Author: Kaliya Hamlin

  • Bending the Identity Spectrum: Verifiable Anonymity at RSA

    Today at the RSA security conference in San Francisco, Microsoft’s Corporate VP of Trustworthy Computing, Scott Charney, spoke – opening his talk with this question: “Do you want anonymity or accountability? YES!”

    But how can you have both? I created a spectrum of identity to help understand the different forms that exist on the internet. On one end is Anonymous Identity. Basically you use an account or identifier every time you go to a Web site – no persistence, no way to connect the search you did last week with the one you did this week.

    This guest post was written by Kaliya Hamlin, also known as Identity Woman, who has been working on cultivating open standards for user-centric identity since 2004. She co-founded, co-produces and facilitates the Internet Identity Workshop, the primary venue for collaboration on identity standards amongst large Internet portals, large enterprise IT companies and small innovators.

    Pseudonymous Identity is where over time you use the same account or identifier over and over again at a site. It usually means you don’t reveal your common or real name or other information that would make you personally identifiable. You could use the same identifier at multiple sites thus creating a correlation between actions on one site and another.

    Self-Asserted Identity is what is typical on the Web today. You are asked to share your name, date of birth, city of residence, mailing address, etc. You fill in forms again and again. You can give “fake” information or true information about yourself – it is up to you.

    Verified Identity is when there are claims about you that you have had verified by a third party. So for example if you are an employee of a company, your employer could issue a claim that you were indeed an employee. Or you might have your bank verify your address.

    A Linear Spectrum?

    It seems like the two ends of this spectrum can’t go together. You can’t be anonymous and verify yourself by sharing all of the details on a credential from a government issuer who has asserted they have checked these things are true.

    Microsoft demonstrated today how you can achieve anonymity and identity verification together at the same time, giving you verified anonymity. This technology (that relies on some pretty complex cryptography) lets you prove things without giving away too much information about yourself. For example:

    • Proving you are over 21 without giving away your actual birth date
    • Proving you live in a certain congressional district and are a registered voter but not having to give away your name or address
    • Proving you are a kid at a middle school in San Jose without giving away which school or which grade you attend

    Two years ago Microsoft surprised a lot of people with the purchase of Stefan Brands’ company Credentica and its product U-Prove. It promised to open up the intellectual property and make it available for everyone. Finally, two years later, it is opening it up under the Microsoft Open Specification Promise. If you want to understand the crypto you can watch an hour-long video of Dr. Stefan Brands explaining it.

    Microsoft is releasing the reference SDKs in source code (a C# and Java version) under the BSD open source software license. The goal is to enable the broadest audience of commercial and open-software developers to implement the technology in a way they see fit.

    At the last Internet Identity Workshop there was a lot of conversation about Active Clients for all identity protocols: OpenID, SAML, WS-*, Information Cards, etc. Active clients support end users – regular people managing their different identities and credentials (like an over-21-verified, but anonymous ID). One way to make them usable is to map the underlying ID management tools available online to real-world metaphors – like the cards you find in your wallet. Information Cards are digital cards that are selected as one needs them to present online via a selector. The community has developed an open standard for exchanging information in this format in the IMI (Identity Metasystem Interoperability) Technical Committee, which is at OASIS.

    Microsoft is releasing more IP under the OSP for the integration of U-Prove technology into “identity sectors” that other companies are developing. This includes the Higgins Project, which has the main open-source information card selectors.

    As for its own products, the company is releasing to the public the Community Technology Preview (CTP) of the U-Prove technology (as per the crypto spec), with Microsoft’s identity platform technologies (Active Directory Federation Services 2.0, Windows identity federation, and Windows CardSpace v2). This video gives you a developer’s perspective of the U-Prove technology from the guys who have been building it for years.

    The underlying cryptography, open standards used to exchange information, and the client-side tools to support end users will enable more Web services to take advantage of the full range of identities on the spectrum – not just the socially verified IDs that services like Facebook or Twitter provide.


  • Fed Up With Facebook Privacy Issues? Here’s How To End It All

    There isn’t a mass exodus from Facebook over the privacy settings, but it is responding with messages like this sent to users to assuage their fears: “Worried about search engines? Your information is safe. There have been misleading rumors about Facebook indexing all your information on Google. This is not true…”

    Several thoughtful Web 2.0 users have blogged about their decision in the last week to leave Facebook and two different “suicide” sites exist.

    This thoughtful post by Nick Barron, who is based in the Washington, D.C. area, talks about meeting Facebook in college, falling in love, and understanding that this new form of communication in social networks would be transformative for people and business. He believed, “at the end of the day, that Facebook was here for you and me. It was our social network, and while technically being a large company, it was a company of people just like us who wanted a more advanced way of building and maintaining relationships.”

    “I feel there are no good alternatives for me, except going along with whatever scraps of privacy Facebook is graciously willing to hand me from their table… Facebook has me by the balls. They have you, too, and they know it. They know you have too many friends and family, photos and videos, games and other applications on Facebook for you to leave now. And where would you go? Where would I go?… I am not committed to Facebook anymore. I am looking for a way out, while still being able to do my job. Can a social media pro leave Facebook? We may soon find out.”

    Others are more blunt:

    “Simply put, I don’t trust my information being on Facebook anymore. I have deleted the Facebook app from my iPhone and I will shut down the page in about a week.” I’m Leaving Facebook by Steve Scherer.

    “I am not a privacy hawk, nor a fear-monger, nor a neo-luddite; in fact, those of you who know me well know that I am a technology enthusiast and generally a booster of any technology-related solutions that could potentially make our lives easier.

    In this instance I’m morally and intellectually opposed to Facebook’s cavalier attitude with what amounts to, for some of us, data that relates to a significant portion of our (online) lives.

    A visit to the privacy settings pages and FAQs reveals a great many soothing platitudes. While these may fulfil their legal obligations it is ultimately disingenuous for Facebook to suggest that anyone actually reads any of these when in reality the vast majority of users likely accept the default “Everyone” setting.” “Why I’m Hitting the “Delete” Key on Facebook” by Narain Jashanmal.

    Early adopter and tech journalist Dan Gillmor is among those who have committed “suicide.” He started a new account with his old Facebook URL and checked out the new default privacy settings that he describes as “un-private.” He highlights the conflict as, “What’s in the corporate interest, however, doesn’t necessarily match what’s in my interest, or yours.”

    If you want to commit “Facebook suicide” you have two options. One is Seppukoo.com, which likens the act of killing your digital self to:

    Discover what’s after your Facebook life. We assist your virtual suicide.

    You are more than your virtual identity. Pass away and leave your ID behind.

    Seppukwho? Testimonials and Friends. Discover who has committed seppukoo.

    Impress your friends, disconnect yourself. Join the world wide suicidal network.

    The site was created by Les Liens Invisibles, which creates playful 2.0-style media artworks. Two people make up this imaginary art group, Clemente Pestelli and Gionatan Quintini. You can see Gionatan’s RIP memorial on the site; it highlights friends that have joined him in the Facebook afterlife along with those still left.

    The process works like this: 1) you give the site your login credentials, 2) you create last words and a skin for your customized memorial page, 3) you enjoy your Seppukoo – the platform will send all your friends your last words and customize your memorial page – and 4) you get a score – every friend you convince to Seppukoo will increase your score on the site.

    This version of Facebook suicide is not permanent – you can just log in to Facebook.

    Seppukoo does have a cease and desist from Facebook, although dated Dec. 16. One of the main points is that they “collect Facebook’s users’ content or information using automated means such as scripts or scrapers without Facebook’s permission.”

    The Web 2.0 Suicide Machine offers “suicide” for Facebook, Myspace and LinkedIn. It highlights its time-saving nature, taking just under one hour vs. over nine hours to go through the process manually with 1,000 Facebook friends.

    The tool lets you watch your “virtual suicide” as it happens.

    They have 134 people they say have committed suicide using their tools. You can see the list along with their last words and how many friends they lost.

    You can see a video by Moddr_ of it in action. “Liberate your newbie friends with a Web2.0 suicide! This machine lets you delete all your energy sucking social-networking profiles, kill your fake virtual friends, and completely do away with your Web 2.0 alterego.” He says in the video, “my internet life is dying and my real life is starting,” and closes with, “Get your life back – sign-out forever.”

    Their FAQs are great.

    If I start killing my 2.0-self, can I stop the process? No!

    If I start killing my 2.0-self, can YOU stop the process? No!

    What shall I do after I’ve killed myself with the Web 2.0 suicide machine? Try calling some friends, take a walk in a park or buy a bottle of wine and start enjoying your real life again. Some Social Suiciders reported that their life has improved by an approximate average of 25%. Don’t worry, if you feel empty right after you committed suicide. This is a normal reaction which will slowly fade away within the first 24-72 hours.

    Why do we think the Web 2.0 suicide machine is not unethical? Everyone should have the right to disconnect. Seamless connectivity and rich social experience offered by web2.0 companies are the very antithesis of human freedom. Users are entrapped in a high resolution panoptic prison without walls, accessible from anywhere in the world.

    Whatever you think about the bleak humor of a Facebook “suicide,” those who’ve left – or are thinking about leaving – are talking about their decision in terms of freedom.

    “I made the decision yesterday to ditch Facebook. Their privacy options are too intrusive. Glad twitter isn’t like that.” @ReetaLuthra

    “I actually feel more wholesome after leaving Facebook. I didn’t expect that.” @sansian

    “I think it’s the feeling of loss of control that I don’t like, that something is set in such a way that I can’t reset it myself, and thus info is getting out/posted online/is otherwise being used in such a way that I don’t want. I’ll have to think about it… I’m just tempted to take what seems to be the path of least resistance and just ditch Facebook entirely. I’ll have to think about it…” “Considering Leaving Facebook”

    We even found a Muslim perspective (translation) on the virtues of leaving the virtual world for the real world.

    This recently popped up: Facebook is hiring for its Advertising Privacy Counsel to work on a “cross-section of fascinating legal issues”. I am wondering if maybe they should have done more hiring before they changed privacy policies, which may have broken the law and has led the Electronic Privacy Information Center to file a complaint with the FTC.

    Facebook photo by Massimo Barbieri.
