Below is a presentation created by Theresa Sterling in March, 2010 about online privacy, and what she refers to as your “digital dossier” that begins to be created at birth. The presentation is reasonably factual, without being overly alarming, and may help connect the dots for some people who aren’t steeped in the issues.
This Amazon review of “A Million Random Digits with 100,000 Normal Deviates” by RAND had me rolling on the floor:
1,294 of 1,356 people found the following review helpful:
1.0 out of 5 stars, July 27, 2005
By B. MCGROARTY (United States)
The book is a promising reference concept, but the execution is somewhat sloppy. Whatever algorithm they used was not fully tested. The bulk of each page seems random enough. However at the lower left and lower right of alternate pages, the number is found to increment directly.
That’s right up there with the review of how “The Story of Ping” is deft allegory about the UNIX utility.
Finally! It’s fantastic to see that I can now talk about what I do for a living with my friends and family. There’s nothing like a good popular culture comedy icon talking about your profession to catalyze the conversation. Now perhaps I won’t get blank stares when I tell them I work for ISOC along with my pals at the IETF, Kantara Initiative, and W3C on issues relating to online Identity and privacy…
One of the presentations at the Internet2 Advance CAMP included these photos referencing some major vendors (who recently merged). Very amusing.
… and it’s a great way to avoid running afoul of logo usage guidelines.
I’m often talking to people about how open Internet technologies enable emergent innovations… and Eric Fischer provided an excellent example of what you can do when you have free access to seemingly unrelated data sets.
To create this image of San Francisco (he’s currently posted 50 maps), he took the geo-tagged data from photos uploaded to Flickr and Picasa, then banged the locations against OpenStreetMap using Perl and Ghostscript to overlay travel vectors of the photographers. Specifically, he compared photos taken by the same photographer within 10 minutes and bounded by 3 miles to compute and plot their travel vector. The resulting map is color-coded to indicate black=walking (7mph), red=bicycling (19mph), blue=street vehicles (43mph), green=freeway vehicles or rapid transit (>43mph).
I’m not going to argue for/against the privacy issues embedded within geo-tagged photos. That’s a separate issue, but this does clearly illustrate that when people have free and open access to data, they’ll combine them in clever and unique ways to generate something entirely new (and potentially useful).
Provenance: I heard about this via a tweet from @PeteWright, read a blog post (including the comments by Eric explaining his process), and ended up at Eric’s Flickr page.
Many thanks to all who attended the Kantara Initiative Workshop at RSA this year. The room was packed (with standing room only at one point), and I heard a number of fantastic comments from attendees about the presentations… many who wanted more detail on some presentations.
Along those lines, many thanks to the many energetic and informative presenters and panelists we had on stage. Of course, PayPal’s Andrew “Rock Star” Nash was a crowd favorite, as was Google’s Eric Sachs (too bad Chris Messina was wrestled to the ground by the RSA registration system… ask him that story, it’s hilarious). Add Patrick Harding (Ping Identity) into the mix talking about securely federating clouds, and you’ve got an appetizer to his company’s all-out party the following night.
Rounding out our party was Matthew Gardiner from CA (who earns the dubious distinction of being the first person to utter the term “cloud” during the conference), as well as Chris Sharp from MEDecision who offered up a peek into how the real world deals with cloud identity.
We were also able to dive deeper into cloud services with Oracle’s Uppili Srinivasan and his panelists Gail Coury (Oracle), John Donovan (NetApp), and Archie Reed (HP). Adding to the panel party was Matthew Gardiner’s cross-cutting Identity Services Roadmap with Mark Coderre (Aetna), Debbie Bucci (NIH), and Todd Inskeep (Bank of America).
… and who could resist the Prezi(c) by Paul Madsen (NTT), representing his gold-hording country on stage (despite the fact he actually missed the final hockey game while in the air). Besides, who else would include in a presentation about the state of OpenID, SAML, InfoCard, and OAuth a slide depicting the dangers of incorrectly checking for dirty diapers?
Finally… much and many thanks to Dervla and Joni for rolling in early on Sunday to set up, and staying late on Monday to break down. Not to mention all the lead-up work they did (including hounding folks like me to get in our presentations). Thanks!
And in case you wanted to see the presentations:
- Kantara Initiative Overview (Trent Adams, Internet Society)
- Kantara Initiative Groups (Trent Adams, Internet Society)
- PayPal KI 2010 RSA 2010 IA and Real World (Andrew Nash, PayPal)
- CA KI Workshop 2010 RSA Conference (Matthew Gardiner, CA; Chris Sharp, MEDecision)
- NTT KI Workshop 2010 RSA Conference (via prezi.com) (Paul Madsen, NTT)
- Ping ID KI Workshop 2010 RSA Conference (Patrick Harding, Ping Identity)
- Oracle KI Workshop 2010 RSA Conference Customer Panel (Uppili Srinivasan, Oracle; Gail Coury, Oracle; John Donovan, NetApp; Archie Reed, HP)
- Google KI Workshop 2010 RSA Conference (Eric Sachs, Google)
It was at the last RSA where we announced the formation of the Kantara Initiative. One very strong (and busy) year down… and here’s to many more to come (hoping they get easier). Cheers!
Colin Wallis from the New Zealand Government’s Department of Internal Affairs joins this episode of the Identity Matters Podcast. As the Kantara Initiative eGovernment Work Group Chair, he provides an overview of what the group is doing. He talks about how the adoption of the initial eGov Profile has spurred on development of version 2. He also discussed how the eGov work dovetails with the Kantara Interoperability Review Board (IRB), as well as work taking place outside Kantara.
Currently in Development: eGov Profile 2.0
Identity Matters: eGovernment
Download MP3 | Episode Length: 0:15:10 | Filesize: 10 MB
NOTE: This podcast was produced in collaboration with the Kantara Initiative Identity Community Update Discussion Group.
In this episode of the Identity Matters Podcast, Eve Maler presents an overview of the User Managed Access (UMA) Work Group. Eve, the UMA WG chair, starts off with background of the group working within the Kantara Initiative and defines the problem space. She then provides an overview of the process the group is taking as well as where they are in their roadmap toward delivering a specification to the IETF.
From the UMA charter: The purpose of the UMA work at Kantara is to develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementations of these specifications by others.
Identity Matters: User Managed Access
Download MP3 | Episode Length: 0:27:41 | Filesize: 18.5 MB
NOTE: This podcast was produced in collaboration with the Kantara Initiative Identity Community Update Discussion Group.
It’s not a bad start to the new year (and decade) when a journal like Global Finance sees value in the work you’re doing. Their cover story on “A Wide Open World” just hit the stands and I’m pleased that some of my contributions made their way into the article. Specifically:
The ISOC’s Adams believes access to information will be a key driver of change. “Whereas today users generally manage data within the silo of single institutions—for example, individual bank, brokerage, or credit card companies—new capabilities will allow them to delegate access to and control authority over their data as it is shared across institutions,” he says.
While it wasn’t mentioned by name, I was referencing work being done by Eve Maler, Iain Henderson, Joe Andrieu and others in various Kantara Initiative working groups. Specifically in the User-Managed Access (UMA) and Information-Sharing groups. Too bad they weren’t included by name, but I hope this helps give them the recognition they (and their long list of collaborators) deserve.
They also reference my comments about “open trust frameworks” and the Kantara Identity Assurance Program, but reduced it to generalities. There’re a lot of amazingly dedicated folks working hard on open specifications in this area to help standardize a trusted model for information exchange. Even though they’re not named, this is a great example of their work starting to permeate the broader market.
Great job, folks. Keep it up!
(PS Many thanks to Greg and the ISOC communications team for facilitating my contribution to the article.)
Recent news about intrusions into the online accounts of public figures like U.S. presidential candidate Sarah Palin and prominent companies like Twitter remind me of the not-too-distant past. These appeaer to be bellwether events pointing out that the general public is starting to realize the protection of their identity starts with what they can (and should) control. It sometimes takes high profile cases like this to energize action, a cycle that appears to repeat itself.
About 8 years ago I took on the challenge of securing the digital borders around the e-commerce systems for the Kraft Group’s sports properties. At that time, I could see a storm cloud gathering on the networked horizon as we built a system to unify all of the current properties and set the foundation to build out a series of interconnected portal communities. Looking forward, I knew that it was only a matter of time before a major press-worthy event would raise everyone’s awareness regarding the protection of user privacy, in the form of personally identifiable information (PII), and associated payment information.
Our business strategy was to build a core commerce engine that could handle online transactions embedded within each separate portal. Key to our success was enabling users to have a persistent identity throughout their engagement with our products. In this way we could minimize the barriers to their interacting with our content, as well as streamlining the purchase pipeline. Essentially, once users logged into any of our portals (to access premium/personalized content, manage accounts, and purchase products), we were able to effectively cater to them by simplifying their experience.
The problem with this single-sign-on model was that if a user account was compromised, the intruder could have free reign over the victim’s PII and associated payment information. I had to make the case for going the extra mile(s) by designing strict access control procedures, knowing that something bad was going to happen to a company soon and that we should be ahead of any reactionary solutions imposed upon us. I had a feeling that after some bad press, the e-commerce industry would be pressured to lock down the porous borders that were relatively common at the time.
Just such a case occurred in 2004 when hackers were able to access an estimated 8 million credit card numbers from BJ’s Wholesale Club. It took a few years for details of the incident to emerge, but it was clear even then that there were two primary issues: insecure access points, and poor audit logging. Regardless of whether it was an inside job (as was initially assumed) or an outside hack (which it turned out to be), BJ’s (among other compromised companies) had poor access control and monitoring.
This, as well as other similar incidents, prompted the creation of the Payment Card Industry Security Standards Council, founded in 2006 by American Express, Discover, JCB, MasterCard, and Visa. The payment card industry thus began requiring strict practices and controls around systems that perform above a modest threshold of transactions. It was a strong move, in advance of looming legislation, that helped steer wayward companies toward better practices. Regardless of the critiques of their programs, it has succeeded in shining a light on many problems needing to be addressed.
Fortunately, by the time the PCI guidelines hit the market, we were able to breeze through their audits. The commerce engine we’d built was tighter than what they required. It’s rare that you can so easily point to a situation like this where the extra capital cost on the front end so clearly saved money that would’ve been required to retrofit a running system.
Now, here’s where the history lesson circles around to become informative for current events. We should learn from these cases of identity intrusion and address the core issues. The obvious lesson is not to be cavalier regarding the protection of your email accounts. After all, they are your core identity asset in today’s online world. Be careful when setting up your email account and follow common sense when selecting passwords and associated “remind me” features.
Beyond what you can do for yourself today, the industry needs to step up it’s game, too. Fortunately, there are a number of efforts currently under way to help protect your identity. They just need to be more whole-heartedly embraced and helped to mature by the major players in the market. What’s uniquely interesting about many of the emerging solutions is that they’re user-centric, rather than being centered around any one company’s digital security practices. This focus helps solve the root problems: privacy protection starts at home, and it’s not a simple matter of more/better cyber-security and encryption.
For more information, and to become involved, I highly recommend following the open standards development relating to user-managed identity:
And, of course, the Internet Society Trust & Identity Initiative. Tell them I sent you.