
Blogs and Tweets from the 2009 IDDY Awards Judging Panel

Kantara Initiative announced the judging panel for the 2009 Identity Deployment of the Year Awards yesterday. This year’s judging panel consists of an impressive group of respected identity experts from around the world, each with deep experience in the technology, business and policy aspects of digital identity management. These are important industry credentials as the IDDY program expands within Kantara Initiative to include nominations that can be based on any open identity technology and as the identity industry moves to embrace a “multi-protocol world” where harmonization and interoperability play a critical role.

The call for nominations for the 2009 IDDY Award ends on Monday August 3. Judges will begin reviewing deployment and proof-of-concept submissions on August 4, with winners receiving the IDDY on stage at DIDW in Las Vegas on September 15. Check out blog posts and tweets by the judging panel to see some of the insight this team is bringing to the 2009 IDDY Awards program. With new categories, more options for submissions and some of the best-of-the-best in the identity industry on the judging panel, this year’s IDDY Awards program promises to uncover some of the most exciting identity-enabled applications in the global marketplace today.

J. Trent Adams, trust & identity outreach specialist, Internet Society and chair of the Kantara Initiative Leadership Council — Twitter: @jtrentadams

Mike Beach, CISSP, chief security designer, information security, The Boeing Company

Bob Bragdon, Publisher, CSO Magazine

John Fontana, senior editor, Network World — Twitter: @JohnFontana

Gerry Gebel, VP & service director, identity and privacy strategies, Burton Group — Twitter: @ggebel

Paul Madsen, chair of the Kantara Initiative ID-WSF Evolution Work Group and identity standards researcher, NTT — Twitter: @paulmadsen

RL Bob Morgan, senior technology architect, University of Washington

Nat Sakimura, senior researcher, Nomura Research Institute (NRI) — Twitter: @_nat

Toby Stevens, director, Enterprise Privacy Group — Twitter: @tobystevens

Roger Sullivan, president of the Kantara Initiative Board of Trustees, president of Liberty Alliance and vice president Oracle Identity Management

Phil Windley, founder and chief technology officer, Kynetx — Twitter: @windley

More information about the 2009 IDDY Awards – including nomination forms and a picture of the IDDY – is available at: http://kantarainitiative.org/confluence/display/GI/IDDY+Awards+2009


Eve Maler Blogs: Consumerizing IT at Catalyst

http://www.xmlgrrl.com/blog/archives/2009/07/14/consumerizing-it-at-catalyst/

The Burton Catalyst conference being held in San Diego in a couple of weeks is one of those don’t-miss events. If you’re going (I said it was don’t-miss, didn’t I?), you’ll want to get into town in time for the free Project Concordia workshop being held on the Monday. Our theme is Use Cases Driving Identity in Enterprise 2.0: The Consumerization of IT. This link gives you the agenda and instructions on how to register — it’s not too late.

We Concordians are excited to have Mike Gotta and Alice Wang of Burton Group on hand on Monday to present Relationships and Identity: Two Sides of the Social Networking Coin. We’ll also deep-dive on authorization standards progress and the evergreen “levels of assurance” topic (see the Concordia mailing list for huge volumes of discussion on it). And we’ll even review some potential ProtectServe use cases.

The workshop also makes a great companion to the Cloud SSO Interop Demo being run later in the week, in which Sun is participating. And come visit me and my colleagues at the Sun hospitality suite on Wednesday night! I hear our own Smoking Monkey might be decked out in special attire…


An accurate (non-biometric) picture

Posted on 10th July 2009

At last, there’s an article which thoroughly exposes some of the nonsense which has been talked about ICAO (International Civil Aviation Organisation) ‘requirements’ and biometric passports. It’s by John Lettice, writing in The Register, and was rightly tagged as “UK ID article of the week” by the folks at Privacy International.

While John’s primary purpose was to compare the stated policies of the 3 main UK political parties on ID cards and the National Identity Register, in doing so he offers a lucid and compelling analysis of the difference between what ICAO requirements for travel documents are intended to achieve, what they actually mean for the UK, and what we have been being told about them.

The reason this is worth drawing attention to (and the reason it exercises me so much) is that for several years now, UK policy statements have been made which go roughly like this:

“We understand (but don’t necessarily care) that proposals for the capture and storage of citizen biometrics excite distrust and concern, but our hands are tied… we’re just doing what ICAO requires”.

Rather than try to re-hash John’s excellent analysis, I will simply recommend that you read the article.


IP@ = PII v ¬PII?

Apologies for the rather opaque title of this post. In its expanded form, it would read something like this: “IP addresses: are they personally identifiable information within the meaning of the law, or not?”… but that would be a bit long.

The question is prompted by the latest legal ruling on the subject, this time from a US federal judge in Seattle, issuing a written decision in a class-action case between consumers and Microsoft. The judge ruled that they are not: IP addresses identify computers, not people, he concluded, and therefore do not constitute personally identifiable information.

I think there’s a technical and a pragmatic side to any discussion of this conclusion. Technically, the argument could well rumble on; after all, if I tell you the IP address “192.168.1.1”, does that identify anything, let alone a person versus a computer? It is probably recognisable as the default starting point for the IP address range behind the average domestic firewall/router. So, the address “192.168.1.1” doesn’t uniquely identify any computer… but then again, the address the firewall/router exposes to the ISP doesn’t uniquely identify any of the computers it shields, either… so on examination, the judge’s argument doesn’t stand up – as presented, at least.

Does the pragmatic approach fare any better? Well, in some jurisdictions the argument has already moved on. In some EU member states, the current position is closer to this: IP addresses constitute personally identifiable information if the entity processing them can reasonably be considered to have access to data, linkable to the IP address, which would identify an individual. That makes a certain amount of sense, in that ISPs, for instance, need to establish enough of a link between an IP address and an individual to send them a bill. On the other hand, it doesn’t prove that the person responsible for paying the bill has anything to do with the internet traffic terminating at that IP address (for instance, I might pay for my child’s broadband subscription while they are at college). As a little experiment, try visiting Dave Birch’s blog, here. While you’re there, incidentally – check out the content; it’s excellent. Then have a look in the right-hand margin, and see how close Feedjit gets to personally identifying you. In my case, it gets as far as the neighbouring town – about 5 miles away – and therefore lumps me in with a population of over 60,000 people.

In the sense of “IP addresses being sufficient to uniquely identify an individual”, then, the pragmatic approach doesn’t look too healthy either. However, where I think it scores is in its ability, potentially, to make the decision conditional on other factors – such as, in this case, how much other data the IP address can be linked to by any given party who sees it. After all, it’s reasonable to assume that the ISP, in this case, can more easily work out who a given IP address is assigned to than could the man on the proverbial No.38 bus (Victoria to Clapton, via Piccadilly and Angel, incidentally).

In other words, if you are the data controller for both the IP address and the billing data, you would do well to behave as though the IP address was PII. That seems reasonable enough. In some cases, it may mean being able to prove that you have taken steps to prevent one from being linked with the other. That seems reasonable enough, too.

Looking a little further down the line, though, the pragmatic approach will run into some interesting obstacles. The same logic, after all, will mean that in some circumstances the words “Yes” and “No” will need to be treated as personally identifiable information. For example, suppose you are in a position to link the following pieces of data:

  • Individual (subscriber, patient, etc)
  • Question (Is this individual over 18?)
  • Answer (Yes/No).

Good practice (read Dave Birch’s piece on Psychic ID for a great example) is to reduce disclosures of personal attributes to Yes/No answers to closed questions… and that’s both a laudable ambition and a good design objective. It won’t solve the “what is PII?” riddle, though.


Call for Nominations for the 2009 IDDY Awards Now Open

Kantara Initiative expands the Liberty Alliance Identity Deployment of the Year Award program, announces new categories and judging criteria

June 30, 2009 – Kantara Initiative, the global identity community working to solve harmonization and interoperability challenges among identity-enabled enterprise, Web 2.0 and Web-based applications and services, today announced the call for nominations for the 2009 IDDY Awards. This year’s IDDY Award (IDentity Deployment of the Year) program features deployment and proof-of-concept categories and has been expanded within Kantara Initiative to recognize identity-enabled applications and services built using any open identity technology. The call for nominations will close on August 3, with awards presented on September 15 at CSO magazine’s Digital ID World 2009 in Las Vegas, NV.

The IDDY Awards shine a spotlight on the individuals and organizations responsible for building and deploying identity-enabled applications for people, communities, businesses and governments. The 2009 Deployment category recognizes applications that are in use today. The Proof-of-Concept category highlights working proof-of-concept applications. Nominations for both categories can be based on, or include, any identity technology such as Activity Streams, APML, CX, IGF, ID-WSF, iNames, Information Cards, MicroFormats, OATH, OAuth, OpenID, OpenSocial, OPML, PKI, Portable Contacts, RDF, RSS, SAML, WS*, XACML, XDI, XRD, XRI, XMPP extensions, etc.

“Now in its fourth year, the IDDY Awards program continues to evolve to reflect the changing digital identity landscape. The 2009 program provides individuals and organizations working across the identity ecosystem with new opportunities to join the growing list of IDDY Award recipients,” said Brett McDowell, executive director of Kantara Initiative. “With the expanded scope of technologies being considered, we’re excited about the variety of new applications and services helping to advance the next generation of digital identity solutions that this year’s program promises to highlight.”

About the IDDY Awards
The annual IDDY Awards program was launched by Liberty Alliance in 2006 to recognize excellence in digital identity management. The 2009 program has been expanded to reflect the Kantara Initiative mission of fostering cross-protocol harmonization and interoperability. Previous winners of the IDDY Award include Aetna; Citi; Deutsche Telekom AG; eBIZ.mobility; EduTech, for the New York State educational agencies; NTT Labs; Rearden Commerce; the UK Government Authentication Gateway; UNINETT and the New Zealand Government. Nomination forms and more information about this year’s program are available at http://kantarainitiative.org/confluence/display/GI/IDDY+Awards+2009.


Iain Henderson – The Personal Data Eco-System

http://www.rightsideup.net/?p=273

This post is a short(ish) summary of a working session led by Drummond Reed and me at the recent West Coast VRM Workshop, and also an introduction to the Kantara workgroup in which we are going to move this debate forward. It is also part of the thinking that will shortly emerge in a Mydex white paper.

At the VRM workshop, we discussed the need for the concept of the Personal Data Store, what it would do in practice, and what that will ultimately enable.

Why we need such things – because individuals have a complex need to manage personal information over a lifetime, and the tools they have at their disposal today to do so are inadequate. Existing tools include the brain (which is good but does not have enough RAM, onboard storage, or an ethernet socket……thankfully), stand alone data stores (paper, spreadsheets, phones, which are good but not connected in secure ways that enable user-driven data aggregation and sharing), and supplier based data stores (which can be tactically good but are run under the supplier provided terms and conditions). NB Our current perception of ‘personal data stores’ is shaped by the good ones that are out there (e.g. my online bank, my online health vault); what we need is all of that functionality, and more – but working FOR ME.

What they will do/ enable – the term Personal Data Store is not an ideal term to describe a complex set of functions, but it is what it is until we get a better one (the analogy I’d use in more ways than one is the term ‘data warehouse’ – again a simplistic term that masks a lot of complex activity). A Personal Data Store can take two basic forms:

Operational Data Stores – that get things done, and only need store sufficient breadth and depth of data to fulfill the operation they are built for (e.g. pay a credit card bill, book a doctor’s appointment, order my groceries).

Analytical Data Stores – that underpin and enable decision making, and which typically need a more tightly defined, but much deeper data-set that includes data from a range of aspects of life rather than just that from one specific operation (e.g. plan a home move, buy a car, organise an overseas trip).

A sub-set of the individual’s overall data requirement will lie in both of the above, this being the data that then integrates decision-making and doing.

In both cases, the functionality required is to source, gather, manage, enhance and selectively disclose data (to presentation layers, interfaces or applications).

We also discussed ‘who has what data on you’ and introduced the following diagrams to explain current state and target state (post deployment of Volunteered Personal Information (VPI) tech and standards).

The key terms that require explanation are:

My Data – is the data that is undeniably within, and only within, the domain of an individual. Its defining characteristic is that it has demonstrably not been made available to any other party under a signed, binding agreement. This space has been increasingly encroached upon by technology and organisations in recent history (e.g. behavioural tracking tools like Phorm) and this encroachment will continue. Indeed a general comment can be made that ‘my data’ equates to privacy in the context of personal data; so the rise of the surveillance society and state is a direct assault on ‘My Data’. Management of ‘My Data’ can be run by the individual themselves, or outsourced to a ‘fourth party service’.

Your Data – is the data that is undeniably within the domain of an organisation; either private, public or third sector. Proxy views of this data may exist elsewhere but are only that. This data would include, for example, the organisation’s own master records of their product/ service range, their pricing, their costs, their sales outlets and channels. Customer-facing views of much of Your Data are made available for reproduction in the ‘Our Data’ intersect.

Our Data – is the data that is jointly accessible to both buyer and seller/ service provider, and also potentially to any other parties to an interaction, transaction or relationship. It is the data that is generated through engaging in interactions and transactions in and around a customer/ supplier relationship. Despite being ‘our’ data, it is probably technically owned, or at least provided under terms of service designed by the seller/ service provider; in practical terms this also means that the seller/ service provider dictates the formats in which this data exists/ is made available.

Their Data – is the data built/ owned/ sold by third party data aggregators, e.g. credit bureaux, marketing data providers in all their forms. Its defining characteristic is that it is only available/ accessible by buying/ licensing it from the owner.

Everybody’s Data – is the public domain data, typically developed/ run by large, public sector(ish) entities including local government (electoral roll), Post Offices (postal address files), mapping bureau (GIS). Typically this data is accessible under contract, but the barriers to accessing these contracts are set low – although often not low enough that an individual can engage with them easily.

The Basic Identifier Set/ Bit in the Middle – this is the core personal identity data which, like it or not, exists largely in the public domain – most typically (but not exclusively) as a result of electoral rolls being made available publicly, and specifically to service providers who wish to build things from them. This characteristic is that which enables the whole personal eco-system and its impact on data privacy to exist, with the individual as the un-knowing ‘point of integration’ for data about them.

Propeller Current State

The ovals in the venn diagram represent the static state, i.e. where does data live at a point in time. The flow arrows show where data flows to and from in this eco-system; I use red to signify data flowing under terms and conditions NOT controlled by the individual data subject.

Flow 1 (My Data to Your Data, and My Data to Our Data) – Individuals provide data to organisations under terms and conditions set by the organisation, the individual being offered a ‘take it or leave it’ set of options. Some granularity is often offered around choices for onward data sharing and use, i.e. the ‘tick boxes’ we all know and which are one of the main bits of legacy CRM that VRM will fix.

Flow 2 (Your Data to Your Data, including Our Data) – Organisations share data with other organisations, usually through a back-channel, i.e. the details of the sharing relationship are typically not known to the data subject.

Flow 3 (Your Data, including Our Data to Their Data) – Organisations share data with a specific type of other organisation, data aggregators, under terms and conditions that enable onward sale. Typically the sharer is paid for this data/ has a stake in the re-sale value.

Flow 4 (Everybody’s Data to Their Data) – Data Aggregators use public domain data sources to initiate and extend their commercial data assets.

The target state is shown below, a different scenario altogether – and one which I believe will unfold incrementally over the next ten years or so…..data attribute by data attribute, customer/ supplier management process by customer/ supplier management process, industry sector by industry sector. In this scenario, the individual and ‘My Data’ becomes the dominant source of many valuable data types (e.g. buying intentions, verified changes of circumstance), and in doing so eliminates vast amounts of guesswork and waste from existing customer/ citizen management processes.

The key new capabilities required to enable this to happen are those being worked on in the User Driven and Volunteered Personal Information work groups at Kantara (one tech group, one policy/ commerce one), and elsewhere within and around Project VRM. The new capabilities will consist of:

- personal data store(s), both operational and analytical

- data and technical standards around the sharing of volunteered personal information

- volunteered personal information sharing agreements (i.e. contracts driven by the individual perspective, creative commons-like icons for VPI sharing scenarios)

- audit and compliance mechanics

Around those capabilities, we will need to build a compelling story that clearly articulates, in a shared lexicon (thanks to Craig Burton for reminding us of the importance of this – watch this space), the benefits of the approach – for both individuals and organisations.

The target state that will emerge once these capabilities begin to impact will include the 4 additional individual-driven information flows over and above the current ones. The defining characteristic of these new flows is that they can only be initiated by the data subject themselves, and most will only occur when the receiving entity has ‘signed’ the terms and conditions asserted by the individual/ data subject. The new flows are:

Flow 5 (My Data to Your Data (inc Our Data)) – Individuals will share more high value, volunteered information with their existing and potential suppliers, eliminating guesswork and waste from many customer management processes. In turn, organisations will share their own expertise/ data with individuals, adding value to the relationship.

Flow 6 (Everybody’s Data to My Data) – With their new, more sophisticated personal information management tools, individuals will be able to take direct feeds from public domain sources for use on their own mashups and applications (e.g. crime maps covering where I live/ travel)

Flow 7 (My Data to (someone else’s) My Data) – An enhanced version of ‘peer to peer’ information sharing.

Flow 8 (My Data to Their Data) – The (currently) unlikely concept of the individual making their volunteered information available to/ through the data aggregators. Indeed we are already starting to see the plumbing for this new flow being put in place with the launch of the Acxiom Identity Card.

Propeller Target State

The implications of the above are enormous, my projection being that over time some 80% of customer management processes will be driven from ‘My Data’. I’m pretty confident about that, a) because we are already seeing the beginning of the change in the current rush for ‘user generated content’ (VPI without the contract), and b) because the economics will stack up. Organisations need data to run their operations – they don’t really mind where it comes from. So, if a new source emerges that is richer, deeper, more accurate, less toxic – and all at lower cost than existing sources; then organisations will use this source.

It won’t happen overnight obviously; as mentioned above specific tools, processes and commercial approaches need to emerge before this information begins to flow – and even then the shift will be slow but steady, probably beginning with Buying Intention data as it is the most obvious entry point with enough impact to trigger the change. That said, the Mydex social enterprise already has a working proof of concept up and running showing much of the above working. A technical write up of the proof of concept build can be found here. And the market implications of this are explored in more detail in new research on the market value of VPI shortly to be published by Alan Mitchell at Ctrl-Shift.

The two hour session at the VRM workshop was barely enough to scratch the surface of the above issues, so the plan is to continue the dialogue and begin specifying the capabilities required in detail in the User Driven and Volunteered Personal Information (technology) workgroup at The Kantara Initiative. The workgroup charter can be found here. A parallel workgroup focused on business and policy aspects will also be launched in the next few weeks. Anyone wishing to get involved in the workgroup can sign up to the mailing list here and we’ll get started with the work in the next couple of weeks.


Kantara Initiative Coverage Round Up for Week of June 21, 2009

Coverage continued to focus on the launch of Kantara Initiative, including a well attended journalist roundtable hosted by our Japan Discussion Group in Tokyo. It also includes a reference to a SlideShare version of Wednesday’s webcast overviewing Kantara Initiative–good viewing for those who missed it or want to pass on to others a succinct overview of the Kantara Initiative. The core of the content is about 35 min with another 20 minutes of Q&A at the end.

1. Federal Computer Week 6/22
New organization to address interoperability between social media, ID management

2. Network World – 6/23
A look at the Kantara Initiative

3. Internet Business Law – 6/23
Internet Society Helps Lead New Global Identity Initiative

4. eGov Victoria – 6/25
New organization to address interoperability between social media, ID management

5. Econtent Magazine – 6/25
Kantara Initiative Launched

6. ZDNet Japan – 6/23
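Achieving ID interoperability is the goal: Kantara Initiative explains its policy

7. @IT Japan – 6/26
Adopting a bicameral structure after lessons learned from OpenID: what Kantara is aiming for

8. IT Media Japan – 6/23
Achieving ID interoperability is the goal: Kantara Initiative explains its policy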

9. MIS Asia – 6/22
The Kantara Initiative is a not-for-profit organisation set up to bridge the web identity initiatives

10. Document Management – 6/22
Kantara Initiative Reshapes Global Identity Landscape Based

11. iT Home Taiwan – 6/18
Kantara Initiative’s framework includes promoting new identity authentication technologies and policies

12. BLOG – Calsoft Blog – 6/26
Oracle is no longer just a player

13. BLOG – RSA Kantara Initiative Blog – 6/26
The Personal Data Eco-System

14. BLOG – Turtle Annex – 6/23
Kantara Initiative launches Japan organization

15. BLOG – Right Side Up Iain Henderson – 6/18
The Personal Data Eco-System

16. BLOG – RSA Kantara Initiative Blog, Matthew Gardiner – 6/18
Why CA Supports the Kantara Initiative

17. BLOG/SOCIAL MEDIA – Kantara Initiative @ Twitter – W/E 6/26
Kantara Initiative Tweets via the comm team

18. BLOG/SOCIAL MEDIA – Kantara Initiative Mentions @ Twitter – W/E 6/26
Kantara Initiative Community Tweets
Kantara Initiative #Kantara

19. BLOG/SOCIAL MEDIA – Slideshare – w/e 6/26
Kantara Initiative Launch Overview

20. BLOG/SOCIAL MEDIA – Kantara Initiative on YouTube – W/E 6/26
http://www.youtube.com/user/KantaraInitiative


Coverage Round Up for Kantara Initiative for Week of June 14, 2009

Kantara Initiative officially launched last week, with strong global interest in our membership and the work planned. The press and analyst communities saw value in Kantara Initiative’s focus on solving the harmonization and interoperability challenges that currently exist among identity-enabled enterprise, Web 2.0 and Web-based applications and services. Reminder that there is a webcast to overview the organization on Wednesday, June 24–please join!

And here is your coverage summary:

1. Ovum – 6/19
Kantara Initiative for Internet identity launched – but who cares?

2. Network World – 6/17
Intel, Oracle, PayPal back ID technology interop group

3. InfoWorld – 6/17
Intel, Oracle, PayPal back ID technology interop group

4. PC World – 6/17
Intel, Oracle, PayPal Back ID Technology Interop Group

5. DigitalIDNews – 6/17
Kantara Initiative officially launches

6. Silicon.com – 6/18
BT, Intel, Sun team up over identity

7. Finextra – 6/19
Online ID interoperability initiative launched

8. SecureIDNews – 6/17
Kantara Initiative officially launches

9. Help Net Security – 6/17
Kantara Initiative Reshapes Global Identity Landscape

10. RedOrbit – 6/17
Kantara Initiative Reshapes Global Identity Landscape Based on Industry-Wide Collaboration, Announces Initial Focus Areas

11. ZDNet – 6/18
Tech giants back ID interoperability project

12. Computerworld – 6/17
Intel, Oracle, PayPal back ID technology interop group

13. Public Technology Net – 6/20
BT, Intel, Sun team up over identity

14. Telecompaper – 6/20
Kantara web identity harmonisation initiative launches

15. IT World – 6/17
Intel, Oracle, PayPal back ID technology interop group

16. The Industry Standard – 6/17
Intel, Oracle, PayPal back ID technology interop group

17. ZDNet Asia – 6/17
Tech giants back ID interoperability project

18. CIO – 6/17
Intel, Oracle, PayPal back ID technology interop group

19. The Paypers – 6/19
Kantara Initiative: global ID interoperability project launched

20. Computerworld Australia – 6/17
Intel, Oracle, PayPal back ID technology interop group

21. Computerworld UK – 6/17
BT, PayPal, Intel back unified online IDs

22. Australian Techworld – 6/17
Intel, Oracle, PayPal back ID technology interop group

23. PC World Magazine – 6/17
Intel, Oracle, PayPal back ID technology interop group

24. ARNnet – 6/17
Intel, Oracle, PayPal back ID technology interop group

25. San Francisco Chronicle – 6/17
Intel, Oracle, PayPal back ID technology interop group

26. Government Computer News – 6/17
Kantara Initiative aims to bring harmony, interoperability to ID

27. PC World Norway – 6/17
Intel, Oracle, PayPal back ID technology interop group

28. IDG Spain – 6/18
A new ID interoperability initiative is born with the backing of…

29. CIO Spain – 6/18
A new ID interoperability initiative is born with the backing of the giants of the

30. @IT Japan – 6/18
OpenID and SAML discussed together: new organization “Kantara” launched

31. China Bite.com – 6/18
ID authentication interoperability organization founded, backed by 40 giants including Intel

32. CNET China – 6/18
ID authentication interoperability organization founded, backed by 40 giants including Intel

33. Network World Italy – 6/17
An alliance for the interoperability of ID technologies

34. PC Advisor – 6/18
BT, PayPal & Intel back unified online IDs

35. Yahoo News Germany – 6/18
Basis branchenweiter Zusammenarbeit neu und verkündet anfängliche Schwerp

36. LeMondeInfomatique, France – 6/18
40 IT giants will work on the interoperability of management …

37. Distributique, France – 6/19
40 IT giants will work on the interoperability of management …

38. Globe and Mail – 6/11
Biometrics industry raises alarm over misuse of data

39. BLOG: Dave Kearns’ IdM Newsletter – 6/19
Kantara Initiative for Internet identity launched – but who cares?

40. BLOG: Dave Kearns’ IdM Newsletter – 6/19
Why CA Supports the Kantara Initiative

41. BLOG: JISC Access Management Team – 6/18
Waving the Standard

42. BLOG: Future Identity – 6/18
Kantara Initiative Formally Launched

43. BLOG – Discovering Identity – 6/18
Kantara Initiative – Fostering Interoperable

44. BLOG – Internet Society Publications – ISOC Monthly Newsletter 6/17
Internet Society Helps Lead New Global Identity Initiative

45. BLOG – Matthew Gardiner – 6/18
Why CA Supports the Kantara Initiative

46. BLOG/SOCIAL MEDIA – Kantara Initiative @ Twitter – W/E 6/19
Kantara Initiative Tweets via the comm team

47. BLOG/SOCIAL MEDIA – Kantara Initiative Mentions @ Twitter – W/E 6/19
Kantara Initiative Community Tweets
Kantara Initiative #Kantara

48. BLOG/SOCIAL MEDIA – Kantara Initiative on YouTube – W/E 6/19


Challenging the accepted truth about iris biometrics

Posted on June 18, 2009

I promised some more notes from the recent LSE workshop I attended on Identity in the Information Society (IDIS), and have finally got around to it.

The opening keynote of the workshop was given by Prof. Kevin Bowyer, chair of the Dept of Computer Science and Engineering at Notre Dame University, who spoke on the topic “When Accepted Truth About Iris Biometrics Turns Out To Be False”.

One of the accepted truths he examined was that iris biometrics remain constant over the life of the subject. While he didn’t cite this article specifically, it’s a good example of how the accepted truth becomes established:

“Iris scanning is the most reliable of the three biometric technologies the UK government is considering. The iris is the most distinctive part of the human body, and does not alter with age.”
[...]

“Cons:

It is possible to fool iris scanners with artificial irises made by printing monochrome patterns on to paper.”

(Maija Pesola, FT article, June 27th 2005 – quoted by International Biometric Group)

This article, though now somewhat old, reveals a couple of closely-related flaws in such a position. First, fooling the scanner with a ‘monochrome printed iris’ would not work with the industry-standard devices, as these now use “near-infrared” imaging, not visible-light imaging. This passes straight through the surface layer of the iris – which is where the visible, melanin-based coloration is found – and instead records the surface texture of the underlying iris tissue.

What they see, therefore, is not the same as what you would get if you simply printed a picture of your iris… and then, of course, you would have to address the problem of how to interpose it between your eye and the scanner without this being obvious at authentication time.

Second, there’s the claim that the iris is ‘the most reliable biometric because it doesn’t change over time’. As a professional researcher in this field, Prof Bowyer took exception to this claim on the grounds that there is no relevant body of evidence to support it. It comes back to the use of near-infrared imaging. This has only been around for about 5 years… so there is simply no archive of near-infrared iris images to indicate whether or not the underlying tissue structure is indeed life-long. In fact, Prof Bowyer’s initial research indicates that the tissue structure does indeed change over time – though he qualified this finding on grounds of small sample size and short timescale.

Sure, you can look at archives of facial portraits and see whether the visible iris coloration changes over the life of the subject, but you’re not then looking at the characteristic on which iris authentication is based. In other words, this assertion of life-long reliability is currently founded not on a basis of research evidence, but on an assumption that surface melanin coloration and underlying tissue structure are intimately and causally related.

All this may or may not affect the UK’s plans for national biometrics databases. Back in December 2006, the National Identity Scheme plans were amended to drop iris biometrics – though at the time, the stated justifications for that were not to do with reliability. Instead, they were based on a combination of (i) cost reduction arguments and (ii) the standard ploy of claiming “international obligations”.

This last phrase is a rather shabby shorthand for “we’re claiming that we have to do this because the International Civil Aviation Organization, ICAO, says we must. We’re sliding past the fact that ICAO is an international regulatory consortium which recommends what its members say it should recommend, not a global authority which can force a nation state to do something it doesn’t want to do…”.

There are 190 member states in the ICAO consortium. According to this Wikipedia list, at least 129 of them do not have biometric passports, and of those which do, several use only a facial biometric. In the UK, the ICAO card is still being played in order to support the capture of fingerprint and facial biometrics.

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance


Kantara Initiative Reshapes Global Identity Landscape Based on Industry-Wide Collaboration, Announces Initial Focus Areas

Representatives from Internet Society and Oracle elected to leadership positions as growing membership base works to bridge identity technologies, initiatives and organizations

 

Washington DC, June 17, 2009 – Nearly 45 organizations from the global identity and Internet communities today announced the launch of Kantara Initiative, a new organization formed to solve the harmonization and interoperability challenges that currently exist among identity-enabled enterprise, Web 2.0 and Web-based applications and services. Kantara Initiative has been founded to collaboratively foster the innovation required for broad adoption of interoperable identity-enabled solutions across industries, regions and fixed and mobile networks. As of today’s launch, nearly 20 initial work and discussion groups have been proposed by the growing Kantara Initiative community. Kantara Initiative will hold a public webcast to give an overview of the new organization on Wednesday, June 24 at 8:00am US PT (3:00pm UTC).

 

The launch of Kantara Initiative comes after a year of strategic planning involving stakeholders representing the entire identity ecosystem. This planning focused on how to best move the industry forward as the enterprise identity landscape continues to evolve and use of social networking and Web 2.0 applications rapidly proliferates, with growing interaction between these three markets driving new use cases and identity requirements. With zero barriers to participation and founding principles based on transparency, inclusion, empowerment, innovation, collaboration and openness, members of the community are leveraging the successes and experiences of each other to drive holistic, interoperable and trusted identity solutions into the global marketplace.

 

“The identity product and service market grows more complex every month, and as the market gets more moving parts, there are more and more requirements for all those parts to work together. The parts aren’t going to work together unless the part makers work together – and that’s why today’s announcement is important,” said Bob Blakley, principal analyst, The Burton Group. “The Kantara Initiative is helping to bridge identity initiatives and organizations, which can help set the stage for better collaboration in the global identity sector.”

 

Board of Trustees and Leadership Council – Fostering Innovation and Collaboration Based on a Bicameral Governance Model

 

The Kantara Initiative has been established based on a bicameral governance model where the Board of Trustees and Leadership Council work hand-in-hand as peers in steering the direction of the organization. The bicameral model ensures that all members and participants can have a voice within Kantara Initiative.

 

With today’s news, Roger Sullivan, vice president Oracle Identity Management, has been elected president of the 2009 Kantara Initiative Board of Trustees and J. Trent Adams, outreach specialist, trust & identity, Internet Society, has been elected chair of the Leadership Council. Initial Board of Trustee members include AOL, BT, CA, Intel, Internet Society, Fidelity Investments, Novell, NRI, NTT, Oracle, PayPal and Sun Microsystems. Representatives from Intel and the New Zealand government have Leadership Council seats on the Board of Trustees.

 

According to Sullivan, “The problems the global identity industry faces today are not just about technology, but rather a combination of business policy and privacy requirements, balanced against interoperability, usability, as well as technology harmonization. All of these issues need to be addressed for identity-enabled solutions to succeed and for deployers to leverage their benefits. Kantara Initiative is uniquely positioned to address these needs.”

 

A Holistic View – Technology, Policy and Proven Interoperability

 

The Kantara Initiative structure has been designed to foster the development of new identity-related technology and policy initiatives from initial proof-of-concept and incubation, to go-to-market and long-term adoption strategies. Existing projects moving into Kantara Initiative will benefit from additional community input which will include identifying new use cases, support for adding functionality, and opportunities for proving interoperability with other projects, initiatives and technologies.

 

All output from Kantara Initiative will be based on open standards with the goal of ensuring end user convenience, security and privacy. A commitment to open standards means the Kantara Initiative community will collaborate on projects that make use of all of the identity frameworks, protocols and specifications in the marketplace today. This means solutions could be built based on one or a combination of several IAF, ID-WSF, IGF, Information Card, OAuth, OpenID, SAML 2.0, WS-*, XACML and XDI standards.

 

Focus Spanning Identity Initiatives – Nearly 20 Work and Discussion Groups in Progress Today

 

The Kantara Initiative name, which is Swahili for “bridge” and has Arabic roots in “harmony,” was announced at the April 2009 RSA Conference and since then members of the identity community have proposed nearly 20 initial work and discussion groups. All groups are open to every Kantara Initiative member as well as to the public, and anyone can suggest a new group to the Leadership Council at any time. Groups are formed by members and participants to address common issues and problems related to specific industries.

 

Proposed groups, which are being approved on an ongoing basis by the Leadership Council, include Concordia Use Cases, eGovernment, Federated Identity Model Agreement & Commentary (FIMAC), Health Identity and Assurance, Identity Assurance and Accreditation, Identity Provider Selection, Identity Theft Prevention, ID-WSF Evolution (OAuth Extensions), Japan, Multi-Protocol Identity Selector, Multi-Protocol Relying Party Deployment, Privacy and Public Policy, Telecommunications Identity, User Driven Information Technology and Volunteered Personal Information (VPI). A list of all of the groups in progress is available at http://kantarainitiative.org/wordpress/?page_id=6 

 

“It’s clear that Kantara Initiative brings together the right mix of collaborators to help shepherd the next generation of identity solutions. Specifically, our goal is to facilitate the development of solutions that are interoperable, secure and privacy-respecting.  And importantly, the work is being done in an open and transparent fashion,” said Adams. “Collaboration between identity communities and initiatives within Kantara Initiative will lead to more trusted identity-enabled applications and services. This fits squarely into the Internet Society vision of an Internet Ecosystem where the continued development and adoption of Internet technologies includes a broad range of participants with dispersed ownership and control.”

 

About Kantara Initiative

Kantara Initiative has been formed by Concordia Project, DataPortability Project, Information Card Foundation, Internet Society, Liberty Alliance, OpenLiberty.org and XDI.org. The Kantara Initiative membership structure is unique in that it has been organized to ensure that there are zero barriers to participation. Membership levels allow for maximum industry-wide participation and include Participant, Member and Trustee categories, which individuals and organizations join depending on the size of the organization and type of desired participation. The Kantara Initiative membership structure, levels, fees and governance model are outlined at http://kantarainitiative.org/wordpress/?page_id=8. A complete membership and chair list is available at http://kantarainitiative.org/confluence/display/GI/Current+Members.

 

About the June 24 Kantara Initiative Public Webcast

Hosted by Brett McDowell, executive director, Kantara Initiative, Roger Sullivan and J. Trent Adams, the public webcast, “Kantara Initiative, Shaping the Future of Digital Identity”, takes place on Wednesday, June 24 at 8:00am US PT. The one-hour event will provide participants with an overview of Kantara Initiative including a review of goals, structure and opportunities for all members of the global identity community to participate in the organization. Registration and more information are available at http://tinyurl.com/nsw3n5

 

Follow Kantara Initiative (#Kantara) on Twitter:

http://twitter.com/KantaraNews

 

Follow Kantara Initiative on YouTube:

http://www.youtube.com/user/KantaraInitiative

 

Follow Kantara Initiative on Flickr:

http://www.flickr.com/photos/kantarainitiative/

 

Follow Kantara Initiative on SlideShare:

http://www.slideshare.net/kantarainitiative

 

Follow the Kantara Initiative Blog:

http://kantarainitiative.org/wordpress/?page_id=29

 

 

###

 

CONTACT:

 

Russ DeVeau

Kantara Initiative

www.kantarainitiative.org

Mobile: 908-251-1549

Office – 954-530-2850

russd@projectliberty.org

russdeveau@comcast.net

 

 



© Copyright 2009 - Kantara Initiative. All Rights Reserved