Feds, states target Net auction scams

“Consumers and law enforcers believed the identity theft victims were the ones who had bilked the consumers out of their money,” the FTC said. A federal court in Chicago ordered a halt to the scam and froze the man’s assets so they can used to repay victims, the FTC said.

Music Industry Sends Warning to Song Swappers
As I've always maintained, online anonymity is a pleasant story people have told themselves, not a reality (emphasis mine):

"It appears that you are offering copyrighted music to others from your computer. ...When you break the law, you risk legal penalties. There is a simple way to avoid that risk: DON'T STEAL MUSIC either by offering it to others to copy or downloading it on a 'file-sharing' system like this. When you offer music on these systems, you are not anonymous and you can easily be identified."

PGP creator sees threat in Moore's law | CNET News.com
Phil Zimmerman sees a threat from Moore's law and the ability to increase surveillance technologies rapidly....quoting: "You can't encrypt your face."

Reflections on the 25th Anniversary of Spam
Just found this great essay on the history of spam (tks to Dan Gillmor for the link)....and here's the *really* interesting part:

However the spam problem is solved, or partially solved, it will remain fascinating as the internet community grapples with its first serious abuse issue from within. Most other abuse issues have involved outsiders, ranging from the religious conservatives trying to ban smut to the RIAA trying to stop file-sharing, trying to regulate the net. Spam has caused the network insiders themselves to seek to regulate it.

Ah, that's key -- it points to a significant turning point in the history of our electronic networks. Of course, we all know what that turning point is, right? ;-)

Here's the soon to be standard "privacy concerns" article surrounding Digital ID (not to say that there aren't privacy concerns, just that this type of article will become the most commonly written article). A quote:

One consumer advocacy group called for a boycott of Benetton, saying sensors hidden in the retailer's clothing could be used to create a global surveillance network. Another privacy advocacy firm started a campaign aimed at stopping retailers from selling consumer goods containing live tracking devices.

Microsoft's plug-and-play biometrics | CNET News.com

AuthenTec will create a reference driver that will be the example for other biometric hardware makers to follow in designing their own driver software. In addition, a new application programming interface (API) will allow software to access new hardware features made available through the drivers, said Michael Stephenson, lead product manager for Microsoft's Windows server group.

Precursor to a purchase? (truly, i know nothing -- i'm just keeping my tongue firmly implanted in my cheek after my previous "prediction.")

Q&A: Microsoft, Industry Partners Rallying to Combat Spam

We're focused on a number of efforts that will make it easier to distinguish "good" e-mail from unwanted e-mail in many different ways, such as investing in filtering capabilities and providing more reliable input to filtering technology and coming up with ways to verify whether the senders of messages are who they say they are.

DIDW note: Brian Arbogast will be one of the featured speakers at this year's Digital ID World conference.

This press release reports that Waveset is expanding to the UK and adding resellers and a large German financial sevices customer.

An interesting item in this release is the Frost & Sullivan estimate of the size of the European Identity Management marketplace at $877,000,000 by 2006. This seems a pretty exact number (why not $850 or $900?) given that most of the customers who will buy in 2006 still don't even know what identity management will do for them yet.

Estimating the size of a marketplace this early on is a necessary activity, but always remember that what actually happens will not listen to those who do the estimating...

Are file traders next? | CNET News.com

In fact, the ruling could accelerate the labels' plans to go after individual users, especially when coupled with a decision Thursday in a separate case that gives them more power to unmask the identity of individual file swappers. In that decision, a judge said Internet service provider Verizon had 14 days to turn over the name of a subscriber accused of offering music files for download using the Kazaa file-swapping service.

GPS satellites track grazing sheep in Ireland
Digital Identity comes to shepherding...

Linux founder opens door to DRM | CNET News.com
We've always maintained that DRM is really about Digital Identity, so this story has much interest for us. Linus seems to have taken a totally sensible stance on this one...

Sun tackles privacy, speech recognition | CNET News.com
Sun Micro takes another giant step toward the identity space with the "Virsona" (a virtual persona). After our discussions with the Sun identity folks at RSA, I am pretty confident in saying that these folks *really* understand the implications of what they're doing. And that level of understanding usually implies a strategic focus that may not yet be totally seen by the larger community.

Internet Fraud Complaint Center
I was just saying to someone yesterday that identity theft/fraud will hit 24Billion (with a B) this year, and that online fraud is 15 times higher than offline fraud.....and that amounts to a pressing need for digital identity.

This site falls in that general category.

Wired News: DNA Fingerprinting for All!

The database would carry a person's individual DNA profile and would certify their identity. "So it is not just a criminal investigation database but a personal security and assurance database as well," he said.

This Reuter's article is relatively free of bias on setting up the 321Software case that is going to trial. This is all about the DMCA law (as is nearly all of the copyright legal activity of he past two years), and this article lays out all the arguments farily well.

As those of you who read my weekly newsletter know (and those of you who don't can just go to the home page of DIDW and sign up now!) I have been hoping over the past year that this "scorched earth" battle can give way to a more reasoned conversation about how to deal with technology and Intellectual Property. It doesn't seem that the actual battles are any less destructive, but this type of overview again gives me hope that maybe we are nearing a point of productive conversation. Maybe...

Burton Group - Catalyst North America 2003 Agenda July 9, 2003
The agenda for Catalyst 2003 is out, and it looks good. If you haven't been to this show, you must go...

The paradox of privacy | CNET News.com
This is a nicely written article about the paradox of privacy in the electronic age.....

...and it all boils down to one simple question: Are you willing to restrict the capabilities of something like Google to protect your privacy? (ie, are you willing to begin to limit the inherit nature of the internet to protect your privacy)

Chew on that one for a bit.

Five steps to secure your environment - Computerworld
I'm posting this piece because I've recently come to know Roger, and Phaos Technology is pretty heavily involved in the Liberty Alliance...

Internet Week > Security > Identity Management Is The New Crown Jewel Of Novell > April 17, 2003

CRN: What is Novell's new crown jewel?

Stone: Nsure. It's growing 38 percent, and we've had some huge customer wins: Star Alliance, the city of New York, Lufthansa, the city of Los Angeles, Daimler Chrysler, Swedish Tax Authority ...

Internet Week > Microsoft Security > Microsoft 'Palladium' Security Plan Draws Criticism From Cryptographers > April 17, 2003
An article about En-scub (formerly Palladium) and some of the attending concerns. Microsoft intends to address much of this brouhaha at WinHEC (next month) -- as always, DIDW will be on the scene.

Phil and I are flying out this afternoon (as are many folks), as RSA begins to wind down.....its been a whirlwind few days, so on with some highlights:

1. The Liberty Press event: everything here went well; 4 interoperability demos and some decent questions from the attending press. The biggest story out of this is the submission of the Liberty 1.1 spec to the OASIS committee that is working on SAML 2.0.

2. The *perception* of a coming Holy War: (germinating into an article on this one) There seems to be a perception that is spreading that WS-Federation and the Liberty/SAML guys are about to diverge. Indeed, I've heard some talk around the halls that phrases this as a division of the world into "proprietary standards and open standards." We shall see -- my suspicion is that since the mainstream press are now finding it hard to write about the "liberty vs. passport battle" (because that's incorrect), they will soon switch to the "WS-F vs. Liberty/SAML" template.

3. (*eric plants tongue in cheek*) I'm starting a rumor: Microsoft buys a SmartCard company within 1 year. (please note this has no basis in fact, its simply my intuition.)

4. Plenty of interesting "smaller" companies (though some of them aren't very small) are developing in the identity space: Arcot, Trustgenix, Mycroft, Sigaba and Symlabs come to mind.

5. Dinners with the big guys yield several observations:

A. Microsoft (despite what everyone thinks about them) *is truly innovating* with their NGSCB (palladium) and Rights Management Services offerings.

B. SunMicrosystems *really* understands all of the implications of the federated identity model.

Much more to follow upon return to the Rocky Mountains....

Attended two great sessions this morning:

1. On the eGov and eAuthentication gateway project within the GSA: don't believe the hype my friends -- this project is proceeding (there isn't really a "funding" problem -- its one of those bureaucratic gov't things) and proceeding well. Actually, this project may end up being the poster child for my "this is the year of gov't and identity" statement, as they are driving this train *very* fast. As with the internet, the gov't will perform a de facto blessing of standards via usage. Thus, the GSA and DoD joining Liberty Alliance will be one of the truly important events in identity history (though it won't seem that way for quite some time).

Also of note: the GSA openly talks about using 3 products in their gateway -- Netegrity, Ntegrity (don't know them) and Entrust. Verrrry interesting.

2. The Burton Group presentation on federated identity (Dan Blum): A great overview of the trends in the identity industry, but the *truly* interesting thing at this track -- it was Standing Room Only. Identity is not only a curiousity, its becoming a must-know.

Several other briefings, most of which will get written up here over the next week or so.....all in all, a great show so far.....with one clear conclusion: the identity industry is really starting to accelerate.

The Liberty Alliance Project and OASIS today announced that the Liberty Alliance has contributed its version 1.1 federated network identity specifications to OASIS. The OASIS Security Services Technical Committee requested Liberty’s contribution to permit possible incorporation of Liberty version 1.1 specification features in future versions of the OASIS Open Standard Security Assertion Markup Language (SAML).

From the folks I've talked to, the purpose of this is to make sure that SAML and Liberty don't diverge as separate specifications going forward. Since Liberty feels that V1.1 is pretty mature and won't need much ongoing modification, they feel it is ready to go to a standards body. Liberty will now focus on the other specifications needed to flesh out their road map. ID-WSF looks to be the next focus, and it sounds like info on that will come out before this conference is over - stay tuned...

Phil and I (and assorted members of the DIDW staff) are now roaming the floors of the RSA Security conference, and, as expected, the show is bursting with identity themes.

Last night, we attended the opening reception (on the exhibition floor), and I think its safe to say that identity is now becoming integral to the stories and products of at least 50% of the exhibitors here. Two signs of this:

1. "Identity" is a buzzword -- one that is being used in disparate ways by various companies (IBM, Deloitte and Touche, Datakey, etc). Clearly, people are sensing that identity is something they should be involved with, but there is no *clear* consensus as to what that means.

2. Identity is visible by its code words: trusted computing, authentication, smart card, identity management, access control -- all of these words point to the larger identity story that is taking shape.

One notable phrase that I personally had never seen used in a product description: "identity life cycle management." Apparently, this phrase is replacing "provisioning" as the accepted term.

Summary number note: 200 registered press at the event; down from 350 last year.

More to follow.

Liberty turning first spec over to OASIS as turmoil brewing over identity management
I disagree with this statement:

The Liberty Alliance next week will announce two new draft specifications and for the first time turn over a portion of its work to a standards group providing the first evidence that efforts to create a standards-based identity management framework may be fragmenting.

Doesn't seem like fragmenting to me at all? Just an organization growing and maturing....

A representative of the TCG contacted me about the "why TCG instead of TCPA" question I asked. This is the response:

"In order to provide member companies the patent policy, voting structure and other benefits typical to industry standards bodies, it was best to create a new organization. One of the big changes was that in order for an organization involving several entities (such as the TCG) to collect dues, trademark a logo, and generally behave like a business, the group needed to become incorporated...which was much easier to do through the creation of a new group. Also, there was a switch to a majority rule voting and other fairly significant changes to the organization's internal structure and bylaws, as well as the broadening of the group from being very PC focused to touching on various computing devices (mobile devices, consumer electronics etc.). "

A new Trusted Computing Group has been formed by AMD, HP, IBM, Intel, and Microsoft "to create open standards that can be adopted for use in products and solutions across the spectrum of computing." Already Atmel, Infineon, National Semiconductor, Nokia, Philips, Phoenix Technologies, Sony, ST Microelectronics, VeriSign and Wave Systems have joined the group.

The group's web site is up at www.trustedcomputinggroup.org with more info.

This is an interesting development and one wonders why this separate group from the TCPA was needed to take "next steps" with the TCPA specifications. TCPA was formed by Compaq, HP, IBM, Intel and Microsoft (Compaq and HP are now merged) all of which are founding members of this new Trusted Computing Group. In fact, with the exception of Nokia, all of the members of this new group are also members of TCPA.

The press release indicates that TCG members have agreed to license each other necessary patents under RAND terms, that it's purpose is to "bring the industry together" to build standards accellerate adoption, etc. TCG explicitly is starting with the TCPA specifications, and it's announced intention is to extend those specifications - with a promise of backward compatibility to products already built on TCPA specifications, including interoperability. One clear new direction is the extension of trusted computing to non-PC devices.

This looks to be an interesting development in the trusted computing arena, and we will bring you more info as it becomes available.

InfoWorld: Entrust, Waveset partner for ID management: April 07, 2003: By Paul Roberts: Security

"We polled 1,200 of our customers and they all came back and said they were interested in identity management," Neville said.

Fretting about the future, lost liberty | CNET News.com
Declan is reflecting on the Computers, Freedom and Privacy conference from last week....most interesting quote:

Not only did Lessig's big-is-bad rhetoric go out of style back in the 1970s, but also, it's not even right. Compare the entertainment choices we have today with those of three decades ago, when it was mostly movie theaters, radio and three major TV networks. Now we have satellite TV, satellite radio, DVDs, CDs, video-on-demand, hundreds of cable channels, movie rentals and, of course, the Internet. Thanks in no small part to technology, culture is flourishing, not flagging.

Wow! I thought Larry was the patron saint, and here we have criticism. Talk about culture flourishing...

Update: Benetton backs away from 'smart tags' in clothing line - Computerworld

Fashion retailer Benetton Group SpA said today that it has no immediate plans to attach radio frequency identification (RFID) "smart tags" to its Sisley line of clothing to help track shipping, inventory and sales in the company's 5,000 stores around the world. But it left the door open to doing so in the future after further study.

webservices.xml.com: The Liberty Alliance [Apr. 01, 2003]
A more technical look at the Liberty version 1.1 specification (now called, "phase I").

InfoWorld: CTO Forum: Tackling identity: April 02, 2003: By Brian Fonseca: Web services

Unlike Microsoft’s Passport which has been criticized by some as a potential single point of failure for holding identity information in a central repository, Pugh pointed toward Liberty ’s mission to see a small collection of ID providers and relying parties, such as service providers, build a network over time to support a true federated ID model.

Jon Udell: Simon Pugh on identity management and Liberty Alliance

On Liberty vs. Passport: they are very different entities. Liberty is a framework for interop, not a product or a service. It anticipates federation of diverse emerging identity providers. "While Liberty is an interop system for connecting identity systems, it doesn't necessary mean that two participating services will share your identity, that's a function of the business relationship between the providers. The vision of "circles of trust" begins with individual relationships -- with airlines, with banks. Over time, you begin to link these together, under your control.

InfoWorld: At CFP, the devil is in the (technological) details: April 02, 2003: By Scarlet Pruitt: Security
Add together issues about computers, freedom & privacy and whadya get? Digital Identity. This looks like an interesting conference -- wish I was there...

Data thieves strike Georgia Tech | CNET News.com
Sick of this story yet? Don't worry, it only gets worse from here....