Government

Identiverse Session on Historical Self-Sovereign Identity

Ali · May 23, 2023 ·

At Identiverse in 2022 I presented this paper about Understanding SSI in historical context.

The Presentation’s Key Highlights

Developers and policymakers often overlook the historical context of social and technological systems. They perceive them as fixed and granted in the present moment.
The presentation highlights the historical trajectory of two distinct identity systems: computer-based systems and state-issued administrative identities in Europe.
Starting with computers, the presentation traces the development of identity systems from mainframes to the present day. It showcases the advancements in technology and the changing paradigms of digital identity.
Throughout this historical journey, it becomes evident that computer-based identity systems have been influenced by technological capabilities, market demands, and user requirements, which results in diverse system designs and approaches.
On the other hand, the presentation explores the history of state-issued administrative identities in Europe. It emphasizes how these systems have evolved and the principles underlying their design.
State-issued administrative identities have typically been based on centralized, hierarchical models, where the government plays a central role in issuing and managing identities for its citizens.
These administrative identities have often been tied to specific rights, privileges, and responsibilities within a nation-state, reflecting historical norms and legal frameworks.
The presentation acknowledges that the designs and principles of computer-based identity systems and state-issued administrative identities are not necessarily comparable due to their distinct historical trajectories.
However, the presentation’s conclusion argues that Self-Sovereign Identity (SSI) technologies offer a digital identity system that aligns with the historical norms of state-issued administrative identities.
SSI technologies empower individuals with control over their digital identities and allow them to manage and share their personal information securely and selectively.

To see the full video of the session, click here.

To read out the full relevant paper, click here.

My Data, My Value: 6 Sense Making Diagrams

Kaliya Young · October 18, 2016 ·

I was invited to present in the Personal Data Track at the Cloud Identity Summit, 2016 in New Orleans.
This is the talk I gave. It also came with a two sided 11×17 sheet with all 6 diagrams (just below).

My Data, My Value: 6 Sense Making Diagrams from the Personal Data Ecosystem. from Kaliya "Identity Woman" Young

Diagrams for My Data, My Value: 6 Sense Making Diagrams from the Personal Data Ecosystem from Kaliya "Identity Woman" Young

Faith and the IDESG

Kaliya Young · November 9, 2014 · Leave a Comment

Since becoming involved in the IDESG, I have become concerned that we do not have people of religious faith – with that as their primary “identity” within the context of participating in the organization. Let me be clear about what I mean, we have many people of many faiths involved and I am not disrespecting their involvement. We also don’t have people who’s day job is working for faith institutions (that they would take time out from to “volunteer” on this effort to explicitly bring in a faith perspective). Someone from say the National Council of Churches would not be a bad thing to have given that one of groups of people who today have consistently sue against “identity systems” are Christians objecting to ID systems put into public schools to track children students. With this proactive faith stance involved the systems we are seeking to innovate reduces the risk of rejection via law suite. I also think the views of those from Jewish, Muslim Sikh, Budhist, Hindu and other faiths should be proactively sought out.
Another Tweet from the Tampa meeting….

We must understand the past to not repeat it

Kaliya Young · November 9, 2014 · 1 Comment

Please see the prior post and the post before about how we got to discussing this.
We can not forget that the Holocaust was enabled by the IBM corporation and its Hollerith machine. How did this happen? What were these systems? How did they work? and particularly how did the private sector corporation IBM end up working a democratically elected government to do very horrible things to vast portions of its citizenry? These are questions we can not ignore.
In 2006 Stefan Brands gave a talk that made a huge impression on me he warned us and audience of very well meaning technologists that we had to be very careful because we could incrementally create a system that could lead to enabling a police state. It was shocking at the time but after a while the point he was making sunk in and stuck with me. He shared this quote (this slide is from a presentation he gave around the same time)

It is the likability that is the challenge.
We have to have the right and freedom NOT to be required to use our “real name” and birthdate for everything.
This is the defacto linkable identifier that the government is trying to push out over everything so they can link everything they do together.
Stephan proposes another Fair Information Principle.

I will share more of Stephan’s slides because I think they are prescient for today.
Stephan’s slides talk about User-Centrism technology and ideas in digital identity – ideas that have virtually no space or “air time” in the NSTIC discussions because everything has been broken down (and I believe intentionally so) into “security” “standards” “privacy” “trust frameworks” silos that divide up the topic/subject in ways that inhibit really tackling user-centrism or how to build a working system that lives up to the IDEALS that were outlined in the NSTIC document.
I have tried and tried and tried again to speak up in the year and a half before the IDESG and the 2 years since its existence to make space for considering how we actually live up to ideals in the document. Instead we are stuck in a looping process of non-consensus process (if we had consensus I wouldn’t be UN-consensusing on the issues I continue to raise). The IDESG are not taking user-centrism seriously, we are not looking at how people are really going to have their rights protected – how people will use and experience these large enterprise federations.
Yes everyone that is what we are really talking about…Trust Framework is just a code word for Enterprise Federation.
I went to the TSCP conference a big defence/aerospace federation (who was given NSTIC grants to work on Trust Framework Development Guidance) where this lovely lady Iana from Deloitte who worked on the early versions of NSTIC and potential governance outlines for IDESG – she said very very clearly “Trust Frameworks ARE Enterprise Federations” and it was like – ahhh a breath of fresh clear honest air – talking about what we are really talking about.
So back to the Stephan Brands re-fresher slides on user-centric ID so we don’t forget what it is.

Stefan2

Stefan2

Look at these, take them seriously.

BC Government Innovation in eID + Citizen Engagement.

Kaliya Young · April 6, 2014 · Leave a Comment

I wrote an article for Re:ID about the BC Government’s Citizen Engagement process that they did for their eID system.
Here is the PDF: reid_spring_14-BC
BC’S CITIZEN ENGAGEMENT:A MODEL FOR FUTURE PROGRAMS
Because of my decade long advocacy for the rights and dignity of our digital selves, I have become widely known as “Identity Woman.” The Government of British Columbia invited me to participate as an industry specialist/expert in its citizen consultation regarding the province’s Services Card. I want to share the story of BC’s unique approach, as I hope that more jurisdictions and the effort I am most involved with of late, the U.S. government’s National Strategy for Trusted Identities in Cyberspace, will choose to follow it.
The Canadian Province of British Columbia engaged the public about key issues and questions the BC Services Card raised. The well-designed process included a panel of randomly selected citizens. They met face- to-face, first to learn about the program, then to deliberate key issues and finally make implementation recommendations to government.
[Read more…] about BC Government Innovation in eID + Citizen Engagement.

The Trouble with Trust, & the case for Accountability Frameworks for NSTIC

Kaliya Young · July 31, 2011 · 3 Comments

There are many definitions of trust, and all people have their own internal perspective on what THEY trust.
As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.
I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.
However, the way the word “trust” is used within the NSTIC document, it often includes far to broad a swath of meaning.
When spoken of in every day conversation trust is most often social trust.
[Read more…] about The Trouble with Trust, & the case for Accountability Frameworks for NSTIC

Alignment of Stakeholders around the many NSTIC Goals

Kaliya Young · July 31, 2011 · 1 Comment

The Many Goals for the Identity Ecosystem & NSTIC Governance

The NSTIC governance NOI articulates many key activities, qualities and goals for a governance system for NSTIC. NSTIC must:

convene a wide variety of stakeholders to facilitate consensus
administer the process for policy and standards
development for the Identity Ecosystem Framework in accordance with the Strategy’s Guiding Principles
maintain the rules of participating in the Identity Ecosystem
be private sector-led
be persistent and sustainable
foster the evolution of the Identity Ecosystem to match the evolution of cyberspace itself.

Achieving these goals will require high-performance collaboration amongst the steering group and all self-identified stakeholder groups. It will also require earning the legitimacy from the public at large and using methods that surface their experience of the Identity Ecosystem Framework as it evolves.
[Read more…] about Alignment of Stakeholders around the many NSTIC Goals

Ecosystems Collaborate using Shared Language – NSTIC

Kaliya Young · July 31, 2011 · 2 Comments

Collaboration is a huge theme in NSTIC. Below is the initial approach to collaboration in the document:

The National Strategy for Trusted Identities in Cyberspace charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions.

Collaboration, as defined by Eugene Kim, a collaboration expert and the first Chief Steward of Identity Commons, occurs when groups of two or more people interact and exchange knowledge in pursuit of a shared, collective, bounded goal
To achieve the challenging goals set out in NSTIC, such as raising trust levels around identities, high performance collaboration is required. Both shared language and shared understanding are prerequisites for high-performance collaboration.
This is a powerful excerpt from Eugene Kim’s blog about two experiences from technical community participants (including Drummond Reed from the user-centric identity community) that paints a clear picture of the importance of time for, and the proactive cultivation of, shared language:
[Read more…] about Ecosystems Collaborate using Shared Language – NSTIC

Ecosystem as the frame for NSTIC

Kaliya Young · July 31, 2011 · Leave a Comment

What is an Ecosystem?
The National Strategy for Trusted Identities in Cyberspace paints a broad vision for an Identity Ecosystem. The strategy author’s choice to name the big picture vision an “ecosystem” is an opportunity not to be lost. An Identity Ecosystem construct will inform the choice of processes and structures appropriate to govern it.

An ecosystem is a biological environment consisting of all the organisms living in a particular area, as well as all the nonliving, physical components of the environment with which the organisms interact, such as air, soil, water and sunlight.

This definition reminds us that the context of an Identity Ecosystem is broad and goes beyond just the identities of people and devices but extends to the contexts in which they operate and interact, the network and indeed the wider world. When we discuss a person’s digital identity it should not be forgotten that we are each fundamentally biological beings living in complex social systems composed of groups, organizations and businesses, all socially constructed and embedded in a larger context, the biosphere surrounding the planet earth.
An overall Identity Ecosystem is needed because small islands of identity management online are working, but they have not been successfully woven together in a system that manages the tensions inherent in doing so to ensure long term thrivability of the overall system. [Read more…] about Ecosystem as the frame for NSTIC

NSTIC Response by Identity Woman

Kaliya Young · July 31, 2011 · 2 Comments

Context for my response to the NSTIC Governance NOI
Table of Contents to Blog Posts of My Response
My Complete Response in PDF form Kaliya-NSTIC-NOI
Introductory Letter of the Response.

Context for my NSTIC NOI response
I surprised myself when writing my response to the NSTIC (National Strategy for Trusted Identities in Cyberspace) Governance NOI (Notice of Inquiry). I wasn’t sure exactly what I was going to say because the questions seemed like they were way ahead of where they should be interms of where things were. I decided to begin by sharing important Context, Frames and Terms that were important before getting to the Questions of Governance and what should be done now.
I began with the word Ecosystem – what it meant and that a system was at the heart of this strategy not something simple or easily actionable.
I touched on the history of the Identity Community and how much conversation and intensive dialogue happened amongst that early community to get to a place where collaboration was natural and “easy”. A huge amount of effort went into developing shared language and understanding then and this is needed once again. The range of self identified stakeholders for NSTIC is quite large (the range of not self identified stakeholders it could be said is everyone on the planet or at least all those with a digital connection (via phone or interent).
I put forward two different methods/tools/processes that could be used to form shared language and understanding across this stakeholder community Polarity Management and Value Network Mapping.
I suggest that the governance structure proposed a “steering group” actually have a mandate to regularly listen to and act on the recommendations of the system that are generated via 3 different well established dialogic processes (Creative Insight Council, World Cafe and Open Space Technology [What we use at IIW]. I then answer the NOI questions referencing the ideas above.
I am going to be posting the whole of my Response in a series of posts and linking them all from there.
I began with one earlier last week which is focused on “trust” both as an emergent property of the overall system AND as the current name of technology and policy/legal frameworks for identity creation.

Links to NSTIC Response Posts:
[Read more…] about NSTIC Response by Identity Woman

Authored: National! Identity! Cyberspace! Why we shouldn’t freak out about NSTIC.

Kaliya Young · January 10, 2011 · 2 Comments

This is cross posted on my Fast Company Expert Blog with the same title.

I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce. I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.
I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference Internet Identity Workshop held every 6 months since the fall of 2005 has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.
Looking at use cases that government agencies need to solve is the best way to to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.
The National Institutes of Health is a massive granting institution handing out billions of dollars a year in funding. In the process of doing so, it interacts with 100,000’s of people and does many of those interactions online. Many of those people are based at institutions of higher learning. These professors, researchers, post-docs and graduate students all have identifiers that are issued to them by the institutions they are affiliated with. NIH does not want to have the expense of checking their credentials, verifying their accuracy and enrolling them into its system of accounts, and issuing them an NIH identifier so they can access its systems. It wants to leverage the existing identity infrastructure, to just trust their existing institutional affiliation and let them into their systems. In the United States, higher educational institutions have created a federation (a legal and technical framework) to accept credentials from other institutions. The NIH is partnering with the InCommon Federation to be able to accept, and with that acceptance to trust, identities from its member institutions and thus reduce the cost and expense of managing identities, instead focusing on its real work: helping improve the health of the nation through research.

The NIH also has a vast library of research and information it shares with the general public via the internet. Government sites are prohibited from using cookie technology (putting a unique number in your browser cookie store to remember who you are) and this is a challenge because cookies are part of what helps make Web 2.o interactive experiences. So say that your mom just was diagnosed with breast cancer and you want to do a bunch of in-depth research on breast cancer treatment studies. You go to the NIH and do some research on it, but it really requires more then one sitting, so if you close your browser and come back tomorrow, they don’t have a way to help you get back to the place you were.

The NIH doesn’t want to use a cookie and doesn’t want to know who you are. They would like to be helpful and support your being able to use their library over time, months and years, in a way that serves you, which means you don’t have to start from scratch each time you come to their website. It was fascinating to learn about the great lengths to which government officials were going to adopt existing standards and versions of those standards that didn’t link users of the same account across government websites (see my earlier post on Fast Company). They proactively DID NOT want to know who users of their library were.

One more use case from the NIH involves verified identities from the public. The NIH wants to enroll patients in ongoing clinical trials. It needs to actually know something about these people – to have claims about them verified, what kind of cancer do they have, where are they being treated and by whom, where do they live, etc. It wants to be able to accept claims issued by third parties about the people applying to be part of studies. It does not want to be in the business of verifying all these facts, which would be very time consuming and expensive. It wants to leverage the existing identity infrastructures in the private sector that people interact with all the time in daily life, and accept claims issued by banks, data aggregators, utility companies, employers, hospitals etc.

These three different kinds of use cases are similar to others across different agencies, and those agencies have worked to coordinate efforts through ICAM which was founded in September 2008 (Identity, Credential and Access Management Subcommittee of the Information Security & Identity Management Committee established by the Federal CIO Council). They have made great efforts to work with existing ongoing efforts and work towards interoperability and adopting existing and emerging technical standards developed in established industry bodies.

Let’s continue exploring what an identity ecosystem that really works could mean. The IRS and the Social Security Administration would each like to be able to let each person it has an account for login and interact with it online. We as those account holders would like to do this – it would be more convenient for us – but we want to know that ONLY we can get access to our records, that that they won’t show our record to someone else.
So let’s think about how one might be able to solve this problem.
One option is that each agency that interacts with anywhere from thousands to millions of citizens issues their own access credentials to the population it serves. This is just a massively expensive proposition. With citizens interacting with lots of agencies, they would need to manage and keep straight different IDs from different agencies. This is untenable from a end-user perspective and very expensive for the agencies.

Another option is that the government issues one digital ID card to everyone ,and this one ID could be used at a bunch of different agencies that one might interact with. This is privacy-invasive and not a viable solution politically. No one I have ever talked to in government wants this.

So how to solve this challenge – how to let citizens login to government sites that contain sensitive personal information – whether it be tax records, student loan records, Department of Agriculture subsidies, or any other manner of government services, and be sure that it really is the person via an Identity Ecosystem.
Secretary Locke’s Remarks: The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.
What does a private sector service provider use case look like in this ecosystem?

When we open accounts, they are required to check our credentials and verify our identities under know-your-customer laws. People have bank accounts and use them for many years. They know something about us because of their persistent ongoing relationship with us: storing our money. Banks could, in this emerging identity ecosystem, issue their account holders digital identity credentials that would be accepted by the IRS to let them see their tax records.

The private sector, for its own purposes, does a lot to verify the identities of people, because it has to do transactions with them that include everything from opening a bank account, to loaning money for a house, to setting up a phone or cable line, to getting a mobile phone, to a background check before hiring. All of these are potential issuers of identity credentials that might be accepted by government agencies if appropriate levels of assurance are met.

What does is a public service provider look like in this ecosystem?
The Federal Government does identity vetting and verification for its employees. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors directs the implementation of a new standardized identity badge designed to enhance security, reduce identity fraud, and protect personal privacy. To date, it has issued these cards to over 4 million employees and contractors.
These government employees should in this emerging ecosystem be able to use this government-issued credential if they need to verify their identities to commercial entities when they want to do business with in the private sector.

There is a wide diversity of use cases and needs to verify identity transactions in cyberspace across the public and private sectors. All those covering this emerging effort would do well to stop just reacting to the words “National” “Identity” and “Cyberspace” being in the title of the strategy document but instead to actually talk to the the agencies to to understand real challenges they are working to address, along with the people in the private sector and civil society that have been consulted over many years and are advising the government on how to do this right.

I am optimistic that forthcoming National Strategy and Program Office for Trusted Identities in Cyberspace will help diverse identity ecosystem come into being one that reduce costs (for governments and the private sector) along with increasing trust and overall help to make the internet a better place.

[Read more…]

Thoughts on the National Strategy for Trusted Identities in Cyberspace

Kaliya Young · June 25, 2010 · 1 Comment

Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.
Here is my answer to the NSTIC Governence Notice of Inquiry.
And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.
Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.

This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

Open Identity for Open Government Explained

Kaliya Young · September 9, 2009 · 7 Comments

Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.
This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:

Top-down support for open government
The proliferation of social media
The availability of open identity technologies

The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.
Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.
The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.
So how will these technologies work?
Those already familiar with OpenID know that typically when users login with it they give their own URL – www.openIDprovider.com/username. (see this slideshare of mine if you want to see OpenID 101) There is a little known part of the OpenID protocol called directed identity – that is a user gives the name of their identity provider – Yahoo!, Google, MSN etc – but not their specific identifier. The are re-directed to their IdP and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is it is like having a different user-name across all these sites but since the user is using the same IdP with different identifiers (unlinked publicly) but connected to the same account they just have to remember one password.
Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – I am enthusiastic bout their potential. It requires a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.

In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.

Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.” In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.

The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP). A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.
Both the OpenID and Information Card Foundation have been working very hard on this for many months – last night I was fortunate to their boards at a history first ever joint dinner.
There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.
Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologies talking about big ideas for use-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.

Identity & Gov and & Open Standards

Kaliya Young · August 17, 2009 · Leave a Comment

I am really happy to let you all know about this forth coming OASIS ID-Trust Identity Management 2009 event September 29-30.

The theme of the event will be “Transparent Government: Risk, Rewards, and Repercussions.”

The U.S. National Institute of Standards and Technology (NIST) will be hosting it in Gainthersburg, Maryland.

In the why attend the reference part of a directive by Barack Obama to the National Security Council and Homeland Security Council.

“to defend our information and communications infrastructure, strengthen public/private partnerships, invest in cutting edge research and development and to begin a national campaign to promote cyber-security awareness and digital literacy.” The U.S. federal government aims to accomplish all of this while becoming increasingly open and transparent.

The program is now available – and looks quite good.

There is a discount available until August 31. There are special registration proceedures for non-US citizens.

Great Identity News

Kaliya Young · August 11, 2009 · Leave a Comment

Yesterday the Government hosted a workshop in DC: Open Government Identity Management Solutions Privacy Workshop.
The OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.
Drummond Reed and Don Tibeau announced their paper Open Trust Frameworks for Open Government.
Quiet and intense work has been going on since just before the last IIW on all this, so it is great to see it begin to see the light of day.
The OpenID Foundation had a wonderful new redesign that Chris Messina announced. This page really made me smile: Get an OpenID – Surprise! You may already have an OpenID.
Axel did a Wordle of it:

SSN's can be guessed

Kaliya Young · July 6, 2009 · Leave a Comment

This just in from slashdot:

“The nation’s Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person’s Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003.

This is from the Wired coverage:

By analyzing a public data set called the “Death Master File,” which contains SSNs and birth information for people who have died, computer scientists from Carnegie Mellon University discovered distinct patterns in how the numbers are assigned. In many cases, knowing the date and state of an individual’s birth was enough to predict a person’s SSN.

“We didn’t break any secret code or hack into an undisclosed data set,” said privacy expert Alessandro Acquisti, co-author of the study published Monday in the journal Proceedings of the National Academy of Sciences. “We used only publicly available information, and that’s why our result is of value. It shows that you can take personal information that’s not sensitive, like birth date, and combine it with other publicly available data to come up with something very sensitive and confidential.”

Basically it means we shouldn’t be honest about our date of birth and home town on Facebook (or any other social network) or we are making ourselves vulnerable to discernment of our SSN’s. I wonder if they can figure out mine? I received my as an adult when I was attending college in California.

I decided to poke around and see what Facebook had up about Identity Theft. I did find a link to this study that created a profile by “Freddi Stauer,” an anagram for “ID Fraudster,”.

Out of the 200 friend requests, Sophos received 82 responses, with 72 percent of those respondents divulging one or more e-mail address; 84 percent listing their full date of birth; 87 percent providing details about education or work; 78 percent listing their current address or location; 23 percent giving their phone number; and 26 percent providing their instant messaging screen name.

Sophos says in most cases, Freddi also got access to respondents’ photos of friends and family, plus a lot of information about personal likes and dislikes, and even details about employers.

Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One facebook user divulging his mother’s maiden name—the old standard used by many financial and other Web sites to get access to account information.

Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.

According to Sophos, the results of what it calls its Facebook ID Probe has significance for the workplace as well as personal life because businesses need to be aware that this type of social-networking site may pose a threat to corporate security.

I have tried to search the Facebook blog to see what they have to say about identity theft and apparently they haven’t mentioned it.

On Gaza

Kaliya Young · January 3, 2009 · 2 Comments

I don’t write about politics on my blog that much but have spoken up about some of my travels in the world and what I have seen.
I thought with all the twitter blips going by about “the ground invasion in gaza beginning I wanted to share what I wrote about in the summer of 2006 my own personal visit to Gaza in the summer of 2000.
This is the last 1/2 of a post a post called “Security theater and the “real” threats – inhuman conditions“.

Speaking of ‘they’ – who are they? I just watched a film from Netflicks – Death in Gaza. It was of two documentary film makers one of whom died while shooting the film. I spent the summer of 2000 in Jerusalem for 10 weeks I lived and worked there and did what I call “NGO tourism”. I worked at one of the worlds foremost human rights organizations – BTselem the Israeli Information Center for Human Rights in the Occupied Territories and then also worked at the PCATI the Public Committee Against Torture in Israel (while there I got my education in what torture is going on and how it affects people – really awful).
My fellow international interns and I would spend our weekends traveling about going through the Westbank and up to Nazareth, and Haifa over to Televiv down to Hebron. [[you can read what I wrote about Hebron here]]

One time we got to go to Gaza for 2 days. One of the interviewers for B’Tselem was traveling there so the two of us got to go with him. We got hooked up with two guys who worked in an NGO in Gaza and went on a tour for a day… from one end to the other … inside the camps and everything. It was amazingly powerful. Just like in the movie I saw the little kids the ones who are 5 and 6 happily playing away not really knowing there life circumstances yet. Then the older boys would glare glints of anger in there eyes. They are 10-13 years old knowing what they don’t have. The get that it is not normal to have open sewers in the streets. It is not normal to have 10 people living in one room. It is not normal to be growing bunnies up stairs that you kill to have food or a donkey living in your living room. Why do they know this…there are satalite dishes…basically everyone has a TV and can see what life is like in Isreal, and America and the rest of the normal arab world. When you think about that maybe some of this makes a bit more sense. It is not normal to feel like going to school you could get killed (as they young girl in Death in Gaza talks about). It is not normal to have your school playmates killed by gunfire (like the little boys have happen to them in the movie). Or bulldozers coming to plow your house down in the middle of the night (like threatens to happen in the movie ) How can you feel peaceful in this kind of environment?
I know after witnessing what I did that day I was shaken. I really felt my soul had been shaken up like my body was still and it was moving. It was eerily like the feeling I had after exiting the memorial museum at Hiroshima. The thing was…what I had witnessed that day was happening to real people ‘now’ not a historical event from 60 years ago. The depth of suffering is quite intense and the failure to connect with people as people and to really resolve the conflict continues to cause suffering. More bombs and planes and threats of nuclear weapons going off doesn’t make the situation better. It makes it worse. Send in armies of compassionate empathetic listeners. Make public peoples family stories and histories. Find some way through. There are some amazing stories of reconciliation that have happened in Israel/Palestine. They prove it is possible. I do have hope but not if everyone just sees an enemy instead of people, families and societies with real human and community needs.
I was sorting through my stuff over the weekend and found something from B’Tselem. They still send me the reports the write. It was a 11×17 fold over about the wall situation in Jerusalem. Just really disruptive to normal peoples lives. The whole of the Westbank is oriented around the trade flows through main cities. The most main one being East Jerusalem. The fact that they want to cut the Palestinians off from their main economic hub is just mean. People don’t like people who do mean things. Why is this so hard to understand!

It makes me very sad to hear there is a war happening. There has been a war on the Palestinian people for a long time.
Some elements that are not obvious to people is the depth of connection to land and history that is present along with the really bad living conditions.
* In the refugee camps villagers who fled their villages together – still live together 50 years later – they have a sense of identity as people of a place (a place that only the oldest people alive still remember) but that the young people feel they belong to too.
* The number of people and the conditions of living are very hard to imagine – they have the density of New York – but all in cement block houses that have tiny rooms 9×9. 1200 people a km.
* They don’t have electricity in the winter because the wiring is so ad-hoc that it is to dangerous to run in the winter.
* They don’t have sewage systems – other then the ones that run in the street.
* When the Israelis had a presence in Gaza they had their own roads – the good ones – that Palestinians could not drive on. (I was driving around with palestinians so we were on the “bad” roads).
* They have families of 10 living in one room houses.
* They have families that have a donkey’s living with them in their one room too.
These are extreme living conditions and the reason they voted for Hamas has to do with the fact that the islamic organization the religious arm of the political organization actually helps poor (as they are called to by their religious texts) impoverished people by feeding them. If you lived in these kinds of conditions wouldn’t you vote for the group that on the ground in practical reality actually helped you a bit.
There are some other interesting things to know about the Palestinian people… How do I know all this – yes I visited the territories but I wrote my senior thesis 40 pages on “The Lost Opportunity for Sustainable Development in Palestine” – 10 of them specifically about demography.
* They have HIGH levels of basic education Palestinians have the highest levels literacy in the arab world.
* They have a lot of higher educational institutions.
* They have the highest level of educational attainment of women in the arab world (normally educated women cut back on the number of children they have).
* Even though the women are relatively very educated – they are very committed to having children and lots of them
Women living in Palestine have a total fertility rate (TFR) of 5.6 children—significantly higher than women in other countries that have similar levels of education and access to health services. (Women in Gaza have 6.6 births, on average, while women in the West Bank (including East Jerusalem) have an average of 5.2 births.) they are clear they are fighting a long term demographic “race” with Israel. More palestinians means more votes and more bodies to resist the injustice they have suffered.
* They have a very young population (in 2005 – 18% was below the age of 5, 45% was below the age of 15) this means that is lots of young men of marriageable age and seeking work.
So you put all this together
1. a population that watches TV from around the world on satellite dishes,
2. that lives in abject poverty
3. That is highly educated and mostly in the arts (political science, economics, english, comparative literature etc…)
4. Young men without an economic opportunities compounded by the fact that without this they can’t marry and thus can’t have sex. THEY ARE FRUSTRATED.
They know – they see every day on TV what they don’t have. We live in a globalized world and it is not just about ‘us’ those in North America and Europe knowing about the rest of the world – the rest of the world has the same tools too. They see the gap – with their own eyes and it makes them angry.
I don’t want to be all down on this post. This went by on twitter a few days ago It is about a contributor/admin on WikiHow (the wiki for how too manuals) and it made me cry – it is why I love the internet and the power it has to connect people and give people meaningful ways to contribute and help one another.

Many of you know that the dedicated wikiHowian and new admin, VC, lives in Gaza. (Actually VC is only a new admin on the English wikiHow. He has been an admin on Arabic wikiHow for a while.) And everyone knows that there is currently a war in Gaza right now. Even before the recent fighting started, VC suffered from sporadic internet access caused by electrical outages. So I felt lucky to get this email reply when I asked how he was surviving the war:
Quote:
It is terrible indeed, however, it is kind people like yourself and other wikiHow editors that keep me going on, sane and to some extent even happy that I have friends who really care about me without even really ever seeing me. Thank you very much for asking and checking on me. I’m safe and sound and so is my family and my friends. The circumstances however are hard on the children, but with some tenderness, love and patience, they’ll get through it (or so I hope). The area where I live in Gaza is considered relatively safe as it is the center of the city.
It is in rough and extremely hazardous situations like these that we usually need something to hold on to … to believe in. wikiHow and its community has been that and more to me. It was and still is what I turn to so as to find comfort and peace of mind. The wikiHow community members are so supportive and kind. When I set at the computer and start doing anything related to wikiHow, it is currently my only escape outlet where I can, for some sweet moments, forget about the war, the harsh circumstances and the suffering all around me. And when I see a message by one of the editors, whether discussing some wikiHow related matter or simply saying “hi, how are you”, it makes me feel … alive, not cutoff of the world outside … having what I call a “universal family” that cares and comforts me.
For all of that Jack, I’d like to thank you for founding this wonderful family, making it possible for me and many others to feel at home no matter what.

Web Mobs and Proposition 8

Kaliya Young · November 20, 2008 · 14 Comments

I am Canadian so you can probably guess how I would have voted if I could have on Proposition 8 (the California constitutional amendment to define marriage as only between a man and a woman).
My views are not the point of this post. I am very concerned about what is playing out – online and in real life between the two sides of this issues following the passage of the amendment.
First of all we live in a democracy – the people of California voted for it – albeit by a small percentage but that was the will of the people.
When I look at this I think well the way the NO side wins is by doing all the work the YES side did last time – only better. They go and put an amendment to the constitution on the ballot and then build support for it.
The NO campaign assumed it couldn’t loose, was badly organized, didn’t have a comprehensive strategy for building support for its side across diverse communities throughout California. (The YES campaign was on the ground engaging with the black church community for example – they never saw anyone from the NO side come to their communities to engage them on the issue).
As the vote approach the NO side in a final very flawed move started attacking in television adds those who funded the YES side of the proposition and in particular the Mormon Church.
It was this turn of events that has lead into quite disturbing actions and behaviors by the NO campaign post election.
The blacklisting and subsequent public harassment and targeting of specific people and specific religious groups for their beliefs and support of YES on prop 8 is wrong.

I take this personally, I have and do work with people who are Mormon – (When I played water polo in university and in the Identity field). I respect the LDS church and the people in it – they have good values. Their religion is a very American one too (like Christian Science its origins are on this continent). Watch the Frontline/American Experience 4 hour documentary on the history of the church and their experience as a people/religious group.
A close personal family member I know also voted YES and for all I know could have donated.
When mobs start appearing at places of residence of YES contributors and their businesses. It makes me worried.
I thought about this issue earlier in the campaign when I wrote this post There are a lot of donkey’s in my neighborhood (and I know who they are)
From The Hive:

because she did about 60 gay ‘activists’ went to her restaurant and strong armed her in a scene reminiscent to Nazi Germany. They went down a list of people who gave as little as 100 dollars to boycott, harrass and attack them. They went there to ‘confront’ her for giving a measley hundred bucks based on her personal faith that she has had since childhood. They argued with her and it was reported by local news reporters was a “heated” confrontation.
So is this the America we want? Where if a private citizen wants to participate in the governmental process that they be harrassed and acosted. Their freedom of speech chilled by thugs.

From the NY Times:

The artistic director, Scott Eckern, came under fire recently after it became known that he contributed $1,000 to support Proposition 8…
In a statement issued on Wednesday morning, Mr. Eckern said that his donation stemmed from his religious beliefs — he is a Mormon — and that he was “deeply saddened that my personal beliefs and convictions have offended others.”

From the SF Chronicle:

Phillip Fletcher, a Palo Alto dentist who donated $1,000 to the campaign, is featured prominently on a Web site listing donors targeted for boycott. He said two of his patients already have left over the donation.

This is the site of the Anti Gay Blacklist Then there is a blog called Stop the Mormons.
The night Obama won and there was a party in the main street 6 blocks from my house – I had a moment of insight into the future. This was a happy celebratory Mob – it was basically safe. People were texting their friends and telling them where it was inviting them to join. I Tweeted about it so 900 people knew about it and where it was. I also knew that this new technology of texting and presence based real time information creates an increased capacity for mob formation. It made me wonder about the cultural skills and capacities we need to develop to interrupt mob behavior turning bad.
I think what is going on with the blacklists – that are directly targeting people in their private life is wrong. I think targeting specific religious institutions for protest is wrong.
These people and these religious institutions are not propagating HATE they are just not agreeing that marriage can be between a man and a man or a woman and a woman. This is a cultural difference of opinion.
I “get” where many of the gay activists are coming from – but it is not a place that will get them what they want. Many “fled” to the Bay Area to find a community and place where they could be who they were (gay, lesbian, queer, transgender etc). They were raised in conservative churches in other parts of the country that may have been explicitly anti-gay. They likely have strong feelings against these institutions and similar ones. It does not make it OK to the hate these people and act out against them. (If they want to proactively work on cultural change within these communities – Soul Force is doing a good job using nonviolence to work on change.)
We in the identity community need to understand what has unfolded here. The No on Prop 8 groups are using publicly available information. However this used to be information you could get if you went and asked for the paper versions from the court house. So it was public but with high friction to get the information. The web lowers the cost of getting this information (close) to zero – Daniel Solove writes about the change in publicly available information in the Digital Person.
I wonder about how we can balance the need to know who has contributed to political campaigns and propositions while at the same time prevent harassment and the emergence of negative physical and cyber mobs.

bill to tie financial Aid to 'anti-piracy measures'

Kaliya Young · November 12, 2007 · Leave a Comment

mm…big brother continues to creep into college.

“The MPAA is applauding top Democratic politicians for introducing an anti-piracy bill that threatens the nation’s colleges with the loss of a $100B a year in federal financial aid should they fail to have a technology plan to combat illegal file sharing. The proposal, which is embedded in a 747-page bill, has alarmed university officials. ‘Such an extraordinarily inappropriate and punitive outcome would result in all students on that campus losing their federal financial aid — including Pell grants and student loans that are essential to their ability to attend college, advance their education, and acquire the skills necessary to compete in the 21st-century economy,’ said university officials in a letter to Congress. ‘Lower-income students, those most in need of federal financial aid, would be harmed most under the entertainment industry’s proposal.'”

US collecting detailed data on regular citizens who travel

Kaliya Young · September 22, 2007 · Leave a Comment

From the Washington Post:

The U.S. government is collecting electronic records on the travel habits of millions of Americans who fly, drive or take cruises abroad, retaining data on the persons with whom they travel or plan to stay, the personal items they carry during their journeys, and even the books that travelers have carried, according to documents obtained by a group of civil liberties advocates and statements by government officials.
Officials yesterday defended the retention of highly personal data on travelers not involved in or linked to any violations of the law. But civil liberties advocates have alleged that the type of information preserved by the department raises alarms about the government’s ability to intrude into the lives of ordinary people

From Slashdot: Most Scary to Least Scary

Kaliya Young · July 14, 2007 · Leave a Comment

FBI datamining for more then just terrorists:
“Computerworld reports that the FBI is using data mining programs to track more than just terrorists. The program’s original focus was to identify potential terrorists, but additional patterns have been developed for identity theft rings, fraudulent housing transactions, Internet pharmacy fraud, automobile insurance fraud, and health-care-related fraud. From the article: ‘In a statement, Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, said the report [on the data mining] was four months late and raised more questions than it answered. The report “demonstrates just how dramatically the Bush administration has expanded the use of [data mining] technology, often in secret, to collect and sift through Americans’ most sensitive personal information,” he said. At the same time, the report provides an “important and all-too-rare ray of sunshine on the department’s data mining activities,” Leahy said. It would give Congress a way to conduct “meaningful oversight” he said.'”
from the just-forward-your-mail-to-homeland-security dept:
“You probably already knew that the FBI was data mining Americans in the “search” for potential terrorists, but did you know that they’re also supposed to be looking for people in the U.S. engaged in criminal activity that is not really supposed to be the province of the federal government? Now the feds are alleged to be data mining for insurance fraudsters, identity thieves, and questionable online pharmacists. That’s what they’re telling us now. What else could they be looking for that they are not telling us about?”
From the is-that-anything-like-the-lime-in-the-coconut dept:
“The kernel meets The Colonel in a just-published Microsoft patent application for an Advertising Services Architecture, which delivers targeted advertising as ‘part of the OS.’ Microsoft, who once teamed with law enforcement to protect consumers from unwanted advertising, goes on to boast that the invention can ‘take steps to verify ad consumption,’ be used to block ads from competitors, and even sneak a peek at ‘user document files, user e-mail files, user music files, downloaded podcasts, computer settings, [and] computer status messages’ to deliver more tightly targeted ads.”
From the how much can you remember department:
The research reveals that the average citizen has to remember five passwords, five pin numbers, two number plates, three security ID numbers and three bank account numbers just to get through day to day life.
Six out of ten people claimed that they suffer from “information overload,” stating that they need to write these numbers down in order to remember them.
However, more than half of the 3000 people surveyed admitted to using the same password across all accounts, leaving them at risk of potentially severe security breaches.
Professor Ian Robertson, a neuropsychology expert based at Trinity College Dublin who carried out the study, said: “People have more to remember these days, and they are relying on technology for their memory.
“But the less you use of your memory, the poorer it becomes. This may be reflected in the survey findings which show that the over 50s who grew up committing more to memory report better performance in many areas than those under 30 who are heavily reliant on technology to act as their day to day aide memoir.”
Who ownes that copy?:
‘Copyfraud is everywhere. False copyright notices appear on modern reprints of Shakespeare’s plays, Beethoven’s piano scores, greeting card versions of Monet’s Water Lilies, and even the US Constitution. Archives claim blanket copyright in everything in their collections. Vendors of microfilmed versions of historical newspapers assert copyright ownership. These false copyright claims, which are often accompanied by threatened litigation for reproducing a work without the owner’s permission, result in users seeking licenses and paying fees to reproduce works that are free for everyone to use…'”
Second Life – the real picture emerges:
The LA Times is running a story today saying that marketers are pulling out of Second Life, primarily because — surprise, surprise — the ‘more than 8 million residents’ figure on the game’s Web site is grossly inflated. Also, as it turns out, the virtual world’s regular visitors — at most 40,000 of them online at any time — are not only disinterested in in-world marketing, but actively hostile to it, staging attacks on corporate presences such as the Reebok and American Apparel stores.
THIS IS FUN:
RunBot Robot Walks:
“The basic walking steps of Runbot, which has been built by scientists co-operating across Europe, are controlled by reflex information received by peripheral sensors on the joints and feet of the robot, as well as an accelerometer which monitors the pitch of the machine. These sensors pass data on to local neural loops – the equivalent of local circuits – which analyse the information and make adjustments to the gait of the robot in real time.”
THIS IS GODO NEWS:
from the free-at-last dept:
“IBM is making it easier to utilize its patented intellectual property to implement nearly 200 standards in the SOA, Web services, security and other spaces. Under a pledge issued by the company Wednesday, IBM is granting universal and perpetual access to intellectual property that might be necessary to implement standards designed to make software interoperable. IBM will not assert any patent rights to its technologies featured in these standards. The company believes its move in this space is the largest of its kind.”