Monday, May 25, 2009

It's OK, we're co-related

In responding to my "violent agreement" post, Kim Cameron goes a long way towards beginning to define the parameters for correlating data and transactions. I'd urge all of you to jump into the discussion.

But - and it's a huge but - we need to be very careful of the terminology we use.

Kim starts: "Let’s postulate that only the parties to a transaction have the right to correlate the data in the transaction, and further, that they only have the right to correlate it with other transactions involving the same parties."

Which would mean, as I read it, that I couldn't correlate my transactions booking a plane trip, hotel and rental car since different parties were involved in all three transactions!

But he goes on to say: "...the individual would have the right to correlate data across all the parties with whom she interacts."

So which is it - do the parties have the right to create correlations among all partners, or not? Remember that, at least according to US law, a corporation is treated as "an individual."

In the end, it isn't the correlation that's problematic, but the use to which it's put. So let's tie up the usage in a legally binding way, and not worry so much about the tools and technology.

In many ways the internet makes anti-social and unethical behavior easier. That doesn't mean (as some would have it) that we need to ban internet access or technological tools. It does mean we need to better educate people about acceptable behavior and step up our policing tools to better enable us to nab the bad guys (while not inconveniencing the good guys).

Saturday, May 23, 2009

Kim Cameron: secret RIAA agent?

Kim has an interesting post today, referencing an article ("What Does Your Credit-Card Company Know About You?" by Charles Duhigg in last week’s New York Times).

Kim correctly points out the major fallacies in the thinking of J. P. Martin, a "math-loving executive at Canadian Tire", who, in 2002, decided to analyze the information his company had collected from credit-card transactions the previous year. For example, Martin notes that "2,220 of 100,000 cardholders who used their credit cards in drinking places missed four payments within the next 12 months." But that's barely 2% of the total, as Kim points out, and hardly conclusive evidence of anything.

I'm right with Cameron for most of his essay, up until the end when he notes:

"When we talk about the need to prevent correlation handles and assembly of information across contexts (for example, in the Laws of Identity and our discussions of anonymity and minimal disclosure technology), we are talking about ways to begin to throw a monkey wrench into an emerging Martinist machine. Mr. Duhigg’s story describes early prototypes of the machinations we see as inevitable should we fail in our bid to create a privacy enhancing identity infrastructure for the digital epoch."

Change "privacy enhancing" to "intellectual property protecting" and it could be a quote from an RIAA press release!

We should never confuse tools with the bad behavior that can be helped by those tools. Data correlation tools, for example, are vitally necessary for automated personalization services and can be a big help to future services such as Vendor Relationship Management (VRM). After all, it's not Napster that's bad but people who use it to get around copyright laws who are bad. It isn't a cup of coffee that's evil, just people who try to carry one through airport security. :)

It is easier to forbid the tool than to police the behavior, but in a democratic society policing the behavior is the way we should act.

Wednesday, November 19, 2008

Please show me your identity

In today's newsletter I alluded to a language problem in an IBM press release, intending to delve deeper in the next issue. I'm not going to be able to do that but still wanted to point out the egregious error, so I'll do that here. In talking about IBM's partnership with multi-factor, strong authentication partners (Arcot, Gemalto, and L-1 Identity Solutions), the release states:

"Billions of identities used in business and social networking environments – ranging from passwords, employee badges, driver’s licenses and stronger forms of authentication – are used each day to complete various types of transactions both on-line and in-person, granting individuals a wide range of physical and digital access privileges."

Passwords, employee badges, and driver’s licenses aren't identities! They're credentials. They're offered as proofs of identity claims, but that's all. Calling them identities is like calling a key a "lock." In fact, they are usually offered, in a digital context, as authentication to an account (not an identity) since one identity (you) can have multiple accounts using one or more credentials, and one account can be accessed by multiple people (or, identities) just as one key can open multiple locks, and one lock can be opened by multiple keys.

If those of us "inside" can't get the terms right, how can we ever expect the end-users to do so?


Tuesday, September 16, 2008

Pam Dingle has a bit of a rant today about the term "user-centric." Well, not about the term itself but about people's desire (e.g., the entire Burton Group) to get away from it.

"Sure, there are a few blind worshippers of the cult of user-centric out there, but I firmly believe that common sense has to win out in deployment scenarios, and that various technologies should and will be used where applicable to solve problems."

"If, on the other hand, all this is about is finding a positive, all-encompassing touchy-feely name to give to the systems-formerly-known-as-user-centric so that it isn’t all about conflict, fine — pick a new name already. I only ask that if you’re going to diss the current buzzword, can you please at least supply an alternative suggestion. Otherwise we end up in limbo where nobody wants to use the old term, but nobody has a new term either, making us all look like indecisive idiots."

I think it's about more than just a term, more than just a feel-good quality, Pam. The "User-centric" term was coined, initially, to try to differentiate internet-based individual identity protocols from those used within the enterprise. But it's really all identity, and there doesn't need to be a distinction. That's why I wrote, last month, "Why there's no 'user-centric' or 'enterprise-centric' identity," where I said:

"Enterprise-centric identity management, we postulated, is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form; while user-centric identity is about keeping various parts of your online life totally separated so that they aren't accessible and no report can be drawn.
So how do we have a framework that allows for both tying together all of a user’s activities (enterprise-centric) while at the same time allowing distinct separation of activities as decided by the user?
We start by defining identity as a group of “personas” (see 'Defining identity, persona, role'). Any persona can be made up of a group of personas or roles. Each of those personas can be linked, or separated, as the entity identified by them wishes. One of those personas is (or, rather, could be) an 'enterprise persona.' That one brings together '…all the activities and attributes of a single entity' performed for or related to that enterprise '...into a readily accessible (and reportable and auditable) form.'
So there is no 'user-centric' or 'enterprise-centric' identity. There is just an entity with AN identity made up of various personas some of which may be controlled or limited in some way by an outside organization – not only by the enterprise but also by governments, social organizations, etc. The ability to keep these personas separate, where legally able to do so, must be a given. Each persona will have different identity needs and requirements, of course, but that’s what will drive the 'identity economy' as vendors seek to satisfy those needs and requirements in accordance with the laws. The government’s laws, the enterprise’s 'laws', the fraternal and social organization’s 'laws' and the Laws of Identity as laid down by [Kim] Cameron."

Sunday, August 10, 2008

"We have met the enemy..."

OpenID's leading lights appear to be down on the technology. After last week's note about Dick Hardt's seemingly wistful look at OpenID ("wonders if the identity opportunities of OpenID have passed.") comes today's note from Scott Kveton (chair of the OpenID Foundation board). Reacting to a New York Times piece by Randy Stross that was highly critical of OpenID, Kveton says: "The OpenID community has identified two key issues it needs to address in 2008 that Randy mentioned in his column; security and usability."

If usability is bad (and the discussions on the OpenID email discussion lists support that notion), and security is a problem - what, exactly, does it have going for it?

Is it, perhaps, time for the leading lights to move on to a user-centered technology which does show promise of being an identity provider that is very usable and also quite secure? As Mr. McGuire might have said to Ben in The Graduate:
Mr. McGuire: I just want to say one word to you - just one word.
Ben: Yes sir.
Mr. McGuire: Are you listening?
Ben: Yes I am.
Mr. McGuire: 'Zermatt.'
Ben: Exactly how do you mean?
Mr. McGuire: There's a great future in Zermatt.
Think about it.
Will you think about it?
Ben: Yes I will.
Mr. McGuire: Shh! Enough said. That's a deal.

Or, as Eddie said to Saffie: Just put me through to Zermatt!

Friday, February 15, 2008

Off Course-On Target

Wayne Hodgins' blog is called "Off Course-On Target" and subtitled "Where unexpected paths lead to great discoveries." Today he took a look at digital identity and fretted over the lack of uniform standards. But it's the analogies and stories Wayne tells - especially about how the shape of screw threads could have lost World War II for the Allies - that make it such fascinating reading.

And the moral - perhaps best stated as "the perfect is the enemy of the good" - is something the entire IdM community should take to heart. Consensus and compromise should be our watchwords.

Tuesday, October 30, 2007

The Peter Principle of Protocols

A good post today from Eve Maler reminding us that it's not just people, and it's especially not just on-line people, that have identity issues.

"I realize that the description I’m after is more like 'human-centric identity'. It comes with both online and offline scenarios and still needs to allow for (real-time or not) informed consent and attribute exchange."

This might be a good time to, once again, plump for "persona" as the term for what many call "on-line identity" so that we can keep straight what a real identity is.

She also alludes to the fact that not all identity protocols need to be able to do everything.
There's still room for lightweight, on-line digital person identity systems (vide OpenID) to be used within limited situations. It's not a criticism of OpenID to suggest that it only be used in low-value transactions. What is wrong is to apply a sort of "Peter Principle of Protocols" to OpenID, extending the original Peter Principle (formulated by Laurence J. Peter almost 40 years ago) through the "Generalized Peter Principle" promulgated by Dr. William R. Corcoran: "anything that works will be used in progressively more challenging applications until it causes a disaster." Let's keep, and improve, OpenID for the things it does best. Let's not try to teach that pig to sing.

Wednesday, September 05, 2007

Sanity check for OpenID

Bob Blakley offers a wisp of sanity for the often cantankerous debate over the formats, uses, security and usefulness of OpenID. As he puts it, there are all sorts of answers flying about - but it might be best to first form the appropriate question! In his own words:

"What I’d really like to see, as a security guy, is a problem statement and a risk analysis. Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question..."

In particular, Bob wants answers to these questions (and he goes on to elaborate on them):

1. What are the assets to be protected?
2. What are the services to be offered?
3. What quality of protection is claimed for these services?
4. What is the threat model?
5. What is the trust model?

Perhaps, before Digital ID World at the end of this month (and the accompanying Identity Open Space meeting), some folks will be prepared with cogent answers.

Thursday, August 30, 2007

Where's my data?

Dale Olds had an interesting post today ("The physical location of data matters") and Vikram Kumar had an interesting commentary ("Data location matters").

Dale states his thesis:
"The problem is that there can be very subtle problems in these systems based on where a policy is actually stored, who can access the policy, what is the security for retrieving the policy, etc.

And the slogan sounds very silly. It is 'the physical location of the data matters'."

And Kumar injects that:
"For many non-Americans top of mind when they think about the physical location of their data is the USA Patriot Act. This law presents two particularly thorny issues regarding their data stored in the US."

We sometimes lose sight of these issues as we strive to make data access as seamless as possible. From the beginnings of the virtual directory a dozen years ago to today's meshed software and mashed-up services, the actual location of the data doesn't matter to the operation, to the transaction, to the application, to the service. But in terms of security and privacy (and even intellectual property) it might make a great deal of difference where the actual data resides.

Something to take into consideration.

Monday, August 27, 2007

Open source vaults?

Someone who styles himself "Ant" has posted a note which, while not adding anything really new to the "portable identity" debate, is still important if only to show what an intelligent, if not totally informed, user might be thinking. And I certainly can't disagree when he says:
"I believe collectively we're searching for a repository for the many facets of my digital ID, constructed with an open standard. A database and application that lives on my own server with an API that allows organizations and companies to access the sets of information about me that I explicitly allow. This information doesn't get stored by these organizations or companies, because it's mine. They can access it whenever they need it, but I manage it and can cut them off whenever I choose. I want my identity under my control and not in the hands of corporations and organizations who may or may not be obliged to do the right thing with it."

But - and it's a big but - I have to shake my head at comments such as "my personal data is not for a corporation to charge me for the right to use." Yeah. And we'll have open source public data vaults right about the time we have free and open banks! (and I'd trust them just as little...)

Thursday, August 16, 2007

Identity as a service

An interesting post today from Jonathan Penn at Forrester. For the most part he's quoting his fellow analyst, Andras Cser, but he does throw in his own two cents' worth in agreeing with Cser's definition of Identity as a Service (IDaaS):

"...implementing identity and access management functionality predominantly as Web services in a service oriented architecture within the enterprise. Various line of business applications, policy management applications, and other services then call these IM Web services either autonomously or in a choreographed manner."

I also would like to jump in with a big "+1" for this definition. It's what I was thinking of when I said about Microsoft's CardSpace: "I'm addressing the enterprise market, which needs to pay attention to CardSpace right now. Many of your in-house developers are already using the .Net framework and Microsoft's Visual Studio to create and maintain your in-house apps and services. Handling authentication, though, has been difficult at best. Now a hero has ridden forth."

Software as a service (SaaS) is going to come first to the enterprise, and IDaaS is going to be a major enabler of that technology. And CardSpace (and the associated iCard open source technology) will be the major building block of that foundation.

Thursday, January 04, 2007

Throwaway identities?

danah boyd recently took note of a phenomenon she claims is rampant among, at least, teenage girls - and one that is contrary to what we all believe web site users want.

"Many teens are content (if not happy) to start over with most of their accounts in most places. Forgot your IM password? Sign up again. Forgot your email address? Create a new one. Forgot your login? Time for a change.

While adult bloggers talk about building an identity through extended blogging, i keep finding teens who got locked out of Xanga and responded by making another Xanga (or a Blogger or a LiveJournal). They have expressions scattered across numerous services with numerous handles. Some teens chew through IM handles like candy; their nicks are things like "o-so-funny" rather than the first name, last name standard that seems to pervade professional worlds. It's not seen as something to build an extensive identity around, but something to use to talk to friends in the moment.

Teens are not dreaming of portability (like so many adults i meet). They are happy to make new accounts on new sites; they enjoy building out profiles. (Part of this could be that they have a lot more time on their hands.) The idea of taking MySpace material to Facebook when they transition is completely foreign. They're going to a new site, they want to start over."

Could it be that the whole thrust of SSO, self-service password reset, federation, etc. - the areas in which we in IdM seem to spend all of our time - will have little meaning to the next generation of business users?

Or is it possible that these teens are way out in front of us on the use of multiple personas, multiple "digital identities" to express themselves? Perhaps - some time in the not so distant future - they'll be clamoring for a way that they can unite all of their "identities" - but only if they can guarantee that they alone can see the consolidated material. Food for thought, and for endless discussion while we wait to see what the users actually do!

© 2003-2006 The Virtual Quill, All Rights Reserved