This is a strongly held belief but I absolutely agree that others will have different views and that there is a huge majority who are happy to be 'managed'. What I want is to provide alternatives and choice for those who are concerned about privacy. Government will always look for a 'one size fits all' solution which will please nobody. Graham Sadd Chairman & CEO Trusted Relationship Management T: +44 (0) 1628 510777 M: +44 (0) 7958 056171 E:   graham.sadd@paoga.com W: www.paoga.com B: blog.grahamsadd.com -----Original Message----- From: Tony Rutkowski [mailto:trutkowski@netmagic.com] Sent: 12 January 2011 15:50 To: Graham Sadd Cc: Frank Wray; Drummond Reed; Mary Ruddy; Walsh, Alan J; Rob Marano; community@lists.idcommons.net; community@kantarainitiative.org Subject: Re: [community] an interesting question On 1/12/2011 10:23 AM, Graham Sadd wrote:

An interesting and ongoing debate but I maintain that ‘I’ am the ONLY entity who owns my identity and it changes and morphs as I grow and continually add experiences.

This is obviously a personal strongly held belief. Do you admit that others may have different views and constructs of identity and accommodate them in some fashion? Or is your belief absolute and unyeilding? --tony ps. I lived for some years in Switzerland - which has a long record of strong support for human rights. However, there is a dimension of one's identity that is maintained by commune, canton, and federal levels and accepted as highly desirable - for example for public safety purposes.   Notice/Disclaimer   Internet communications are not secure and the company (PAOGA Limited) does not accept legal liability for the integrity of the contents of this message. This email is confidential and the contents may not be disclosed or used by anyone other than the intended recipient. If you are not the intended recipient and receive this email, please immediately contact the sender at the above location.   Whilst PAOGA Limited attempts to sweep email and attachments for viri and other malware. It does not guarantee that either virus or malware-free and PAOGA Limited accepts no liability for any damage sustained as a result of viral or other similar infections. Anyone who communicates with us by email is taken to accept these risks.   PAOGA Limited. Registered Office in UK No: 4572417, Registered Office: Moor Place, Moorlands Drive, Pinkneys Green, Maidenhead, Berkshire. SL6 6QS

Trust requires a 2-way interaction and there are considerable benefits to organisations, public and private, from sharing the load of Personal Information Management with the subject. Given that appropriate authentication and Verification procedures are followed then there are mutual advantages in a record being accurate and up-to-date, reduced costs and automatic legal compliance among them. Graham Sadd Chairman & CEO Trusted Relationship Management T: +44 (0) 1628 510777 M: +44 (0) 7958 056171 E: graham.sadd@paoga.com W: www.paoga.com B: blog.grahamsadd.com <http://blog.grahamsadd.com/> From: Ben Laurie [mailto:benl@google.com] Sent: 12 January 2011 15:58 To: Graham Sadd Cc: Frank Wray; trutkowski@netmagic.com; Drummond Reed; Mary Ruddy; Walsh, Alan J; Rob Marano; community@lists.idcommons.net; community@kantarainitiative.org Subject: Re: [community] an interesting question On 12 January 2011 15:35, Graham Sadd <graham.sadd@paoga.com> wrote: What I don't want is any organisation, public or private, passing it on without my knowledge or consent. In order to achieve this you have to make DRM work - and persuade everyone you interact with to use the hardware required for DRM. Both seem to be impossible.   Notice/Disclaimer   Internet communications are not secure and the company (PAOGA Limited) does not accept legal liability for the integrity of the contents of this message. This email is confidential and the contents may not be disclosed or used by anyone other than the intended recipient. If you are not the intended recipient and receive this email, please immediately contact the sender at the above location.   Whilst PAOGA Limited attempts to sweep email and attachments for viri and other malware. It does not guarantee that either virus or malware-free and PAOGA Limited accepts no liability for any damage sustained as a result of viral or other similar infections. Anyone who communicates with us by email is taken to accept these risks.   PAOGA Limited. Registered Office in UK No: 4572417, Registered Office: Moor Place, Moorlands Drive, Pinkneys Green, Maidenhead, Berkshire. SL6 6QS

I agree you cannot prevent it as in a 100% guarantee, but privacy aware technical design and the use of pseudonymity can make it darn hard and potentially not worth the effort .... vs. legal interception for example... But that's a different realm - law enforcement. It's not user centric identity management. you design so these two cannot intersect. Cheers Colin From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Ben Laurie Sent: Thursday, 13 January 2011 6:01 a.m. To: Graham Sadd Cc: community@kantarainitiative.org; Frank Wray; community@lists.idcommons.net; trutkowski@netmagic.com; Rob Marano Subject: Re: [Kantara - Community] [community] an interesting question On 12 January 2011 16:49, Graham Sadd <graham.sadd@paoga.com<mailto:graham.sadd@paoga.com>> wrote: Trust requires a 2-way interaction and there are considerable benefits to organisations, public and private, from sharing the load of Personal Information Management with the subject. Given that appropriate authentication and Verification procedures are followed then there are mutual advantages in a record being accurate and up-to-date, reduced costs and automatic legal compliance among them. I do not dispute this, but you should not ask for the impossible: "What I don't want is any organisation, public or private, passing it on without my knowledge or consent.". You cannot prevent this. You can penalise people who do, but you can't prevent it. Graham Sadd Chairman & CEO [?ui=2&ik=8aa53227cb&view=att&th=12d7b222cd9fe477&attid=0.1&disp=emb&zw] Trusted Relationship Management T: +44 (0) 1628 510777<tel:+441628510777> M: +44 (0) 7958 056171<tel:+447958056171> E: graham.sadd@paoga.com<mailto:graham.sadd@paoga.com> W: www.paoga.com<http://www.paoga.com> B: blog.grahamsadd.com<http://blog.grahamsadd.com/> From: Ben Laurie [mailto:benl@google.com<mailto:benl@google.com>] Sent: 12 January 2011 15:58 To: Graham Sadd Cc: Frank Wray; trutkowski@netmagic.com<mailto:trutkowski@netmagic.com>; Drummond Reed; Mary Ruddy; Walsh, Alan J; Rob Marano; community@lists.idcommons.net<mailto:community@lists.idcommons.net>; community@kantarainitiative.org<mailto:community@kantarainitiative.org> Subject: Re: [community] an interesting question On 12 January 2011 15:35, Graham Sadd <graham.sadd@paoga.com<mailto:graham.sadd@paoga.com>> wrote: What I don't want is any organisation, public or private, passing it on without my knowledge or consent. In order to achieve this you have to make DRM work - and persuade everyone you interact with to use the hardware required for DRM. Both seem to be impossible. Notice/Disclaimer Internet communications are not secure and the company (PAOGA Limited) does not accept legal liability for the integrity of the contents of this message. This email is confidential and the contents may not be disclosed or used by anyone other than the intended recipient. If you are not the intended recipient and receive this email, please immediately contact the sender at the above location. Whilst PAOGA Limited attempts to sweep email and attachments for viri and other malware. It does not guarantee that either virus or malware-free and PAOGA Limited accepts no liability for any damage sustained as a result of viral or other similar infections. Anyone who communicates with us by email is taken to accept these risks. PAOGA Limited. Registered Office in UK No: 4572417, Registered Office: Moor Place, Moorlands Drive, Pinkneys Green, Maidenhead, Berkshire. SL6 6QS ==== CAUTION: This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you. ====

Robin, Excellent. You've captured important parts of the essence of the situation. One way to think about watermarking your, for ex. email address: you will provide a different email address (or a different 'handle' or 'identifier') to each merchant. This abstraction mechanism will permit the audit of leaks, because the handles that refer to your real email address will each function just as the real email address would, but will permit auditability and the ability to track leaks to their source. Other pieces of the puzzle include authentication and non-repudiation of each side of each transaction, in parallel with privacy and auditability. Authentication should not compromise privacy. Non-repudiation assists with audits. regards, rich On 15/1/11 6:48 AM, Robin Wilton wrote:

Generallly this is what I and some others have been describing as the problem of "Privacy Beyond First Disclosure"... That is:

- One way to express it is to say that privacy is not the same as secrecy... I can achieve secrecy by keeping everything to myself - [viz. "There's no such thing as a shared secret".... ;^)] but privacy is actually about how I retain control over data which I disclose.

- At one level, as Bob Blakley put it, you cannot control the narrative which others construct about you. To that extent you have to accept that total privacy cannot co-exist with social interaction. Even a hermit can't stop other people gossiping about him.

- If you try to retain control over disclosed data by technical means alone, then as Ben said below, it implies a working and ubiquitous DRM infrastructure - which is neither technically realistic nor (probably) socially desirable. The opportunities such an infrastructure would create for abuse might well outweigh the potential privacy-related benefit.

- Realistically, a privacy architecture would have to consist, then, of a combination of technical and non-technical measures... In other words, part of your privacy protection will come from factors such as contractual provisions and legal recourse.

- I think that for those factors to work, the technology layer has to do a better job of providing an audit trail which is transparent to the right stakeholders, and which introduces a real possibility of accountability.

- I suspect that something DRM-like has a role to play in that architecture, if only in the form of something analogous to watermarking. In other words, if I give my address to two online merchants and one of them passes it on, against my will, to a third party, I really neeed to be able to tell which is the leaky merchant.

Hope this helps -

Robin On Thu, 13 Jan 2011 12:12 +1300, "Colin Wallis" <Colin.Wallis@dia.govt.nz> wrote:

...

I agree you cannot prevent it as in a 100% guarantee, but privacy aware technical design and the use of pseudonymity can make it darn hard and potentially not worth the effort …. vs. legal interception for example…

But that's a different realm - law enforcement. It's not user centric identity management. you design so these two cannot intersect.

Cheers

Colin

From:community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Ben Laurie Sent: Thursday, 13 January 2011 6:01 a.m. To: Graham Sadd Cc: community@kantarainitiative.org; Frank Wray; community@lists.idcommons.net; trutkowski@netmagic.com; Rob Marano Subject: Re: [Kantara - Community] [community] an interesting question

On 12 January 2011 16:49, Graham Sadd <graham.sadd@paoga.com <mailto:graham.sadd@paoga.com>> wrote:

Trust requires a 2-way interaction and there are considerable benefits to organisations, public and private, from sharing the load of Personal Information Management with the subject. Given that appropriate authentication and Verification procedures are followed then there are mutual advantages in a record being accurate and up-to-date, reduced costs and automatic legal compliance among them.

I do not dispute this, but you should not ask for the impossible: "What I don’t want is any organisation, public or private, passing it on without my knowledge or consent.". You cannot prevent this. You can penalise people who do, but you can't prevent it.

Graham Sadd

Chairman & CEO

paoga document header

Trusted Relationship Management

T:+44 (0) 1628 510777 <tel:+441628510777>

M:+44 (0) 7958 056171 <tel:+447958056171>

E: graham.sadd@paoga.com <mailto:graham.sadd@paoga.com>

W:www.paoga.com <http://www.paoga.com>

B:_blog.grahamsadd.com <http://blog.grahamsadd.com/>_

From:Ben Laurie [mailto:benl@google.com <mailto:benl@google.com>] Sent: 12 January 2011 15:58 To: Graham Sadd Cc: Frank Wray; trutkowski@netmagic.com <mailto:trutkowski@netmagic.com>; Drummond Reed; Mary Ruddy; Walsh, Alan J; Rob Marano; community@lists.idcommons.net <mailto:community@lists.idcommons.net>; community@kantarainitiative.org <mailto:community@kantarainitiative.org>

Subject: Re: [community] an interesting question

On 12 January 2011 15:35, Graham Sadd <graham.sadd@paoga.com <mailto:graham.sadd@paoga.com>> wrote:

What I don’t want is any organisation, public or private, passing it on without my knowledge or consent.

In order to achieve this you have to make DRM work - and persuade everyone you interact with to use the hardware required for DRM. Both seem to be impossible.

_Notice/Disclaimer_

Internet communications are not secure and the company (PAOGA Limited) does not accept legal liability for the integrity of the contents of this message. This email is confidential and the contents may not be disclosed or used by anyone other than the intended recipient. If you are not the intended recipient and receive this email, please immediately contact the sender at the above location.

Whilst PAOGA Limited attempts to sweep email and attachments for viri and other malware. It does not guarantee that either virus or malware-free and PAOGA Limited accepts no liability for any damage sustained as a result of viral or other similar infections. Anyone who communicates with us by email is taken to accept these risks.

PAOGA Limited. Registered Office in UK No: 4572417, Registered Office: Moor Place, Moorlands Drive, Pinkneys Green, Maidenhead, Berkshire. SL6 6QS

==== CAUTION: This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you. ==== _______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community

Robin Wilton +44 (0)705 005 2931

_______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community

-- regards, rich Richard Fetik, CISSP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 831 531 4072 fetik@data-confidential.com Data Confidential - Intelligent Security for a Digital World

I quote: - Realistically, a privacy architecture would have to consist, then, of a combination of technical and non-technical measures... In other words, part of your privacy protection will come from factors such as contractual provisions and legal recourse. A non-technical measure could also include a user sourced vendor reputation system. Could leverage existing orgs, http://datalossdb.org/, into a technical framework. Analogous to consumer reports for privacy policies. From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Robin Wilton Sent: Saturday, January 15, 2011 6:48 AM To: Colin Wallis; community@kantarainitiative.org Subject: Re: [Kantara - Community] [community] an interesting question Generallly this is what I and some others have been describing as the problem of "Privacy Beyond First Disclosure"... That is: - One way to express it is to say that privacy is not the same as secrecy... I can achieve secrecy by keeping everything to myself - [viz. "There's no such thing as a shared secret".... ;^)] but privacy is actually about how I retain control over data which I disclose. - At one level, as Bob Blakley put it, you cannot control the narrative which others construct about you. To that extent you have to accept that total privacy cannot co-exist with social interaction. Even a hermit can't stop other people gossiping about him. - If you try to retain control over disclosed data by technical means alone, then as Ben said below, it implies a working and ubiquitous DRM infrastructure - which is neither technically realistic nor (probably) socially desirable. The opportunities such an infrastructure would create for abuse might well outweigh the potential privacy-related benefit. - Realistically, a privacy architecture would have to consist, then, of a combination of technical and non-technical measures... In other words, part of your privacy protection will come from factors such as contractual provisions and legal recourse. - I think that for those factors to work, the technology layer has to do a better job of providing an audit trail which is transparent to the right stakeholders, and which introduces a real possibility of accountability. - I suspect that something DRM-like has a role to play in that architecture, if only in the form of something analogous to watermarking. In other words, if I give my address to two online merchants and one of them passes it on, against my will, to a third party, I really neeed to be able to tell which is the leaky merchant. Hope this helps - Robin On Thu, 13 Jan 2011 12:12 +1300, "Colin Wallis" <Colin.Wallis@dia.govt.nz> wrote: I agree you cannot prevent it as in a 100% guarantee, but privacy aware technical design and the use of pseudonymity can make it darn hard and potentially not worth the effort …. vs. legal interception for example… But that's a different realm - law enforcement. It's not user centric identity management. you design so these two cannot intersect. Cheers Colin From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Ben Laurie Sent: Thursday, 13 January 2011 6:01 a.m. To: Graham Sadd Cc: community@kantarainitiative.org; Frank Wray; community@lists.idcommons.net; trutkowski@netmagic.com; Rob Marano Subject: Re: [Kantara - Community] [community] an interesting question On 12 January 2011 16:49, Graham Sadd <graham.sadd@paoga.com<mailto:graham.sadd@paoga.com>> wrote: Trust requires a 2-way interaction and there are considerable benefits to organisations, public and private, from sharing the load of Personal Information Management with the subject. Given that appropriate authentication and Verification procedures are followed then there are mutual advantages in a record being accurate and up-to-date, reduced costs and automatic legal compliance among them. I do not dispute this, but you should not ask for the impossible: "What I don’t want is any organisation, public or private, passing it on without my knowledge or consent.". You cannot prevent this. You can penalise people who do, but you can't prevent it. Graham Sadd Chairman & CEO Error! Filename not specified. Trusted Relationship Management T: +44 (0) 1628 510777<tel:+441628510777> M: +44 (0) 7958 056171<tel:+447958056171> E: graham.sadd@paoga.com<mailto:graham.sadd@paoga.com> W: www.paoga.com<http://www.paoga.com> B: blog.grahamsadd.com<http://blog.grahamsadd.com/> From: Ben Laurie [mailto:benl@google.com<mailto:benl@google.com>] Sent: 12 January 2011 15:58 To: Graham Sadd Cc: Frank Wray; trutkowski@netmagic.com<mailto:trutkowski@netmagic.com>; Drummond Reed; Mary Ruddy; Walsh, Alan J; Rob Marano; community@lists.idcommons.net<mailto:community@lists.idcommons.net>; community@kantarainitiative.org<mailto:community@kantarainitiative.org> Subject: Re: [community] an interesting question On 12 January 2011 15:35, Graham Sadd <graham.sadd@paoga.com<mailto:graham.sadd@paoga.com>> wrote: What I don’t want is any organisation, public or private, passing it on without my knowledge or consent. In order to achieve this you have to make DRM work - and persuade everyone you interact with to use the hardware required for DRM. Both seem to be impossible. Notice/Disclaimer Internet communications are not secure and the company (PAOGA Limited) does not accept legal liability for the integrity of the contents of this message. This email is confidential and the contents may not be disclosed or used by anyone other than the intended recipient. If you are not the intended recipient and receive this email, please immediately contact the sender at the above location. Whilst PAOGA Limited attempts to sweep email and attachments for viri and other malware. It does not guarantee that either virus or malware-free and PAOGA Limited accepts no liability for any damage sustained as a result of viral or other similar infections. Anyone who communicates with us by email is taken to accept these risks. PAOGA Limited. Registered Office in UK No: 4572417, Registered Office: Moor Place, Moorlands Drive, Pinkneys Green, Maidenhead, Berkshire. SL6 6QS ==== CAUTION: This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you. ==== _______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community Robin Wilton +44 (0)705 005 2931 ________________________________ ----Notice Regarding Confidentiality---- This email, including any and all attachments, (this “Email”) is intended only for the party to whom it is addressed and may contain information that is confidential or privileged. Sierra Systems Group Inc. and its affiliates accept no responsibility for any loss or damage suffered by any person resulting from any unauthorized use of or reliance upon this Email. If you are not the intended recipient, you are hereby notified that any dissemination, copying or other use of this Email is prohibited. Please notify us of the error in communication by return email and destroy all copies of this Email. Thank you.

I do not dispute this, but you should not ask for the impossible: "What I don’t want is any organisation, public or private, passing it on without my knowledge or consent.". You cannot prevent this. You can penalise people who do, but you can't prevent it.

I believe that we should ask for the impossible, as it is the only way to know the limits of the possible... I therefore believe that 1) we can prevent the passing of personal data without our (prior) knowledge or consent 2) we should not be able to prevent the passing of personal data without our (prior) knowledge or consent Well, that doesn't seem very consistent, but isn't consistency one of the lowest forms of intelligence... Preventing: in a trust architecture where all data is at one place and one place only, by default, the passing of data being done through pointers to the source and not a through a copy, only trusted parties can access the source through policy enforcement points (PEP). If A trusts B and not C, and if B gives C a pointer to A data, C won't be able to read it. Of course, B can take a screenshot and send it to C but then A can pretend that it is a fake, exclude B from his/her circle of trust. End of story. In such an architecture, it is the right to access the source that gives credibility to the claim. So, even if someone sends unauthorised data, a trust architecture provides the conditions for plausible deniability —or file a legal complain based on the violation of one's personal data policy. Not preventing: there are some claims in relation to personal data control that, if implemented, would be equivalent to *digital lobotomy*, or to *my very personal big brother*. If I send (a pointer to) a personal photo to a friend, and if tomorrow I decide that I don't like this photo anymore and erase it from my computer, I have no right to force my friend to forget about the photo if she made a copy in a personal album. I can ask her, but I can't force her. Ibid. if this friend wants to send it to one of her friends that I don't know or even don't trust: she can of course take a screenshot of the photo (or make a copy, depending on my policies) and send a link to this screenshot whithout having to ask me for any form of authorisation. My friends have a right to their own intimacy, so I don't need/want to control everything they do with the information I provide them with. Making the information public would be another matter, but there are circumstances where this would be perfectly legitimate as well. One possible solution to the prevention/non-prevention dilemma is a better understanding of the nature of identity. And to understand it, we need to get away from the confusion generated by ICT engineers and policy makers for whom identity=identifier. OpenID, SAML etc. are only interested in the identification *of* people and do not address the issue of identification *to* (and against) people, which is central to the process of identity construction. We also need to get away from the confusion between personal data and identity: one should be able to fully control one's personal data, but there is no way one can fully control one's identity: identity is a social construction which includes self-identity (Giddens) and identity through others (Laing). Someone's identity can't be isolated within a set of attributes under one's control. Identity is social, hence distributed in a network of trusted and not-trusted relationships —the people and organisations we do not trust also contribute to our identity. *Identity theft* is a misnomer as it is often nothing more than *identifier theft* —full identity theft, like the one described in Despair, a Nabokov's novel, is rare. To steal one's identity would require stealing all social relationships within the boundaries of that identity —and one has multiple identities, as parent, employee, customer, drag queen, accountant, entrepreneur, liberal, etc. Authentication and authorisation processes that would exploit the multi-dimentional properties of one's identity could provide more reliable outcomes than those based on simple, mono-dimentional identifiers... In such a world, everyone becomes an identity provider, and today's specialised identity providers (IDP) such as national ID providers are one among millions in a 'society of IPDs', or what I call an 'Internet of Subjects.' It should not be difficult to compute one's social surface, the trustworthiness of the 'surface' in relation to other known 'surfaces', one's worthiness within that surface, etc. Identity, like reputation, is contextual. Being distrusted by one group could be a good indicator that one should be trusted by another group (the enemies of...), so we need to support positive as well as negative identification —and double negative... This could be achieved by an identity centric internet (ICI) based on a clear functional separation between storage of personal data, under personal control, and the services creating/exploiting it. We need to achieve with personal data what we have just started with public data: free them from the application/service/organisational silos to put an end to the ever increasing fragmentation of our personal data. We need to call for the abolition of personal data slavery. Serge Ravet PS: a first step towards the separation of personal data from services could be the call for the split of Facebook into Baby Faces, like what was done with the split of Bell into Baby Bells in the 80s... Free our Data Now! Support the Internet of Subjects Manifesto! ---------------------------------------- tel +33 3 8643 1343 mob +33 6 0768 6727 Skype szerge www.iosf.org www.eife-l.org ----------------------------------------

You highlight the different attitudes to Personal Information Management and Privacy between Europe and the US. Of course government have to have and hold information about citizens in order to govern but they also have a duty to protect and keep up-to-date such records. The UK government have failed to do this with horrendous and repeated instances of multiple, unsynchronised data silos with life changing errors, 'lost and stolen' databases and, worse, sharing and selling personal information to private organisations. A key role for government departments would be in Verification of individuals and Certification of data and assertions. Graham Sadd Chairman & CEO Trusted Relationship Management T: +44 (0) 1628 510777 M: +44 (0) 7958 056171 E: graham.sadd@paoga.com W: www.paoga.com B: blog.grahamsadd.com <http://blog.grahamsadd.com/> From: Charles Andres [mailto:andres.charles@gmail.com] Sent: 12 January 2011 16:29 To: Graham Sadd Cc: Frank Wray; trutkowski@netmagic.com; Drummond Reed; Mary Ruddy; Walsh, Alan J; Rob Marano; community@lists.idcommons.net; community@kantarainitiative.org Subject: Re: [community] an interesting question At the risk of oversimplifying, the overarching goal is to make it possible for legally-binding transactions to take place between parties via a user-driven digital claims verification system. Getting governments (whose primary purpose is to regulate and determine what is legal) to agree and perhaps participate in such a system would be a tremendous leap forward -- similar to adopting/enforcing common traffic rules that enabled individuals (and companies) to own and operate motor vehicles. Within the U.S., NSTIC is the best proposal so far. However, John Poindexter, the NSA, the CIA, the Patriot Act, RealID, etc. (to name a few) have "poisoned the well" of trust with previous attempts to build centralized digital information systems to allow the government to know more about citizens than citizens know about the government. The obstacles are huge. We not only have to convince legislators to act without giving in to 'special interests', but also convince a rightfully skeptical citizenry that NSTIC actually might make things better. We can't afford to screw this up, and we can't afford to wait and let nature take its course. IMHO, despotism is likely from either of these alternatives. "Perhaps (these) sentiments are not yet sufficiently fashionable to procure them general favor; a long habit of not thinking a thing WRONG, gives it a superficial appearance of being RIGHT...But the tumult soon subsides. Time makes more converts than reason." - Common Sense, Thomas Paine. On Wed, Jan 12, 2011 at 10:35 AM, Graham Sadd <graham.sadd@paoga.com> wrote: I have been following this thread from the other side of the pond. An interesting and ongoing debate but I maintain that 'I' am the ONLY entity who owns my identity and it changes and morphs as I grow and continually add experiences. Now, I can keep this completely private as long as my ambition is to sit on a mountain top and hummm! If I want to engage with a community or society of any kind then I need to share or exchange it. All I want is to be able to chose what bits, at what time, for what reason and with whom I share it - the same things that I do with my cash. And, like my money, I want a record of these events. What I don't want is any organisation, public or private, passing it on without my knowledge or consent. If government-centric then it will be designed and used for their benefit. If individual -centric the it can be 'under my control, with my consent, for my benefit'. See http://blog.grahamsadd.com/ Regards Graham Graham Sadd Chairman & CEO Trusted Relationship Management T: +44 (0) 1628 510777 M: +44 (0) 7958 056171 E: graham.sadd@paoga.com W: www.paoga.com B: blog.grahamsadd.com <http://blog.grahamsadd.com/> From: community-request@lists.idcommons.net [mailto: community-request@lists.idcommons.net] On Behalf Of Frank Wray Sent: 12 January 2011 14:18 To: trutkowski@netmagic.com; Drummond Reed Cc: Mary Ruddy; Walsh, Alan J; Rob Marano; community@lists.idcommons.net; community@kantarainitiative.org Subject: Re: [community] an interesting question I am not sure if I agree completely... Americans have a history of not trusting government, and as a matter of fact, America was born on the notion of the lack of trust in government. The media uses that to sell their product. But, Identity should not be treated as a government issue, nation issue, but a user-centric issue in an Internet connected world (global). Each user is the owner of their identity and each user should have the ability to provide the information that they want to provide when they engage in an Internet transaction (sharing information included) and maintain the anonymity when desired. NSTIC was misrepresented by the mainstream media, but the root of the issue is the name. We cannot have a Nation-centric identity eco-system in a global Internet. One of the beauties of the Internet is the lack of borders. A global initiative where governments, the private sector and user communities as interested parties build the trust framework and use some or one of the current trust framework initiatives out there. And I am not suggesting that NSTIC is necessarily nation-centric, but the name leads to that believe. I also believe that the misrepresentation of the media is actually a good thing. This will not necessarily "kill" the initiative it will improve it and maybe even "globalize it" as I have suggested. So, let's keep the conversation going... :) ----- Original Message ----- From: Tony Rutkowski Sent: 01/12/11 08:43 AM To: Drummond Reed Subject: [community] an interesting question The treatment of personal IdM in the U.S. is shaped in substantial measure by a messaging by the media and lobbying community that conveys a hostility to government - some of it extreme - where the government is always painted in negative terms. It is a perspective almost unknown elsewhere in the world. That perspective is reflected in some of the NSTIC dialogue last week. Has the calculus changed by recent events? --amr ____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net For all list information and functions, see: http://lists.idcommons.net/lists/info/community Notice/Disclaimer Internet communications are not secure and the company (PAOGA Limited) does not accept legal liability for the integrity of the contents of this message. This email is confidential and the contents may not be disclosed or used by anyone other than the intended recipient. If you are not the intended recipient and receive this email, please immediately contact the sender at the above location. Whilst PAOGA Limited attempts to sweep email and attachments for viri and other malware. It does not guarantee that either virus or malware-free and PAOGA Limited accepts no liability for any damage sustained as a result of viral or other similar infections. Anyone who communicates with us by email is taken to accept these risks. PAOGA Limited. Registered Office in UK No: 4572417, Registered Office: Moor Place, Moorlands Drive, Pinkneys Green, Maidenhead, Berkshire. SL6 6QS ____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net For all list information and functions, see: http://lists.idcommons.net/lists/info/community   Notice/Disclaimer   Internet communications are not secure and the company (PAOGA Limited) does not accept legal liability for the integrity of the contents of this message. This email is confidential and the contents may not be disclosed or used by anyone other than the intended recipient. If you are not the intended recipient and receive this email, please immediately contact the sender at the above location.   Whilst PAOGA Limited attempts to sweep email and attachments for viri and other malware. It does not guarantee that either virus or malware-free and PAOGA Limited accepts no liability for any damage sustained as a result of viral or other similar infections. Anyone who communicates with us by email is taken to accept these risks.   PAOGA Limited. Registered Office in UK No: 4572417, Registered Office: Moor Place, Moorlands Drive, Pinkneys Green, Maidenhead, Berkshire. SL6 6QS

My point was the road to public acceptance of any Govt-approved identity plan/policy will be steep. Plans to create positive momentum requires dealing with this reality. Re: your question: Specific policies regulating commerce/ownership of dangerous substances/activities is context dependent. Can we first agree on what the colored lights mean, and what side of the road we all should drive on? (Right on Red except sometimes in Boston ;-). On Wed, Jan 12, 2011 at 12:13 PM, Tony Rutkowski <trutkowski@netmagic.com>wrote:

On 1/12/2011 11:29 AM, Charles Andres wrote:

...

However, John Poindexter, the NSA, the CIA, the Patriot Act, RealID, etc. (to name a few) have "poisoned the well" of trust with previous attempts to build centralized digital information systems to allow the government to know more about citizens than citizens know about the government.

The dialogue seems to have answered the question posed - the propensity to vilify public officials and institutions with different views on this subject as apostates has not changed. Perhaps no surprise.

Would you oppose identity checks or tracking of those who purchase extended clips for Glocks or does this also abridge perceived rights?

--tony

On 13 January 2011 13:12, Owen Thomas <owen.paul.thomas@gmail.com> wrote:

Personally, I would only accept a "citizenship identification" indicates a degree *[of trust I could ascribe to an interaction between]* one or more individuals over some medium.

Interactions in this system, whether I am a participant or not, would be modelled and presented to me as a user of the system. The level to which I could observe the interactions of, and interact with others would be an authorisation function of the system based upon the consistency of constraint-based parameters. -- Clique Space(TM). Practical, Ubiquitous, and Individual Security and Identity in Cyberspace. Research paper on Clique Space: http://ssrn.com/abstract=1714848 Owen's Garden of Thought: http://owenpaulthomas.blogspot.com/ Clique Space(TM) Facebook Group: http://www.facebook.com/group.php?gid=81335296379 www.cliquespace.net Skype: owen.paul.thomas Phone: +61 401 493 433

But Robin, in a democracy the state's actions are supposedly a reflection of the citizens' desires. Alternatively, a majority of the citizens can enact (or repeal) statutory powers. Even in a dictatorship or thugocracy (vide Tunisia, East Germany, etc.), a larege enough group of the citizenry can force government change. -dave On 1/15/2011 10:07 AM, Robin Wilton wrote:

With respect, Tony, I think "vilification" is over-stating Charles' position...

The negative reaction to perceived over-collection of data about citizens, however benevolent the state's apparent aim, often arises out of the imbalance Charles refers to: the state has the ability to grant itself statutory powers reinforced by law enforcement. The citizen does not enjoy that right, or any equivalent power.

I'm not convinced by your example of buying weaponry; first, it's an argument from the particular (selling arms with no statutory ID checks is a bad idea) to the general (statutory ID checks are a bad idea)... I have seen you argue enough to know you can do better than that ;^)

Second, your example of firearms is not useful because it doesn't translate well across borders (even US state borders...). What constitutes perfectly acceptable firearms policy in one jurisdiction is totally unconscionable in another.

Yrs., Robin

On Wed, 12 Jan 2011 12:13 -0500, "Tony Rutkowski" <trutkowski@netmagic.com> wrote:

...

...

However, John Poindexter, the NSA, the CIA, the Patriot Act, RealID, etc. (to name a few) have "poisoned the well" of trust with previous attempts to build centralized digital information systems to allow the government to know more about citizens than citizens know about the government. The dialogue seems to have answered the question posed - the propensity to vilify

On 1/12/2011 11:29 AM, Charles Andres wrote: public officials and institutions with different views on this subject as apostates has not changed. Perhaps no surprise.

Would you oppose identity checks or tracking of those who purchase extended clips for Glocks or does this also abridge perceived rights?

--tony _______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community

Robin Wilton

+44 (0)705 005 2931

_______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community