Interesting piece here about Cory Doctorow’s search for a solution to the problem of what to do with your “digital legacy”. Now that so much of our lives is lived/captured/stored digitally, it’s far more likely that our executors and relatives will need to unlock a laptop, disk drive or a file than a desk drawer or a filing cabinet… and yet, as Cory notes, there’s not much on the market that provides a simple solution.

The French eID scheme has, for some time, included a ‘digital vault’ for each citizen to use as a repository, but I don’t know what the escrow arrangements are should the citizen die and someone else need access. Perhaps someone could comment if they know the details?

Cory mulls over the compliexity of various DIY options – but fortunately for him, help may be at hand in the form of the EU-sponsored PrimeLife project. At the project’s Reference Group meeting in Frankfurt earlier this year, I heard an excellent talk by Sandra Steinbrecher on “Trusted Content and Privacy Throughout Life”. The slides are online here, and I recommend them for their clear analysis of the problem.

Home Secretary Alan Johnson has taken advantage of his recent arrival to announce a change of policy: ID Cards will now not be compulsory… for anyone other than foreign nationals working in the UK.

Though, if I remember correctly, it remains illegal under EU law for any Member State to require the citizens of another Member State to carry its (the former State’s) identity credential… so actually that means “foreign nationals other than citizens of other EU States…” and possibly European Economic Area/European Free Trade Area States (Norway, Iceland, Liechtenstein and Switzerland) as well, I don’t know. “EU Member State” is one of those categories which seems neat and tidy at first glance, but turns out to get a bit fractal the closer you peer at it. Apparently the Falkland Islands, Greenland and Nouvelle Calédonie are not Member States, for instance, despite being overseas dependent territories of countries which are. I apologise in advance to their worthy inhabitants, but I’m not even going to look up San Merino, Andorra and the Vatican…

But I digress. The point is, by the time you rule out UK nationals and “citizens of the European Fractal”, I wonder what percentage of the inhabitants of these islands you’re left with, who may legitimately be challenged to produce an ID card. However, adoption of a voluntary citizen card, by the rest of us, is unlikely to achieve critical mass unless there is already a sufficient infrastructure (of authentication devices, for instance) to stimulate the development of a service provision ecosystem, which in turn make such a card worth carrying. Carrying that logic through to its conclusion: I cannot, in the current circumstances, see a Home Secretary committing to the investment required in such an infrastructure in the hope that it might stimulate enough demand for the scheme to pay for itself in the end.

When you then consider that anyone who still counts as a “foreign national working in the UK” will have to have their own country’s passport, and probably a visa, work permit and/or other documentation in order to get in and stay here, Mr Johnson’s announcement is probably sufficient to make the roll-out of any ID card fall below critical mass. What would be the point? A database record, indexed to the individual’s immigration record on entry, would satisfy the same purpose without anyone having to issue, carry or check a plastic card.

All that having been said, Mr Johnson’s announcement signals less of a policy climb-down course-change than it might appear. There is, for instance, no change to the plans for a National Identity Register, and anyone applying for a UK passport will continue to have their details entered in that repository. Similarly, there’s still no apparent change to the policy on DNA retention, despite the European ruling earlier this year… though perhaps it’s a little unreasonable to expect two major climb-downs course-changes in quite such short succession.

So where do we go from here? Despite successive Home Secretaries’ determination to confuse the two, the National Identity Register and the National Identity Card were never the same thing, and a National Identity Scheme can quite viably continue without anyone having to carry the “terrifying, small… plastic card“. The question, then, is what the government plans to do with the Scheme once its plastic card has been virtualized – NIS 2.0, perhaps… (sorry).

I think it’s fair to say that the ditching of said plastic cards removes an element which added enormous complexity for questionable benefit. My hope is that that will free enough “policy-bandwidth” to make something sensible and constructive out of the government’s citizen ID policy henceforth. For instance, perhaps this signals a shift away from the hierarchical, paper-credential view of citizen identity and towards one based on the selective management and disclosure of attribute-level assertions.

Perhaps we are ready to move away from the policy of:

“Tell me who you are, and I’ll look up everything about you” and towards one of

“Approve a minimal disclosure of just enough data to let me grant you access, deliver this service, establish this entitlement…”.

That would be a shift indeed, and one which could reflect a far more privacy-positive approach. It may be that I’ll have the opportunity to find out tomorrow, at a meeting of the All Party Privacy Group in Westminster.

Kantara Initiative expands the Liberty Alliance Identity Deployment of the Year Award program, announces new categories and judging criteria

June 30, 2009 – Kantara Initiative, the global identity community working to solve harmonization and interoperability challenges among identity-enabled enterprise, Web 2.0 and Web-based applications and services, today announced the call for nominations for the 2009 IDDY Awards. This year’s IDDY Award (IDentity Deployment of the Year) program features deployment and proof-of-concept categories and has been expanded within Kantara Initiative to recognize identity-enabled applications and services built using any open identity technology. The call for nominations will close on August 3, with awards presented on September 15 at CSO magazine’s Digital ID World 2009 in Las Vegas, NV.

The IDDY Awards shine a spotlight on the individuals and organizations responsible for building and deploying identity-enabled applications for people, communities, businesses and governments. The 2009 Deployment category recognizes applications that are in use today. The Proof-of-Concept category highlights working proof-of-concept applications. Nominations for both categories can be based on, or include any identity technology such as Activity Streams, APML, CX. IGF, ID-WSF, iNames, Information Cards, MicroFormats, OATH, OAuth, OpenID, OpenSocial, OPML, PKI , Portable Contacts, RDF, RSS, SAML, WS*, XACML, XDI, XRD, XRI, XMPP extensions, etc.

“Now in its fourth year, the IDDY Awards program continues to evolve to reflect the changing digital identity landscape. The 2009 program provides individuals and organizations working across the identity ecosystem with new opportunities to join the growing list of IDDY Award recipients,” said Brett McDowell, executive director of Kantara Initiative. “With the expanded scope of technologies being considered, we’re excited about the variety of new applications and services helping to advance the next generation of digital identity solutions that this year’s program promises to highlight.”

About the IDDY Awards
The annual IDDY Awards program was launched by Liberty Alliance in 2006 to recognize excellence in digital identity management. The 2009 program has been expanded to reflect the Kantara Initiative mission of fostering cross-protocol harmonization and interoperability. Previous winners of the IDDY Award include Aetna; Citi; Deutsche Telekom AG; eBIZ.mobility; EduTech, for the New York State educational agencies; NTT Labs; Rearden Commerce; the UK Government Authentication Gateway; UNINETT and the New Zealand Government. Nomination forms and more information about this year’s program is available at http://kantarainitiative.org/confluence/display/GI/IDDY+Awards+2009.

A few years ago I was given a very good piece of advice about technologists expressing a view on matters of policy: don’t.

“Think of three layers”, was the suggestion of my older and wiser colleague: “a bottom layer of technology, a ‘good practice’ middle layer, and a policy top-layer. Be aware that decisions at the policy layer are driven by all kinds of factors over which you will never have control… and however tempting it may seem to do otherwise, restrict yourself to opinions on the other two layers”. I took this advice to heart, and while I have had the occasional lapse, it has not let me down when I have stuck to it.

So, then, what to say about the UK government’s announcement, last week, of its plans to establish a cyber-security operations centre?

Well, I think there are three questions to ask (even as a technologist…):

1 – is there a pressing need for a cyber-security capability? I suspect the answer to that one is a clear ‘yes’. There’s no doubt that cyberspace represents an element of the Critical National Infrastructure (CNI), just like the transport, water, power, communications, financial and sewage networks on which our country depends. And just like all those other elements, the UK’s cyberspace presence is inextricably linked into the global network. (“Sewage?”, I hear you mutter… “How is the sewage system cross-border?” Ask the Dutch… I read a report that, if the Netherlands couldn’t export the excrement by-product of its bacon industry, the whole country would be ankle deep in pig-poo before the year was out. And with all those greenhouses, they use a lot of fertiliser…).

2 – is the government justified in maintaining/using an offensive cyber-security capability? This one is tricky to answer at the policy layer.

• At the technical layer, I have no reservation in saying that I want the security services to know how cyber-attacks work, and even in maintaining significant expertise: after all, they can’t mount passive defences if they don’t thoroughly understand the attacks.

• At the ‘good practice’ layer, offensive cyber-security capabilities tend to be restricted to getting malicious sites/services taken off the internet – and that only after going through ‘due process’ with the telcos, service providers, hosting companies and so on. Clearly, the latest policy announcement is based on the assumption that there may be cases where the security services expect to need to go further than that.

• At the policy layer, then, I think it boils down to this: what confidence can we have that those responsible for exercising such a capability are doing so proportionately, justifiably and accountably? In other words, it raises all the governance and oversight issues which have been so much in the political searchlight in recent months. There are established structures (such as the Intelligence and Security Committee – ISC) which are intended to make it possible for those ‘on the outside’ to be confident that those ‘on the inside’ have to at least tell a cleared and trusted few what they are up to. It is quite possible that those structures, though, are effective at providing policy oversight, but not effective at building and reinforcing public trust. For instance, Tory MP Michael Mates, a long-standing ISC member, has recently said that policy-forming documents he saw in the run-up to the Iraq War would “make people’s eyes water” if and when they are made public through the proposed enquiry… and yet, the Iraq War went ahead.

3 – Can the cyber-security team meet the security policy objective, while simultaneously protecting the UK against repercussions from the policy, safeguarding citizens’ use of the internet, and providing sufficient evidence of accountability to maintain the public trust?

In policy terms, the cyber-security announcement does include a statement about the appointment of an ‘ethics advisory group’ to complement whatever other governance measures are put in place. This group is apparently to monitor the ‘proportionality‘ of actions taken under the policy. But the ethical issues don’t stop there.

Supposing the cyber-security folks pre-emptively take down a malicious server outside the UK… presumably they would want to do that in a way which leaves no evidence of the attack having originated in the UK (for fear of reprisals…); perhaps they might consider launching the attack from elsewhere, in the hope that any blame (and retaliation) would fall on someone else.

I think the ethics advisory group is going to have a busy time.

http://www.rightsideup.net/?p=273

This post is a short(ish) summary of a working session led by Drummond Reed and me at the recent West Coast VRM Workshop, and also an introduction to the Kantara workgroup in which we are going to move this debate forward. It is also part of the thinking that will short emerge in a Mydex white paper.

At the VRM workshop, we discussed the need for the concept of the Personal Data Store, what it would do in practice, and what that will ultimately enable.

Why we need such things – because individuals have a complex need to manage personal information over a lifetime, and the tools they have at their disposal today to do so are inadequate. Existing tools include the brain (which is good but does not have enough RAM, onboard storage, or an ethernet socket……thankfully), stand alone data stores (paper, spreadsheets, phones, which are good but not connected in secure ways that enable user-driven data aggregation and sharing), and supplier based data stores (which can be tactically good but are run under the supplier provided terms and conditions). NB Our current perception of ‘personal data stores’ is shaped by the good ones that are out their (e.g. my online bank, my online health vault); what we need is all of that functionality, and more – but working FOR ME.

What they will do/ enable – the term Personal Data Store is not an ideal term to describe a complex set of functions, but it is what it is until we get a better one (the analogy I’d use in more ways than one is the term ‘data warehouse’ – again a simplistic term that masks a lot of complex activity). A Personal Data Store can take two basic forms:

Operational Data Stores – that get things done, and only need store sufficient breadth and depth of data to fulfill the operation they are built for (e.g. pay a credit card bill, book a doctor’s appointment, order my groceries).

Analytical Data Stores – that underpin and enable decision making, and which typically need a more tightly defined, but much deeper data-set that includes data from a range of aspects of life rather than just that from one specific operation (e.g. plan a home move, buy a car, organise an overseas trip).

A sub-set of the individual’s overall data requirement will lie in both of the above, this being the data that then integrates decision-making and doing.

In both cases, the functionality required is to source, gather, manage, enhance and selectively disclose data (to presentation layers, interfaces or applications).

We also discussed ‘who has what data on you’ and introduced the following diagrams to explain current state and target state (post deployment of Volunteered Personal Information (VPI) tech and standards).

The key terms that require explanation are:

My Data – is the data that is undeniably within, and only within, the  domain of an individual. It’s defining characteristic is that it has demonstrably not been made available to any other party under a signed, binding agreement. This space has been increasingly encroached upon by technology and organisations in recent history (e.g. behavioural tracking tools like Phorm) and this encroachment will continue. Indeed a general comment can be made that ‘my data’ equates to privacy in the context of personal data; so the rise of the surveillance society and state is a direct assault on ‘My Data’. Management of ‘My Data’ can be run by the individual themselves, or outsourced to a ‘fourth party service’.

Your Data – is the data that is undeniably within the domain of an organisation; either private, public or third sector. Proxy views of this data may exist elsewhere but are only that. This data would include, for example, the organisations own master records of their product/ service range, their pricing, their costs, their sales outlets and channels. Customer-facing views of much of Your Data is made available for reproduction in the ‘Our Data’ intersect.

Our Data – is the data that is jointly accessible to both buyer and seller/ service provider, and also potentially to any other parties to an interaction, transaction or relationship. It is the data that is generated through engaging in interactions and transactions in and around a customer/ supplier relationship. Despite being ‘our’ data, it is probably technically owned, or at least provided under terms of service designed by the seller/ service provider; in practical terms this also means that the seller/ service provider dictates the formats in which this data exists/ is made available.

Their Data – is the data built/ owned/ sold by third party data aggregators, e.g. credit bureaux, marketing data providers in all their forms. It’s defining characteristic is that it is only available/ accessible by buying/ licensing it from the owner.

Everybody’s Data – is the public domain data, typically developed/ run by large, public sector(ish) entities including local government (electoral roll), Post Offices (postal address files), mapping bureau (GIS). Typically this data is accessible under contract, but the barriers to accessing these contracts are set low – although often not low enough that an individual can engage with them easily.

The Basic Identifier Set/ Bit in the Middle – this is the core personal identity data which, like it or not, exists largely in the public domain – most typically (but not exclusively) as a result of electoral rolls being made available publicly, and specifically to service providers who wish to build things from them. This characteristic is that which enables the whole personal eco-system and its impact on data privacy to exist, with the individual as the un-knowing ‘point of integration’ for data about them.

The ovals in the venn diagram represent the static state, i.e. where does data live at a point in time. The flow arrows show where data flows to and from in this eco-system; I use red to signify data flowing under terms and conditions NOT controlled by the individual data subject.

Flow 1 (My Data to Your Data, and My Data to Our Data) – Individuals provide data to organisations under terms and conditions set by the organisation, the individual being offered a ‘take it or leave it’ set of options. Some granularity is often offered around choices for onward data sharing and use, i.e. the ‘tick boxes’ we all know and which are one of the main bitsof legacy CRM that VRM will fix.

Flow 2 (Your Data to Your Data, including Our Data) – Organisations share data with other organisations, usually through a back-channel, i.e. the details of the sharing relationship are typically not known to the data subject.

Flow 3 (Your Data, including Our Data to Their Data) – Organisations share data with a specific type of other organisation, data aggregators, under terms and conditions that enable onward sale. Typically the sharer is paid for this data/ has a stake in the re-sale value.

Flow 4 (Everybody’s Data to Their Data) – Data Aggregators use public domain data sources to initiate and extend their commercial data assets.

The target state is shown below, a different scenario altogether – and one which I believe will unfold incrementally over the next ten years or so…..data attribute by data attribute, customer/ supplier management process by customer/ supplier management process, industry sector by industry sector. In this scenario, the individual and ‘My Data’ becomes the dominant source of many valuable data types (e.g. buying intentions, verified changes of circumstance), and in doing so eliminates vast amounts of guesswork and waste from existing customer/ citizen managment processes.

The key new capabilities required to enable this to happen are those being worked on in the User Driven and Volunteered Personal Information work groups at Kantara (one tech group, one policy/ commerce one), and elsewhere within and around Project VRM. The new capabilities will consist of:

- personal data store(s), both operational and analytical

- data and technical standards around the sharing of volunteered personal information

- volunteered personal information sharing agreements (i.e. contracts driven by the individual perspective, creative commons-like icons for VPI sharing scenarios)

- audit and compliance mechanics

Around those capabilities, we will need to build a compelling story that clearly articulates, in a shared lexicon (thanks to Craig Burton for reminding us of the importance of this – watch this space), the benefits of the approach – for both individuals and organisations.

The target state that will emerge once these capabilities begin to impact will include the 4 additional individual-driven information flows over and above the current ones. The defining characteristic of these new flows is that the can only be initiated by the data subject themselves, and most will only occur when the receiving entity has ’signed’ the terms and conditions asserted by the individual/ data subject. The new flows are:

Flow 5 (My Data to Your Data (inc Our Data) – Individuals will share more high value, volunteered information with their existing and potential suppliers, eliminating guesswork and waste from many customer management processes. In turn, organisations will share their own expertise/ data with individuals, adding value to the relationship.

Flow 6 (Everybody’s Data to My Data) – With their new, more sophisticated personal information management tools, individuals will be able to take direct feeds from public domain sources for use on their own mashups and applications (e.g. crime maps covering where I live/ travel)

Flow 7 (My Data to (someone else’s) My Data) – An enhanced version of ‘peer to peer’ information sharing.

Flow 8 (My Data to Their Data) – The (currently) unlikely concept of the individual making their volunteered information available to/ through the data aggregators. Indeed we are already starting to see the plumbing for this new flow being put in place with the launch of the Acxiom Identity Card.

The implications of the above are enormous, my projection being that over time some 80% of customer management processes will be driven from ‘My Data’. I’m pretty confident about that, a) because we are already see-ing the beginning of the change in the current rush for ‘user generated content’ (VPI without the contract), and b) because the economics will stack up. Organisation need data to run their operations – they don’t really mind where it comes from. So, if a new source emerges that is richer, deeper, more accurate, less toxic – and all at lower cost than existing sources; then organisations will use this source.

It won’t happen overnight obviously; as mentioned above specific tools, processes and commercial approaches need to emerge before this information begins to flow – and even then the shift will be slow but steady, probably beginning with Buying Intention data as it is the most obvious entry point with enough impact to trigger the change. That said, the Mydex social enterprise already has a working proof of concept up and running showing much of the above working. A technical write up of the proof of concept build can be found here. And the market implications of this are explored in more detail in new research on the market value of VPI shortly to be published by Alan Mitchell at Ctrl-Shift.

The two hour session at the VRM workshop was barely enough to scratch the surface of the above issues, so the plan is to continue the dialogue and begin specifying the capabilities required in detail in the User Driven and Volunteered Personal Information (technology) workgroup at The Kantara Initiative. The workgroup charter can be found here. A parallel workgroup focused on business and policy aspects will also be launched in the next few weeks. Anyone wishing to get involved in the workgroup can sign up to the mailing list here and we’ll get started with the work in the next couple of weeks.

Coverage continued to focus on the launch of Kantara Initiative, including a well attended journalist roundtable hosted by our Japan Discussion Group in Tokyo. It also includes a reference to a SlideShare version of Wednesday’s webcast overviewing Kantara Initiative–good viewing for those who missed it or want to pass on to others a succinct overview of the Kanatara Initiative. The core of the content is about 35 min with another 20 minutes of Q&A at the end.

1. Federal Computer Week 6/22
New organization to address interoperability between social media, ID management

2. Network World – 6/23
A look at the Kantara Initiative

3. Internet Business Law – 6/23
Internet Society Helps Lead New Global Identity Initiative

4. eGov Victoria – 6/25
New organization to address interoperability between social media, ID management

5. Econtent Magazine – 6/25
Kantara Initiative Launched

6. ZDNet Japan – 6/23
IDの相互運用の実現がゴール、Kantara Initiativeが方針説明

7. @IT Japan – 6/26
OpenIDでの反省から二院制採用、カンターラが目指すもの

8. IT Media Japan – 6/23
IDの相互運用の実現がゴール、Kantara Initiativeが方針説明

9. MIS Asia – 6/22
The Kantara Initiative is a not-for-profit organisation set up to bridge the web identity initiatives

10. Document Management – 6/22
Kantara Initiative Reshapes Global Identity Landscape Based

11. iT Home Taiwan – 6/18
Kantara Initiative的架構包含推動新的身份認證技術及政策

12. BLOG – Calsoft Blog – 6/26
Oracle is no longer just a player

13. BLOG – RSA Kantara Initaitive Blog – 6/26
The Personal Data Eco-System

14. BLOG – Turtle Annex – 6/23
Kantara Initiative、日本組織を発足

15. BLOG – Right Side Up Iain Henderson – 6/18
The Personal Data Eco-System

16. BLOG – RSA Kantara Initaitive Blog, Matthew Gardiner – 6/18
Why CA Supports the Kantara Initiative

17. BLOG/SOCIAL MEDIA – Kantara Initiative @ Twitter – W/E 6/26
Kantara Initiative Tweets via the comm team

18. BLOG/SOCIAL MEDIA – Kantara Initiative Mentions @ Twitter – W/E 6/26
Kantara Initiative Community Tweets
Kantara Initiative #Kantara

19. BLOG/SOCIAL MEDIA – Slideshare – w/e 6/26
Kantara Iniative Launch Overview

20. BLOG/SOCIAL MEDIA – Kantara Initiative on YouTube – W/E 6/26
http://www.youtube.com/user/KantaraInitiative

Kantara Initiative officially launched last week, with strong global interest in our membership and the work planned. The press and analyst communities saw value in Kantara Initaitive’s focus on solving the harmonization and interoperability challenges that currently exist among identity-enabled enterprise, Web 2.0 and Web-based applications and services. Reminder that there is a webcast to overview the organization on Wednesday, June 24–please join!

And here is your coverage summary:

1. Ovum – 6/19
Kantara Initiative for Internet identity launched – but who cares?

2. Network World – 6/17
Intel, Oracle, PayPal back ID technology interop group

3. InfoWorld – 6/17
Intel, Oracle, PayPal back ID technology interop group

4. PC World – 6/17
Intel, Oracle, PayPal Back ID Technology Interop Group

5. DigitalIDNews - ‎6/17
Kantara Initiative officially launches

6. Silicon.com – 6/18
BT, Intel, Sun team up over identity

7. Finextra– 6/19
Online ID interoperability initiative launched

8. SecureIDNews – 6/17
Kantara Initiative officially launches

9. Help Net Security – 6/17
Kantara Initiative Reshapes Global Identity Landscape

10. RedOrbit – 6/17
Kantara Initiative Reshapes Global Identity Landscape Based on Industry-Wide Collaboration, Announces Initial Focus Areas

11. ZDNet – 6/18
Tech giants back ID interoperability project

12. Computerworld – 6/17
Intel, Oracle, PayPal back ID technology interop group

13. Public Technology Net – 6/20
BT, Intel, Sun team up over identity

14. Telecompaper – 6/20
Kantara web identity harmonisation initiative launches

15. IT World – 6/17
Intel, Oracle, PayPal back ID technology interop group

16. The Industry Standard – 6/17
Intel, Oracle, PayPal back ID technology interop group

17. ZDNet Asia – 6/17
Tech giants back ID interoperability project

18. CIO – 6/17
Intel, Oracle, PayPal back ID technology interop group

19. The Paypers – 6/19
Kantara Initiative: global ID interoperability project launched

20. Computerworld Australia – ‎6/17
Intel, Oracle, PayPal back ID technology interop group

21.Computerworld UK – 6/17
BT, PayPal, Intel back unified online IDs

22.Australian Techworld - ‎6/17
Intel, Oracle, PayPal back ID technology interop group

23. PC World Magazine - ‎6/17
Intel, Oracle, PayPal back ID technology interop group

‎24. ARNnet – 6/17
Intel, Oracle, PayPal back ID technology interop group

25. San Francisco Chronicle – ‎6/17
Intel, Oracle, PayPal back ID technology interop group

26. Government Computer News – 6/17
Kantara Initiative aims to bring harmony, interoperability to ID

27. PC World Norway – 6/17
Intel, Oracle, PayPal back ID technology interop group

28. IDG Spain – 6/18
Nace una nueva iniciativa de interoperatividad ID con el apoyo de…

29. CIO Spain – 6/18
Nace una nueva iniciativa de interoperatividad ID con el apoyo de los grandes de la

30. @IT Japan – 6/18
OpenIDもSAMLも一緒に議論、新団体「Kantara」発足

31. China Bite.com – 6/18
ID认证互用性组织创立 英特尔等40家巨头力挺

32. CNET China – 6/18
ID认证互用性组织创立 英特尔等40家巨头力挺

33. Network World Italy – 6/17
Un’alleanza per l’interoperabilità delle tecnologie ID

34. PC Advisor – 6/18
BT, PayPal & Intel back unified online IDs

35. Yahoo News Germany – 6/18
Basis branchenweiter Zusammenarbeit neu und verkündet anfängliche Schwerp

36. LeMondeInfomatique, France – 6/18
40 grands de l’IT travailleront à l’interopérabilité des gestions …

37. Distributique, France – 6/19
40 grands de l’IT travailleront à l’interopérabilité des gestions …

38. Globe and Mail – 6/11
Biometrics industry raises alarm over misuse of data

39. BLOG: Dave Kearns’ IdM Newsletter – 6/19
Kantara Initiative for Internet identity launched – but who cares?

40. BLOG: Dave Kearns’ IdM Newsletter – 6/19
Why CA Supports the Kantara Initiative

41. BLOG: JISC Access Management Team – 6/18
Waving the Standard

42.BLOG: Future Identity – 6/18
Kantara Initiative Formally Launched

43.BLOG – Discovering Identity – 6/18
Kantara Initiative – Fostering Interoperable

44.BLOG – Internet Society Publications – ISOC Monthly Newsletter 6/17
Internet Society Helps Lead New Global Identity Initiative

45.BLOG – Matthew Gardiner – 6/18
Why CA Supports the Kantara Initiative

46.BLOG/SOCIAL MEDIA – Kantara Initiative @ Twitter – W/E 6/19
Kantara Initiative Tweets via the comm team

47.BLOG/SOCIAL MEDIA – Kantara Initiative Mentions @ Twitter – W/E 6/19
Kantara Initiative Community Tweets
Kantara Initiative #Kantara

48.BLOG/SOCIAL MEDIA – Kantara Initiative on YouTube – W/E 6/19

Posted on June 18, 2009

I promised some more notes from the recent LSE workshop I attended on Identity in the Information Society (IDIS), and have finally got around to it.

The opening keynote of the workshop was given by Prof. Kevin Bowyer, chair of the Dept of Computer Science and Engineering at Notre Dame University, who spoke on the topic “When Accepted Truth About Iris Biometrics Turns Out To Be False”.

One of the accepted truths he examined was that iris biometrics remain constant over the life of the subject. While he didn’t cite this article specifically, it’s a good example of how the accepted truth becomes established:

“Iris scanning is the most reliable of the three biometric technologies the UK government is considering. The iris is the most distinctive part of the human body, and does not alter with age.”
[...]

“Cons:

It is possible to fool iris scanners with artificial irises made by printing monochrome patterns on to paper.”

(Maija Pesola, FT article, June 27th 2005 – quoted by International Biometric Group)

This article, though now somewhat old, reveals a couple of closely-related flaws in such a position. First, fooling the scanner with a ‘monochrome printed iris’ would not work with the industry-standard devices, as these now use “near-infrared” imaging, not visible-light imaging. This passes straight through the surface layer of the iris – which is where the visible, melanin-based coloration is found – and instead records the surface texture of the underlying iris tissue.

What they see, therefore, is not the same as what you would get if you simply printed a picture of your iris… and then, of course, you would have to address the problem of how to interpose it between your eye and the scanner without this being obvious at authentication time.

Second, there’s the claim that the iris is ‘the most reliable biometric because it doesn’t change over time’. As a professional researcher in this field, Prof Bowyer took exception to this claim on the grounds that there is no relevant body of evidence to support it. It comes back to the use of near-infrared imaging. This has only been around for about 5 years… so there is simply no archive of near-infrared iris images to indicate whether or not the underlying tissue structure is indeed life-long. In fact, Prof Bowyer’s initial research indicates that the tissue structure does indeed change over time – though he qualified this finding on grounds of small sample size and short timescale.

Sure, you can look at archives of facial portraits and see whether the visible iris coloration changes over the life of the subject, but you’re not then looking at the characteristic on which iris authentication is based. In other words, this assertion of life-long reliability is currently founded not on a basis of research evidence, but on an assumption that surface melanin coloration and underlying tissue structure are intimately and causally related.

All this may or may not affect the UK’s plans for national biometrics databases. Back in December 2006, the National Identity Scheme plans were amended to drop iris biometrics – though at the time, the stated justifications for that were not to do with reliability. Instead, they were based on a combination of (i) cost reduction arguments and (ii) the standard ploy of claiming “international obligations“.

This last phrase is a rather shabby shorthand for “we’re claiming that we have to do this because the International Civil Aviation Organization, ICAO, says we must. We’re sliding past the fact that ICAO is an international regulatory consortium which recommends what its members say it should recommend, not a global authority which can force a nation state to do something it doesn’t want to do…”.

There are 190 member states in the ICAO consortium. According to this Wikipedia list, at least 129 of them do not have biometric passports, and of those which do, several use only a facial biometric. In the UK, the ICAO card is still being played in order to support the capture of fingerprint and facial biometrics.

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Posted June 18, 2009

There’s a nice, succinct article in the FT today (also available online here) reading the runes on the Home Office’s contractual arrangements for parts of the ID Cards scheme. At the heart of the story is the issue that contractual timescales and the policy-making calendar don’t always align very tidily, particularly when a general election has to be factored in within the next 350 days.

As the FT article notes:

“The Home Office has already signed four contracts in the ID programme: a pilot scheme run by Thales; a passport and ID card application system being developed by US-based CSC; an IBM contract to build a database to store fingerprint and facial biometrics; and a De La Rue contract to produce biometric passports.

These, however, could be left largely untouched by the Tories, because much of the technology would be needed to introduce biometric passports, which the party supports.”

So the current ID Card implementation policy may indeed have been ‘kicked into the long grass’ for the time being… but when the next election rolls around, I suspect the public will be looking much more closely than they did last time at any manifesto commitments relating to national-scale databases of identity data, facial/fingerprint/iris biometrics, DNA and the like.

PS – I should also include a link to this article in today’s Guardian, partly because it raises very lucid points about the future of a database state, and partly to note that any similarity between their opening paragraphs and my blog post of Monday 15th are doubtless entirely co-incidental :^)

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Representatives from Internet Society and Oracle elected to leadership positions as growing membership base works to bridge identity technologies, initiatives and organizations

 

Washington DC, June 17, 2009 – Nearly 45 organizations from the global identity and Internet communities today announced the launch of Kantara Initiative, a new organization formed to solve the harmonization and interoperability challenges that currently exist among identity-enabled enterprise, Web 2.0 and Web-based applications and services. Kantara Initiative has been founded to collaboratively foster the innovation required for broad adoption of interoperable identity-enabled solutions across industries, regions and fixed and mobile networks. As of today’s launch, nearly 20 initial work and discussion groups have been proposed by the growing Kantara Initiative community. Kantara Initiative will hold a public webcast to overview the new organization on Wednesday, June, 24 at 8:00am US PT (3:00pm UTC).

 

The launch of Kantara Initiative comes after a year of strategic planning involving stakeholders representing the entire identity ecosystem. This planning focused on how to best move the industry forward as the enterprise identity landscape continues to evolve and use of social networking and Web 2.0 applications rapidly proliferates, with growing interaction between these three markets driving new use cases and identity requirements. With zero barriers to participation and founding principles based on transparency, inclusion, empowerment, innovation, collaboration and openness, members of the community are leveraging the successes and experiences of each other to drive holistic, interoperable and trusted identity solutions into the global marketplace.

 

“The identity product and service market grows more complex every month, and as the market gets more moving parts, there are more and more requirements for all those parts to work together. The parts aren’t going to work together unless the part makers work together – and that’s why today’s announcement is important,” said Bob Blakley, principal analyst, The Burton Group. “The Kantara Initiative is helping to bridge identity initiatives and organizations, which can help set the stage for better collaboration in the global identity sector.”

 

Board of Trustees and Leadership Council – Fostering Innovation and Collaboration Based on a Bicameral Governance Model

 

The Kantara Initiative has been established based on a bicameral governance model where the Board of Trustees and Leadership Council work hand-in-hand as peers in steering the direction of the organization. The bicameral model ensures that all members and participants can have a voice within Kantara Initiative.

 

With today’s news, Roger Sullivan, vice president Oracle Identity Management, has been elected president of the 2009 Kantara Initiative Board of Trustees and J. Trent Adams, outreach specialist, trust & identity, Internet Society, has been elected chair of the Leadership Council. Initial Board of Trustee members include AOL, BT, CA, Intel, Internet Society, Fidelity Investments, Novell, NRI, NTT, Oracle, PayPal and Sun Microsystems. Representatives from Intel and the New Zealand government have Leadership Council seats on the Board of Trustees.

 

According to Sullivan, “The problems the global identity industry faces today are not just about technology, but rather a combination of business policy and privacy requirements, balanced against interoperability, usability, as well as technology harmonization. All of these issues need to be addressed for identity-enabled solutions to succeed and for deployers to leverage their benefits. Kantara Initiative is uniquely positioned to address these needs.”

 

A Holistic View – Technology, Policy and Proven Interoperability

 

The Kantara Initiative structure has been designed to foster the development of new identity-related technology and policy initiatives from initial proof-of-concept and incubation, to go-to-market and long-term adoption strategies. Existing projects moving into Kantara Initiative will benefit from additional community input which will include identifying new use cases, support for adding functionality, and opportunities for proving interoperability with other projects, initiatives and technologies.

 

All output from Kantara Initiative will be based on open standards with the goal of ensuring end user convenience, security and privacy. A commitment to open standards means the Kantara Initiative community will collaborate on projects that make use of all of the identity frameworks, protocols and specifications in the marketplace today. This means solutions could be built based on one or a combination of several IAF, ID-WSF, IGF, Information Card, OAuth, OpenID

SAML 2.0, WS-*, XACML and XDI standards.

 

Focus Spanning Identity Initiatives – Nearly 20 Work and Discussion Groups in Progress Today

 

The Kantara Initiative name, which is Swahili for “bridge” and has Arabic roots in “harmony,” was announced at the April 2009 RSA Conference and since then members of the identity community have proposed nearly 20 initial work and discussion groups. All groups are open to every Kantara Initiative member as well as to the public, and anyone can suggest a new group to the Leadership Council at any time. Groups are formed by members and participants to address common issues and problems related to specific industries.

 

Proposed groups, which are being approved on an ongoing basis by the Leadership Council, include Concordia Use Cases, eGovernment, Federated Identity Model Agreement & Commentary (FIMAC), Health Identity and Assurance, Identity Assurance and Accreditation, Identity Provider Selection, Identity Theft Prevention, ID-WSF Evolution (OAuth Extensions), Japan, Multi-Protocol Identity Selector, Multi-Protocol Relying Party Deployment, Privacy and Public Policy, Telecommunications Identity, User Driven Information Technology and Volunteered Personal Information (VPI). A list of all of the groups in progress is available at http://kantarainitiative.org/wordpress/?page_id=6 

 

“It’s clear that Kantara Initiative brings together the right mix of collaborators to help shepherd the next generation of identity solutions. Specifically, our goal is to facilitate the development of solutions that are interoperable, secure and privacy-respecting.  And importantly, the work is being done in an open and transparent fashion,” said Adams. “Collaboration between identity communities and initiatives within Kantara Initiative will lead to more trusted identity-enabled applications and services. This fits squarely into the Internet Society vision of an Internet Ecosystem where the continued development and adoption of Internet technologies includes a broad range of participants with dispersed ownership and control.”

 

About Kantara Initiative

Kantara Initiative has been formed by Concordia Project, DataPortablity Project, Information Card Foundation, Internet Society, Liberty Alliance, OpenLiberty.org and XDI.org. The Kantara Initiative membership structure is unique in that it has been organized to ensure that there are zero barriers to participation. Membership levels allow for maximum industry-wide participation and include Participant, Member and Trustee categories, which individuals and organizations join depending on the size of the organization and type of desired participation. The Kantara Initiative membership structure, levels, fees and governance model are outlined at http://kantarainitiative.org/wordpress/?page_id=8 . A complete membership and chair list is available at http://kantarainitiative.org/confluence/display/GI/Current+Members.

 

About the June 24 Kantara Initiative Public Webcast

Hosted by Brett McDowell, executive director, Kantara Initiative, Roger Sullivan and J.Trent Adams, the public webcast, Kantara Initiative, Shaping the Future of Digital Identity, takes place on Wednesday, June, 24 at 8:00am US PT. The one-hour event will provide participants with an overview of Kantara Initiative including a review of goals, structure and opportunities for all members of the global identity community to participate in the organization. Registration and more information is available at http://tinyurl.com/nsw3n5

 

Follow Kantara Initiative (#Kantara) on Twitter:

http://twitter.com/KantaraNews

 

Follow Kantara Initiative on YouTube:

http://www.youtube.com/user/KantaraInitiative

 

Follow Kantara Initiative on Flickr:

http://www.flickr.com/photos/kantarainitiative/

 

Follow Kantara Initiative on SlideShare:

http://www.slideshare.net/kantarainitiative

 

Follow the Kantara Initiative Blog:

http://kantarainitiative.org/wordpress/?page_id=29

 

 

###

 

CONTACT:

 

Russ DeVeau

Kantara Initiative

www.kantarainitiative.org

Mobile: 908-251-1549

Office – 954-530-2850

russd@projectliberty.org

russdeveau@comcast.net