Digital ID World Weblog
March, 2003 Archive
March 30, 2003
By Any Ends Necessary

Ends and Means: Identity in Two Worlds
Jamie Lewis of The Burton Group has written a fabulous "reflection" on the divide that exists between certain identity camps. Like Jamie, I find myself straddling both camps -- confident in the idea that the "organic growth" (borrowed from Craig Mundie) of this space will connect the necessary dots (or ends).

Read this one -- it is well worth your time.

ejnorlin at 08:21 AM MST
March 28, 2003
Identity in a different light

Face recognition gets lift, U.S. says | CNET News.com

The study, which matched 121,589 images of 37,437 people drawn from the State Department's Mexican nonimmigrant visa archive, evaluated how well the various commercially available systems verified identity, identified unknown faces and detected people on a "watch list."

The systems were able to verify a person's identity 90 percent of the time, with a 1 percent error rate. That's about as well as 1998 vintage fingerprinting technologies, NIST said.

The new study looked at demographic factors for the first time. Men were easier to identify than women, and older people easier than younger.

Another crucial variable turned out to be whether people were being identified indoors or outdoors. Indoor environments, where lighting is more easily controlled, provide results that are twice as reliable.

ejnorlin at 07:26 AM MST
How Far We've Come

I woke up this morning reflecting on the discussions from PC Forum - and realized how far we've come.

Last year at this time, I would talk of the importance of digital identity and people would yawn. It seemed that virtually no one got it. Now, even those that are adamantly against it get it; digital identity is important in the majority of tech thinkers' minds. That's a huge change in one year.

Even further -- last year people didn't even know what "digital identity" meant. At least half of my conversations started with someone saying, "now what do you mean by digital identity?" That never happens anymore. People just know. And I don't think it's a rational thing; I think it's an intuitive thing. People are just "getting it."

I'm not quite sure *why* the progress has been made (I'd love to believe we've had a part in that), and I certainly think we're still early. The early tail of the bell curve seems to be "on board" (at least with the importance of the issue), but we're still a long way from it playing in Peoria...

ejnorlin at 06:42 AM MST
DRM works?

Why DRM will never work
This is a decent opinion piece on DRM, even if it misses the obvious identity connections. I admit to being horribly torn on DRM: on one side, I think the copyright laws today are pretty screwy; on the other side, I think the customer should be able to act under fair use. Either way, digital identity seems like it will come into play. At the very least, it would allow for a plethora of options that do not currently exist today.

ejnorlin at 06:26 AM MST
March 27, 2003
Blogging from an ID Summit

Windley's Enterprise Computing Weblog
Phil Windley blogging the conference that Phil Becker just spoke at....

ejnorlin at 07:35 AM MST
More on ID theft

ID theft costs banks $1 billion a year

Banks lost at least $1 billion to identity thieves last year, according to a report issued Tuesday by TowerGroup Inc. While only an estimate, it is one of the first attempts to put a detailed price tag on what has been called the nation’s fastest growing crime. What’s more, the report asserts, banks have no way of telling whether new customers applying for a loan or credit card are actually who they say they are.

ejnorlin at 07:10 AM MST
March 26, 2003
All that talk, and still missing the point

Phone numbers are soon to go mobile
A whole article about number portability -- and it misses the point. I'll connect dots: Who does number portability? Neustar. Who is the main player in ENUM? Neustar. Who is a Liberty Alliance member? Neustar.

Starting to see the larger picture yet? ;-)

ejnorlin at 01:51 PM MST
NGSCB/Palladium "Coming Out Party" Set

Microsoft has indicated it has scheduled an NGSCB coming out party for May at WinHEC.

"We will be having a big coming-out showing on NGSCB at WinHEC," says NGSCB group product manager Mario Juarez.

We've pounded Microsoft for months to tell us about the licensing structure of NGSCB, and despite promises to do so, we haven't yet heard any details. Juarez says here that "There will be some licensing issues involved (which we're focused on now), but we understand the importance of interoperability and we're dedicated to ensuring that NGSCB will interact with other operating systems."

That's what we've heard since last August, and we eagerly await specifics...

pbecker at 12:35 PM MST
March 20, 2003
Gates says Mobility is his focus

Bill Gates said that dynamic mobile connectivity enabling devices "probably will be the fastest growing of all of our businesses".

"Gates said the key to the strategy is devices in all form factors working together intelligently to create a rich user experience. That doesn't just mean PDAs and Smartphones, he said. It includes large-screen wall panels designed to be viewed from a distance and operated by remote control, the new Tablet PCs, watches, even desktops which can interact with Smartphones."

Now without a good standardized, interoperable, flexible digital identity infrastructure that can dynamically link, unlink, secure and manage these things as each user wishes, how far do you think this will get?

pbecker at 01:01 PM MST
DMCA Easing hearings set

The U.S. Copyright office announced it will hold hearings in April and May "on the possible exemptions to the prohibition against circumvention of technological measures that control access to copyrighted works." This will provide a forum for those who want to be heard to air their thoughts on the matter.

This article on News.com provides reactions from several who follow these issues. One interesting point is "The Copyright Office stresses that factual arguments are at least as important as legal arguments" indicating they are trying to learn what is real about this area of technology from technologists, not just hear legal theories and political points of view.

pbecker at 12:50 PM MST
March 19, 2003
RIAA Threatens Companies in Piracy Wars

In the ongoing battle by the RIAA/MPAA to use courts to stem piracy, the RIAA has now sent a letter to businesses complaining about alleged acts of piracy and copyright infringement in their corporate computer networks and warning of possible fines.

This story has been bouncing around since Monday when Reuters got a copy of the letter, and indicates the RIAA is widening the scope of its "bludgeon 'em with lawsuits" war on piracy beyond Universities by attempting to intimidate corporations into also being a free police force for them.

I've taken criticism for calling this a scorched earth battle that will injure everyone involved before it is done, but this type of Soviet tactic certainly looks that way to me.

The old business model is unsustainable in the face of technology advances, and new ones need to be found and deployed. Distribution systems change when technology allows it, and you can't survive if all you do is fight it. Ask those who tried fighting distribution changes in retail and wholesale in other industries (can you say WalMart, Home Depot, etc.)?

Digital identity will create new options, the question is who will benefit from them and how much damage will be done in the meantime...

pbecker at 01:40 PM MST
March 18, 2003
Surveillance State

Surveillance Nation

Webcams, tracking devices, and interlinked databases are leading to the elimination of unmonitored public space. Are we prepared for the consequences of the intelligence-gathering network we’re unintentionally building?

ejnorlin at 06:46 AM MST
Stopping spam

CNN.com - Redesigning the Net to save it from spam - Mar. 17, 2003

Some experts advocate changes that would demand the identity of every mailer or an alternative mail system altogether that involves trusted, verified senders. And some have gone as far as to suggest requiring paid postage.

ejnorlin at 02:47 AM MST
March 17, 2003
Privacy on the horizon

Wired News: Who's Winning Privacy Tug of War?

Privacy is set to become even more of a key issue for businesses and government over the next few months, as some firms fight to retain what they believe is a key provision of the Fair Credit Reporting Act, a federal law that restricts who can access credit information and how it can be used.

ejnorlin at 07:51 AM MST
More on Identity Theft

Internet Week > Spam > Spam's Being Used For Identity Theft And Blackmail, Symantec Says > March 13, 2003

Crooks are sending spam using the Symantec Corp. name to sell counterfeit software, engage in identity theft, steal credit card numbers, and even blackmail victims through the use of pornography, Symantec officials said.

ejnorlin at 06:54 AM MST
March 16, 2003
Privacy and Identity

InfoWorld: Bush administration blasted over privacy: March 14, 2003: By Grant Gross: Security
The debate continues to build about balancing privacy and security....

ejnorlin at 09:27 AM MST
March 15, 2003
Developments in the UofT-Austin case

Student accused in Texas data heist | CNET News.com

The student, 20-year-old Christopher Andrew Phillips, turned himself in to the U.S. Secret Service and was scheduled to appear in federal court Friday. The charges stem from data, which included the stolen records, gleaned from the student's hard drives, the U.S. Attorney's Office for the Western District of Texas said in a statement.


Additionally, the University has set up a website for those that may be affected...

ejnorlin at 09:52 AM MST
Add this to the list

Burton Group Weblogs/Jamie Lewis
Mandatory reading here, folks -- Jamie Lewis, CEO of the Burton Group, has a weblog....

Jamie is, without a doubt, one of the most thoughtful, penetrating and in-tune thinkers in the area of Identity (and I'm not just saying that to butter him up ;-).....his weblog is a must read on a daily basis.

ejnorlin at 09:39 AM MST
March 14, 2003
Web Services & Identity

WebServices.Org - The Web Services Industry Portal - Web Services Network: Creating trusted value chains

For trust to exist, there needs to be a link between trust and identity. Who do I trust, what is the identity of the trusted entity, and how is this identity the same over the length of the trust relationship.

ejnorlin at 06:52 AM MST
Controversial identity

Senate scrutinizes air travel database | CNET News.com

Citing concerns about privacy, the Senate Commerce Committee voted to increase congressional oversight of a secretive data-mining and passenger-profiling system under development at the Transportation Security Administration. Delta Air Lines plans to begin testing the system at three airports this month.

ejnorlin at 06:41 AM MST
Sounding like a broken record

Password-stealing e-mails spread
...me, that is -- as I say, "here's another log on the fire for why we will bring identity to our networks of anonymity." ;-)

ejnorlin at 06:29 AM MST
March 13, 2003
Throw another log on the fire

InfoWorld: File trading may fund terrorism: March 13, 2003: By Grant Gross: Networking
Here's another log for the fire that will quickly become, "why we need to bring identity to our networks of anonymity"......

ejnorlin at 02:24 PM MST
P2P identity

Congress cracks down on P2P porn | CNET News.com
As Peter Biddle et al. at Microsoft detailed in their paper on "the darknet," the viability of a P2P network ultimately depends upon the identity of the end points.

This article is yet another example of some of the social forces that will bring identity to our networks of anonymity. It *is* the year of government and identity, my friends.

ejnorlin at 08:45 AM MST
March 11, 2003
Mitch Kapor Resigns Groove Board

According to this article from Federal Computer Week and also the Washington Post, Mitch Kapor has resigned from the board of Groove Networks because of Groove's involvement in the Total Information Awareness project.

Kapor was co-founder of privacy advocate Electronic Frontier Foundation, and very sensitive to privacy issues. Kapor said only that it was a "delicate subject" and that he had resigned to pursue his interests in open-source software, according to the New York Times.

pbecker at 09:57 PM MST
RFID'ing clothing

Benetton to track clothing with ID chips | CNET News.com

While the market for RFID chips is small now, their potential for improving visibility of inventory on an almost instantaneous basis is of significant value, said Karsten Ottenberg, senior vice president of Philips. This is especially true for retail businesses, which are consistently concerned with striking a good balance between supply and demand. Retailers want to make sure there are enough products on the shelves to meet demand but not so much that they are sitting in a warehouse taking up costly inventory space.

ejnorlin at 06:32 PM MST
More Liberty Coming

Liberty Alliance Identity Architecture
A new Liberty press release that begins to outline some of the upcoming Liberty spec...which is now called, "Phase I" and "Phase II".....

ejnorlin at 07:59 AM MST
March 10, 2003
Almost but not quite

InfoWorld: Forrester CEO: Web services next IT storm: March 10, 2003: By Joris Evers: Security
Interesting article about a recent speech by the Forrester CEO. I think he's right on -- except that I think the core is identity and the swirling storm that is enabled by that is web services.

The best line:

"The Web is dead and will be replaced by an executable architecture..."

ejnorlin at 12:29 PM MST
Identity and PKI, SAML, etc.

Many identity infrastructure methods require PKI, and the discussion about federation vs. direct integration of systems is also ongoing. This article by Jamie Lewis, a Digital ID World Conference EAC member, really gets to the heart of what the issues are and how PKI, SAML, what is a certificate, etc. really come together in the identity conversation.

Highly recommended reading...

pbecker at 09:41 AM MST
March 09, 2003
The Private Net begins

Feds Move to Secure Net
There's been a lot of talk about how identity will divide the Internet into the "private" and "public" net.....and while this project doesn't *appear* to have identity built into the network, it is an interesting step in that direction.

ejnorlin at 06:41 PM MST
March 07, 2003
Your fingerprint for a locker

Pioneer Press | 03/05/2003 | Smarte Carte lockers reopen

White Bear Lake-based Smarte Carte can reopen some 3,300 airport lockers nationwide that were shut down after the September 2001 terrorist attacks, federal airport security officials say.

But the lockers, located at 41 major U.S. airports, first must be updated to include biometric technology that requires travelers to provide a fingerprint to rent and open a locker.

ejnorlin at 09:17 AM MST
Visa's latest attempt

03/06/03
Herein is part of Visa's ongoing battle with identity theft...

ejnorlin at 09:15 AM MST
Legislation time?

InformationWeek > Security > Hackers Steal Names, Social Security Numbers From University Computer > March 6, 2003
So they got the SSNs (again).....

There was a bill in California that would make it illegal for businesses and schools to use the SSN as a personal identifier (an attempt to prevent the damage of precisely this act). Do you suppose that idea will now gain on the national stage?? How long before businesses and schools (i.e., only the government) is allowed to use the SSN to identify you? Think of that kind of government-mandated spending -- almost sounds like something that would kick start a slumping technology sector...

ejnorlin at 07:39 AM MST
March 06, 2003
Yet more thievery

Data thieves nab 55,000 student records | CNET News.com

Online attackers stole information on more than 55,000 students and faculty from insecure database servers at the University of Texas at Austin, the school revealed on Wednesday.

ejnorlin at 02:58 PM MST
Getting Closer but...

This will be a long entry, but some things simply need to be said...

The Information Week article on the GSA and DoD Joining Liberty is better than most, but still can't quite see what's happening. The good news is that their reporting work is good and lets us see what the supposed experts think about Liberty and calibrate the tech industry awareness of identity a bit.

For example, "Gartner gives Liberty Alliance a 20% chance of success" and thinks that somehow pivots on "whether the feds will choose to use [Liberty] only for government employees or for providing all Internet services to citizens and businesses." A further example of how this analyst misses the point is that he bases his skepticism on the "the failure of Liberty member America Online to use the technology for its 35 million subscribers."

This analyst isn't stupid, he just misses where identity in general and Liberty specifically fits in the IT landscape. He's still stuck in the "Passport vs. Liberty" question which was always the wrong one.

One more time: Passport is a product, Liberty is a specification from which software is designed into many products and implemented by many vendors. Passport is a centralized authentication system, the use of which can be integrated into other companies' web sites. Liberty is a massively de-centralized technology to federate a variety of identity infrastructures and extend identity management across them to varying degrees as required by various applications.

There are very few applications where both Passport and Liberty would be interchangeable choices, so you start off lost if you see them as competing for some given market and *very* lost if you see the market for digital identity as those few applications that both would satisfy.

Another analyst comments that "Users will appreciate the added convenience of logging into multiple sites at once, but not at the price of more spam or invasions of their privacy." This comment indicates zero understanding of Liberty and it's another indicator of lack of understanding of what's going on here.

Comments like "concerns over whether the Liberty Alliance can build trust among online shoppers who would opt-in to the service" indicate little real understanding of how identity management really fits into infrastructure, and what its missions really are.

Again, these analysts aren't stupid. They reflect the fact that digital identity is very poorly understood even among those who spend a lot of time thinking about what is happening in computing, and thus not seen to be very important. I think that occurs because they can't quit thinking of identity as a product instead of an organizing construct that will be part of hundreds of products. Once they try to think of it as a product, they try to find "the audience" and "the customer base" for the product and they are doomed to miss the point.

Identity is Center, that's what you need to keep in mind. In the end, it will apply nearly everywhere to nearly everything that computers do - sort of like networking does...

pbecker at 10:14 AM MST
March 05, 2003
Reporting SO BAD that someone should lose their job!

News: Feds stand behind Sun's Liberty Alliance
Here's the ZDNet story on the DoD joining the Liberty Alliance....except someone needs to slap this reporter upside the head with a few facts!

Like this:

1. Headline: Feds stand behind Sun's Liberty Alliance.

comment from me: PUH-LEASE! Do people really still believe it's "Sun's" Liberty Alliance? Here's a hint: it's NOT.

2. Quote: "Liberty was launched in 2001 by Sun Microsystems as a way to thwart Microsoft's own authentication system, called Passport. "

comment: there *might* be a hint of truth buried somewhere deep in this statement, but it's buried so deep that you'll need the entire cast from Six Feet Under to find it.

3. And the real ringer: "Like Passport, Liberty technology is meant to manage computer users' multiple online identities and information under a centralized sign-on system."

Comment: WHAT?! Has this guy bothered to learn anything? The Liberty spec is the exact *opposite* of centralized. This is beyond a misunderstanding; it's careless reporting -- and somebody should call the publication to task. (oh wait, I think I just did.)

Bottom line: 10 minutes' worth of concentration would have led to this guy getting the story right. Apparently, that was a bit much to ask. Ugh.

[Later: ZDNet/CNET has changed the story to correct the "centralized" error....Thank you very much.]

ejnorlin at 10:01 AM MST
Dept. of Defense & GSA Join Liberty Alliance

The Liberty Alliance announced today that the Dept. of Defense and the General Services Administration (GSA) have joined the Liberty Alliance.

The GSA runs the U.S. Government's E-Authentication project that is ultimately slated to grow to authenticate identity for all citizens and businesses that interact with the government over the internet. The DoD, through its DMDC, runs many large projects such as the Common Access Card (CAC) and is also looking at creating a common authentication system for its automated power, personnel, training and financial databases.

In short, it is getting pretty close to "game over" for Liberty Alliance. As I've said from the start, Liberty is one of the most significant things happening in identity. This is because its self-contained structure assures proper motivations and that deployment will occur. Liberty is creating a specification that its members will consume (thus the real world requirements can't be lost), and its membership includes the vendors who will provide the software (so software to support the specification will be widely available), service providers to supply any services required, and enterprise customers who will deploy it.

With the Liberty Alliance membership reaching 160 companies and organizations - now including the U.S. DoD and GSA - those who don't yet see its importance are simply not paying attention.

pbecker at 09:51 AM MST
Part 3

Sutter Health CIO Discusses Single Sign-On
The 3rd part is an interview with Sutter Health's CIO. All in all, a nicely done series.

ejnorlin at 07:24 AM MST
More from eWeek

Whirlpool Cleans Up With Single Sign-On
The second article in their 3 part series...

ejnorlin at 07:21 AM MST
The First Time

Who's Who When
eWeek's running a series on ID management, and it includes the first time I've ever heard anyone talk about identity's necessary role in a computing paradigm shift (well, besides us, that is):

The identity management tools we looked at for this report are oriented almost exclusively toward human beings. In the coming year, Web services—and the need to authenticate and authorize other computers along with applications and services running in the network—will force a paradigm shift to encompass any computing resource.

ejnorlin at 07:16 AM MST
Changing the World

Internet Week > Supply Chain > P&G Exec Says RFID's Time Is Almost Here > March 4, 2003


Of course, many issues remain to be worked out, from consumer privacy issues to questions about who will own the data to developing business cases within each business unit that will create pull for the technology from within a company, to agreement among companies on global standards. "Manufacturers, suppliers, and customers have to work together," P&G's David says. "You can't change the world by yourself."

ejnorlin at 07:06 AM MST
March 04, 2003
Smart Card Alliance Whitepaper

Contactless Payment White Paper
I haven't gotten the chance to read this yet, but I will....Here's a quote from the intro page:

Multiple technologies may be used to implement a contactless payment system. Candidate technologies include radio frequency, infrared, carrier-based mobile and Bluetooth technologies. Three types of radio frequency technologies are currently used, including: 13.56 MHz contactless smart cards, low-frequency (100 to 500 KHz) devices and high-frequency (900+ MHz) transponders.

The choice of an appropriate technology is driven by issues such as what types of payment mechanisms the technology supports, whether the technology is commercially available and governed by standards, the amount of investment required, and how well the technology protects customer data and guards against erroneous transactions.

ejnorlin at 07:42 AM MST
Smart Card Editorials

Security Is in the Smart Cards

News that a hacker recently accessed as many as 8 million Visa and MasterCard accounts would have been shocking if we weren't becoming so disturbingly numb to such break-ins. We really can't go on this way if retail e-commerce is to become a permanent, trusted part of our lives.

ejnorlin at 06:45 AM MST
March 03, 2003
The Identity of Networks

News: Expert: Router holes threaten Net
So often it is assumed that "digital identity" means only the kind that relates to people. Yet pretty early into this, we came to the realization that digital identity in its *largest* sense is a fundamental re-architecting of electronic networks -- from ones of anonymity to ones of identity. The reasons are myriad, this article highlights yet another:

However, a misconfigured router, or one that has been compromised by an online intruder, can cause chaos by advertising itself as the best path to an unrelated network. That's because routers using BGP implicitly trust their neighbors on the Internet--they don't ask for any sort of digital identification. Using such digital forgery could allow an attacker to redirect traffic, to wiretap data, to create an information "black hole" and even to masquerade as another server, Dugan said.

ejnorlin at 06:44 AM MST