Privacy Identity and Innovation – pii & Women

The Privacy Identity and Innovation is coming up August 17-19th in Seattle, Washington.

This conference is the brain child of Natalie Fonseca who has run the Tech Policy Summit for several years.

I am speaking at the event on a panel about personal data stores (a new project I will write more about here soon).  I am really proud to be amongst many other women industry leaders speaking. I know Natalie took proactive approach to recruiting women to speak and voila – their are women speakers at this technology conference.

Denise Tayloe, CEO of Privo
Marie Alexander, CEO of Quova
Linda Criddle, CEO of Reputation Share
Fran Maier, President of TRUSTe
Anne Toth, Chief Privacy Officer for Yahoo
Michelle Dennedy, VP at Oracle
Judith Spencer of GSA
Christine Lemke, CTO of Sense Networks
Betsy Masiello of Google
Heather West of Center for Democracy and Technology
Eve Maler of PayPal
Susan Lyon of Perkins Coie
Deborah Estrin of UCLA

It should be a great event – the guys on the program are equally cool.

The Age of Privacy is Over????

ReadWriteWeb has coverage of Zuckerberg’s talk with Arrington at the Crunchies. According to him, the age of Privacy is Over. This is the quote that is just STUNNING:

..we decided that these would be the social norms now and we just went for it.

When I first heard it in the interview in the video I did a major double take – “we decided” ?? seriously? The we in that sentence is Facebook and clearly with Zuckerburg is at the helm – He could have said “I decided” and he as the CEO of a social network has the power to “decide” the fate of the privately shared amongst friends in the context of this particular social network for millions of people (see my post about the privacy move violating the contract with users). It makes you wonder if this one platform has too much power and in this example makes the case for a distributed social network where people have their own autonomy to share their information on their own terms and not trust that the company running a platform will not expose their information.

It is clear that Zuckerberg and his team don’t get social norms and how they work – people create social norms with their usage and practices in social space (both online and off).

It is “possible” to change what is available publicly and there for making it normal by flipping a switch and making things that were private public for millions of people, but it is unethical and undermines the trust people have in the network.

I will agree there is an emerging norm that young men working building tools in Silicon Valley have a social norm of “being public about everything”, but they are not everyone. I am looking forward to seeing social tools developed by women and actual community organizers rather then just techno geeks.

I will have more to say on this later this week – I was quite busy Saturday – I ran the Community Leadership Summit, yesterday I flew to DC and today I am running the Open Government Directive Workshop. While I am here I hope to meet with folks about Identity in DC over the next 2 days.

Great Identity News

Yesterday the Government hosted a workshop in DC: Open Government Identity Management Solutions Privacy Workshop.

The OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.

Drummond Reed and Don Tibeau announced their paper Open Trust Frameworks for Open Government.

Quiet and intense work has been going on since just before the last IIW on all this, so it is great to see it begin to see the light of day.

The OpenID Foundation had a wonderful new redesign that Chris Messina announced. This page really made me smile: Get an OpenIDSurprise! You may already have an OpenID.

Axel did a Wordle of it:

Facebook Changing Privacy Settings

This past month has been interesting for Facebook – they hired Timothy Sparapani as their lobbyist in Washington:

As a prominent privacy advocate, Timothy Sparapani, former senior legislative counsel for the American Civil Liberties Union, argued that Internet companies have too much control over consumers’ data. The self-described “privacy zealot” didn’t join Facebook until seven months ago because he was uneasy about revealing personal information on the site.

He joins 24-year-old Adam Coner for the last year who has had as his main job “educat[ing] members of Congress and Capitol Hill staffers about leveraging Facebook to reach constituents.”

The current Chief Privacy officer Chris Kelly will be going on a leave of absence in September to focus on running for Attorney General of California.

EPIC has a very detailed page about Facebook Privacy. It is an impressive page that will give you pause. It outlines all the major features of the service it has concerns about. It has a list of all the EPIC Actions related to Facebook too.

This week Facebook is taking some steps to improve privacy from its website:

The power to share is the cornerstone of Facebook. Privacy and the tools for tailoring what information is shared with whom are at the heart of trust. Over the past five years, Facebook has learned that effective privacy is grounded in three basic principles:

  • Control. When people can easily control the audience for their information and content, they share more and they’re able to better connect with the people who matter in their lives.
  • Simplicity. When tools are simple, people are more likely to use them and understand them.
  • Connection. With effective tools, people can successfully balance their desire to control access to information with their desire to connect – to discover and be discovered by those they care about.

That’s why in the coming days, we’ll be improving privacy on Facebook by launching a series of tests that guide people to new, simpler tools of control and connection.

I wrote about some of the issues I have with Facebook when I heard Dave Morin talk at SXSW “Am I to “old” to get Facebook – or do they not get it?”. I highlighted 3 different issues:

  • What Blane Cook describes as “being in a room with everyone you ever met all the time”: all my friends from different contexts of my life get all the same ‘status’ updates and I don’t use them cause I feel like it is social spam to speak to them with the same voice and same frequency. I also don’t like that it broadcasts everything I “do” in the network to everyone.
  • “Real Names” vs. handles online – their belief they have “everyone’s real name in facebook”
  • The difference that women experience in online space and how they manage and protect their identity and what information is online.

Here is what they are saying about how to address this issue:

They are introducing a Publisher Privacy Control so that on a per-post basis users can control who sees each post. Friends, Friends and Family etc. On the other end of the spectrum, you can also share with “everyone” now.

They are simplifying their privacy settings. Hopefully this will make it more usable.

They are figuring out how to gracefully help people transition between the old settings and the new way.

They are asking everyone to revisit their settings…because:

We think Facebook is most useful when people can find and connect with each other, which is why this tool will enable you to make available those parts of your profile that you feel comfortable sharing in order to facilitate better connection. You will have the choice of being as open or as limited in the sharing of this information as you want.

The byline on the post is cute:

Chris Kelly, Facebook’s chief privacy officer, is glad to be offering you more control.

Read Write Web goes into their understanding of the announcement and user experience. This is a long, good piece.

FU – The Monday After, Facebook Usernames and Your Domain on the Web

Last week it was announced that on on Friday Night at 9pm Pacific Facebook had a name space land rush. Everyone was free to pick for themselves their username that would appear in their URL.

I actually found this a bit surprising – remember the big debate on the Social Web TV I had with Josh Elman about “real names.” He was against handles completely and felt that the big value facebook brought was “real names”. I argued for handles and the freedom to choose one’s “identity” on the web. I made the point that free society – having the ability freedom to have the option to have and use handles on the web NOT linked to our given/ in real life names. Another thing is that handles help us navigate namespace clash from regular names. Max from MySpace is 8bitkid not some other Max in a sea of Max’s.

I ran into Josh Elman at the Building43 party and we agreed I kinda won the debate with this latest development. It seems that having peoples pages rank higher in google is helped by having readable URL’s.

They of course “strongly encouraged” people to just pick a URL with one’s real name and did so by “suggesting” names that were derivatives of one’s name. You could override this and type in your own name choice (however defaults matter so most people will end up with names similar to their real name – rather then being asked to think up one). They give users an addressable identity.

Max Engel of MySpace became /8BitKid – his handle “everywhere”

David Recordon surprisingly didn’t go with DaveMan692 – his handle most places – he is /DavidRecordon

My friend Jennifer became /dangerangel as she had originally signed up for in Facebook but they disallowed her to have it.

I just became /Kaliya (I am hoping I can get enough fans to claim /identitywoman for that persona)

What is particularly interesting is the layers of identity in Facebook.

With a Facebook URLFacebook has the one’s username is not one’s e-mail address as it is with Google profiles and one also has a common name (or as they say “real name”) that is presented to throughout the system.

Google ironically enough they ask if you want a “contact” me button on your page that does not give away your e-mail address when the profile URL gives away your e-mail address.

Twitter has /usernames AND another display name of your choosing that is changeable (the /usernames are not). However most twitter clients display one or the other. If you are used to seeing the display name and then are on your phone that is only showing @handle /username then you don’t know who is talking.

Facebook usernames is another example Twitter feature adoption by Facebook others being activity streams becoming much more like twitter streams.

I said when I first “got” twitter about 18 months ago – a big part of the value it provided was its namespace. It gave me a cool anchor on the web that allowed communication between me and others via the web.

So how is it going so far? Inside facebook reports that over the weekend 6 million folks – 3% of their userbase gut URLs. 500,000 in the first 15 min, 1,000,000 in the first hour and 3 million in the first 14 hours.

There were several examples of FaceSquating. Mike Pence took Obiefernadez’s name.

Anil Dash has the funniest post ever about the whole thing. Highlight the point that users don’t need facebook URL’s they can just get their own domain name. He repeats this throughout the post about what these services are not telling you:

None of these posts mention that you can also register a real domain name that you can own, instead of just having another URL on Facebook.

I completely agree with him – he also misses a key point the usability of facebook is vastly higher then the usability of domain name registration, cpanel management and other things involved in getting ones own personal web presence going. DiSo isn’t hear yet so we can’t link to our friends without linking capability that a facebook provides. I suppose was trying to

He links to a post of his from December 2002 called privacy and identity control.

I own my name. I am the first, and definitive, source of information on me.

One of the biggest benefits of that reality is that I now have control. The information I choose to reveal on my site sets the biggest boundaries for my privacy on the web. Granted, I’ll never have total control. But look at most people, especially novice Internet users, who are concerned with privacy. They’re fighting a losing battle, trying to prevent their personal information from being available on the web at all. If you recognize that it’s going to happen, your best bet is to choose how, when, and where it shows up.

That’s the future. Own your name. Buy the domain name, get yourself linked to, and put up a page. Make it a blank page, if you want. Fill it with disinformation or gibberish. Plug in other random people’s names into Googlism and paste their realities into your own. Or, just reveal the parts of your life that you feel represent you most effectively on the web. Publish things that advance your career or your love life or that document your travels around the world. But if you care about your privacy, and you care about your identity, take the steps to control it now.

In a few years, it won’t be as critical. There will be a reasonably trustworthy system of identity and authorship verification. Finding a person’s words and thoughts across different media and time periods will be relatively easy.

What people don’t quite get is that if they anchor their whole online life around someone else’s domain they are locked in. When I first started paying attention to user-centric identity online this was one of the meta-long term issues that the first identity commons folks (Drummond Reed, Fen Lebalm, Owen Davis, Andrew Nelson, Eugene Kim, Jim Fournier, Marc Le Maitre, Bill Barnhill, Nikolaj Nyholm, etc).

A few of them wrote a paper about it all – THE SOCIAL WEB – Creating an Open Social Network with XDI.

They liked the XRI/i-names architecture because it addressed the URL recycling problem with a layer of abstraction. All i-names also have linked to them a conical identifier – an i-number. This number is never reassigned in the global registry. However one could “sell” one’s i-name (mine is =kaliya) and that new person could use it but it would have a different i-number assigned to it for that person.

This past week at the Online Community Unconference we were talking about the issue of conversation tracking around blog conversations. How an one watch/track the conversation about one’s work if it is cross posted on 10 different sites OR if it is just posted in one place and one is distributing a link through 10 different channels? We never did get to an answer – I chimed in that the web was missing an abstraction layer – that if one could have a canonical identifier for a post that was up in 10 different places this would make it easier to track/see conversations about that post. What we do have now that we didn’t have 3 years ago for helping track conversations across multiple contexts is OpenID at least so you can see if someone commenting in one place is the same as someone commenting in another.

There is an additional layer of abstraction in the XRI architecture that supports several things are key to helping people integrate themselves and information about themselves on thew web.

One is cross referencing – so I could have have two different (URI) addresses for the same information (in the identifier – not just mapped over one another leaving me with one address OR the other) and also have one version of my profile be the one I controlled and a different be a version that appeared in a certain social context.

There is also a concept of much finer grained data addressability and control – so I could have my home address in one place and instead of entering this into each website/services/company portal that I want to have this information – just hand them a link to the canonical copy I manage and then I don’t have to change it everywhere. This is of course where the VRM folks are going with their architectures and services.

We shall see how it all evolves. That is what we do at the Internet Identity Workshop is keeping on working on figuring this all out.

TSA data cloud searching – Flights today, Subways tomorrow?

This article was slashdotted today.

TSA had promised it would only use the limited information about passengers that it had obtained from airlines. Instead, the agency and its contractors compiled files on people using data from commercial brokers and then compared those files with the lists.

The GAO reported that about 100 million records were collected.

The 1974 Privacy Act requires the government to notify the public when it collects information about people. It must say who it’s gathering information about, what kinds of information, why it’s being collected and how the information is stored.

And to protect people from having misinformation about them in their files, the government must also disclose how they can access and correct the data it has collected.

Before it began testing Secure Flight, the TSA published notices in September and November saying that it would collect from airlines information about people who flew commercially in June 2004.

Instead, the agency actually took 43,000 names of passengers and used about 200,000 variations of those names – who turned out to be real people who may not have flown that month, the GAO said. A TSA contractor collected 100 million records on those names.

It brings up some serious concerns about how information collection and validation is done by the TSA for airline passengers. How can we trust governments to collect this much information about us just because we travel.

This week I wonder why care about airlines passengers because security is so tight that airlines do not seem to be a place where the next round of attacks will be. If London is any indication it will be on mass transit. Given the level of police/security presence on the transit systems in the Bay Area this week is certainly seems like there is some concern that mass transit will be attacked. They have started random searching of bags to get on the NYC subway. One wonders if they will start issuing ‘identity passes’ to get on such systems.

On the city subways, which are used by 4.5 million people on the average workday, the inspections started on a small scale Thursday afternoon and were expanded Friday.

The New York Civil Liberties Union opposed the searches, saying they violated the Fourth Amendment. Mayor Michael Bloomberg said he hoped the NYCLU would recognize that the city had struck the right balance between security and protecting constitutional rights. He said the bag-checking program is part of a policy to “constantly change tactics” and “may, or may not, be there tomorrow.”

Catalyst: Logic of Identity – Bob Blakley Chief Scientist IBM

This is a summary of Bob Blakley’s talk at Burton Catalyst:

Opening – Sermon on Laws

Laws of Planetary Motion
Kim’s Laws what happens to Identity if you make stupid or subtle mistakes
Newtons Law – gravity
Why things happen
Introduction – Looking Back Digital Signatures

A while back we decided we needed non-repudiation and did digital signatures by issuing certificates.
We forgot to figure out why do signatures work in the real world.
So, we got how they worked wrong in the technical world.
Having signatures not work is bad looking forward having privacy not work is bad.
Body of Talk
Identity is a collection of attributes by which a person or thing is generally recognized or known
Identity Relativity
The Identity of X according to Y: The set of attributes believed by Y to be true of X.
Axiom: Utility
An identity attribute has value if and only if knowing that attribute reduces risk for some party
Reducing one party’s risk often creates risks for other parties.
Consequence: Identification is Power
Identity allocates risk.The ability to create or eliminate a risk for another confers power over the other.

Axiom: Contention
Because identity claims allocate risks, they will be disputed.
Identity Attributes

  • Commercial Interest – Convenience
  • Government Interest – Security
  • Individual interest – Privacy

Privacy: is the ability to lie about yourself and get away with it.

Axiom: Subjectivity
People disagree about one anothers identity attributes
In general, there’s now easy way to tell who’s right and who’s wrong
Axiom: Temporality
The name that can be named is not enduring and unchanging name. All identity attributes change over time.

  • Prince -> symbol
  • Michael Jackson Black -> Plastified

Axiom: Obscurity
Identity attributes can be

  • what you know – you can lie
  • what you have – loose / leave
  • what you are – alter disguise

Axiom: Publicity
Identity attributes cannot be secret
By definition attributes aren’t observable can’t be used to use attributes
Axiom: Contextually
Identity is inherently subject to effect of scale.
Brandon Mayfield – guy who did not blow up trains
His finger print matched one at Madrid Bombing (it was not an accurate assertion)
Large databases -> not completely reliable
To scale identity information one needs to collect — more information

Consequence: Powerlessness
Identity is in they eye of the beholder – subjectivity.

  • You can’t control what other people think or say about you.
  • You can’t even know who knows what about you.
  • Can control what you tell people but not what people find out

Consequence: Privacy Erosion
Scale requires distinguishing between lots of individuals which requires lots of information.
In a sufficiently large population the commonly agreed to be public attributes will not distinguishing individuals well enough.
So information about sensitive attributes will be collected.

In the UK they are look at putting in scanners (QinetiQ) while entering the subway to detect knives but what about creep in the use of other things identifying tatoos?
People push back against government identification.

Consequence: Due Process
Because identity is subjective, contextually, contention and obscurity and temporality.


But due process undermines the business case for identity. Due process requires transparency. Transparency reveals how identity attributes are collected and synthesized to make judgment. Collection and Synthesis are the only sources of completive value.

They do it because they like costumer intimacy.

Supply and Demand mismatch between favorable and unfavorable information.
Favorable information is easy to get.
The subject is happy to give it to you and the subject is happy to help you authenticate it. Therefore the supply is large and the value is low. But it’s worse: Demand is also low! Because favorable information is less likely to reduce another party’s risk. Especially the case when the other party has lots of potential customers.

The business case fore identity service provider infringes privacy.

The business of identity service providers is risk reduction withholding adverse information decrease the value of business.
Collecting more adverse information makes more.

Identity and Privacy are Incompatible.
Adverse information has positive identity value but negative privacy value.
Favorable information has zero identity value and zero privacy value.

Fable about MARIA

Recent guatemalan immigration
she has AIDS and she doesn’t want anyone to know. The health insurance company wants to know this information because it is a $180,000 not to know this.

Canada has some crazy laws too.

Canada has some crazy laws too. I kind of was thinking of Canada where I was born as the ‘friendly’ nation to the north but it seems not to be true :(.

Before privacy laws or the Charter, there was little if anything to stop police or national security operatives from cajoling or coercing information from private sector organizations. A civic-minded government department or company could blab all it wanted about its customers or employees.

Our privacy laws changed this, although they didn’t really try to put a stop to it. In BC, our public sector privacy law gives public bodies discretion to disclose personal information for law enforcement purposes, without warrant, but there are (some would argue, weak) constraints on this. The same can be said for our private sector privacy law. Still, these laws, together with the Charter, have until recently insulated against over-enthusiastic private sector co-operation with all and sundry state inquiries. Is this still true? If it is, how long will this last?

After the 9/11 attacks, governments everywhere felt compelled to act, and to be seen to act. This was in an important sense responsible of government. It was also mandated by political Darwinism. But a profoundly important aspect of the post-9/11 changes is the blurring of lines between collection and use of personal information for law enforcement purposes under criminal and other penal laws and use for national security purposes. A defining characteristic of police states is the blurring of distinctions between law enforcement and national security functions, the danger being that the rule of law eventually gives way to arbitrary decision-making by law enforcement authorities and the rights of ordinary citizens lose meaning. Democracies depend on clear and effective rules suited to the state activities that the rules are intended to govern and that reflect the essential values of a free society.

In Canada, post-9/11 amendments to the Customs Act and regulations authorize officials to require private sector organizations to provide border officials with extensive advance information about arriving passengers. These changes expanded the federal government’s ability to use and share that information, not only for national security purposes, but also for ordinary law enforcement and other purposes, including (according to government statements in 2002) public health surveillance. The information-sharing authority includes a broad ability to share personal information about Canadians and others with foreign governments. The amendments don’t restrict information-sharing arrangements to national security uses they could easily include ordinary law enforcement or other purposes defined on a case-by-case basis or in an agreement with another nation.

Also, Public Safety Act amendments to the Aeronautics Act allow the RCMP Commissioner to require any air carrier or operator of an air reservation system to, for the purposes of transportation security, disclose specified information in its control to any person the Commissioner designates. Despite the Public Safety Act reference to transportation security, the amendments allow this data to be matched with other data and to be disclosed to assist in executing certain outstanding arrest warrants. This effectively compels the private sector to assist the state, in the absence of a warrant or court order, in surveillance of all air travellers for the broader general purposes of both national security and ordinary law enforcement.

Consistent with these powers to conscript the private sector into both national security and law enforcement activities, Public Safety Act amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) permit private sector organizations to collect personal information without an individual’s knowledge or consent in circumstances that amount to an invitation to, and in some cases compulsion of, the private sector to assist the state in surveillance for both general national security and ordinary law enforcement purposes.

The Public Safety Act also amended the Proceeds of Crime (Money Laundering) and Terrorist Financing Act to authorize the Financial Transactions and Reports Analysis Centre of Canada to collect information it considers relevant to money laundering or financing of terrorist activities from publicly available information, including commercially available databases. FINTRAC is also authorized to obtain, under information-sharing agreements, information maintained by federal or provincial governments for law enforcement or national security reasons.

FINTRAC expanded powers point to the fact that, when it comes to co-opting the private sector, 9/11 can’t be blamed for everything. Laundering of dirty money was of sufficient concern before 9/11 to lead to extensive transaction-reporting requirements for banks and others. You can easily find other examples of legislative responses to individually pressing policy challenges that draft private sector organizations into state service in the name of public safety or order. One example is the current federal government lawful access proposals, some of which would apparently require ISPs to hand over at least identifying customer information and perhaps more on simple request by state officials, and for a pretty broad range of uses.

Also, at the local level, at least in BC, we see more and more local government bylaws compelling businesses to hand customer information over to police for a variety of reasons. Pawnshop reporting requirements have been around for a long time, but now were seeing bylaws requiring businesses to regularly give police information, without request, in a variety of situations (such as information who’s been buying pepper spray, hydroponic supplies or chemicals that could be used to make drugs and who’s been renting mailboxes at commercial mailbox centres).

And governments are now large purchasers of personal information from the private sector. So far this is being seen mostly in the US think of Total Information Awareness, MATRIX, Secure Flight and so on but to think that our own governments will ignore the expanding private sector trove of electronic personal information much longer.

As databases proliferate, become more comprehensive and become lifelong, it’ll be harder and harder to resist those who say that, since the information is out there, the state should be able to use it. Time and time again over the last six years I’ve been told by middle-aged, middle class Caucasian males that they have nothing to hide, so why should anyone else feel differently? Let the government have the information it needs to protect us, they say.

Now, I don’t doubt the good faith of BC’s police agencies not for a minute. But, thinking thirty or fifty years down the road to a time when the lines between national security and law enforcement have blurred to vanishing, will there be any meaningful rules? If not, will our belief in the good faith of state officials, set adrift without guiding rules, be enough to sustain our privacy and other rights?