Microsoft Privacy & Safety : Identity

Identity Roadmap Presentation at PDC09

Microsoft Privacy Team — Tue, 24 Nov 2009 19:21:00 GMT

Kim Cameron, the Chief Architect of Identity in the Identity and Security Division at Microsoft writes on his Identity Blog: Earlier this week I presented the Identity Keynote at the Microsoft Professional Developers Conference (PDC) in LA. The slide...(read more)

Microsoft: minimum disclosure about minimum disclosure?

Microsoft Privacy Team — Wed, 02 Sep 2009 00:38:00 GMT

Microsoft's Kim Cameron on his Identity Blog: Back from vacation and catching up on some blogs I found this piece by Felix Gaehtgens at Kuppinger Cole in Germany: A good year ago, Microsoft acquired an innovative company called U-Prove. That company,...(read more)

Windows Live ID OpenID Status Update

Microsoft Privacy Team — Fri, 28 Aug 2009 02:16:00 GMT

Here's an update from the Windows Live Group on integrating Windows Live ID with OpenID from the Windows Live blog: Many people have asked recently about the status of the Windows Live® ID community technology preview (CTP) OpenID endpoints, so here is...(read more)

Introducing the ID Element

Microsoft Privacy Team — Tue, 11 Aug 2009 01:49:00 GMT

Check out the newest resource on Microsoft's Channel 9, The Id Element : Welcome to The Id Element , your one-stop shop for all things identity on Channel9! In this page you will find all kinds of material on Identity and Access Control : weekly interviews...(read more)

Kim Cameron's Proposal for a Common Identity Framework

Microsoft Privacy Team — Tue, 09 Jun 2009 01:28:00 GMT

From Kim Cameron's blog : Today I am posting a new paper called, Proposal for a Common Identity Framework: A User-Centric Identity Metasystem . Good news: it doesn’t propose a new protocol! Instead, it attempts to crisply articulate the requirements in...(read more)

Information Cards in Industry Verticals

Microsoft Privacy Team — Thu, 04 Jun 2009 18:11:00 GMT

Kim Cameron,Chief Architect of Identity at Microsoft, writes on his Identity Blog : The recent European Identity Conference , hosted in Munich by the analyst firm Kuppinger Cole , had great content inspiring an ongoing stream of interesting conversations....(read more)

Privacy & Identity Theft Conference

Microsoft Privacy Team — Tue, 23 Dec 2008 23:45:00 GMT

I recently delivered a keynote address at the Privacy & Identity Theft Conference in Vancouver, Canada. My keynote was entitled, "The Big Picture: Defining and Redefining Identity Fraud." Below is the major portion of my keynote, along with the relevant...(read more)

Kim Cameron on Information Cards as a solution to site redirection

Microsoft Privacy Team — Mon, 27 Oct 2008 21:25:00 GMT

Kim Cameron, Chief Architect of Identity in the Connected Systems Division at Microsoft has an interesting post up about at his Laws of Identity blog on the vulnerability of passwords to "site redirection", a problem that Information Cards don't have:

The UK's Register has been running a a series of articles by John Leyden  (here, here and here) about Verified By Visa. (VByV)  Verified By Visa uses the same kind of "site redirection" I've written about many times with respect to OpenID and other password-based federation technologies - but in this case it is a banking password that can be stolen.

The phishing scenario is simple enough. If you happen onto an "evil" site and are tricked into purchasing something, it can "misdirect" your browser to a counterfeit VByV signon page. As John explains, you have little chance, as a user, of knowing you are being duped, but once you enter your password it is available to the evil site for both instant use an future reuse. Those familiar with this site will understand that this is yet another example of an attack that cannot be made against Information Card users.

Beyond focusing attention on the phishing problems inherent in "site redirection" approaches, John argues that the system - though claiming to be more secure - is actually just as vulnerable as non-VByV mechanisms.  He then argues - and I have know knowledge as to whether this is the case - that the false claims about increased security are being used to reject complaints by end-users about irregularities and fraudulent purchases made in their name. If that were true, it would be scandalous.

Friends, this is a case of "The Writing on the Wall". I think people in the industry should see John's work as a sign of what's to come. He is the guy in the fable who is shouting out that "the Emperor has no clothes!"  And he's doing it cogently to the wide readership of the Register.

If I were an advisor to the emperor at this point I would insist on two things:

1.      admit the vulnerability of all systems based on "site redirection"; and

2.      start getting into phishing-resistant technologies like Information Cards while one's modesty can still be protected.

There's more...

Digital Playgrounds presentation at the Berkman Center

Microsoft Privacy Team — Mon, 29 Sep 2008 21:01:00 GMT

Last week I presented the concepts from Microsoft's paper, "Digital Playgrounds: Creating Safer Online Environments for Children," at the Internet Safety Technical Task Force (ISTTF) Open Meeting at the Berkman Center for Internet & Society in Cambridge, Mass.

The Digital Playgrounds paper outlines a framework that would enable the creation of optional online "walled gardens," specifically for children and trusted adults. These online sites would only be accessible by folks with trusted and age verified ‘digital identities.' This framework suggests achieving this by allowing trusted offline parties, who have the ability to meet with a parent and child in real life, examine the appropriate documents and then issue extremely secure digital identities based on these in in-person proofing moments. The framework we have outlined is largely a technical solution to the age verification challenge, but we believe that the nontechnical aspects of the problem will be as difficult to solve as the technical ones, if not more so. For example, government and industry will need to work together on designing the necessary criteria for in-person proofing events as well as the subsequent issuing, auditing and revoking of these digital identity cards.

My presentation was but one of a number of presentations over the day and half long meeting. Facebook, MySpace, VeriSign, and large number of other companies provided interesting solutions of their own to similar and related online safety challenges.

You can read our whole paper here: Digital Playgrounds: Creating Safer Online Environments for Children

The rest of the presentations are posted here.

--Jules Cohen

Identity Crisis? What Crisis?

Microsoft Privacy Team — Tue, 12 Jun 2007 21:44:00 GMT

Jerry Fishenden, National Technology Officer for the UK, here ...

If you think the current problems of online safety and Internet e-crime (or cybercrime if you prefer) appear challenging, what on earth is going to happen when the Internet pervades every aspect of our daily lives?

As the Internet beings to power and monitor health and energy saving devices in our homes, enabling us to live richer, fuller lives in our own communities, will problems of cybercrime and threats to identity, security and privacy scale at the same rate: and thwart our aspirations to use technology to improve society? Will we finally reach Internet meltdown?

Right now, it’s all too likely the answer would be – “Yes.” If we don’t get the foundations right – and address some of the most fundamental issues that currently plague Internet safety – anything else we might construct on top of its inadequate infrastructure is unlikely to be sustainable.

But the Internet is not some autonomous, sentient, self-evolving life form – even if at times it might feel that way. It’s a by-product of decisions technologists took in the past, are taking now and will take in the future. So the problems we see today are fallout from failures in design – failures in technology design and in human-computer interaction design. And cyber-crooks are of course always amongst the quickest to exploit such flaws. After all, the digital world is no different to the real one – and that includes the preponderance of criminal activities based on exploiting weaknesses in both systems and people.

One of the most obvious contributory causes to our existing Internet problems is the lack of an identity layer. I can’t prove it’s me when I’m online – and I can’t prove to a reasonable level of satisfaction whether the person or thing I’m communicating or transacting with online is who or what they claim to be. Which really isn’t a good place to be. Unless you’re a cyber-crook, in which case, hey, this is great news and highly lucrative with it since it makes online attacks such as phishing and spam email possible.

If we’re serious about realising the Internet’s true potential we need to act now to fix the identity issues we’re seeing. These issues need to be resolved before we can seriously contemplate letting the Internet move into far more important areas – such as technology-assisted healthcare at home and the whole idea of assisted-living. After all, how are we going to do that if none of the devices can be certain who or what they’re communicating with? In front of us lies a vision where everything and everyone is linked and joined through an all pervading system. Billions of devices and communications happening every second, a complex mesh of systems communicating within and between each other in real time.

Now try to convince me you can build that – and trust it – without first fixing the problem of identity.

Which raises the question: identity, what is it anyway? For the sake of the point I’m making here, identity is about people - and "things": the physical fabric of the Internet and everything in (on) it. And ultimately it’s about safeguarding our security and privacy.

If we're to avoid exponential growth of the issues that plague the current relatively simple Internet as we enter the pervasive, complex, grid age, what principles do we adhere to? How can we have a secure, trusted, privacy-aware Internet that will be able to fulfil its potential – and have our trust too?

The good news is that these problems are being addressed: have you heard of the "laws of identity"? The “laws” are a set of design principles evolved over the last few years by some of the most respected authorities on identity using the crucible of the blogosphere. Kim Cameron (father of meta-directories and now Chief Identity Architect at Microsoft) has gathered together these lessons into a set of powerful guidelines. They help ensure that digital systems exhibit better behaviours than today - particularly around digital identity and ensuring security and privacy. They encompass everything learned about the good and the bad of digital identity systems. Lessons learned the hard way over the last 30 years or so of real world experiences. And these “laws” are already beginning to gain recognition: the Information and Privacy Commissioner of Ontario for example has issued an independent public endorsement (see http://www.ipc.on.ca/docs/7laws-whitepaper.pdf).

Without the application of underlying principles such as these "laws of identity" the future Internet will suffer entropy, massive breaches of security and privacy – and probably make the scale of today’s cybercrimes look like a golden era of online law and order by comparison. But with the “laws”, we may finally be able to realise the truly transformational benefits of the Internet.

Digital identity - of people and "things" - is a fundamental requirement of the coming pervasive Internet age. Equally clearly, we need consensus on the identity framework required before we go much further. So go and read the “laws” and see what you think: you can find them online at http://www.identityblog.com/?page_id=354.

And then let’s get moving on fixing these issues – before the whole idea of the benefits of the next generation of Internet developments gets a bad name and our dreams end up as just that: dreams, rather than a reality.

- Jerry’s personal blog can be found at http://ntouk.com