Decentralizing Identity

March 9th, 2003 | Posted by paul in Uncategorized - (Comments Off on Decentralizing Identity)

I’m attempting to follow this important issue carefully. Andre Durand says the time is ripe for developers to hijack the Liberty Alliance and create the tools necessary for individuals to have control over their digital identities:

Imagine if someone hijacked the Liberty Alliance protocol (I say ‘hijack’ because Liberty was designed by corporations for corporate federation of Tier 2 identities) and embedded it in a client of some sort. For the purpose of this discussion, let’s say the client was a Jabber IM client, and imagine if we extended the personal information in the Jabber client to include things which Bryan describes in his ‘Digital Estate‘ article posted last year (which by the way was the original Ping vision). Now let’s take this concept two steps further — imagine if this new breed of Jabber client did more than just allow you make buddy-lists and chat in real-time, but actually allowed you to build your own Personal Area Networks (similar to a project we did at Durand back in 1995 called CommunityWare). To truly understand this notion, check out Ryze — a business and social networking community (website) which actually achieves much of the original thinking behind (now out of business). And lastly, what if, as Eric Norlin has suggested, we hijack email while we’re at it, putting an ’email like’ interface (many Jabber clients already have this) into the IM interface, but do so in such a way that only ‘certified’ individuals (people who have been added to your Personal Area Network or Roster) can actually send you email (thereby eliminating spam) — now we might have something both unique, new and interesting.


Sovereign Identity

December 27th, 2002 | Posted by paul in Uncategorized - (Comments Off on Sovereign Identity)

There has been an ongoing discussion about Digital Identities between Doc Searl, Eric Norlin and David Weinberger. And this months CIO has a great survey of which #8: Identity Crisis talks about the necessity of decentralizing our identities. It makes the very important point that if we rely on increasingly unique biometric identifiers it would only make the problem of identity theft worse. If someone is able to spoof your fingerprint or other biometric identifier, then how would you be able to prove you were you? The answer lies in giving you back control of your identity. Afterall, as long you have control over your identity, does Amazon really need to know who you are, as long as you can secure payment?

John Gilmore is also challenging identity by refusing to give his ID to board an airplane.

Freedom of Travel. I’m suing Attorney General John Ashcroft and various federal agencies, to make them stop demanding that citizens identify themselves in order to travel. Not only airports, but trains, buses, and cruise ships are now imposing ID requirements. This violates several constitutional rights. Stop showing ID whenever someone asks (or demands) it, and you will start to discover just what your rights are.

From this months CIO:

“As long as security relies on identity, then ID theft becomes an effective way of committing fraud,” Schneier adds. “And creating stronger IDs [through biometrics] only makes the problem worse.” Likewise, putting all of your customer information in one central database only heightens the chance that identifying information will be stolen. After all, it’s much easier to break into a large centralized database than small separate databases. And resourceful thieves will always find a way around the toughest security, as Ford and Experian have learned to their chagrin.

To avoid a similar disaster on their turf, CIOs should insist their company’s customer data be kept in separate databases protected by a number of different security measures. And they should push their company to adopt safer business practices that require customers and employees to use a number of different identifiers to gain access to personal data. For retailers, that might mean implementing other business safeguards, such as matching the shipping address with the home address on customers’ credit reports. In the meantime, legislation that bans the use of Social Security numbers and other personal identifiers in instant credit e-mails or letters has already been passed in California and is being considered in other states.

“If you had a dozen IDs and they weren’t linked together, now that would be difficult to steal,” Schneier says. “Decentralize, distribute. There is never one answer to security.