Category Archives: identity

Loyality Oath

The HR department is administering the loyalty oath.  This is annual event.  We are requested to testify, via a form, to all our professional affiliations.  To a degree I am, of course, joking.  This invasion of our personal privacy is motivated by three concerns: concerns about possible conflict of interest (i.e. that the best interests of the employer might not be #1), concern that we might be not do what we are paid to do but rather work on some outside project, and finally that we might leverage the employer’s good name to the outsider’s benefit.  I gleaned that list from the sections of the policy manual the form points to.

Social networks are a particularly interesting test case for looking at issues of the multihoming since of course they are where you make you home.  I have account memberships in about a half dozen different social networking sites; but I don’t actually participate in any of them.  Though that all depends on your definition of social networking site.  If your more generous in your definition, including say all the on-line forums and mailing lists that include a social (v.s. purely on-topic) component then the number of sites I have accounts at explodes.  A quick review of my password wallet suggests the number gets up toward a hundred; the phrase ‘a gross’ seems useful at this point.  An then some percentage of the blogs I read have a social (or community) subtext.

Some of these places are quite social.  The shaving and diet forums for example. The Oil Drum and Crooked Timber are two nice examples of blogs that sustain a community around them.  Others are semi-social; the one for my PDA for example.  It’s worth noting in passing that the social can make it a bit tough to keep the sites useful for their nominal on-topic purpose.

Where you sit changes how you look at the question of multihoming and social networking sites.  If you have a large stake in one; owning LinkedIn for example but even if you have invested a lot of your social energy into a particular one your profession for example, then you are likely to be interested in ways of reducing the degree of multihoming.  There is certainly plenty of literature on how to execute on that.

Lots of people interested in knowledge flows have noticed that that individuals that cross between two social/professional networks often account for critical knowledge transfers.  So if your interested in encouraging that kind of thing then you might be interested in how to manage and enable increased multihoming.  I don’t think I’ve ever worked for employer who failed to consciously, though rarely conscientiously, encourage a modicum of that kind of thing.

Multiple social networks create some diversification, which in turn can be a buffer against various risks.  Two risks bear mentioning.  If a social network goes bad having other networks enables members to exit, but also it enable them to be critical and that critique can be key to fixing what going wrong.  Having multiple social networks also allows members to take risks, not just of criticism, but also to take risks that may do irredeemable damage to their reputation; such risks are much harder to take if there no other network to retreat into.

None of this helps to puzzle out the question of exactly how many of my ‘professional’ associations I should enumerate on this form.  I’m sorely tempted to enumerate the complete list of all the on-line forums I’m a member of to which I both feel some loyalty and have any overlap with my employer’s vast range of activities.  Just for fun.  Oh, but curiously I appear to be in a job category where they decided to wave the requirement.  Well golly, now my feelings are hurt – they don’t seem to care if I’m a two timing disloyal abuser of the brand!

Leveraging the Notaries

I’ll note that much as one can use an SMS infrastructure to assert that a person has at least temporary control of a mobile phone you could use the existing notary system.    A service provider prepares a document instructs the user to print it, have notarized, and return to the service provider.

I wonder if that could be done in a manner that avoids revealing to the service provider any information other than the information contained in the document.  For example, could you keep the user’s name out of the service provider’s hands.

Internet Identity & the Public Notary

Solving coordination problems, in this case the internet identity problem, always involves leveraging some existing coordination framework. For example the PGP signing scheme leverages the acquaintance network and the signers are encouraged to leverage the government issued identity cards. For example my local library asks to see a utility bill, and thus leverages the account relationship I have with the utility.

When your designing one of these internet identity schemes you thrash around looking for something you might tie your raft to. The IP address, the browser cookie, the confirmed email address, etc. There are lots of clever schemes. For example Paypal does, or at least used to, do a cute trick where they would confirm that you had access to a bank account by making some tiny random deposits and then asking you to confirm their amounts. These days it’s common to see SMS messaging used to confirm you have control, at least for a moment or two, of a particular mobile phone number. I haven’t personally experianced, but I presume somebody has built, the phone equivalent of confirming an email address.

As usual these examples have three parties: entity to be identified, entity that desires that, and some third party: i.e. the user, the service, and the identity provider. When you confirm an email address the identity provider is the email infrastructure; and the reason the service finds that useful is it trusts that infrastructure; at a least somewhat. When a service confirm a mobile phone number using a SMS the SMS infrastructure is filling the role of identity provider. When a bar-keep checks a driver’s license he’s trusting that infrastructure; and his ability detect fraud.

The driver’s license is what in the digital world we might call a capability; it’s a token that grant’s it’s holder the right to perform various activities. Including, surprisingly and ironically, the ability to order a beer. We can make quite robust capability tokens in the digital world; but we need to have somebody sign them.

In the off-line world we have institutional infrastructure to support such signing. Quite a few actually. Financial industry, for example, has something they call a bank signature and if you take a random piece of paper down to a bank where you have an account the branch bank officer will be happy to watch you sign it, then they they will first press a large 3 dimensional stamp into the paper and then over that they will sign the paper too. Notary publics perform analogous services.

So. Let’s say I want to organize a large group of volunteers to provide some service for the general public. Let’s imagine that as part of this service the volunteers will be sending email to members of the general public with whom they have zero existing relationship; so the volunteers are concerned that they will be accused of spamming; or worse might get used due to a security flaw to actually spam.

I think the volunteers’ concerns could be addressed if I could give them a signed note from the user that grants them permission to pass on the email associated with the service. I.e. a capability token. But who would sign it?

I don’t think I’ve previously seen the idea of mimicking the notary public architecture before. It is just what’s needed. The service community selects some number of their members and anoints them as notable. Any notable person may gin up capablity tokens for a user. Any user wishing to use the service must seek out a notable person, acquire a signed capability token. The user can then distribute that token as they see fit.

The volunteers in a service community would want the notables governed well. That means at least: they are easy to find, cheap to use, courteous and professional in their manner, etc. Much that’s wrong with the existing key signing schemes arises from breakdowns (aka rent seeking) at this level.

But today I’m thinking that the real breakdown in those schemes was the choice to follow commercial models for the governance of the notables; rather than professional or fraternal models. I.e. non-profit. Or possible we should leverage state licensed models. Aside: there are millions of notary publics in the US.
I’m particularly enjoying the idea of a fraternal orders of signers in the tradition of Friendly Societies like the Odd Fellows, or Service Clubs like the International Order of Twelve Knights and Daughters of Tabor. Who wouldn’t want to be IKK, BJ, GS; aka an Imperial Knight of the Key, Boston Jurisdiction, GPG Affiliate. It would certainly come with a funny hat and a lapel pin.

Accepting Gossip

Here’s a principle that I think the internet identity community needs to come to grips with.  Sites are going to talk about users behind their backs.  They are going to exchange information about users without the users explicit permission.  While strictly speaking the users permission for these exchanges may have been acquired the user will not fully comprehend that the he gave permission.

In any case I think it is dangerously nieve to attempt to design systems that take as their primary goal minimizing the amount of information about users that flows between the sites.  Not because it wouldn’t be wonderful to minimize those flows but because those flows take place already and they are not about to stop.

For example all the advertising networks (i.e. double click, google, etc) collect tremendous amounts of information about users.  Should we presume they don’t sell that information back to sites in one form or another?  The catalog, financial, medical, and insurance industries all pool customer data in ways that are analagous to what the advertising networks are doing.  Should we presume they don’t traffic in that information?
These pools of customer data are the elephant in room.  Some of them are held by consortium, like the health records, while the newer ones are held by single firms.  What Google knows about me, oh lord!  The majority of participants in the internet identity dialog appear to be ignoring that it is the legal responsibility of the owners of this data to milk the maximum value out of them.

So here’s a thought.  Maybe we shouldn’t be struggling quite so hard to minimize data flows.  Maybe we should be struggling to make the data flows more transparent.  If it’s necessary to accept that then it has consequences.

Any standard that is going to be widely adopted by sites must provide sufficient value to pay for the cost of adoption.  Today if a site wishes to know more about it’s users it can do that by paying for that information from the current operators of an existing data pool.  Any standard that hopes to displace these dominate players in the internet identity market will have to provide good value for reasonable adoption cost.  Designs the emphasis user privacy over other attributes are unlikely to strike the right balance to get the network effect to happen of both user adoption and site adoption.

I’m not sure I entirely like where this line of thinking is going; but I do know where it came from.

In my web logs most incoming visitor’s browsers politely tell me who reffered them to me.  I got to wondering if I ought to be thanking those nice sites that sent me these nice visitors.  Which lead to realizing that I have what the autistic b-school types call “a relationship” with those other sites.  Let’s call these other sites my partners.  When one of these visitors gets referred to me why can’t I discuss him with my partners?  Why is there no protocol for that?  Me: “Yo, partner, who is this dude?”  Partner: “Him? Don’t know much about him, but he’s got an account here; and it says his private information broker is .”

Of course that conversation appears pretty privacy invading.  So sites that want to do that are forced to go through a gossip broker.  I.e. their advertising network.  Which only leads to extremely strong network effects for one advertising network to dominate the others; because they accumulate a better model of these visitors.

Pretending that these data pooling gossip brokers are not part of the ecology isn’t working to their advantage.

OpenID += Microsoft, AOL

Nothing legitimizes a standard like usage.    What makes Microsoft Window’s a standard is those billions of transistors all over the planet are chewing way on it’s code.  What makes Google search a standard is that all those of searches are taking place.
In that sense of legitimate OpenID continues to struggle.  While usage remains the final arbiter there are other ways to achieve a bit-o-legitimacy.  Getting the blessing of the king is always good.  You can get a law passed; that worked for making curb cuts standard but it didn’t work for lowering the speed limit to 55mph.  You can get a large standards body to promulgate your standard.  That one is surprisingly ineffective. You can solicit players with large market share to give you the nod.

Each of those three (civil authorities, professionals authorities, market leaders) is legitimate because some legitimate process gave them their king like nature. Their blessings are market signals.  Other players in the market use them to manage the risks of adoption.  Interpretation of these signals is up for negotiation.  Consider a few of the big standards bodies – for example ANSI, EMCA IEEE, IETF, OASIS, W3, WS – each one has very different governance model.  That model affects the meaning of their blessing.

In the standards battle over internet indentity the Project Liberty folks ended up tainted by the way their governance, and hence their legitimacy, was weighted toward the account holders rather than the users.    I was involved in Liberty, and the governance was weighted toward account holders; the design emphasis wasn’t but that’s not my point today.

Microsoft and AOL’s recent signals of support for OpenID signal one thing.  That OpenID is good for them.  That does not mean good for you.  OpenID is very good for very large existing account holders, because those players are the most likely to hand out the vile globally unique identifiers around which the OpenID design based.

I tend to think that OpenID is going to capture a very large market share.  These signals of support reinforce that.    Not so much because they actually signal a change in that most important source of legitimacy, i.e. usage, but because they illustrate that at least one side (i.e. account holding institution) are starting to see that the design is good for them.  The other side (i.e. account holders) remain on the sidelines.

The question of what makes this standard’s bandwagon legitimate should remain open for negotiation.  The OpenID bandwagon looks to me like it’s in great shape.  That users haven’t climbed on board remains a challenge, but not an intractable one.  I continue to see this bandwagon as pretty illegitimate from a governance point of view.  Claiming to speak for users is damn sight easier to say than do.


Mike Neuenschwander’s Law of Relational Risk

“Contribution to the relationship that is not met proportionally by the other participants is a loss to the contributor.”

is perfectly fine but that it suffers from Asperger’s Syndrome. Relationships are not like accounting. Since there is no reserve currency for relationships it is impossible to balance the books. Since there is no accounting cycle when the books are required to be brought upto date any attempt to balance the books will fail. Their is no consensus about discount rates, they are unregulated. For example if something bad happens to me in a relationship I can, of my own free will, depreciate that into oblivion via forgiveness or I can compound the issue demanding increasing compensation.

Bearing that in mind the rest of his post is all good and useful fun. Mapping economic ideas into the rest of the social sphere is more than fun, it is deeply silly.

More presentation of self

Another addition to my collection of examples were members of a group sport something that reveals what others might tend to think of as private information. In this forum the members decorate their postings with information about their credit scores. Not unlike the folks that do the same thing with their due date or their weight loss progress

Here are three examples (at reduced size) of their badges.

Some people show a chart of how each of the credit tracking firms is summarizing their credit.


Some of them are using this service that provides them with a score card.


Others are using the same progress bar scheme seen on weight loss and event (wedding, pregnancy, etc.) forums.

Why can’t I feed my real time IQ into my IM status; or what my current credit card debt is?

open voice networks

Martian speaks wisely about why open voice networks aren’t a technology problem but a social entrepenural one.  At the same time he is also talking about a minor aspect of why internet identity isn’t a technology problem.

These days I find myself thinking that internet identity is hard because the gap between people’s intuitions and the technology substrate is so vast.  In the real world privacy tends to be the default; in the virtual world it’s the other way around.  Saying we lack a substrate for creating privacy in the net is the worst kind of understatement; it’s a bit like saying I lack x-ray vision.

As he says we lack good understanding of what makes an open v.s. closed network.  Capitalists care about that, since closed networks have the potential to generate great wealth.  I care because there is a huge swath of tiny groups that can’t get the benefits of adding a virtual aspect to their existence.  For example the 3rd grade parents can’t put their contact list on line.  Which is killing these groups and that’s very bad for the social network’s health.

Groups, id cards & hub failure

Thought provoking: my morning mail reports that the ID card servers at the university are down and that this effects “card readers” across campus.  Reminds one that hubs are a target for assorted criminal activity.  I wonder what boundry crossings people are discovering they can’t make right now?

Meanwhile I’m told we citizens get our new regional transportation passes at the end of the month so that getting on the bus and subway will involve bringing the card into physical proximity of the toll collecting gates.  RFID I presume.  So this morning I wonder if that system has a central point of failure?

When you work on standards it’s always interesting how one constituency has concerns that another constituency has to struggle to appreciate.  That’s the real work.  In the early days of the Liberty Alliance one of these was how extremely reluctant, to the point that it had the potential to be a deal breaker, the web site builders were to add anything that might effect their reliability.  That’s a severe barrier to adoption for any identity provider.  It is very difficult for an identity provider to guarantee that the system administrator’s bonus will never be adversely effected.

If I can’t get into the pool today who will compensate me?

Trait Transference

Consider this statement: “Alice says that Bob is lazy.” Is it better to summarize this as: “…Bob is lazy” or “Alice … is lazy”? The 2nd is very often better. Speakers mentions traits which reveal their own traits. What you say reveals your internal dialog.

So it’s with great amusement that I stumbled upon this paper. Trait Transference: Communicators take on the Qualities They Describe in Others. This paper makes a very similar argument, but the other way around. It argues that the dialog about others lays down the patterns that become the behaviors you yourself take on.

Who knows? Hard to run that controlled experiment! It’s a chicken and egg problem.

In either case, say nice things about other people – it will make you, or possible indicate you already are, a nicer person.

Meanwhile let me just say that you are very sexy!