Last week pii2010 (the PrivacyIdentityInnovation conference) was held in Seattle, Washington. For those of us in the identity verification business, many speakers and presentations reinforced our commitment to identity verification and building trust online. You can read extensive comments posted by Brian Rowe and videos of the conference at Brian’s blog site.

You might also take a look at the Cyberspace Bill of Rigths presented by Jeff Jarvis. In particular I find that the following 2 Rights resonate with what Trufina offers:

VI. We have the right to control our data.
VII We have the right to own our identity.

Identity verification was highlighted again during a Q&A session between CNET’s Declan McCullagh and Chris Kelly (Facebook’s former Chief Privacy Officer). During the live feed, broadcast at the conference, Chris expressed his conviction for the need and liklihood of a strong identity platform in the future of the web and social media.

The future is now! Trufina provides the platform. Do you see the need for building trust in the world of social communities by sharing verified identity information? Let us know.

Did you get a chance to read the draft version of the NSTIC , published by the White House, June 25? We sure did, and we’re hoping to be part of the community moving the national strategy forward. Here’s a quote from the introductory paragraph:

“Imagine a world where individuals can seamlessly access information and services online from a variety of sources – the government, the private sector, other individuals, and even across national borders – with reduced fear of identity theft or fraud, lower probability of losing access to critical services and data, and without the need to manage many accounts and passwords. Individuals can conduct a wide variety of transactions online and trust the identities of the entities with which they interact. Individuals know what information service providers are collecting about them and how they are using it. They have choice in the number and types of user-friendly identity credentials they manage and use to assert their identity online.”

Trufina has not only been imagining that world, we’ve been building it….read our initial comments, Enhanced Online Security, Reduced Fraud and Personal Privacy. Today! Take a few additional moments to register on the forum and vote “I agree” at the top of our post. With your support our views will get more attention.

If you have an opinion on the strategy, post your comments there as well. Let us know and we’ll link to them in this blog. It’s a good opportunity to tell the government, and the entire internet community what you think.

As the safe haven for your personal identity information, it is critically important that Trufina protects your information, and adheres to a very stringent privacy policy, mandating how that information is shared.

Every year we participate in TRUSTe’s certification program, allowing us to display their trustmarks, assuring you of our adherence to their highest standards. We’ve just been re-certified by TRUSTe and thought it a good occasion to remind everyone of the importance of such audits.

Look for the TRUSTe seal on all reputable websites. It is an indication of their commitment to customer privacy.

On September 23rd and 24th Harvard Law School’s Berkman Center hosted an Internet Safety Technical Task Force (ISTTF) open meeting, where 15 companies made presentations on technological solutions intended to help make the Internet safer for America’s youth. The Internet Safety Technical Task Force, you recall, was created in February 2008 by the Attorneys General Multi-State Working Group on Social Networking and MySpace.

Anyone following the public meetings should be interested in icouldbe.org’s recently published news story about their participation. Frankly, icouldbe.org’s presentation was the only one by a company fully committed to providing an absolutely safe environment for youth on the Internet. In fact, their existence depends on it. We’re grateful to have them as a partner on the development of Trufina’s Child Protection Suite.

The most informative presentation at the meeting might have been the one given by a few of the youth representing Teenangels.org, which is part of WiredSafety.org Teenangels is a group of 13-18 year-old volunteers that have been specially trained by the local law enforcement, and many other leading safety experts in all aspects of online safety, privacy, and security. The teenangels research indicated that children and youth feel that their biggest online threat was from cyberbullying, and that the most effective means for limiting cyberbullying would be to provide tools to identify offenders, to kick the
‘bad actors” off the hosting community sites, and to ban them thereafter. So if the technology companies were listening, the keys are:

- Apparent anonymity needs to be accompanied by tools to hold offenders responsible. The teenangels specified tools for identity verification, not just age specific verification, so that offenders can be identified.
-The identity tools need to allow the hosting website to remove the offenders quickly, and to ban them permanently. So the tools must prove uniqueness.

As in daily life, cyberbullying is perpetrated by a minority of the community. Once children and youth realize that they will be banned permanently from participation, their behavior will improve, or they will not be allowed to play in the digital playground created by the hosting community sites.

Not coincidentally, the tools for limiting cyberbullying are similar to the ones that should be used for keeping predatory adults from interacting with children. And guess what, the combination of anonymity through the use of pseudonyms, coupled with identity verification by a hosting web site, would provide the same benefit of cleaning up adult behavior on forums and blogs Internet wide. Is it possible that improved behavior by adults might influence the behavior of our youth?

I was really moved by the FrontLine news story – Growing Up Online , and found it incredibly insightful about todays internet and social interactions. It highlights MANY positive, as well as negative, ways people interact online. Some for the better and, in some cases, for the worse. One comment by Rachel Dretzin was most interesting – “… it became clear that the supposed anonymity and immediacy of the Internet had led him to say things he never would say in “real” life — and didn’t even mean. It was a game, an exercise, a way of trying on identities. …”

It is clear, not just from the above piece, but news stories to numerous to mention, that traditional forms of social interaction are being replaced by virtual socializing. We thought we were busy when we were kids, yet it seems to be so much faster these days, and given traditional human traits we tend to do the easy things first – and socializing online is one of those. It’s faster and it allows you to multitask while you’re doing it. It doesn’t replace traditional hanging out, but it does present our society with a new set of social norms and challenges
Trufina, and other companies like Naymz, TrustPlus, and initiatives like OpenID and CardSpace, can certainly help fill the void that exists today regarding virtual identity, but we’re only part of the solution. Some of the burden, or atleast responsibility, lies with the websites that give unlimited tools to people online, the media, as well as each individual, parent or child, to continually educate ourselves on our hyper evolving society.

As a follow on to the piece, the Washington Post published a discussion with the the producers which well worth reading, too.

I saw this post by Bob Blakley about the meaning of OpenID, and I thought it brought up some great questions. We, at Trufina, have been following OpenID, Cardspace, and various other ID initiatives, for a long time (in internet years), and hope these initiatives become widely adopted. Anyway, here is Bob’s post, and my comments follow: September 04, 2007

 

What is OpenID for?

 

 

Blogger: Bob Blakley

There’s been a bit of a dust-up over OpenID recently in the blogosphere.  First Eugene and Vlad Tsyrklevitch published a paper at BlackHat 2007 outlining a bunch of weaknesses in OpenID.  Then Stefan Brands amplified the critique in a long blog post.  David Recordon fired back in a post of his own, in which he expresses confidence that OpenID 2.0 will fix all of OpenID’s problems.  I have less confidence than David, but I’ll leave that topic for later.  What I’d like to do first is talk about getting the horse before the cart.

What I’d really like to see, as a security guy, is a problem statement and a risk analysis.  Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question:

1. What are the assets to be protected?

What do OpenID’s designers intend it to be used to protect?  Blog comment lists?  Blog entries?  Persistent consumer accounts on commercial servers?  Persistent employee accounts on corporate servers?

2. What are the services to be offered?

What services do OpenID’s designers intend it to offer?  Authentication of users as the legitimate possessors of OpenID URLs?  Linkage of OpenID URLs to user accounts on web-facing systems?  Linkage of OpenID URLs to user attribute information (e.g. Information Cards)?

3. What quality of protection is claimed for these services?

Is the OpenID protocol intended to protect against phishing?  Is it intended to protect against man-in-the-middle attacks?  Is it intended to protect against attempts by one OpenID party to induce another party to execute malicious code?  Is it intended to protect against session-splicing or session hijacking?  Is it intended to protect against active or passive wiretapping?

4. What is the threat model?

What threats is OpenID designed to protect against?  Accidental failures at a participating party?  Malicious behavior by users?  Malicious behavior by relying parties?  Malicious behavior by OpenID providers?  Wiretappers?  Hackers attempting to penetrate a relying party?  Hackers attempting to penetrate a provider?  Hackers attempting to penetrate a client system?  Cryptanalysts?

5. What is the trust model?

Who trusts whom to do what?  Does the user trust the OpenID provider to actually check his password?  Does the provider trust the relying party not to send maliciously constructed OpenID URL strings?  Does the relying party trust the provider not to reissue OpenID URLs to different parties at different times?  Does the relying party trust any particular OpenID provider to issue OpenID URL strings in a particular part of the namespace (e.g. “.gov�?) 

All the arguments about OpenID are entertaining, but the claims and counterclaims are very difficult to evaluate in the absence of a coherent problem statement which includes answers to questions like these.  The OpenID 2.0 Specification signally fails to address these issues; in this sense it’s a solution looking for a problem.

 This is my comment:

  Bob, great questions/suppositions… Please excuse some responses:1) is the answer SSO or more? It would seem that the 1.1 spec is intended for exactly that, and the 2.0 spec is out there still because (IMHO) the answer to your question has not been decided upon (please correct me if I’m wrong).  2) I’d say that’s a ‘yes’, 3) if the answer to 1) is right, I’d say no. if not, great question. 4) Humm, that’s a lot of different trust scenarios, but the first one is the question – what trust model does the community really believe OpenID will solve. 5) Seems that the only thing is that someone has been able to authenticate against a valid OpenID enabled URL.
I don’t think the 2.0 spec is a solution looking for a problem – the 2.0 spec solves a great many issues. To me the question is – whether or not the community wants to support the added complexity of the 2.0 spec to solve the problems it solves. the 1.1 spec is perfect for SSO scenario, with little or no trust model, IMHO.  

John Battelle blogged today about a topic he’s covered in the past, a Data Bill of Rights. He makes the case for greater transparency from search and other online service companies. And he outlines a list of terms for the use of consumer attention by these organizations.

- Data Transparency. We can identify and review the data that companies have about us. A sticky issue is whether we can also identify and review data that is made about us based on other data the company might have. (IE, based on your behavior, we at Amazon know you might also like….)
- Data Portability. We can take copies of that data out of the company’s coffers and offer it to others or just keep copies for ourselves.
- Data Editing. We can request deletions, editing, clarifications of our data for accuracy and privacy.
- Data Anonymity. We can request that our data not be used, cognizant of the fact that that may mean services are unavailable to us.
- Data Use. We have rights to know how our data is being used inside a company.
- Data Value. The right to sell our data to the highest bidder.
- Data Permissions. The right to set permissions as to who might use/benefit from/have access to our data.

While this isn’t directly in line with what Trufina does, it’s certainly in step with our corporate mission and our perspective that users should control their information, and should be able to protect their privacy online.

There’s at least one Dot-Org taking a look at this issue: AttentionTrust. The brainchild of one of the brainiest people I’ve ever known, Seth Goldstein, who’s launched several companies with the intention of shaping and monetizing the “attention economy�.

‘The recent spamacornucopia means more than $10 BILLION DOLLARS OF YOUR DATA IS BEING EXCHANGED AMONG BUYERS AND SELLERS THAT YOU DON’T CONTROL, starting with DoubleClick (and H&F their private equity owner) and Google, and then Right Media (Redpoint) and Yahoo!, and then 24/7 and WPP, and now aQuantive and Microsoft.’

Between recent ad network acquisitions, the report from Privacy International which ranked Google at the bottom of a list of major internet companies for privacy, and the Apples iTunes debate, the issue has become a hot topic again among professionals.

‘Privacy can be a touchy subject; generally people want their privacy maintained and yet the delivery of many services from Internet startups is dependent on personal data to deliver personalized content. It has long been known that Google gathers more personal data than any other company, yet Google’s growing marketshare would seem to indicate that people are willing to ignore these privacy concerns. From an industry perspective, personalization is a defining quality of the new Internet – without this data we would be winding the clocks back to 1999.’

It’s great to see some of the smartest people in our business thinking and talking about these issues. It would be just as interesting to hear what the rest of the community has to say about it. There are any number of companies, individuals and organizations committed to issues of consumer privacy protection. Beyond that, there are folks taking care of “family identity management� and using ecommerce and online services daily. We’d love to have greater insights into their needs and concerns.

There’s an active discussion among privacy and digital rights management groups about the recent disclosure that Apple is embedding some identifying information in songs purchased from iTunes. Apple is embedding its customers’ names and email addresses in the clear (e.g. without encryption) into files purchased from the iTunes Store. The ostensible rationale for this is to discourage people from sharing music purchased on iTunes via P2P networks.

Randy Picker of the University of Chicago Law School posted about this yesterday, with a thoughtful analysis from the legal perspective. He examines various possible justifications for this practice, and questions the need for open disclosure of the identification information, versus encryption. Picker concludes that Apple should tread carefully in this, and clarify its intent.

‘So far, Apple doesn’t seem to be saying much about what it is doing. It needs to be careful. As the Sony BMG fiasco—also discussed in the paper—emphasizes, content owners may not get that many opportunities to establish technological protection schemes. Each one they get wrong makes it that much harder to try another scheme later, given the adverse public relations fallout.’

The EFF reacted more stridently to the situation, saying that there was no justification for this undisclosed invasion of privacy.

‘But there is simply no good excuse here for Apple to embed PII in the clear into every song purchased from the iTunes Store. Especially when they didn’t inform customers that they were doing so.’

And even popular Apple blogs have questioned the rationale behind this approach to DRM.

‘The big question, of course, is what might Apple do with this information? Because it can be spoofed, it’s not exactly the best way to determine who is sharing music …’

We’re big fans of Apple here at Trufina. Most of us are devoted Mac users and we admire their insight into consumers and brilliant marketing and product design strategies. That’s why it’s truly strange they would begin such an anti customer-centric practice.

Apple isn’t saying much about this issue. I hope they clarify things soon. Piracy prevention is one thing. Privacy invasion is another.

Update:

Kim Cameron posted on this issue several times over the weekend. There’s not a tremendous amount of analysis, but he ends with one interesting question:

‘I would have thought that in light of their previous experience, Apple would have been very up front about the fact that they are embedding your name and email address in the files they give you. After all, it is PII, and I would think it would require your knowledge and approval.

I wonder what the Europeans will make of this?’

He’s right, that will be interesting.