Take the case of my Health Insurance provider. Casually talking to a girl on the help line informing her of our new postal address, I mentioned enjoying pre-retirement here in the French country side.  She only needed that one verbal cue to inform me that my policy was no longer valid and I was not insured (read the small print about being in full-time employment, she said. But who does?).

As an aside, a replacement private policy would quadruple my monthly payments.  “What, even though I now lead a much less stressful life”, I replied? It seems European governments force these insurance companies to provide so-called social healthcare policies for the working classes, heavily regulated  on a minimum cost-plus basis. So it seems they must screw all their profits out of the fortunate few that can say goodby to working life before their state pension kicks in.  And here it was me thinking, insurance companies calculate their premiums based on risk! Gardening must be more dangerous than being in a stressful office  job! Give the help line operator her dues, she said the company would refund my voluntary premium payments from the day I quit work.

Now move the scene to the department that wants to pay me back about five months worth of premiums. It writes to my new unverified address that it needs to verify my bank details. A simple mail from my verified email address all the sudden isn’t good enough. But it is OK to email them scanned copies of my passport and a scanned bank statement showing my account number and my new address.

Am I the only person thinking how stupid is that?  To make my point I searched on Google Image search for an example of a bank statement which I soon found and downloaded from MattsBits blog. A hacker with bad intentions would probably find one in your waste paper bin and scan that in.  I used the bog standard program ‘Paint’ from Microsoft, to be found on every Windows computer, used an electronic  rubber and changed the address and bank account number on Matt’s statement to illustrate my point. The result is displayed below:

Doctored pro forma statement using 'paintbrush' from Microsoft

Now it seems that today I could send this as a bona fide scanned copy in an attachment to the healthcare provider and they now think/pretend they have covered their arse?

How stupid is that? Who are they kidding? Is this secure identity management in the year 2011?  Shame on Microsoft for pulling the plug on Information Cards. Shame on the the likes of Verizon, Deutsche Telecom, Orange, the banks of this world even Google!  Why will no-one step up to the plate and give us secure Identity Verification Services to replace this pretense?  Why do Relying Parties lull themselves to sleep by allowing hackers to fool them with easily doctored scans of utility bills etc? It seems we are back in the 1950′s days of simple checkbook fraud as illustrated so well in the film ‘Catch me if you can’.

First I must say I enjoyed  Alex Massie’s comment in the Spectator : “Sir Humphrey would be proud” he said and allso called the news a “grubby little piece of u-turning”. Say one thing, do completely the opposite and in ‘Yes minister’ style claim no one is lying! Innocent people’s DNA profiles won’t be deleted after all it seems. Or is a double U-turn on already on the way? 

Others have commented that the timing of the Telegraph article is ‘suspicious’. They argue the paper has been making a mountain out of a molehill and distracting from the real issue which is the retention of photographs and PNC/PND records of these same innocent people, which may not be addressed in the current bill. The timing of this news is viewed as weird/suspicious as well as the article was placed several weeks after Brokenshire’s letter was made public.

Not unusual in Home Office/ACPO circles, a lot of woolly language is being used by civil servants to obfuscate the issue.  Compliance to Human Rights to privacy and Data Protection Principles depends, it seems, on the exact definition of what exactly constitutes a DNA profile that needs to be erased and what is  Personally Identifiable Information (PII) in relation to the physical DNA sample wrongfully taken from a person by the police at the time of his/her arrest. 

Sir Humphrey would like Home Office minister James Brokenshire to believe that only some links between computer records are at stake here and need to be deleted on the orders of the ECtHR when a person is proven innocent after a wrongful arrest. They also would have him believe a ‘DNA profile’ could be considered as just a string of numbers connected to  a record of arrest in police computers. Not unlike a postcode points to an address. NDAD apologists will often argue that such strings of numbers say nothing ‘private’ about individuals and certainly would not reveal sensitive information about sex, race or other information about our genetic make up. Strictly speaking this is of course correct, but like usual the devil is in the implementation detail. Not only is this abstract number illegally stored by the UK state in a bout a million cases, but also the original samples from which the sequence of numbers was derived are illegally stored by the commercial labs that did the analysing and sequencing. Therein lies the rub for many privacy advocates. The Strasburg verdict explicitly orders the UK state to delete the DNA ’samples’ of Marper and S. Leaving them intact in these fridges can’t be right! The discredited ACPO ‘exceptional procedure’ also claims to delete them, unless of course police are economical with the truth here as well?

It is clear that campaigners on the Reclaim your DNA on FaceBook pages and other civil rights organisations don’t give a hoot about the distinction between the profile sequence number and the physical sample from which it was derived. They want everything deleted and destroyed that according to them never should have been unlawfully taken, often under false pretences and with the flimsiest of pretexts. Many distraught victims of this abuse of power by the UK Police don’t even realise bits of their personal DNA are stored in industrial fridges in commercial labs around the country, courtesy of their local constabulary!  They also will also be blissfully unaware that their genetic information has been used for 20 academic studies into criminal and racial profiling and that the private firm analysing the samples has secretly kept copies. Who else will the police sell this information too?

A DNA profile is in a sense nothing but a string of numbers, representing peaks on a bar chart. Imagine this chart printed on one of those X-ray photos or transparencies doctors like to use.

If you super impose the bar chart of DNA found on a crime scene, with that of a ‘suspect’ on a data base and you see a lot of overlap in the peaks and troughs, there is a high chance that DNA evidence found at a crime scene is related to the ‘suspect’ in one way or another. However to prove someone guilty, a lot more is involved like establishing means, motive and opportunity. But when the only evidence in a foul crime is a DNA match and the tabloid press invokes a public outcry, police can get sloppy and start to cut many corners! Sometimes they can even selectively turn deaf and blind, ignoring evidence that points in a different direction! 

A DNA profile is in fact just an encrypted set of 20 numbers plus sex indicator, that reflect a person’s unique DNA makeup. In fact so unique it can practically be used as a person’s identifier. Using a string of numbers rather than an actual photo of the DNA chart enables a computer to do the comparing instead of an expensive geneticist, who would perform this task by using his trained eyes and experience. However the computer only can determine if a number falls within a pre-determined range and so determine a ‘DNA match’. The computer program doesn’t add the usual cautions that a biometrics expert might add in court. It just compares if the resemblance is between two arbitrarily set minimum and maximum values used for eliminating false positives or incorrect negatives. PC plod, who is not scientifically trained and often lazy or over worked however thinks: “Better lift that person out of their bed for questioning, coz he/she ‘must-a-dunnit’. Computer says so!” 

So what seems to be the current problem around DNA erasure as promised by the UK Government? 

Sir Humphrey (with the ACPO IT lobby giving him ear ache no doubt) this week said in a written answer to parliament that deleting the physical samples (the little q-tip swabs they took) transferred to little glass laboratory vials might prove tricky. It turns out one of each two samples is stored in big trays, labelled by bar codes, in big expensive industrial fridges in private labs alongside the millions of vials of the real convicted culprits and perps. Lifting the million innocents’ vials (swab -B) out of these batches, while leaving the four million they are allowed to keep in situ, is turning out to be very expensive Sir Humphrey claims! But he will smash up all the trays with samples ‘A’ for the tabloid press, so it looks like the Police are doing the right thing and nobody will ask any questions about the second samples.

And.. says Sir Humphrey, if on the computer we simply erase the name pointers linked to the bar codes we have in fact achieved our purpose and compliance by anonymising the tubes so they never can be linked back to an ‘innocent’. This is where the deceit kicks in, because it seems that, depending who you talk to, there are ways to connect the bar coded vials back to an innocent individual en restore the link in these computer databases. Just think of the countless back-up tapes made over the years. Do we, who worked all our lives in IT, really think all these  back-up media will all be erased or cleansed? Dream on!

The obvious question here is of course: “Why did they think it was necessary to keep all these physical DNA samples/vials with swab B in the first place?” Just ask the labs to smash the whole tray of vials, innocents and guilty, after they have extracted the required profile numbers! Ah…. says Sir Humprey….. We need to keep these physical samples so we can…  Ehrr..in the near future re-profile all these samples again with more sampling points and greater accuracy, because Ehrr.. as the data base grows, we are already getting more and more ‘False Positives’ and ‘False Negatives’ as any biometric expert could have predicted at the start of this sorry saga.

Written evidence submitted by Professor Peter Gill to UK parliament said thatUK national DNA database (NDNAD) is now ‘out-of-date’. New genetic markers have been developed that give greater accuracy, which of course you will need if you fill up a crime data base with millions of innocents or would like to expand to Europol levels! Witness the rise of a whole new industry in Europe where theUK is lagging behind because we jumped on the bandwagon too soon! Invented in theUK, perfected abroad. A bit like our transport systems really. 

Minister Brokenshire, had he been properly briefed, should at this point have pointed out that if we had followed the Scottish model and only stored the DNA of convicted criminals, we wouldn’t be in this mess! We also might have money left over to do things right! 

One dry comment on the Telegraph page reads: “Home Office spokesman says within individual police systems, profiles are recorded in batches and it is not possible to delete one without affecting the rest, including convicted offenders? Tough! Delete or do something useful like resigning!”

Article links:

http://www.spectator.co.uk/alexmassie/7131780/uturns-in-the-governments-dna.thtml

http://www.phgfoundation.org/news/9312/

http://www.techeye.net/business/government-does-double-u-turn-on-dna-database

http://www.telegraph.co.uk/news/uknews/law-and-order/8660821/Innocent-peoples-DNA-profiles-wont-be-deleted-after-all-minister-admits.html

http://www.deferolaw.com/profiles/blogs/police-retain-dna-records

http://www.homeoffice.gov.uk/publications/about-us/legislation/protection-freedoms-bill/

http://en.wikipedia.org/wiki/DNA_profiling

http://www.publications.parliament.uk/pa/cm201011/cmselect/cmsctech/writev/forensic/m19.htm

http://www.facebook.com/topic.php?uid=199558802231&topic=11934#!/group.php?gid=199558802231

http://www.istockanalyst.com/business/news/5302086/cameron-s-links-to-phone-hacking-scandal-make-his-position-untenable

http://www.parliament.uk/deposits/depositedpapers/2011/DEP2011-1082.zip

I wondered if this latest set of identity commandments from the Jericho Forum added any new insights or critical success factors for ‘would be’ Identity Providers(IdP).
I wondered if similar exercises by governments or supra-national organisations added any value or if they just use legalese terms to preach exactly the same gospel. Are such directives complementary or perhaps incompatible?  So here is a list of what I looked at:

• The Laws of Identity , Kim Cameron and others 05/11/2005.
• The EU Commission’s communication about a new comprehensive approach on personal data protection in the European Union, Brussels, 04/11/2010.
• The Fair Information Practice Principles (FIPPs) as highlighted once more
   in the US National Strategy for Trusted Identities in Cyberspace (NSTIC), April 2011.
• The JerichoForum Identity, Entitlement & Access Management Commandments (IdEA), May 2011.

Please let me know if I missed a more important set of rules. I would be especially interested in reading similar documents from the non-western world. It seems there are some universal laws most of us can agree on, unless maybe you are one of the few tin pot dictators or communist regimes that are still left after recent ‘spring’ uprisings and like. 

The following table tries to highlight the corresponding principles from the above mentioned documents and point towards broad agreement and common language used.

Different laws, commandments or government intentions compared side by side

Studying the above table reaffirms my impression that at least the civil servants and private sector staff that have contributed to the above documents seem to have attended the same Identity Management and Privacy conferences and picked up the same buzz words.  But the commercial organisations building the actual identity eco system, do they actually pay attention to these lofty data protection and privacy principles, or do they pay a mere lip service to them while in fact often doing the opposite? 

The most sinned against identity law and privacy principle is probably that of minimal disclosure of Personally Identifiable Information (PII) for a constrained use. In a previous blog post I cited the case of janrain and the increasing popularity of the NASCAR approach of social network logins. The sucking dry by Relying Party (RP) web sites of the unsuspecting FaceBook users’ profiles at the first opportunity is probably a relic of the past when similarly 80% of the registration attributes required for a new account on any service provider web  site seemed to offer no other business justification than collecting as much ‘nice to have’ user marketing information as possible. The cheeky ‘what income bracket are you in’ question will be familiar to most of us and if given a chance we all probably have deliberately ticked the wrong box meaning to say:”none of your business!” 

A second observation that I made from studying these lofty ideals side by side is that the Laws of Identity and the Jericho Commandments seem to be much more radical and uncompromising in its proscriptive language of do’s and don’t or must and mustn’t than some of the public sector directives.  It seems that in the case of the EU and US government documents for example, the lobbyist working for multi national firms have been very successful in making sure self-regulation gets a chance before onerous laws are passed, whereas the ‘Jericho Commandments’ have been drawn up by ’dyed in the wool’ Chief Information Security Officers from companies that take security very serious indeed. Just like it is the lobbyists aim to take the bite out of privacy legislation by removing as many teeth as possible, these industry security experts know full well that fuzzily worded security policies are just an opportunity to ignore or circumvent them. 

The more I study the new Jericho Commandments, the more I start to appreciate the document as a very useful new blueprint for success and one that perhaps can be put more easily and directly into practice than other more ‘high level’ and loftier missives.  

The document is mercifully short (4 pages), but precise and to the point. What is nice is that it starts to make a link between Identity Management and Entitlement Management. These are after all two sides of the same coin. 

The Jericho Commandments can easily be represented in a diagram visualising the relationships between the various components of the identity meta system. Below is my own attempt at this. The blue lines represent one way links (or a one way trust) in a relational data base implementation, or if you prefer an LDAP directory, you could represent the same as an inverted tree from the Core root Identity down, a root that must never be disclosed or compromised.   

The dotted lines below represent contextual trust; for example linkage to government issued attributes / identifiers which the receiving Relying Party (RP) can validate with a relevant attribute provider using their trust relationship with that provider. The OASIS SAML and WS-* family of web service standards, provide ways by which such trust relationships can be technically implemented using attribute queries. 

A pictorial representation of the Jericho Commandments

So in conclusion: What I like about the Jericho Identity Commandments is that they provide potential Identity Providers (IDP) with a real benchmark to test what engineers have actually built in reality from what may have started as a lofty and ideal design.

When asked about ‘informed user consent’ in OpenID Connect Dave replied: “We have extensive privacy protection options available. The user is very much ‘in control’ by clicking his/her desired privacy settings. Is that before or after clicking on the FaceBook login button I wondered?

Just think of it like this, said Google’s Eric Sachs: “Every Oauth enabled login is one less clear text Username and password transmitted over the Internet and one more vector of phishing attack removed.” OAuth provides a method for users to grant third-party access to their resources without sharing their passwords. It also provides a way to grant limited access (in scope, duration, etc.).

The Oauth 2.0 logo

Luck would have it that Larry Drebes, founder of Janrain, had taken the place of the FaceBook representative. So with my previous blog post in mind I went straight for the jugular with a question for Larry asking him: “If people complain about privacy intrusion by FaceBook and Google, wasn’t his company evil squared?

Let me remind you that janrain offers Relying Party web sites technology that makes it possible to collect and join together  pieces of social data from different sources in order to build a more comprehensive profile of unwitting users, even if they themselves try to spread their love around by clicking on different NASCAR log-in buttons whenever possible.

Larry responded that the social network authentication brokerage service they offer actually doesn’t store any data. The user’s information is only fleetingly used and held in virtual memory only for as long as the Oauth transaction takes to complete. From that point of view there are no negative privacy implications of course.

On the other hand janrain do offer Relying Party Service Provider customers a tool kit that allows RPs to accept social logins and automatically store the user’s associated profile data in a lightweight database they can host themselves if they like. 

Isn’t that a bit like the manufacturer of anti-personnel land-mines saying it’s not them laying the mine field?

My main take away message from the conference is that privacy advocates like me should not despair, even if in their own companies they are sometimes viewed as the lone prophet’s voice.

Privacy Protection is what one day will set Identity Service Providers apart and become a critical success factor rather than a ‘pain in the neck’.

Linking a User's Social Network Accounts to Relying Party Web Sites

Even big daily newspapers like the New York Times and Los Angeles Times have recently picked up on this phenomenon. I have often wondered what economic laws drive this rapid adoption and why isn’t there a huge backlash against the privacy implications in all of this?

I remembered Gresham’s Law from my business school days explaining why ‘bad’ money drives out good money. In essence when governments reduced the amount of copper in the pennies they produced, we learned that the public hoarded copper pennies and only spent the lightweight ones. It struck me that ever since FaceBook relentlessly started pushing their lightweight (in terms of security) solution to the perennial WEB single sign-on problem; it has been difficult to sell more solidly engineered solutions to our customers.
It seems bad identity, like bad money, drives out good identity.

Why am I concerned? David Recordon tells us in his blog: “We’ve finally convinced businesses – which serve normal people – that having their users sign in with existing accounts is better.” But I am thinking: “Where is informed user consent in all of this?”

It may be a cultural thing, but in Europe we seem to abhor the relentless invasion of our privacy, powered by OpenID connect. At the same time, in the USA,  companies like janrain are extolling the virtues of collecting a richer, more complete set of data and social graphs on users, claiming  they can link together information about us that we perhaps would rather keep separated within different Identity Providers’ compartiments.

What prompted me to blog this post? Maybe is was watching ‘Erasing David’ yesterday night on Belgium TV. I was rather disappointed, but at the same time the film reminded me how difficult it already was in 2009 to push this particular genie back in the bottle.

Building a better solution is what motivates me every day working for Verizon Business, working on a better ‘safer’ solution. Of course at the end of the day my company is not a charity and we will have to show additional business benefits for our customers besides enhanced security. I think this added value can be achieved by putting our users ‘in control’ of their identities; by sharing the rewards of their explicit consent in opening their personal profiles to Relying Party businesses and not by treating our users’ growing profile value as just another ‘product’ to sell.

Yesterday I attended a cabinet office briefing on eID Identity Assurance, part of the
G-Digital project.  Anything with the word identity is a political hot potato in the UK after the new Tory-LibDem coalition government literally ‘crushed’ Labour’s National eID card scheme. I wondered why apparently it’s one of the deadliest of privacy sins in the UK to suggest using the same unique identifier in one’s dealings with different government departments. Just rename NI Number to ‘Citizen Service Number’ like the practical Dutch did with their SOFI number and Bob’s your uncle. Isn’t this what governments have been happily practicing in Sweden and most other EU countries for decades? In the UK it seems this is a ‘no-go’ area because of the implied impact on citizen’s privacy. God forbid that someone in the DWP’s Child Support Agency could easily trace a deadbeat father in a HM Treasury system and find out that he can easily support his children after all. Or god forbid that someone claiming housing benefit from his local council could be found out actually owning six properties in the next town. That kind of joined-up government ‘just wouldn’t be cricket’ in the UK. 

Damian Green feeds a hard disk into a crushing machine

Data Protection in the old days

When I took up my first job in the UK as ‘Master Data Controller’ for Philips Business Systems, my employer made sure I was well trained and fully aware of my responsibilities under the new Data Protection Act. This act and the European Directive on which it was based is now of course hopelessly ‘out of date’ in our Google and FaceBook era. In the old days we worried mainly about enterprise and government data bases being misused.  iPhones recording your every move without your knowledge were not yet on the horizon.

Apart from my honour bound duty to keep  Personally Identifiable Information (PII) private and safe, the main things I fondly remember today are the carefully drafted Data Protection Principles. One that was particularly etched on my consciousness was the third principle that said: “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”. This important principle is also reflected in the second Law of identity shortened to the head line: ‘Minimal Disclosure for a Constrained Use’. In the explanatory notes of Kim Cameron’s master piece it is explained that it is wrong to keep personal Information “just in case it might one day be required”.

In the UK ‘privacy’, like ‘beauty’, seems to be in the eye of the beholder. If it’s good or bad depends if it was the other political party who came up with the idea in the first place. Wouldn’t it make more sense to just stick to the EU rules the UK signed up to?

NDAD

So let’s look at another UK example, where trampling on privacy rights by the state seems to be ‘not a problem’ because it’s for the ‘common good’.  The UK now stores the DNA profiles of more than a million innocent people on a crime data base “just in case” they might one day turn into criminals and provide a match with DNA found at some future crime scene. The Minority Report nightmare in other words.

The UK was quite rightly convicted over this data protection violation and human rights breach at the European Court of Human Rights (ECtHR) in the case of S. and Marper. The culprit actually was the Chief Constable of South Yorkshire Police as officer with data protection responsibility for his force, but you can only take states to the ECtHR, not individuals.

On the 4^th of December 2008 the ECtHR unanimously ruled:
“In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society”

Incredibly UK Police forces up and down the country are today still adding thousands of ‘innocents’ DNA profiles to this data base every week and are refusing to honour appeals of citizens that protest that their Human Rights and privacy is still being violated, well over three years after the Police were convicted.

When challenged, their legal representatives often will write back ACPO drafted obfuscating letters stating that forces are still ‘bound’ by the discredited and overturned decision of the house of lords in R (Marper) v Chief Constable of South Yorkshire Police [2004] and that this somehow gives them the fig leave of an excuse to hang on to all this DNA information for dear life. This is of course a gross distortion of natural justice and hides what is really happening here.

In my opinion the UK Police are in effect behaving like the pigs in George Orwell’s Animal farm. Remember the Seven Commandments of Animalism? “No animal shall sleep in beds” is changed to “No animal shall sleep in beds with sheets” when the pigs are discovered to have been sleeping in the old farmhouse. “No animal shall drink alcohol” is changed to “No animal shall drink alcohol to excess” when the pigs are discovered drinking the old farmer’s whisky.

In the same vein, no doubt after a huge lobby from the Association of Chief Police Officers, a new section was quietly slipped into the Police and Criminal Evidence Act (PACE) by the Criminal Justice Act 2003.  A simple paragraph update ( approved in some committee, not in the House) now suddenly states that a non-intimate sample ‘may’ be taken from an individual without the appropriate consent and no senior police officer needs to be present. DNA taking is now an official crime fighting activity police officers can be targetted on just like the number of speeding tickets issued. Note however, that in no way this simple word ‘may’ implies an ‘obligation’ on the part of the police to take the DNA of anyone who passes through their doors under false pretenses. But this is todays reality for over a million innocent people in the UK: Because somewhere in 2003 the law makers used the word ‘may’ this gives the police today a fig leave of an excuse to keep violating Human Rights and Data Protection Principles ‘at will’, even though Labour lost an election, partly over this specific issue of erosion of civil liberties and the UK Supreme Court has now ruled “the retention of the DNA samples of these appellants was
unlawful”. How arrogant is that?

With hindsight using this sloppy wording could be compared to giving vampires the key to the NHS blood bank and telling them they can have the occasional sip if they are feeling a bit faint. The police was quick to abuse their new found powers. Having been told a national DNA data base was politically untenable, they decided to build one by stealth. UK NDAD is now the largest of such databases in the world. The ACPO IT lobby practices and propaganda techniques are copied in every state in America and far beyond. Look! Another horrible crime solved using DNA! Let’s collect more!

Like the Chief pig in Animal farm abuses the animals’ poor memory and invents numbers to show the improvement in their safety. Notice how Chris Sims, the Association of Chief Police Officers forensic science spokesman, in his testimony for the House of Commons committee discussing the Protection Of Freedoms Bill used an arbitrary number of DNA matches rather than any extra convictions obtained in court by keeping the wrong people on the DNA data base?

This relentless propaganda is why police men and women up and down the UK are now more familiar with the much abused caution quoting ‘necessity for a prompt arrest’ (so they can take your DNA at Police HQ) than the famous words ‘anything you say may be taken down and given in evidence in a court of law’.

Innocent until proven guilty now means innocent until the next time the Police determine a match with your DNA (or even that of a distant relative) with any dirt that is dropped and subsequently swept up at a future crime scene, that is of course, if there is any manpower budget left to do so, after overspending on all these surveillance cameras, facial and number plate recognition systems and other IT gadgets of course.

Debra Orr commented dryly in the Independent newspaper: “Then suddenly it becomes clear. A society in which the police sit around, [behind their computer screens no doubt]waiting for crimes to be committed that would fit the profile of their ever-growing pool of suspects ….. is just a lazy, dumb and prejudiced society”.

Kim sort of burries this important news, which must not have been pleasant for him, somewhere between the lines of a post titled “From CardSpace to Verified Claims ” posted on Monday February 21st of this year. 

Regardless of why this was the case, it explains why last week Microsoft also announced that it will not be shipping CardSpace 2.0.

I was once credited by Alex Barnett for being the first IAM blogger to get a scoop on Information Cards and let the wider world know about Microsoft’s CardSpace initiative with a report from an EEMA Identity conference in Paris in March 2004. With such a history of involvement you can imagine I find myself in a bit of a quandry right now.  Only last year I persuaded my company to join the ICF and OIX initiatives as a board member!

Why such an important announcement in such an obscure place? Signed by who at Microsoft? Who takes responsibility for the killing of a goose with the potential to lay so many golden eggs for Microsoft?

Craig Burton echoed the sentiments of many when he wrote in his blog http://www.craigburton.com/

Let me prove my point about how poorly Microsoft behaves concerning this matter. Microsoft and other vendors put hundreds of thousands of dollars into a non-profit organization—the Information Card Foundation—to independently promote the use of the Identity Metasystem. Yet, Microsoft didn’t even bother to let the ICF board know it was going to announce the discontinued development of CardSpace until AFTER the press release was distributed. Now that’s leadership?

But Let’s look forward on a positive note from Craig:

But mark my words, we WILL have a selector-based identity layer for the Internet in the future. All Internet devices will have a selector or a selector proxy for digital identity purposes.

A tractable identity selector—with its accompanying metasystem—is most likely to appear from where it now lives—from the edge. 

 I hope to pen a new blog soon titled ‘Information Cards are dead – Long live information Cards!’ I also hope to prove Greg Burton wrong that the next spurt forwards will come from ‘the edge’. I have said before that the essential attributes to become one of the defacto Identity Service providers for the internet are not those prevalent in small innovative start-ups. Don’t look to to the edge, look to the core of the network where you will find Verizon Business!

What most analysts seem to agree on, is that just like with PKI, the ‘user experience’ proved to be CardSpace’s Achilles heel. “You just can’t change the user” said one commentator. Users want that ‘one click’ experience. In fact you could state that users needn’t be constantly reminded they are using a trusted piece of middleware. We can educate the user, for instance by providing explanatory pop-ups on first use, but equally we must provide a tick box not to be reminded so every time we use a trusted Identity Provider.

From the Relying Party end, if we look for instance to Government as an organisation that should be queuing up for this stuff, they never were all that enamoured of having sensitive credentials stored on unsecured desktops like Personal Computers or smart phones. It was not for nothing that the UK’s Technology Strategy Board published a competition for R&D funds called ‘Trusted Services’.

So where do we go from here? Microsoft has proven twice they cannot provide a lead here. Dave Kearns also said: “We’ll be watching to see if anyone picks up the torch”. Surely the torch must point to the Middleware battleground where a few Identity Providers with a trusted public profile must come up with real innovative solutions to give the users that ‘one click solution’ that will take away their security head aches and identity theft worries.

Is it possible that here in Europe our users may accept and  go for that one extra click and for that bit of extra peace of mind involved in first opening a trusted cloud wallet before asserting our Identity? After all we are already used to it when it comes to safe Internet Banking?

What information cards on a mobile device could look like one day.

Mobile Wallet Evolution.
In App Invocation of Wallet: top-up, fund

Some authors/architects seem to think Jo Public is not interested in such details and we just have to concentrate on ‘ease of use’ and ‘choice’ while hiding all the complexity from the user and bury it somewhere in the network.

The National Strategy for Trusted Identities in Cyberspace introduces a new role of Attribute Provider (AP), who in the identity eco system is responsible for the processes associated with establishing and maintaining identity attributes.

See, I don’t like where this is going, because to me that’s too much like going behind the user’s back in profiling the user. This reminds me of the tactics of the search engine providers and the credit rating agencies. ”To them you are the product, not a customer” it is often joked.

I would like the user himself to manage his/her claims and so I introduced in one of my blogs the concept of ‘trust provider’ to back up those claims. Simple example: In my professional identity I may like to put forward the claim, that I have an MBA degree and will authorise my identity provider to verify that claim with the Rotterdam School of Management (RSM).  When I want to proof residency in order to obtain a residents’ parking permit my utilities could vouch they deliver services to my address and that the accounts are in my name.

In the illustration below I tried to make a mock-up, of what such a dashboard transaction could look like. In it I link my identity to one of my utility providers Britsh Gas.  It is the equivalent of my bank asking me to bring a utility bill as part of their ‘Know your customer’ identity verification process. Only in my portal it is all done on-line  from my comfortable chair sitting with my laptop. With each relationship I prove in such a way my trustworthiness bar goes further ‘in the green’. This untill I reach a certain level of verification that can be readily accepted by most relying parties I deal with.

• My name is…….
• I have lived at this address for > 10 years (30 points)
• EON is supplying me electricity (10 points)
• British Gas is Supplying me with  gas (10 points)
• Anglian Water is supplying me with water and sewerage.
• My Passport number is ( 25 points)
• My Drivers License no is ( 5 points)
• I bank with Barclays Bank (20 points)
• I have never been declared ‘Bankrupt’ ( 5 points)
• I have not been banned from public office ( 5 points)