2 years later, today at RSA, Microsoft announced not only that U-Prove technology will be incorporated into their upcoming identity platform technologies, but (more importantly for the identity community) that they are releasing it under its “Open Specifications Promise”, allowing anybody to use and incorporate the technology royalty-free. You can read more detailed analysis on the announcement by Kuppinger Cole analyst Felix Gaehtgens here. Suffice to say, those of us in the identity and privacy community are glad to see this day finally come.

By enabling truly minimal identity disclosure as part of trusted online transactions, the technology has the potential to open up the floodgates on a number of identity-based transactions that were previously considered onerous if not near impossible due to privacy concerns. Microsoft’s demo during the RSA keynote demonstrated one of the most obvious use cases: creating trusted online IDs that are based on, but don’t expose, authoritative government issued IDs. Think of it as being able to show the bartender your drivers license for age verification, but with everything except the date of birth blacked out, and the bartender still is assured that the information presented is accurate. This means big things for the advancement of claims-based identity transactions. Should be interesting.

Tags: Claims-based Identity, Privacy, RSA Conference, RSAC, U-Prove

Day 2: Lets get back to basics

The first half of Thursday was focused on enterprises looking for ways to achieve efficiencies and ROI through their IdM deployments, an outcome that had lost its relevance in the rush to achieve compliance objectives. But the current economic climate, and the slew of M&As (mainly As) and layoffs has brought this to the forefront once again, and sustained market interest in IAM when other initiatives are being pared back.

The day was a very good one for hearing about how customers were leveraging their IdM deployments in creative ways.

• I heard some interesting use cases of how Virtual Directory was being used to achieve efficiencies.
  • Companies are using Virtual Directory to expose the same identity data in different forms for different use cases.
  • The presenter from Sony talked about using Virtual Directory on top of geographically local LDAP servers to provide global access to data while satisfying their data compliance needs.
• There were a couple of sessions on managing UNIX infrastructure via AD (which is when I ducked into the cloud computing track).
• Wendy Booker of SunTrust Banks described how they used the cost savings (which they had to demonstrate and prove) from their IdM deployment to self-fund their project, which was a story I am sure more than a few attendees were interested in.

What I found really great was that a lot of the sessions were presented by organizations that had moved on to the 2nd or 3rd phases of their identity management program rollouts. This is quite different from all the previous conferences (Catalyst and others) I have been to, and speaks to the maturity of the market and some of these deployments.

The second half of the day was focused on identity transparency and governance. One of the most important points of the conference was made by Chris Howarth in his excellent kickoff talk, when he said that identity management must facilitate both hierarchical organizations that are necessary to implement enterprise controls, and social networks that are necessary for collaboration to take place. A lot of the discussion in the following talks were focused on the need to increase transparency with respect to how identity data is used, managed and secured to allow for accurate risk assessment and compliance to take place (echoing what was discussed in the cloud computing SIG). And increased transparency only works when complexity is reduced (preventing opacity from just being replaced by obscurity), an architectural requirement that aligns nicely with the identity services vision discussed on day 2.

Day 2 ended with the second night of hospitality suites, including Oracle. We got such a crowd in the Oracle suite that I barely managed to leave it for a few minutes to meet up with some old friends and colleagues in the other suites. And I made some good friends that day (and into the night – not a topic for this blog). I will say that celebrating Ian Glazer’s birthday at a speakeasy called Prohibition was very cool, even if they didn’t ask me for the password.

Day 3: Identity and Privacy are Blood Brothers

Day 3, while just a half day, still packed a solid punch with lots of intellectually stimulating discussion on the topic of privacy. Ian Glazer made a good point at the start of the conference when he said that the identity community is uniquely qualified to deal with the emerging privacy issues. And the sessions on Friday laid out exactly why. The key point made was that Security (making it difficult to get to something you shouldn’t have access to) should not be confused with Privacy (making it easy to get to something you should have access to). They are related, but not the same thing.

Robin Wilton gave an inspiring talk in which he laid out a framework for having productive privacy discussions with the multiple stake-holders involved. He arrived at this framework by analyzing the results of a series of round table discussions held around the globe as part of the Liberty Alliance Privacy Summit to get contextual understanding of privacy. Robin laid out a “Ladder” framework (Philosophy | Strategy | Implementation | Technology) that helps the parties involved focus on the use cases and issues to resolve. I hope he makes his presentation publicly available in some format in the future, because really is a great piece of work.

Bob Mocny, Director of the US-VISIT program, talked about some of the identity and privacy issues involved in running the single largest biometric authentication program in the world. One of the key takeaways from his and the follow-up sessions was the need for organizations to implement privacy audits as separate programs from their IT-Security audits.

Heidi Wachs, Directory of IT Policy and Privacy Officer at Georgetown Univ, gave an interesting talk about the lessons learned during Georgetown’s efforts to  handle a privacy breach. What I found fascinating was how they went about trying to create and enforce a policy on the use, collection and retention of SSNs. Their findings on how far the data was “leaking”, how hard it was to track down all the possible data flows, and how users went to great lengths to hide their mistakes were a lesson that every enterprise should be aware of. It also highlighted the challenges the extended enterprise, working with business and IT partners and services providers, faces in locking down privacy issues.

The day ended with Google talking about how they protect the privacy of their users. It may have only been a half-day, but the quality of content made it a fitting way to end a thought provoking conference. Look forward to what the next one has to bring.

Tags: Breach Remediation, Burton Catalyst Conference, Catalyst09, Identity Governance, Ladder Framework for Privacy, Privacy, Privacy Audits, Virtual Directory

Computer scientists Arvind Narayanan and Dr Vitaly Shmatikov have proven that the anonymized data sets that social sites sell to marketing firms are not really that anonymous. It is possible to reverse engineer these data sets and obtain actual names and addresses, by looking at the content and structure of the data (in their example, correlating data from Twitter with Flickr).

• BBC Coverage
• Detailed look by Ars Technica
• The paper: De-anonymizing Social Networks

This raises grave concerns about a practice that has becoming increasingly common as social networking sites seek ways to monetize their data. They routinely release social graphs from which a few bits of personally identifiable information (PII) has been stripped to interested parties – advertisers, third-party apps, government and academic researchers. Conventional thinking is that this is good enough to protect people’s identities.

But as the paper shows, this is nowhere near good enough. It’s an interesting study that essentially redefines the term PII, and could (should) have grave implications for social networks and their responsibility towards their users.

The lesson, as Ars Technica points out, is that “anonymity is not sufficient for privacy on the web”.

Tags: PII, Privacy, Social Graph, Social Networking

Privacy is a funny thing – most people assume they have it unless they explicitly do something to give it up, but in actuality, information about us is flowing all over the place without our knowing it. As Bob Blakley likes to say, “There are no secrets”. In the US (which is yet to ratify this convention), data about individuals is a commodity at the heart of many a business. And advancements in technology have opened the floodgates, with many of us contributing to the flow through our usage of social media. I’ve lost track of the number of articles I have read warning college students of the impact their Facebook activities could have on their job searches. Asking individuals to basically shrink away from communities in order to protect their privacy is not the right answer. We need to do more to enable privacy.

In honor of International Privacy Day, I thought I’d post a few links that provide some (essential/interesting/weird/amusing) perspectives and information on the topic of privacy as it is being talked about today.

• Proposed “Camera Phone Predator Alert” bill would require all cameraphones to make themselves heard
• One Man’s Experiment With a Location-Aware Lifestyle: An interesting post from the blog of the Privacy Commissioner of Canada
• More information on Data Privacy Day, thanks to Intel (see this interview with David Hoffman, Director of Security Policy and Global Privacy Officer at Intel as well)
• In the United States, the US Privacy Coalition (including EPIC) is launching a campaign to urge the US government to support the Council of Europe Privacy Convention
• Search Privacy Issue Goes Mobile
• Forrester Research Making the case for Data Masking
• A Move Toward More Privacy Online: Yahoo changes data retention policies
• Identity Governance Framework at Liberty Alliance
• Data Privacy Day Exhibit Differences in Approach from Google and Yahoo

If you are doing anything for International Privacy Day (and it isn’t private! – thanks @trevcook), or have links to interesting stories regarding privacy, please leave me some comments. And be sure to pass on the word. Request your government to support the Council of Europe Convention on Data Protection (No. 108) and to adopt comprehensive privacy legislation based on that standard.

Tags: Identity Governance Framework, IGF, International Data Privacy Day, International Privacy Day, Privacy

I found the conversation on anonymity particularly interesting. Those of us in the field of identity management tend to get hung up on terminology a lot. It’s an important aspect to any emerging field, as improperly used or appropriated terms tend to create confusion in the marketplace, and act as a barrier to productive engagements. It is with that in mind that I raised the question on the forum last week “Isn’t a pseudonym the same as a persona?”. Dave Kearns weighed in on my question in this weeks Network World IdM Newsletter.

Much of the conversation last week was on the nature of anonymity and, by extension, pseudonymity. One of the important ideas established is that they are transactional constructs, existing within the context of some identity-based interaction. My question was posed with that frame of reference.

True anonymity in the digital world is pretty hard. There is always some sort of trail (IP addresses, etc) that can lead back to the original user. So it would seem to me that all we have today is varying degrees of anonymity – starting from the barest minimum of information, ranging through being able to piece together a picture based on multiple interactions, having semi-anonymous interactions based on the establishment simply of a username, to a full-fledged fake identity being set up in a website. In other words, all that exists today is pseudonymity.

Does that mean that anonymity is simply an edge case of pseudonymity? I think not. Just because anonymity doesn’t exist today does not mean that we don’t want to achieve it. Therefore retaining the separation (that an anonymous interaction can never lead back to the originating identity, while a pseudonymous interaction is simply an imposed barrier between the interacting party and the originating identity) is important as a way of enabling us to work towards the technological solutions necessary to achieve anonymity in the digital world.

More interesting is where digital personas fit into this conversation. Look at the definition of a  Persona as defined in the ID Commons Lexicon, and in particular at comment 1:

A Persona is something put forward by a user, but how it is perceived, recognized, accepted, rejected, trusted, used etc. by a Relying Party cannot be specified or in any way implied.

Based on the underlined part, it seems to me that a pseudonymous identity is simply a persona. When a user sets up a persona, they specify the information they want to present through that persona. This information can be completely fake, as minimal as necessary, and set up solely for the purpose of interacting with that one party. In other words, the interaction using that persona is pseudonymous in nature. Since personas and digital pseudonyms seem to share the same characteristic of having a range with respect to amount and transparency of identifying information, it would seem to me that they are one and the same thing.

Understanding these constructs will be important as we move beyond identity management systems and start building persona management systems for use on the web. In particular, understanding the relationship between persona and pseudonymity will help frame the requirements for these systems as they help protect us in our online interactions.

Tags: Anonymity, Persona, Privacy, Pseudonymity

“…relative to the scale of implementation, few Identity Management issues actually occur. In general, both user and maintainer of the RFID settings perceive RFID merely as an electronic key or wallet. The reason for this can be twofold. First of all, in all the cases it is clear who maintains the data and needs to comply with the guidelines on data protection. Second, many systems currently only cover a small area of a specific setting and run parallel to legacy systems. The RFID systems therefore only disclose small fragments of their users’ identity, limiting the maintainers’ possibilities for control.”

2. But this is likely to change

“…citizens increasingly use RFID in daily life, leaving personal data in the system, trusting the maintainer of the system to handle this information with care, protected to some extent by the law. As both the threats and benefits of this increase in the processing of personal data are becoming visible, the public image of RFID risks being caught in the middle of two opposing camps.
On one side, there are pressure groups, journalists and members of the public predicting a dark future with a ‘Big Brother scenario’ unfolding. Their key words are: spy chips, privacy and surveillance. On the other side, there are the business promoters painting colourful pictures of a bright future in which everything is smart, safe and automated. Their keywords: solutions, innovation, efficiency, return on investment and usability.”

3. The challenge is finding the right balance

“Once RFID is used in more settings, exclusively and connected to each other and other technologies, digital footprints will provide a much broader picture of the users, opening up new opportunities for control by businesses and government. This is not just an issue of protecting privacy or personal data, but it is more about securing personal freedom and striking the right balance between choice, convenience and control.”

The report recommends that the solution will involve not just industry, government, privacy advocates and other campaign groups, but the consumers as well, who will have to start thinking about what we essentially call Personal Identity Management. The report seems to put the onus on consumers, asking them (us) to be proactive about understanding what identity data is being gathered, how it will be used, and appropriately authorizing or denying its use.

But as we all know, that is easier said than done. I commented in an aside on my post yesterday about the Facebook data sharing choice not really being a choice at all as it didn’t clearly state what data would be shared with the apps – an all or nothing binary choice. Even the report shares some interesting case study insight (emphasis is my own):

“Secondly, a maintainer of an RFID environment could, in principle, provide full insight into the purpose and process of data gathering, while making this virtually impossible in practice. Notorious examples are the user license agreements, which are very elaborate, unreadable and impossible to find. The Dutch Railways, for example, sent holders of seasonal tickets an RFID replacement of their card, accompanied with a letter stating that the act of use will be interpreted as an agreement with the terms stated on a website with a very long address. In case of the Italian SI Pass, the agreement literally states the data will be used for marketing. The agreement on the American version of the Exxon Mobile Speedpass informs about the marketing function too and even states the data can be sold to ‘any bidder’ and the agreement can be changed by the maintainer at any time without informing the users.”

Read the report if you have some time, as it makes for a fascinating read. The case studies focus on Europe, where RFID in the consumer space is in far greater use than here in the US, and are especially interesting. And draw your own conclusions as to whether we are ready for the 5 challenges the STOA outlines:

1. RFID users need to know what maintainers can and are allowed to do with RFID data.
2. RFID users should play a role in developing new RFID environments.
3. If personal data from different RFID settings are merged it should remain clear who is responsible form handling these data.
4. The Privacy Guidelines and the concepts of personal data and informational selfdetermination need to be reconsidered in the light of an increasingly interactive environment.
5. Governments should take a clear stance on whether RFID bulk data will be mined for investigation purposes.

Tags: Personal Identity Management, Privacy, RFID, User-Centric Identity

Wired news covered Lukas Grunwald’s exposure of security flaws that allow someone to steal and clone the fingerprint image stored on a biometric e-passport, and then manipulate the stolen image to attack, disable and potential misuse the e-passport readers that attempt to scan it. He successfully crashed two different readers by using a buffer-overrun exploit, a vulnerability that could potentially be used to inject malicious code into the readers, leading them to approve expired or fake passports.

RFID Passports have long been looked at with skepticism by the security community (if you search you will find a ton og blog posts lambasting the RFID passport idea, and even this article on “Feds rethinking RFID Passport“). It isn’t really the RF technology that is interesting here, it is the what and how of the data that the tag carries, protects and communicates. The article points out that the so-called security measure that is recommended (but not required) by the ICAO, called “Extended Access Control”, does little to alleviate the problem.

Grunwald will be discussing these vulnerabilities at the annual DefCon hacker conference in Vegas in a session interestingly titled “First We Break Your Tag, Then We Break Your Systems”.

Tags: Electronic Passports, Personal Identity Management, Privacy, RFID