thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, December 23, 2006

Speaking at the CCC Congress in Berlin

I will be at the upcoming Chaos Communication Congress, the largest hacker convention in Europe. I am happy that they accepted both presentations I had submitted. They are both on the first day (Dec 27th):
I'll try to make the slides available right afterwards, and the videos will be on the congress server later. They also plan to live stream everything, but demand is high.

We also have a meeting of the German Working Group against Data Retention, 28th Dec, 15:00, hall 4.

Monday, December 18, 2006

Terror Forecast on TV

Funny to-the-point parody of the terrorism alert warnings by the Department of Homeland Security. We need more people to laugh about all this fear, uncertainty and doubt (FUD).

(via Bruce Schneier, who also just blogged about a scary example of "When Computer-Based Profiling Goes Bad")

Tuesday, December 05, 2006

First Monday special issue on "Identity and Identification"

Some of the papers presented at a symposium on "Identity and Identification in a Networked World" that was held at New York University in September have now been published in a special issue of "First Monday". They look at online identities from different social science perspectives:
Update: Michael Zimmer, one of the organizers, has all the abstracts in his blog.

Monday, December 04, 2006

The Global Governance of Privacy and Identity

International organizations, originally created by states to coordinate their policies in specific fields, are starting to become more aware of identity management developments. At the same time, these organizations are more and more collaborating with non-state actors like business and public interest groups. A short list:
  • The ITU has just released its new report "digital.life", covering a wide array of issues related to digital lifestyle. Chapter four is titled "identity.digital", and it contains a thoughtful
    discussion of digital ID management issues and developments. The conclusion says:
    "legal and policy considerations require further harmonization at the global level. (...) In order to ensure the global impact of such a system, dialogue at the international level seems indispensable."
  • The EU has been funding several research projects in this context, like PRIME, FIDIS, RAPID, and GUIDE, the latter dealing with user-ids in e-government contexts.
  • The OECD has announced that it will look closer into digital ID management in 2007, building upon its earlier work on digital signatures and authentication as well as online ID-theft.
  • The OECD-APEC workshop in Seoul in September 2005 already had a session on "Comparing legislative and policy approaches to identity management and to security of information systems and networks".
  • The recent UN Internet Governance Forum saw the launch of a Dynamic Coalition on Privacy, which is planning to come up with recommendations in this field, among other things.
  • There is also some interest developing in the private sector for global public policy harmonization. See e.g. Microsoft's Jerry Fishenden who suggested a "UN Charter for Digital Identity".
Technology governs, as we have learned from the early sociologists of technology as well as from Lawrence Lessig and others elaborating this for cyberspace. It is good to see that the global governance of digital identity is no longer left to the technologists and private vendors alone, and that bodies charged with protecting the public interest and constitutional principles like privacy are getting more involved in this.

Sunday, December 03, 2006

The Politics of "Identity Governance"

Oracle has announced the "Identity Governance Framework", a set of draft standards for sharing and controlling personally identifiable information across different systems and applications. It is a back-end complement to data input and authentication front-ends like Microsoft's Infocards/CardSpace, the Liberty Alliance's Identity and Web Services Federation (ID-WSF), Eclipse.org's Higgins Trust Framework, OASIS' Service Provisioning Markup Language (SPML) and Security Assurance Markup Language (SAML), or older standards for transmitting user data in web connections like the W3C's Platform for Privacy Preferences Protocol (P3P). While the latter provide a unified platform for collecting and transmitting identifiable data to a web service provider, back-end systems are needed to ensure that the data is not flowing freely once the user has given it away and it has entered the corporate data warehouse. Similar approaches are the Enterprise Privacy Authorization Language (EPAL) or IBM's approach to have a "sticky" privacy policy that is attached to the user data and moves with it. Similar ideas that are more privacy-friendly and even minimize the collection and transmission of personal data in the first place are currently being developed in the EU-funded PRIME project.

Oracle has taken an application-centered perspective here, consistent with its general strategy for application-centered identity management. From the press release:
The IGF provides a standard mechanism for organizations to establish "contracts" between their applications and sources of identity data.
As a political scientist, I was surprised by the use of the word "governance" in this context (and because the abbreviation IGF is also used for the new UN Internet Governance Forum in which I am involved). But Oracle is right with the wording: Like all governance processes and frameworks, there are many options and decisions to be made, and that is where politics comes into play. You can exemplify this on several levels. Let me just take the Identity Governance Framework as an example:

Discourse

In the good old days, the social value to be safeguarded was called "privacy". Then came computers, and the ugly word "data protection" took over. The semantic move was subtile, but worked to some extent: It was about protecting the data (i.e. the computers on which they reside), not the privacy of the persons the data was about. After the rise of the Internet, it started to be called "privacy and identity management". The idea of protecting data or persons got lost and replaced by "management". Instead, "identity" was introduced, which also includes an idea of control: The users have to authenticate themselves. Nowadays, it is mostly called just "identity management", and the idea of privacy has to be re-introduced as a kind of add-on, like in the "privacy-embedded laws of identity".

So, it sounds like the discourse of identity has won over the discourse on privacy. By introducing the term "governance", Oracle makes it clearer again that it is not just a corporate process, as "identity management" sounds like, but includes externally set values and goals.

An interesting development. It is still unclear to me how "privacy" could systematically be inserted into this on the semantic level, as it would be one of many theoretically possible goals of the governance of identity. On the other hand, "governance" here just means enforcement of data-usage policies inside the corporation. In political science, "governance" has a far wider meaning, including public laws, private-public partnerships, standards, private contracts, education, publicity and so on. The Identity Governance Framework in this perspective is just enabling the operational implementation of values set in the larger network of institutions that deal with the governance of personal information - privacy governance, that is.

Of course, reality is much more complex, and there are always competing discourses, side-branches and so on. But this big picture with little complexity should do for the moment, if we look at the private sector perspective on it. I also did not attempt a Foucault-inspired discourse analysis, which would much more focus on the governmentality of the modern buraucracy that rose and developed together with the practices and laws of identity management from the 15th century on. (My former colleague Christoph Engemann is currently finishing a book about the latter, and I am looking forward to getting it as soon as possible.)

Law

The background for Oracle's move was the growing pressure by governments and the EU on corporations to limit access to data and its flow across enterprise units and to partners. Oracle refers to this in their press release:
Organizations today are struggling to balance the need to meet regulatory mandates and secure personal information while maintaining streamlined business processes. (...) With the IGF, organizations can more easily determine and control how identity information - including Personally Identifiable Information, access entitlements and personal attributes - is used, stored, and propagated across diverse systems, helping ensure the information is easily auditable and not abused, compromised or misplaced.
Some people tend to praise the recent moves by large IT companies to better protect the privacy of customer and user data. But they largely build the technical infrastructures that implement these protections. The original incentive for this is external, and it is coming from public institutions and laws: The EU privacy directives, the Safe Harbor agreement, US auditing regulations like Sarbanes-Oxley, and others. This reminds us that over the excitement about new technological approaches towards privacy and identity protection, we should not forget the enduring importance of public policy - and in the end, the state and its regulatory agencies.

Institutions

There are many options for how to make a set of technological definitions a standard. It can be mandated by the state (hierarchical governance), it can be selected at the marketplace (decentralized governance), or it can be defined by a committee like the W3C or the IETF (horizontal governance). Sometimes we find hybrid forms, e.g. when two or more committees compete at the market. Identity management is currently a living laboratory for these hybrid forms. The Identity Governance Framework was developed by Oracle in their attempt to integrate identity management products they had acquired from other companies. The first drafts will be further developed now with Sun, Novell, CA, Ping Identity, Layer 7, and Securent. Sun is the most interesting player here, because it has been the main driver behind the Liberty Alliance that developed an open identity federation standard (as a reaction to Microsoft's centralized Passport project). So we have a club or an alliance that is competing with other players.

As the next step, Oracle plans to submit the IGF drafts to a standards body. Which one will this be? Sun of course is pushing towards the Liberty Alliance. Other options may be OASIS, Eclipse.org, or the W3C. Oracle is also pressing for speed, as they made clear:
Our goal is to take this into a standards organization as quickly as possible to get the (intellectual property) stuff figured out, and not sit around and waste a lot of time and energy.
This focus on speed is understandable, because the Identity Governance Framework has to catch up with older developments like EPAL or IBM's sticky policy. But it could backfire. Important players like IBM, Microsoft or SAP are not on board yet, and they will be needed if this is to become a widely-used standard. If the IGF alliance moves too fast, its standard will only be applied in a part of the general market for enterprise-wide identity management. Inclusiveness and speed are conflicting goals here, as can be learned from the general theory of standardization processes and their institutional design. Speed can only be useful if you are the first mover and have enough market power. The choice of the standards body to which the final IGF drafts will be submitted will have an impact on how widely the technology is accepted as well as on the speed at wich it is agreed upon.

Maybe Oracle is just trying to secure its market share and aiming at a fragmented market, with the Identity Governance Framework driven by Oracle, Novell and Sun getting one part, IBM with its Tivoli Privacy Manager another one, and SAP with its own technologies as the third major one. I'd love to know where Microsoft fits into the picture here.