29.01.2013 by Dave Kearns
Over 25 years ago I started in the networked computer field worrying about authentication, usernames and passwords. And despite all the weeping and wailing about passwords in the intervening years, I still spend an inordinate amount of time thinking, writing and speaking about them.
Just last week, Oracle’s Mike Neuenschwander (formerly with The Burton Group) organized a lively tweet chat on authentication issues (search Twitter for #authchat to see what’s left of the thread) which showed surprising agreement about the future of passwords for authentication.
The week before, Google had announced what the press called a “war on passwords,” when they rolled out a beta project to use Yubikey hardware tokens in a Near Field Communication (NFC) system for authentication. My colleague Martin Kuppinger looked at this possibility just the other day, and liked it – with cautions.
The thing is, most analysts, IT execs, security professionals and others with a stake in authentication services agree that passwords should be removed from the process. They’re inherently insecure, someone recently speculated that the “secure lifespan” of a new password (the time it would take to crack it) is down to less than a second, on average.
The hundreds of data breaches in just the past year unveiled hundreds of thousands of passwords. While many bemoaned the simplicity of the passwords people choose (“password,” “qwerty,” “12345,” “monkey”) and demand more complexity others note that the more complex the password the more often a user will write it on a sticky note attached to their monitor.
It was just over a year ago I suggested going to a Privileged Management (PxM) system, called by some Privileged User Management (PUM), and by others Priveleged Account Management as sort of an SSO on steroids answer to the password problem.
The basic idea is that passwords are here to stay, and all we can hope to do is to reduce our dependence on them or reduce their exposure. By configuring the PxM-SSO system to reset passwords after every use; to use complex combinations of letters, numbers, upper/lower case and other marks; and to never reveal the password chosen that we increase significantly the amount of time needed to break the password. In other words, if we make it more expensive to break in to the system then the value derived from the break-in we reduced the incentive for the cracker. As the old proverb goes, when a group is being chased by a bear you don’t have to be the fastest runner just faster that the slowest.
Of course, as many have pointed out, that “solution” doesn’t remove passwords at all. That’s very true, but also well beside the point. There is no solution that, in the foreseeable future, will remove all reliance on passwords, especially when we speak about the mobile market.
Ever since Apple acquired AuthenTec (maker of 2D finger print sensors), there’s been talk that the next iPhone (either the 6 or the 5S) will include a fingerprint reader. I’ve been waiting for that development for four years, sBut as one wag commented, most smartphones have shiny surfaces which any thief should find to be very thick with fingerprints that could be lifted and reused .
Whether or not that development leads to a use of biometrics rather than a PIN to unlock a smartphone is still problematic. Too many people seem to make a living out of denigrating biometrics for authentication. Lurid tales of people having their digits cut off to fool fingerprint readers are scary, if not very truthful.
Near Field Communications (NFC), used in devices such as the Yubico Yubikey being looked at by Google, is simply a refinement of RFID with a much smaller range. In this case, smaller is supposedly better. RFID has been criticized for broadcasting data too far, allowing the nefarious to “eavesdrop” on communications and harvest all sorts of interesting “stuff”. But NFC devices still have the same flaw, what could be the same fatal flaw, that RFID devices have. It’s the device itself that’s being authenticated no matter who is in possession of it. No matter what form factor the NFC device takes – the credit card sized bit of plastic that Martin favors or the wearable ring that Google is talking about – it’s still quite possible for it to fall into the hands of the cracker with no need for lopping off fingers.
Proponents of NFC devices say that multi-factor authentication is the key. Invariable, this leads us back to a password, a PIN, a passphrase or other shared secret. Well, for many it does. I still prefer a biometric as the second factor. But those who feel a password can be used frequently call for a one-time password (OTP) distributed out-of-band (perhaps by SMS message). The recent Eurograpper exploit should give us pause when considering that solution.
Last week’s #authchat tweet chat pretty much concluded in general consensus about two things: 1) password authentication is bad; 2) passwords are going to be around for a long time, although perhaps in a diminished role.
Winston Churchill once said: “democracy is the worst form of Government except for all those other forms that have been tried from time to time.” Could we paraphrase that and say passwords are the worst form of authentication except for all those other methods that have been tried from time to time? And if we will continue to use passwords, in one way or another, which is the best way? Should we have one strong password we use for all authentications? Different strong passwords for each authentication? A combination where an SSO/PAM handles different strong passwords for each authentication while being accessed by one strong password at initialization?
Here’s the question I want to leave you with today: if you want to protect your eggs, do you hide them – individually – all over the farm or do you put them all in one basket and hide it under a hay rick?
In my days as a network manager I learned that there’s always a bottleneck in the network where traffic slows. When you fix that, then another place becomes the bottleneck. It’s the same with authentication – we can always identify the weak point, but when we fix it doesn’t something else become the weak point?
15.01.2013 by Dave Kearns
Last time out, I ended by saying “Next time we’ll take a look at two ideas that, hopefully, will be the talk of 2013.” I lied. Depending on how you look at it, it’s either four ideas – or one idea. And there’s sure to be a buzzword/phrase/abbreviation/acronym or two coming about from it – or them.
I do know that there are four concepts, known fairly well within the identity community, that need to coalesce to create a grand scheme which can be turned into a buzz phrase and picked up by the general media so let’s take a look and see how they’ll fit together.
At the root of the grand idea is The API Economy. There’s much more about this in our Advisory note, “The Open API Economy,” but here’s a quick run-thru:
“The core thesis of this document is that the entire industry is moving towards exposing core competency to programmers, partners, customers and other constituents through APIs. The trend is so important to the current and future success of organizations that it is referred to in this document as an “economy”. The word “open” is often added in front of API and the API economy. Open does not mean “free” necessarily, but is intended to mean “accessible.” Accessibility is measured by both availability and how well it is documented for use.”
With the number of available APIs for services growing at an exponential rate, the second component of the grand idea can become more than just an abstract concept.
The personal data ecosystem (PDE) is an idea we’ve kicked around in one form or another for over a decade. As Ottawa Privacy Commissioner Anne Cavoukian has defined it:
“The Personal Data Ecosystem (PDE) is the emerging landscape of companies and organizations that believe individuals should control their personal data, and who make available a growing number of tools and technologies to enable this. Aside from legal requirements, the starting premise of the PDE is that individuals control the sharing of their own ‘official record,’ (also called a ‘golden record’) and set the rules as to who can access and use their personal information for what purposes. In this way the individual becomes the central point of data integration, and individuals always have the ability to extract their data and take it wherever they wish.”
But suppose you could take charge of not only distributing your “official record” (from the PDE) but also building and storing it? The API Economy makes that possible. I’ll show you how in a moment.
The third component of the grand idea is enhanced privacy. When you have control over storage and distribution of your personal information, such that other parties don’t need to store data, nor acquire more information then they need, that really enhances the privacy of your information. Let’s take a look at a fairly common example.
You’re thirsty, and head into the pub for a beer. As things work today you’ll most likely need to show some form of government identity document (which includes your birth date) to the server. But that document also includes your name, address, and perhaps other personal information. Many women have found themselves subject to unwanted stalking after showing a driver’s license to a bartender on the make.
But let’s say you could send a message to an identity provider (IdP) who could vouch for the fact that you are of age to order a drink – or simple vouch for the fact that you are “over 18” or “over 21” (no need for the IdP to know where you are). The IdP checks with the source of authority for your age (most likely a government agency) and is assured you are “over 21”. The IdP sends you a message and an encrypted URL which you transfer to the pub’s authorization system which verifies that the answer is “over 21” and that it comes from a legitimate authority. So the pub knows you’re of legal age, but nothing else, and the IdP knows only that you asked a question and they answered it. That’s enhanced privacy.
So how do we get there?
That brings us to the fourth concept of the grand idea – a trust framework. The IdP needs to trust that you are who you say you are; the government agency needs to trust that the IdP is legitimate (as does the pub). All of this will be possible through the use of a trust framework to which all of the parties are subscribed.
Put all these parts together – API economy, personal data store, enhanced privacy, trust framework – and you’ve got what we at KuppingerCole call a Life Management Platform.
For a very detailed look at what we mean see Martin Kuppinger’s advisory note: “Life Management Platforms: Control and Privacy for Personal Data,” but here’s what we’re talking about in a nutshell:
“Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information – information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. They will enable new approaches for privacy and security-aware sharing of that information, without the risk of losing control of that information. “
Martin particularly notes that “Obviously, Life Management Platforms are far more than Personal Data Stores. They not only support a secure store for sensitive personal information. They allow making a better use of that information.”
In fact, a Life Management Platform that combines an API economy, a personal data store, enhanced privacy, and one or more trust frameworks is how we will manage our information and our lives in the years to come.
There’ll be a lot more about this – both the Life Management Platform and all of its components – at the European Identity and Cloud Conference in May and I fully expect (“predict” isn’t the word I want to use here) that the main stream media will be talking about Life Management Platforms by the end of the year – but I can’t foretell what terms, or buzz words, they might use!
02.01.2013 by Dave Kearns
Happy New Year everybody! I’m sure your in-boxes, RSS readers, Linked-in groups, Twitter feeds, magazines and other periodicals are all filled right now with predictions for IT in 2013. I’ll have a couple of those myself, but only as they relate to what were the hot buzz topics of 2012.
Each year there are a couple of technologies, catch phrases, acronyms or abbreviations that catch the fancy of the non-technical press and become the “IT buzz words” of the year. Those of us in technology try to do our best to either explain what the buzz words really mean or throw up our hands and nod whenever they are uttered. For example, in 2011 “Cloud computing” was such a buzz phrase. The general press became enamored with the concept and every software vendor (and even some hardware vendors) took it up as a way to sell whatever they were selling. The cloud is now considered ho-hum, even passé, by the general press while we’re still left with implementing cloud-based solutions and strategies.
In 2012, there were two related buzz abbreviations I want to talk about – BYOD (Bring Your Own Device) and MDM (Mobile Device Management).
BYOD wasn’t a new phenomenon, however. I first encountered it 25 years ago when my then VP of marketing came into my office just after New Year’s Day to ask if he could bring his new computer into the office to use on the network rather than the IBM PC (with the “green screen”) that he currently had. His new computer had color and cool games. I had to assure him that his Commodore 64 couldn’t be attached. (Some years later, though, some enterprising Danes created an Ethernet card – and NetWare driver – for the C64. But by then I had moved on, so perhaps someone else hooked up that device.)
RIM Blackberries have been around for a number of years and many a sales and/or marketing person has requested that they be able to access their corporate email & calendar on one. Still, the rise of the iPhone, Android devices and numerous tablets has led to a far bigger clamor for employee access to corporate assets on “their” current “new” platform. And that’s what we need to remember – it’s all about enabling different platforms.
At one time, it was about attaching MACs to the PC network, or Linux devices to the Unix workgroup. But it’s been almost 10 years since Vintela (now part of Dell via Quest) and Centrify solved that problem. Indeed, Centrify has now come on to include many mobile platforms in the mix it can authenticate to Active Directory and extended its coverage to cloud-based services.
And, really, that’s the point. While the mass media moan and groan about mobile devices accessing corporate information the real problem is being able to control authentication, authorization and governance on all platforms that could attach to corporate resources – both in the data center and in the cloud. That brings us to the second buzz phrase and abbreviation – MDM.
MDM, Mobile Device Management, is supposed to be the “solution” to BYOD. Well, as long as the “D” is a mobile platform. And it’s quite true that the mobile device is different from, say, the desktop device. But we’ve known that for over 20 years, also. It was 1991 when I acquired my first “portable” (more correctly, luggable) PC. I could take it with me anywhere and – using the built-in 2400 baud modem – connect to the servers and other devices on my corporate network from almost anywhere in the world. I continued to be able to do that with laptops, notebooks, netbooks down to the tablets and smartphones that make up my current traveling devices. Who knows, maybe in a couple of years I’ll only need my Google Glasses! But the bottom line is that we should be talking about device management as a unified technology, not a hodge-podge of separate management solutions for different platforms. My colleague Martin Kuppinger went into this in more detail recently.
AS a corollary to BYOD, many of my technoholic peers have been gushing about BYOI – Bring Your Own Identity. This theory proposes that employees will want to access platforms (particularly cloud platforms) for corporate data using the authentication credentials they’ve used for personal data on those same platforms. But this is a no- brainer. The answer to the question “can I use my personal sign-on for enterprise resources?” is an unqualified “no, you can’t do that.” The enterprise, through its IT department, needs to keep total control of access (and authorization) to the information that is the organization’s “crown jewels”. Without the ability to instantiate, maintain, modify and remove that access you might just as well drop all authorization and the let the world and it’s uncle have unfettered access to your assets. Martin Kuppinger has pointed out to me that, in the past, we’ve agreed that everything around authentication and authorization will become (a) versatile and especially context/risk-based and (b) sort of “unified”. I still agree. Risk/context based authentication and authorization are still the goal I’d like us to aim for. But in my mind, the enterprise needs to be the Identity Provider (IdP) and not the Relying Party (RP) with the sole exception of those instances where one or more 3rd party IdPs has a contractual commitment to the enterprise guaranteeing the authentications and with strong penalties for failure.
As many of you are aware, my colleague Craig Burton created a firestorm late last spring when he announced that SAML was dead – and wrote its obituary. As he, Martin and I all later explained we weren’t announcing an end to the use of SAML – indeed we all pointed out niche areas where it continues to be the best solution – but an end to further development using SAML. I wish I’d thought to pronounce “LDAP is dead” ten years ago before that useful protocol was stretched and twisted beyond anything it was intended for – or was capable of.
So there you have the bottom line for 2012 – stop developing with only SAML in mind (Oauth and OpenID Connect are the future, at least for now) and forget you ever heard BYOD, BYOI or MDM. Tried and true traditional identity protocols and management scenarios will continue to be your best choice in the new year. Fads and buzz words will continue to come and go (mostly go) and their proliferation throughout mass media will continue to add to IT’s burden, but if we all stick to our guns and deliver the goods we know will not only protect the enterprise’s information but will also contribute to a better bottom line then it will be both a happy and a prosperous new year. We here at KuppingerCole will do our best to help you out. Next time we’ll take a look at two ideas that, hopefully, will be the talk of 2013.
18.12.2012 by Dave Kearns
If you’ve never really thought about it, you should realize that the Christmas season is a wonderful time to reflect on identity issues.
As a young child, I wondered why there seemed to be so many Santa Clauses – all the stores seemed to have one in a “grotto,” while every street corner had one ringing a bell and collecting money in a cauldron.
the only other people I’d ever seen (in books) with a cauldron were witches – but I didn’t make a connection.
It never occurred to me – we didn’t even know the term then – was that it might be a massive case of identity theft, or identity fraud as I like to call it. Still, it didn’t appear that anyone was being defrauded by all of these “Santa’s helpers” who were scattered throughout the city – in fact, throughout every city, at least in North America.
We didn’t know about identity theft/fraud in those days – but was it really Santa’s assets these people posing as St. Nick were after?
They did fit the description of Santa, at least as it was written down by Clement Moore in “The Night before Christmas” –
“He was dressed all in fur, from his head to his foot…
His eyes-how they twinkled! his dimples how merry!
His cheeks were like roses, his nose like a cherry!
His droll little mouth was drawn up like a bow,
And the beard of his chin was as white as the snow.
The stump of a pipe he held tight in his teeth,…
He had a broad face and a little round belly,
That shook when he laughed, like a bowlful of jelly!
He was chubby and plump, a right jolly old elf”
So it was really Santa’s attributes that were taken – dress, hair, skin tone, stature, shape, etc. But why? Well, in a word, trust. The people who put these ersatz Santa’s on the street (and in the shops) wanted us to trust him, just as we had trusted the “real” Santa to deliver the goods on Christmas morning. Those Santas were, in fact, a precursor to the phishing expeditions that are so prevalent today – emails purportedly from our banks and other institutions in whom, presumably, we have trust looking to deprive us of our money, usually – just like the Santa with the cauldron. There’s a lesson to be learned there.
Outside of North America, though, were there Santas and Santas’ helpers? Were the children who lived in those places deprived? Did they get presents on Christmas morning? The answer is an unequivocal “maybe.”
While I did wonder – in an abstract, theoretical way – how Santa could be in so many places in the city, I really wondered how he could get to every child in the world between midnight and dawn on December 25th. “That’s just six hours,” I thought. Later, after learning about time zones, I realized it could stretch to 30 hours. Still, an awfully short time. Then I realized that not everyone followed the Christian tradition – not all children waited for Santa Claus to visit – certainly not the Jewish, Muslim, Hindu, Buddhist and other non-christian believers. I did know some equivocating atheists, though.
Further study led me to the realization that, in fact, Santa didn’t travel the whole world in one night. Children got gifts on a schedule spread out over a month – from Dec. 6 (the feast of St. Nicholas) through to Twelfth night – Jan 6, the feast of the Epiphany. But why didn’t I know this sooner?
It all has to do with “persona”. Santa Claus is, in fact, just one of the personas of the historical St. Nicholas, bishop of Myra in Greece (now Turkey) during the third century of the current era. There are more than 60 different personas for St. Nicholas, each having the attribute of delivering gifts to good little girls and boys. But they have different descriptions and – most importantly – deliver the goods on different days/nights of the year. The different personas vary from country to country, from ethnicity to ethnicity and are often modified to fit different religious (although mostly Christian) and pagan beliefs.
Juelie “Santalady” McLean has compiled a list of all of the gift givers associated with the Christmas season and provided a list by country:
ARMENIA – Gaghant Baba
AUSTRIA –Christkind, Niklo
AUSTRALIA – Santa Claus, Father Christmas
AZERBAIJANI – Shakhta Babah
BELGIUM – Saint Nicholas, Christkind, Kerstman
BRAZIL – Papai Noel, Vovo Indo
BULGARIA – Diado Coleda
CANADA – Santa Claus, Santa Clause, Belsnickel
CHINA- Dun Che Lao Ren, Shengdan Laoren
COLOMBIA – El Nino Jesus
COSTA RICA – El Nino Jesus
CZECH REPUBLIC – Svaty Mikulas, Cert (helper)
DENMARK – Julemanden, Julemand, Juul Nisse (helpers), Julenisse, Julinisse
ENGLAND – Father Christmas
ESTONIA – Jouluvana
FINLAND – Joulupukki, Christmas Bock
FINLANDSSVENSKAR (Swedish speaking Finns) – Julgubben
FRANCE – lePetit, Le Petit Jesus, Aunt Airie, Tante Aria, Mother Air, Père Noël, Pére Noel, Pre Fouettard (helper)
GERMANY Pelze-Nicol, Pelznickel, Fur Clad Nicholas, Christkind, Weihnachtsmann, Kriss Kringle, Shaggy Goat, Rider, Nicholas with Ashes, Ashenclos, Belsnickle, St. Nicholas, Klaasbuur, Burklaas, Rauklas, Bullerklaas, Sunnercla, Bartel (helper), Swart Peter (helper)
GERMANY Northern – Weinacht (holly night)
GERMANY Northwest – Pelzebock (helper), Gumphinkel (helper)
GERMANY Rhineland – Hans Muff (helper)
GERMANY Southern – Knecht Ruprecht (helper), Krampus (helper)
GREECE – Agios Vassilios, Hagios Nikolaos
HAWAII – Kanakaloka
HINDU – Ganesha
HOLLAND – Sinterklaas, SinterKlass, Zwarte Pieten (helper), De Kerstman
HONG KONG – Sing dan lo ian
HUNGARY – Karácsony Apó, Télapó
ICELAND – Jolasveinn
IRELAND – Santy, Santa Clause
ITALY – La Befana, Befano, Babbo Natale
INDIA – Ganesha
JAPAN – Santa Kurohsu, Hoteisho, Hoteiosho, Jizo, Santa no ojisan
LATVIA – Ziemmassve’tku veci’tis, Winter Holiday Old Man, Santa Klausam
LIBERIA – Black Peter
LITHUANIA – Kaledu Senis
MEXICO – El Nino Jesus, Three Kings, Black Peter
NETHERLANDS – Sint Nikolass, Zwart Piet (helper), Black Pete, Kerstman
NEW ZEALAND – Santa Claus, Father Christmas
NORWAY – Julenisse, Julenissen, Julebukk
PALESTINE – La Befana
PERU – Papa Noel
POLAND – Star Man, Wise Man, Swiety Mikolaj, Gwiazdor
PORTUGAL – Menino Jesus, Pai Natal, Pia Natal
PUERTO RICO – Three kings
ROMANIA – Mos Craciun
RUSSIA – St. Nicholas, Father Frost, Ded Moroz, Grandfather Frost, Snegurochka, Snow Maiden, Babouschka
SERBO-CORATIAN – Bozic Bata
SCANDINAVIA – Juleniss, Oden
SCOTLAND – Santa Clause
SICILY – St. Lucia
SLOVENIA – Bozicek, Miklavz, Jezuscek, Dedek Mraz
SPAIN – Papa Noel, Los Reyes Magos (Magic Kings-Three Wise Men – Melchor, Gaspar and Baltasar), Olentzero
SWEDEN – Tomte, Jultomten, Tomten, Julbocken, St. Lucia
SWITZERLAND – Samiclaus, Samichlaus, Schmutzli (helper)
TURKEY – St. Nicholars, St. Nick
URUGUAY – Feliz Navidad, Jolly Old Elf, The Magi
UNITED STATES – Santa Clause, Santa Claus, Kris Kringle
VENEZUELA – San Nicol‡s, Ni–o Jesœs
WALES – Ilwyd, Sion Corn
YUGOSLAVIA – Deda Mraz
Hopefully he (she?, they? – check those names carefully!) doesn’t need to remember a different password for each, although juggling all those passports could be a problem.
So different personas come at different times during the gift giving season but by keeping each in a national or ethnic “silo” no one realized that they could attempt to compound their gift receiving by, for example, writing a letter to a few different personas.
So that’s the take-away this holiday season – identity is bound-up in trust while personas are attempts to compartmentalize our lives. Two ideas we’ll be taking up again in the new year – Happy Holidays!
04.12.2012 by Dave Kearns
Back in August (“Open Source IAM – is it right for you?”) I wrote about my friend Brad Tumy’s Open Source Identity Solutions list and spent a paragraph or two on ForgeRock OpenAMб which, I told myself, I’d try to get back to with more information for you. So recently I chatted with ForgeRock’s John Barco (director of product marketing) and Jamie Nelson (Vice President of Engineering), both of whom I’d first met when they were at Sun Microsystems. John & Jamie filled me in and what’s happening with ForgeRock, and I’d like to pass that information along to you. First, though, I want to talk about a surprise I had recently.
It’s a new book on an Identity subject! It’s been a number of years since I’ve seen a new, “dead trees”, tome about Identity but here was one. It has the less-than-catchy title of Microsoft Forefront Identity Manager 2012 R2 Handbook. On the other hand, you know right away what it’s about. And that’s everything you need to know about FIM 2012R2. Published by the UK’s Packt Publishing Co., and written by Kent Nordström, a sub-contractor to Microsoft Consulting Services, the book, while dry, is far from the mind-numbing handbooks we were familiar with in the 90’s. Instead, it is presented as a (fictional) case study of a company implementing FIM 2010R2. It’s detail-rich, but quite readable cover to cover as well as being easy to use as a post-implementation reference. If you’re interested in Forefront Identity Manager, this is a good bet for you.
Now back to ForgeRock.
John & Jamie reminded me that the world, and the world of Identity, had changed considerably from the one we talked about when we’d first met a decade ago. Today’s Identity stack needed:
- To support enterprise, social, mobile & cloud environments
- Lightweight APIs for easy, accessible adoption
- To play well with others – developers, partners, competitors
- Internet Scale
Fortunately, they said that ForgeRock had these characteristics:
- Unified platform (Not a marketing bundle)
- Identity Everywhere – Enterprise, Cloud, Social & Mobile
- Simple, lightweight, developer friendly API
- Internet Scale for big data identity transactions
The three major modules (OpenAM, OpenIDM, OpenDJ), they told me, were developed together, not bolted on to one another as some other Identity stacks are. They share a common API, common modules and a common user interface.
OpenAM (Access Management) they consider the first “All-in-One” Access Management solution delivered as a single, unified product. It includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product.
OpenIDM (provisioning) they referred to as “Lightweight Provisioning at Internet Scale.” They contend that it is the only User Administration and Provisioning solution purpose-built to manage user access and accounts across enterprise, cloud, social, and mobile environments.
OpenDJ (directory services) is not your father’s directory. With OpenDJ, according to Nelson, you no longer need to be an LDAP expert; you can choose either LDAP or REST to access identity data using a single solution that can replicate data across on and off-premise applications. That’s important to today’s software developers I’m told.
I can’t hope to go into all of the relevant details here so you should check the website, download the data sheets and see if there’s a good fit for what you want to do. Meanwhile, I’ll continue with what John, Jamie and I talked about.
The software is being used in over 130 countries worldwide with North America and Europe having relatively equal shares of almost 50%. What didn’t surprise me was learning that over 50% of the company are former Sun Microsystem employees including almost all of the executive staff.
I did wonder about scalability, not something open source products are usually known for. Barco noted that one client using OpenAM (a telecommunications giant) had over 40 million user accounts in play and implied that hardware, not software, was the only bottleneck they’d encountered.
As you should know, here at KuppingerCole we’re very much in favor of Identity as a Service (IDaaS) and I was pleased to learn that the OpenForge Identity Stack was ready to go for any service provider wishing to offer a cloud-based identity solution. The guys explained:
- Multi-tenant architecture enables a single instance of OpenAM to serve multiple organizations (tenants)
- Designed for a service provider to virtually partition data across multiple customer environments, and configured for a secure, customized virtual instance
- Dynamically scales as needed, with the ability to add and remove capacity if and when it is required
From the user’s perspective, OpenAM is as easy to use as IDaaS as it is as a traditional desktop system:
- Enables users to sign in once and launch their web applications by simply clicking an icon in the Cloud Dashboard
- Cloud Dashboard login increases user productivity and significantly strengthens security by hiding the complexity of URLs, passwords, and usernames unique to each service
- Admins can easily create federated SSO connections with SaaS apps via the GUI-based wizard or can use Salesforce.com, Google Apps, or WebEx connectors provided out of the box
All-in-all, the OpenForge Open Identity Stack is a worthy opponent to the high-flying corporate Identity Suites on the market today and well deserves a look-in from you. Scott McNealy, former CEO of Sun and an advisor to ForgeRock recently said ““Knowing who’s who, what’s what and who gets access to what is the holy grail of web and cloud computing.” I couldn’t have said it better myself.
20.11.2012 by Dave Kearns
SWIFT, the Society for Worldwide Interbank Financial Telecommunication was created in 1973 as a cooperative within the financial community with the mission of creating a shared worldwide data processing and communications link and a common language for international financial transactions. It should need stating, but I will: this activity involves the secure exchange of proprietary data while ensuring its confidentiality and integrity. Through the end of September this year, SWIFT had handled 3,424,307,411 messages – that’s over 18 million a day, and the totals continue to grow.
In 2009, SWIFT Launched Innotribe to enable collaborative innovation in financial services. Innotribe brings together strategists, business and technology leaders, trend-setters and trend-watchers, and thinkers interested in taking action and shaping the future. Innotribe events facilitate collaborative innovation – exploration and understanding of new trends and their impacts, as well as idea generation and solutions shaping.
Every year Sibos, facilitated and organized by SWIFT for the SWIFT community, brings together influential leaders from financial institutions, market infrastructures, multinational corporations and technology partners to do business and shape the future of the financial industry. Sibos Osaka was held at the end of October this year.
At the Osaka meeting, Innotribe unveiled the results of the Digital Assets Grid (DAG) project, a project to bring the institution-to-institution messaging of SWIFT down to a peer-to-peer system. The project was undertaken with the cooperation of the Respect Network (mentioned in the last issue, and winner of the EIC Privacy award in 2011), Ctrl-Shift and Kynetx. Phil Windley, CEO of Kynetx (and co-founder of the Internet Identity Workshop) gave one of the best explanations of the work:
“While many of us share digital assets every day and store them on various Web sites, these are, for the most part, assets of low value or low consequence. Few of us would feel safe conducting a complex banking transaction on Twitter or Facebook. In contrast, the DAG would provide a way of conducting transactions involving any high-consequence digital asset on the open Internet but with Swift-grade security and privacy. The DAG is conceived as a set of services built on top of the open, standards-based Internet. Swift is working on the DAG to position banks as platforms upon which online services can be built.”
Innotribe also commissioned a video, called “Slices of Life,” which shows how the DAG could affect real people in their daily lives. You should take a look. I’ll wait until you’re finished.
Finished? Great, now you understand how transformative this project can, and will, be. Will be, because the trust necessary for it to be successful is ingrained in SWIFT, an organization who perfected risk management before we had a term for that practice.
Respect Networks CEO Gary Rowe (formerly president of the Burton Group) said of the project: “The Respect Network’s mission of building a trusted network for personal data exchange and SWIFT’s vision for the Digital Asset Grid for safe sharing of all types of digital assets are perfectly aligned.” Respect Networks founder Drummond Reed offered a presentation of a DAG prototype project, the “Forever cloud address book,” as part of the introduction at Sibos. Again, you ought to watch this, it’s important.
Respect Networks was involved in another introduction at Sibos when Dr. Ann Cavoukian, Ontario’s Privacy Commissioner, released a new white paper, “Privacy by Design and the Emerging Personal Data Ecosystem.” It features case studies of the personal data vault (PDV) and platform of Washington D.C.- based Personal Inc., and the personal data network of Respect Networks and was specifically released in conjunction with the announcement of the Digital Assets Grid. You can watch Dr. Cavoukian’s presentation here.
The Personal Data Ecosystem (PDE) goes hand-in-glove with the emerging API economy which my colleague Craig Burton has written about so extensively (see, for example, “Identity in a Post-PC Era”).
AS Dr. Cavoukian describes it:
“The Personal Data Ecosystem (PDE) is the emerging landscape of companies and organizations that believe individuals should control their personal data, and who make available a growing number of tools and technologies to enable this. Aside from legal requirements, the starting premise of the PDE is that individuals control the sharing of their own ‘official record,’ (also called a ‘golden record’) and set the rules as to who can access and use their personal information for what purposes. In this way the individual becomes the central point of data integration, and individuals always have the ability to extract their data and take it wherever they wish.”
It’s nice when others climb on the bandwagon with you – even if it’s been 10 years since I climbed aboard (but I did get to pick the best seat!). Back in 2002, in a column called “The need for a personal directory,” I wrote:
“What I’m envisioning is something like the personal directory, stored and controlled by each user on their own platform, but linked to the larger, worldwide directory tree (or trees, using some sort of federated technology). Access controls – just like those on the objects and attributes on existing directory trees – would be used to determine which information was shared and with whom it was shared.
Through the use of encryption technology, the information could be replicated to one or more storage areas throughout the network so that the user could access it from any platform.
Secure encryption would insure that the actual storage sites wouldn’t matter – only the user could unlock the data. There’d also be no need for Internet vendors to keep data such as shipping and billing addresses, or credit card numbers because these would be instantly available with each new order – and would be (hopefully) more correct and up to date than information stored at the vendor’s site for months or years.”
The personal directory, the API economy, the Persona Data Ecosystem and the Digital Assets Grid. As it says in the Old Testament (Ecclesiastes 1:9): “What has been will be again, what has been done will be done again; there is nothing new under the sun.”
06.11.2012 by Dave Kearns
In our last outing about trust (“Who do you trust?”), I concluded:
“In the end, we know that Trust is a binary condition which has attributes – you trust “an entity” for “a task”. Trust on-line can be calculated by doing a risk assessment (amount of loss times probability of loss) and seeing if the product of that assessment is lower than your pre-set “trust threshold”. Calculating the probability of loss involves factoring in experience or reputation. So, when you get to the bottom of it, trust is inextricably tied up with reputation.”
But how can we assess or calculate reputation? And does it matter? Joan Jett sang “An’ I don’t give a damn ’bout my bad reputation Oh no, not me” but do you?
Pay close attention, this could get convoluted.
There’s an old proverb which says that character is the story you write about yourself, reputation is the story others write about you. Reputation, then, is what other people think about you. And the more people who “think” something – that is, they hold the same opinion about something, such as you – then the stronger the reputation is. It doesn’t matter if it’s true, false or somewhere in between – once that reputation is fixed in people’s minds it’s very hard to change.
The EU’s “Right to be forgotten” does bring up the possibility of at least minimally being able to control our own reputation, but that’s a topic for another day.
One way we use to determine the reputation of something is through reviews. Newspapers and magazines (yes, I know about on-line – we’ll get to that in a moment) often contain reviews of restaurants, movies, music, theater, etc. But can a single review tell us if we would like the thing being reviewed? It could, provided we knew the reputation of the reviewer. That reputation is simply our opinion of the reviewer based on reading numerous reviews by them and comparing those to our personal experience of the thing being reviewed. Knowing the reviewer’s reputation, we can read each review as if through filtered glasses to see it skewed to fit our judgment of what the reviewer likes and dislikes. Can we do that on-line?
Well, yes, Those same reviews are published on-line. But there’s also a wealth of other reviews, by people who aren’t “professional” reviewers and who may review only one or a handful of things. Let’s look at one web site as an example.
TripAdvisor says of itself that it offers “trusted advice from real travelers” – and it enjoys a fairly good reputation among travelers and tourists. If you’ve not used the site, a brief description: generally, you will search for a country, city, town or village. Within each you can find lists ranking hotels, restaurants, attractions and more as well as travel guides and “tips” from locals as well as frequent visitors. The rankings are compiled by ratings and reviews given by people who have been to the particular hotel, restaurant, attraction, etc. If we pick a city, say Munich, Germany, we see that the Mandarin Orientale is the top rated hotel. 264 out of 297 reviews have rated it with 5 stars, 20 with 4 stars, 10 with 3 stars and none lower. Compare with the Hotel Blutenburg which is ranked #361 – it had 2 reviews with 3 stars and 2 with 2 stars. It might be a decent place to stay, but there aren’t enough reviews to draw a good conclusion. This is a result of what James Surowiecki calls “Coordination of behavior” in his famous book “The Wisdom of Crowds,” and he even includes an example which shows optimization in the utilization of a popular bar. The idea, for TripAdvisor, is that the more people who review a place, the more likely that the sum of their opinions will reflect a true picture of the place – in short, the better formed is that story that is the place’s reputation.
Still, if you read enough hotel reviews and if you know what YOU want in a hotel, then even the minimal four reviews for the Hotel Blutenburg can be telling. For example, one of the 2 star reviews noted that the hotel was downgraded because “My biggest problem was the wifi connection, present but not included and quite expensive.” And “Breakfast included is barely ok, not so many choices.” If wifi and breakfast are important to you, than you should give this review more weight. Otherwise, the reviewer said, “My room was big and quiet enough, with a nice big balcony away from the main road. For the rest, it was a normal room.” So if you don’t need wifi and don’t care about breakfast this could be a good choice for you. I always make it a point to read the reviews to discover, if I can, the reasons behind the ratings. I once read a review of a restaurant by a woman who downgraded the place severely because the waiter placed a dinner roll upside-down on her bread and butter plate!
Besides review sites, such as TripAdvisor, we also consider reputations when we buy things on-line. Amazon, eBay and other retail sites also provide ratings and reviews of their merchants so that we can gauge their reputations and decide on a “trust factor” for them. But what about people – how do those web sites decide to trust us, and how can we decide to trust someone else?
First, some words of caution. Remember that reputation is a factor in assessing risk, and trust is granted when the risk assessment is below our trust threshold, so trust is dependent on reputation. Keep that in mind as we go forward. Also, neither trust not reputation is transferable: if a trusts b and b trusts c, it does not follow that a should trust c simply because b does, a needs to form their own opinion of c’s reputation. Od course, if b has a reputation as an excellent judge of character, then a might rely on b’s trust of c to also trust c – at least in a specific area. Remember, a reputation in one area does not imply a similar reputation in another: I may, for example, be known as an excellent dinner table companion because of my extensive knowledge of wine and my ability as a raconteur to keep you entertained with interesting stories (there’s also my humility!). But that reputation doesn’t mean that you should rely on my statements of directions for navigating the back roads of Manitoba (where I’ve never been). Reputation must be fixed to a fairly well defined and fine-grained area.
In the off-line world we make these judgments about people all the time. How can we do that in cyberspace, though?
At the 2011 European Identity and Cloud Conference, the Privacy award (and, remember, we got to reputation by starting at privacy) was given to connect.me and the Respect Trust Framework for a “new approach to building a personal trust network by layering on top of social networks and using peer-to-peer vouching”. Vouching is, in effect, reputation or trust transference – if a vouches for b as a thoughtful analyst, and a has a good reputation with c as a judge of analysts than c will accord trust to b in an analytical situation. Follow that? That’s exactly how connect.me works. If you are unfamiliar with the service, see “How it Works” for the details. Essentially, it’s a reputation service for the Respect Trust Framework – together they bring reputation, trust and privacy to the on-line world through five principles: A promise of permission, protection, portability, and proof. It is self-described as “a network-wide reputation system with four escalating levels of trust as the primary enforcement mechanism for compliance with the trust framework. This unique form of self-regulation provides a strong incentive for every member of the network to ‘do the right thing’ with personal data and communications.”
Learn more at the framework’s web site.
Recently, the Founding Partners of the Respect Network, the SWIFT Innotribe Incubation Fund’s Digital Assets Grid and our old friend Dr. Ann Cavoukian, Ontario’s Privacy Commissioner all came together in Japan for what could be a breakthrough on the privacy, trust and reputation fronts. See how it all comes together in the next issue.
23.10.2012 by Dave Kearns
Trust. Most people understand the concept of “trust”, but most people are also at somewhat of a loss for words when asked to define that concept, especially in terms of on-line transactions and digital identities.
I mentioned recently that I’m involved with the Identity Ecosystem Steering Group (IdESG), part of the US government’s National Strategy for Trusted Identities in Cyberspace (NSTIC). What’s startling, when I think about it, is that the concept of “trust” hasn’t been discussed – or even alluded to – in the approximately 4 to 6 hours per week of meetings I’ve participated in over the past two months.
So, just what is “trust”?
Merriam-Webster on-line defines it as “Trust: assured reliance on the character, ability, strength, or truth of someone or something.” Most of us might agree with that, at least as we use the term “trust” in our daily, not-on-line life.
But currently, for the IdESG, the US National Institute for Standards and Technology (the government caretaker for NSTIC) has a more internet-oriented definition: “Trust: A characteristic of an entity that indicates its ability to perform certain functions or services correctly, fairly, and impartially, along with assurance that the entity and its identifier are genuine.” [NIST SP 800-130]
In life outside the ‘net, the concept of identity assurance of those entities we trust rarely comes up. We know and recognize our friends, relatives and institutions (bank, post office, workplace, church, school, etc.) because we see them, or visit them, frequently enough. On-line, though, it’s different – as New Yorker Magazine cartoonist Peter Steiner so famously pointed out back in 1993.
So people who are on line want to be able to instantly “trust” a web site they connect to. And the web sites want to instantly “trust” the people who connect to them. The Holy Grail of the internet is finding a way to indicate that that instant trust is warranted.
There are two attributes of trust that we should consider at this point, one is readily understood while the second is more honored in the breach.
First, trust is binary – either you trust someone or something or you don’t. There’s no partial trust. But, secondly, trust is not absolute – there are parameters, filters, boundaries to that trust. Often these are implied by the context in which you use the word “trust”. For example, you might say to your friend Jane: “would you pick up a housewarming present for Alice? I trust you implicitly.” What you’re trusting is: a) Jane’s taste in gifts is similar to your own; and 2) Jane knows Alice well enough to know what she would like. You’re not implying, though, that you would trust Jane to watch your plants/pets while you go away, have an intimate meal with your boyfriend, or write the report your boss is expecting tomorrow. Jane isn’t you and she won’t do everything exactly the way you would (well, except maybe that boyfriend dinner – but that wouldn’t be what you want, either!). The point is that there are limits on the trust we have in other entities.
Another example: when I go to the Post Office and hand a letter to the clerk, I trust it will be delivered to the addressee in a timely fashion, consistent with the class of service I’ve chosen. But I wouldn’t hand the clerk some money and ask him to pick out a birthday card, sign my name and send it to Bill.
One more example: when I go to the jewelry store I’ll often find the door is locked and I need to press a button to ring a bell. After a moment, the door unlocks and I enter – the jeweler has decided to trust that I will not try to rob him. This is much closer to what we’re looking for on the web.
It really isn’t “trust” – it’s risk assessment. The jeweler has watched me, seen my appearance and body language and decided that I am “trustworthy” or, at least, a low risk. It may be that my race, hair and dress meet some pre-conceived notion of trustworthy in his mind (i.e., what we call a prejudice), but that is how he evaluates risk.
Finally, when I go to the bank to take out a loan, the banker will examine my banking history, my credit score, perhaps Google my name to see what news or gossip is available about me – in a word, he looks at my reputation. From this he decides whether or not to issue the loan, that is, whether or not he believes I will repay the loan. It’s really another form of risk assessment.
Trust begins with risk management. At KuppingerCole, we’ve written quite a bit about risk management – from the recent posting by my colleague Martin Kuppinger, to an extensive report describing our view on a GRC (Governance, Risk and Compliance) Reference Architecture, so I won’t go into detail on that, but will say a bit more about the relationship of Risk Management and Trust.
Risk Management is an analog function – the amount of risk varies along a line. Trust, as we noted above, is a binary function – either you trust or you don’t. So how can we connect the two? It’s not really difficult. Risk assessment, according to Wikipedia, is “the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R):, the magnitude of the potential loss (L), and the probability (p) that the loss will occur.” While it may seem simplistic to reduce risk to a mathematical function, this does in fact lend itself well to computational “trust”. It simply means setting the “trust threshold” as a number – if the calculated risk is below that number then Trust is extended. If not, then not.
See how easy that is?
Well, that is easy. But calculating “p”, the probability that a loss will occur, is the hard part. Yet we do it all the time in non-cyberspace. In the examples above, when I ask Jane to pick a gift for Alice I know approximately how much she’ll spend (L – the potential loss) and, based on previous experience, I know that the probability that the loss will occur is extremely small. Let’s say L = $50 and p = 1% so my risk would be (.01 x 50), 50 cents, well below my trust threshold.
When I visit a new website that asks for personal information, what’s the value of my potential loss? And how do I judge the probability of that loss? With Jane, I based the probability on experience, in other words on reputation. Can I form an opinion on the reputation of the website? Possibly – by visiting other web sites which review sites, rate sites or provide badging for sites. For example, go to Maimeo’s Memories, scroll down and on the bottom left click on the “upfront” button. You’ll see a popup with relevant information about the site and know that it’s been verified by “The Find,” an internet shopping and badging authority. Of course, if you aren’t familiar with The Find’s “Upfront” program, then the badge may mean nothing at all to you.
What’s it all mean?
In the end, we know that Trust is a binary condition that has attributes – you trust “an entity” for “a task”. Trust on-line can be calculated by doing a risk assessment (amount of loss times probability of loss) and seeing if the product of that assessment is lower than your pre-set “trust threshold”. Calculating the probability of loss involves factoring in experience or reputation. So, when you get to the bottom of it, trust is inextricably tied up with reputation.
But how can we assess or calculate reputation? Well, that’s a story for another day.
09.10.2012 by Dave Kearns
In my last posting, I stated that “privacy is not anonymity”. I received a few questions about that, so today I want to elaborate on the subject.
Let’s get something out of the way right off the bat – there is not, nor can there be, true “anonymity” on the internet – or almost anywhere else, for that matter. Someone, or something, knows who you are – even if they don’t know your “real” name.
Here’s an illustration from real life.
A man walking his dog, we’ll call him “Mr. A”, gets into an altercation with another man (Mr. B) and knocks him down, then runs away. Speaking to the police, Mr. B describes his attacker as six feet tall, reddish hair, goatee wearing a denim jacket and carrying a Starbucks cup, and his dog was a black Labrador.
The police head to the nearest Starbucks and ask if someone matching that description had been in that morning. “Oh sure,” the barista answers, “he comes in most mornings.” But he always pays cash so the Barista doesn’t know his name or where he lives. “But he calls the dog “swarzie” and has an accent. The brighter police officer recognizes the term as possibly “schwarze,” German for black. He instigates a house-to-house search looking for a German immigrant with a black Labrador and is told that “the man in the first floor apartment speaks German and has a black Lab.”
So without ever knowing the suspect’s name, the police can track him down because a relatively unique set of attributes (description, dog, accent, etc.) identifies the individual who committed the crime. What, on the face of it, would be considered an “anonymous attack” was, in reality, anything but.
On the internet, every computing device that’s connected is identified by a unique number – it’s IP (Internet Protocol) address. This number must be unique so that data can find the device, whether it’s a web page, an email, a tweet or some other form of transaction. Not all IP addresses are fixed for all time, though. Most of us connect through an Internet Service Provider (ISP) who gives us a locally unique IP address which can change every time the connection is renewed. Here’s an example: the router I connect to at my ISP’s site has an IP address of 188.8.131.52, and this is the address it shows to the internet. My connection is given the locally unique identifier of 184.108.40.206 and the router knows my device and can correctly route traffic coming from the internet to that device without actually revealing my (locally unique) IP address. But that router does know that address and – more importantly – who it was assigned to at a given time.
But suppose I don’t use MY computing device – there’s internet cafes, public libraries, and other places. But each of those has other people around who can “identify” me (i.e., give a complete description) or require me to use some form of ID token (credit card, library card, etc.). Using a smartphone or tablet is tracked by the service provider so I can be billed properly. In those instances where I don’t have to be identified by name, the same scenario as the dog-walking Starbucks customer cited above still works.
There really is no true anonymity.
There is, though, relative anonymity or pseudonymity. Pseudonyms have a long history, especially among writers (where they may be known as “pen names” or “noms de plume”). The English author we call George Elliott (“The Mill on the Floss,” “Silas Marner,” “Middlemarch”) was actually a woman named Mary Ann Evans. She used the pen name because, at that time, it was nearly impossible for a woman to be published. The mystery author Ellery Queen was actually a collaboration between two men, Frederic Dannay and Manfred Lee. Even stranger, both of those names are pseudonyms: Dannay was actually Daniel Nathan and Lee was legally Manford Lepofsky!
On the internet, pseudonyms are normally referred to as personas or “digital identities” and people can have many of them. Why? Here’s a scenario:
Samantha Smith teaches first grade at the Houston Christian Day School. As such, she’s agreed to behave in such a way as to not reflect badly on the school. But Ms. Smith does like to flirt and does like to read and write “adult” material. So she has joined an on-line forum for folks with similar tastes where she is known by the handle “NaughtyGirl”. No one on the forum knows her real name and no one at the school knows about her on-line persona. NaughtyGirl is just as much a real identity as Samantha Smith. Whenever NaughtyGirl posts to the forum all the other users recognize her as that user – she’s authenticated herself in order to access the forum.
Now it is still possible for someone (probably in law enforcement) to trace the postings by NaughtyGirl back to Samantha Smith’s computer. But – unless she breaks some law – the likelihood of that is exceedingly small.
This is the identity distinction which baffled Google (and continues to baffle Facebook) known as the “nym wars”. The name on your birth certificate, your driver’s license, your national health card or even your passport isn’t the name that most people know you by. The best example is my friend Kaliya, better known as “Identity Woman”. Officially she is Kaliya Hamlin – her married name put on her official documents when she married her now ex-husband. But still legally her name. Some people know her by that name, a lot fewer by her birth, or maiden, name. Thousands upon thousands, though, know her as Identity Woman. Yet she had to fight, tooth and nail, with Google to use that identifier with Google+ who insisted that only “real names” could be used. I’d guess they’d only allow accounts for Daniel Nathan and Manford Lepofsky, rather than for Frederic Dannay and Manfred Lee – Ellery Queen wouldn’t stand a chance!
Facebook created a torrent of objections (what, again?) recently when they showed users a picture from a friend’s account and asked the user to verify the friends “real” name. As this story in Forbes notes:
“Like the bar Cheers of television fame, Facebook wants to be a place where everybody knows your name. Your real name. Not your nickname. Not a fake name you’ve created to protect your privacy. Not your Wiccan name. Your real name… and has tried to force at least one prominent user — Salman Rushdie — to go by the name on his passport on the site.”
These so-called “social networks” don’t seem to understand that in real life (“meat space” as opposed to cyberspace) people do keep their social networks separate – work, home, school, church, activities (wine tasting, book clubs, sexual activity, volunteerism, etc.) – in large part from a wish to protect the privacy of their words and actions.
The bottom line is that I don’t believe true anonymity is available anywhere any longer (if it ever were available) but that pseudonymity is something to be desired, promoted, wished for and encouraged so that people feel safe and protected – and feel their privacy is protected – whenever they speak out. There’s a great marketing opportunity here for a new “social network” which preserves privacy but which can also be a commercial success. I’ll let you know if I find one.
25.09.2012 by Dave Kearns
Way back in 1999, Scott McNealy – then the chief executive officer of Sun Microsystems – famously said that consumer privacy issues are a “red herring.” He went on to say: “You have zero privacy anyway, get over it.”
Yet just in the past two weeks privacy has been much in the news on many counts.
- A French court ruled that pictures of Kate, the Duchess of Cambridge, sunbathing topless were an invasion of her privacy since there was a reasonable expectation that she would be unobserved while poolside at a private residence hundreds of meters from a public vantage point. (The photographer evidently used one of the largest telephoto lenses available)
- A candidate for the US presidency (former Massachusetts governor and 2002 winter Olympics honcho Mitt Romney) was secretly taped while addressing a small group of very wealthy supporters. His remarks, disparaging of many non-wealthy Americans, have placed him in a decidedly negative light with just a few weeks until election day. His campaign says that the remarks were intended for a private audience and should not have been used outside of that context.
- Microsoft recently announced that its Internet Explorer browser would support by default the privacy-enhancing “Do Not Track” option when the next version is released. Google has also announced that they will have an option of “Do Not Track” in their Chrome browser, but it will need to be actively turned on by the user.
- Microsoft also launched an ad campaign for its Bing search engine to attract users of Apple’s Safari browser citing the large fine imposed on Google for ignoring that browser’s privacy settings.
- The US Federal Trade Commission has announced proposed changes to the interpretation of the Children’s Online Privacy Protection Act (COPPA) which could severely impact all web sites and, ironically, lead them to collect more data thus actually reducing their users’ privacy. See this article on Ars Technica for the details.
Now it’s possible that I was especially tuned in to these stories because I recently became involved with the Privacy Standing Committee of the Identity Ecosystem Steering Group (IdESG) set up under the US’s National Strategy for Trusted Identities in Cyberspace (NSTIC) – but I don’t think so. Certainly I couldn’t visit a news web site, open a newspaper or watch a news program on TV without at least being made aware that there were “naughty” pictures of the Duchess of Cambridge circulating on the internet and in print in a French magazine. The Mitt Romney quotes were all over the US news outlets as well as those in other countries that cover international stories. The other privacy issues may have garnered a small note in the general media but would have been prominent for the Technorati and the Identorati. So 13 years after Scott McNealy said that we have zero privacy – why are we still talking about it? More importantly, why are we still trying to device ways to protect it?
What is privacy, and how important is it? Ayn Rand, in The Fountainhead, said: “Civilization is the progress toward a society of privacy. The savage’s whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men.” While Isaac Asimov (in Foundation’s Edge) has one character say: “It seems to me, Golan, that the advance of civilization is nothing but an exercise in the limiting of privacy.”
G.B. Shaw, the great Irish playwright is quoted as saying “An American has no sense of privacy. He does not know what it means. There is no such thing in the country.” But US Supreme Court justice William O. Douglas opined “We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times.” So did the US ever have privacy or not?
There is indeed a lot of confusion about the subject, but there are two key phrases to remember when talking about privacy:
- Privacy is not anonymity
- Privacy is not secrecy
On the first point, in a long response to a discussion of anonymity and privacy I noted that if I live in a small town, then there are many people whom I know and many who know me. And those two sets are not equivalent. But that doesn’t mean that all of those people – or even some of those people – know everything I do nor do I know everything they do. Privacy – which is very important – is not the same as anonymity. But it’s easy to paint it as such.
On the second point, Bob Blakley – then with the Burton Group, now a VP at Citicorp – said “As long as your personal information is secret, you don’t even have a privacy problem. It’s only when somebody else knows your personal information that you have a privacy problem. In other words, privacy is the problem you have after you share sensitive information.”
Blakley also once defined privacy as “the ability to lie about yourself and get away with it.” What he meant was that whenever you make a personal statement, no one in the audience for that statement can contradict you because they don’t know the details which (until that point, possibly) are private.
The Right to Privacy then isn’t about someone else knowing a detail about you. It’s about that person or entity sharing that detail with a third party without your permission. Your medical record is shared between you and your medical providers (doctors, hospitals, nurses, pharmacists, insurance company) but it’s still private, and those people shouldn’t be sharing it with others (employers, pharmaceutical companies, even others in your family) without your specific permission.
There’s also the expectation of privacy, which means that you couldn’t foresee that an outside observer might see what you are doing and try to turn that activity to their advantage. This applies to paparazzi (See Duchess of Cambridge note above), employees of a private facility used for an activity (the likely source of the Mitt Romney problem) or even (in some countries) to the activities of law enforcement. In the US there is a prohibition against unwarranted searches, but the law and the courts are just now catching up with the technology such as heat sensors (that can “see” through walls) and unmanned drone aircraft (that can overfly private property).
In Europe, there is also the “right to be forgotten”, which seeks to take public information and make it, once more, private. (There’s a fascinating article about this, and what’s being said about it, on the National Public Radio web site). In short, you could petition for websites to remove data about you (a boon to college graduates now looking for jobs!)
So what does it all mean?
Thirteen years after McNealy’s proclamation we still are trying to keep at least some parts of our lives private. We also seem to believe that there is a technological solution that will help us maintain our privacy. That’s not going to happen. Get over it. In fact, technology is a greater aid to those looking to violate our privacy than to those looking to protect it.
What we can do is strengthen and modernize the laws concerning privacy. The Duchess of Cambridge found recourse through the French courts – and won. It might still be possible for her to have the pictures (or links to the pictures) removed via “right to be forgotten” laws. Mr. Romney might learn from his opponent, President Obama, who routinely has cellphones checked at the door when holding so-called private events in order to prevent the sort of leaks that damaged Romney.
On the other hand, draconian fiats such as the extension of COPPA can actually lead to less privacy. In general, privacy law – at least as regards the internet – shouldn’t be written by lawyers and politicians. That’s one of our hopes within IdESG – to craft a framework for internet identity that favors privacy without hog-tying business, government, education and ordinary users so that interactions become impossible. It won’t be an easy task, and we’ll need lots of help doing it. So if you have any ideas – or you want to help – drop me a note and share.