A PricewaterhouseCoopers study reaffirms what has always been true, that insiders, not computer hackers are the biggest security risk. The study, titled "Trends in proprietary information loss," indicates that intellectual property and proprietary information are more at risk from ex-employees, foreign and domestic competitors and contractors working on-site than from computer hackers.

The study puts a value on the loss - concluding that U.S. companies suffered up to $59 billion in identifiable IP theft losses between July 2000 and June 2001.

Once again, an indication of the value that end-to-end identity solutions could provide, by allowing tracking and auditing of who had access to data under what conditions as well as providing security against theft from data interception.

But it also once again reminds us that people are the problem, not technology...

It's fascinating. I've been getting calls all day from people who have just realized that something extraordinary is about to happen mid-week next week.

Questions like "are all those speakers really showing up?" make me wonder if all the time we've been telling them what was coming, they just thought we were making it up or something....

I just posted an article in which I try to explain why the Digital ID World conference will be different, where I explain that since I'm an engineer, how I've engineered an extremely high-value outcome for those who attend.

It was my job today to proof the speaker bios for the show program, and I can tell you that it takes 48 pages to hold just the biographical information on who is speaking. And an all-star line-up it is - these guys have been responsible for an amazing number of things. ePresence, Microsoft, IBM, RSA, Oblix, Sun, Novell, HP, Critical Path, Groove Networks, Waveset, GeoTrust, @stake, ActivCard, Iridian, Identix, Morpheus, Authentec, Internet2, SIMC, OASIS, ISTPA, Deloitte & Touche, Burton Group, Glenbrook Partners, Carnegie Mellon, Identity Policy Manager of the GSA, CIO of the State of Utah and more...

And it's all heavyweights. If you're not a CxO, Sr. VP, Director or someone who runs the project, you're not on the list. Just reading through these bios reminds me how much anyone who doesn't come will miss. This much firepower in one place isn't your everyday occurrance (it's never happened before.) If this group can't get you clued in on the overall perspective of what digital identity means, I don't know what will.

And the event isn't populated with thousands of people, its a few hundred, so if you do show up, you'll get to talk to these folks in a way you'll never have a chance to any other time.

I go over most of this in the article, so I won't repeat it, but if any of you out there are wondering if you'll get your money's worth at the first Digital ID World conference, please call me (303-663-7317) and tell me what kind of information and networking resource do you imagine will ever be available at any price that you are waiting for?

TheStreet.com
I've spent some time this morning calling some friends in both the finance and business worlds. Bottom line: people are freaked out with fear. So, out of all this, a couple of observations from eric's crystal ball:

1. The market bottoms between here and 2003 -- most likely shortly after we attack Iraq (that happens no matter what, btw).

2. Once the market bottoms, there is no V-shaped recovery, but rather a long (multi-year) basing process that allows company earnings (quality and momentum) to come in line with perception.

3. This amounts to 2-3% economic growth in the US on a yearly basis for 2-3 years.

4. This also amounts to essentially a job-less recovery.

5. And the fed lowering rates again before 2003.

6. And, once the economy does start recovering, and interest rates start rising -- a pop in the housing bubble (think fall 2003) will be heard.

What does all of this mean for Digital Identity:

1. Corporate IT has become almost a pure cost center.

2. Just about the only IT efforts that are actually saving money (while increasing privacy and security) are identity management efforts.

3. ID Management will enjoy growth, while the rest of IT goes through a long, hard, cold winter (yeah, this is just the fall).

4. The reason is simple: identity (and all of the re-architecting and the acoutrements) is the only thing that is showing the promise of converting IT from a cost center to a profit center -- and over the next 2 years, that is ALL that will matter.

...and that's all I have to say about that...

In Washington, DC, the Secret Service patrols for open wireless networks. This is a classic case of people learning about a new technology, after all the same exact problem occurs with wireless telephones. The pentagon reacted to this same issue by banning wireless networks but that's obviously just a temporary solution.

Here at Digital ID World we see it as one more thing that proves the only long term answer to protecting confidential data is end-to-end identity based security. Until networking is re-architected around identity so that its data is secure "in the open" this story will be repeated in many places in many ways.

The whole point is that networking - by its nature - makes communications open and available to everyone, and only identity-based end-to-end security has a chance to re-establish control of data you care about protecting. But identity-based security has to become pervasive before we can quit worrying about policing our own personal circuits "by hand."

So until then, pass the Pringles and the chalk...

Reuter's carries a story on guilt-free music downloading. Two things strike me here. First, the tacit acknowledgement that there is some guilt amongst many who download copyrighted material. Second, the fact that new business models are being experimented with to try to find the consumer's real price point - the missing data point in the piracy debate.

I'm suspicious that this story is driven by the music industry as a way to take some of the heat off, but I have no confirmation of that. There is also a delicious "freudian typo" in this article as it states that the music industry has "blamed a year-long slump in music sales on mass online privacy."

This "mass online privacy" thing is likely news to many...

Microsoft bought the patents from Liquid Audio on their DRM technology for $7 million. Being the nice guys they are, Microsoft included a royalty-free license back to Liquid Audio to continue using them, for what that's worth (Liquid Audio is fighting to avoid becoming Liquidated Audio.)

This continues the clear trend showing Microsoft is serious about finding out what "DRM that works" looks like and being part of it, and this move adds portable devices to the mix...

InformationWeek > Supply-Chain Management > Pinpoint Control > September 27, 2002
A lot of folks don't associate RFID (radio frequency id tags) with digital identity, but it most definitely is a part of it. Digital identity can be the identity of things as easily as people.

A nice article on the coming widespread adoption by Procter and Gamble, Target, Unilever, Walmart, and (possibly) Home Depot sits behind this link...

IBM launches smart-chip consultancy - Tech News - CNET.com
I wish I had something witty to say about this one, but its pretty straight forward...

Eric is still expressing his reactions to Dewie, the Internet Safety turtle, but apparently at Privacy 2002 in Ohio, when FTC Commissioner Orson Swindle trotted Dewie out "after two days of stuffy panels with titles like "Studies in Implementing Your HIPAA Compliance and Auditing" and "Life after GLB: Case Studies in Compliance and Lessons Learned," Dewie's arrival at the conference was a welcome relief."

I guess so, but I don't think that makes Eric very wrong here. I just got off the phone with Kevin O'Neal, Exec. Dir. of ISTPA who attended the Privacy 2002 conference, and in an hour on the phone he never mentioned Dewie once. If Dewie was such a big hit, I guess I need better reporters!

As someone who has attended privacy conferences for some time, Kevin did lament that the state of the "privacy community" today is one of chaos, and "convergence" is happening far too slowly in his opinion. He indicated he's looking forward to what he expects to be the "refreshing experience" of the Digital ID World Conference where multiple "communities" will see and learn from each other and maybe make some progress on the privacy front.

I guess when you hear comments like "We're creating tens of millions of open sites, but the government is doing very little about it" from an Ohio State professor who served in the Clinton administration, you kind of see there is a long way to go yet in this part of the identity conversation. Maybe Dewie does have a place - with legislators and regulators.

I know I tout the ISTPA so much that I could be accused of being their shill, but it's because I see the work they are doing as crossing the boundaries between people and technology and bringing process to the act of assuring privacy in computing systems. It's a far cry from just talking about privacy to actually facing the issues that accumulating and handling identity information create. I see the ISTPA as a beacon in this arena, and they shouldn't be so alone...

I am reminded by the Honeynet Project (which is the logical extension of using a honeypot to fight spam) that it's always about people, not the technology, at the end of the day.

Digital Identity is all about letting the technology become more acquainted with the people using it so that less of this activity is manual, and more of it can be safely automated.

As you can see from this NetWorld article, the aggressors are people (not technology) - in many cases people who have made a business out of exploiting open network infrastructure. It's easy to lose perspective when focusing on security problems (usually the result of insufficient identity information in a transaction) but in the end it is the same problem that policing any human crime is.

Technology must evolve to assist this process, but we must always see what is happening for what it really is. Otherwise we run the risk of trying to force people into a world controlled by technology, rather than building technology to serve the people who use it.

Only when the technology can know who is who in a transaction will cyberspace stop being the Wild West and become a place where it will be safe to make real investment. As with the city vs. the frontier, it may be less exciting in certain extreme ways, but it will become a lot more robust and effective at providing value for society on all levels.

Of course, the countryside will always remain for those weekend vists to return to the wild...

I see that now PDFs pose threat to Unix, Linux. And I always thought PDFs were pretty docile creatures. Who would ever have guessed they'd mug a nice, friendly OS like Linux?

When will people learn that everything you do on the network either "is a threat" or "is threatened" (to use the journo's template) unless identity is integrated into it properly?

Of course I could go back on my journo rant, and say it isn't PDFs that pose the threat - it's the open source programs that run them - but I've already overdone that for now. This is really too bad, as PDF is one of the few data formats that is growing to allow identity as a construct into it.

The article does finally own up that it's just a three specific viewers, and it's only a problem if you open a file from the command line interface with them.

Bad malicious code, bad bad PDFs. Sigh...

I've had several emails since we opened the Editor's Roundtable asking if we have XML syndication feeds. We do, and my webmaster says they are "active, but a work in progress." So for those who wanted to know:

RDF Feed: http://blog.digitalidworld.com/index.rdf

Plain ole RSS: http://blog.digitalidworld.com/index.xml

Enjoy...

A Reuters story today is headlined "Record Labels Seek OK for Online Music Sabotage." I think that about sums up the "thought level" of this conversation.

Where is Ned Ludd when the music industry needs him?

As we talk about the "templates" that journos use to report stories they don't really know how to tell, one that is getting really old for me is the "make it scary" template. This, coupled with the "big company isn't perfect" template makes it very tough to see what a story really means.

For example, this morning there is a "security" story circulating in several pubs, about a Microsoft VPN security problem. It is variously headlined as:

VPN flaw puts internal networks at risk (pure "make it scary"),

Microsoft VPN flaw may open intranets to attack (big company has problem, plus make it scary - but really hedge 'cause we actually know the "may" isn't true),

Possible PPTP Flaw Could Leave VPNs Open (we have no ideas what this means, so we'll hedge on both templates - using a protocol as a proxy for the company name to wing them, and hedgey.)

This is a denial of service attack, but all the headlines make it seem as though "your secret data is at risk!"

My gripes: First, the journos can only see and report on identity issues indirectly through their symptoms of security loss and privacy violations. Second they can't really report on those symptoms either because they don't understand the picture.

So "yellow journalism" is all they have left. And they leave readers to imagine a story that isn't really what is going on...

Software security group launches - Tech News - CNET.com
....add it to Liberty and we look to be heading into the era of alliances, associations and organizations...

Reader Dan Combs, Director of Digital Government, State of Iowa emailed me to say he thinks our comments about an article on the role of driver's licenses weren't strong enough. He says:

I would state it a little differently: When the author states, "Identity verification, though currently a large hole in our nation's security net, is easy and inexpensive to fix", he is out of his(or her) mind.

Actually, that's pretty much what I thought too, I just didn't feel I should be quite so loud in print with my opinion. I will do better next time.

Mr. Combs continues...

The identity problem is monstrously complex and expensive to fix. Most of that cost and complexity will be due to human factors and not technology.

The AAMVA (the American Association of Motor Vehicle Administrators) as recently as 13 months ago had drafted legislation to restrict the use of driver's licenses to verification of right to drive. Since the events of 9/11 - and other entities' influences - that organization has reversed course and admirably accepted the role of providing an important identity indicator for the country.

Phil Windley is correct that the driver's license is destined to be a battleground as competitions arise around the technologies, uses and standards for that card.

The State of Iowa (and many other governmental organizations) and AAMVA (and related transportation departments amongst other government departments) are very aware that we are in the identity business. For a lot of us it is daily work. However, a great proportion of the individuals involved in that work do not understand how prevalent are the faulty underlying assumptions, how pernicious is the associated ignorance of the issues and how pervasive are the changes wrought by electronic interaction.

(Wow, that is one heck of a phrase whether or not it actually means anything :-).)

Understanding of the fact that "identity is center" comes hard to many people, but in the last 6 months there has been a sea change and folks seem much more prepared to hear the message.

I do like how Dan says "they don't have a clue" though...

Intel has discovered digital convergence and plans to own it if they can.

Wonder if they know that "the ability for any intelligent device to talk to and share data with any other intelligent device" leads directly to a requirement for digital identity? They hope to acheive the same "world domination of the electronic market" for these wireless devices that they did with Wintel.

If they follow the same model, they will need a partner who understands identity the way Microsoft understood operating systems 20 years ago.

Eric, on Dewey the E-turtle you ask if everyone on the Internet's 3 years old? I submit that the real question is "does the government think anyone is more than three years old."

There is a long history of the government being out of touch and taking an overly paternal attitude towards the populace. But I agree, this ranks high on both the "total stupidity" and "clueless" meters.

The problem is, these are the people making regulations and laws - and that's not funny!

In an interview RSA's CEO, Art Coviello, indicates that "Identity management is more than just the provisioning and creation of an identity." This may seem obvious, but I can tell you that a lot of the folks I talk to wouldn't say that.

His elevator speech boils it down, "It's obviously a heck of a lot more than just creating an identity. It's also more than creating a digital certificate. It's managing those identities, protecting those identities, and making sure that people can trust that that identity is really you. That's a heck of a lot of value to be able to add."

He does a fairly good job of delineating the difference between Identity Management and Identity usage. It is the latter category that will ultimately create the real value and technology ramp-up that digital identity promises.

It's good to read an interview with someone who understands a bit more of what's happening, and can express it so even a journo can tell the tale...

FTC unleashes Dewie the e-Turtle - Tech News - CNET.com
i'm sorry, is everyone on the internet in the 3rd grade?

In a KPMG Study of Digital Media they found (shock!) that the media companies prefer to talk about new things but keep doing business the old way. Example? How about Britney Spears gives her all to fight piracy? Or Stevie Wonder saying your fingertips should stay off his music?

This study puts numbers to what is obvious, the media companies have no idea what to do, can't imagine technology being part of the solution in a positive way, and as a result are just flailing.

DRM technology has a long way to go to deliver what it must, but this study shows that the media companies have zero vision on how to tap the online world. They throw lawsuits the way most people cover their face when they feel threatened.

Meanwhile, online users are just as firm in trying to ignore the problem and hope they can live in a "free is beautiful" utopia that exists only in their own minds.

Eric, you are so right on this one!

Amazon to revamp privacy policy - Tech News - CNET.com
prepare to get swamped by privacy news...

The new "copyspeak"
I find it just a touch frustrating that the argument always goes like this:

1. technology changed everything.

2. media companies must adapt to that technology.

3. end of story.

It never seems to include the obvious -- namely, that *technology* might begin to offer the solution...which, of course, puts us back at DRM systems and digital id.

Then again, admitting that technology might solve the dilemma means that we might change the ability to just download at will....and what fun would that be?

Technology is not a force that drives inexorably toward unfettered freedom and anarchy....it is a force that opens doorways to human interaction, or the control of it...

ID card program may be tested
identity continues to be the foundation of security...

What the Journos Will do...

Eric - you are right. I'd forgotten just how many brainless templates are left...

Now tell me again what the difference is between using these templates to write about a story without thinking about it, and willfully demagoging an issue is?

Oh Yeah, one is professional journalism...

With the release of Peter Gabriel's CD in downloadable form, DRM gets its next test. This will be the first time you can download an entire CD in 5.1 surround sound with a "try before you buy" feature. If you buy it, you can burn it directly to a Redbook CD on your computer.

This is clearly Microsoft testing consumer reaction to yet another way to package DRM. We'll see what they learn from it, and how they adjust. It's a long journey to get to DRM that works as it should, and how they will get identity and portability into it is what I'm really watching to see.

Meanwhile those who have gotten used to the fact that in the absence of digital identity infrastructure the Internet drives all intellectual property into the public domain, will have to tell us again how they are not stealing, it's just that they don't want people to quit giving them everything for free...

Digital ID World: Liberty to Interoperate with Passport
Phil -- the journos will now frame every identity story as "little guy vs. big bad privacy offending company"....alternatively, they'll use the "big brother" angle.

FTC Targets International Net Fraud - internetnews.com

They are trying to rip off our soldiers! Now they've made the FTC mad!

The FTC has just realized that "scam artists around the world are finding the Internet fertile new ground." I'm glad they are out there protecting us with those "online initiatives with international law enforcement agencies to root out cross-border fraud in health care and e-commerce."

Guess we can just abandon rebuilding the internet with digital identity at its center now - a few regulations and the problem's solved...

Eric, you are right that the "it will never happen" crowd is missing reality here, but the author of this article is off a bit too when he says:

"Identity verification, though currently a large hole in our nation's security net, is easy and inexpensive to fix."

The Driver's License is destined to be a battleground, and as Phillip Windley, CIO of the state of Utah, says so well, the states don't even see themselves as in the identity business.

I'm looking forward to his discussion of this issue, in conjunction with David Temoshok, Directory of Identity Policy for GSA (who's heading the massive E-Authentication progam) at the Digital ID World Conference. We'll see how some real federal/state discussion sounds...

Eric, in regards to Legislation attribute sharing the one thing you can always count on is big companies to run to the government to get their liability defined. What they want is a formula that insures them, so they don't have to think about the issue any more, and won't end up funding lawyers instead of shareholders.

Unfortunately, this one isn't so easy...

Now that Liberty will Interoperate with Passport, how will the mainstream journalists write about identity? All they've had is a fake competition to talk about, now that's gone. What will they do, what WILL they do...

Re: The NSF has contracted five universities to "develop a secure, decentralized Internet infrastructure." They got the name sort of right - Infrastructure for Resilient Internet Systems (IRIS) - wonder how long they can stare that in the face and miss the point that Identity is Center?

They are talking about stuff like Distributed Hash Tables, lookup algorithms, reducing vulnerability to viruses and worms, and of course that perenial favorite "robust."

I know! This is a test to see how long we can talk about identity without using the word...

Eric, It is true that "we all knew" that Michael Barret's Interim position at Liberty would be made permanent, but the announcement is still "news" to the normal journals. Formulas are formulas, cut 'em some slack - they have to earn food for their kids after all.

It's all they know, since they still haven't really figured out what Liberty is doing yet. Besides, the press release also added an "oh by the way" that there are 26 new members, including "boring companies" like banks, drug companies, utilities. It also quietly noted that HP has stepped up its interest in Liberty. Can you say momentum?

Universities tapped to build secure Net
maybe its just me, but "a lookup algorithm" that identifies where info is sounds like an identity-based internet.

Internet Week > Identity > Liberty Alliance Names AmEx Exec New President > September 24, 2002
I'm sorry, is this news? Didn't we all know this already? Or is that whole "phsyicists discover how to create anti-matter" thing opening up holes in my head?

Privacy bill not likely this year - Tech News - CNET.com

Stearns' bill, by contrast, has won the backing of many industry groups. It would require businesses to reveal how they handle customer information, and allow customers to prevent that information from being shared with others.

Businesses support the bill because it would shield them from consumer lawsuits and would override more stringent state laws.

Many privacy advocates oppose Stearns' bill for the same reason.

Solving security's not mission impossible - Tech News - CNET.com
A while back, Dana Blankenhorn wrote a column about why Americans will never accept a National ID system. I'm not so sure that's the case --- or, at least, something that *amounts* to a national id system...namely, the ability of states to authenticate the "source document" of the driver's license from another state. Americans will accept this -- especially if another terrorist attack happens (which it will). A quote:

The use of false IDs is reaching epidemic proportions. Last year, upwards of 10 million false IDs were confiscated across America. And don't think fake driver's licenses are just used by mischievous teenagers: More than 20 percent of false IDs confiscated every year belong to people between the ages of 35 and 45.

Digital ID World
okay, so this is a bit like a snake eating its own tail (i'm blogging the blog that i'm blogging on) -- but hey, you gotta start somewhere. Call it official, the DIDW blog is launched...