October 26, 2006

Microsoft on Privacy & the Identity Metasystem

From Kim Cameron, an announcement that Microsoft has published a white paper that takes a long look at how an "identity metasystem" enhances privacy. It's called "The Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity," and from the executive summary, we see:

Just as individual identity is fundamental to our face-to-face interactions, digital identity is fundamental to our interactions in the online world. Unfortunately, many of the challenges associated with the Internet stem from the lack of widely deployed, easily understood, and secure identity solutions. This should come as no surprise. After all, the Internet was designed for sharing information, not for securely identifying users and protecting personal data. However, the rapid proliferation of online theft and deception and the widespread misuse of personal information are threatening to erode public trust in the Internet and thus limit its growth and potential.     

Microsoft believes that no single identity management system will emerge and that efforts should instead be directed toward developing an overarching framework that connects different identity systems and sets out standards and protocols for ensuring the privacy and security of online interactions. Microsoft calls this concept the Identity Metasystem. The Identity Metasystem is not a specific product or solution, but rather an interoperable architecture that allows Internet users to use context-specific identities in their various online interactions.

This paper ... will show how Microsoft’s contribution to the engineering of the Identity Metasystem—the Information Card technology—promotes privacy in three primary ways:

  • First, it helps users stay safe and in control of their online identity interactions by allowing them to select among a portfolio of digital identities and use them at Internet services of their choice. These digital identities may range from those containing no or very little personal information (perhaps nothing more than proof of an attribute such as age or gender) to those with highly sensitive personal information needed for interacting with financial, health institutions, or obtaining government benefits. The key point is that a web site or service only receives the information it needs rather than all of the personal information an individual possesses.
  • Second, it helps empower users to make informed and reasonable decisions about disclosing their identity information by enabling the use of a consistent, comprehensive, and easily understood user interface. Moreover, this technology implements a number of advanced security features that help safeguard users against identity theft by reliably authenticating sites to users and users to sites.
  • Third, and more generally, Information Card technology is hardwired to comply with data privacy laws and conforms to key requirements in the European Union’s privacy regime, including legitimate and proportionate processing, security, and restraints on secondary use.

This is good stuff. This kind of thinking is precisely why Opinity is an early supporter of Microsoft's CardSpace (as well as OpenID and FOAF). I'd also note that it dovetails nicely with the recent mapping of privacy laws to Kim Cameron's 7 Laws of Identity done by Ann Cavoukian, Ontario's information and privacy commissioner. Good things are afoot in the realm of identity and privacy, and though the footprints are small and few at this point, they're headed in the right direction (good grief, that metaphor escaped from its cage).

You can download the full white paper here.

October 25, 2006

Laws of Identity, Laws of Privacy

In Canada they take privacy seriously--even the government does. Canada has privacy commissioners: a national one, who reports to the Canadian parliament, and one for each province.

Ontario's information and privacy commissioner, Ann Cavoukian, recently unveiled a new way of looking at privacy, which is in the context of identity. Specifically, she took Kim Cameron's 7 Laws of Identity--which can be seen here--and adapted them as 7 Laws of Privacy.

I think this is a productive and cool thing to do. Since getting deeply involved in the issues surrounding identity and reputation management over the past year, I've come to believe--somewhat intuitively, rather than in some rigorously argued fashion--that privacy and identity online are bound together in interesting ways. Dr. Cavoukian's 7 Laws of Privacy give substance to that intuitive notion.

You can find the laws, each one placed next to its Law of Identity counterpart, in a PDF here. Summarized, Cameron's 7 Laws are as follows:

  1. Personal Control and Consent
  2. Minimal Disclosure for a Constrained Use
  3. Justifiable Parties--"Need To Know" Access
  4. Directed Identity--Protection and Accountability
  5. Pluralism of Operators and Technologies
  6. Human Integration
  7. Consistent Experience Across Contexts

Cavoukian introduces them by saying:

We believe that privacy is woven throughout the 7 Laws, and that when the Laws are applied, exciting new privacy options will become possible. However, there is nothing inevitable about privacy-enhanced identification and authentication options - its development must be fostered and encouraged.
The missing ingredients are knowledge and desire. If privacy design options for identity systems can be identified early and strongly promoted, then it is possible that a universal identity system will emerge that has built-in respect for privacy and data protection, before it’s too late.

And here is the Achilles heel of all privacy (and identity) initiatives thus far: the "missing ingredients" of knowledge and desire. People have to learn about privacy-enhancing technologies--in this context, privacy-enhanced identity management technologies--and to want them enough to adopt them, and so far, this hasn't happened en masse. The landscape of the dot-com bust is littered with the remains of various attempts to market privacy-enhancing technologies, and people continue generally to be indifferent to the routine invasions of their privacy that often characterize transactions both online and offline.

Various attempts to scare folks into awareness through lurid tales of identity theft appear to have frightened people, contributed to a certain amount of legislative harrumphing and cries of alarm, and apparently prevented some people from doing business online, but have done little to motivate people to learn about issues of privacy and identity, or to figure out strategies for protecting both.

But, these things being said, I am nonetheless delighted to see a Canadian provincial commissioner embrace Cameron's 7 Laws and apply them to privacy, thus generating some awareness of how we can and should go forward. Her doing so is yet another testimony to the broad worth of Kim Cameron's efforts in identity management generally and his 7 Laws of Identity specifically.

I'll forgo any extended comparison between the treatment of privacy in Canada and in the U.S. To do so would be overly depressing.

October 19, 2006

Hasan Elahi, Revealed!

From Ethan Zuckerman on WorldChanging.com, the story of an artist--he does installations and videos, among other things--who has embraced a startling form of identity management:

Hasan Elahi is a conceptual artist whose life is an ongoing work about surveillance. He starts by telling us a chilling story - his detention by the INS at Detroit Airport after returning from a trip from overseas....
The FBI asked him about his whereabouts on September 12, 2001 - he was able to answer the questions by taking out his Blackberry and showing off his meetings. Over the course of questioning, it became clear that the reason he was being questioned was that he had a storage locker in Tampa, where he’d been teaching....
Elahi’s life for the next few months involved dozens of interviews with the FBI, finally culminating in nine back to back polygraphs, which finally “cleared” him....
For the next few months, every trip Elahi took, he’d call his FBI agent and give the routing, so he didn’t get detained along the way. He realized, after a point - why just tell the FBI - why not tell everyone? So he hacked his cellphone into a tracking bracelet which he wears on his ankle, reporting his movements on a map - log onto his site and you can see that he’s in Camden. But he’s gone further, trying to document his life in a series of photos: the airports he passes through, the meals he eats, the bathrooms he uses. The result is a photographic record of his daily life which would be very hard to falsify.

First, we have to note the extent to which many of us--especially anyone of Arab or could-be-Arab (who knows?) descent--have become terrified of the U.S. government. Guantanamo, the Patriot Act, and now the Military Commissions Act of 2006 combine to raise a specter--one that I've never known before, and I'm an old guy--the specter of being suddenly, inexplicably, inarguably deprived of one's constitutional rights; the specter of disappearing into secret cells in the U.S. or Europe or Guantanamo like Dunbar was disappeared in Joseph Heller's Catch-22: just gone, nonexisting, without apparent cause or explanation.

But then we must note and applaud Elahi's imaginative, transformative response. If you want to surveil me, he says, don't bother; I'll surveil myself with a thoroughness you couldn't achieve. I will demonstrate ad absurdum that I am not a terrorist.

At this point you could argue that he has effectively exorcised the spectre, but I wouldn't go that far. I would argue, however, that he has discovered one of the binding principles of our era, that we must grasp our identities in the world of data gathering, transmission, storage, and analysis and present ourselves in order. Otherwise, others will see whatever distorted fragments of us appear out of vast fields of information. And as Hasan Elahi has discovered, these distorted fragments--call them anamorphia--can cause us actual harm.

Never Forgive, Never Forget

This is one of those manage your own identity or have it manage you things. It's also about an emerging world in which we can all be made to stand in the full glare of exposure at any time over the entire course of our lives. The New York Times tells us:

In 41 states, people accused or convicted of crimes have the legal right to rewrite history. They can have their criminal records expunged, and in theory that means that all traces of their encounters with the justice system will disappear.

These rights embody a second chance, forgiveness, starting over, things that most of us could use at some point or another in our lives. (I don't know about you, but I don't want to bear the full burden of all of my own life's accumulated blunders forever.) That is, they manifest mercy.

However, mercy and forgiveness are such old-fashioned virtues. As the Times goes on to say:

But real expungement is becoming significantly harder to accomplish in the electronic age. Records once held only in paper form by law enforcement agencies, courts and corrections departments are now routinely digitized and sold in bulk to the private sector. Some commercial databases now contain more than 100 million criminal records. They are updated only fitfully, and expunged records now often turn up in criminal background checks ordered by employers and landlords.

Listen to a judge who deals with these matters:

Judge Stanford Blake, whose court often enters expungement orders, said his inability to make them effective had left him feeling frustrated and helpless.

“It’s a horrible situation,” said Judge Blake, the administrative judge of the criminal division of the Eleventh Circuit Court in Miami. “It’s the ultimate Big Brother, always watching you.”

Given the proliferation of databases, the cross-communication among them that has become routine, their persistence over time even when supposedly expunged, and their inherent vice--that is, the fact that they're often inaccurate or obsolete--we now live in a world in which we need to stand up for, literally, our selves. Using every means at our command, we need to discover what is on record about us and to manage that information to the best of our ability.

Emerging identity services such as the ones provided by Opinity can serve as tools. Using them, we can try to reverse Gresham's Law, that is to use good information to drive out bad information, and in the process protect ourselves from the persistence of databases. I predict long, slow battles, with many reverses along the way.

October 18, 2006

Screening Us, All of Us

In a Wired article, Bruce Schneier explains why everyone must be screened at airport security, including those folks with security clearances, top secret umbra or what have you. It's a really interesting article because it exemplifies so clearly why security issues don't yield nicely to common sense. Schneier begins:

Why should we waste time at airport security, screening people with U.S. government security clearances? This perfectly reasonable question was asked recently by Robert Poole, director of transportation studies at The Reason Foundation, as he and I were interviewed by WOSU Radio in Ohio.

Poole argued that people with government security clearances, people who are entrusted with U.S. national security secrets, are trusted enough to be allowed through airport security with only a cursory screening. They've already gone through background checks, he said, and it would be more efficient to concentrate screening resources on everyone else.

The first point Schneier makes is that "security is a system"--which means that there has to be an utterly reliable way in place that would allow airport security to verify someone's security clearance. Thus:

What starts out as a simple idea -- don't waste time searching people with government security clearances -- rapidly becomes a complicated security system with all sorts of new vulnerabilities.

Then there's the money:

We don't have infinite dollars to spend on security. We need to choose where to spend our money, and we're best off if we spend it in ways that give us the most security for our dollar.

Given that very few Americans have security clearances, and that speeding them through security wouldn't make much of a difference to anyone else standing in line, wouldn't it be smarter to spend the money elsewhere?

And there are other issues: what does it mean that a particular person has a clearance of some kind? Given the incompetence, general confusion, and, one assumes, cronyism surrounding the whole issue of security clearances in the federal government, we should expect some or many clearances to be paper-thin, lightweight, nearly meaningless.

In short, Schneier says, all these folks with whatever kinds of clearance just have to get in line and endure the same rituals because to do otherwise would create a whole new layer of problems--security problems.

October 16, 2006

Astroturfing & Identity

Ed Cone at eWeek has an article about astroturfing, defined by Wikipedia as "formal public relations (PR) campaigns which seek to create the impression of being a spontaneous, grassroots behavior."

Cone tells about a recent astroturfing debacle:

The latest such endeavor to be exposed is a we-love-Wal-Mart blog called Wal-Marting Across America, written by a couple on a cross-country jaunt in an RV. Their raptures over the big-box retailer may be real, but their journey was underwritten by (as summed up by Online Media Daily after BusinessWeek broke the story) "Working Families for Wal-Mart (WFWM), an organization launched by Wal-Mart's public relations firm Edelman. WFWM paid for the RV and all travel expenses, rerouted the trip's original plan, and plastered a logo on the RV's side. Although the blog featured a link to WFWM, it did not identify the organization as a paid sponsor."

There are all sorts of issues here, to be sure, but I am, as usual, interested in questions surrounding identity and reputation. At root, astroturfing is a form of imposture, not in the sense of wearing a mask but in the sense of concealing one's intentions or true motivations. If Wal-Mart pays you to tell everyone how wonderful the company is and you disclose that fact, the rest of us can judge your statements accordingly. However, if Wal-Mart pays you to sing its praises, and you don't tell us, then you are deceiving us in a fundamental, pervasive, harmful fashion. You are both imposing and imposturing--you are rolling out the old astroturf.

Specifically regarding blogs, as Cone points out, "blogs are supposed to be authentic and personal, the voices of real people. Mess with that trust, and you may find yourself in a world of hurt." Indeed. So what as writers and readers of blogs should we do regarding astroturfing?

As writers, our credo here should be straightforward: when you have a vested interest in anything you are discussing, disclose it. For instance, this blog is published by Opinity and signals this fact in a number of ways; readers are free to draw their own conclusions about how this fact influences what I say.

As readers, we really must pay attention to writers' identities. Particularly where advocacy and argument are rife, we should ask ourselves, who is saying this? Metaphorically speaking, look around to see if there is a curtained area, and if there is, find out who's behind the curtain.

One of our (generally implicit) standards at Opinity is authenticity: that is, we want to enable people to present their identities and reputations in an authentic fashion through technical and social means. If you have an Opinity profile--which can contain lots of information about you, depending on your choices, some of it authenticated--you can present a rich portrait of yourself, one with lots of context and detail. And if you're a blogger, you can use a widget on your blog to refer readers to your Opinity profile. In short, you can be quite forthcoming about who you are, what you do and have done. We think that's a very good thing.

October 13, 2006

Opinity Support for CardSpace--a Work in Progress

Pete Rowley, using Firefox on Linux, takes Opinity to task for only supporting CardSpace through .Net and Internet Explorer. We agree that not only Linux and Firefox but also other browsers and operating systems should be supported. And we promise to embrace these possibilities as they develop and we can support them. But for the moment CardSpace is primarily a .Net and MSIE thing--which we've been saying everywhere we mention our CardSpace support--so that's where we are. Check back, Pete, and everyone else who's interested in this sort of thing.

October 10, 2006

Carly Fiorina and Patricia Dunn: Reputation in Action

It's a truism these days among folks who think about online identity and reputation that we don't own our reputations--that a reputation (or, in more extreme versions, even identity) is others' story about us, thus in principle something we can't own. Put this way the truism seems inescapable. However, what's overlooked here is that we can influence--even manage to some degree--our reputations to a significant extent.

Recent news from the HP front bears out this fact. Carly Fiorina and Patricia Dunn--ex-HP executives who were publicly and ritually stripped of their good reputations--have been striking back, using television, via "60 Minutes," to do so. (Fiorina also has a new book on the stands, which can also function as an effective means of reputation management.)

Fiorina noted that if you have enough money and are willing to spend it, you can "buy and sell" someone's reputation. She also put forth an existence proof of the fact that if you have the right media access--either through public profile or money--you can fight back.

She fights back with a story, one in which Tom Perkins and Jay Keyworth colluded against her, got her fired, and arranged for her public humiliation. Is this true? I have no idea, but I do know that by getting herself interviewed on "60 Minutes," she has managed her reputation by telling a story about how it came to be lost--and, I would argue, has done so very effectively. Her story is plausible, interesting, and appeals both to our love of conspiracy and intrigue and our tendency to believe in the underdog.

These themes are continued in Patricia Dunn's telling--a story in which she's been made the scapegoat for the sleazy and probably illicit practices that characterized the investigation into HP board leaks. She even has the same two villains, Perkins and Keyworth, who in this chapter sought to protect Keyworth's identity as the leaker and destroyed Dunn at HP when she wouldn't go along with the plan. Again, who knows whether this is true? Certainly not me.

However, the point here is, I think, a powerful one. Fiorina and Dunn have been pretty thoroughly trashed in the media--albeit in very different ways--and they're striking back. I think they're setting an excellent example for the rest of us, unlikely as we are to be the subject of the kind of media attention they've gotten.

We can't own our reputations, but we can certainly work to manage them.

The Future of the Internet, #4: Managing Our Selves

Let's consider a very simple model of identity online. Basically, we are online what we reveal ourselves to be. That is, our online identity comprises the specific information we reveal about ourselves, such as IP address, username and password, real name and address, and bank or credit card information; and the specific transactions we engage in, such as Web searches and purchases.

And, of course, that identity is revealed to the specific parties on the other end of a transaction. This is important because we often tell much more about ourselves than is strictly necessary or desirable in a given transaction. For instance, when I manage my online Amazon account, I reveal my username and password, which in turn reveals an extraordinary amount of accumulated information about my purchasing habits and browsing habits, and, if I make a purchase, my real name, at least one credit card number and its expiration date, and whatever other information the bank that issued the card and Amazon have decided to exchange about me, such as my present and past addresses.

When contemplated from the point of view of my privacy, it's all too much. And, in fact, it would make much more sense for me to have control of as much of that information as is reasonable. But let's back up a few steps and consider this: there is no reason for most of this information on Amazon to be connected to the real me.

When it comes time to make a purchase, I must reveal certain details about myself, and there is in fact a compulsory, startling intimacy in what I must reveal, but before that point, Amazon has no particular right to maintain my online history and to put it together from whatever databases and with whatever combinatory algorithms they're using these days.

It's valuable to them to do so, and it's sometimes convenient to me--though it's also sometimes annoying to me because I don't want to sift through an absurd conglomerate of "recommendations" based on my and my wife's searches, many of which were driven by immediate circumstances (such as finding a gift for a 12-year-old girl) and have little relevance for my (or my wife's) general interests.

In addition, as Michael Goldhaber, Steve Gillmor, and Doc Searls--among many others--have pointed out, this attention or data, these manifestations of my attention, these gestures, in Gillmor's word, should be under our control, not theirs, and we should share in the benefits inherent in maintaining and consulting this information store.

We could then decide to whom and under what circumstances we want to reveal what information about ourselves.

If we construct our online identity with a few more safeguards built in, we can continue to get what we want without being required to reveal all about ourselves in all transactions. If we use opaque pseudonyms to conduct much of what we do online and use anonymous proxy servers for Web browsing, especially about potentially sensitive or embarrassing matters, we can prevent the kinds of stupid or casual data release done by AOL when it gave away user search data.

If we manage our identities through a trusted third party, we can bring an array of tools to bear in situations as we choose. And here's where I'll make my pitch for Opinity. We intend to put the user at the center of identity management and to offer the user whatever identity management tools emerge, under the user's control and to his or her benefit. We've begun with OpenID, CardSpace, and Opinity-specific options for authenticating identity information and revealing identity information only at the user's dictate.

The moral to this story? In this hypothesized future of the Internet, we either manage our identities or those identities--and our privacy--will be managed for us, almost certainly to the detriment of our privacy. Companies will profit in ever more complex ways from knowing about our lives in intimate detail, and governments will gather whatever information about us they wish, with ease.

October 05, 2006

Trade Personal Info for Tax Breaks?

The Register (UK) reports:

The leader of Bracknell Forest BC has suggested people who allow their data to be sold to marketing firms could receive council tax cuts.

Paul Bettison told a Conservative party conference fringe meeting that the information from the council's smartcard system could be sold if controls on government databases were loosened.
...
He added that the data held by the council, such as library books borrowed, indications of income and family, could allow companies to target direct mail with enough accuracy to stop it being annoying, as it would present people with offers that were of genuine interest.

Mr. Bracknell appears to be quite the technological go-getter. He was quoted elsewhere as saying, “We in local government must get to grips with e-government and transformational government using ICT tools. We are about modernising service delivery and using technology to help us deliver services in the most effective way.”

I'm of several minds about this one, as if I were afflicted with multiple personality disorder. On the one hand, this proposal resonates nicely with ideas of the attention (or intention) economy, but very much on the other, if this kind of personal information were to be handed over to local governments, we would need better assurances than we have that the data isn't also given out to whatever law enforcement agencies ask for it. And on yet another hand (which puts us in space alien species territory, but there you are), there's the vexing issue of secondary use--that is, would the "marketing firms" involved then be able to sell, give, or share the information they acquire with others?

Finally (abandoning the "other hand" metaphor entirely), I wonder, simply, whether governments, local or otherwise, should be in the business of acting as commercial go-betweens. Like state-sponsored lotteries--those regressive taxes on hope, poverty, and ignorance of statistics--this sort of thing could get out of hand.

Still, the idea is fascinating.