Digital ID World Weblog
August, 2005 Archive
August 31, 2005
Windley on Google & Identity  #

Now that Google is a massive rolling juggernaut of publicly traded cash - I'm wondering, what's their identity strategy and do they "get it."

Phil Windley has begun to ruminate on these questions as well. Quoting:

With the release of GTalk this week, the blogosphere has been talking about what it all means. In fact, there's been way more talk than "yet another messaging system," in a world with 3 or 4 too many already, deserves. Clearly, Google is positioning itself as an Internet operating system capable of displacing Microsoft as the integration point (to use a Clayton Christensen term).

To do that, Google needs an identity strategy. My guess is they've got one, although they haven't come right out and said that. GMail created unique user IDs on the Google network, which GTalk leverages. I've started calling them GIDs. The GTalk announcement extends that and strengthens it.

ejnorlin at 03:55 AM MST
August 30, 2005
A Flickr of Identity  #

Flickr is the photo-sharing service that was recently acquired by Yahoo!. Now comes word that Flickr users will need to migrate to a Yahoo account - and the backlash ensues.

All of this, of course, is part of the larger problems of identity silos. Doc Searls has addressed this topic in a keynote at Digital ID World since we first began.

The identity community is making progress on this problem (especially with the identity metasystem), but this incident highlights how far behind many companies are in their identity thinking. It also highlights how much identity is a business/people problem as much as a technological one.

ejnorlin at 05:20 AM MST
August 29, 2005
Secure Startup in Vista  #

NGSCB was one of the most ambitious projects Microsoft ever started. This is a good article about the Secure Startup feature that has made it into Vista. In doing so, the article describes the adoption of TPM:

According to IDC, about 25 million PCs will ship this year with TPM chips in them. Next year, the research firm predicts, about 60 million computers will ship with the security chip. By 2010 essentially all portable PCs and the vast majority of desktops will include a TPM chip, according to IDC.

ejnorlin at 04:19 AM MST
August 26, 2005
Never the two shall meet  #

I love Cory Doctorow's writing, but put him within throwing distance of the topic of DRM and the hyperbole-meter goes through the roof. Witness:

"DRM doesn't sell hardware, software, or movies. The only reason to build DRM is to trade your users' freedoms for a bit of favor from the entertainment companies..."

The "only" reason? Wow. What a stunningly myopic view of what DRM does.

The EFF's (via Doctorow) stance on this is now nearing ridiculous.

DRM and Nuance -- apparently never the two shall meet (at least in some minds).

ejnorlin at 03:46 AM MST
August 25, 2005
The Darknet Recast  #

Doc has posted a great blog entry about the rise of Splogs (spam blogs) and what it means for "content."

In essence, Doc sees a possible world in which sites like Google allow "passport like" sign on to paid content that is free of splogs and comment spam, thus relegating the "rest" of the web into something similar to what some Microsoft guys once called the "darknet."

His question to us identity folk has been - "can the identity metasystem solve this?" The answer of course (theoretically) is yes.

What's fascinating about this is that identity is on both possibles of this equation:

1. in the proliferation of the Darknet, identity enables the walled gardens of paid content to develop, while the rest of the net languishes in identity-poverty like the poor living outside the castle wall.

2. in the brighter future, identity isn't a divisive "enabler" but an underlying infrastructure for the entire Net.

I'm betting that #2 brings about more innovation and economic opportunity, as it fosters a more open and efficient marketplace.

Clearly, we've got some work to do. And clearly there are some bumps in the road and dark days ahead.

ejnorlin at 10:14 AM MST
PassMark buys Vocent  #

This interests me not so much because PassMark now has a "multi-channel authentication platform", so much as because I'm wondering if one smaller company buying another smaller company is somehow indicative of the identity marketplace....

sidenote: PassMark's CTO is Louie Gasparini - who I haven't seen in a while, but used to come to the conferences back when he worked identity for Wells Fargo....Louie- how are you? ;-)

ejnorlin at 04:19 AM MST
August 24, 2005
Uncrackable DRM  #

Chris Anderson of Wired has written an interesting blog entry about why some amount of piracy is economically optimal -- and thus, "uncrackable" DRM is economically suboptimal.

Quoting:
Instead, efficient software and entertainment markets should exhibit just enough piracy to suggest that the industry has got the balance of control about right: not too loose and not too tight. That number is not zero percent (which requires protection methods so invasive they kill demand), and it's not 100% (which kills the business). It's somewhere in-between.

ejnorlin at 05:10 AM MST
August 22, 2005
Schwartz on Standards  #

Jonathan Schwartz made the news with his announcement of the Open Media Commons, but it appears now that he's making the news for something he said in the context of that announcement -- namely, saying that the federal government should be involved in setting the standards around DRM; comparing it to how the government stepped in during the railroad buildout to make all rails the same width, etc.

I guess I'm curious - was Mr. Schwartz actually trying to say the Feds should get involved in the copyright mess, or was he actually implying the Feds should step in and regulate a DRM standard?

If the latter, then why wasn't the same thing sought for the Liberty Alliance?

ejnorlin at 07:31 AM MST
An Important Article  #

This is an important article about the whole TPM - Apple OS/X - DRM dust up. Important in several respects:

1. It's technically accurate (a rarity in TPM articles).

2. It points out that the Infineon TPM chip that Apple was experimenting with does NOT itself perform any DRM at all.

3. In fact, disabling the TPM is *easy*, as it was not built to protect against "user-hacks".

4. Rather, the trick comes in the software Apple will ship - as that software will call the TPM....ie, if you disable the TPM and Apple software calls it, then the software will not work.

Quoting:
The TPM does not control program execution or block execution based on signature, revocation lists or any "approved" lists. While application software can perform all of the just-mentioned blockade functions, it's not the TPM that does it; it's the software.

Finally, some truth amidst the hysteria....

ejnorlin at 04:19 AM MST
OMC on DRM  #

We've been hearing rumblings of this for quite some time now, but I guess this makes it official -- Sun has launched the Open Media Commons, a consortium focused on an open source standard for DRM.

Quoting:
Sun President Jonathan Schwartz announced the long-brewing project, called the Open Media Commons, at the Progress and Freedom Foundation's Aspen Summit on Sunday. The software the company hopes will be employed for digital rights management (DRM) is coming from Sun Labs and is called Dream (DRM everywhere available).

Dream is open-source software governed by Sun's Community Development and Distribution License--the same license it uses to cover its OpenSolaris operating system. Dream's components include software for letting different DRM systems interoperate based on credentials held by individuals, not by particular devices; server software for delivering streaming video; and Java software for managing video streams.

As anyone who reads us regularly knows, we've been writing about DRM as an identity technology for years. I've also written in the past that Sun needed to realize it was actually an identity company -- this moves them one step closer to doing so. In fact, (in the identity space) Sun seems to be on a roll since they acquired Waveset and their folks several years ago.

In any case, we'll see if this gains mass like Liberty did. I think it's a bit more tenuous, if only because open sourcers tend to argue against *any* DRM at all.

ejnorlin at 03:10 AM MST
August 20, 2005
Talk about a different culture for IT  #

The Identirati seem to take IT culture for granted -- you know, everyone assumes that the cultural assumptions underneath The Cluetrain Manifesto and Kim's laws just *hold* somehow......

And then comes this article that reminds us just how different some cultures are from our Western one (quoting):

All Malaysians over 12 must carry the card, nicknamed "Mykad." It stores thumbprints, a digital photo and basic information on the cardholder, including religion for the major ethnic group, the Malays. But the card also serves as a driver's license, passport and, under government plans, the national health card. And cardholders can use it to pay for purchases, withdraw money from ATMs, cover transit fares, pay road tolls and digitally sign documents on their PCs.

Wow. That's a different world right there...

ejnorlin at 04:27 AM MST
Phil Windley on IMAs  #

Phil Windley (longtime friend of DIDW) has posted a piece on what he's calling IMA (or Identity Management Architecture) over at O'Reilly.

Phil's been in the identity game for a long time -- as the CIO for the State of Utah, in the private sector, and now as a professor of Computer Science....good stuff.

ejnorlin at 04:24 AM MST
An Open Letter to Google?  #

Maybe it's time for me to roll out an "open letter" series. Speculation abounds about what Google is up to these days - and heck, why shouldn't I be part of the fun?

Think of the identity thread running through Google:
1. gmail
2. social networks
3. blogs
4. pictures
5. personal mapping
6. local search
7. indexing of personal information on the web
8. Google Wallet

hmmm - now what if they bought a small end-user focused identity company (Sxip), or just utilized an open source project (Passel), or even just built their own....

I used to jokingly posit "Norlin's Maxim" - that the internet is a force that drags information into the public domain, and the rate at which it is dragged is directly correlated to the factor of how much that information touches the 'Net.

My proof was googling yourself over time.

Maybe I should stop joking about that one. Maybe Google is building a web infrastructure with an identity layer. I wonder if Kim is talking to them about the Identity Metasystem....

ejnorlin at 04:21 AM MST
August 19, 2005
Comparison of Proposed Legislation  #

This is a fascinating comparison chart of the proposed draft legislation from the American Bankers Association.

Fun reading on a Friday! ;-)

ejnorlin at 07:03 AM MST
Will a Dean go to jail?  #

Here's the standard CNet Piece about how Universities are attractive targets for ID theft. As the article points out, half of the recent incidents have been at Universities -- and then compares them to financial institutions as targets.

They may be analogous - but I have a hard time seeing a Dean being sent to jail under the new proposed data broker legislation. ;-)

ejnorlin at 05:23 AM MST
Blog Comment Spam  #

Think blog comment spam isn't an identity problem?

Dick Hardt and the folks over at Sxip seem to think it is....

Check out Sxore

ejnorlin at 03:57 AM MST
August 17, 2005
Phil W. and Kim C. - blogging  #

Phil Windley and Kim Cameron each have some interesting posts on their blogs....

Phil has a pointer to an interview with Scott Chasin, CTO of MXlogic about the spam problem. Surprise - identity can help!

Kim is talking about the new "TSIK" work that is being done at the Apache Software Foundation. This is a *huge* development for the identity metasystem that Kim has been working on -- as it begins to address the cross-environment concerns.

ejnorlin at 04:08 AM MST
August 16, 2005
The Ceremony of Tokens  #

Jon Udell is writing about the ceremony of using tokens. Quoting:

But in any of these scenarios, giving someone a token is (or should be) the kind of ceremony that Kim Cameron describes in his sixth law of identity. Yes, it's a bureaucratic procedure, but it's also a social ceremony, the psychological value of which was stressed by several of the identity administrators I spoke with. A certificate stored in your browser, on one or more computers, is just an abstraction. A token nails down the abstraction. "People find them easier to deal with than soft keystores," one fellow told me. "With a token in hand, you have something concrete you can hang the concepts on." It tangibly represents the social contract between the token issuer and the token holder.

ejnorlin at 05:53 AM MST
Brute Force  #

I would call the technologies described in this USA Today article brute force identity-based DRM -- by that I mean, someone *hands* you a key with an e-book that expires -- i.e., the "identity-based" is them handing you the key.

What I find more interesting is that the identity technology articles on USA Today seem to be picking up in pace -- 2 in 2 days. Is this indicative of something? We'll see....

ejnorlin at 04:08 AM MST
August 15, 2005
Registered Traveler  #

Here's a surprisingly non-alarmist article from USA Today about the evolution of the "Registered Traveler" program and the accompanying biometric technology.

ejnorlin at 06:25 AM MST
Kim Responds  #

Kim Cameron has responded to my open letter to Bill G. and Microsoft -- and has been far too kind in the process.

A few comments on Kim's comments:
1. To Kim's point about the world not being a single thing: yup, I agree, Kim. Clearly an article like this is necessarily an over-simplification - and (with my head) I tend to focus on messaging as much as anything -- like all good marketing types my mantra is "perception is reality."

2. Re: my depiction of Microsoft technologies as "silos": Kim - I struggled with this one, as well. I know the technologies *aren't* silos - I just couldn't find a good way to depict that....and I was hoping the presentation layer on up (to the web services layer) would convey some of it.

Kim's comments are more than interesting (as usual) - they're challenging. I'll be curious to see how Microsoft the organization responds to identity in the coming months and years.

ejnorlin at 06:18 AM MST
August 12, 2005
TPM support  #

Mary Jo Foley comments on how Microsoft's Vista is well-positioned to take advantage of a coming explosion in the population of TPM-enabled PCs...

ejnorlin at 04:59 AM MST
August 11, 2005
RFID in Vegas, baby!  #

I just saw a TV piece (I like to watch CNBC while I work) about the use of RFID in Vegas. Here's how it works:

Every chip is RFID'd, and registered to players.

Every table is a sensor that reads the RFID chips.

Additional sensors sit throughout the casino.

Now the operators can:
1. prevent chip switching scams.
2. know - in real time - the specific bets being made by individuals at tables.
3. provide CRM accordingly.
4. guard against employee theft.

Imagine watching every chip in play *live* on a wall of monitors. That's something I'd like to see.....and a far cry from Benny Siegel's initial vision.

ejnorlin at 03:52 AM MST
On PKI  #

Jon Udell, one of the original attendees of the Digital ID World conference, reports on PKI deployments from Dartmouth College's annual gathering.

I've been digging into the roots of the TCG lately - and kicking around in PKI as a result...the roots of identity, they do run deep.

ejnorlin at 03:45 AM MST
August 09, 2005
Twenty-five Percent ROI  #

A good piece that looks at the ROI of RFID in Gillette's recent deployment.

Quoting:
Using RFID, both the retailer and Gillette were able to track the time elapsed between events and strategize how to reduce the pain points the next time. If Gillette can move product so it gets where it needs to be when it needs to be there, it means products are on the shelf when consumers want to buy them — a major step forward.

Factoring in productivity savings of 20 percent per DC, in addition to improved product availability on retailer shelves, Cantwell estimates Gillette has realized a return on its RFID investments in excess of 25 percent.

This isn’t hype. This is reality.

ejnorlin at 09:29 AM MST
Alternative Payment Systems Catching On?  #

I'm guessing that alternative payment systems (all of which are identity-based in some fashion) are beginning to catch on. I say that because Forbes has run an article talking about how "Jetsons" it all is....

...and Forbes tends to be behind the actual curve. Hence...

ejnorlin at 09:07 AM MST
SenderID - an identity crisis  #

CNet has a really well written article about how email is failing - and the proposed solutions like SenderID.

Quoting:
"There is an identity crisis for e-mail right now," said Samantha McManus, a business strategy manager at Microsoft. "The e-mail infrastructure was built in a different era, when you actually knew who was sending you e-mail and you did not have to worry."

Phishing uses spam e-mail with a forged sender name and a link to a fraudulent Web site in an attempt to trick the victim into giving up sensitive personal information such as passwords. That fraud scheme and other cyberthreats are taking a toll on consumer confidence that will inhibit e-commerce growth in the United States by up to 3 percent in the next three years, Gartner predicted in June. In the same survey, the research firm found that more than 80 percent of online consumers in the United States distrust e-mails from individuals or consumers they don't know.

ejnorlin at 09:02 AM MST
August 08, 2005
Digital Identity Templates  #

Phil Windley has posted some Identity Policy Templates that accompany his upcoming book on digital identity. They look helpful...

ejnorlin at 08:56 AM MST
From OScon  #

Okay - I wasn't there, but my sources ;-) tell me that identity was one of the big topics at OScon --- Dick Hardt, CEO of Sxip gave a keynote, LID presented, as did Passel.

Nice to see identity get the attention of the open source world...

ejnorlin at 06:12 AM MST
Bright Vistas?  #

Stephen Levy's most recent Newsweek column covers the launch of Vista (formerly Longhorn) - with the note that the majority of the improvements are in the area of security.

It's of interest that Levy talks about the transformation of users from 1995 to today - and how beleaguered the average net user has become. I would allege (of course) that this is primarily an identity problem.

I jokingly wrote "Norlin's Maxim" several years ago -- namely, that the Net drags everything it touches increasingly into the public domain (business process, personal info, media, etc). And that the only viable protection for the things that the net touches is an identity-based solution.

Along those lines, Vista is getting there - though I fear that the top-level at Microsoft does not see identity as the unifying thread (that's just a gut-level hunch).

I think I feel an article coming on....

ejnorlin at 05:58 AM MST
August 05, 2005
Apple's Use of TPM Causes Panic in the Ranks  #

This story from CNET pretty much exemplifies everything that is wrong with the current round of coverage of the "Apple is using a Trusted Computing Chip - Grab Your Pitchforks and Do Something to Stop it!" controversy. Eric is doing a lot of research right now to discern the "true facts" of the case, but articles like this one look like they will proliferate before anyone learns what is happening.

Several things occur to me when reading it, among them:

1. The *first* reaction is that the reason Apple is "doing this" is so that people can't run their X86 OS on non-Apple machines. I guess all I can say here is I find many things about this being the first reaction both strange and interesting...

2. An example of the totally emotional and non-thinking nature of the reaction is the person this article cites who says he'll "remove his Apple tattoo should the company include the security chip in its new Macintosh products, which are expected to be on sale by next summer." I'm sure Steve Jobs is already rethinking his strategy based on this "customer feedback."

3. That the people panicking have no real understanding of what a TPM is can be found in the remark "the TPM could compromise the privacy of users because of the identifying number built into the chip." This is a fear that harkens back to the Intel CPU serial number controversy of several years ago. However TPMs have no such "identifying number" because they work in a very different way based on digital certificates, encryption, etc. And they can protect privacy every bit as much as compromise it depending on how they are used. In fact, if incorrectly used, they can make things so private that even the owner can't get to it!

Several years into the trusted computing saga, I had hoped that the fact that several million computers equipped with TPM chips are in everyday use might have gotten us past this Luddite reaction of fear of technology that isn't understood. Apparently we still have to go through it a few more times.

But is it too much to ask that at least *the journalists who report on it* learn enough of what they are talking about that they not spread misinformation to feed the panic?

pbecker at 09:56 AM MST
Identity Blogging  #

Blogs are, of course, now ubiquitous. Still, it is a bit rare to find a company blog that's informative, interesting, personable, etc.....

As it turns out, we have one in our own industry (and I'm not talking about Jonathan Schwartz's blog) - Trusted Network Technologies' Know Identity is an interesting collection of thoughts, ponderings, anecdotes and concerns (such as when their CEO and family was in London during the recent blasts). All in all - lotsa fun - and a read I recommend.

ejnorlin at 04:27 AM MST
August 04, 2005
A Pile of TPM Links  #

Now I'm digging into the TPM/Apple controversy -- specifically, trying to clear up the confusion on what is what is what (ie, "Palladium" is not TPM - it's actually much more and much different).

To that end, a pile of links that I'm sorting through:

Clarifying Misinformation about TCPA - a really thorough explanation of why DRM, "Palladium" and TPM are *not* the same thing.

Against the TCPA - this is almost funny, if only because the site claims that computers and the internet *gave* me my freedom --- see, and I always thought those rights were inalienable ;-)

A Matter of Trust - TPM in the context of SOA.

TCG Home - home of the Trusted Computing Group

Infineon's TPM site - Infineon's explanation of their TPM chip.

More to follow...

Later:
A report on Open for Business reports that Apple is *not* including the TPM in their Intel chip architecture.

Don't worry, I'm still going to write this article - namely to dispel things like this:

"Earlier reports circulating around the Internet concerning Apple's inclusion of a Trusted Platform Module (TPM) chip in Intel-based Macs were incorrect, OfB has learned. News of the inclusion of the chip, based on the technology formerly known as Palladium..."

That was written by this site's Editor in Chief. Please note: the TPM has *never* been based on technology formerly known as Palladium (now NGSCB).

Perhaps there's a larger issue here - a philosophical one that surrounds the FUD being fostered against TPM.

ejnorlin at 04:46 AM MST
August 03, 2005
Dave Kearns on User-centric Identity  #

Dave Kearns of NetworkWorld has a good post highlighting the attention that user-centric identity is getting lately. Quoting:

Most identity theft is accomplished through old-fashioned fraud or new-fashioned dumpster-diving followed by authentication fraud. It's just a modern twist on the old bunko, a con game with a wider range of victims. Putting users in control of their own data, and needing to approve and verify its dispersal, could cut a majority of this fraud. Making lending and credit-granting institutions verify their applicants through authoritative sources with the consent of the user could wipe out most of the rest of this fraud.

Institutions seem powerless to prevent the fraud from happening. Or are simply reluctant to take the steps necessary. Users have a much bigger stake. Empower them to protect themselves. LID, Sxip and other user-centric identity schemes are not, as yet, fully-baked but they are showing the way.

User-centric identity is an idea whose time has come, it's time that the corporate world recognized it.

ejnorlin at 03:41 AM MST
August 02, 2005
IIW 2005  #

Phil Windley has announced the Internet Identity Workshop (IIW 2005) at the end of October on the campus of Stanford.

Phil has been a long-time friend of DIDW (he was at our first show), and I'm quite glad to see him launch this (I will be there)....

ejnorlin at 05:28 AM MST
Somewhere beyond wrong  #

Slashdot hysteria seems to be running as usual - as they post the horrifying idea that Apple's Intel chip may have TCPA in it (picture women and children screaming as Godzilla destroys a city).

For those that need the refresher - TCPA is the work of the Trusted Computing Group. It has been shipping in IBM ThinkPads and HP laptops for over 12 months now -- and the primary application is to secure the bootup process and password access for remote computers in a *corporate* environment.

It is radically different from the concept of DRM - and the idea that a slashdotter would call it that is clearly either A) ignorance or B) an attempt to bring FUD to a crowd that is quick to FUD.

Furthermore, TCPA is not like the "palladium" work that Peter Biddle's group has been working on at Microsoft. Ugh - I can't stand this kind of confusion around what is a really good group of people doing really good work.

I can see a TCPA article in my future....

ejnorlin at 05:25 AM MST