Last week pii2010 (the PrivacyIdentityInnovation conference) was held in Seattle, Washington. For those of us in the identity verification business, many speakers and presentations reinforced our commitment to identity verification and building trust online. You can read extensive comments posted by Brian Rowe and videos of the conference at Brian’s blog site.

You might also take a look at the Cyberspace Bill of Rigths presented by Jeff Jarvis. In particular I find that the following 2 Rights resonate with what Trufina offers:

VI. We have the right to control our data.
VII We have the right to own our identity.

Identity verification was highlighted again during a Q&A session between CNET’s Declan McCullagh and Chris Kelly (Facebook’s former Chief Privacy Officer). During the live feed, broadcast at the conference, Chris expressed his conviction for the need and liklihood of a strong identity platform in the future of the web and social media.

The future is now! Trufina provides the platform. Do you see the need for building trust in the world of social communities by sharing verified identity information? Let us know.

Did you get a chance to read the draft version of the NSTIC , published by the White House, June 25? We sure did, and we’re hoping to be part of the community moving the national strategy forward. Here’s a quote from the introductory paragraph:

“Imagine a world where individuals can seamlessly access information and services online from a variety of sources – the government, the private sector, other individuals, and even across national borders – with reduced fear of identity theft or fraud, lower probability of losing access to critical services and data, and without the need to manage many accounts and passwords. Individuals can conduct a wide variety of transactions online and trust the identities of the entities with which they interact. Individuals know what information service providers are collecting about them and how they are using it. They have choice in the number and types of user-friendly identity credentials they manage and use to assert their identity online.”

Trufina has not only been imagining that world, we’ve been building it….read our initial comments, Enhanced Online Security, Reduced Fraud and Personal Privacy. Today! Take a few additional moments to register on the forum and vote “I agree” at the top of our post. With your support our views will get more attention.

If you have an opinion on the strategy, post your comments there as well. Let us know and we’ll link to them in this blog. It’s a good opportunity to tell the government, and the entire internet community what you think.

As the safe haven for your personal identity information, it is critically important that Trufina protects your information, and adheres to a very stringent privacy policy, mandating how that information is shared.

Every year we participate in TRUSTe’s certification program, allowing us to display their trustmarks, assuring you of our adherence to their highest standards. We’ve just been re-certified by TRUSTe and thought it a good occasion to remind everyone of the importance of such audits.

Look for the TRUSTe seal on all reputable websites. It is an indication of their commitment to customer privacy.

We have just added Employment, Education & Professional License Verification (Beta)

In response to comments from our members and partnering websites, Trufina has expanded our services to include employment, education and professional license verifications. As online transactions between otherwise unrelated individuals increase on the Internet, there is a growing need to increase trust and reduce fraud by providing people the tools to prove that they are who they say they are and to prove that their claimed credentials are real as well. And, to ask others to share their verified information.

Many of you have asked “when can I verify my employment history?” Well the time is NOW. Imagine adding your employment and education history to an ID Card and then sharing it with a prospective new employer. Pretty cool. Remember you are still always in control of what gets shared, and who you share it with.

Trufina provides a secure repository for personal information, and the tools for securely sharing those attributes, under the complete control of the Trufina member. It’s your information. You determine who gets to see it, and when. Rather than entering personally identifiable information at every site
you choose to participate in, Trufina offers the possibility of managing that dissemination from one, secure, manageable location.

We’re always interested in hearing how you’re using your Trufina verified identity information. Let us know. If there are websites that you’d like us to partner with, or if you would like some help showing your verification on a site, please let us know that as well.

- The Trufina Team

Just a quick note – we noticed that Linkedin has added a cool new Group feature, and we asked Linkedin to create a group for Trufina. If you want to join the group, check out the section of our web site where have examples on how to include your Trufina ID at various sites. A request will be sent to Trufina, and we’ll verify you are a member, and add you to the group.

It’s pretty way of creating a directory of verified individuals. Please let us know if you have any questions or ideas…

One of our folks pointed out that you can go to the below link and, for a $1 charge on your credit card, change your address online with no other verification being done. Seems quite scary – if someone steals (or buys on the internet) your credit card information, they can have all your mail forwarded to them. Another area in which personal identity management, Trufina, or other verified ID Cards (Cardspace comes to mind) could be very useful…

https://moversguide.usps.com/

I went to their comments/contact us section and wrote the following question:

It seems as though a valid credit card is all I would need to change my address – How is this considered secure? If someone steals my credit card they will be able to change my address with the USPS. There are hundreds of locations on the internet that buy/sell credit cards, from what I’ve heard. How can this be considered secure? I ask partly to see if the USPS would be interested in using a more sophisticated solution. Our company, Trufina, would offer the USPS the same solution, but with a much higher level of identity verification.

www.trufina.com

Chris Madsen

Update: I just received the following email reply, and it seems like the USPS is definitely trying to do right by providing a convenience to the US public, but it still seems dangerous to allow a credit card to authenticate oneself. To me the question is how much is good enough, does the proof of knowledge of a credit card number, prove you are the true owner of that card (even with the CVC2/CID code) and the associated identity?

Here is their response:

Dear Postal Customer,

In efforts to provide you with a secure online transaction, there is a
$1.00 authentication processing fee .

When you enter your credit card information the information is used to
validate your transaction by verifying that the address you provided
matches the billing address for your credit card.

If you choose not to use your credit card to submit your change of
address electronically, please feel free to select the print and mail
option on the site.

Sincerely,
USPS MoversGuide Technical Support Group

I saw this post by Bob Blakley about the meaning of OpenID, and I thought it brought up some great questions. We, at Trufina, have been following OpenID, Cardspace, and various other ID initiatives, for a long time (in internet years), and hope these initiatives become widely adopted. Anyway, here is Bob’s post, and my comments follow: September 04, 2007

 

What is OpenID for?

 

 

Blogger: Bob Blakley

There’s been a bit of a dust-up over OpenID recently in the blogosphere.  First Eugene and Vlad Tsyrklevitch published a paper at BlackHat 2007 outlining a bunch of weaknesses in OpenID.  Then Stefan Brands amplified the critique in a long blog post.  David Recordon fired back in a post of his own, in which he expresses confidence that OpenID 2.0 will fix all of OpenID’s problems.  I have less confidence than David, but I’ll leave that topic for later.  What I’d like to do first is talk about getting the horse before the cart.

What I’d really like to see, as a security guy, is a problem statement and a risk analysis.  Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question:

1. What are the assets to be protected?

What do OpenID’s designers intend it to be used to protect?  Blog comment lists?  Blog entries?  Persistent consumer accounts on commercial servers?  Persistent employee accounts on corporate servers?

2. What are the services to be offered?

What services do OpenID’s designers intend it to offer?  Authentication of users as the legitimate possessors of OpenID URLs?  Linkage of OpenID URLs to user accounts on web-facing systems?  Linkage of OpenID URLs to user attribute information (e.g. Information Cards)?

3. What quality of protection is claimed for these services?

Is the OpenID protocol intended to protect against phishing?  Is it intended to protect against man-in-the-middle attacks?  Is it intended to protect against attempts by one OpenID party to induce another party to execute malicious code?  Is it intended to protect against session-splicing or session hijacking?  Is it intended to protect against active or passive wiretapping?

4. What is the threat model?

What threats is OpenID designed to protect against?  Accidental failures at a participating party?  Malicious behavior by users?  Malicious behavior by relying parties?  Malicious behavior by OpenID providers?  Wiretappers?  Hackers attempting to penetrate a relying party?  Hackers attempting to penetrate a provider?  Hackers attempting to penetrate a client system?  Cryptanalysts?

5. What is the trust model?

Who trusts whom to do what?  Does the user trust the OpenID provider to actually check his password?  Does the provider trust the relying party not to send maliciously constructed OpenID URL strings?  Does the relying party trust the provider not to reissue OpenID URLs to different parties at different times?  Does the relying party trust any particular OpenID provider to issue OpenID URL strings in a particular part of the namespace (e.g. “.gov�?) 

All the arguments about OpenID are entertaining, but the claims and counterclaims are very difficult to evaluate in the absence of a coherent problem statement which includes answers to questions like these.  The OpenID 2.0 Specification signally fails to address these issues; in this sense it’s a solution looking for a problem.

 This is my comment:

  Bob, great questions/suppositions… Please excuse some responses:1) is the answer SSO or more? It would seem that the 1.1 spec is intended for exactly that, and the 2.0 spec is out there still because (IMHO) the answer to your question has not been decided upon (please correct me if I’m wrong).  2) I’d say that’s a ‘yes’, 3) if the answer to 1) is right, I’d say no. if not, great question. 4) Humm, that’s a lot of different trust scenarios, but the first one is the question – what trust model does the community really believe OpenID will solve. 5) Seems that the only thing is that someone has been able to authenticate against a valid OpenID enabled URL.
I don’t think the 2.0 spec is a solution looking for a problem – the 2.0 spec solves a great many issues. To me the question is – whether or not the community wants to support the added complexity of the 2.0 spec to solve the problems it solves. the 1.1 spec is perfect for SSO scenario, with little or no trust model, IMHO.  

John Battelle blogged today about a topic he’s covered in the past, a Data Bill of Rights. He makes the case for greater transparency from search and other online service companies. And he outlines a list of terms for the use of consumer attention by these organizations.

- Data Transparency. We can identify and review the data that companies have about us. A sticky issue is whether we can also identify and review data that is made about us based on other data the company might have. (IE, based on your behavior, we at Amazon know you might also like….)
- Data Portability. We can take copies of that data out of the company’s coffers and offer it to others or just keep copies for ourselves.
- Data Editing. We can request deletions, editing, clarifications of our data for accuracy and privacy.
- Data Anonymity. We can request that our data not be used, cognizant of the fact that that may mean services are unavailable to us.
- Data Use. We have rights to know how our data is being used inside a company.
- Data Value. The right to sell our data to the highest bidder.
- Data Permissions. The right to set permissions as to who might use/benefit from/have access to our data.

While this isn’t directly in line with what Trufina does, it’s certainly in step with our corporate mission and our perspective that users should control their information, and should be able to protect their privacy online.

There’s at least one Dot-Org taking a look at this issue: AttentionTrust. The brainchild of one of the brainiest people I’ve ever known, Seth Goldstein, who’s launched several companies with the intention of shaping and monetizing the “attention economy�.

‘The recent spamacornucopia means more than $10 BILLION DOLLARS OF YOUR DATA IS BEING EXCHANGED AMONG BUYERS AND SELLERS THAT YOU DON’T CONTROL, starting with DoubleClick (and H&F their private equity owner) and Google, and then Right Media (Redpoint) and Yahoo!, and then 24/7 and WPP, and now aQuantive and Microsoft.’

Between recent ad network acquisitions, the report from Privacy International which ranked Google at the bottom of a list of major internet companies for privacy, and the Apples iTunes debate, the issue has become a hot topic again among professionals.

‘Privacy can be a touchy subject; generally people want their privacy maintained and yet the delivery of many services from Internet startups is dependent on personal data to deliver personalized content. It has long been known that Google gathers more personal data than any other company, yet Google’s growing marketshare would seem to indicate that people are willing to ignore these privacy concerns. From an industry perspective, personalization is a defining quality of the new Internet – without this data we would be winding the clocks back to 1999.’

It’s great to see some of the smartest people in our business thinking and talking about these issues. It would be just as interesting to hear what the rest of the community has to say about it. There are any number of companies, individuals and organizations committed to issues of consumer privacy protection. Beyond that, there are folks taking care of “family identity management� and using ecommerce and online services daily. We’d love to have greater insights into their needs and concerns.

There’s an active discussion among privacy and digital rights management groups about the recent disclosure that Apple is embedding some identifying information in songs purchased from iTunes. Apple is embedding its customers’ names and email addresses in the clear (e.g. without encryption) into files purchased from the iTunes Store. The ostensible rationale for this is to discourage people from sharing music purchased on iTunes via P2P networks.

Randy Picker of the University of Chicago Law School posted about this yesterday, with a thoughtful analysis from the legal perspective. He examines various possible justifications for this practice, and questions the need for open disclosure of the identification information, versus encryption. Picker concludes that Apple should tread carefully in this, and clarify its intent.

‘So far, Apple doesn’t seem to be saying much about what it is doing. It needs to be careful. As the Sony BMG fiasco—also discussed in the paper—emphasizes, content owners may not get that many opportunities to establish technological protection schemes. Each one they get wrong makes it that much harder to try another scheme later, given the adverse public relations fallout.’

The EFF reacted more stridently to the situation, saying that there was no justification for this undisclosed invasion of privacy.

‘But there is simply no good excuse here for Apple to embed PII in the clear into every song purchased from the iTunes Store. Especially when they didn’t inform customers that they were doing so.’

And even popular Apple blogs have questioned the rationale behind this approach to DRM.

‘The big question, of course, is what might Apple do with this information? Because it can be spoofed, it’s not exactly the best way to determine who is sharing music …’

We’re big fans of Apple here at Trufina. Most of us are devoted Mac users and we admire their insight into consumers and brilliant marketing and product design strategies. That’s why it’s truly strange they would begin such an anti customer-centric practice.

Apple isn’t saying much about this issue. I hope they clarify things soon. Piracy prevention is one thing. Privacy invasion is another.

Update:

Kim Cameron posted on this issue several times over the weekend. There’s not a tremendous amount of analysis, but he ends with one interesting question:

‘I would have thought that in light of their previous experience, Apple would have been very up front about the fact that they are embedding your name and email address in the files they give you. After all, it is PII, and I would think it would require your knowledge and approval.

I wonder what the Europeans will make of this?’

He’s right, that will be interesting.