...

chuckle. NSTIC is about public relations.

If you want accountability, you want regulatory requirements and enforcement. See, 47 CFR.

Isn't that what OIX is doing with its "trust frameworks" :)

Thanks for starting this thread... just a bit of qualification on TF here:

Trust Frameworks is not an OIX thing. It's an industry thing... OIX, KI and InCommon all are Trust Framework Providers. It's not a new thing either - Trust Frameworks roots go back a decade (if not more depending on how wide you want to scope). Anyone who uses payment cards (credit cards / debit cards / atms) already uses versions of a Trust Framework. thx = Joni

On Aug 1, 2011, at 2:57 PM, ext Tony Rutkowski wrote:

On 8/1/2011 2:13 PM, Kaliya wrote:

...

It is about freedom of speech and self representation on the network. Expression not "privacy".

Isn't that what Anders Brevik advocated?

No, he advocated killing people who disagreed with his views.

The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas. Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors.

We cannot be protected from terrorists by "real names". We can only be protected by a functioning society. A functioning society must use "security" as only one variable in a complicated equation.

Why is accountability only for identity providers. Those using those identities should be accountable as well.

I agree that accountability is important for everyone. - John

--tony

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

On 2/08/2011 4:57 AM, Tony Rutkowski wrote:

The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas.

That might be literally true, but I'm pretty sure that Kaliya was speaking abstractly and generally about minority groups with a legitimate need to engage anonymously. So ... (1) What evidence do you have Tony that there are more miscreants than innocents? (2) As an engineer, are you comfortable making up requirements for identity management (in particular deeming that users need not be given anonymity options) or would it better, as with all IT, for requirements to be handed over from some authority for implementation? When technologists make up requirements -- let alone public policy -- IT goes off the rails. (3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then you're not so much on a slippery slope, so much as already at rock bottom. There would be no inhibition left, no separation of powers, nothing to stop us allowing interception of all communciation contents, in the name of law enforcement.

Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors.

If there is a new social contract in the making, one where we all agree to protect ourselves by ceding a degree of privacy, then let's negotiate the new parameters in our conventional law making fora: the parliaments and the courts. I have no absolute attachment to privacy; I agree that the reality of terrorism and the like probably does demand a rethink of conventional freedoms. But for pity's sake, let's not let the informopolies of the world be the arbiters. Can anyone seriously believe that Facebook and Google demand "real names" for other than commercial reasons? If they were remotely interested in crime prevention, they would lifted a finger against pedophiles by now. They conventionally disclaim responsibility for bad acts on their platforms by claiming their networks are simply communications platforms, but now they feign security interest and insist on changing the fundamental ways in which people manage their own identities. The hypocricy is breathtaking, but what's really surprising is that so many technocrats don't see through it. Cheers, @Steve_lockstep Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au http://www.lockstep.com.au Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy.Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.

OMG.. Tony.. I'm so glad you agree. Could you please open your wallet and type in all your credit card data.. along with your home address, and the 3 digit code on the back of the cards? After all .. there is no privacy!!!!! I'm ready to shop! On Aug 1, 2011, at 2:49 PM, Tony Rutkowski wrote:

"Rights to anonymity." Surely you are joking.

In law, there is no such network based right. In technology, there is no such capability.

Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.

--tony

On 8/1/2011 5:38 PM, Stephen Wilson wrote:

...

(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name". Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline. Nick On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski wrote:

"Rights to anonymity." Surely you are joking.

In law, there is no such network based right. In technology, there is no such capability.

Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.

--tony

On 8/1/2011 5:38 PM, Stephen Wilson wrote:

...

(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then

______________________________**______________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.**idcommons.net

For all list information and functions, see: http://lists.idcommons.net/**lists/info/communityhttp://lists.idcommons.net/lists/info/community

Fine with me. I for one don't have the time, capacity, nor desire to know everything about everyone. I'll leave that to God. If you want it to be private, then share it in a private setting (online or otherwise). If Google+ doesn't offer you that option, then go elsewhere. Nick On Mon, Aug 1, 2011 at 5:21 PM, Mary Hodder wrote:

The definition of totalitarianism:

When everyone knows everything about everyone.

Everyone has something to hide, be embarrassed about, etc..

It's a false argument anyway to talk about who gets hurt with privacy outings..

instead.. if we want to have a civil and humane society.. we have to let each person decide, within limits, what is private and what is public.

The right to be let alone is a right in Europe and it should be in the US.

On Aug 1, 2011, at 3:09 PM, Nicholas Crown wrote:

but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name".

Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline.

Nick

On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski wrote:

...

"Rights to anonymity." Surely you are joking.

In law, there is no such network based right. In technology, there is no such capability.

Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.

--tony

On 8/1/2011 5:38 PM, Stephen Wilson wrote:

...

(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then

______________________________**______________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.**idcommons.net

For all list information and functions, see: http://lists.idcommons.net/**lists/info/communityhttp://lists.idcommons.net/lists/info/community

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

On 08/01/2011 02:36 PM, Nicholas Crown wrote:

...

If you want it to be private, then share it in a private setting (online or otherwise). If Google+ doesn't offer you that option, then go elsewhere.

I seriously hope that the premise that pseudonymity is a desirable property of an identity system is not open to debate, and that the discussion isn't going to disappear into this particular rathole.

Melinda Shore

Yes.  The NSTIC Identity Ecosystem should encompass pseusonymity and also anonymity.  Today most of your activity on the Web, other when you pay with a credit card, is anonymous.  When you log in to a site with a username and a password, you are just proving that you are the same user who registered earlier with the site.  As we move away from passwords we should preserve this anonymity.  A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site.  (The certificate binds a public key to a reference to the your account at the site, internal to the site.  The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.) One of the goals of NSTIC is clearly to increase privacy, see for example Howard Schmidt's post to the White House blog on NSTIC and privacy.  But unfortunately some of the NSTIC documents seem to suggest that pseudonymity and anonymity belong outside of the NSTIC Ecosystem.  That's not right.  It would mean that when you want pseudonymity or anonymity you have to keep using passwords.  Actually, as more and more sites rely on "Login with Facebook", you may no longer be able to use passwords, and pseudonymity and anonymity may disappear from the Web. At the upcoming NSTIC workshop on technology, we have to insist on providing pseudonymity and anonymity *inside* the NSTIC ecosystem. Francisco Francisco Corella, PhD Founder & CEO, Pomcor Twitter: @fcorella Blog: http://pomcor.com/blog/ Web site: http://pomcor.com

...

Yes.  The NSTIC Identity Ecosystem should encompass pseusonymity and also anonymity.  Today most of your activity on the Web, other when you pay with a credit card, is anonymous.  When you log in to a site with a username and a password, you are just proving that you are

On Tue, Aug 2, 2011 at 1:43 AM, Francisco Corella wrote: the

...

same user who registered earlier with the site.

In practice this is not generally so, you leak identity information all over the place. For example:

* IP address * Recovery email address * Third party tracking cookies

* Usually the IP address only tells the site what ISP you are using * You may not need a recovery email address if you don't use a password * You can configure your browser to refuse third party tracking cookies,   plus Congress is working on that problem.

and so on.

...

  As we move away from passwords we should preserve this anonymity.

No, we need to improve on it.

...

  A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site.  (The certificate binds a public key to a reference to the your account at the site, internal to the site.  The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.)

This has been available in browsers forever, yet it is hardly used.

This could be made available relatively easily, but it is not available yet.  The browser can store a TLS client certificate and present it to the site's TLS server, but there are two problems: 1. As you know, the server can only request the certificate during the TLS handshake, by sending a CertificateRequest message.  That means the user is asked for the certificate whenever she accesses the site over a secure connection, whether or not she wants to log in. Instead, the server should be able to request a certificate when the user clicks on a login button.  That is, when the server receives the HTTP request resulting from the click on the login button, the server should be able should be able to request a certificate (just like now it can request a password for basic or digest authentication---which, I know, are rarely used on the Web).  The browser could then respond to the request by establishing a new TLS connection and sending the certificate.  For more details of how this can be done, see sections 2 and 3 of Pomcor's proposed architecture for the NSTIC ecosystem. 2. The site must be able to issue a certificate automatically when the user registers.  Until recently there was no pratical way of doing this.  Certificate issuing protocols (CMP, CMC, SCEP) are too complicated to be implemented by an ordinary Web site.  Recently, the W3C has resurrected the old Netscape <keygen> tag and added it to HTML5; it is now used by WebID.  That should provide a practical way of issuing certificates automatically once it is implemented by all browsers.  In section 2 of our architecture we propose an alternative method that has the virtue of also being usable for credentials other than PKI certificates, such as U-Prove tokens or Idemix anonymous credentials.

Why?

a) UI

b) Portability.

Why haven't the above two problems been solved earlier?  First, because it was easier to just use passwords.  Second, because once passwords proliferated and password reuse became a problem, companies such as Facebook and your employer found it convenient to adopt a solution based on OAuth where they are informed of all the user's logins, in addition to knowing all the user's friends and everything the user tells her friends on the social site and when visiting relying parties. Which brings me back to the issue of Google and Facebook requiring real names.  That allows them to combine all the information they gather by simply watching the user's logins and activities, with all the public information that's associated with the user's name.  They can then sell that thorough knowledge of the user to advertisers. By the way, Google seems to be pushing OAuth, and I think that's a strategic mistake.  OAuth is Facebook's main asset.  OAuth requires registration of the relying party with the social site, and more and more parties will take the easy route of just registering with Facebook.  Some relying parties already have no other means of logging in than the "Login with Facebook" button.  That gives users an additional incentive to get a Facebook account.  And the more users get Facebook accounts, the easier it becomes for relying parties to just offer "Login with Facebook".  So you have a positive feedback loop that ends when every user has a Facebook account (I mean, every user that Facebook is willing to accept), and every Web site has registered with Facebook.  Facebook can then provide a search facility within Facebook, powered by Bing, that takes advantage of all the knowledge Facebook has about all Web users, and Google is in trouble.

Neither of these is simple. But at least I (and Google) offer a solution to b (http://www.links.org/files/nigori/).

Francisco Francisco Corella, PhD Founder & CEO, Pomcor Twitter: @fcorella Blog: http://pomcor.com/blog/ Web site: http://pomcor.com

________________________________ From: Ben Laurie To: Francisco Corella Cc: Melinda Shore ; Nicholas Crown ; Mary Hodder ; "community@lists.idcommons.net" ; "community@kantarainitiative.org" Sent: Monday, August 1, 2011 8:45 PM Subject: Re: [community] Google+ "real" names and NSTIC

On Tue, Aug 2, 2011 at 1:43 AM, Francisco Corella wrote:

...

Yes.  The NSTIC Identity Ecosystem should encompass pseusonymity and also anonymity.  Today most of your activity on the Web, other when you pay with a credit card, is anonymous.  When you log in to a site with a username and a password, you are just proving that you are the same user who registered earlier with the site.

In practice this is not generally so, you leak identity information all over the place. For example:

* IP address * Recovery email address * Third party tracking cookies

and so on.

...

  As we move away from passwords we should preserve this anonymity.

No, we need to improve on it.

...

  A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site.  (The certificate binds a public key to a reference to the your account at the site, internal to the site.  The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.)

This has been available in browsers forever, yet it is hardly used. Why?

a) UI

b) Portability.

Neither of these is simple. But at least I (and Google) offer a solution to b (http://www.links.org/files/nigori/).

On Mon, Aug 1, 2011 at 7:10 PM, Stephen Wilson wrote:

On 2/08/2011 8:36 AM, Nicholas Crown wrote:

...

Fine with me. I for one don't have the time, capacity, nor desire to know everything about everyone. I'll leave that to God.

Or Mark Zuckerberg.

Brilliant! Nice one. So, Facebook now knows everything about all 6 (almost 7) billion people on the planet. Wow, that was fast! Nick

Cheers,

Steve.

Stephen Wilson Managing Director Lockstep Group

Phone +61 (0)414 488 851

http://lockstep.com.au http://www.lockstep.com.auhttp://www.lockstep.com.au

Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.

Nicholas, I wonder if you are a middle class, middle aged white guy who has been lucky enough to have never experienced persecution, or had good grounds to fear it? The implicit sentiment that "if you've got nothing to hide, you've got nothing to worry about" is too often the position of the privileged. Can you not imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications? Steve. Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au http://www.lockstep.com.au Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. On 2/08/2011 8:09 AM, Nicholas Crown wrote:

but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name".

Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline.

Nick

On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski mailto:trutkowski@netmagic.com> wrote:

"Rights to anonymity." Surely you are joking.

In law, there is no such network based right. In technology, there is no such capability.

Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.

--tony

On 8/1/2011 5:38 PM, Stephen Wilson wrote:

(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net mailto:community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net mailto:community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community http://lists.idcommons.net/lists/info/community

Nick, Do you really compare the Internet -- the global business infrastructure of the future -- with a public square?? The comparison is not even wrong. One's everyday activities in "public" actually benefit from a host of inherent privacy features (collection limitation, use & disclosure limitation, data retention limitation) that are shattered by information technologies. If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tatooing names on peoples' foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit. See also http://lockstep.com.au/blog/2011/01/26/public-yet-still-private Cheers Steve Wilson Lockstep. On 2/08/2011 1:11 PM, Nicholas Crown wrote:

If they want to enjoy private communications online, then they should build their own private network. Why do we believe that public infrastructure should be treated any differently than the public square?

As for persecution, I understand the concerns. There are ways to communicate about sensitive issues that don't involve social networking sites. Hiding behind a pseudonym will do nothing to advance the cause for which one should fear the risks of exposure. Plenty of revolutions were started without the help of anonymous tweets. They figured out a way to get it done, because the cause was worth the risk. Our Identity ecosystem doesn't need the complexity and issues that come with this anymore than someone who is willing to die for their cause needs a mask to hide behind while online.

Nick

On Mon, Aug 1, 2011 at 7:08 PM, Stephen Wilson mailto:swilson@lockstep.com.au> wrote:

Nicholas,

I wonder if you are a middle class, middle aged white guy who has been lucky enough to have never experienced persecution, or had good grounds to fear it? The implicit sentiment that "if you've got nothing to hide, you've got nothing to worry about" is too often the position of the privileged. Can you not imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications?

Steve.

Stephen Wilson Managing Director Lockstep Group

Phone +61 (0)414 488 851 tel:%2B61%20%280%29414%20488%20851

http://lockstep.com.au http://www.lockstep.com.au Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.

Suggested reading in this forum should be Eugeny Morozov's The Net Delusion. It explains techno-political reality to the cyber utopians of the world. That reality includes the ability of almost every government to circumvent anonymous capabilities. Conversely, if mandated by national law, those mandates impose significant costs on everyone in an unrealistic attempt to protect the paranoia of the few. Those costs include major distortions in national trade in services (effectively moving the services offshore), and diminishing innovation in provisioning new services. In addition, the attempts of most nations to instantiate cybersecurity infrastructure protection capabilities combined with enforcing IPR protection and protection of children online, is a losing battle. --tony On 8/1/2011 8:08 PM, Stephen Wilson wrote:

risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications?

Morozov falls into the trap almost everyone else is also in: duality. The reality is that you can almost always be anonymous or pseudonymous (in many cases unlinkably pseudonymous) - and at the SAME TIME, you can almost always be identified. It takes very little effort to set up a pseudonym and do a few simple things to obscure your "real" identity (whatever that might mean; the Platonists have deluded us into thinking a "true identity" exists...). It takes a LOT of effort to identify an individual who has carefully obscured his identity. But identification can almost always be done if the money and effort are invested. Both of these are good things; it's good to let people be anonymous or pseudonymous, and it's good that the police can find malefactors if they try hard enough. It is not the goal of a civilized society to spend a lot of money or effort making things easy for the police. -- bob BOB BLAKLEY Vice President & Distinguished Analyst, Gartner ITP Identity & Privacy bob.blakley@gartner.com | +1 (512) 657-0768 http://www.gartner.com | http://blogs.gartner.com/bob-blakley/ On 2/Aug/11 7:50 AM, "Tony Rutkowski" wrote:

Suggested reading in this forum should be Eugeny Morozov's The Net Delusion. It explains techno-political reality to the cyber utopians of the world.

That reality includes the ability of almost every government to circumvent anonymous capabilities. Conversely, if mandated by national law, those mandates impose significant costs on everyone in an unrealistic attempt to protect the paranoia of the few. Those costs include major distortions in national trade in services (effectively moving the services offshore), and diminishing innovation in provisioning new services. In addition, the attempts of most nations to instantiate cybersecurity infrastructure protection capabilities combined with enforcing IPR protection and protection of children online, is a losing battle.

--tony

On 8/1/2011 8:08 PM, Stephen Wilson wrote:

...

risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications?

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

This e-mail message, including any attachments, is for the sole use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Gartner makes no warranty that this e-mail is error or virus free.

On 2/08/2011 7:49 AM, Tony Rutkowski wrote:

"Rights to anonymity." Surely you are joking.

In law, there is no such network based right. In technology, there is no such capability.

You're wrong there. European and Australian information privacy law expressly provides individuals with the right to transact anonymously.

Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.

--tony

On 8/1/2011 5:38 PM, Stephen Wilson wrote:

...

(3) If you use crime prevention as the rationale for taking away users' rights to anonymity ...

Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au http://www.lockstep.com.au Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy.Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.

See http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp8 Australian National Privacy Principle NPP 8 "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation". Cheers, @Steve_lockstep Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au http://www.lockstep.com.au Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy.Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. On 2/08/2011 10:25 AM, Tony Rutkowski wrote:

Please provide a citation to a provision that conveys such a right unconditionally over electronic networks. --tony

On 8/1/2011 7:57 PM, Stephen Wilson wrote:

...

You're wrong there. European and Australian information privacy law expressly provides individuals with the right to transact anonymously.

Oh for gods sake Rutkowski, it's a long way *further* than your bombastic assertion that "In law, there is no such network based right [to anonymity]". The Australian Privacy Act requires any private business turning over more than $3M p.a. to comply with the 10 NPPs including NPP 8 cited above. Nobody ever said privacy is unconditional. Steve Wilson. On 2/08/2011 9:32 PM, Tony Rutkowski wrote:

That is a long way from:

Please provide a citation to a provision that conveys such a right unconditionally over electronic networks.

-tony

On 8/1/2011 10:14 PM, Stephen Wilson wrote:

...

See http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp8

Australian National Privacy Principle NPP 8 "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation".

Accountability does not require real names. Carrot Top has been arrested. -- bob BOB BLAKLEY Vice President & Distinguished Analyst, Gartner ITP Identity & Privacy bob.blakley@gartner.com | +1 (512) 657-0768 http://www.gartner.com | http://blogs.gartner.com/bob-blakley/ On 1/Aug/11 1:57 PM, "Tony Rutkowski" wrote:

Isn't that what Anders Brevik advocated?

The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas. Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors.

Why is accountability only for identity providers. Those using those identities should be accountable as well.

--tony

On 8/1/2011 2:13 PM, Kaliya wrote:

...

It is about freedom of speech and self representation on the network. Expression not "privacy".

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

This e-mail message, including any attachments, is for the sole use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Gartner makes no warranty that this e-mail is error or virus free.

On Aug 1, 2011, at 11:04, Tony Rutkowski wrote:

chuckle. NSTIC is about public relations.

Interesting … could you expand on that a bit?

chuckle. NSTIC is about public relations.

And here I thought it was about the highest bidder -----Original Message----- From: community@lists.idcommons.net [mailto:community@lists.idcommons.net] On Behalf Of Tony Rutkowski Sent: Monday, August 01, 2011 11:04 AM To: Kaliya Cc: community@lists.idcommons.net; stewards@lists.idcommons.net; community@kantarainitiative.org Subject: Re: [community] Google+ "real" names and NSTIC chuckle. NSTIC is about public relations. If you want accountability, you want regulatory requirements and enforcement. See, 47 CFR. If you want privacy, find a nice trail in the wilderness and turn off your communications devices. --tony On 8/1/2011 1:14 PM, Kaliya wrote:

NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net For all list information and functions, see: http://lists.idcommons.net/lists/info/community

I'm guessing that Google + is using a dictionary "attack" to figure out if a name is real.. or a word that is not a name. "Identity" and "woman" separated.. would be hit by an automated dictionary scan.. and generate a shutdown. A name like "independentidentity" is too long and doesn't fit any dictionary of non-name words.. Outside of the issues where google is forcing long term "personal trademarks" out, they seem to be doing a sort of silly dictionary scan of names and aren't even checking or notifying people in advance. The whole real name issue is poorly done at Google+, and I think Kaliya is right to point out that Google + is making policy with this, because they have a lot of power in the marketplace. And Google + is doing it because they think the NSTIC wants real names, when in fact the government is not saying that at all. mary On Aug 1, 2011, at 11:23 AM, Phil Hunt wrote:

Did you have your first and last name in your profile? In my case independentidentity has not been touched. I guess because I have a name in addition to my avatar.

Phil

On 2011-08-01, at 10:14, Kaliya wrote:

...

NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.

Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.

Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman

I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).

I am curious what others think is there a link? and are you having your accounts suspended?

I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".

- Kaliya

Kaliya Hamlin, Identity Woman (blog) (twitter)

Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator

Kaliya@identitywoman.net Cel +1 (510) 472-9069

Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters

____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

---

You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

This has nothing to do with NSTIC and everything to do with what is perceived as valuable in making social networks successful. It may or may not have something to do with Googles minimization model. This level of pretend identity proofing would not be sufficient for NSTIC. I expect that google will continue to make pseudonymous federated identity possible (perhaps no longer their default). They were the ones who insisted on it in openID 2.0. I don't think this or Facebook's misdeeds can be attributed to NSTIC which is mostly a wish list of things that could or should be part of a future Identity ecosystem. However I would expect the NSTIC privacy people to say this is what you get in a totally free market solution. Perhaps another argument for a NSTIC type plan. John B. On 2011-08-01, at 2:53 PM, Dick Hardt wrote:

...

And Google + is doing it because they think the NSTIC wants real names, when in fact the government is not saying that at all.

I don't this policy has anything to do with NSTIC. I would say it is similar reasons why Facebook has a realname policy.

-- Dick ____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net

For all list information and functions, see: http://lists.idcommons.net/lists/info/community

OK so the Google dictionary pretend proofing would not be sufficient for any of the FICAM levels required by the gov. So while it may be useful for some social network reason, it is not related to any of the higher levels of assurance that NSTIC is talking about. In NSTIC one of the premises is that a identity that is proofed as being real by some service provider should be able to be used pseudonymously at relying parties. I am tempted to blame NSTIC for a lot of things this however is not one of them. John B. On 2011-08-01, at 4:12 PM, Jim Fenton wrote:

On 8/1/11 12:11 PM, John Bradley wrote:

...

This has nothing to do with NSTIC and everything to do with what is perceived as valuable in making social networks successful. It may or may not have something to do with Googles minimization model.

This level of pretend identity proofing would not be sufficient for NSTIC.

Not necessarily. NSTIC doesn't specify any particular level of identity proofing, and it's really up to the Relying Party what if any proofing they need. Of course, verifying that users have names that appear to be real isn't identity proofing at all.

Does that mean that the dog in the IIW logo is OK on Google+ if his name is "Fred Smith" but not if his name is "Rover Smith"?

...

I expect that google will continue to make pseudonymous federated identity possible (perhaps no longer their default).

They were the ones who insisted on it in openID 2.0.

I don't think this or Facebook's misdeeds can be attributed to NSTIC which is mostly a wish list of things that could or should be part of a future Identity ecosystem.

However I would expect the NSTIC privacy people to say this is what you get in a totally free market solution. Perhaps another argument for a NSTIC type plan.

Agreed; it is the Relying Party's business decision that drove the "use your real name" community standard in Google+.

-Jim