Ping Identity has new WS-Federation toolkit for Apache

Posted on Tuesday 20 December 2005

Ping Identity has announced a new download: a SourceID toolkit providing WS-Federation support for Single Sign-On to Apache 2.0 applications. Ping says:

The new Apache Toolkit extends Active
Directory Federation Server (ADFS) to enable WS-Federation single
sign-on to Apache Web applications written in Java, Perl and PHP.

The SourceID WS-Federation for Apache 2.0 Toolkit “stands guard” over
protected Apache applications, granting access to users with proper
identity credentials. When an unauthenticated user attempts to access
one of these resources, it initiates the WS-Federation Passive Profile
with Microsoft Windows Server 2003/ADFS to provide SSO access to the
target application.

In addition to this new free toolkit, Ping has also announced that an
upcoming version of PingFederate will also include enhanced support for
WS-Federation in addition to SAML 2.0 in Q2 2006. PingFederate will
provide the ability for a single PingFederate server to connect with
multiple partners running ADFS or SAML 2.0.

PingFederate's extended features include local identity and attribute
mapping, use case-driven configuration, out-of-the-box integration and
an enterprise deployment architecture that extends WS-Federation to
support all non-Microsoft environments.

Download the toolkit for Apache here.

Administrator @ 7:02 pm
Filed under: Uncategorized

Important new British report

Posted on Monday 19 December 2005

Caspar Bowden, a British friend and Microsoft colleague with deep knowledge of privacy matters, has alerted me to the publication of a major new report by “the UK government's top-level advisory body on science and technology policy issues”.

The quotes below are selective, and the paper overall is about setting out a strong case for greatly expanded data sharing. It actually has very wide ranging implications and recommendations, and merits a full read.

Technological research needs

5. Government should promote research into knowledge technologies that facilitate the benefits of linking personal datasets. A key focus here is research on privacy-enhancing technologies. Government should work closely with business experts from the private sector (such as the banks) in identifying future needs regarding privacy-enhancing technology. In addition, government should:

initiate a technology road-mapping exercise to identify what technologies will be available when, and plot these against relevant socio-economic and other drivers; stimulate more interdisciplinary R&D involving computer scientists, engineers and social scientists - in techniques for anonymising and pseudonymising data, encryption, and anti-virus devices; encourage private sector organisations which are involved in privacy to share R&D ideas on security modelling; develop more explicit and proportional confidentiality requirements in its procurement specifications; promote greater trust through encouraging greater levels of investment by business into IT security.

42. Privacy concerns are fuelled in part by the power of technology - in particular the power of data-combing services on the internet and how instantaneous the processes are - and the ease with which personal data held on a private database can be combined with publicly available datasets. The use of the electoral register as an effective marketing tool is one clear example.

43. Privacy enhancing technologies enable users of information technology to interact with each other and with service providers, revealing only the minimum of identifiable information necessary to perform particular transactions. They may also serve to inhibit or prevent unlawful data processing. The design of privacy enhancing technologies depends on the extent of the cooperation, and goodwill, of the different participants: some assume that service providers can be trusted to respect the rights and preferences of users; other scenarios assume a very hostile environment where an adversary may exploit all available means to breach privacy.

44. We believe that government, as a major user of personal data, should make clear what privacy enhancing technologies it is likely to need in the future so that business can work with government to develop such technologies. Government should work closely with business experts from the private sector (such as the banks) in identifying needs. We also believe that government needs to develop more explicit and proportional confidentiality requirements in its procurement specifications.

66. We believe there is a need for some creative thinking here which develops the concept of citizens owning their own data, which would enable them to be able to exercise some control over how and when their data was used as well as putting more emphasis on individual citizens to ensure their personal data was up-to-date. While accepting there are circumstances where government must retain the right to use individual citizens’ data, and that government has a role in preventing malicious exploitation, the basic concept would be that citizens themselves would own their personal data. Ownership would mean, as a minimum: that individual citizens would have the right to know what government and agencies hold on them, with certain explicit exceptions; that there would be a shared responsibility between individual citizens and government to maintain the accuracy of the personal data; and citizens would have the right to know the ways in which government uses personal data. This concept needs to be explored further; at present it appears to be too remote from people’s own experiences for them to engage with it. It will mean addressing a range of issues, including whether individual citizens have the necessary skills to ensure their information remains accurate and protected.

I'm just scratching the surface with these quotes - there's a lot more for me to read and think about.

Administrator @ 3:33 am
Filed under: Uncategorized

Panel on federation and communities

Posted on Monday 19 December 2005

James McGovern, who writes a blog on Enterprise Architecture, is working with Phil Becker to put together a panel on federated identity and community for the upcoming Digital ID World (yup, it's coming…): 

I had a conversation last week with Phil Becker regarding putting together a panel for an upcoming conference Digital ID World and landed on a couple of thoughts around the practice of community formation. Figured I would use the opportunity to get feedback from the blogosphere to see if my idea for a session has merit…

We all understand that the idea of community is important, but we just don't have time to get involved in yet another meeting. If you view the development of a community like a project this will always be a problem. The project mindset which tends to be the default mandates the need for clear objectives, a defined time-line and a set of tasks based on the notion of best practices (we all should know that no such thing exists)

The Enterprise architecture view ideally has a different mindset than the project mindset and the notion of communities external to the enterprise breaking insular thinking. In fact, it is mandatory that this happen in order to get federated identity correct on the first shot. The biggest problem is that this is typically done through a variety of channels. For example, an enterprise can join a variety of consortiums ranging from the Liberty Alliance to the Object Management Group or even pursue local interests such as CT Object Oriented Users Group. The main problem is that community formation for an enterprise shouldn't really depend on making the case to open one's wallet.

I would say that the same notion of community formation and traditional insular thinking of large enterprises also prevent it from truly realizing benefits offered by the open source community but that will be a topic of a future blog entry. The marketplace and the conference attendees need to hear a story other than thinly veiled sales presentations. They need to hear the perspectives of other enterprises. Until the voice of the enterprise is heard in an unmoderated manner, federated identity will never emerge in any meaningful way.

In a previous blog entry, I talked about the notion of community formation and how it occurs within a particular industry vertical. Great examples are the folks that pulled off Securities.Hub. So far the discussion in federations has been centered around vendors telling stories about interoperability and other remotely interesting technical topics. Not a single industry analyst though has figured out there is an opportunity to research best practices and create reports around them. I wonder if Jamie Lewis of the Burton Group could get one of his analysts on it.

Anyway, one of the things that I am thinking about is a panel that is primarily made up of end-users (hint: no vendors allowed) from Fortune 500 enterprises. Was thinking though that I will need to make two or maybe three exceptions to the no vendors rule. First, no panel would be complete without including Kim Cameron of Microsoft. Also will be enlisting the services of Jeff Margolies of Accenture who can provide a somewhat insider's view to the thinking inside corporate America. Would love to line up someone from Merrill Lynch and Boeing but haven't yet figured out who to contact.

Was thinking about asking Jon Udell if he would also serve as a member of the panel. Have to figure out which industry analyst covers federated identity the deepest and invite him/her but not sure who this would be? If you happen to have thoughts on how I can make this session strong, please do not hesitate to leave me a comment. Thanks in advance.

It's interesting that James sees DIDW attendees from the Fortune 500 as end users…  They certainly have a different perspective than vendors or consultants, but they also have their own customers, so “end users” doesn't really seem like the operative word…  

But I pick nits, and the right word eludes me too.  James' main point is a great one:  it will be very interesting to find out whether people see themselves using identity to build and empower communities in enterprise settings, and if so, how.

Administrator @ 3:21 am
Filed under: Uncategorized