Identity Woman

Independent Advocate for the Rights and Dignity of our Digital Selves

ID Topics

I own my own Attention. Do you?

· · Leave a Comment

This week I joined Attention Trust. Steve Gilmore is the president and Mary Hodder is the Chair of the advisory board. It seems like a great application for the Identity systems we are working on.
What Matters?

What does matter is a pool of attention metadata owned by the users. This open cloud of reputational presence and authority can be mined by each group of constituents. Users can barter their attention in return for access to full content, membership priviliges, and incentives for strategic content. Vendors can build on top of that cloud of data with their own special sauce–the newbie crowd of MyYahoo, the pacesetter early adopters of Diller/Ask/Bloglines, the social attention farm of RoJo, and Google’s emerging Office service components orchestrated by the core GMail inforouter. And the media, which now includes publishers, analysts, researches, rating services, advertisers, sponsors, and underwriters, can use the data as a giant inference engine for leveraging the fat middle of the long tail.

Nick Bradbury puts it this way:

I want personalized search. I want my attention data to help tools and services find the stuff that matters to me so I can cut down on information overload. But I only want this if:
1 It’s done in a way that protects my privacy
2 The service that collects my attention data lets me get it back, so I can share it with other services

Aldo agrees

Much of what they have to say jibes with my thoughts on digital identity and new collaborative finance models and reputation systems and all that abstract stuff that is still too messy for me to explain with much clarity…..I’ll continue to work on that….in the mean time please read Nick’s piece.

Technorati Tags: , , , ,

Women in Open Source

· · Leave a Comment

There was a great panel on Women in Open Source at OSCON. It raised some very interesting issues including the open question of why there is 10x fewer women in Open Source then in the regular tech industry (as programmers and technical roles). Worth thinking about more and I hope that O’Reilly and others can continue the inquiry within its events.

R0mL..as I was saying

· · Leave a Comment

Ok in the treasure trove of yet to be posted posts is this gem from OSCON. R0ml gave an amazing (part II) of his talk that he did not complete last year. He will likely give part three the conclusion next year. The audience will be eagerly anticipating it. Here is the summary as best I can (his words are in italics). I must preface this by saying that words in text form are a poor representation of this man’s work as he takes presentation very seriously as a form of performance art.
He began with … as I was saying
Semasiology is the science of the meanings or sense development of words; the explanation of the words.
I wonder if we can collectively do a Semasiology of Identity perhaps that is a topic we can invite R0ml to consider with us since Optaros is considering and ‘identity’ practice.
He returns to a quote from the princess Bride where the guy says Inconceivable ‘I do not think it means what you think it means’
Summarizes last year’s talkwhere he made the point that the source of open source was not ‘code’ but instead was the requirements.
PART II – Really it was all about the CODE

Programs must be written for poeple to read, and only incidentially for machines to execute.

APL progammling language by Kenneth Iverson it was ‘easy to read’ and designed for Notation an a Tool of Thought.

(check out what it really looks like – totally not ‘easy to read’)
Why read?
70-80% of all “software development is maintenance
70-80% of all maintenance is reading old code and understanding
49-64% of the cost of CODE
WEB originates from this work Literate Programming by Donald Knuth. It is a method of composing programs. He felt the time was ripe for significantly better documentation of program and saw them as Works of Literature. He was an essayist whose main concern is with exposition and excellence of style.
With Literate Programming there are two steps
Tangle (create the code)
Weave (create the documentation)
Hence the aphorism: Given one Literate eyeball, most bugs are shallow.
This language and its associated programs have come to be known as the WEB system.

He said: I chose the name WEB partly becasue iftwas one of the fe three-letter words of the Engligh lanauge not applied to computers
We can also invite some other words to describe the programming process from this set of words.
SPIN (create requirements) …a ask in spining a yarn
Knit (create the test cases)

Fashion (generate the models)
We might wonder how good our spinning, knitting and fashioning are going in the identity space. Hopefully the IIW in October can help with all three.
Warning this next section has a lot of free association
Steven Roger Fischer wrote A History of Reading

How many people are computer literate?
The census bureau says there are 600,000 programmers in the US.
If you include other professions that also would read code as part of their job you reach about 1.9 million which is less then one percent. It is about 16 million people world wide which is 1/6th of one percent world wide.
Where does reading come from? All early reading involved simple code recognition very task oriented.

Sumarian writing developed
Enheduanna was the first poet in 2285 BC. and was the daughter of Kin Sargon.
Ada Byron – first programmer Countess of Lovelase is the daughter of a poet.

In Sumaria at the time this poem was written only 1% of population knows how to read in the Great City of UR.
Around 500BC.. Athenians 5% could read.
This was the Dark Ages 500 AD at it was asserted that what writing made presnet to reader pictures make present ot the illiterate.

That is the GUI…(Graphical USer interface)

Words were written down for Public Performance:

scripta manet verba volat

script remains verbal is volitle
writing is eternal, talk is ephemeral


This phrase did not mean this
To ‘read’ was to transmit, not to receive. Things written were written as memory aids.
To read was to speak…because of not for orators…
So this phrase really meant:

Writing reposes, speaking soars


Writing isn’t any good unless you read it out loud. Existance of the book meant that the speaker could be anybody.
GPL3 – GPL is a copyright.
Copyright protects against unauthorisze copying derivation, distribution or publicly performance.
What does it mean to publically perform software?
It means to ‘run the code’

The purpose of the code is to be performed.

GPL defines source code’s preferred form of the work for making modifications to it.
Refrain
Voices of the Absent
The spanish theologian – Isidor of Seville (560-636 BC) – praised silent reading, too, for being without effort, reflecting on the which has been read rednering their in.

In 1999 St Isidore was named the patron saint of programmers
Why?
He wrote a treatise – Etymologiae (source) or Origines as sometimes called.
He compiled it – all existing knowledge and literature.

Authorship does not matter the collection of knowledge matters.

What happen next? In the early middle ages changes our understanding of authorship changed. Integrity of the Authors Source Code
Something changed meaning of word to read… it was now possible to read in silence…

789 Admonitio Generalis no standards improve aimed specifically at educaiton reading and writing.
Carolingian Minuscurle brought some standards in.
Alcuin of York 798-804
Words are separated use a blank space.
What 0 did for math the space di for reading.
Irish scribes created the fullstop, comma, semicolon
Standards emerged for heights (m) ascenders (b) decenders (g)
Reading went form public act to private act – reader is no longer shared the text with others.

Reading and writing was collaborative and became individual.
Reusable Software is collaborative.
will it become individual?
Readable software needs typography.
If you write scripts they will need maintenance.
If you write readable code they will soar.

Writing reposes, speaking soars
scripta manet verba volat

Programming is literature.
Reading is not performance.
Two gods of literature the reader and writer.
Rewriting of what the author has originally authored.
Moving away from respect to original author when writing became a silent and private act.
Intellectual Property is invented in 1251
So we flip back to authorship…

In antiquity we gave credit to original author because failure to respect honored ancestor.
Post renaissance -> more about legal requirement.
Couple hundred years 40-50% will read can read CODE.
When this happens will the collaborative nature dissipate?
Power of collaboration is essence of what it is about now but it may become a private act.
Symbolic manipulation skill.
Extent to writing skill – literary skill.
We have done this before.
Speaking venacular of that people are talking.
Semiotic agreement about core set of concepts.
Be liberal in what you understand.
Be strict in what in what you are trying to say.
Poetry is obfuscated.
Poetry is set in LINE.
The white space is significant.
Prose it is not.

Come to OSCON for Part III next year.

Announcing The Virtual Rights Symposium on Digital Identity & Human Rights

· · Leave a Comment

This is the first of what we hope to be an annual event about Digital
Identity and Human Rights covering social issues, policy and
legislation in this arena.
The goal is to foster international cooperation on virtual rights
through high quality dialogue and deliberation between legislators,
researchers, service providers, and citizens.
The symposium will begin in September with interaction online both
synchronous and asynchronous. It will peak with a meeting in Costa Rica November 17-18th and continue online afterwards.
Virtual Rights Association is organizing the event in cooperation with Costa Rica University and the Berkman Center. Chair Jaco Aizerman please contact him at =jaco or http://public.xdi.org/=jaco
Please go to thewebsite at Virtual Rights to see the current version of the agenda.

Revolutionizing Marketing: The Business Case for XRI/XDI

· · Leave a Comment

Dear Marketing: An Open Letter From Your Customer
by Chris Maher of Fosforus
Opening:

Over the years, I have had an uneasy relationship with you. I’ve not cared one bit for being your prospect. And, as it seems that being your customer is just an extension of a permanent, unrelenting and ever-more-intrusive marketing campaign, I’m not nuts about being your customer, either.

He quotes David Glen Mick from a paper Searching for Byzantium: A Personal Journey into Spiritual Questions that Marketing Researchers Rarely Ask

Another set of spiritual questions we seldom ask ourselves concerns the effects of marketing and consumption on human character. By character I do not mean human values, but rather our psychological temperament as we go about our daily activities. What kind of person does marketing and consumption encourage or discourage?

Mick’s answers include examples of qualities of temperament that are, in his opinion, encouraged by marketing and consumption: impatience, incivility, judgmentalism and distrust.

He continues to articulate the problems with marketing and gets to the heart of the matter by offering a new model.

What I’m recommending is the creation of (what I will call) a “custnomer”: a data alias or new “name” for that me that gets profiled by your computer systems.
At a minimum, this will mean that my customer records and data won’t have my real name appended to them. There are too many thieves and scammers out there who are seeking to use my good name and the records attached to it. Grab your nearest CIO and Chief Privacy Officer (and maybe the Chief Security Officer, though that person is probably on Zoloft at present) by their lapels and strongly encourage them to begin in-depth research into the promising work on Extensible Resource Identifiers (XRI) and XRI Data Interchange (XDI).
The Daddy of XRI, Drummond Reed, is someone I consider a friend …is, without question, the darned nicest and most patient technology visionary that you will ever come across. There isn’t an ounce of ego in his dealings with us woefully common folk.
Warning: XRI/XDI is not some obscure, trivial “tech thing” that will only be meaningful to those who mumble to themselves and spend half their lifetimes slaughtering innocents and evil-doers… virtually, that is. XRI/XDI has encoded within it is a simple, powerful idea that will come true over time and will change your business: “My private data is mine.”

He goes on to highlight data anonymity and the work of Latanya Sweeney, Assistant Professor, Institute for Software Research International at Carnegie-Mellon University.
Here’s how Sweeney describes what she does:

Perhaps the biggest clash between technology and society involves privacy. The task of maintaining privacy and confidentiality in a globally networked, technically empowered society is quite difficult, tricky and fun.
Data privacy (or more precisely, data anonymity) is emerging as a new study within computer science that is the study of computational solutions for releasing information about entities (such as people, companies, governments) such that certain properties (such as identity) are controlled while the data remain practically useful. While these problems have been studied, in part, by statisticians and earlier computer scientists, their solutions have been rendered insufficient in today’s technically empowered society. So, in data anonymity, we develop new approaches and tools for today’s computational environment.
My colleagues and I (in the Laboratory for International Data Privacy, for which, I am the director) take a two-prong approach to data anonymity. On the one hand, we work as data detectives and on the other hand, we also work as data protectors.”

The best part is he finished up with the new business model.

I’m thinking that there’s probably some trustworthy business entity—although, I’m hard-pressed to figure out which it might be—that could serve as my proxy. (Now, banks and/or credit card companies, before you leap to any conclusions, take a long look at your information assurance practices and see the part of this article about the Trusted Computing Group.)
I would willingly provide just enough information, credentials and data that authenticate who I am and which, say, establish my credit-worthiness to a “trusted relationship proxy”: some government-certified, insured, audited, secure entity that would establish and manage the data version of “me” and would become the “gateway” to all (or many) of my most important business relationships. Think of this proxy as an agent who serves as a buffer between me and you.

TSA data cloud searching – Flights today, Subways tomorrow?

· · Leave a Comment

This article was slashdotted today.

TSA had promised it would only use the limited information about passengers that it had obtained from airlines. Instead, the agency and its contractors compiled files on people using data from commercial brokers and then compared those files with the lists.
The GAO reported that about 100 million records were collected.
The 1974 Privacy Act requires the government to notify the public when it collects information about people. It must say who it’s gathering information about, what kinds of information, why it’s being collected and how the information is stored.
And to protect people from having misinformation about them in their files, the government must also disclose how they can access and correct the data it has collected.
Before it began testing Secure Flight, the TSA published notices in September and November saying that it would collect from airlines information about people who flew commercially in June 2004.
Instead, the agency actually took 43,000 names of passengers and used about 200,000 variations of those names – who turned out to be real people who may not have flown that month, the GAO said. A TSA contractor collected 100 million records on those names.

It brings up some serious concerns about how information collection and validation is done by the TSA for airline passengers. How can we trust governments to collect this much information about us just because we travel.
This week I wonder why care about airlines passengers because security is so tight that airlines do not seem to be a place where the next round of attacks will be. If London is any indication it will be on mass transit. Given the level of police/security presence on the transit systems in the Bay Area this week is certainly seems like there is some concern that mass transit will be attacked. They have started random searching of bags to get on the NYC subway. One wonders if they will start issuing ‘identity passes’ to get on such systems.

On the city subways, which are used by 4.5 million people on the average workday, the inspections started on a small scale Thursday afternoon and were expanded Friday.
The New York Civil Liberties Union opposed the searches, saying they violated the Fourth Amendment. Mayor Michael Bloomberg said he hoped the NYCLU would recognize that the city had struck the right balance between security and protecting constitutional rights. He said the bag-checking program is part of a policy to “constantly change tactics” and “may, or may not, be there tomorrow.”

Index Finger Scanning at Disney World + FastTrack Scanning

· · Leave a Comment

This article was Slashdotted…

Tourists visiting Disney theme parks in Central Florida must now provide their index and middle fingers to be scanned before entering the front gates.
The scans were formerly for season pass holders but now everyone must provide their fingers, Local 6 News reported. They have reportedly been phased in for all ticket holders during the past six months, according to a report.
I think it’s a step in the wrong direction,” Civil Liberties Union spokesman George Crossley said. “I think it is a step toward collection personal information on people regardless of what Disney says.

I think this is self explanatory in terms of why it is concerning. It seems to goes along with what is now happening with FastTrack passes (automatic toll readers) that I heard about last night at the Hillside Club CyberSalon where Esther Dyson was speaking. I googled the phenomena and here are some excerpts of what I found.

In New York State, readers have been multiplying ever since September 1997, when the New York Police Department (NYPD) used E-Z Pass toll records to locate and track the movements of a car owned by Nelson G. Gross, a New Jersey millionaire who had been abducted and murdered. The NYPD had neither a subpoena nor a warrant to obtain those records; the police simply asked the Metropolitan Transportation Authority (MTA), and the MTA complied. This set a very bad precedent. Though Gross wasn’t alive to complain about it, his privacy had been violated. Access to those toll records also permitted access to all sorts of sensitive information, including his billing address, his credit card number, his license plate number and his Social Security number.

In February 1998, the MTA announced that — near the Tappan Zee Bridge (the site of the first reader in New York State, installed in 1993) — it had just concluded a successful “experiment” with readers that could detect and extract information from transponders even though the cars to which they were attached didn’t slow down. These “high-speed readers” were only three-feet tall and could be placed just about anywhere. As a result, they permitted the ETC system to do something it was never intended to do: namely, collect truly huge amounts of information about such non-toll related phenomena as traffic flows, speeds, densities and delays (all of which, incidentally, can be videotaped by either flow monitoring or security cameras that have been automatically activated by the readers).

Since then, high-speed readers have been installed along a great many State-owned roads and highways; they’ve also been installed atop many residential buildings in New York City.

Catalyst: Logic of Identity – Bob Blakley Chief Scientist IBM

· · Leave a Comment

This is a summary of Bob Blakley’s talk at Burton Catalyst:
Opening – Sermon on Laws

Laws of Planetary Motion
Kim’s Laws what happens to Identity if you make stupid or subtle mistakes
Newtons Law – gravity
Why things happen
Introduction – Looking Back Digital Signatures
A while back we decided we needed non-repudiation and did digital signatures by issuing certificates.
We forgot to figure out why do signatures work in the real world.
So, we got how they worked wrong in the technical world.
Having signatures not work is bad looking forward having privacy not work is bad.
Body of Talk
Definition:
Identity is a collection of attributes by which a person or thing is generally recognized or known
Identity Relativity
The Identity of X according to Y: The set of attributes believed by Y to be true of X.
Axiom: Utility
An identity attribute has value if and only if knowing that attribute reduces risk for some party
Reducing one party’s risk often creates risks for other parties.
Consequence: Identification is Power
Identity allocates risk.The ability to create or eliminate a risk for another confers power over the other.
Axiom: Contention
Because identity claims allocate risks, they will be disputed.
Identity Attributes

  • Commercial Interest – Convenience
  • Government Interest – Security
  • Individual interest – Privacy

Definition
Privacy: is the ability to lie about yourself and get away with it.
Axiom: Subjectivity
People disagree about one anothers identity attributes
In general, there’s now easy way to tell who’s right and who’s wrong
Axiom: Temporality
The name that can be named is not enduring and unchanging name. All identity attributes change over time.

  • Prince -> symbol
  • Michael Jackson Black -> Plastified

Axiom: Obscurity
Identity attributes can be

  • what you know – you can lie
  • what you have – loose / leave
  • what you are – alter disguise

Axiom: Publicity
Identity attributes cannot be secret
By definition attributes aren’t observable can’t be used to use attributes
Axiom: Contextually
Identity is inherently subject to effect of scale.
Brandon Mayfield – guy who did not blow up trains
His finger print matched one at Madrid Bombing (it was not an accurate assertion)
Large databases -> not completely reliable
To scale identity information one needs to collect — more information
Consequence: Powerlessness
Identity is in they eye of the beholder – subjectivity.

  • You can’t control what other people think or say about you.
  • You can’t even know who knows what about you.
  • Can control what you tell people but not what people find out

Consequence: Privacy Erosion
Scale requires distinguishing between lots of individuals which requires lots of information.
In a sufficiently large population the commonly agreed to be public attributes will not distinguishing individuals well enough.
So information about sensitive attributes will be collected.
In the UK they are look at putting in scanners (QinetiQ) while entering the subway to detect knives but what about creep in the use of other things identifying tatoos?
People push back against government identification.

Consequence: Due Process
Because identity is subjective, contextually, contention and obscurity and temporality.
IDENTIFICATION REQUIRES DUE PROCESS
But due process undermines the business case for identity. Due process requires transparency. Transparency reveals how identity attributes are collected and synthesized to make judgment. Collection and Synthesis are the only sources of completive value.
They do it because they like costumer intimacy.
Supply and Demand mismatch between favorable and unfavorable information.
Favorable information is easy to get.
The subject is happy to give it to you and the subject is happy to help you authenticate it. Therefore the supply is large and the value is low. But it’s worse: Demand is also low! Because favorable information is less likely to reduce another party’s risk. Especially the case when the other party has lots of potential customers.
The business case fore identity service provider infringes privacy.
The business of identity service providers is risk reduction withholding adverse information decrease the value of business.
Collecting more adverse information makes more.
Identity and Privacy are Incompatible.
Adverse information has positive identity value but negative privacy value.
Favorable information has zero identity value and zero privacy value.
Fable about MARIA
Recent guatemalan immigration
she has AIDS and she doesn’t want anyone to know. The health insurance company wants to know this information because it is a $180,000 not to know this.

Catalyst: Government Adoption of Federated Identity

· · Leave a Comment

This is drawn from David Temoshok’s Talk. He is the Director of Identity Policy and Management GSA Office of Government Policy
Homeland security directive 12
“Policy for Common Identification Standard For Federal Employees and Contractors” – August 2004
HSPD 12 Requirements
1. Secure and reliable forms of personal identification that are:

  • Based on sound criteria to verify an individual employee’s identity
  • Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  • Rapidly verified electronically
  • Issued only by providers whose reliability has been established by an official accreditation process

2. Applicable to all government organizations and contractors except National Security Systems
3. Used for access to federally-controlled facilities and logical access to federally-controlled information systems
4. Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure
5. Implemented in a manner that protects citizens’ privacy
Expanding Electronic Government
Needing Common Authentication Services for

  • 280 million Citizens
  • Millions of Businesses
  • Thousands of Government Entities
  • 10+ Million Federal Civilian and Military Personnel

You can learn more on the GSA website – http://www.gsa.gov/aces

Documents for the Undocumented

· · Leave a Comment

This week the cover of Business week is Embracing Illegals. The frame is about how businesses see the 11 million+ ‘illegal immigrants’ as a great market opportunity. To function economically in western capitalism you need identity documents to be part of the ‘representation system‘ that enables trusted value generation and exchange.
It dives into detail about how ‘undocumented immigrants’ get documents to basically function as normal US residents.

Guided by friends and family, the couple soon discovered how to navigate the increasingly above-ground world of illegal residency. At the local Mexican consulate, the Valenzuelas each signed up for an identification card known as a matrí­cula consular, for which more than half the applicants are undocumented immigrants, according to the Pew Hispanic center, a Washington think tank. Scores of financial institutions now accept it for bank accounts, credit cards, and car loans. Next, they applied to the Internal Revenue Service for individual tax identification numbers (ITINS), allowing them to pay taxes like any U.S. citizen — and thereby to eventually get a home mortgage.

The corporate Establishment’s new hunger for the undocumenteds’ business could have far-reaching implications for America’s stance on immigration policy, which remains unresolved. Corporations are helping, essentially, to bring a huge chunk of the underground economy into the mainstream.


The political implications are less clear-cut. Further integration of illegals into the U.S. could help President George W. Bush in his uphill struggle over the past two years to launch a guest worker program. His plan would provide a path to amnesty and full legalization for many unauthorized residents. Companies are taking a position similar to the President’s, in effect saying: There’s no point in pretending that millions of people aren’t here, so let’s find ways to deal with them.
It quickly became apparent. Largely via word of mouth in Hispanic neighborhoods, Wells Fargo has opened 525,000 matrícula accounts, which now represent 6% of the bank’s total. It opens 800 new accounts a day across the 23 states in which it does business.
The success of the matrí­cula has encouraged the expansion of other financial products, such as home mortgages, using the ITIN. Created for people such as foreigners with U.S. investments who aren’t eligible for a Social Security number but still may owe U.S. income taxes, the agency issued 900,000 ITINs last year and a total of 8 million since 1996. In Chicago, Second Federal Savings has 620 ITIN loans worth $90 million.

Meta-data, collaborative filtering and identity

· · Leave a Comment

Collaborative Filtering and Identity from John Udell. A use case we should be thinking about.

What if one would create a crawler application that, using all of these sources, could compine a complete “view” of my digital online self?
The problem though, is that “social” internet tools, that effectively visualize this stuff, are not all that common yet. Bloglines, Del.icio.us, and Flickr, and a few others, are still few and far between.
And then there is privacy. Now personally, I have no problem sharing all this metadata about myself. I would not even mind my browsing habbits being monitored to service the “social” metaspace like I do with the above-mentioned services, provided I had complete and transparent control over when what was monitored.
Wouldnt it be kinda creepy, once we indeed had a centralized match-and-compare system for all of this data, if you where to run into another person online that mirrored you and your interestes in every way? And online doppelganger, so to speak.

Canada has some crazy laws too.

· · Leave a Comment

Canada has some crazy laws too. I kind of was thinking of Canada where I was born as the ‘friendly’ nation to the north but it seems not to be true :(.

Before privacy laws or the Charter, there was little if anything to stop police or national security operatives from cajoling or coercing information from private sector organizations. A civic-minded government department or company could blab all it wanted about its customers or employees.
Our privacy laws changed this, although they didn’t really try to put a stop to it. In BC, our public sector privacy law gives public bodies discretion to disclose personal information for law enforcement purposes, without warrant, but there are (some would argue, weak) constraints on this. The same can be said for our private sector privacy law. Still, these laws, together with the Charter, have until recently insulated against over-enthusiastic private sector co-operation with all and sundry state inquiries. Is this still true? If it is, how long will this last?
After the 9/11 attacks, governments everywhere felt compelled to act, and to be seen to act. This was in an important sense responsible of government. It was also mandated by political Darwinism. But a profoundly important aspect of the post-9/11 changes is the blurring of lines between collection and use of personal information for law enforcement purposes under criminal and other penal laws and use for national security purposes. A defining characteristic of police states is the blurring of distinctions between law enforcement and national security functions, the danger being that the rule of law eventually gives way to arbitrary decision-making by law enforcement authorities and the rights of ordinary citizens lose meaning. Democracies depend on clear and effective rules suited to the state activities that the rules are intended to govern and that reflect the essential values of a free society.

In Canada, post-9/11 amendments to the Customs Act and regulations authorize officials to require private sector organizations to provide border officials with extensive advance information about arriving passengers. These changes expanded the federal government’s ability to use and share that information, not only for national security purposes, but also for ordinary law enforcement and other purposes, including (according to government statements in 2002) public health surveillance. The information-sharing authority includes a broad ability to share personal information about Canadians and others with foreign governments. The amendments don’t restrict information-sharing arrangements to national security uses they could easily include ordinary law enforcement or other purposes defined on a case-by-case basis or in an agreement with another nation.
Also, Public Safety Act amendments to the Aeronautics Act allow the RCMP Commissioner to require any air carrier or operator of an air reservation system to, for the purposes of transportation security, disclose specified information in its control to any person the Commissioner designates. Despite the Public Safety Act reference to transportation security, the amendments allow this data to be matched with other data and to be disclosed to assist in executing certain outstanding arrest warrants. This effectively compels the private sector to assist the state, in the absence of a warrant or court order, in surveillance of all air travellers for the broader general purposes of both national security and ordinary law enforcement.
Consistent with these powers to conscript the private sector into both national security and law enforcement activities, Public Safety Act amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) permit private sector organizations to collect personal information without an individual’s knowledge or consent in circumstances that amount to an invitation to, and in some cases compulsion of, the private sector to assist the state in surveillance for both general national security and ordinary law enforcement purposes.

The Public Safety Act also amended the Proceeds of Crime (Money Laundering) and Terrorist Financing Act to authorize the Financial Transactions and Reports Analysis Centre of Canada to collect information it considers relevant to money laundering or financing of terrorist activities from publicly available information, including commercially available databases. FINTRAC is also authorized to obtain, under information-sharing agreements, information maintained by federal or provincial governments for law enforcement or national security reasons.
FINTRAC expanded powers point to the fact that, when it comes to co-opting the private sector, 9/11 can’t be blamed for everything. Laundering of dirty money was of sufficient concern before 9/11 to lead to extensive transaction-reporting requirements for banks and others. You can easily find other examples of legislative responses to individually pressing policy challenges that draft private sector organizations into state service in the name of public safety or order. One example is the current federal government lawful access proposals, some of which would apparently require ISPs to hand over at least identifying customer information and perhaps more on simple request by state officials, and for a pretty broad range of uses.

Also, at the local level, at least in BC, we see more and more local government bylaws compelling businesses to hand customer information over to police for a variety of reasons. Pawnshop reporting requirements have been around for a long time, but now were seeing bylaws requiring businesses to regularly give police information, without request, in a variety of situations (such as information who’s been buying pepper spray, hydroponic supplies or chemicals that could be used to make drugs and who’s been renting mailboxes at commercial mailbox centres).
And governments are now large purchasers of personal information from the private sector. So far this is being seen mostly in the US think of Total Information Awareness, MATRIX, Secure Flight and so on but to think that our own governments will ignore the expanding private sector trove of electronic personal information much longer.
As databases proliferate, become more comprehensive and become lifelong, it’ll be harder and harder to resist those who say that, since the information is out there, the state should be able to use it. Time and time again over the last six years I’ve been told by middle-aged, middle class Caucasian males that they have nothing to hide, so why should anyone else feel differently? Let the government have the information it needs to protect us, they say.
Now, I don’t doubt the good faith of BC’s police agencies not for a minute. But, thinking thirty or fifty years down the road to a time when the lines between national security and law enforcement have blurred to vanishing, will there be any meaningful rules? If not, will our belief in the good faith of state officials, set adrift without guiding rules, be enough to sustain our privacy and other rights?

Farming the Net or the Earth??

· · Leave a Comment

Farmers in third world countries leaving the land to ‘farm’ for gold in online games to sell to other avatars (digital identities of a type). The virtual ‘sweatshop labour’. I hope the college activists turn there attention to this issue too.
Net heads may think this is cool and those enamored with the over taking of the real world with the digital. I think it is really freaking and we should figure out how to pay people who farm the land get paid well. We can not as Bruce Sterling so aptly put in his Planetwork 2000 address – dive into our computer screens and survive. He was talking about escaping from the greenhouse effect – seems like having food to eat is equally applicable.

The lesson here is not that atomic scientists are gutless eggheads. Einstein and Sakharov weren’t gutless: these people are colleagues of Einstein and Sakharov. The true lesson of Los Alamos is that there’s no ivory tower to hide in. You can have the biggest supercomputers on earth and a broadband video feed. If a Greenhouse monsoon rolls in, you’re gonna have live video feed of your supercomputers washing downriver.
What are you gonna do when the sky turns black over your town? Are you gonna jump inside your laptop screen? Where you gonna hide, console cowboy? If it gets hotter, you can click up the AC like we do in Texas, but the Greenhouse Effect is an extremely intimate disaster. You’re breathing it right now. The planet’s entire atmosphere from pole to pole has been soiled with effluent from smokestacks. Too much carbon dioxide. It’s in every single breath you take, it fills this very room. You don’t get to pick and choose. There’s no pull-down menu for another atmosphere. The sky is full of soot. Everywhere. There’s soot in Yosemite. There’s soot at the source of the Nile. There’s soot in Walden Pond and soot in the Serengeti. There is no refuge. It’s not imaginary, it’s here.
Yet it’s nothing compared to what is coming. Whatever sins of omission and comission we may have committed environmentally, they are the small ones, they are the beginner steps. Look at the curves, do some of the math. We’re in deep already, but these are just harbingers. The real trouble lies ahead.

MS/HP – National Identity System Kim does it Follow the Laws?

· · Leave a Comment

So I wondered reading the below quote if the MS/HP National Identity System followed the Identity Laws that Kim has authored. The frame of this Techsploits column Hot for Data By Annalee Newitz does not make it sound like it does.

I was particularly squicked to hear about a new product from Hewlett-Packard and Microsoft that is designed to be an integrated identity-tracking suite for repressive government regimes.

It seems that virtual rights surrounding identity and the Kim’s Identity Laws surrounding proper use should be universal not just something US Citizens and perhaps Canadians enjoy. It is clear the web is global and thus the nature of the laws of identity for use in digital systems using the web also must be. I am wondering what Kim and others at Microsoft are doing to ensure the emergence of systems that are not going to be used by oppressive regimes.

Called the National Identity System, the product is touted for its ability to create smart ID documents, which can be checked at borders or across entire regions. It also has the fun ability to add biometric data to each identity profile. It’s plug-and-play surveillance! Now you don’t need to build your own repressive state apparatus, because HP has done it for you. Plus HP and Microsoft promise to set up training centers all over the world to help governments implement the system.
Luckily, it’s Windows-based, so my favorite hackers will be exploiting the hell out of it as soon as it gets widely deployed. I can’t wait for the underground how-to book to come out—they can call it National Identity System Hacks.

Belgium Identity Cards

· · Leave a Comment

From ID Corner comes this story about Belgium Identity Cards.
The card provides strong security against traditional outsider attacks, but unfortunately has not been designed with privacy in mind. In fact, it features one of the worst privacy designs imaginable. Two glaring problems:

The citizen certificates on each ID chipcard contain the cardholder’s name and RRN (the œrijksregistratienummer,” a single government-wide identification number for each natural person). The name and RRN are disclosed whenever a card is used at a relying party. The RRN (which has a simple structure based on the citizen’s birthday) serves as the key to numerous databases containing citizen information; on the basis of this number, all cardholder actions and movements with the eID chipcard can be electronically traced and linked (not merely by the government itself!).

The eID card specifies the following information, both visibly on the card itself and stored within the card’s chip: cardholder’s photo, surname and first names, gender, nationality, place and date of birth, signature, RRN, and the validity period of the card. In addition, the chip also stores the cardholder’s current address. Some of this information is privacy-sensitive, yet the cardholder has no control over its disclosure. (Historically, this is the same information as has always been on Belgium identity cards, and so arguably this does not constitute a reduction in privacy; however, in most countries around the world an information-rich national identity card would not pass in the first place.)

The privacy problems do not stop here. Each eID chip contains two X.509v3 identity certificates (each specifying the citizen’s name and RRN number, one for authentication and one for digital signing), as well as a basic signature key to authenticate the card with respect to the RRN. The certificates and public keys, which are assigned by the central issuing authority, by themselves serve as “omni-directional” identifiers that are globally unique. For a detailed account on the various privacy problems caused by this use of PKI, see, for instance, here.

Identity and Gaming

· · Leave a Comment

To prepare to talk with Susan Crawford I thought I would scan her three year old blog for any menitons of Identity. It turns out that Susan has done some extensive thought about identity and in particular in the context of online gaming. She has a link to a paperWho’s in Charge of Who I am?: Identity and the Law Online. Here are some good quotes…

Online identities are emergent. Identity is by definition a group project, something created by the context in which the identified operates.
Online walled gardens will be come more prevalent, as concerns about security, viruses, spam and the unknown increase, as valuable content is made accessible only to those who have been permissioned to see it, and as hardware and software systems made available to the masses increasingly taken on “trusted” aspects. Online games are precursors of these future more serious, walled garden online worlds. Key characteristics of both games and walled worlds are limited access, clear boundaries, rules, roles/players, and feedback mechanisms that create reputation. … These characteristics of games make them ideal laboratories for experimentation with rulesets.

This is a great mention of the word – rulesets. I have been thinking a lot about them ever since I read Thomas Barnett’s book – The Pentagon’s New Map. How we as a society and how institutions that govern us determine what the ruleset’s are is important to think about. With the complexifying world we live in – robust, legitimate and fair systems to create good rulesets are needed. This is particularly true in the online space that is really built by and for us. I hope that all the effort that has gone into creating the Identity Commons structure can be just such a place.
Back to Susan…

Who owns identity? who owns reputation? From the intermediary’s perspective, software creates rules that control what social context can be moved elsewhere. Your identity is “really” a database entry, and the intermediary can argue that your identity is their intellectual property, not yours. You may attach great importance to it, but this identity (and its reputation) will not as a practical matter survive outside the world in which it was formed. Walled world designers have incentives to raise switching costs and capture all the vale of this reputation. In other words, controllers of online worlds are gods. But users may defect from environments and attempt to constrain them in how persistent their reputations and identities are. The difficult task for developers/intermediaries is how much freedom to give their users. This takes us from the realm of risks to the realm of opportunities.
AS real work becomes a more common online activity, identity created in connection with groups will be more and more meaningful.
Human nature will always tend toward group-ness.

  • What would be made visisble? The fact that someone’s identity has been taken away, and the reasons why? Or speech-related actions of the intermediary that have an impact on identity (but are less then “disappearing” someone?)
  • What about reputation? Is it right that a user must leave her reputation behind when she leaves a particular online world? Is “reputation portability” possible? Or is reputation so context-dependent that the online world should be permitted to own it? And what does the online world own exactly? A group-created construct?
  • Is this entire problem avoided by staying out of “walled gardens” and maintaining our own domains? Will this be possible, as online worlds become more and more attractive, and as hardware and software increasingly intertwine?

In the end, it boils down to the fact that the best government is the one that you can trust, which will be the one you know personally: the people close to you in your virtual community, who are held accountable precisely because of community ties. Your best government is going to be each other, because the man behind the curtain isn’t going to know any more than you know him.
Conculusion:
We are still in the early stages of the first two steps dealing with any technology: fear and opportunism. Enlightenment is not far away. I want to suggest that we skip quickly through the fear, linger on the opportunism, and move on to human betterment. This social benefit may come (as so many things do) from playfulness. Games have a great deal to teach us about how we establish and maintain identity. Now we need to consider who is in charge of these identities. It may be, in the end, that we are.
We need to forge a direct link between how we live and work online (especially within walled gardens) and how we structure control over online resources. If the new mode of work online is collaborative peer-production of resources, who will own a shared online space of identities? This ownership may have to be collective. The fundamental problem that is yet to be address is that while reputations and identities are group projects, legal ownership of collectively-created intangible identities currently appears to reside (by default) in online intermediaries. We may need to make some noise about this and ensure a better fit. Perhaps the game should belong to the players.

She raises some interesting questions for us to think about. I think looking at the governance and how to actualize that – this is what the distributed governance form of Identity Commons is designed to do. I didn’t really realize that she was involved with XNSORG several years back. She really liked you all and mentioned Bill Washburn and Drummond Reed by name.
While talking with her about identity and her paper she mentioned her connection to the State of Play conferences. The third one is coming up this fall and is entightled Social Revolution. Two panels look very relevant:

  • Collective Action in the Metaverse: Groups, Community and Power
  • Identity in the Metaverse: On-Line Identity in Virtual Worlds

It is the day after Web 2.0 but might be worth the trip 🙂

BrandX and Identity Implications

· · Leave a Comment

I had dinner with Susan Crawford this week (btw: she says hi to all you XNS guys 🙂 We talked about the lesser talked about Supreme Court Decision this week BrandX. Basically the FCC can now impose “social policies” which can be very onerous and costly. They could effectively kill VoIP services. It also seems that it has implications for our work building an identity meta-system on the net. If it classified as an information service? Any lawyers in the crowd who want to help us identity folk figure this out?

In BrandX, Justice Thomas gets very confused about the internet and ends up essentially announcing that everything a user does online is an “information service” being offered by the access provider. DNS, email (even if some other provider is making it available), applications, you name it — they’re all included in this package. And the FCC can make rules about these information services under its broad “ancillary jurisdiction.”
This is very very big. This means that even though information services like IM and email don’t have to pay tariffs or interconnect with others, they may (potentially) have to pay into the universal service fund, be subject to CALEA, provide enhanced 911 services, provide access to the disabled, and be subject to general consumer protection rules — all the subjects of the FCC’s IP-enabled services NPRM. I’ve blogged about this a good deal, and now it’s coming true: the FCC is now squarely in charge of all internet-protocol enabled services.

Evolving self moderation

· · Leave a Comment

On Identity and privacy and self moderation. How digital identity and what persistence means over time.
Kids don’t expect privacy these days, they put everything up there. We are all aware that the computer doesn’t’ have the same kind of memory as humans have, it archives things whereas people forget. So what’s going to happen in 20 years when they are going on job interviews?
Lili: Self-moderation evolves over time. And it’s cultural, so different countries evolve differently.
Mena: There’s going to be a point where there are going to be more complex permissions, so you can control who sees what.
Amy Jo: When people get a phone for the first time, they get very excited about it, and they go through an arc. Start off over enthusiastic and then they moderate themselves. Same with social networks. So often opening everything up is often a phase, not somewhere people stay. And it’s a function on where you are in your life and what you are doing.