Interview: Sun targets customer needs

Fowler: Yes, we're looking at security, we're looking at Liberty and ebXML -- a collection of different standards efforts. We literally just joined, so we're sorting out how to actually do that. But Liberty is a real obvious example of one that we'd like to bring in there and get a good discussion around. Liberty is a particularly interesting organization because it's a little different than WS-I. WS-I is really [about] vendors. Liberty is dominated by customers, and so they bring a really interesting perspective to standards.

Internet Week > Privacy > TRUSTe Offers International Privacy Certification > November 27, 2002

Internet Week > Security > Security Experts Say Identity Theft Scams Likely To Get Worse > November 27, 2002

Privacy czar says Romanow idea for Web-based health records terrifying

News.com reports that "A California woman has been sentenced to nine years in prison for software piracy, in what may be the longest sentence ever given to a first-time felon in a software counterfeiting case."

As I said, this one is racheting up and about to get very ugly as the fully polarized positions are tested in the mandatory power struggle that preceeds any actual agreement to have a truce and talk it over. It may already be too late to avoid "scorched earth" here...

USATODAY.com - Act now to prevent identity theft
What a misnomer -- you can't "prevent" it today....even Eric Raymond can't (he doesn't use credit cards)....we simply don't have the technology in place to do so.....and that technology will demand some sacrifice of anonymity (see below).

The Miami Herald | 11/25/2002 | In digital world, you must protect your privacy rights
Anonymity is about to become the biggest issue/problem/advantage/opportunity that the Net will have to solve....

Feds crack huge identity theft ring
Truly -- this is only the beginning.

This Reuter's article describes an industry initiative to create a policy on when the use of "web bugs" that track users must be disclosed. The FTC is apparently also interested in this effort.

This is one more instance where the currrent technological structure of the Internet works against your ability to know what's going on. Those who think digital identity won't empower and benefit the user should pay attention...

The DRM "discussion" surfaces at COMDEX. Products for copying were widely shown, while many keynotes and panels discussed the issues. Even George Lucas of Star Wars fame took the stage to lament that piracy hurts the creators more than anyone else.

This one is getting ready to move to a new level in the next year...

The U.S. Naval Academy seized computers of students to check for bootleg music and video according to a Reuters story.

"Cadets could face court martial or expulsion if investigators find digital songs or other copyrighted material on their hard drives."

Huge ID theft ring exposed

New agency raises privacy concerns

As the Marines roll out PKI it is clear that PKI is still hard to implement and have happy customers.

PKI is an area where clever methods to reduce the number of client certificates, ease the enrollment load in general procedurally, etc. are desparately needed. Like all trust infrastructure methods devised so far, PKI makes it tough to take the first step. Some of this is inherent in building trusted systems - it seems no one has figured out a way to avoid the requirement of a metaphorical DMV somewhere in the system. And that makes deployment require a lot of pressure.

We're sure the Marines are tough enough to get this job done, but if it stays this tough to do, how many others will be up to it?

Shirky: DNA, P2P, and Privacy

New technology brings new challenges however, and in the database world the new challenge is not a single unified database, but rather decentralized interoperability, interoperability brought about by a single universally used ID. The ID is DNA. The interoperability comes from the curious and unique advantages DNA has as a primary key. And the effect will put privacy advocates in a position analogous to that of the RIAA, forcing them to switch from fighting the creation of a single central database to fighting a decentralized and interoperable system of peer-to-peer information storage.

Verizon sues to halt privacy rules in Wash. state

"No recognized privacy interest is served by restricting the ability of telecommunications carriers to speak with their own customers about improvements to existing services or new communications-related services," Verizon said in the lawsuit, which was filed in the U.S. District Court for the Western District of Washington State.

As this article indicates, this round of the copyright battle is heating up as congress adjourns with no laws passed about the subject. The following pretty well sums up the state of the fight as the bell sounds to end this round...

Despite a lot of sound and fury, not to mention a raft of competing and conflicting legislation, the 107th Congress ultimately passed no laws to resolve the long-running and bitter digital copyright feud...

and:

Events outside Capitol Hill, however, are pushing the issue to an acrimonious brink with lawsuits stacking up like cordwood in the courts and lobbyists for both sides already preparing battle plans for the 108th Congress which convenes on Jan. 7.

Battles like this typically take 5 - 7 years to see resolution, and by my reckoning we're about two years into this phase (some would say only one). So this topic will be hot for some time yet, and how it will resolve is not only not yet clear, the forces which will affect that resolution have likely not yet made their moves...

Privacy is a two-edged sword as indicated in this article about Verizon suing Washington State over its privacy laws. The suit charges that the privacy laws would remove Verizon's ability to serve customers and create new products those customers want.

Whether it's true in this specific case or not, it is true that "total privacy" prevents capabilities from being developed that people want, and this is just one of the many issues surrounding digital identity. There is a lot to be learned and negotiated here, as "total privacy with no fair use" is just as absolutist a stand as "Perpetual Copyright owner control of DRM with no fair use."

In cyberspace, just as in the real world, full anonymity must be compromised when value is exchanged or when trust is required. How much, and in what form, that compromise must happen is the understanding that must be developed.

And that's what demonstrates that the privacy discussion has many more subtle layers that are not often talked about, and also makes that discussion more interesting and important that the normal polarizing and extreme castings of it would indicate...

Pentagon drops plan to curb Net anonymity - Tech News - CNET.com

"We were intrigued by the difficult computing science research involved in creating network capabilities that would provide the same level of accountability in cyberspace that we now have in the physical world..."

A good summary of the issues and principles involved in the copyright battles is provided in this article by John Bloom of UPI.

The Eldred Supreme Court case he cites is the one that was argued by Larry Lessig, and which Lessig has written a lot about. However, Lessig is so close to the case, and so involved in it, it can be hard for him to simplify the discussion enough for those who are just starting to look at it to understand.

This article lays it all out, from the concepts of Hamilton, Jefferson, and Madison which made copy rights some of the few that were specifically enumerated in the constitution, to how they have been extended - first to protect widows and orphans, later to rebuild exactly the type of guild control of content that the founders had lived under and wanted to avoid.

An easy read that provides the background you need to follow (and participate in) this critical debate...

Looks like technology and Hollywood lobbyists will talk Friday about digital copyright. The Center for Democracy and Technology (CDT) is hosting the meeting to try to find some common ground for copyright legislation.

The CDT has been maligned by advocacy purists because it accepts funding from industry, but I've always felt it had a more practical outlook on trying to find an answer that wasn't at either extreme before the pressure causes some extreme (and bad) outcome to occur. This move seems to confirm that outlook, although it may be getting too late to find that common ground.

I hope that it is true that "all sides would prefer to reach a compromise at the bargaining table than risk the political uncertainty of committee votes, legislative delays, and last-minute amendments to bills. " But color me skeptical...

Identity thieves find eBay attractive and have for some time. This is a new identity scam, where a stolen credit card is used to buy an "untraceable, official sounding" domain name to trick naive innocents into handing over their info. While this particular identity theft trick has made the government's ID Theft web site, the number of variations on this one theme is limitless. We are reaching an inflection point where knowledge of the net is reaching the lawless, so you can expect a rapid rise in such lucrative trickery.

Without digital identity, cyberspace is an alien and barbaric frontier that only appears cuddly and friendly. In fact, it is a place where almost nothing is what it appears, and without any way to identify sites and who runs them, fraud and fakery will increase dramatically as thieves figure out the pickin's are easy here.

Self defense requires an equalizer that gives the average user a fighting chance. Digital identity will be part of that equalizer when it is finally found.

Jon's Radio
"One way or another, we're in for a privacy/identity arms race."

I couldn't agree more.

IBM's ex-honcho Lou Gerstner is on a book tour touting "Who Says Elephants Can't Dance?" his obligatory "I just left a big job so I'll write a book" book. While it is, of course, a bit self-serving, he makes some points that should be mandatory reading for those in the industry today.

This article from Infoworld reports that Gerstner said that "the Internet saved IBM" because after losing the PC market, IBM was "was a deer caught in headlights" and "the company needed a 'moon shot' to gather around or it faced crumbling apart."

In today's environment, many companies again need this type of visionary goal to rally their efforts and avoid "crumbling apart." It seems that the three that are readily available are "On demand computing", "Web Services", and "Identity". Since on demand computing and web services require identity, it looks like identity is center in the "big vision" thing today too - what a surprise...

One interesting note from Gerstner is about mainframe sales. While he was reorganizing IBM around the new network computing vision and expanding the integration side of things, he lowered the price of mainframes every year -- and last year IBM sold more mainframes than ever before. He said "It was an extraordinary piece of mythology created in the '80s, that PCs would take over for mainframes."

In other words, even as the great new vision is true (PCs and networked computing) it doesn't mean that everything we did before disappears. That can grow too, but it must be integrated into the "new thing" (or vice versa) and priced appropriately...

The comment period for changes to the Digital Millenium Copyright Act opened yesterday and you may submit comments here until December 18, 2002 (the link has details of the format your comments must be submitted in.) The specific focus of this inquiry is:

The Copyright Office is preparing to conduct proceedings mandated by the Digital Millennium Copyright Act, which provides that the Librarian of Congress may exempt certain classes of works from the prohibition against circumvention of technological measures that control access to copyrighted works. The purpose of this rulemaking proceeding is to determine whether there are particular classes of works as to which users are, or are likely to be, adversely affected in their ability to make noninfringing uses due to the prohibition on circumvention.

So far two exemptions have been made to the act, but they are very narrow. This hearing is the chance for input from those who feel they can make the case that the act is harmful as currently written.

InformationWeek > Privacy > The Push For Privacy > November 14, 2002

Comdex: Panel predicts biometrics shakeout

Comdex: Open Mobile Alliance to announce eight mobile specs
I just learned of this group a few weeks ago -- and it seems to me that they are pretty important to folks like Liberty, WS-I, etc. We have entered the age of the de facto standards orgs...

Liberty Alliance updates Net identity spec
If you're a digital identity junkie (like some of us), this doesn't really count as news...but, for those who aren't...

Microsoft's Federated Security and Identity Roadmap
A good document on Msft's view of the space...

Death by Spam - The e-mail you know and love is about to vanish. By Kevin Werbach
I keep waiting for some young, enterprising identity company to solve this spam/email thing --- Plaxo, are you out there?

Like it or not, the only way to kill spam is for an element of e-mail to die as well. There's always been something charming and casual about e-mail. The informality comes through in the style people use to write messages, but also in where they send them. You've probably sent an e-mail to someone you'd never call on the phone, approach in person, or even write a letter to. Losing this aspect of e-mail is a shame, but it's inevitable. E-mail will become more like instant messaging, with its defined "buddy lists."

E-mail's openness is doomed when faced with massive traffic and a few bad actors. The next time you try to reach out and touch someone electronically, you may need to know who that person is. Otherwise, you might be reaching out to no one.

Comdex: Microsoft execs speak on Trustworthy Computing

Speaking about Microsoft's ongoing "Palladium" effort to build hardware and software-based security features into the Windows operating system, Peter Biddie, Palladium product manager, said that the project represented an effort by Microsoft to redesign its operating system from the ground up, with security as an essential component.

Tech News - CNET.com -- Turning up the heat on Web Privacy

The New Buzzword for Airport Security
"In the recent Corporate Air Travel Survey by the International Air Transport Association, which represents the world's airlines, 81 percent of business travelers said they supported use of advanced biometric technology at airport security points."

Trust Networks on the Semantic Web (draft)
....to augment my recent "Taxonomy of Trust" piece....thanks to Byran for the link.

Perspective: Say hello to Big Brother - Tech News - CNET.com
"For instance, President Bush's Critical Infrastructure Protection Board is also charged with developing a plan to secure the Internet, which could presage a turf battle between the new department and the White House. "

....that would actually be entertaining -- watching the government attempt to "secure the internet"...

CW360° - Article Page

As a result, the Financial Services Roundtable's technology group, the Banking Industry Technology Secretariat (BITS), said that it wanted the W3C "to state explicitly" that machine-readable P3P statements were not legally binding documents.

Forbes.com: Homeland security bill raises Net privacy issues

But buried deep in the 500-page bill are several provisions that could have lasting effects on computer security and Internet privacy.

Balancing biometrics and privacy: An opinion

Study: Parents more likely to use Net
At the DIDWcon2002, Craig Mundie introduced a whole slew of parental control plans for Passport. I heard a lot of talk from attendees about "not caring" about parental controls. Being my argumentative self, I of course argued that Ma and Pop in Nebraska count a helluva lot more than business folks and developers at a Digital Identity conference.

This study backs up Microsoft's move -- Parents are more likely to use the Internet than any demographic group. Sure, I know you can make philosophical arguments about *how* to best raise children, but bottom line: Microsoft is doing the smart thing in this area -- playing the "making the internet safe for the kiddies" game.

Gates' address accentuates the positive - Tech News - CNET.com
From note taking to the personalized alarm clock - identity constructs run throughout Microsoft's envisioned future...

W3C defines Web services - Tech News - CNET.com

For those who are unaware of Poindexter's "Total Information Awareness" project, this link takes you to the Information Awareness Office's site. As you can see, they aren't hiding anything about what they intend to do. Other than the mis-direction that this will somehow only affect you if you are a terrorist, it's quite clear what their goals are. This August Wired Article may give you a starting point that is a bit more accessible.

As William Safire indicated in the NYT article cited by Eric below, this is a case where a political issue is posing as a technology issue. You owe it to yourself to learn all about it.

CBC News: Minister calls for debate on national ID cards

You Are a Suspect

Even the hastily passed U.S.A. Patriot Act, which widened the scope of the Foreign Intelligence Surveillance Act and weakened 15 privacy laws, raised requirements for the government to report secret eavesdropping to Congress and the courts. But Poindexter's assault on individual privacy rides roughshod over such oversight.

Question...
Grounds for Identity
Let me make this perfectly clear: I don't disagree with *anything* that Doc says (with the lone exception of him having to push to speak at DIDW). But that still leaves me with one question: if venture capital has dried up, and the open source community doesn't set about doing this out of the good of their hearts, and its going to happen (it already is) -- then how is someone supposed to support their family writing the protocols he's talking about?

just a simple question....if nobody gets paid, the corps will do it; and if VCs ain't supporting innovation and the open source community doesn't step up and do it for free, how does it happen?

Sony and Philips Join in the Acquisition of InterTrust
say what you want about the economy -- some areas seem to be surviving just fine...

Wired News: Napster Co-Founder's New Venture
Andre Durand (co-chair of the conference) get quoted in regards to the Napster guy's new venture -- looks like their "hush hush" tone is all about identity. Go figure.

What Sun is attempting with N1 is a grand effort of the type the tech industry used to be renowned for. It is also one of the largest efforts at directly re-architecting computing around identity that anyone has announced -- only IBM is in the ball park with their grander if somewhat less-focused effort.

On one hand, it was the exhaustion of their other approaches to computing that led Sun to focus on N1, but on the other hand N1 gives Sun a legitimate chance to reconstruct themselves around a mission that has the potential to rebuild their former glory. The odds of success today are lower than they might have been because Sun let the damage build so far before they took these steps, but they now seem fully focused and there is more strength remaining at Sun than is commonly believed.

The big question is can Sun convert themselves from a chip and hardware company to a software, systems, and services company? History argues against it, but if they do, it will be the stuff of legend. And they are contributing greatly to our understanding of what has happened to computing since we succeeded at networking everything...

Why do I feel like University authorities are about to become punching bags over the issue of file swapping on the Internet? Maybe its letters like these from EPIC and RIAA that put them squarely in the middle of something they really should have nothing to do with.

This is yet another case where those who COULD monitor networks are in danger of being REQUIRED to monitor them (and take on massive new liability as a result) all because technology hasn't been built with identity in mind.

The unintended consequence here is clear, those caught in such traps will simply cease providing the service that put them there rather than take on liability far in excess of any reward they could ever get. Do we really want to start making the Internet unavailable in many places just because we don't know what else to do, and we can't control the lawyers?

Edge: 10 THINGS YOU SHOULD KNOW ABOUT SECURITY, PRIVACY AND ENCRYPTION
just found this....some interesting identity statements from a privacy advocate.

Pentagon Plans a Computer System That Would Peek at Personal Data of AmericansWe first told you about TIA back in July/August....the NYT just discovered the story. (hear that? Its our own horn tooting ;-)

Sun readies new server software for N1
This kind of stuff fascinates me....it is about re-architecting IT around identity concepts on a meta level.

Appliance Makers Face Privacy Concerns

Scores of privacy bills are in the pipeline in Congress and state legislatures. States and even counties have passed legislation, creating predicaments for companies that already are grappling with disparate regulations set by foreign governments. In September, Wells Fargo Bank and the Bank of America sued Daly City and San Mateo County in California for requiring banks to get explicit permission from customers before sharing information, laws that are more restrictive than the National Bank Act.

An article in Federal Computing Weekly gives another "indicator" of the growing maturity of biometrics. When technology matures, it begins to deploy beyond early adopters, and it begins to be considered for use in much larger ways outside of niches. At that point the technology appears to most of the world to "come from nowhere" and the issues it raises are "suddenly discovered."

This is all part of a healthy process of technology and policy evolving together. The key issue raised here is that "there are few judicial developments regarding collection of biometric identifiers, even as public policy debates have swelled over their use and their potential to invade people's privacy."

In plain language, that means that we don't have any idea where liability for misuse and identity spills lie, or even a much of an idea of what proper use and misuse are. As was pointed out in many sessions at the recent Digital ID World conference, digital identity crosses the boundaries of technology and regulatory/legislative policy. There are many issues to be considered, debated, tried out and refined, to discover society's tradeoff desires and how technology can minimize risks.

It's good to see that this discussion is entering a more mature phase - but there is a long way yet to go...

If you think spam is bad now, just wait! A new audio watermarking technology promises to transparently bury encrypted data in audio.

Naturally the first uses of the technology that are imagined, having your cell phone "hear" the data, and having toys follow behavior of TV program characters, conjure up images of "push technology" and mega-spam.

Is this technology of interest? Probably, as it's an alternate wireless local area networking technology, even if the return path is a bit undefined so far. But digital identity will clearly be needed here too - no surprise!

Eric,

The article in CNET on Trusted computing is important for two reasons. First, it pretty well summarizes the feelings the "techno-class" and "chattering class" have about it - one I'd summarize as "can't this just be killed and made to go away?", and second because it indicates that trusted computing is finally surfacing in places and ways that make it clear that the answer to the first question is "no!"

Trusted computing has been developed from the security angle for some time now, but it needs a lot of thoughtful input about how it should be packaged to transition to the enterprise and ultimately the consumer marketplaces. This article indicates that awareness is dawning that trusted computing technology will not "go away" and while we'll have a few more "anger tantrums" before we settle down to the serious thought work required, the transition is at hand.

As with many digital identity issues, it is time for people to decide if they want to consider Trusted Computing rationally and contribute to its understanding and useful, productive development, or consign themselves to the next group of people who complain about and resist technological evolution and become increasingly irrelevant artifacts of history...

Note: For those who attended the Digital ID World conference, and who want to understand what Trusted computing is all about, I highly recommend the slides and audio of Lark Allen's "Understanding Trusted Computing" technology and appliation overview session and also John Manferdelli's "Building a Trusted Computing Platform" session which details Palladium and how it fits into Microsoft's plans. Use your attendee access code and pasword to access them.

Privacy group fights P2P crackdown - Tech News - CNET.com

Health check: it's time to get serious over privacy - smh.com.au

Trust or treachery? - Tech News - CNET.comTitled: "Security technologies could backfire against consumers" -- you guess the slant...

Homeland Security CIO wants 'network of networks'

An interesting article updates the status on the battle between .NET and Java in the PDA and mobile phone arena.

PDAs and Mobile Phones will be a major area of identity computing in the future, so how software and architecture evolve in this arena matter.

It looks like once again, Microsoft is playing tortise to Java's hare. But while viewing today's status, don't forget how the fable tells us this type of race can turn out...

OASIS approved the SAML 1.0 standard. That isn't a big surprise to many, but now that it's official, things like Liberty, Shibboleth, WS-Security and other standards that rely on it are free to move forward without worry that SAML will change under them. So even if it's been expected for some time, it's a big moment in the evolution of the digital identity industry.

Court rules against AOL on Net privacy - Tech News - CNET.com

The Virginia Supreme Court ruled against America Online in its efforts to protect the identity of one of its 35 million subscribers by asking the court to quash a subpoena calling for the member's name in an issue that goes to the heart of the anonymity of the Internet.

Online job listing an ID theft scam

It looks like Movielink is getting closer to its eventual deployment. It is clear that Hollywood will have to fail here first in order to learn the lessons needed to create a business and technology model that satisfies consumers.

The question is, will they use the eventual failure of Movielink to try to devalue the entire concept of online content delivery, pulling further back into their bunkers, or will they use this venture to learn what is really needed in the way of a new business model?

Guess I know how I think this works out, but it's a big chance to learn a lot if they want to.

Nokia tweaks cell phones for businesses - Tech News - CNET.com
very interesting stuff -- as nokia (via liberty and these efforts) appears hell-bent for serious identity work....

Quoting: "
Some of the new tools from the Finnish cell phone maker are designed to enhance security for workers connecting to corporate networks remotely; other products are intended to help manage privacy. "

Groove Networks has indicated how it will integrate identity into Pocket PCs. Grove has travelled an interesting identity journey, one which started when Lotus inventor Ray Ozzie bumped up against identity in Lotus Notes development.

The use of Web Services protocols to "lighten" the client and WS-Security as the "identity pipe" to extend the Groove shared space to the Pocket PC should be viewed as an early indicator of how many identity problems will be addressed to create interoperability and cross-platform capability. This article by Jon Udell gives a lot of "thought food" for those trying to see how all these pieces will fit together, and what identity really means...

The Pinch of Piracy Wakes China Up on Copyright Issue
...more identity and piracy news...(free registration required)

This is more like the beginning than the end of the privacy wars, but an interesting news report about Avenue A settling all privacy related class action suits (state and federal) against it for $925,000 may indicate how one aspect of the privacy wars will play out.

At Digital ID World we tend to focus on technology and architectural solutions to privacy and security, because the problems can be (and we feel should be) dramatically reduced by such technology. But it is important to remember that some solutions will always be based on policy and the development of "standard industry practices" rather than technology. In this settlement the concept of having annual audits arises again, and we can expect this to become more common, especially as "standard industry practice" becomes more well defined.

So we can assume that lawsuits and settlements will likely be part of the identity conversation for some time to come yet...