| ProfileThe Wandering MindPhotosBlogLists |  Tools  Help |
The Wandering Mindof James van Kessel
|
November 20 Digital Avatars and South ParkStumbled onto this strange but fun twist on the south-park world:
You can create your own south park character from many different items. Only thing that bites about it is it's flash and the only way to save your image is screenshots - not too much trouble but not exactly easy either.
Attached is one of myself as a South Park character. Maybe it'll be my new "Personal Avatar" on websites... :-) October 26 7-laws Privacy *Overlay*So I may have been wrong to call Dr. Cavoukian's whitepaper a list of corollaries for the 7-laws. Rather, they were a comparison and augmentation of the laws using the Fair Information Practices (FIPs).
What I see in Dr. Cavoukian's paper is an insightful review of the 7 laws in a different light: that of Privacy.
Her conclusion is that the privacy-embedded 7-laws, which are only slightly modified from the original, align well to the FIPs they correspond to.
What I found lacking in the paper was a description of where the FIPs go beyond what the 7-laws specified. What I would like to see from Dr. Cavoukian is what would be the privacy implications of an identity metasystem that ONLY adhered to the 7-laws without directly considering the FIPs separately? Would specific parts of the FIPs be neglected by focussing only on the 7-Laws, or are they sufficiently complete to address the FIPs completly?
Regardless, the one implication of this whitepaper that is clear: Identity implementations in the province of Ontario will be scrutinized under the FIPs but may also be called-out if they break the 7-laws, as Dr. Cavoukian is obviously a Kim Cameron fan. October 24 7 Laws Privacy Corollary from OntarioPerhaps it makes sense that it was the Ontario Privacy Commissioner who published and spoke on the privacy implications of the 7 Laws since the father of those laws, Kim Cameron is a Canuck!
See the Privacy Commissioner's Whitepaper here:
MP3 of her speech to a Toronto Privacy forum:
Coverage of her work on Kim's Identity Blog:
http://www.identityblog.com/?p=621
So why is this so exciting, you may be asking? It's because, although the internet identity world (Blogosphere) has been abuzz about the 7 laws for quite some time now, the rest of the world has gone on fairly well without much notice. This is a very public and published (Globe and Mail) discussion on these laws and what they mean to people on a very sensitive topic: Privacy. I look forward to much more public interest in what the 7 laws mean, not only on the internet, but where internet meets the offline world.
I won't say that I've read the paper in full yet but once I do, look forward to further reaction and thoughts. August 22 Knowledge Based AuthenticationIn reading about IDology's Knowledge-based Authentication on John's blog I am struck by an inconsistency. How is it that IDology can use
and claim that this is difficult for Criminals to use? if they're "Public Data Records" then a concerted criminal element can search them for the answers to the questions posed by IDology...
Hopefully John can shed some light or this might be simply a case of the old security adage "if they want it bad enough they will find a way to get it" and thus this is the accepted risk of KBA in general. July 17 After being away - the need for the Internet OracleI've been away a long time. Daddy time taking lots of focus these days.
Maybe that's why this article about My Space's Age Verification problem on Wired (an AP Article) struck a chord. It brought together two things that have a lot of my attention lately: child protection through identity, and Bob Blakely's idea of the Internet Oracle.
Bob presented a thought-inspiring presentation on why corporations can't be trusted in the way we, as humans, trust each other. The long-and-the-short of it is that the only Identity Management business model that's sustainably profitable is one that is successful by its non-disclosure of critical information accomplished by answering questions with metadata instead of data.
A common example is: the Oracle stores and protects my exact birthdate. I sign up for a site requiring me to be 18 and the site asks my designated Oracle "is he over 18?" which I allow it to answer with the metadata "Yes, he's over 18". Note my specific date of birth is the data which is not disclosed.
The tie to the article came for me when it said that there was a gap in the child age-verification space looking for a way to ensure proper age verification for adults and children. One of the challenges is the need to appeal to users' anonymous personality-portrayal but base a back-end on verifiable data for protection. An Identity Oracle paid by the user and the site to assure accurate data is used to answer critical questions. It protects the site from legal issues and protects the user's data from potential mis-use and gives them access to the site.
I think the Oracle model would be very applicable to the social verification scenario. Think of MySpace: People there want to portray themselves as whatever they want to be. Let's not take that away from them. Let them portray any age they want in a public profile, but don't use that age to make authorization decisions: use the authoritative Oracle-based data instead. That way you get your cake and eat it too!
Any takers on building a business model around this idea? June 16 Catalyst lives up to its nameThe Catalyst conference is pushing the envelope of IdM again. They have announced a Multi-Protocol Federation Interoperability demo at this years North America edition. What I want to know is if they will realize that they need a "Standard" way of interacting between "Standard" Identity Management protocols to be consistent. I think I remember Web Services relying on a WS-Trust framework to act as a Security Token Service, but that presupposes the originator of the Identity Token knows ebnough about the endpoint of the federated sign-on to generate the correct token. Might need an SP Discovery service for protocol format
May 30 Auto Identity theftPhil Becker's weekly DIDW newsletter had a gem in it which I think is especially relevant because of the TV special my wife and I watched just yesterday (it was an episode of "Marketplace") on how easily cars are stolen and how sophisticated some of the scams are getting. for those that don't know us, my wife is the automotive expert and i'm happy to leave that to her but this is the first time I've seen my work encroach on "her" industry. http://www.freep.com/money/autonews/autoscam23e_20050523.htm Anything with an identity is a potential identity theft target. The automobile VIN number is certainly an identity, and it turns out that thieves are now "cloning" automobile identities to allow the sale of stolen vehicles. Naturally, this is creating serious problems for the owners of those cars whose identity has been stolen, and it appears there is no easy way to tell who is the thief in many cases, creating a lot of agony. This article indicates that this form of identity theft is organized, international in scope, and growing rapidly. ----------------------------- California vs RFID: Round twoSo I read some of the bill on RFID use and it seems to me that the unauthorized use of RFID by non-official agents is the problem. Bascially if I pass you in the street I can initiate an RFID response from all of your RFID chips and read your identification number (or if the chip stupidly stores actual personally identifiable information - find out who you really are). So, why don't we have RFID-Wallets? Look, the reason we don't have our Drivers Licenses tied around our necks while driving is that we don't need to. We take it out of our wallet, within which it is concealed, to show it to whoever we trust to view it and use it for a legit purpose. So we should do the same with RFID tags: take them out when we need them! But, you might ask, how do we do this? Isn't RFID contactless on purpose? How can I avoid being "scanned" for an RFID chip? Simple! If I had a tin-foil wallet, or even better, a conductive bag like the ones that computer parts come in, then the RF signal could be blocked (basic EM theory here folks). So the same reason that we have wallets for our licenses is the same reason we should employ RFID wallets for our tagged Id. California vs. RFID: Round oneAccording to some news articles like this one in C-Net, California is trying to pass a bill takaing a firm stance against RFID in any state-issued identification. But hold on, what are they REALLY taking a stance against? Accroding to this article, the text of the bill states that what should be prohibited is:
To me it sounds more like the bill is about avoiding BAD identity management practices. In the short exerpt above it disallows the broadcast of personal information or allowing a scan of personal information remotely. Well then, make the RFID chip broadcast a pseudonymous number that is meaningless out of context but in the right system maps back to the holder's personal information. Make that remote system with the ID to user mapping require secure individual authentication and you have a winner. The bill really appears to be requiring good Identity management practices around the use of RFID, and if it is, it may be codifying in law some of the concepts that the 7 laws dictate (but I have to say that I haven't read the bill in detail yet so I may be jumping in too soon - I'll let you know if I am). I also suspect that if the journalists who wrote the above articles had read the 7-laws whitepaper, they would have a completely different take on the stories. May 25 The problem of identity verification and recognitionHere's an incomplete thought I've been mulling over for a while now... Online recognition with current technology is equivalent to recognizing someone's name in real life, except that in an online world the 'name' is more often an arbitrary identifier such as an ISP user ID or email address - it has very little to do with any 'real' or physically bound characteristics of the person involved. To build online identity recognition and verification based on something more than an arbitrary identifier we have to solve problems that still exist in the physical world. The digital world gives some advantages but suffers some disadvantages as well... I think this speaks to the problem that the 6th law. Of identity (human integration) presents: unambiguous individual recognition. I will think more on this before continuing... In the mean time, what do you think? |
||||||
Send a private message
Subscribe to RSS feed
Tell a friend
Add to My MSN
Add to your network
Sign up for alerts|
|
