EU har i adskillige år væltet sig rundt i fine (og dyre) forskningsprojekter om trusler og muligheder for privatlivets fred i en digitaliseret verden. Og oftest med hån tilovers for de tilsvarende aktiviteter – eller mangelen på dem – i resten af verden og specielt USA.

Men nu har USA fået en regering der specielt på IT-området har fokus på er erstatte mange af nutidens store og kluntede IT-systemer med mere lavpraktiske og innovative letvægtsløsninger. Som interesseret i privacy og IT-sikkerhed har jeg spændt ventet på hvordan dette ville udmønte sig på identitetsområdet. Ville det resultere i løsninger, vi i Europa kunne forarges over – eller noget som kan anvendes til inspiration.

De første specifikationer for borgerinteraktion med regeringssites i USA er nu kommet på banen i forbindelse med Gov2.0 Summit 9-10. september.

Og det er blevet til en glædelig overraskelse både fra et privacy synspunkt og ud fra den støtte det vil give til at styrke og fokusere den videre udvikling af OpenID og Information Card.

Hvor man i lande som Danmark er startet med at etablere et monopol (en analog til Nationalbanken for identitet) og fokusere på statens sikkerhed frem for borgernes i de tekniske løsninger, har man i USA valgt at tage udgangspunkt i lavrisikotransaktioner, men med en grundlæggende arkitektur, der gør det muligt at øge sikkerhedsniveauet og anvendelserne i takt med de praktiske erfaringer og den teknologiske udvikling. Løsningen er decentral, d.v.s. at man selv vælger hvem man vil betro sine identitetsoplysninger på samme måde som man selv kan vælge hvilken bank, man vil anbringe sine penge i. Det sidste kan vi jo endnu også gøre i Danmark.

Principperne er klare for den første udgave, hvor målet klart har været at beskytte borgerne mod staten:
1. Brugeren vælger selv sin OpenID provider (OP) blandt de, der opfylder kriterierne
2. Brugeren indestår selv for de oplysninger han beder OP’en videregive til .gov sitet
3. OP’en skal primært dokumentere at sikkerhedskravene til login er overholdt
4. Der kan kun anvendes “directed identity” – altså ét unikt handle pr. OP-RP relation
5. Der skal være sikkerhed mod at brugeren ved en fejl kommer til at opgive en almen OpenID identitet.

Hvordan dette initiativ kan sætte skub og fokus på den videre udvikling af OpenID, vil helt sikkert blive et af emnerne på den næste Internet Identity Workshop 3-5. november i Mountain View, hvor der også ventes afklaring omkring den længe ventede OpenID 2.1 og en række usability aspekter.

Forhåbentlig kan det også sætte skub i udviklingen i Danmark og Europa til gavn for både forbrugere, erhvervsvirksomheder og diverse medlemsorganisationer.

Ashish Jain fra Paypal har lavet et blogindlæg med en række relevante links til OpenID for OpenGov
Kaliya Hamlin, a.k.a. IdentityWoman opridser baggrunden og perspektiverne for OpenID for OpenGov

Comments No Comments »

- nu kan du bl.a. logge ind på Facebook

Den halvårlige Internet Identity Workshop (IIW) er fortsat stedet hvor nyheder lanceres og kimen lægges til de næste skridt i udviklingen af såvel OpenID som Information Cards og Vendor Relation Management.

Et synligt bevis på at disse teknologier nu står foran et gennembrud fremgår af deltagerlisten, som omfattede Google, Microsoft, Apple, Oracle, Yahoo, Facebook, Myspace, Amazon, Paypal, LinkedIN, Symantec, HP, Nokia, AOL, Cisco m.fl. Og der var denne gang klart mere fokus på at løse praktiske problemer i fællesskab fremfor at promovere egne fortrin.

Et stort og endnu ikke løst problem for OpenID er “Nascar”-problematikken, hvor man vil undgå at websider, der accepterer OpenID ender med at blive totalt overklistret med logoer for de forskellige OpenID udbydere. På den anden side er det en fordel at login kan ske ved et enkelt klik på et ikon fremfor indtastning af hele OpenID udbyderens domænenavn eller brugerens komplette OpenID-adresse.

Sålænge dette problem ikke har fundet en løsning, vil OpenID-udbredelsen hæmmes af den nuværende meget forskelligartede brugeroplevelse på de sider, der accepterer OpenID brugeroprettelse og login.

På workshoppens førstedag kunne Facebook annoncere OpenID support på en måde, der undgår “Nascar”-problematikken ved login på brugerens “normale” PC. Samtidigt hjælper det Facebook i kampen mod phishing, som er et stort problem for alle populære websider. Der logges simpelthen automatisk ind på Facebook, når brugeren i forvejen er logget ind på sin foretrukne OpenID-udbyder. Det er en god men ikke generelt dækkende løsning, så “Nascar” er stadig #1 på problemlisten.

Ved de tidligere workshops har der desværre ikke været generel forståelse for problematikkerne i forbindelse med logout fra OpenID. Single logout, som det kendes fra bl.a. SAML2 understøttes ikke af OpenID, hvilket betyder at brugere uforvarende kan være logget ind på deres OpenID-udbyder selv om de er logget ud fra de tjenester, de har besøgt – eller omvendt. Men bl.a. Google, Microsoft og Facebook erkender imidlertid nu problemet, så der skulle være en rimelig sandsynlighed for at få løst det i en kommende opdatering.

Microsoft kunne præsentere en ny og hurtigere udgave af deres Info-kort teknologi Cardspace, som nu udvikles i samarbejde med Infocard Foundation, der også tæller Google, Intel m.fl. Der er også et forbedret samarbejde mellem OpenID Foundation og Infocard Foundation og det er formentlig kun et spørgsmål om tid før vi vil se Apple springe på vognen og lancere OpenID-support via Info-kort på deres Iphone.

Den alternative Info-kort teknologi Higgins har samtidigt udmøntet sig i de første kommercielle anvendelser, hvor der bl.a. blev demonstreret et eksempel på hvordan AAA (USA’s pendent til FDM) kunne få profileret sine rabatordninger.

Endelig tyder det på at OpenID kan spille en væsentlig rolle i forbindelse med VRM (“Vendor Relation Management” = forbrugernes svar på virksomhedernes “Customer Relation Management”). De luftige koncepter som Doc Searls introducerede første gang for et par år siden er nu ved at konkretisere sig til konkrete projekter og begynder derfor også at stille konkrete udfordringer for potentielle OpenID-udbydere. Der arbejdes nu mange steder konkret med implementering af “Personal Information Stores”, som giver forbrugeren kontrol med og overblik over brugen af personlige oplysninger.

Comments No Comments »

Det første regulære valg til OpenID Foundation er nu igang og åbent frem til 24. december.

OpenID foundation, der står for standarder og rettigheder i relation til OpenID har en to-delt bestyrelse. Dels en “Corporate” del med fem medlemmer fra IBM, Microsoft, Google, Yahoo og Verisign. Og dels en “Community” del på syv medlemmer, som indtil nu har talt nogle af de “græsrødder” og “entusiaster”, som har startet OpenID bevægelsen.

Det er hele community-delen af bestyrelsen, der nu er på valg og ialt 17 personer kandiderer til de 7 pladser. Og som jeg vil forsøge at anskueliggøre er det er langtfra ligegyldigt hvem, der bliver valgt ind. Når man så samtidigt tager i betragtning at OpenID Foundation primo november havde under 50 stemmeberettigede medlemmer bør det nok overvejes om det ikke er nu man bør melde sig ind i OpenID Foundation, hvis man har ønsker og forhåbninger til fremtiden for OpenID. Et års medlemsskab, hvor man kan deltage fuldt ud i aktiviteterne koster sølle 25 USD for individuelle medlemmer, men fra 500 USD for virksomheder afhængig af medarbejderantallet.

Alle 17 kandidater har på den elektroniske valgside afgivet forklaringer på hvad de har gjort og hvad de agter at gøre for OpenID. Som medlem kan du stemme på op til 7 kandidater. Her er et kondensat af dette samt mine personlige – måske lidt subjektive – kommentarer:

Hvis du ønsker at OpenID får global udbredelse – ikke blot til kommentarer i blogs, men også på kommercielle sites – kommer du ikke uden om Nat Sakimura fra Japan, der står bag organiseringen af OpenID Japan. Her kan man ikke blot anvende OpenID på landets førende sociale netværk “Mixi”, men også til online betaling samt til bestilling af hotelophold m.m. hos partnervirksomheder til Japan Airlines. Antallet af brugere, der kender til og anvender OpenID er stormet frem til niveuer, der ikke tilnærmelsesvis ses andre steder i verden. Se Nat’s præsentation på slideshare.com

Hvis du vil have en europæisk stemme i bestyrelsen for OpenID er din eneste mulighed Snorri Giorgetti fra Frankrig. Det er i helt overvejende grad Snorri, der har tegnet OpenID Foundation i Europa. Bl.a. har han sørget for at samle varemærkerettigheder og en del nationale openid-domæner i Europa for at donere disse til OpenID Europe Foundation, som repræsenterer OpenID Foundation i Europa.

Hvis du drømmer om kompatibilitet eller sammensmeltning mellem OpenID og Facebook Connect
bør du nok stemme Luke Shepard fra Facebook ind i bestyrelsen. Luke, der netop har lanceret Facebook Connect skriver i sin præsentation at han vil arbejde for udbredelsen af OpenID både generelt og inden for murene hos Facebook. Med Luke i bestyrelsen vil det klart blive sværere for Google, Microsoft, Yahoo m.fl at anvende OpenID i magtkampen mod Facebook fremfor at samarbejde om udbredelsen.

I det resterende felt finder man dels repræsentanter for de traditionelle “græsrødder” og “evangelister”, men også et pænt antal kandidater fra Google, Yahoo og Microsoft, som jo ellers har deres specielt reserverede “Corporate” bestyrelsespladser.

Corporategruppen omfatter bl.a. Allen Tom og Eran Hammer-Lahav fra Yahoo, Eric Sachs fra Google samt (noget overraskende) Dick Hardt fra Microsoft. Man kan bestemt ikke udsætte noget på deres baggrund og kvalifikationer, men man kan gøre sig sine overvejelser om konsekvenserne ved at en lille håndfuld virksomheder får bestemmende indflydelse i bestyrelsen. Det er det man ellers i vedtægterne har ønsket at modvirke gennem et krav om at der altid skal være flere “Community”- end “Corporate”-pladser i bestyrelsen.

Evangelisterne tæller bl.a. Johannes Ernst, Chris Messina, David Recordon, Joseph Smarr (står for Plaxo, en af de hidtil største OpenID relying parties – kendt for både at tænke og tale hurtigere end nogen af de øvrige kan opfatte), Martin Atkins, John Bradley (også aktiv med SAML og XRI under OASIS) samt Scott Kveton (tidligere JanRain, nu Vidoop)

Hvis du vil præge den fortsatte udvikling af OpenID ved at støtte nogle af kandidaterne, kan du starte her.

Comments 1 Comment »

Many have predicted 2008 to be the year where internet identity management would finally take off. Based upon what has happened so far, it it very likely that this prediction will be fulfilled.

In February Google, IBM, Microsoft, Yahoo and Verisign all demonstrated their support of OpenID by joining the board of the OpenID Foundation. In Europe and Japan there are also strong efforts to promote OpenID. I am looking forward to participate in these efforts as of today I have become the OpenID Europe Danish Representative.

Another indicator of the expectations to the identity management market are the aquisitions that took place in March. Ping Identity aquired Access Manager from Sxip, that will now focus on the consumer market. In the enterprise segment IBM aquired Encentuate. But probably most important for the future development of identity management was Microsofts acquisition of Credentica with its patented privacy technologies “U-prove”, that Microsoft intends to integrate with its Cardspace technology.

As important as Microsofts acquisition of Credentica may seem from a theoretical standpoint, it is still doubtful whether it will have any real impact on consumer privacy during the next 10 years. Linkable attributes as email addresses, phone numbers and postal addresses do not disappear overnight. Neither does third party tracking of cell phone locations. But the mere availability of this privacy technology with a powerful industry player may spur the discussion of privacy issues and facilitate relevant legal initiatives. This may in turn lead to changes in vendor and consumer attitudes and behaviour.

In theory U-prove provides an edge compared to other solutions in managing information on a “need to know” basis. But this author is convinced that the major potential for privacy enhancements lies in reducing the perceived “need” by changing current business practices and consumer attitudes. We will probably witness several initiatives in this area during 2008, while it may take years for most vendors and consumers to adopt such new practices.

Comments No Comments »

Differences in legal framework, payment and logistics solutions are important barriers to crossborder trade in Europe. At an FDIH conference last October  Susanne Czech, secretary general of the European Distance Selling Organisation EMOTA stated that it may take 10-20 years to completely harmonize the legal framework. An analysis shows that the lack of harmonization results in serious distrust in crossborder trade among citizens.

One way to overcome the slow convergence of the countries legal frameworks is to add a voluntary agreement layer to level out the national differences. You may think of it as the legal equivalent to the IT-professionals JAVA Virtual Machine. It was suggested that this approach could be marketed through the implementation of a European Trust Mark to supplement the national trustmarks already implemented in several countries.

While such trustmarks are valuable as marketing vehicles to promote the use of best practices, they are of little value in widespread markets where effective reputation systems are not in place. If a traditional local shop violates best practices it will soon be judged by its customers and face the need for a costly move to another location. Currently even national trustmarks fail to provide merchants with a similar incentive to abide by the rules associated with the trustmark.

The problem will remain as long as trustmarks are based on bilateral agreements between individual merchants and the organisation representing the trustmark. A recent ruling from the Danish National Court shows that a merchants use of trustmarks do not have any legal impact on the relation between the merchant and the customers visiting his website. In the actual case the merchants use of the trustmark was both unauthorized (no agreement signed) and expressly disapproved by the organisation owning the trustmark.

This is where the upcoming identity providers will play an important role. In a previous entry I have mentioned Vendor Relation Management, which aims at placing vendors and customers on an even playing field. The relationship starts when the customer registers with the IDP. By managing and documenting this agreement process, the IDP may ensure that the mutual agreement between vendor and customer contains appropriate obligations for both parties as well as clearly defined sanctions and procedures for dispute resolution. Therefore it is important for entrants in this field to establish relations to consumer and trade organisations and/or develop federation terms which are aligned with existing “best practices”.

In a dynamic marketplace vendors may change their terms from moment to moment. Hence, without instantly recording any page visited, it can be difficult for a customer to proove which particular version of the terms he was exposed to. The above ruling also shows that such logging is the responsibility of the site visitor rather than the merchant. Just as payment transaction companies like Paypal and DIBS now act as trusted intermediaries with respect to the payment transfer, we will see identity providers filling the need for third party management and documentation of the various elements of any purchase and other agreements entered between the two parties.

Documented agreements is also a prerequisite for serious reputation management. So there is definitely some catching up to do for Internet Identity Management while the efforts to establish an open interoperable reputation management framework take shape.

Comments No Comments »

… is much more difficult than learning and doing things right in the first place. One of my aspirations for 2008 is to promote the unlearning of bad habits in the area of digital identity.

The missing identity layer of the internet has led people to a digital behaviour completely different from the physical world. Even though proper identity management is now becoming available, it may take years to circumvent what has become normal practice in the digital domain during the past 5-10 years.

In the physical world you typically build trust with your friends over time, gradually sharing more and more personal information.

When you are shopping for a specific piece of commodity, your are only concerned with the quality of the item relative to the amount payed. And the shop basically cares about optimizing its overall profit from its encounter with you. So the discussion will be about your needs, the products ability to satisfy these, and ultimately the price and payment terms.

A few days ago I got some comments on Net-Safe from a guy running a local internet community. His suggested to me that it might be better to position the new identity management technology as a tool to provide shops with more (accurate) information, while relying on more subtle validation of participants in C2C communities.

In my opinion it would be a fatal mistake to use the new technology to extend current practices rather than to challenge and circumvent them.

Let us take the shopping case. Why should the shop know my name, age, and address? Rather than just asking for information related to my specific product preference and some unique token to recognize me on return? The payment transfer industry has already adressed part of the problem by letting dedicated payment processors handle the payment card details, well consealed form the merchant.

Hence I regard it a major challenge for the evolving identity management industry to collaborate with the transportation industry and others to offer a similar level of privacy for the transfer of the invoice and the goods. This is primarily a behavioral rather than a technical challenge. Following this path consumers will eventually be able to accumulate and leverage their personal (incl. commercial) information for effective vendor relation management (VRM).

Currently most community sites – including the one being run by the person triggering this post – are asking new users for personal details such as name, birthday, gender, and zipcode. If filled in correctly this information allows any company with proper resources to uniquely establish the identity of the person. As the information is not validated, however, it also allows people to invent virtual identities which do not relate to any real person.

This practice is not only beneficial for various types of criminals, but a totally unnecessary risk for all users providing correct information. Their information is freely open to misuse by the site owner and anyone else who lawfully or not gets access to the data. Identifiers such as email-addresses and user names further assists the criminals in aggregating user data from more sources.

I can think of several valid reasons for a community site to gather information about its users:

  • To promote accountability in the way users interact with each other on the site
  • To allow users to regain access to the site after loosing their login details
  • To provide potential advertisers with general user demographics
  • To let users release information or delegate authority to other users.

But what is then the purpose for a community site to maintain a database where only part of the records point to real persons? While the remaining records are useless for any of the purposes above? It may not only be a bad idea! At least in Denmark it is a direct violation of the personal privacy act which expressly requires appropriate validation and updating of such information (see §5, sect. 4).

So for community sites the basic lesson to be learned is: Don’t ask for any information that you do not presently need and do not intend to validate.

Both community sites and upcoming identity providers (IDP) should develop their sites and technologies in a way that support the release of information on a fine grained need to know basis. With the emerging single signon and authorization protocols the 4 objectives above may be realized while keeping users in charge of their information and comfortable in their interaction with other users.

The alternative – continuing and developing todays community site practices – seems to me a scary vision for the future of identity theft

Comments No Comments »

What could be a better occasion for starting a new blog on user centric identity than last weeks IIW 2007b unconference at the Computer History Museum in Mountain View?

150 participants representing companies of all sizes from prospective startups to Yahoo, Microsoft and Google witnessed the official release of new protocol specifications for XRI, OpenID and OAuth as well as the presentation of new ambitious projects within the realms of reputation and self-management of profile data.

It is amazing to see how self funded enthusiastic individuals and companies in the US have developed these technologies over the last couple of years.

As a european citizen it is equally sad to realize that the European Union has wasted millions of Euro on fancy projects, that will never get traction in the marketplace.

Yet, as a citizen of Denmark, I see several unique options for employing and combining multiple identity related technologies to the benefit of both individuals and visionary companies. So this blog will be a place to watch for thoughts on the nuts and bolts as well as the incentives to build innovative user centric services.

My Technorati Profile

Comments No Comments »