Identity Woman

Independent Advocate for the Rights and Dignity of our Digital Selves

Publications

Participation in the IIW Episode on the Rubric Podcast

· ·

I participated in the Internet Identity Workshop Episode of the Rubric Podcast, a casual chat on DIDs and DID methods. Basically, the conversation was mostly with the Internet Identity Workshop’s original organizers and creators.

A Brief Introduction to the Rubric

A rubric is a standard tool for evaluating subjects. In the context of Decentralized Identifiers (DIDs), Legendary Requirements developed two key rubrics published by Rebooting the Web of Trust and the World Wide Web Consortium. You can see the DID Method Rubric here. The Rubric podcast explores this further while introducing listeners to the people and technologies behind Decentralized Identity, including DID Methods, which determine how DIDs are created, read, updated, and deactivated.

DIDs enable powerful identity services without a trusted third party and offer a flexible alternative to traditional centralized authentication. They can be used by anyone, anywhere, for any purpose. Each DID carries information about its method to ensure secure interactions. The Rubric also interviews creators and users of different DID Methods and thus sheds light on their performance, security, and privacy tradeoffs. Also, it helps users choose the DID Method that best suits their needs.

Highlights of the Conversation in the IIW Episode

In the IIW Episode of the Rubric podcast, the following subjects were discussed.

Understanding Identity & SSI in the Course:

Kaliya shared about her new SSI course written with her business partner Lucy. The first half of the course on understanding identity in general before delving into the technologies around Self-Sovereign Identity (SSI). This framing is essential as SSI as an innovation would not make sense without understanding how identity functioned in the past.

Creation of a Wiki with Newsletter Information:

Kaliya also shared mentioned a grant from the Filecoin Foundation & Unfinished to pull two years of newsletter information into a wiki. The information has been compiled into a spreadsheet to create Jekyll pages. It supports knowledge discovery within the community.

Development and Standardization of DIDs:

DIDs (Decentralized Identifiers) is undergoing development, with a 1.0 version published. There’s a focus on standardizing various aspects like DID resolution and iteration of the DID course specification.

Emphasis on DID Resolution:

DID resolution, the process of turning a DID into its associated document, was identified as a key aspect needing more discussion. Standardizing this part of DIDs was considered an open and important question for the community.

Favorite DID Methods – Peer DIDs and DID Web:

The speakers discussed their favorite DID methods while highlighting Peer DIDs for peer-to-peer interaction. DID Web was mentioned as an interesting method, despite some concerns due to its dependence on the DNS system.

Challenges in Rotating the DID Itself:

The conversation raised an interesting question about rotating underlying keys for a DID and rotating the DID itself. This aspect of transitioning DIDs, from DID Web to another method was considered an unresolved challenge.

Shameless Plugs for Various Projects and Conferences:

The participants used the platform to promote various projects, like the “Pico” programming system, “did directory.com,” and the “Rebooting the Web of Trust” conference. These plugs showcased innovations, resources, and events within the DID community.

Identitywoman.net and Links to Resources:

I pointed to my URL, “identitywoman.net,” as a place to connect with my work and access resources like the book, newsletter, and hosting events. It’s presented as a hub for those interested in identity and related events.

Humor and Lighthearted Interaction:

The conversation was sprinkled with humorous and lighthearted moments, like comparing the hosts to the two old Muppets on the balcony. The element added a relaxed and engaging tone to the discussion and enhanced the listening experience.

To learn more about the podcast, click here.

Podcast with NEWFORUM comparing Web3 and Decentralized Identity

· ·

In a podcast hosted by NEWFORUM and centered on the topic of Web3 vs Decentralized Identity, I discussed a variety of topics, including open standards for digital identity, the benefits and drawbacks of using standards for digital identity, the confluence between web3 and decentralized identity, and many more.

About NEWFORUM

NEWFORUM is a podcast exploring the future of human interaction, economics, and the emerging Internet, including innovators, entrepreneurs, and investors. It helps promote research-driven conversation and hence encourages collaborative value creation.

Discussion Split Into Various Sections

How did I get started in the field of identity? I shared my journey into the identity field, focusing on how personal experiences and the potential impact of digital identity solutions on people’s lives inspired my career choice.

The importance of using open standards. The discussion highlighted the value of adopting open standards, which promote interoperability, collaboration, and innovation in the digital identity ecosystem.

Decentralized identifiers. This section explored the concept of decentralized identifiers (DIDs) and their role in providing unique, persistent, and secure identifiers that individuals control.

What is a decentralized identifier? I clearly defined a decentralized identifier, explaining its purpose and how it functions in the context of decentralized identity systems.

Differences between decentralized identity and web3. The conversation emphasized the distinctions between decentralized identity, which gives individuals control over their data, and web3, which revolves around decentralized applications and blockchain technologies.

Verifiable credentials never go on a blockchain. The podcast emphasized that verifiable credentials are not stored on a blockchain but are shared securely between parties, ensuring privacy and reducing the risk of sensitive data exposure.

Overlapping Opportunities between web3 & SSI. I discussed the areas where web3 and self-sovereign identity (SSI) technologies intersect, offering possibilities for collaboration and innovation in the digital world.

Accountability & Anonymity in virtual worlds. The final section discussed the challenges of balancing personal anonymity and accountability in virtual environments and how decentralized identity solutions could address these issues.

Click here to find the complete podcast.

Decentralized Identity: Keynote Panel at Hyperledger Global Forum

· ·

At the Hyperledger Foundation conference last year in Dublin, I participated in a keynote panel discussion regarding decentralized identity, the level of adoption among companies and customers, and the factors that will ultimately lead to ecosystem acceptance.

We had myself Heather Dahl from Indicio, Marie Wallace who was at IBM at the time (now she is at Accenture), Drummond Reed from Avast (now GenDigital).

Here is the video and the summary.

The Main Points from the Panel

The keynote discussion focused mostly on the concept of decentralized identity, namely where we are and where we are headed.

Based on the keynote discussion, the following topics were discussed:

  1. Role of Government in Promoting Innovation: The panelists discussed how the government can be an engine for helping private enterprises drive innovation. They highlighted examples of Canada, British Columbia (BC), and the government of Aruba using decentralized identity during the COVID-19 pandemic.
  2. Decentralized Identity Solutions: The discussion included the adoption and development of decentralized identity solutions in various regions of the world, particularly in the Caribbean, Latin America, and Europe. The panelists also discussed the trusted digital ecosystem developed during the COVID pandemic and how it was designed to scale for other use cases.
  3. Building and Deploying Technological Solutions: The panelists emphasized the importance of building and deploying technology solutions. They discussed the challenges in working with different stakeholders, including governments, agencies, and private sector entities like hotels, nightclubs, or casinos.
  4. Organization-Wide Deployment: There was a discussion about how successfully deploying a technology solution affects all parts of an organization, including marketing, communications, legal, HR, and the C-suite.
  5. Digital Green Cards and Verifiable Credential Standards: The U.S. Immigration Services’ announcement of issuing digital green cards using verifiable credential standards was discussed.
  6. Market-Driven Approach: The panelists stressed the need for a market-driven approach, listening to the needs of businesses and making space for business leaders in the development of open standards and open-source code.
  7. Realistic Conversations About Technology: There was a discussion about the importance of having real conversations about what the technology can do and not pursuing purist approaches that may not be consumable by the market.
  8. Identifying Business Cases: The panelists discussed the need to identify business cases for the technology and solve problems that make the investment worthwhile for business decision-makers.
  9. Adoption of Decentralized Identity: The discussion also covered the adoption of self-sovereign identity (SSI) and decentralized identity by large companies like Norton LifeLock, Apple, Google, and the focus of the EU on their digital identity wallet initiative.
  10. Community Involvement and Learning Resources: The panelists shared resources about SSI, such as community meetings, pieces of training, meetups, and courses. They also suggested engaging with communities like Trust over IP, the Internet Identity Workshop, and Hyperledger.
  11. The Future of Digital Identity: The panelists discussed the future of digital identity, digital wallets, and digital credentials. They mentioned the growing interest in this space and the need to protect digital identities.

Click here and find the complete keynote video!

Questions Asked at Exploring the Future of Digital Identity: Insights from Better Identity Coalition Day

· ·

This post highlights the two questions I asked during the event of Better Identity Coalition Day on the 25th of January, 2023.

Short Preamble to the Event

The Better Identity Coalition is dedicated to working closely with policymakers to advance digital security, privacy protections, and user-friendliness for all individuals. The coalition is made up of some of the most successful companies worldwide, and its purpose is to encourage education and collaboration on securing identities online.

They are exploring innovative solutions to allow people in the United States to take control of their identities and operate their businesses online in a risk-free and protected environment.

During the Event, I Posed Two Questions

On January 25, I went to the Better Identity Coalition Day, and while there, I asked two questions. 

1st Question:

I questioned whether or not they are aware that the federal government of the United States is going to issue secure digital IDs to a certain demographic. For instance, the United States Citizenship and Immigration Services (USCIS) is going to start issuing digital green cards soon, utilizing the format of verifiable credentials.

Click here for the detailed conversation on the 1st question.

– Kaliya asking Congressman Bill Foster if he was familiar with the SVIP Program

2nd Question:

I also questioned a recent conspiracy theory involving Phyto that suggests Apple, Google, and Microsoft are involved in a scheme to grant the NSA access to cloud data. While I was not asking for a response to this theory, I wanted to bring attention to the issue of conspiracy theories within the Meta industry. As a leader, I was curious to know what steps they and other leaders in the room were taking to collectively address this problem.

Click here for the detailed conversation on the 2nd question.

– Kaliya asking a question of the ED of the FIDO Alliance about conspiracy theory

Forbes Quotes me on Social Media’s Future considering Safety & Identity

· ·

I was cited in an article that was published in Forbes. The article was part of a series that was assessing the activities of 2022 on Twitter, the crazy policies of a new CEO, and the ramifications on the future of social media.

The article’s central emphasis was on the question of whether or not, in the near future of social media, users can feel secure while maintaining their individual identities.

I was quoted in the following lines as part of a discussion on the pros and cons of maintaining anonymity and pseudonymity online:

“Kaliya Young, Identity Woman, recalls an incident with Kathy Sierra, a female blogger and game developer, who in 2007, experienced death threats online and finally gave up her tech career, withdrew from the blogosphere and from online life. Following that incident there were calls to create blogger codes of conduct to stop this online violence against women.”

“’Look, if the first bad instances of online violence against women were treated seriously and the perpetrators that were not known were held to account then we would be in a different place [today]. They were not.’ Weeve, the pseudonym, of the hacker and self-described neo-Nazi and white supremacist responsible for posting false information about Sierra, had gone unpunished. As per Young, ‘He should have gone to prison for that. I was at the conference when they got up and said Kathy isn’t here because of death threats! It affected my life as a woman working in technology. Instead, he was left alone and went on to commit more acts of terrorism.’”

About the other side, you may find me in the following lines, where I’m contributing to a discussion regarding the importance of transparency and verification:

“Young stresses that it will take ‘time, rigour, investment and a proportionate approach’ to see the payoff. She points out that there is also a middle ground and it’s possible to implement speed bumps to make it less appealing for bad actors to exploit a poorly designed platform. ‘Designing a social media platform with possible consequences including, but not limited to privacy and security risks in mind (like One Dot Everyone, a consequence scanning tool), can improve the design while exploring alternatives to identity verification. Privacy Impact Assessments and Human Rights Impact Assessments will also go a long way to mitigate risks.’”

“Young questions the process for verification. Who will decide a person is who they say they are? Given her work in the Identity space, development of a trust framework should be leveraged to deal with the complexities of identity verification. But it continues to call into question what individuals or groups are responsible for defining the rules for verification?”

“Young professes that Identity has its place online but argues that the systems including the governance layers need to be in sync. ‘So men like Galloway and Haidt can go on about this ‘real name’ stuff all they want. Until the systems they built actually work as claimed and that men who use their real names and are known will be held to account, then what business do they have suggesting that?’”

Now, the purpose of this section is to provide a response to the following question: will technology save us? In the passage that follows, I am referenced as follows:

“Social media accounts have been around for a long time and Young makes clear they are, for the most part, run and managed by real people, attached to other real identities online that have more credibility: I think that analog is the new digital – meaning people will seek out and connect and value time with each other in person.”

Lastly, I am cited in the following lines on the remark that identity verification on social networks does not compute or make sense:

“As per Young, identity needs careful and thoughtful consideration:

There is a difference between the platform knowing who someone is and the whole world knowing the same. Who is enforcing what type of ID? Like Doctor, Young signals the marginalized, and those who have been suffering the abuse on the platform for over a decade. The rules for verification need to incorporate the varying definitions of identity that include cultural, general and local perspectives.”

You can read the full article here: https://www.forbes.com/sites/hessiejones/2023/01/04/will-the-future-of-social-media-mean-the-coexistence-of-safety-and-identity/?sh=5851ac587fba

Quoted in IEEE article about Worldcoin and their shift to Digital ID.

· ·

I was asked to offer my perspective on the risks associated with the biometric data of Worldcoin, which was included in an article Spectrum IEEE published.

A crypto currency, Worldcoin, aspires to become the most globally and uniformly distributed cryptocurrency ever by allocating the same modest number of coins to every individual on Planet. The business has spent the last year creating a system that allows other parties to utilize its vast registration of “unique humans” for various identity-focused applications.

However, Worldcoin’s biometrics-focused approach is being greeted with widespread concerns regarding privacy, security, and transparency.

Here is the section of the article where I was mentioned about the possible risks posed by Worldcoin’s biometric data.

“It’s also questionable how useful the concept of ‘unique humanness’ really is outside of niche cryptocentric applications, says Kaliya Young, an identity researcher and activist. Identity plays a broader role in everyday life, she says: ‘I care what your university degrees are, where you were born, how much money you make, all sorts of attributes that PoP doesn’t solve for.'”

Another one:

“Worldcoin’s biggest challenge may not be the functionality of its technology but questions of trust. The central goal of blockchains is to avoid relying on centralized authorities, but by using complex, custom hardware to recruit users, the company is setting itself up as a powerful arbiter of digital identity. ‘Worldcoin posits that everyone in the world should have their eyeball scanned by them and they should be the decider of who’s a unique human,” says Young. ‘Please explain to me how that’s not ultracentralized.‘”

You may read the complete article by clicking on the following link: https://spectrum.ieee.org/worldcoin

The Future of You Podcast with Tracey Follows

· ·

I was invited to discuss self-sovereign identity on Episode 7 of The Future of You Podcast with the host, Tracey Follows, and a fellow guest, Lucy Yang.

On this podcast, we discussed digital wallets, verifiable credentials, digital identity, anonymity and self-sovereignty.

  • Why digital identity is so important and how it differs from the physical realm
  • Tools currently in development to enable self-sovereign identities
  • Whether anonymity or pseudonymity is feasible while maintaining accountability
  • How digital wallets might evolve and consolidate across the public and private sector
  • The principles of physical identity that must carry over into a digital solution and the importance of Open Standards

Listen online: https://bit.ly/3w1cxbu

Listen on Spotify: https://spoti.fi/3vIB9qK

Listen on Apple: https://apple.co/3w3fqbN

Listen on Google Podcasts: https://bit.ly/3w0hWQ1

Listen on Amazon Podcasts: https://amzn.to/3KBBC29

Is it all change for identity?

· ·

Opening Plenary EEMA’s Information Security Solutions Europe Keynote Panel

Last week while I was at Phocuswright I also had the pleasure of being on the Keynote Panel at EEMA‘s Information Security Solutions Europe [ISSE] virtual event. We had a great conversation talking about the emerging landscape around eIDAS and the recent announcement that the EU will work on a digital wallet and open standards for Europe.

Here is a link to the video if the embed isn’t working.

ISSE Opening Plenary

Cohere: Podcast

· ·

I had the pleasure of talking with Bill Johnston who I met many years ago via Forum One and their online community work. It was fun to chat again and to share for the community management audience some of the latest thinking on Self-Sovereign Identity.

Click on the image to get to episode

Kaliya Young is many things: an advocate for open Internet identity standards, a leader in the identity space – including hosting the Internet Identity Workshop, a published author, and a skilled Open Space facilitator.

On this episode of the Cohere podcast, Kaliya joins Bill to discuss the history of online identity, what events led us to the consolidation of identity into a few centralized platforms, and what steps we need to take to recover and protect our online identities.

Grace Hopper Celebration and Presentation – Ethical Market Models.

· · Leave a Comment

In mid-October I had the opportunity to attend the Grace Hopper Celebration for Women in Computing for the first time.
Here is a link to the paper that I presented – MarketModels-GHC Here are the slides

I also had the pleasure of working on a Birds of a Feather Session with Roshi from Google – she works on their identity team and was the one who asked me work on the session with her along with encouraging me submit a proposal for a lighting talk.
We had a great discussion about the internet of things and considering various ideas about what internet of things things…we might invent and how we might identify ourselves to them.
The conference is really a giant job fair for undergaduate women CS majors. There is not a lot there for mid-career women, all of the ones I spoke to felt this way.  I realize if I was a young woman….at a CS department where most everyone is a man.  Attending this event would make me feel like the whole world opened up…and anything was possible.
The event made me more committed to putting energy into helping She’s Geeky expand and serve more cities and more women and particularly those who are at high risk of leaving the industry – those who have been in the industry for around 10 years.

Field Guide to Internet Trust Models: Introduction

· · 12 Comments

This is the first in a series of posts that cover the Field Guide to Internet Trust Models Paper. The paper was presented at the University of Texas at Austin ID360 Conference in 2013.
This paper was collaboration between myself and Steve Greenberg. I had an outline of all the Trust Models and worked with Steve Greenberg for several months to shape it into the paper.
The full papers is downloadable TrustModelFieldGuideFinal (see the bottom of this post for a link to a post on each of the models).
The decreasing cost of computation and communication has made it easier than ever before to be a service provider, and has also made those services available to a broader range of consumers. New services are being created faster than anyone can manage or even track, and new devices are being connected at a blistering rate.
In order to manage the complexity, we need to be able to delegate the decisions to trustable systems. We need specialists to write the rules for their own areas and auditors to verify that the rules are being followed.
This paper describes some of the common patterns in internet trust and discuss some of the ways that they point to an interoperable future where people are in greater control of their data. Each model offers a distinct set of advantages and disadvantages, and choosing the appropriate one will help you manage risk while providing the most services.
For each, we use a few, broad questions to focus the discussion:

  • How easy is it for new participants to join? (Internet Scale)
  • What mechanisms does this system use to manage risk? (Security)
  • How much information the participants require from one another how strongly verified?

(Level of Assurance -not what I think assurance is…but we can talk – it often also refers to the strength of security like number of factors of authentication )
Using the “T” Word
Like “privacy”, “security”, or “love”, the words “trust” and “identity”, and “scale” carry so much meaning that any useful discussion has to begin with a note about how we’re using the words.
This lets each link the others to past behavior and, hopefully, predict future actions. The very notion of trust acknowledges that there is some risk in any transaction (if there’s no risk, I don’t need to trust you) and we define trust roughly as:
The willingness to allow someone else to make decisions on your behalf, based on the belief that your interests will not be harmed.
The requester trusts that the service provider will fulfill their request. The service provider trusts that the user won’t abuse their privileges, or will pay some agreed amount for the service. Given this limited definition, identity allows the actors to place one another into context.
Trust is contextual. Doctors routinely decide on behalf of their patients that the benefits of some medication outweigh the potential side effects, or even that some part of their body should be removed. These activities could be extremely risky for the patient, and require confidence in the decisions of both the individual doctor and the overall system of medicine and science. That trust doesn’t cross contexts to other risky activities. Permission to prescribe medication doesn’t also grant doctors the ability to fly a passenger airplane or operate a nuclear reactor.
Trust is directional. Each party’s trust decisions are independent, and are grounded in the identities that they provide to one another.
Trust is not symmetric. For example, a patient who allows a doctor to remove part of their body should not expect to be able to remove parts of the doctor’s body in return. To the contrary, a patient who attempts to act in this way would likely face legal sanction.
Internet Scale
Services and APIs change faster than anyone can manage or even track. Dealing with this pace of change requires a new set of strategies and tools.
The general use of the term “Internet Scale” means the ability to process a high volume of transactions. This is an important consideration, but we believe that there is another aspect to consider. The global, distributed nature of the internet means that scale must also include the ease with which the system can absorb new participants. Can a participant join by clicking “Accept”, or must they negotiate a custom agreement?
In order to make this new world of user controlled data possible, we must move from a model broad, monolithic agreements to smaller, specialized agreements that integrate with one another and can be updated independently.
A Tour of the Trust Models
The most straightforward identity model, the sole source, is best suited for environments where the data is very valuable or it is technically difficult for service providers to communicate with one another. In this situation, a service provider issues identity credentials to everyone it interacts with and does not recognize identities issued by anyone else. Enterprises employing employees, financial institutions, medical providers, and professional certifying organizations are commonly sole sources. Because this is the most straightforward model to implement, it is also the most common.
Two sole sources might decide that it’s worthwhile to allow their users to exchange information with one another. In order to do so, they negotiate a specific agreement that covers only the two of them. This is called a Pairwise Agreement and, while it allows the two parties to access confidential resources, the need for a custom agreement makes it difficult to scale the number of participants. This is also a kind of federated identity model, which simply means that a service accepts an identity that is managed someplace else.
As communication technology became more broadly available, the number of institutions who wanted to communicate with one another also increased. Groups of similar organizations still wanted to issue their own identities, but wanted their users to be able to interact freely with one another. The prospect of each service having to negotiate a custom agreement with every other service was daunting, so similarly chartered institutions came up with standard contracts that allow any two members to interact. These groups are called Federations, and there are several different kinds. Federation agreements and membership are managed by a Contract Hub.
When the federation agreement limits itself to policy, governance, and common roles, but leaves technical decisions to the individual members, it’s referred to as a Mesh Federations. Individual members communicate form a mesh, and can communicate directly with one another using whatever technology they prefer.
Alternatively, a Technical Federation defines communication methods and protocols, but leaves specific governance and policy agreements to the members. In some cases, the technical federation may also route messages between the members.
As the number of services has increased, so has the problem of managing all of those usernames and passwords. Users might decide to reuse an existing identity rather than creating a new one. In recent years, some organizations have made identities that they issue available to other services. Service providers accept these identities because it lowers the cost of user acquisition. When the same entity provides identities for both the requester and the service provider, it is referred to as a Three Party Model.
If the requester and the service provider have provider have separate but compatible identity providers, it is called a Four Party model. This is present in highly dynamic models, such as credit card processing,
Peer-to-peer networks are for independent entities who want to identity assurance, but who lack a central service that can issue identities to everyone. To get around this, the participants vouch for one another’s identities.
Individual contract wrappers are an innovation to enable complex connections between services where the terms and conditions of using the data are linked to the data.
Common Internet Trust Models
Sole source: A service provider only trusts identities that it has issued.
Pairwise Federation: Two organizations negotiate a specific agreement to trust identities issued by one another.
Peer-to-Peer: In the absence of any broader agreement, individuals authenticate and trust one another.
Three-Party Model: A common third party provides identities to both the requester and the service provider so that they can trust one another.

“Bring your Own” Portable Identity: In the absence of any institutional agreement, service providers accept individual, user-asserted identities.

“Winner Take All” Three Party Model: Service provider wants to allow the requester to use an existing identity, but only accepts authentication from a single or very limited set of providers.

Federations: A single, standard contract defines a limited set of roles and technologies, allowing similar types of institution to trust identities issued by one another.

Mesh Federations: These share a common legal agreement at the contract that creates permissible interoperability.

Technical Federations:  These share a common technical hub responsible for making the interoperability happen.

Inter-Federation Federations: This is what happens when one federation actually inter-operates with another federation.

Four-Party Model: An interlocking, comprehensive set of contracts allows different types of entity to trust one another for particular types of transaction.
Centralized Token Issuance, Distributed Enrollment: A shared, central authority issues a high-trust communication token. Each service provider independently verifies and authorizes the identity, but trusts the token to authenticate messages.
Individual Contract Wrappers: Manage how personal data is used rather than trying to control collection. Information is paired contract terms that governs how it can be used. Compliance is held accountable using contract law.
Open Trust Framework Listing: An open marketplace for listing diverse trust frameworks and approved assessors.
 

Personal Data Ecosystem Videos from Telco 2.0

· · Leave a Comment

I had a great week at Telco 2.0 the week before IIW.   STL partners has been running Telco 2.0 events for a few years focused on new business models for that industry.   They have honed in on the potential to provide services to people to collect and manage their own data.   This week they published interviews from three of the key speakers all of whom who also attended IIW the following week.  Much of the focus for both events was on the emerging Personal Data Ecosystem.
I recommend the content on the Telco 2.0 site and if you are interesting in visiting interesting innovative parts of the Telco world they have great events for that.
AT&T: to be a ‘Personal Information Agent’
Von Wright, VP Cloud & Wholesale Services, describes how AT&T plans to put consumers in control of their own data, and take the role of an agent or broker for their Personal Information

Google: Strategic ‘Co-opetition’ with Telcos on Consumer Data
The ‘Personal Information Economy’ will see a higher intensity of strategic co-opetition between Google and telcos according to Google’s Eric Sachs.

Microsoft: Why Telcos Must Act Now or Lose The Opportunity
Marc Davis, formerly Yahoo! Mobile’s Chief Scientist, now at Microsoft, and a key collaborator with both Telco 2.0 and the World Economic Forum’s ‘Re-Thinking Personal Data’ initiative, gives his unique perspective on the ‘Gold Rush’ for personal information, and why telcos must act now or lose the opportunity to take a valuable role in it.

We are not at War

· · 4 Comments

I was the first person Van asked to speak at the Community Leadership Summit West Ignite talks. I was the last person to submit my slides. I have a lot to say about community but I had a hard time figuring out exactly what to say. I knew I wanted to talk about the identity community and our success in working together. Robert Scoble’s quote really got me going and I decided to use the talk to respond to the comment that was catalyzed by his facebook post/tweet “Who is going to win the Identity War of 2010”
This is completely the wrong frame to foster community collaboration.

Thoughts on the National Strategy for Trusted Identities in Cyberspace

· · 1 Comment

Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.
Here is my answer to the NSTIC Governence Notice of Inquiry.
And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.
Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.

This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

[Read more…] about Thoughts on the National Strategy for Trusted Identities in Cyberspace

IIWX Internet Identity Workshop 10, Introductory Talk

· · Leave a Comment

I gave this talk at the 10th Internet Identity workshop reviewing the shared history, language, understanding and work we have done together over the last 6 years of community life.

Internet Identity Workshop 10 – Introduction to the User-Centric Identity Community

Part of this presentation touched on a timeline of events in the community. Those and more are reflected on this timeline that is beginning to be developed here. IIW11 will be November 9-11 in Mountain View, CA The first ever IIW outside the Bay Area will be happening September 9-10 in Washington DC following the Gov 2.0 Summit with the theme Open Identity for Open Government. The first IIW in Europe will be happening in London likely October 9-10 (dates still to be confirmed) prior to RSA Europe. If you would like to know about when the next IIWs have registration open please join this announce list. TheIdentity Gang is the community mailing list where conversations are ongoing about identity. You can follow modest updates about IIW on twitter via our handle – @idworkshop You can see IIW 10 attendees on our registration page.

FastCo Post on Governemnt Experiments with Identity Technologies

· · Leave a Comment

This is cross posted on Fast Company.

The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and video casts. Today there are over 500 government Web sites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government Web sites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.

Yesterday the United States Government in collaboration with industry announced a few pilot projects using emerging open identity technologies for citizens to use when interacting with government sites. I use the word interacting very deliberately because the government doesn’t want to know “who you are” and has gone great lengths to develop their implementations to prevent citizens from revealing personally identifiable information (name, date of birth etc).

How would you use this?–well imagine you are doing an in depth search on an NIH (National Institute of Health) Web site–and you went back to the site many times over several months. Wouldn’t it be great if the site could “know” it was you and help you resume your search where you left off the last time. Not your name and where you live but just that you were there before.

The Identity Spectrum helps us to understand how it all fits together.

Spectrum of IDAnonymous Identity is on one end of the identity spectrum–basically you use an account or identifier every time go to a Web site–no persistence, no way to connect the search you did last week with the one you did this week.

Pseudonymous Identity is where over time you use the same account or identifier over and over again at a site. It usually means you don’t reveal your common/real name or other information that would make you personally identifiable. You could use the same identifier at multiple sites thus creating a correlation between actions on one site and another.

Self-Asserted Identity is what is typical on the Web today. You are asked to share your name, date of birth, city of residence, mailing address etc. You fill in forms again and again. You can give “fake” information or true information about yourself–it is up to you.

Verified Identity is when there are claims about you that you have had verified by a third party. So for example if you are an employee of a company your employer could issue a claim that you were indeed an employee. You might have your bank verify for your address. etc.

The government pilot is focused on supporting citizens being able to have pseudonymous identities that function only at one Web site–the same citizen interacting with several different government Web sites needs to use a different identifier at each one so their activities across different government agencies do not have a correlation.

It is likely that some readers of this blog know about and understand typical OpenID. Almost all readers of this blog do have an openID whether they know it or not because almost all the major Web platforms/portals provide them to account holders–MySpace, Google, Yahoo!, AOL etc.

So how does this work with OpenID?

Typical OpenIDTypically when logging in with OpenID on the consumer Web you share your URL with the site you are logging into–they redirect you to where that is hosted on the Web–you authenticate (tell them your password for that account) and they re-direct you back to the site you were logging in. (see this slide show for a detailed flow of how this works). Using OpenID this way explicitly links your activities across multiple sites. For example when you use it to comment on a blog– it is known your words come from you and are connected to your own blog.

Using the OpenID with Directed identity–de-links your the identifiers used across different sites but still lets you use the same account to login to multiple sites.

Directed IdentityWhen you go to login to a site you are asked to share not “your URL” but just the name of the site where your account is–Yahoo! or Google or MySpace etc. you are re-directed to that site and from within your account a “directed identity” is created–that is a unique ID just for that Web site. Thus you get the convenience of not having to manage multiple accounts with multiple passwords and you get to store preferences that might be shared across multiple ID’s but you don’t have identifiers that correlate–that are linked across the Web.

How does this work with Information Cards?

This is a complementary open standard to OpenID that has some sophisticated features that allow it to support verified identities along with pseudonymous & self asserted identities. It involves a client-side piece of software called a selector–which selector helps you manage your different identifiers using a card based metaphor, with each digital “card” representing a different one. Citizens can create their own cards OR get them from third parties that validate things about them.

The government is creating a privacy protecting “card profile” to be used in the pilot program. It is NOT issuing identities.

Trust Framework are needed to get it all to work together.

From the press release yesterday:

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon–it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

The OpenID Foundation and Information Card Foundation wrote a joint white paper to describe how they are working on developing this. From the abstract:

[They] are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.

These frameworks, based on the model developed by the InCommon federation for higher education institutions, will enable government Web sites to accept identity credentials from academic, non-profit, and commercial identity providers that meet government standards. These standards are critical as they represent the government’s resolution of the challenging and often competing issues of identity, security, and privacy assurance. Open trust frameworks not only pave the way for greater citizen involvement in government, but can enable even stronger security and privacy protections than those typically available offline.

These are all exciting developments but there is much more to do.

Looking (far) ahead there may be the opportunity to do selective disclosure–combining anonymity with verified identity.

How do these go together–you can take a verified identity claim say your birth date then using cryptography strip the specifics away and just have a claim that says you are “over 21”. Then using an anonymous identifier you have selectively disclosed your age without giving away your date of birth.

You could imagine this would be handy for citizens wanting to communicate their opinions to their member of congress without revealing their actual name and address – they could “prove” using a verified claim they live in the district but not reveal who they are. This aspect of what is possible with the technology is VERY forward looking and will take many years to get there. There is enormous potential to evolve the Web with this emerging identity layer.

I would like to invite all of you interested in being involved/learning more to attend the Internet Identity Workshop in Mountain View California November 3-5. I have been facilitating this event since its inception in 2005. It is truly amazing to see how far things have progressed from when we were 75 idealistic technologist talking about big ideas. at the Hillside Club in Berkeley. It is also some what daunting to think about how much farther we have to go.

Identity for Online Community Managers

· · Leave a Comment

I was asked by Bill Johnson of Forum One Networks to kick off the discussion on the next Online Community Research Network call this week with the topic Identity for Online Community Managers – drawing on the presentation that I put together for the Community 2.0 Summit. I cover the basics of how OpenID, OAuth and Information Cards work, who is “in” terms of supporting the projects and what community managers/platforms can do. We will discuss the implications of these new identity and data sharing protocols on the call.

Online Identity for Community Managers: OpenID, OAuth, Information Cards

View more documents from Kaliya Hamlin.
I will also be attending the Online Community Summit in October Sonoma and will be sharing about these and other technologies there.

Freedom to Aggregate & Disaggregate oneself online.

· · Leave a Comment

I presented this slide show at the Oxford Internet Institute meeting in April that considered A Global Framework for Identity Management.

You could sum it up this way – “stuff happens in peoples lives and the need the freedom to go online and get support for those things and not have it all linked back to their “real identity.”

The slides are moving (drawing from post secret post cards) and it is worth watching if you don’t think people need this freedom.

Freedom to Aggregate, Freedom to Disaggregate

View more documents from Kaliya Hamlin.

its that SXSW picking time of year

· · Leave a Comment

200908181123.jpg

This year there are 2200 panels submitted for 300 slots. It is great they are going with community generated ideas for the conference. It is also hard to tell what will be happening in our fast moving industry 7 months from now. PLEASE go to SXSW create an account and then vote for these two 🙂

I put a lot of thought in to what to put forward this year knowing it would be 9 months out. One of the trends that is just starting to emerge is identity verification – my hunch is that by March this will be a topic getting a lot of attention and worth exploring at SXSW.

Who are you? Identity trends on the Social Web.

“On the Internet Nobody Knows You’re a Dog” Is this famous New Yorker cartoon still true? Twitter is doing verified accounts. Facebook claims everyone using their “real name” gives strong social validation ‘proof’. Equifax is validating age with information cards (digital tokens). We will explore the current trends and their implications for the future.

  1. What is identity?
  2. Why are people doing identity validation?
  3. Who is doing identity validation?
  4. Why are websites seeking people who have had their identities validated?
  5. Is identity validation improving the web?
  6. What are the current open standards in this space?
  7. Are approaches by men and women different about idnetity presentation and validation?
  8. What kinds of businesses are requiring online identity validation for customers?
  9. Is identity validation going to squish “free speech”?
  10. How is this trend changing the web?

With my She’s Geeky hat on: What Guys are Doing to Get More Girls in Tech!

The point of this is to get beyond the women say there are issues in the field and guys say there isn’t – to have guys who know there is an issue and are proactively doing constructive stuff to address it.

Many tech fields have a low percentage of women. If you are a guy do you wonder what you can do about it? Learn about successful strategies and proactive approaches for supporting women you work with and participate in community with. We will even cover some well-intentioned efforts that have gone awry.

  1. How many women by percentage participate in different technical fields?
  2. Why does it matter that they are underrepresented in these fields?
  3. What are the cultural norms that men and women have about performance and self-promotion?
  4. What is Male Programmer Privilege?
  5. What can a guy do who has a sister that is math/science inclined but being steered away from the field?
  6. How have the men on the panel improved things in their workplaces?
  7. How have the men on the panel addressed the challenges that arise in open communities? (that is where you don’t have a boss that fires people for inappropriate behavior/comments)
  8. What are the qualities of a workplace that is friendly for women?
  9. How to go beyond tokenism in workplaces, communities and conferences?
  10. How to encourage women more?

Other interesting Preso/panels covering Identity topics:

The Politics & Economics of Identity Put forward by my friend Liza Sabature of Culture Kitchen and the Daily Gotham Identity Politics” has always been left to the realm of feminist, civil rights activists, aka “minority politics”. This panel will explore the social and political ramifications of the business of identity and reputation. We will talk about the good, the bad and the ugly and what social entrepreneurs, businesses and digital activists are doing to impact this new economy.

  1. What is identity?
  2. What is reputation?
  3. What is privacy?
  4. How have big business historical monetized privacy?
  5. How social media works on identity and reputation?
  6. Online surveillance in the US : DMCA, FISA, Patriot Act
  7. Facebook BEACON : a study on how not to spy on people for fun and profit
  8. Google Adsense or Spysense?
  9. What are Vendor-Relationship Management systems?
  10. Will we need “Identity Management Systems” instead of VRMs?

Distributed Identity: API’s of the Semantic Web Without much conscious thought, most of us have built identities across the web. We fill in profiles, upload photos, videos, reviews and bookmarks. This session will explore the practical use of Social Graph API and YQL to build new types of user experience combining identity discovery and data portability.

Online Gatekeeping: Who Died and Made You King? by Liz Burr As the web becomes more open via social networks, we’re adopting new rules of communication. But who creates these rules? How much does class, race and gender figure into social media policing? We’ll discuss how identity affects social networks, as well as look at how online communities police themselves as participation expands.

  1. Which groups are in control of what is worth sharing via social media?
  2. Are the under-25 community using social media differently?
  3. How do we recognize and confront social media ‘gatekeepers’?
  4. Is our behavior in online communities merely a reflection of offline stereotypes and experiences?
  5. What is the impact of the amplification of social stereotypes online on under-represented groups?
  6. How do we integrate previously, under-represented groups into this more social world?
  7. Is there really such a thing as a “digital ghetto”? If so, is it our responsiblity to combat it?

OpenID: Identity is the platform is put forward by Chis Messina.
I have to say it is really great to have this be put forward so plainly and simply – to “get religion” about user-centric tdentity and its central role in shaping the fugure the social web.

Ignore the hype over social networking platforms and web OS’s! The platform of the social web is identity. Facebook and Twitter Connect are just the beginning of the era of user-centric identity. I’ll go beyond the basics of OpenID and learn how to effectively incorporate internet identity into your apps.

Your Online Identity After Death and Digital Wills

If you died tomorrow, would someone take care of your internet accounts? How do you tell subscribers the blogger has died? Every day people die and no one can access their email. Let’s explore what can be done to manage your online identity after you pass on.

  1. What usually happens to email accounts when a person dies? Policies for Gmail, Yahoo, Hotmail and AOL
  2. What about WordPress.com and Blogger for digital policies concerning the death of a blogger?
  3. Do You have a digital will setup?
  4. Products and services to manage digital wills, electronic correspondence after death and auto replies.
  5. Grief, “You Have Mail” and online memorial services.
  6. Who owns blog content after the death of a blogger?
  7. How to calculate the worth of your website or blog.
  8. How can you manage your online accounts and passwords for easy access after you pass?
  9. What are some recent legal examples of online account ownership disagreements?
  10. How to keep your passwords safe?

How to Benefit from 1-Click Identity Providers by Luke Shepard from Facebook.

Sites across the Web are opening up to support open identity platforms, such as OpenID. How can companies at scale and those with large user bases successfully work with open standards including OpenID, Activity Streams and new social markup language specs? Can companies survive the challenges of incorporating OpenID into their websites?

  1. Are there any success stories with OpenID?
  2. What does the OpenID user experience look like?
  3. Who has implemented OpenID?
  4. What have been some of the failures of OpenID?
  5. What is OpenID?
  6. What are the user benefits of OpenID?
  7. How can websites educate users about open protocols?
  8. What are the privacy concerns around OpenID?
  9. What kind of user data is made available to sites when they implement OpenID?
  10. What will it take for OpenID to become mainstream?

Crime Scene: Digital Identity Theft


Kaliya's the shit. Be there or be square.Enlighten yourself through her