future will incorporate computers into more facets of our lives than we can even imagine. If we're to trust those computers and avoid giving up autonomy to centralized authorities, heterarchical structures will be fundamental. I don't think it's going too far to say that our natural rights as human beings are based on a world that is heterarchical (at the global level) and that we are fooling ourselves if we believe we can engineer virtual systems that respect or protect those rights using hierarchies and centralized authorities.

Bonus link: Adriana Lukas has an excellent talk at TEDxKoeln on heterarchies and key principles.


Intention Generation: Fuse and VRM

One of the most influential books I've read in the last several years is Doc Searls' Intention Economy. The concept is simple: customer demand is the source of commerce and yet business has done a poor job of finding ways to understand customer intention. Doc's ideas have given rise to a movement called vendor relationship management or VRM. The term is a play off of CRM, and leads to a key idea: customers need tools to manage their interactions with the people who sell them products and services.

When I write about social products, I'm writing about one such tool. Describing one of our experiments in building social products, SquareTag, I wrote:

The owner's side looks and feels like a Facebook wall where messaging and other interactions happen in the context of the thing itself. Things have profiles that they share with other like things. The profile contains pictures, product Web pages, manuals, how to videos, and other useful information. But the product profile is individual—made for a single instance of the product. It also contains information specific to that thing such as custom configurations, serial numbers, purchase history, maintenance history, and relationships to anyone or anything that is relevant. One of the most interesting things that the product profile holds is notifications, reminders, and other interactions with the things and people it has relationships with.
From Facebook for My Stuff
Referenced Thu Dec 12 2013 11:33:29 GMT-0700 (MST)

Of course, the intention economy depends on many of our intentions being generated automatically. A few years ago, we put together a business travel scenario showing how events could be used to automate many of the mundane activities associated with planning and taking a business trip. Here's a video that describes it:

We no longer use some of the nomenclature in the video like "personal event network" but you can see how events described in the video are really encodings of intention—intentions turned into semantically consistent, structured data that computer systems can operate against. It's funny that when I made that screencast, I had no idea how a car might customize itself based on events. Now that we've started working on Fuse, it seems perfectly doable.

Fuse, our connected-car product, is an intention generator. Here are a few examples:

  • When Fuse sees your gas tank is nearly empty it can generate an intention to buy gas.
  • When Fuse indicates it's time for an oil change or tire rotation, it can generate an intention to have the car serviced.
  • When the vehicle raises a diagnostic code, Fuse can generate an intention to get the car fixed.
  • When insurance is up for renewal, Fuse can generate an intention to solicit quotes for a new policy.
  • Geofences could be linked to intentions.
  • Even a crash, sensed by Fuse's accelerometers, is an intention to seek emergency services.

As an intention generator Fuse could be seen as a brand-new way for companies to spy on drivers. But we don't think it has to be that way. If Fuse is going to generate intentions that can be acted on while preserving owner choice and privacy, it must also provide owners with two things:

  1. A way to see, select, and interact with vendors—both those who the owner has an existing relationship with and those who might be good candidates for future purchases.
  2. A way to use intentions and make the choices that only the owner can make. For example, when my insurance is due, Fuse needs to ask me if I'm happy with my current insurance before going out to solicit bids.

Both of these features are about providing owner choice and putting the owner in control. In the terminology of VRM, the thing providing these features is typically called the "4th party" and refers to the system that is acting on the customer's behalf. When I speak of social products, I'm really describing our particular approach to building a VRM tool that provides these two necessary functions.

I believe this concept and architecture is critical to building a future world we will all want to live in. I frequently hear people describe connected products that just increase customer surveillance in service of advertising and digital marketing. If a connected product isn't putting the owner in charge of who sees what signals and when, then it's spying, pure and simple.