The devil is in the legals
Many of the identerati campaign on Twitter and in the blogosphere for a federated new order, where banks in particular should be able to deal with new customers based on those customers' previous registrations with other banks. Why, they ask, should a bank put you through all that identity proofing palaver when you must have already passed muster at any number of banks before? Why can't your new bank pick up the fact that you've been identified already? The plea to federate makes a lot of sense, but as I've argued previously, the devil is in the legals.
Funnily enough, a clue as to the nature of this problem is contained in the disclaimers on many of the identerati’s blogs and Twitter accounts:
"These are personal opinions only and do not reflect the position of my employer".
Come on. We all know that’s bullshit.
The bloggers I’m talking about are thought leaders at their employers. Many of them have written the book on identity. They're chairing the think tanks. What they say goes! So their blogs do in fact reflect very closely what their employers think.
So why the disclaimer? It's a legal technicality. A company’s lawyers do not want the firm held liable for the consequences of a random reader following an opinion provided outside the very tightly controlled conditions of a consulting contract; the lawyers do not want any remarks in a blog to be taken as advice.
And it's the same with federated identity. Accepting another bank's identification of an individual is something that cannot be done casually. Regardless of the common sense embodied in federated identity, the banks’ lawyers are saying to all institutions, sure, we know you're all putting customers through the same identity proofing protocols, but unless there is a contract in place, you must not rely on another bank's process; you have to do it yourself.
Now, there is a way to chip away at the tall walls of legal habit. This is going to sound a bit semantic, but we are talking about legal technicalities here, and semantics is the name of the game. Instead of Bank X representing to Bank Y that X can provide the "Identity" of a new customer, Bank X could provide a digitally notarised copy of some of the elements of the identity proofing. Elements could be provided as digitally signed messages saying "Here's a copy of Steve’s gas bill" or "Here's a copy of Steve’s birth certificate which we have previously verified". We could all stop messing around with abstract identities (which in the fine print mean different things to different Relying Parties) and instead drop down a level and exchange information about verified claims, or "identity assertions". Individual RPs could then pull together the elements of identity they need, add them up to an identification fit for their own purpose, and avoid the implications of having third parties "provide identity". The semantics would be easier if we only sought to provide elements of identity. All IdPs could be simplified and streamlined as Attribute Providers.
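To make the "drop down a level" proposal concrete, here is an added example (not code from the blog or from any bank) of Bank X issuing signed statements about individual verified elements, and Bank Y, as the Relying Party, assembling only the elements its own policy requires. The names BankX/BankY, the claim types, the dates and the pairwise key are all constructed; an HMAC over a key that the two banks are assumed to have exchanged under their contract stands in for the "digitally notarised" signature, and a real deployment would substitute an asymmetric signature at the same point.

```python
"""Exchange of signed identity elements between two banks.

Added illustration, not code from the Lockstep blog. BankX/BankY, the claim
types, the dates and the pairwise key are constructed for the example. An HMAC
over a contract-backed shared key stands in for the "digitally notarised"
signature; an asymmetric signature would replace hmac.new() in practice."""
import hashlib
import hmac
import json
from datetime import date

# Constructed pairwise key, assumed to have been exchanged under the X-Y contract.
PAIRWISE_KEY = b"constructed-demo-key-bankx-banky"


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so issuer and verifier MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_claim(issuer: str, subject: str, claim_type: str, verified_on: str,
                key: bytes = PAIRWISE_KEY) -> dict:
    """Bank X asserts one verified element (e.g. 'utility_bill'), not an 'identity'."""
    payload = {"issuer": issuer, "subject": subject, "claim": claim_type,
               "verified_on": verified_on}
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_claim(claim: dict, key: bytes = PAIRWISE_KEY) -> bool:
    """Recompute the MAC over the payload and compare in constant time."""
    expected = hmac.new(key, canonical(claim["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, claim["sig"])


# Bank Y's own policy: which elements it needs, from whom, and how fresh they must be.
RP_POLICY = {
    "accepted_issuers": {"BankX"},
    "required": {"birth_certificate", "utility_bill"},
    "max_age_days": 365,
}


def assemble(claims: list, policy: dict, subject: str, today: date) -> tuple:
    """Return (satisfied, missing) required claim types for `subject`.

    Only claims from an accepted issuer, with a valid MAC, about the right
    subject and inside the freshness window count. The RP adds them up itself."""
    satisfied = set()
    for c in claims:
        p = c["payload"]
        if p["issuer"] not in policy["accepted_issuers"]:
            continue
        if p["subject"] != subject:
            continue
        if not verify_claim(c):
            continue
        age = (today - date.fromisoformat(p["verified_on"])).days
        if age < 0 or age > policy["max_age_days"]:
            continue
        satisfied.add(p["claim"])
    required = policy["required"]
    return satisfied & required, required - satisfied


def rp_accepts(claims: list, policy: dict, subject: str, today: date) -> bool:
    """True when every element Bank Y requires is covered by a valid, fresh claim."""
    return not assemble(claims, policy, subject, today)[1]


# Constructed sample exchange: two elements Bank X previously verified for "steve".
TODAY = date(2011, 12, 1)
SAMPLE_CLAIMS = [
    issue_claim("BankX", "steve", "utility_bill", "2011-10-03"),
    issue_claim("BankX", "steve", "birth_certificate", "2011-06-14"),
]

if __name__ == "__main__":
    print(assemble(SAMPLE_CLAIMS, RP_POLICY, "steve", TODAY))
    print(rp_accepts(SAMPLE_CLAIMS, RP_POLICY, "steve", TODAY))
```

Note that nothing in the exchange says "this is Steve's identity": Bank X only vouches for discrete elements it checked, and the decision that two such elements add up to an identification fit for purpose is made, and owned, by Bank Y under its own policy.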
See also "An identity claims exchange bus" and "Identity is in the I of the beholder".
Posted in Trust, Internet, Federated Identity
Strippers are better off than Facebook users
Journalist Farhad Manjoo at Slate recently lampooned the privacy interests of Facebook users, quipping sarcastically that "the very idea of making Facebook a more private place borders on the oxymoronic, a bit like expecting modesty at a strip club". Funny.
A stripper might seem the archetype of promiscuity but she has a great deal of control over what's going on. There are strict limits to what she does and moreover, what others including the club are allowed to do to her. Strip club customers are banned from taking photos and exploiting the actors' exuberance, and only the most unscrupulous club would itself take advantage of the show for secondary purposes.
Facebook offers no such protection to their own members.
While people do need to be prudent on the Internet, the real privacy problem with Facebook is not the promiscuity of some of its members, but the blatant and boundless way that it pirates personal information. Regardless of the privacy settings, Facebook reserves all rights to do anything it likes with PI, behind the backs of even its most reserved users. That is the fundamental and persistent privacy breach. It's obscene.
Update 5 Dec 2011
Farhad Manjoo took me to task on Twitter and the Slate site [though his comments at Slate have since disappeared] saying I misunderstood the strip club analogy. He said what he really meant was propriety, not modesty: visitors to strip clubs shouldn't expect propriety and Facebook users shouldn't expect privacy. But I don't see how refining the metaphor makes his point any clearer or, to be frank, any less odious. I haven't been to a lot of strip clubs, but I think that their patrons know pretty much what to expect. Facebook on the other hand is deceptive (and has been officially determined to be so by the FTC). Strip clubs are overt; Facebook is tricky.
Manjoo blames the victims, saying that if people want privacy they shouldn't use Facebook at all. The headline on his article says users are as much to blame for Facebook's privacy woes as Mark Zuckerberg. This is just tacit acceptance of a Wild West, everyone-for-themselves morality that runs through so much of the Internet. We should debate the difference between what is and what ought to be happening on the Internet, rather than accepting rampant piracy of PI and leaving hapless users to their own devices. The sorts of privacy intrusions that Facebook foists on its users are not intrinsic. Facebook doesn't have to construct biometric templates without the subjects' permission as soon as someone else tags them in photos, neither does it have to continuously run those biometric templates over third party photo data (probably uploaded for other reasons). Facebook could if it desired delete the biometric templates when users ask for tags to be removed, or at the very least alert users to what's going on in the background with photo tags. If photo tagging was just for the fun of the users, rather than commercial exploitation, Facebook would promise in its Privacy Policy not to put biometric templates to secondary purposes. But no, Facebook doesn't even mention these things in its Policy.
Some of us -- including both Manjoo and me -- have realised that everything Facebook does is calculated to extract commercial value from the Personal Information it collects and creates. But I don't belittle Facebook's users for falling for the trickery.
Posted in Social Networking, Social Media, Privacy, Internet, Culture
Fighting cyber crime like it really matters
It is no exaggeration to characterise the theft of personal information as an epidemic. Personal information in digital form is the lifeblood of banking and payments, government services, healthcare, a great deal of retail commerce, and entertainment. But personal records, especially digital identities, are stolen in the millions by organised criminals, to appropriate not just money but also the broader and fast growing intangible assets of "digital natives". The Internet has given criminals x-ray vision into people's details, and perfect digital disguises with which to defraud business and governments.
Credit card fraud over the Internet is the model cyber crime. Child's play to perpetrate, and fuelled by a thriving black market in stolen personal data, online card fraud represents 70% of all card fraud in Australia, continues to grow at 30-50% p.a., and here cost over A$120 million in 2010 (see http://lockstep.com.au/blog/2011/09/27/au-cnp-fraud-cy2010). The importance of this crime goes beyond the gross losses, for some of the proceeds are going to fund terrorism, as acknowledged by the US Homeland Security Committee.
Yet there is a deeper lesson in online card fraud: it needs to be seen as a special case of digital identity theft. ID theft is perpetrated by sophisticated organised crime gangs, behind the backs of the best trained and best behaved users, aided and abetted by insiders corrupted by enormous rewards. No amount of well meaning security policy or user awareness can defeat the profit motives of today’s online fraudsters.
As the digital economy is to the wider economy, so cyber crime is to crime at large. And yet the e-business environment remains stuck in a Wild West stage of development: it's everyone for themselves! There is no consistency in the gadgets foisted upon consumers to access online businesses and services; worse, most are flawed and readily subverted by hackers. We could build security deep into our transaction platforms to prevent identity theft, phishing, web site spoofing and spam (the requisite building blocks like digital signature toolkits and personal smart devices are now ubiquitous), but instead almost all attention turns to user awareness. Yet education has reached its use-by date, rendered utterly obsolete by the industrialisation of cybercrime (see also http://lockstep.com.au/library/online_banking_review/obr-lockstep-200810-many-hand.pdf). Most everyone now knows they need a firewall and anti-virus software, but these are misguided measures when most identities are stolen in other channels utterly beyond the users' control. The predominant technology-neutral policy position of government and the banking industry has not fostered market-driven innovation as hoped but instead has created a leadership vacuum, leaving consumers to fend for themselves.
To really curtail cyber crime we need the sort of concerted and balanced effort that typifies security in all other walks of life, like transportation, energy and finance. Car owners don't fit their own seat belts and airbags as after-market nice-to-haves; bank customers don’t need to install their own security screens; bank robbers are not kept at bay by security audits alone. The time has come, now that we’re constructing the digital economy, to embrace intelligent security technologies that can actually prevent identity theft and cyber crime.
Pseudonyms are for everyone!
Too many analyses of Google's and Facebook's Real Names policy take a narrow view of pseudonyms, conceding only that they may benefit for example "[dissidents] in Egypt, China, colonial America [and] whistle-blowers inside corporations and labour unions" (see Berin Szoka's "What's in a Pseudo-name?").
There's evidently a belief that regular upstanding citizens have no need for pseudonyms, and a veiled suspicion that wanting one means you must have something to hide. Yet in truth, a great many ordinary Internet users have developed pseudonymous habits to protect themselves in the Wild West that is cyberspace today.
To frustrate the efforts of junk mailers and spammers, it's standard practice amongst many to use multiple e-mail addresses, or to fib about their location or their age when filling in forms. And where does the Real Names creed leave all the advice we've been giving our kids for years in social networking, to hide their age, their location and any identifying details?
It's important for everyone -- not just Mid-Eastern freedom fighters -- to have the autonomy to represent themselves how they like in social settings.
What a twisted world is cyberspace these days! Think about it: Why the hell is the onus on users to defend their use of nicknames, when it ought to be the informopolies that justify imposing their self-serving rules on how we users refer to ourselves? We don't go around in public with our 'real names' tattooed on our foreheads! No "Social network" should be dictating how we socialise!
Posted in Social Networking, Privacy, Nymwars, Internet, Identity
Other thoughts on Real Names
I'm going to follow my own advice and not accept the premise of Google's and Facebook's Real Names policy that it somehow is good for quality. My main rebuttal of Real Names is that it's a commercial tactic and not a well grounded worthy social policy.
But here are a few other points I would make if I did want to argue the merits of anonymity - a quality and basic right I honestly thought was unimpeachable!
Nothing to hide? Puhlease!
Much of the case for Real Names riffs on the tired old 'nothing to hide' argument. This tough-love kind of view that respectable people should not be precious about privacy tends to be the preserve of middle class, middle aged white men who through accident of birth have never personally experienced persecution, or had grounds to fear it.
I wish more of the privileged captains of the Internet could imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. And as Identity Woman points out, we're not just talking about resistance fighters in the Middle East but also women in 21st century America who are pilloried for challenging the sexist status quo!
Some have argued that people who fear for their own safety should take their networking offline. That's an awfully harsh perpetuation of the digital divide. I don't deny that there are other ways for evil states to track us down online, and that using pseudonyms is no guarantee of safety. The Internet is indeed a risky place for conducting resistance for those who have mortal fears of surveillance. But ask the people who recently rose up on the back of social media if the risks were worth it, and the answer will be yes. Now ask them if the balance changes under a Real Names policy. And who benefits?
Some of the Internet metaphors are so bad they’re not even wrong
Some continue to compare the Internet with a "public square" and suggest there should be no expectation of privacy. In response, I note first of all that the public-private dichotomy is a red herring. Information privacy law is about controlling the flow of Personally Identifiable Information. Most privacy law doesn't care whether PII has come from the public domain or not: corporations and governments are not allowed to exploit PII harvested without consent.
Let's remember the standard set piece of spy movies where agents retreat to busy squares to have their most secret conversations. One's everyday activities in "public" are actually protected in many ways by the nature of the traditional social medium. Our voices don't carry far, and we can see who we're talking to. Our disclosures are limited to the people in our vicinity, we can whisper or use body language to obfuscate our messages, there is no retention of our PII, and so on. These protections are shattered by information technologies.
If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tattooing people's names on their foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit.
Medical OSN apartheid
What about medical social networking, one of the next frontiers for patient-centric care, especially in mental health? Are patients supposed to use their real names for "transparency" and "integrity"? Of course not, because studies show participation in healthcare in general depends on privacy, and many patients decline to seek treatment if they fear they will be exposed.
Now, Real Names advocates would no doubt seek to make medical OSN a special case, but that would imply an expectation that all healthcare discussions be taken off regular social circles. That's just not how real life socialising occurs.
Anonymity != criminality
There's a recurring angle that anonymity is somehow unlawful or unscrupulous. This attitude is based more on guesswork than criminology. If there were serious statistics on crime being aided and abetted by anonymity then we could debate this point, but there aren't. All we have are wild pronouncements like Eugene Kaspersky's call for an Internet Passport. It seems to me that a great deal of crime is enabled by having too much identity online. It's ludicrous that I should hand over so much Personal Information to establish my bona fides in silly little transactions, when we all know that data is being hoovered up and used behind our backs by identity thieves.
And the idea that OSNs have crime prevention at heart when they force us to use "real names" is a little disingenuous when their response to bullying, child pornography, paedophilia and so on has for so long been characterised by keeping themselves at a cool distance.
What’s real anyway?
What’s so real about "real names" anyway? It's not like Google or Facebook they can check them (in fact, when it suited their purposes, the OSNs previously disclaimed any ability to verify names).
But more's the point, given names are arbitrary. It's perfectly normal for people growing up to not "identify with" the names their parents picked for them (or indeed to not identify with their parents at all). We all put some distance between our adult selves and our childhoods. A given family name is no more real in any social sense than any other handle we choose for ourselves.
Posted in Social Media, Security, Privacy, Nymwars, Internet, Identity, e-health, Culture, Social Networking
Real names is real sly
In a favorite West Wing episode, the press secretary advises VP running mate Leo McGarry that he doesn't have to "accept the premise of the question". Let's remember this when engaging with the self-appointed social scientists and public policy makers at Google, Facebook et al who insist we use "real names" on the Internet.
It's terrific that Google's Real Names policy has been soundly rebutted so widely, with earnest and worthy defences of the right to anonymity. I especially like the posts by Identity Woman, danah boyd, and Alexis Madrigal at The Atlantic who compellingly relates how his own position shifted on the questions as he thought them through.
But at the same time I am disappointed so many defenders of freedom have been drawn into arguing the pros and cons of "transparency". The Namesake infographic (which dates from May, before the Real Names furore broke out, and was reprised by Mashable last week) dumbs down the debate by accepting it as a fight between extremes. Frustratingly, it grants legitimacy to Zuckerberg’s mad ideas that having two identities shows a lack of integrity.
As an aside, using the label "transparency" sub-textually reframes identity with a pro-Real Names bias, especially when juxtaposed against "anonymity" which sounds shady. Is it really fair to call it "transparency" when forcing people to reveal more than is necessary about themselves when they’re socialising?
This issue is really not about transparency at all. Let’s say loud and clear: the Real Names policies of Facebook and Google+ are self-serving commercial tactics intended to maximise the commercial value of their networked stores of Personal Information.
Obviously these informopolies add more value to their network data when they can index it with precision. The use of multiple personae disaggregates the metadata held by OSNs and reduces its value to advertisers and all other PI pirates. In fact reserving the right for individuals to disaggregate their PI is one of the cornerstones of information privacy. Thus in Australia we forbid businesses from reusing government-issued identifiers like Medicare numbers and driver license numbers.
We should not accept the premise that a Real Names policy serves any user-positive purpose, like "transparency", or that it forces better integrity in how people conduct themselves socially. The idea that bloggers are less than honest when not named is, ironically, utterly devoid of social nuance. At every turn, we instinctively compartmentalise our personae, revealing what matters when we interact in different circles – home, work, social, medical – and instinctively holding back what doesn't.
"Online Social Networks" should not seek to change the way we socialise.
We must not allow gurus like Zuckerberg to get away with self-serving philosophies like 'we all have one true identity'. He really has no deep insights into the human condition. What he has is a mind-boggling personal fortune based entirely on knowledge about people he has harvested on largely false pretences, and which is diluted when those people are allowed to name themselves socially as they do in real life.
Posted in Privacy, Nymwars, Language, Internet, Identity, Culture, Social Networking
A new Declaration of Identity
July 4th saw the release of the "Declaration of Identity". It's clever and emotive (at least for Americans). And maybe it's not supposed to be taken too seriously, but it seems to be another example of the complicating generalisations that I think distract from the real problem: How to make safe the perfectly good identities we already have when we go online?
The declaration asserts "sovereignty over free and independent determination and expression of innate identity".
Call me pedantic, but it's not quite right. Digital Identities are proxies for various relationships we have, each of which is almost always framed by the Relying Party, for it is the RP that wears most risk when identification goes wrong. Digital identity might be negotiable in some instances between Subject and RP/IdP, but it's just not the sort of stuff that belongs to an individual, let alone is "innate".
I just don't get Levels of Assurance
IDAM practitioners and government authentication policy makers have settled on a generic quaternary categorisation of transaction risk and of quality-of-enrolment. Let's recap: the idea is to characterise the seriousness of a transaction in terms of LOA 1/2/3/4 and then match the LOA of the party you’re planning to do business with. Quaternary LOA schemas are codified in NIST SP 800-63 and described more loosely in the Australian National Electronic Assurance Framework (NEAF).
The idea of LOAs came from risk management methodologies and standards like AS 4360 and now ISO 31000. These approaches involve gauging the severity and frequency of anticipated adverse events, and combining them to deduce a rolled-up risk rating for each event on an ordinal scale, like {Negligible, Low, Medium, High, Extreme}. Examples given in the NEAF documentation use consequence-severity tables lifted straight out of AS 4360.
A powerful feature of this approach is that each enterprise is empowered (in fact expected) to create its own internal calibrations of adverse events. Severity can be gauged in different ways, by referencing monetary losses, health consequences, political impact and so on, and the most appropriate frame will depend on the business environment. Organisations also set their own policies for what level of risk is acceptable for each anticipated threat. So some will not tolerate residual risks that are worse than Low, while others will live with Medium risks on a case-by-case basis with special contingency plans.
As a result, risk determinations made against ISO 31000 and the like are not transferable between organisations. Simply saying that a certain event (for example compromise to a user account) has a risk rating of “Medium” tells someone outside the organisation nothing at all about the details of the threat, its impacts, its expected likelihood, nor how it might be mitigated.
And yet the authentication LOA paradigm has us pick and choose externally issued identities based on a rolled up rating of LOA 1, 2, 3 or 4. There really cannot be any definitive assurance that all “LOA 3” credentials for instance issued by all IdPs are equivalent, nor that they will satisfy the detailed needs of all Relying Parties conducting “LOA 3” transactions.
The idea of quaternary LOAs was based on schemas that are used to communicate risk within organisations. They do not work for communicating about risk between organisations, and therefore the same approach is not as useful for LOAs as it might first appear.
Posted in Internet, Identity, Fraud, Federated Identity, Security
Identity Evolves [AusCERT Conference Presentation Abstract]
This is the abstract for my paper that has been accepted in the main program at the AusCERT 2011 Conference.
Why Federated Identity is easier said than done
AusCERT2011 | "Overexposed" | 15th-20th May 2011
Royal Pines Resort | Gold Coast, Australia
http://conference.auscert.org.au/conf2011
Abstract
Why does digital identity turn out to be such a hard problem? People are social animals with deep seated intuitions and conventions around identity, but exercising our identities online has been hugely problematic.
In response to cyber fraud and the password plague, there has been a near universal acceptance of the idea of Federated Identity. All federated identity models start with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline registration, reduce costs, and open up new business channels. It’s a potent mix of supposed benefits, and yet strangely unachievable. True, we can now enjoy the convenience of logging onto multiple blogs and social networks with an OpenID or an unverified Twitter account. But higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.
This paper shows that Federated Identity is in fact a radical and deeply problematic departure from the way we do business. It complicates long standing business arrangements and exposes customers and service providers alike to brand new risks which existing contracts are unable to deal with. Federated identity naively fails to understand that identities are proxies for relationships we have in different contexts. Business relationships don’t easily “interoperate”. They can’t be arbitrarily tweaked to suit different contexts, because each relationship has evolved to fit a particular niche. While the term identity “ecosystem” is fashionable, genuine ecological thinking has been lacking. The alternative presented here is to faithfully conserve business contexts and replicate existing trusted identities when we go from real world to digital, without massively re-engineering proven business rules and risk management strategies.
A still unproven idea
The past decade is littered with earnest identity initiatives that failed to get off the ground (including at least three in Australia alone) and security industry consortia that over-promised and under-delivered. We’ve endured endless deconstructions of “trust” and theoretical dissertations on “identity” but none of this work has led to the sort of breakthrough that’s desperately needed. Online identity fraud continues to grow. The direct cost is hundreds of billions of dollars globally; the indirect cost includes a malaise inhibiting such truly transformative initiatives as e-health.
In spite of its conspicuous failures and the revolving door of technical working groups, Federated Identity has become an orthodoxy. The US federal government's proposed National Strategy for Trusted Identities in Cyberspace (NSTIC) takes federation as a given. Its central tenets such as the pigeonholing of identification risk into four generic "trust levels" have been standardised in SAML and productised, but not yet realised.
Hidden complexities
If we take a closer look, we can see that nothing like Federated Identity has ever been done before. The proposition that banks, telcos, universities and governments should act in the open as “Identity Providers” is not something these institutions have contemplated outside their own closed business contexts.
Most federation initiatives hold out self-evidently noble objectives like “interoperability”, “openness” and the eradication of “silos”. Yet these feel-good words don’t stand up to scrutiny. Federation implies widespread changes to business rules and risk management arrangements, which lawyers and legislators have yet to come to grips with. Consider that banks have long established (and highly regulated) protocols for identifying customers. Introducing new third party identity providers and new enrolment pathways is a true paradigm shift, demanding untold revision of conventions, contracts and legislation.
The benefits of decentralisation claimed of Federated Identity are largely illusory. It is good for privacy and security that federation generally deprecates any one master ID, but it introduces legally novel intermediaries and new aggregations of personal information. For instance, in order to provide for “verified anonymity”, Federated Identity has customers enrol with brand new Identity Providers, handing over bulk personal information to them, only so that it may be withheld from service providers.
A simpler way forward
It is often said that identity management is “not a technology issue”. The statement is both right and wrong. The biggest challenges in federated identity are certainly not technological; rather, they relate to risk allocation in an unprecedented joined-up matrix which changes the legal fundamentals of how we do business. On the other hand, the pressing problems of ID theft and fraud really are technologically straightforward.
We all agree that identities are context dependent; the deeper truth is that identities are proxies for complex relationships that have evolved to fit distinct niches in the identity ecosystem. As with real life ecology, characteristics that bestow fitness in one niche can work against the organism in another. Thus the derided identity “silos” are a natural and inevitable consequence of how business rules are matched to particular contexts.
We need to avoid complicated generalisations about identity, and instead focus on simplifying assumptions. The password plague is only a problem because traditional access control was devised for technicians; consumer authentication simply needs better human-machine interfaces.
The real problem lies not in existing identity issuance processes; it’s to do with the way perfectly good identities once issued are taken ‘naked’ online where they’re vulnerable to takeover and counterfeiting. If we focussed on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.
Posted in Smartcards, Security, Privacy, Internet, Identity, Fraud, Culture
Identities are brittle but crystal clear
This blog was updated and re-posted on 12 June 2012.
I have been blogging and commenting left and right that there is an alternative theory behind the woes of CardSpace and OpenID. Yes, vendor psychology, standardisation and commercial politics have frustrated progress on the "Identity Metasystem", but a less fashionable explanation is that it's just not as great an idea as first appears. The Identity Metasystem is way over-engineered. It tries to solve stranger-to-stranger "trust" (as did Big Fat PKI in the 1990s) and seeks to allow parties to confirm one another's unanticipated identity assertions.
These are almost academic problems. By far the most economically important transactions on the Internet occur between parties that already have their local "metasystem" in place. Payments, e-health, share trading, e-government etc. all take place within overarching risk management and legal arrangements involving specific registration protocols, formal credentials, terms & conditions, liability allocation etc. The analysis and design of business transaction systems anticipates the risks and responds with identification protocols and rules for participating. Parties in these different transaction contexts know precisely where they sit. They know their roles & responsibilities before they transact, even before they've installed whatever extra software and authentication devices are required according to the local risk analyses.
The "price" we pay for this level of crystalline certainty is that our different identities are brittle. They are highly context dependent, which is exactly what the Laws of Identity teach us.
On the other hand, the utopian Identity Metasystem tries to teach us to bend those identities, hopeful that a smaller number of them might be re-used cross-context. As if this will have a relatively minor impact on all those local risk management arrangements, and so reduce the total cost of ownership of IDs. Sorry, it just doesn't.