It's great that even the BBC understands the basic concepts behind identity management (BBC NEWS | Technology | Solutions to net security fears) and the problems associated with multiple identities. The token approach (as promulgated by RSA, Activcard and others) is pretty good. But of course this all comes down to trust; specifically, the ability of any issuing body to tie a real, live person to a single digital identity.
Issuing bodies that can do that are few and far between, and in North America have yet to step up to the challenge for more than just their own needs. Banks have that ability. So does the motor vehicle licensing bureau in each state/province, although I think that the level of consumer trust in the license bureau is probably lower than it is in a bank.
But the bottom line is that this is going to be expensive, and anyone who does it is going to have to balance business goals against customer convenience. If I get a single ID from Washington Mutual here in Seattle, are they going to willingly allow me to use the same ID to replenish my Starbucks account? Perhaps. What about to log on to my Schwab brokerage account? Perhaps, but there are issues of liability as well as competition. Now what about my Bank of America account? And will BofA accept a WaMu identity?
Bottom line: This needs to happen from a central issuing authority that doesn't have these competition issues. Only two come to mind: the Feds, and the credit-card companies. If Visa (I mean the whole Visa association, not any one bank) could implement this it would be a home run. Guaranteed MasterCard and Amex would follow suit. But if I end up with three identities instead of the 40 or 50 I have now, that would be progress.
What would YOU pay for this? $10 a year? $50?
Some interesting papers came out of the third annual Workshop on Economics and Information Security. If you're an IEEE Computer Society member you can read the full text. Eric Rescorla's article, "Is Finding Security Holes a Good Idea?", provides a statistical analysis of a point I have long held: that disclosure of holes is the prime driver for exploits, and that holding off on disclosure (which also means holding off on the fix) can in many cases reduce costs and improve security. That may be counter-intuitive, but read Rescorla's paper and judge it for yourself.
S&P: Economics of Information Security
DRM is one of those fascinating areas where we really haven't explored the implications of our decisions. I have seen a lot of complaints about Napster's requiring you to be a member of their service in order to continue to listen to music that you downloaded under their subscription. So, your license is somewhat transient, even though it feels like you're buying the music.
This working document from the European Union is another great example of that. This working team feels that "digital watermarking" -- the process of putting a unique identifier into a file so that you can track who downloaded it and where it came from -- could somehow be used to obtain personally identifiable information (PII), combine it with music listening habits, and use the resultant info for nefarious marketing purposes.
Quote: "...where information is exchanged over the internet, more and more digital watermarks tags are being used to track users and their preferences - for example, when a music track is purchased online, the purchaser has to enter their account information and unique identifier."
What isn't clear to me is how they think that this will happen, and why the existing laws aren't good enough. Something has to read the tag and then somehow report that info (and anything else it can vacuum up) back to another agency. What is that "something"? Is it a media player? The operating system? Presumably the creator of that software is already covered by the EU's Data Protection Directive. Perhaps it is spyware... but if there is spyware on my PC looking at the metadata within individual files it already has access to a large amount of PII about me.
Sorry, I don't buy it. Yes, the authors are correct in saying that watermarking files is propagating PII, but any chance to read it will happen in a space that already has access to a lot (probably far too much) PII. I really need to worry about more substantive issues, and so should they.
Digital rights management 'could threaten privacy' - silicon.com
Interesting -- According to a UK study, demographics are skewing for home users, with older people buying a larger percentage of home infosec products (AV, etc.) and younger people being the ones that naively assume they're OK. Without the data it's hard to analyze further. I hope that the shift is due to more existing home PC users taking security seriously, as opposed to merely a shift in who is buying PCs.
"It is thought that 40% of those buying home net security programs are retired. For the last three years, that has gone up by an average of 13.2%. But more retired women (53%) were buying security software than retired men."
BBC NEWS | Technology | More women turn to net security
Ouch -- 92 million screen names and email addresses stolen from AOL. The guy netted $28k, and will have to pay $200-400k in restitution. Not exactly a lucrative business, was it?
Once again we see privacy compromised from the inside -- nothing that the individual account holder could have done would have prevented this.
MSNBC - Former AOL employee pleads guilty in spam case
I love how news reporting can subtly (or not so subtly) slant interpretations while professing to still be reporting facts. CNet's reporting of the Microsoft Security Cooperation Program is a great example. When I heard about this program I thought it was great -- a mechanism for getting governments the security info that they need for national security, but with less stringent restrictions than the existing Government Security Program.
Of course, I am probably biased as well...
Microsoft to confide security woes to governments | CNET News.com