Government data linked together…

From Slashdot:

a story from The Guardian about FBI interest in connectivity between its own database resources and those abroad. It’s spearheading a program labeled ‘Server in the Sky’, meant to coordinate the police forces of the United States, the United Kingdom, Canada, Australia, and New Zealand to better fight international crime/terrorist groups. The group is calling itself the International Information Consortium.

“Britain’s National Policing Improvement Agency has been the lead body for the FBI project because it is responsible for IDENT1, the UK database holding 7m sets of fingerprints and other biometric details used by police forces to search for matches from scenes of crimes. Many of the prints are either from a person with no criminal record, or have yet to be matched to a named individual. IDENT1 was built by the computer technology arm of the US defence company Northrop Grumman. In future it is expected to hold palm prints, facial images and video sequences.”

Netflix anonymous data de-anonymization

Wow! This is a different kind of data breach.

In October last year, Netflix released over 100 million movie ratings made by 500,000 subscribers to their online DVD rental service. The company then offered a prize of $1 million to anyone who could better the company’s system of DVD recommendation by 10 per cent or more.

Of course, Netflix assured everybody that the data had been anonymized by removing any personal details.

That turns out to have been a tad optimistic. Arvind Narayanan and Vitaly Shmatikov at the University of Texas at Austin have just de-anonymized it.

They go on to explain how they did it.

As one of the comments highlights, the part they gloss over is that they can only find out who you are if you had an account on both Netflix and IMDB.
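To make the linkage concrete, here is an added illustration (my own constructed example, not Narayanan and Shmatikov’s code, and not the real Netflix or IMDB data) of how a few public ratings can single out one record in a release that has only had the names stripped. The subscriber ids, titles, stars, dates, the 1/log(1+support) weighting, the slack values and the 1.5 eccentricity threshold are all assumptions chosen for the demo. The second profile (one popular title only) shows the flip side the comment above points at: with nothing rare to link on, the best candidate does not stand out and the attack returns no match.

```python
"""Constructed illustration of a linkage attack on 'anonymized' ratings data."""
import math
from datetime import date
from statistics import pstdev

# Constructed "anonymized" release: subscriber ids replaced by opaque numbers,
# but (title, stars, date) triples kept intact, as the Netflix Prize data did.
ANON = {
    1001: [("Blockbuster", 5, date(2005, 1, 10)), ("Indie Film", 3, date(2005, 2, 2))],
    1002: [("Blockbuster", 4, date(2005, 1, 15)), ("Heat", 3, date(2005, 5, 5))],
    1003: [("Blockbuster", 5, date(2005, 2, 1)), ("Amelie", 4, date(2005, 3, 3))],
    1004: [("Blockbuster", 5, date(2005, 1, 12)), ("Indie Film", 4, date(2005, 2, 20)),
           ("Obscure Doc", 2, date(2005, 3, 5))],
    1005: [("Blockbuster", 3, date(2005, 4, 1)), ("Brazil", 5, date(2005, 4, 2))],
    1006: [("Blockbuster", 5, date(2005, 1, 11))],
}

# Constructed auxiliary information: three ratings the target posted publicly
# under their real name (think IMDB). Deliberately noisy: one rating is off by
# one star and one date is off by two days, as public reviews usually are.
AUX = [("Blockbuster", 5, date(2005, 1, 12)),
       ("Indie Film", 3, date(2005, 2, 22)),
       ("Obscure Doc", 2, date(2005, 3, 6))]

# Constructed profile that only rated the title everybody rated: not identifying.
AUX_POPULAR_ONLY = [("Blockbuster", 5, date(2005, 1, 12))]


def support(records):
    """How many subscribers rated each title; rare titles carry more identifying weight."""
    counts = {}
    for ratings in records.values():
        for title, _, _ in ratings:
            counts[title] = counts.get(title, 0) + 1
    return counts


def similarity(aux_item, rec_item, star_slack=1, day_slack=14):
    """1 if same title, stars within star_slack and date within day_slack, else 0."""
    (t1, s1, d1), (t2, s2, d2) = aux_item, rec_item
    return int(t1 == t2 and abs(s1 - s2) <= star_slack and abs((d1 - d2).days) <= day_slack)


def score(aux, ratings, counts):
    """Weighted count of aux items that approximately match one subscriber's record.
    Weight is 1/log(1+support): the +1 is an assumption so a title rated by a
    single subscriber does not divide by log(1) == 0."""
    by_title = {item[0]: item for item in ratings}
    total = 0.0
    for item in aux:
        rec_item = by_title.get(item[0])
        if rec_item is not None and similarity(item, rec_item):
            total += 1.0 / math.log(1 + counts[item[0]])
    return total


def deanonymize(aux, records, threshold=1.5):
    """Return (subscriber_id, eccentricity) for the best-scoring record, or
    (None, eccentricity) when the best candidate does not stand out from the
    runner-up by at least `threshold` standard deviations of all scores."""
    counts = support(records)
    scores = {sid: score(aux, ratings, counts) for sid, ratings in records.items()}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    best_id, best = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    spread = pstdev(scores.values())
    ecc = (best - runner_up) / spread if spread > 0 else 0.0
    return (best_id if ecc >= threshold else None), ecc


if __name__ == "__main__":
    print(deanonymize(AUX, ANON))               # (1004, ~2.4): linked despite the noise
    print(deanonymize(AUX_POPULAR_ONLY, ANON))  # (None, 0.0): four equally good candidates
```

The point a practitioner should take from this is that "removing personal details" is not the same as anonymizing: the rating triples themselves are the identifier once any public profile overlaps them, and the rarer the titles in the overlap, the fewer ratings it takes.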

Because she Owns Her Image

This is quite an interesting case and highlights a flaw that can occur when people use Creative Commons-licensed work.

A Texas family has sued Creative Commons after their teenaged daughter’s photo was used in an ad campaign for Virgin Mobile Australia. The photo had been taken by the girl’s youth counselor, who put it on Flickr, and chose a CC Attribution license, which allows for commercial use. Virgin did, in fact, attribute the photo to the photographer, fulfilling the terms of the license, but the family is still suing Virgin Mobile Australia and Creative Commons.

The photographer can license the work under CC (for commercial or non-commercial purposes) but that does not mean that the person in the photo has licensed their image to be used.

They should not be suing CC but instead Virgin Mobile because they failed to get permission from her to use her image.

I actually had this happen to me. An image was taken of me at HollyHock, and the next year, when I went to the site to check out their programs, I found out I was their new poster girl. I would have given them permission to use my image had they asked, but they didn’t.

Credit Checks by the Government ‘legal’

More privacy invasion by the Executive Branch:

Vice President Dick Cheney said Sunday the Pentagon and CIA are not violating people’s rights by examining the banking and credit records of hundreds of Americans and others suspected of terrorism or espionage in the United States.

Rep. Silvestre Reyes, D-Texas, the new chairman of the House Intelligence Committee, said his panel will be the judge of that.

National security letters permit the executive branch to seek records about people in terrorism and spy investigations without a judge’s approval or grand jury subpoena.

Kim Cameron’s Panel about Identity @ SD Forum

This is from the SD Forum on Interoperability January 31, 2006.

Prateek Mishra – Oracle
What is the identity problem?
It is stuck in a few places at employer, bank and you want to
how does your identity get from your identity provider – the places where you have defined your identity – to all these business processes and services?

We want to do this across the internet. There is the protocol piece – we know how to transmit identity from point a to point b this is solved…

Governance models: how to transfer identity in trusted ways from point a to point b. Folks like Liberty Alliance have white papers and frameworks for this. This is a non-trivial problem. How do you maintain and create governance?

How do you have normal folks sitting at their computers manage their identities in intuitive ways? How do they have a tool

Identity is stuck it wants to be free.
Protocol – Token Representation – solved
Governance and Infrastructure – somewhat solved
How does a person leverage these multiple identities?

Kim Cameron – fan of SAML and Liberty
As we move to a more interconnected set of systems we need an identity layer. When you have an architectural hole of this magnitude you have a huge number of kludges.

Meta System

Users have no way of predicting how they should work – knowing when they are in danger.

In the old days we were fighting over token ring vs. Ethernet – we got TCP/IP, which encapsulated both.

We need a metasystem (I got a tiny bit distracted here, sorry. So the transcription is not perfect)

Karen Wendel, Identrus
Metasystem – single interface from an identity perspective.
Everyone has a Visa card – rather than folks each having a card for each store. The industry would be stuck without interoperability.
Rules used consistently throughout the world.
VISA would take responsibility for legal, technical and policy issues.

Identrus was owned by the banks. Your identity will be given to you. It takes responsibility around the policy stuff. Legal aspects of your identity – dispute resolution. Liability of relying party who maintains it and lifecycle. We run this network and commonality on global basis.

(from their website) Identrus provides the global standard for identity authentication.
As communications expand and the world shrinks, knowing who’s who in the electronic universe becomes vital.
Identrus offers a full range of technology and services that support every aspect of safe eTransactions.

Rena Mears, Deloitte
Access – from a privacy point of view is different from access from a security point of view
Assertions and Claims are different

Kim Cameron..
Claims are assertions which are in doubt
everything being claimed has to be doubted so we can establish trust.

They considered using Claims but it would have become SCML (scammel)

It is to the benefit of SAML to make things secure in the browser. In Shibboleth the hardest thing is home site discovery – Infocards’ visual representation and

pick one of the 5000 higher education institutions…
or pick ‘your’ university identity.

Identrus: This is what we would call an identity provider.

SAML is the transport language
SAML is used between a portal and services to the portal.

I propose we have new ways of the user authenticating to the portal.
The systems still exist.

What constitutes an identity and the needs for security.
How does language play in this space – there are a lot of different models – identity is not the same as authentication or security.

problem blending identity and security – PKI
you get these people

Anyone who works with a protocol gets infected by the protocol, and their vision blurs and narrows.
We need more fanatics about protocols

One of the challenges for us as a community – identity does more than authenticate – sign things and create legal contracts, engage in business transactions, incur liability and regulatory transactions.

you can’t look at the papers and not see an inherent relationship between identity and security.

Who has stepped up to be the binder of identity to the individual?

There is no such thing as a single monolithic identity.
There are multiple notions of identity, useful for different contexts.
Shibboleth context: higher education
Identrus is a context and a governance model

We like Infocards – if we could use it; when we get to the line in the spec it says identity provider discovery – out of band.
Authentication is out of band for SAML.

everyone is bound by
the bank that issues the identity to the person
the bank binds to the person – liable for up to 10 million dollars
issued within all the legal requirements

There are all these pockets of identity – the level of binding between issuer and relying party – it does not transfer through the bridge structure.

A lot of the federated model you don’t have that level of binding between the parties.

We will work with the bridges and it is a different element.

The government – thinking of itself as the ‘binding’ authority – reasons for relative autonomy.

Belgium has a national identity card – but no card readers.
One group was the association of mayors – they were now being asked to sign their legal documents with their individual citizen identity – they used to sign their documents with a stamp of their office – we must think of roles.

The issue is PRIVACY.
the characteristics that really respects privacy are the characteristics of a system that really is difficult to penetrate.

All of the identity issues – any initiative that takes this forward we should all applaud.

we must be wary of the lawyers

The lawyers have learnt their lesson now…When the next disruptive communications technology – the next worldwide web – is thought up, the lawyers and the logic of control will be much more evident. That is not a happy thought.

From Slashdot. More from the article it refers to:

Why is the web unlikely? Prepare for a moment of geek-speak. For most of us, the web is reached by general-purpose computers that use open protocols – standards and languages that are owned by no one – to communicate with a network (there is no central point from which all data comes) whose mechanisms for transferring data are also open.

Takeaways – Open and Free.