Google+ "real" names and NSTIC
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this. Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars. Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either). I am curious what others think is there a link? and are you having your accounts suspended? I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real". - Kaliya Kaliya Hamlin, Identity Woman (blog) (twitter) Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator Kaliya@identitywoman.net Cel +1 (510) 472-9069 Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
I don't think they are directly related. Google's real identity's for + doesn't meet the level of a verified identity for government use. There will also be options to use a pseudonymous identifier at a RP if that is desired. I suspect the current activity is about differentiating their social network from the competition rather than any preparation for NSTIC. John B. On 2011-08-01, at 1:14 PM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
- Kaliya
Kaliya Hamlin, Identity Woman (blog) (twitter)
Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator
Kaliya@identitywoman.net Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
____________________________________________________________ You received this message as a subscriber on the list: stewards@lists.idcommons.net To be removed from the list, send any message to: stewards-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/stewards
Hi Kaliya, On Aug 1, 2011, at 1:14 PM, ext Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
From here: http://www.volconvo.com/forums/society-rights/36843-pseudonyms-social-respon..., I read this:
‘In US Common Law, pseudonym used “consistently, openly and non-fraudulently, without interfering with other people’s rights” is a legal name’ I don't know if it's true, but I do agree with the sentiment. Further, I can think of specific reasons to allow pseudonyms: i) Allow some limiting of not-specifically-authorized tracking by those seeking to track me by using pseudonyms on the Internet ii) Allow someone to prevent the release of additional identity information (gender, for example) by means of a pseudonym iii) Allow the ability of people who fear physical/mental harm as a result of being publicly identified with their "real names" to exist on the Internet. iv) Allow someone with an existing community of people within which they are known by their pseudonym to continue to be known as that same person by that community and those who might become part of that community. There are probably other reasons. As Anil Dash points out in the post you linked to in your post (http://dashes.com/anil/2011/07/if-your-websites-full-of-assholes-its-your-fa...) "real names" are not a substitute for a functioning social environment and community. I agree with you that accountability may exist with or without "real names". Cheers, - John
- Kaliya
Kaliya Hamlin, Identity Woman (blog) (twitter)
Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator
Kaliya@identitywoman.net Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
chuckle. NSTIC is about public relations. If you want accountability, you want regulatory requirements and enforcement. See, 47 CFR. If you want privacy, find a nice trail in the wilderness and turn off your communications devices. --tony On 8/1/2011 1:14 PM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
On Aug 1, 2011, at 11:04 AM, Tony Rutkowski wrote:
chuckle. NSTIC is about public relations.
If you want accountability, you want regulatory requirements and enforcement. See, 47 CFR.
Isn't that what OIX is doing with its "trust frameworks" :)
If you want privacy, find a nice trail in the wilderness and turn off your communications devices.
The freedom to use a pseudonym online that is persistent and not a spammer and not spouting hate speech and not doing anything illegal is what this is about. It is about what people can choose to publicly link or in certain cervices via their so called "real" name NOT "privacy". If the spooks you work for want to spy on all of us to keep us safe from terrorism "fine" - sure just take away all our "privacy" on the back end.... but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name". It is about freedom of speech and self representation on the network. Expression not "privacy".
--tony
On 8/1/2011 1:14 PM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
chuckle. NSTIC is about public relations.
If you want accountability, you want regulatory requirements and enforcement. See, 47 CFR.
Isn't that what OIX is doing with its "trust frameworks" :)
Thanks for starting this thread... just a bit of qualification on TF here:
Trust Frameworks is not an OIX thing. It's an industry thing... OIX, KI and InCommon all are Trust Framework Providers. It's not a new thing either - Trust Frameworks roots go back a decade (if not more depending on how wide you want to scope). Anyone who uses payment cards (credit cards / debit cards / atms) already uses versions of a Trust Framework. thx = Joni
Isn't that what Anders Brevik advocated? The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas. Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors. Why is accountability only for identity providers. Those using those identities should be accountable as well. --tony On 8/1/2011 2:13 PM, Kaliya wrote:
It is about freedom of speech and self representation on the network. Expression not "privacy".
On Aug 1, 2011, at 2:57 PM, ext Tony Rutkowski wrote:
On 8/1/2011 2:13 PM, Kaliya wrote:
It is about freedom of speech and self representation on the network. Expression not "privacy".
Isn't that what Anders Brevik advocated?
No, he advocated killing people who disagreed with his views.
The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas. Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors.
We cannot be protected from terrorists by "real names". We can only be protected by a functioning society. A functioning society must use "security" as only one variable in a complicated equation.
Why is accountability only for identity providers. Those using those identities should be accountable as well.
I agree that accountability is important for everyone. - John
--tony
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
Hey Tony, Can you show some data positively correlating the use of pseudonyms and exponentially increasing crime? Thanks! -Heather On Mon, Aug 1, 2011 at 11:57 AM, Tony Rutkowski <trutkowski@netmagic.com> wrote:
Isn't that what Anders Brevik advocated?
The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas. Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors.
Why is accountability only for identity providers. Those using those identities should be accountable as well.
--tony
On 8/1/2011 2:13 PM, Kaliya wrote:
It is about freedom of speech and self representation on the network. Expression not "privacy".
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
-- Heather Schlegel, heathervescent Practical Futurist, Product Developer & Agent of Cacophony @heathervescent // www.heathervescent.com // skype: heathervescent
On 2/08/2011 4:57 AM, Tony Rutkowski wrote:
The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas.
That might be literally true, but I'm pretty sure that Kaliya was speaking abstractly and generally about minority groups with a legitimate need to engage anonymously. So ... (1) What evidence do you have Tony that there are more miscreants than innocents? (2) As an engineer, are you comfortable making up requirements for identity management (in particular deeming that users need not be given anonymity options) or would it better, as with all IT, for requirements to be handed over from some authority for implementation? When technologists make up requirements -- let alone public policy -- IT goes off the rails. (3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then you're not so much on a slippery slope, so much as already at rock bottom. There would be no inhibition left, no separation of powers, nothing to stop us allowing interception of all communciation contents, in the name of law enforcement.
Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors.
If there is a new social contract in the making, one where we all agree to protect ourselves by ceding a degree of privacy, then let's negotiate the new parameters in our conventional law making fora: the parliaments and the courts. I have no absolute attachment to privacy; I agree that the reality of terrorism and the like probably does demand a rethink of conventional freedoms. But for pity's sake, let's not let the informopolies of the world be the arbiters. Can anyone seriously believe that Facebook and Google demand "real names" for other than commercial reasons? If they were remotely interested in crime prevention, they would lifted a finger against pedophiles by now. They conventionally disclaim responsibility for bad acts on their platforms by claiming their networks are simply communications platforms, but now they feign security interest and insist on changing the fundamental ways in which people manage their own identities. The hypocricy is breathtaking, but what's really surprising is that so many technocrats don't see through it. Cheers, @Steve_lockstep Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au <http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy.Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.
"Rights to anonymity." Surely you are joking. In law, there is no such network based right. In technology, there is no such capability. Like Scott McNealy said rather publicly in 1995 - Privacy: get over it. --tony On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
OMG.. Tony.. I'm so glad you agree. Could you please open your wallet and type in all your credit card data.. along with your home address, and the 3 digit code on the back of the cards? After all .. there is no privacy!!!!! I'm ready to shop! On Aug 1, 2011, at 2:49 PM, Tony Rutkowski wrote:
"Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
Actually.. i'd also like your medical records please.. as I'm planning to take out a life insurance policy on you and I need those.. oh.. and your school transcripts.. I'd like to rank you on a list i'm making.. you won't mind having all your grades and SATs evaluated by us will you?? I didn't think so.. I'm sure you got over the loss of privacy you used to have long ago. On Aug 1, 2011, at 2:49 PM, Tony Rutkowski wrote:
"Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name". Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline. Nick On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski <trutkowski@netmagic.com>wrote:
"Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
______________________________**______________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.**idcommons.net<community-unsubscribe@lists.idcommons.net>
For all list information and functions, see: http://lists.idcommons.net/**lists/info/community<http://lists.idcommons.net/lists/info/community>
The definition of totalitarianism: When everyone knows everything about everyone. Everyone has something to hide, be embarrassed about, etc.. It's a false argument anyway to talk about who gets hurt with privacy outings.. instead.. if we want to have a civil and humane society.. we have to let each person decide, within limits, what is private and what is public. The right to be let alone is a right in Europe and it should be in the US. On Aug 1, 2011, at 3:09 PM, Nicholas Crown wrote:
but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name".
Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline.
Nick
On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski <trutkowski@netmagic.com> wrote: "Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote: (3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
Fine with me. I for one don't have the time, capacity, nor desire to know everything about everyone. I'll leave that to God. If you want it to be private, then share it in a private setting (online or otherwise). If Google+ doesn't offer you that option, then go elsewhere. Nick On Mon, Aug 1, 2011 at 5:21 PM, Mary Hodder <mary@hodder.org> wrote:
The definition of totalitarianism:
When everyone knows everything about everyone.
Everyone has something to hide, be embarrassed about, etc..
It's a false argument anyway to talk about who gets hurt with privacy outings..
instead.. if we want to have a civil and humane society.. we have to let each person decide, within limits, what is private and what is public.
The right to be let alone is a right in Europe and it should be in the US.
On Aug 1, 2011, at 3:09 PM, Nicholas Crown wrote:
but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name".
Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline.
Nick
On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski <trutkowski@netmagic.com>wrote:
"Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
______________________________**______________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.**idcommons.net<community-unsubscribe@lists.idcommons.net>
For all list information and functions, see: http://lists.idcommons.net/**lists/info/community<http://lists.idcommons.net/lists/info/community>
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
On 08/01/2011 02:36 PM, Nicholas Crown wrote:
If you want it to be private, then share it in a private setting (online or otherwise). If Google+ doesn't offer you that option, then go elsewhere.
I seriously hope that the premise that pseudonymity is a desirable property of an identity system is not open to debate, and that the discussion isn't going to disappear into this particular rathole. Melinda Shore
On 08/01/2011 02:36 PM, Nicholas Crown wrote:
If you want it to be private, then share it in a private setting (online or otherwise). If Google+ doesn't offer you that option, then go elsewhere.
I seriously hope that the premise that pseudonymity is a desirable property of an identity system is not open to debate, and that the discussion isn't going to disappear into this particular rathole.
Melinda Shore
Yes. The NSTIC Identity Ecosystem should encompass pseusonymity and also anonymity. Today most of your activity on the Web, other when you pay with a credit card, is anonymous. When you log in to a site with a username and a password, you are just proving that you are the same user who registered earlier with the site. As we move away from passwords we should preserve this anonymity. A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site. (The certificate binds a public key to a reference to the your account at the site, internal to the site. The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.) One of the goals of NSTIC is clearly to increase privacy, see for example Howard Schmidt's post to the White House blog on NSTIC and privacy. But unfortunately some of the NSTIC documents seem to suggest that pseudonymity and anonymity belong outside of the NSTIC Ecosystem. That's not right. It would mean that when you want pseudonymity or anonymity you have to keep using passwords. Actually, as more and more sites rely on "Login with Facebook", you may no longer be able to use passwords, and pseudonymity and anonymity may disappear from the Web. At the upcoming NSTIC workshop on technology, we have to insist on providing pseudonymity and anonymity *inside* the NSTIC ecosystem. Francisco Francisco Corella, PhD Founder & CEO, Pomcor Twitter: @fcorella Blog: http://pomcor.com/blog/ Web site: http://pomcor.com
On Tue, Aug 2, 2011 at 1:43 AM, Francisco Corella <fcorella@pomcor.com> wrote:
Yes. The NSTIC Identity Ecosystem should encompass pseusonymity and also anonymity. Today most of your activity on the Web, other when you pay with a credit card, is anonymous. When you log in to a site with a username and a password, you are just proving that you are the same user who registered earlier with the site.
In practice this is not generally so, you leak identity information all over the place. For example: * IP address * Recovery email address * Third party tracking cookies and so on.
As we move away from passwords we should preserve this anonymity.
No, we need to improve on it.
A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site. (The certificate binds a public key to a reference to the your account at the site, internal to the site. The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.)
This has been available in browsers forever, yet it is hardly used. Why? a) UI b) Portability. Neither of these is simple. But at least I (and Google) offer a solution to b (http://www.links.org/files/nigori/).
Yes. The NSTIC Identity Ecosystem should encompass pseusonymity and also anonymity. Today most of your activity on the Web, other when you pay with a credit card, is anonymous. When you log in to a site with a username and a password, you are just proving that you are
On Tue, Aug 2, 2011 at 1:43 AM, Francisco Corella <fcorella@pomcor.com> wrote: the
same user who registered earlier with the site.
In practice this is not generally so, you leak identity information all over the place. For example:
* IP address * Recovery email address * Third party tracking cookies
* Usually the IP address only tells the site what ISP you are using * You may not need a recovery email address if you don't use a password * You can configure your browser to refuse third party tracking cookies, plus Congress is working on that problem.
and so on.
As we move away from passwords we should preserve this anonymity.
No, we need to improve on it.
A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site. (The certificate binds a public key to a reference to the your account at the site, internal to the site. The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.)
This has been available in browsers forever, yet it is hardly used.
This could be made available relatively easily, but it is not available yet. The browser can store a TLS client certificate and present it to the site's TLS server, but there are two problems: 1. As you know, the server can only request the certificate during the TLS handshake, by sending a CertificateRequest message. That means the user is asked for the certificate whenever she accesses the site over a secure connection, whether or not she wants to log in. Instead, the server should be able to request a certificate when the user clicks on a login button. That is, when the server receives the HTTP request resulting from the click on the login button, the server should be able should be able to request a certificate (just like now it can request a password for basic or digest authentication---which, I know, are rarely used on the Web). The browser could then respond to the request by establishing a new TLS connection and sending the certificate. For more details of how this can be done, see sections 2 and 3 of Pomcor's proposed architecture for the NSTIC ecosystem. 2. The site must be able to issue a certificate automatically when the user registers. Until recently there was no pratical way of doing this. Certificate issuing protocols (CMP, CMC, SCEP) are too complicated to be implemented by an ordinary Web site. Recently, the W3C has resurrected the old Netscape <keygen> tag and added it to HTML5; it is now used by WebID. That should provide a practical way of issuing certificates automatically once it is implemented by all browsers. In section 2 of our architecture we propose an alternative method that has the virtue of also being usable for credentials other than PKI certificates, such as U-Prove tokens or Idemix anonymous credentials.
Why?
a) UI
b) Portability.
Why haven't the above two problems been solved earlier? First, because it was easier to just use passwords. Second, because once passwords proliferated and password reuse became a problem, companies such as Facebook and your employer found it convenient to adopt a solution based on OAuth where they are informed of all the user's logins, in addition to knowing all the user's friends and everything the user tells her friends on the social site and when visiting relying parties. Which brings me back to the issue of Google and Facebook requiring real names. That allows them to combine all the information they gather by simply watching the user's logins and activities, with all the public information that's associated with the user's name. They can then sell that thorough knowledge of the user to advertisers. By the way, Google seems to be pushing OAuth, and I think that's a strategic mistake. OAuth is Facebook's main asset. OAuth requires registration of the relying party with the social site, and more and more parties will take the easy route of just registering with Facebook. Some relying parties already have no other means of logging in than the "Login with Facebook" button. That gives users an additional incentive to get a Facebook account. And the more users get Facebook accounts, the easier it becomes for relying parties to just offer "Login with Facebook". So you have a positive feedback loop that ends when every user has a Facebook account (I mean, every user that Facebook is willing to accept), and every Web site has registered with Facebook. Facebook can then provide a search facility within Facebook, powered by Bing, that takes advantage of all the knowledge Facebook has about all Web users, and Google is in trouble.
Neither of these is simple. But at least I (and Google) offer a solution to b (http://www.links.org/files/nigori/).
Francisco Francisco Corella, PhD Founder & CEO, Pomcor Twitter: @fcorella Blog: http://pomcor.com/blog/ Web site: http://pomcor.com
________________________________ From: Ben Laurie <ben@links.org> To: Francisco Corella <fcorella@pomcor.com> Cc: Melinda Shore <melinda.shore@gmail.com>; Nicholas Crown <nick@thecrowns.org>; Mary Hodder <mary@hodder.org>; "community@lists.idcommons.net" <community@lists.idcommons.net>; "community@kantarainitiative.org" <community@kantarainitiative.org> Sent: Monday, August 1, 2011 8:45 PM Subject: Re: [community] Google+ "real" names and NSTIC
On Tue, Aug 2, 2011 at 1:43 AM, Francisco Corella <fcorella@pomcor.com> wrote:
Yes. The NSTIC Identity Ecosystem should encompass pseusonymity and also anonymity. Today most of your activity on the Web, other when you pay with a credit card, is anonymous. When you log in to a site with a username and a password, you are just proving that you are the same user who registered earlier with the site.
In practice this is not generally so, you leak identity information all over the place. For example:
* IP address * Recovery email address * Third party tracking cookies
and so on.
As we move away from passwords we should preserve this anonymity.
No, we need to improve on it.
A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site. (The certificate binds a public key to a reference to the your account at the site, internal to the site. The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.)
This has been available in browsers forever, yet it is hardly used. Why?
a) UI
b) Portability.
Neither of these is simple. But at least I (and Google) offer a solution to b (http://www.links.org/files/nigori/).
On 2/08/2011 8:36 AM, Nicholas Crown wrote:
Fine with me. I for one don't have the time, capacity, nor desire to know everything about everyone. I'll leave that to God.
Or Mark Zuckerberg. Cheers, Steve. Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au <http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.
On Mon, Aug 1, 2011 at 7:10 PM, Stephen Wilson <swilson@lockstep.com.au>wrote:
On 2/08/2011 8:36 AM, Nicholas Crown wrote:
Fine with me. I for one don't have the time, capacity, nor desire to know everything about everyone. I'll leave that to God.
Or Mark Zuckerberg.
Brilliant! Nice one. So, Facebook now knows everything about all 6 (almost 7) billion people on the planet. Wow, that was fast! Nick
Cheers,
Steve.
Stephen Wilson Managing Director Lockstep Group
Phone +61 (0)414 488 851
http://lockstep.com.au <http://www.lockstep.com.au><http://www.lockstep.com.au>
Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.
The phrase "Real name" includes assumptions: - The name is the thing - (vs.* Ceci n’est pas une pipe*) - Some names are more real than others - ("Phil Wolff" isn't my full legal name or the name I respond to in * schul*) - An outside observer can judge which is more real - And of course Facebook and Google are the natural judges Phil Wolff managing editor, Skype Journal http://SkypeJournal.com pwolff@skypejournal.com skype:evanwolf +1-510-444-8234 San Francisco +1-510-316-9773 mobile http://www.linkedin.com/in/philwolff http://www.facebook.com/philwolff http://twitter.com/evanwolf http://dataportability.org http://pde.cc
Nicholas, I wonder if you are a middle class, middle aged white guy who has been lucky enough to have never experienced persecution, or had good grounds to fear it? The implicit sentiment that "if you've got nothing to hide, you've got nothing to worry about" is too often the position of the privileged. Can you not imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications? Steve. Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au <http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. On 2/08/2011 8:09 AM, Nicholas Crown wrote:
but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name".
Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline.
Nick
On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski <trutkowski@netmagic.com <mailto:trutkowski@netmagic.com>> wrote:
"Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net <mailto:community@lists.idcommons.net> To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net <mailto:community-unsubscribe@lists.idcommons.net>
For all list information and functions, see: http://lists.idcommons.net/lists/info/community <http://lists.idcommons.net/lists/info/community>
If they want to enjoy private communications online, then they should build their own private network. Why do we believe that public infrastructure should be treated any differently than the public square? As for persecution, I understand the concerns. There are ways to communicate about sensitive issues that don't involve social networking sites. Hiding behind a pseudonym will do nothing to advance the cause for which one should fear the risks of exposure. Plenty of revolutions were started without the help of anonymous tweets. They figured out a way to get it done, because the cause was worth the risk. Our Identity ecosystem doesn't need the complexity and issues that come with this anymore than someone who is willing to die for their cause needs a mask to hide behind while online. Nick On Mon, Aug 1, 2011 at 7:08 PM, Stephen Wilson <swilson@lockstep.com.au>wrote:
Nicholas,
I wonder if you are a middle class, middle aged white guy who has been lucky enough to have never experienced persecution, or had good grounds to fear it? The implicit sentiment that "if you've got nothing to hide, you've got nothing to worry about" is too often the position of the privileged. Can you not imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications?
Steve.
Stephen Wilson Managing Director Lockstep Group
Phone +61 (0)414 488 851
http://lockstep.com.au <http://www.lockstep.com.au><http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.
On 2/08/2011 8:09 AM, Nicholas Crown wrote:
but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name".
Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline.
Nick
On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski <trutkowski@netmagic.com <mailto:trutkowski@netmagic.com><trutkowski@netmagic.com>> wrote:
"Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net <mailto:community@lists.idcommons.net><community@lists.idcommons.net> To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net <mailto:community-unsubscribe@lists.idcommons.net><community-unsubscribe@lists.idcommons.net>
For all list information and functions, see: http://lists.idcommons.net/lists/info/community <http://lists.idcommons.net/lists/info/community><http://lists.idcommons.net/lists/info/community>
Nick, Do you really compare the Internet -- the global business infrastructure of the future -- with a public square?? The comparison is not even wrong. One's everyday activities in "public" actually benefit from a host of inherent privacy features (collection limitation, use & disclosure limitation, data retention limitation) that are shattered by information technologies. If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tatooing names on peoples' foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit. See also http://lockstep.com.au/blog/2011/01/26/public-yet-still-private Cheers Steve Wilson Lockstep. On 2/08/2011 1:11 PM, Nicholas Crown wrote:
If they want to enjoy private communications online, then they should build their own private network. Why do we believe that public infrastructure should be treated any differently than the public square?
As for persecution, I understand the concerns. There are ways to communicate about sensitive issues that don't involve social networking sites. Hiding behind a pseudonym will do nothing to advance the cause for which one should fear the risks of exposure. Plenty of revolutions were started without the help of anonymous tweets. They figured out a way to get it done, because the cause was worth the risk. Our Identity ecosystem doesn't need the complexity and issues that come with this anymore than someone who is willing to die for their cause needs a mask to hide behind while online.
Nick
On Mon, Aug 1, 2011 at 7:08 PM, Stephen Wilson <swilson@lockstep.com.au <mailto:swilson@lockstep.com.au>> wrote:
Nicholas,
I wonder if you are a middle class, middle aged white guy who has been lucky enough to have never experienced persecution, or had good grounds to fear it? The implicit sentiment that "if you've got nothing to hide, you've got nothing to worry about" is too often the position of the privileged. Can you not imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications?
Steve.
Stephen Wilson Managing Director Lockstep Group
Phone +61 (0)414 488 851 <tel:%2B61%20%280%29414%20488%20851>
http://lockstep.com.au <http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.
ENOUGH From: Stephen Wilson <swilson@lockstep.com.au<mailto:swilson@lockstep.com.au>> Reply-To: "swilson@lockstep.com.au<mailto:swilson@lockstep.com.au>" <swilson@lockstep.com.au<mailto:swilson@lockstep.com.au>> Date: Tue, 2 Aug 2011 05:54:56 +0100 To: Nicholas Crown <nick@thecrowns.org<mailto:nick@thecrowns.org>> Cc: "community@lists.idcommons.net<mailto:community@lists.idcommons.net>" <community@lists.idcommons.net<mailto:community@lists.idcommons.net>>, "community@kantarainitiative.org<mailto:community@kantarainitiative.org>" <community@kantarainitiative.org<mailto:community@kantarainitiative.org>> Subject: Re: [Kantara - Community] Privacy underestimated by the privileged [was: Google+ "real" names and NSTIC] Nick, Do you really compare the Internet -- the global business infrastructure of the future -- with a public square?? The comparison is not even wrong. One's everyday activities in "public" actually benefit from a host of inherent privacy features (collection limitation, use & disclosure limitation, data retention limitation) that are shattered by information technologies. If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tatooing names on peoples' foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit. See also http://lockstep.com.au/blog/2011/01/26/public-yet-still-private Cheers Steve Wilson Lockstep. On 2/08/2011 1:11 PM, Nicholas Crown wrote: If they want to enjoy private communications online, then they should build their own private network. Why do we believe that public infrastructure should be treated any differently than the public square? As for persecution, I understand the concerns. There are ways to communicate about sensitive issues that don't involve social networking sites. Hiding behind a pseudonym will do nothing to advance the cause for which one should fear the risks of exposure. Plenty of revolutions were started without the help of anonymous tweets. They figured out a way to get it done, because the cause was worth the risk. Our Identity ecosystem doesn't need the complexity and issues that come with this anymore than someone who is willing to die for their cause needs a mask to hide behind while online. Nick On Mon, Aug 1, 2011 at 7:08 PM, Stephen Wilson <swilson@lockstep.com.au<mailto:swilson@lockstep.com.au>> wrote: Nicholas, I wonder if you are a middle class, middle aged white guy who has been lucky enough to have never experienced persecution, or had good grounds to fear it? The implicit sentiment that "if you've got nothing to hide, you've got nothing to worry about" is too often the position of the privileged. Can you not imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications? Steve. Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851<tel:%2B61%20%280%29414%20488%20851> http://lockstep.com.au <http://www.lockstep.com.au><http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.
Suggested reading in this forum should be Eugeny Morozov's The Net Delusion. It explains techno-political reality to the cyber utopians of the world. That reality includes the ability of almost every government to circumvent anonymous capabilities. Conversely, if mandated by national law, those mandates impose significant costs on everyone in an unrealistic attempt to protect the paranoia of the few. Those costs include major distortions in national trade in services (effectively moving the services offshore), and diminishing innovation in provisioning new services. In addition, the attempts of most nations to instantiate cybersecurity infrastructure protection capabilities combined with enforcing IPR protection and protection of children online, is a losing battle. --tony On 8/1/2011 8:08 PM, Stephen Wilson wrote:
risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications?
On 2 August 2011 22:50, Tony Rutkowski <trutkowski@netmagic.com> wrote:
Suggested reading in this forum should be Eugeny Morozov's The Net Delusion. It explains techno-political reality to the cyber utopians of the world.
That reality includes the ability of almost every government to circumvent anonymous capabilities. Conversely, if mandated by national law, those mandates impose significant costs on everyone in an unrealistic attempt to protect the paranoia of the few. Those costs include major distortions in national trade in services (effectively moving the services offshore), and diminishing innovation in provisioning new services. In addition, the attempts of most nations to instantiate cybersecurity infrastructure protection capabilities combined with enforcing IPR protection and protection of children online, is a losing battle.
--tony
I agree on one hand to this statement. I think you correctly point to the fact that it becomes intractable for a centralised authority to oversee the activity of a whole communications infrastructure; but if you also mean that the protection of an individual's privacy, and the representation of an individual's activity over a collection of devices for a set period of time is similarly doomed, I will have to disagree. -- Employment-from-home. Make mine part-time. You've go a job for me working full-time from an office? No thanks. Clique Space(TM). Practical, Ubiquitous, Individual, and Real-time Security and Identity in Cyberspace. Research paper on Clique Space: http://ssrn.com/abstract=1714848 Owen's Garden of Thought: http://owenpaulthomas.blogspot.com/ Twitter: @CliqueSpace <http://www.elance.com/CliqueSpace>www.cliquespace.net Skype: owen.paul.thomas Mobile: +61 401 493 433
Morozov falls into the trap almost everyone else is also in: duality. The reality is that you can almost always be anonymous or pseudonymous (in many cases unlinkably pseudonymous) - and at the SAME TIME, you can almost always be identified. It takes very little effort to set up a pseudonym and do a few simple things to obscure your "real" identity (whatever that might mean; the Platonists have deluded us into thinking a "true identity" exists...). It takes a LOT of effort to identify an individual who has carefully obscured his identity. But identification can almost always be done if the money and effort are invested. Both of these are good things; it's good to let people be anonymous or pseudonymous, and it's good that the police can find malefactors if they try hard enough. It is not the goal of a civilized society to spend a lot of money or effort making things easy for the police. -- bob BOB BLAKLEY Vice President & Distinguished Analyst, Gartner ITP Identity & Privacy bob.blakley@gartner.com | +1 (512) 657-0768 http://www.gartner.com | http://blogs.gartner.com/bob-blakley/ On 2/Aug/11 7:50 AM, "Tony Rutkowski" <trutkowski@netmagic.com> wrote:
Suggested reading in this forum should be Eugeny Morozov's The Net Delusion. It explains techno-political reality to the cyber utopians of the world.
That reality includes the ability of almost every government to circumvent anonymous capabilities. Conversely, if mandated by national law, those mandates impose significant costs on everyone in an unrealistic attempt to protect the paranoia of the few. Those costs include major distortions in national trade in services (effectively moving the services offshore), and diminishing innovation in provisioning new services. In addition, the attempts of most nations to instantiate cybersecurity infrastructure protection capabilities combined with enforcing IPR protection and protection of children online, is a losing battle.
--tony
On 8/1/2011 8:08 PM, Stephen Wilson wrote:
risks to many of the dispossessed or disadvantaged in the world. Why should people have to go hide offline to enjoy privacy of their communications?
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
This e-mail message, including any attachments, is for the sole use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Gartner makes no warranty that this e-mail is error or virus free.
Nicholas, Translation of your question: Why can't people with unpopular views just stand up in public and be killed for them, or stay in the closet? It's great to stand up for what you believe in in a nice safe affluent white suburb where everything is theoretical. It's a lot different to come out of the closet in Uganda, where the government is trying to impose the death penalty for homosexuality. And you don't have to go to Uganda; people are killed for being gay every year in most states of the USA. And gay isn't the only thing that can get you killed – ask any Muslim you happen to meet. -- bob BOB BLAKLEY Vice President & Distinguished Analyst, Gartner ITP Identity & Privacy bob.blakley@gartner.com | +1 (512) 657-0768 http://www.gartner.com | http://blogs.gartner.com/bob-blakley/ From: Nicholas Crown <nick@thecrowns.org<mailto:nick@thecrowns.org>> Reply-To: Nicholas Crown <nick@thecrowns.org<mailto:nick@thecrowns.org>> Date: Mon, 1 Aug 2011 18:09:30 -0400 To: "community@lists.idcommons.net<mailto:community@lists.idcommons.net>" <community@lists.idcommons.net<mailto:community@lists.idcommons.net>>, "community@kantarainitiative.org<mailto:community@kantarainitiative.org>" <community@kantarainitiative.org<mailto:community@kantarainitiative.org>> Subject: Re: [community] Google+ "real" names and NSTIC but that is a totally different problem then the one I am raising which is whether people with medical conditions they want to talk about with others and get support (share +1s) or a buddhist in Kansas (can share freely with other buddhists or seekers without their hyper conservative christian neighbors finding out) or having a feminist persona that is not linked to your work identity in the tech industry (and if it was you would find work had to come by in the valley) is free to use google+ not linked to a "real name". Why can't people just be who they are and stand in their own shoes for what they believe in? Trying to be a buddhist behind closed doors in Kansas does no one any good. If you believe in feminist tenants, than stand up for those and speak your voice. I understand that persecution could come in any one of these cases, but that is the beauty of taking a stand on the truth. If your ideal is not worth sharing with your own ID, then it's not for you. About the only one that I struggle with is the case where you have some medical condition you would like to discuss in a private setting. Can that case not be solved with a private/closed group? If it's too sensitive for that, then take it offline. Nick On Mon, Aug 1, 2011 at 4:49 PM, Tony Rutkowski <trutkowski@netmagic.com<mailto:trutkowski@netmagic.com>> wrote: "Rights to anonymity." Surely you are joking. In law, there is no such network based right. In technology, there is no such capability. Like Scott McNealy said rather publicly in 1995 - Privacy: get over it. --tony On 8/1/2011 5:38 PM, Stephen Wilson wrote: (3) If you use crime prevention as the rationale for taking away users' rights to anonymity, then ____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net<mailto:community@lists.idcommons.net> To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net<mailto:community-unsubscribe@lists.idcommons.net> For all list information and functions, see: http://lists.idcommons.net/lists/info/community ________________________________ This e-mail message, including any attachments, is for the sole use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Gartner makes no warranty that this e-mail is error or virus free.
On 2/08/2011 7:49 AM, Tony Rutkowski wrote:
"Rights to anonymity." Surely you are joking.
In law, there is no such network based right. In technology, there is no such capability.
You're wrong there. European and Australian information privacy law expressly provides individuals with the right to transact anonymously.
Like Scott McNealy said rather publicly in 1995 - Privacy: get over it.
--tony
On 8/1/2011 5:38 PM, Stephen Wilson wrote:
(3) If you use crime prevention as the rationale for taking away users' rights to anonymity ...
Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au <http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy.Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.
Please provide a citation to a provision that conveys such a right unconditionally over electronic networks. --tony On 8/1/2011 7:57 PM, Stephen Wilson wrote:
You're wrong there. European and Australian information privacy law expressly provides individuals with the right to transact anonymously.
See http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp8 Australian National Privacy Principle NPP 8 "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation". Cheers, @Steve_lockstep Stephen Wilson Managing Director Lockstep Group Phone +61 (0)414 488 851 http://lockstep.com.au <http://www.lockstep.com.au> Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy.Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. On 2/08/2011 10:25 AM, Tony Rutkowski wrote:
Please provide a citation to a provision that conveys such a right unconditionally over electronic networks. --tony
On 8/1/2011 7:57 PM, Stephen Wilson wrote:
You're wrong there. European and Australian information privacy law expressly provides individuals with the right to transact anonymously.
That is a long way from: Please provide a citation to a provision that conveys such a right unconditionally over electronic networks. -tony On 8/1/2011 10:14 PM, Stephen Wilson wrote:
See http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp8
Australian National Privacy Principle NPP 8 "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation".
Oh for gods sake Rutkowski, it's a long way *further* than your bombastic assertion that "In law, there is no such network based right [to anonymity]". The Australian Privacy Act requires any private business turning over more than $3M p.a. to comply with the 10 NPPs including NPP 8 cited above. Nobody ever said privacy is unconditional. Steve Wilson. On 2/08/2011 9:32 PM, Tony Rutkowski wrote:
That is a long way from:
Please provide a citation to a provision that conveys such a right unconditionally over electronic networks.
-tony
On 8/1/2011 10:14 PM, Stephen Wilson wrote:
See http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp8
Australian National Privacy Principle NPP 8 "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation".
You don't need to look as far afield as Australia or the EU. Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical, minority views . . . Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society. ———— 1995 Supreme Court ruling in McIntyre v. Ohio Elections Commission On Tue, 02 Aug 2011 21:39 +1000, "Stephen Wilson" <swilson@lockstep.com.au> wrote: Oh for gods sake Rutkowski, it's a long way *further* than your bombastic assertion that "In law, there is no such network based right [to anonymity]". The Australian Privacy Act requires any private business turning over more than $3M p.a. to comply with the 10 NPPs including NPP 8 cited above. Nobody ever said privacy is unconditional. Steve Wilson. On 2/08/2011 9:32 PM, Tony Rutkowski wrote: That is a long way from: Please provide a citation to a provision that conveys such a right unconditionally over electronic networks. -tony On 8/1/2011 10:14 PM, Stephen Wilson wrote: See [1]http://www.privacy.gov.au/materials/types/infosheets/view/6 583#npp8 Australian National Privacy Principle NPP 8 "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation". _______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community References 1. http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp8 Robin Wilton +44 (0)705 005 2931
Accountability does not require real names. Carrot Top has been arrested. -- bob BOB BLAKLEY Vice President & Distinguished Analyst, Gartner ITP Identity & Privacy bob.blakley@gartner.com | +1 (512) 657-0768 http://www.gartner.com | http://blogs.gartner.com/bob-blakley/ On 1/Aug/11 1:57 PM, "Tony Rutkowski" <trutkowski@netmagic.com> wrote:
Isn't that what Anders Brevik advocated?
The reality is that a very large number of miscreants use communications networks for exponentially increasing crime, infrastructure attacks, and all kinds of behavior that significantly harms others. They far outnumber the Buddhists in Kansas. Most rational societies will opt for protecting themselves, and those folks in Kansas will have to deal with their neighbors.
Why is accountability only for identity providers. Those using those identities should be accountable as well.
--tony
On 8/1/2011 2:13 PM, Kaliya wrote:
It is about freedom of speech and self representation on the network. Expression not "privacy".
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
This e-mail message, including any attachments, is for the sole use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Gartner makes no warranty that this e-mail is error or virus free.
Although this discussion has focused on whether people should be able to use pseudonyms online, there is a related issue that no one has raised. Using a persistent pseudonym like "Identity Woman" in effect becomes someone's personal brand. Since it's become your personal brand, you'd presumably like to prevent others from using that same pseudonym. What if someone else were to start identifying themselves as "Identity Woman" in blog comments or other online transactions? You could perhaps sue them, if you can legally claim some kind of ownership of the pseudonym. But that's a messy, inconvenient, and expensive remedy. Is this a real concern, or am I just inventing some new problem here? I think it's related to online identity theft, regardless of whether that identity is your "real" identity or some pseudonym that's become associated with one individual and represents that individual's personal brand. The issue is, how do you prevent someone else from claiming your identity (represented by some name or other set of attributes meant to uniquely identify you), especially when that identity is being used to obtain a high value service? This may not be a problem today with pseudonyms, but it's certainly a problem with "real" identities. The ability of an evildoer to use your personal information online to obtain a new credit card, or to access online financial accounts or medical records, or even to access your email (by using "social engineering" to do a password reset) has become a significant problem. Does NSTIC solve this problem? Not really. You could voluntarily seek out an identity provider that will vet your identity and issue you some sort of high assurance credential bound to that identity. [I have no idea how this would work with pseudonyms. What would be the criteria for asserting that "Identity Woman" belongs to you and no one else? There would need to be some rules defined for such things.] But even if you did this, NSTIC is voluntary. There is no requirement that all service providers authenticate an identity claim using such credentials before providing their service. So identity theft (using real identities or pseudonyms) is still a possibility. [I'm going to ignore privacy concerns for the time being.] There seems to be two possible approaches for preventing online impersonation. One is to require *all* providers of certain types of "high value" services to take "adequate" steps to authenticate an identity claimed by someone seeking its service. Such a requirement would not be able to mandate the use of NSTIC-compliant credentials, but presumably such credentials would serve this purpose more effectively than other methods. Another possibility would be to create incentives (legal, economic, or something else) that would motivate providers of high value services to perform these authentications. These incentives would need to be defined in such a way to encourage high assurance authentication for high value services, where harm could come to someone who is successfully impersonated, while specifically discouraging high assurance authentication for other kinds of services. Bob Pinheiro kantara@bobpinheiro.com On 8/1/2011 2:13 PM, Kaliya wrote:
The freedom to use a pseudonym online that is persistent and not a spammer and not spouting hate speech and not doing anything illegal is what this is about.
Actually, after the debt ceiling decisions taken over the past 24hours, it may not even be public relations. Those trillions are going to come from somewhere, and NSTIC is going to be up at the top of the elimination list. NSTIC is the latest in a lineage that began with Melissa's cybersecurity report, followed by SOT (oops, bad acronym), followed by (shazaam) NSTIC. NSTIC reminds me of the fessing up speech by Matt Damon in the film The Adjustment Bureau where he explains just what went into determining the perfect amount of scuffing on his shoes. Look at NSTIC as those shoes. Vintage Washington politics. --tony n 8/1/2011 2:50 PM, Johannes Ernst wrote:
chuckle. NSTIC is about public relations.
Interesting … could you expand on that a bit?
chuckle. NSTIC is about public relations.
And here I thought it was about the highest bidder -----Original Message----- From: community@lists.idcommons.net [mailto:community@lists.idcommons.net] On Behalf Of Tony Rutkowski Sent: Monday, August 01, 2011 11:04 AM To: Kaliya Cc: community@lists.idcommons.net; stewards@lists.idcommons.net; community@kantarainitiative.org Subject: Re: [community] Google+ "real" names and NSTIC chuckle. NSTIC is about public relations. If you want accountability, you want regulatory requirements and enforcement. See, 47 CFR. If you want privacy, find a nice trail in the wilderness and turn off your communications devices. --tony On 8/1/2011 1:14 PM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net For all list information and functions, see: http://lists.idcommons.net/lists/info/community
On Aug 1, 2011, at 11:52 AM, Anthony Nadalin wrote:
chuckle. NSTIC is about public relations.
And here I thought it was about the highest bidder
Bidding for what?
-----Original Message----- From: community@lists.idcommons.net [mailto:community@lists.idcommons.net] On Behalf Of Tony Rutkowski Sent: Monday, August 01, 2011 11:04 AM To: Kaliya Cc: community@lists.idcommons.net; stewards@lists.idcommons.net; community@kantarainitiative.org Subject: Re: [community] Google+ "real" names and NSTIC
chuckle. NSTIC is about public relations.
If you want accountability, you want regulatory requirements and enforcement. See, 47 CFR. If you want privacy, find a nice trail in the wilderness and turn off your communications devices.
--tony
On 8/1/2011 1:14 PM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
I believe strongly in the need for NSTIC to support pseudonymous identity; that's the reason I have been pushing to separate the issuance and management of credentials from the binding of attributes. Name should be "just another" attribute, just like whether I'm age 13-19, a resident of California, and a Cisco employee. Identity proofing should be associated with the binding of the name attribute to a credential, not the issuance itself. I have been working with NIST to make them aware of that need in their current revision of SP 800-63, because while it's only normative for the US Government, it's a model that a lot of others use. That having been said, in the NSTIC model, Relying Parties can request any attributes they want, and the User can decide whether or not to release those attributes. If the User doesn't release the requested attributes, the Relying Party is free to deny service to that user. In this case, Google+ has made a commercial decision to require users to use their real names in order to access their service. They must realize that this is going to cause some people not to use Google+, but it's the rules they have set for their community. If their calculation on that is wrong and they don't get "enough" users on those terms, they could change their minds. However, I am really disappointed to hear that users are losing their entire Google "life" (GMail, etc.) as a result of this, especially without prior notice. This is much more of a pressure tactic. At the most, Google should clear the "offending" name from the user's Google profile (which would probably render Google+ inoperative) and give the user the ability to repopulate that field with a real name, or to leave it blank and continue to use other Google services without the name field specified. -Jim (hoping not to be suspended for using "Jim" rather than "James") On 8/1/11 10:14 AM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability <http://www.identitywoman.net/the-trouble-with-trust-the-case-for-accountability-frameworks>" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
- Kaliya
Kaliya Hamlin, /Identity Woman (//blog/ <http://www.identitywoman.net/>/) (//twitter/ <http://www.twitter.com/identitywoman>/)/ Internet Identity Workshop <http://www.internetidentityworkshop.com/> - Co-Founder, Co-Producer, Co-Facilitator / / / / Kaliya@identitywoman.net <mailto:Kaliya@identitywoman.net> Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com <mailto:Identitywoman@gmail.com> AIM/ichat kaliya@mac.com <mailto:kaliya@mac.com> Yahoo! earthwaters
I am curious to see what others think about supporting multiple values for name. It is not unusual or illegal for someone to be known by two or more different names. The easiest example is when someone changes their name after getting married. If nothing else, there is a transition period where people (or applications) may not know your new name. It is a level of complexity that is added. You have processes that may break, and you have to make decisions on which name to display, if needed. There are many other issues/thoughts, but was wondering what the group thought about this? Alexis Bor alexis.bor (Skype) From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Jim Fenton Sent: Monday, August 01, 2011 2:21 PM To: Kaliya Cc: community@lists.idcommons.net; community@kantarainitiative.org; stewards@lists.idcommons.net Subject: Re: [Kantara - Community] [community] Google+ "real" names and NSTIC I believe strongly in the need for NSTIC to support pseudonymous identity; that's the reason I have been pushing to separate the issuance and management of credentials from the binding of attributes. Name should be "just another" attribute, just like whether I'm age 13-19, a resident of California, and a Cisco employee. Identity proofing should be associated with the binding of the name attribute to a credential, not the issuance itself. I have been working with NIST to make them aware of that need in their current revision of SP 800-63, because while it's only normative for the US Government, it's a model that a lot of others use. That having been said, in the NSTIC model, Relying Parties can request any attributes they want, and the User can decide whether or not to release those attributes. If the User doesn't release the requested attributes, the Relying Party is free to deny service to that user. In this case, Google+ has made a commercial decision to require users to use their real names in order to access their service. They must realize that this is going to cause some people not to use Google+, but it's the rules they have set for their community. If their calculation on that is wrong and they don't get "enough" users on those terms, they could change their minds. However, I am really disappointed to hear that users are losing their entire Google "life" (GMail, etc.) as a result of this, especially without prior notice. This is much more of a pressure tactic. At the most, Google should clear the "offending" name from the user's Google profile (which would probably render Google+ inoperative) and give the user the ability to repopulate that field with a real name, or to leave it blank and continue to use other Google services without the name field specified. -Jim (hoping not to be suspended for using "Jim" rather than "James") On 8/1/11 10:14 AM, Kaliya wrote: NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this. Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars. Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either). I am curious what others think is there a link? and are you having your accounts suspended? I am all for "Accountability<http://www.identitywoman.net/the-trouble-with-trust-the-case-for-accountability-frameworks>" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real". - Kaliya Kaliya Hamlin, Identity Woman (blog<http://www.identitywoman.net/>) (twitter<http://www.twitter.com/identitywoman>) Internet Identity Workshop<http://www.internetidentityworkshop.com/> - Co-Founder, Co-Producer, Co-Facilitator Kaliya@identitywoman.net<mailto:Kaliya@identitywoman.net> Cel +1 (510) 472-9069 Skype: IdentityWoman GTalk: Identitywoman@gmail.com<mailto:Identitywoman@gmail.com> AIM/ichat kaliya@mac.com<mailto:kaliya@mac.com> Yahoo! earthwaters
Did you have your first and last name in your profile? In my case independentidentity has not been touched. I guess because I have a name in addition to my avatar. Phil On 2011-08-01, at 10:14, Kaliya <kaliya@mac.com> wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
- Kaliya
Kaliya Hamlin, Identity Woman (blog) (twitter)
Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator
Kaliya@identitywoman.net Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
You can now add other names to your Google+ profile that will show up in searches for you. There was a discussion on this on Google+ by Caterina Fake[1] after a post she wrote[2] and a post from Brad Horowitz on Google's policy[3] [1] https://plus.google.com/u/0/115478779964227301239/posts [2] http://caterina.net/wp-archives/88 [3] https://plus.google.com/u/0/113116318008017777871/posts/VJoZMS8zVqU On 2011-08-01, at 11:23 AM, Phil Hunt wrote:
Did you have your first and last name in your profile? In my case independentidentity has not been touched. I guess because I have a name in addition to my avatar.
Phil
On 2011-08-01, at 10:14, Kaliya <kaliya@mac.com> wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
- Kaliya
Kaliya Hamlin, Identity Woman (blog) (twitter)
Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator
Kaliya@identitywoman.net Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
I'm guessing that Google + is using a dictionary "attack" to figure out if a name is real.. or a word that is not a name. "Identity" and "woman" separated.. would be hit by an automated dictionary scan.. and generate a shutdown. A name like "independentidentity" is too long and doesn't fit any dictionary of non-name words.. Outside of the issues where google is forcing long term "personal trademarks" out, they seem to be doing a sort of silly dictionary scan of names and aren't even checking or notifying people in advance. The whole real name issue is poorly done at Google+, and I think Kaliya is right to point out that Google + is making policy with this, because they have a lot of power in the marketplace. And Google + is doing it because they think the NSTIC wants real names, when in fact the government is not saying that at all. mary On Aug 1, 2011, at 11:23 AM, Phil Hunt wrote:
Did you have your first and last name in your profile? In my case independentidentity has not been touched. I guess because I have a name in addition to my avatar.
Phil
On 2011-08-01, at 10:14, Kaliya <kaliya@mac.com> wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
- Kaliya
Kaliya Hamlin, Identity Woman (blog) (twitter)
Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator
Kaliya@identitywoman.net Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
And Google + is doing it because they think the NSTIC wants real names, when in fact the government is not saying that at all. I don't this policy has anything to do with NSTIC. I would say it is similar reasons why Facebook has a realname policy. -- Dick
This has nothing to do with NSTIC and everything to do with what is perceived as valuable in making social networks successful. It may or may not have something to do with Googles minimization model. This level of pretend identity proofing would not be sufficient for NSTIC. I expect that google will continue to make pseudonymous federated identity possible (perhaps no longer their default). They were the ones who insisted on it in openID 2.0. I don't think this or Facebook's misdeeds can be attributed to NSTIC which is mostly a wish list of things that could or should be part of a future Identity ecosystem. However I would expect the NSTIC privacy people to say this is what you get in a totally free market solution. Perhaps another argument for a NSTIC type plan. John B. On 2011-08-01, at 2:53 PM, Dick Hardt wrote:
And Google + is doing it because they think the NSTIC wants real names, when in fact the government is not saying that at all.
I don't this policy has anything to do with NSTIC. I would say it is similar reasons why Facebook has a realname policy.
-- Dick ____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
On 8/1/11 12:11 PM, John Bradley wrote:
This has nothing to do with NSTIC and everything to do with what is perceived as valuable in making social networks successful. It may or may not have something to do with Googles minimization model.
This level of pretend identity proofing would not be sufficient for NSTIC.
Not necessarily. NSTIC doesn't specify any particular level of identity proofing, and it's really up to the Relying Party what if any proofing they need. Of course, verifying that users have names that appear to be real isn't identity proofing at all. Does that mean that the dog in the IIW logo is OK on Google+ if his name is "Fred Smith" but not if his name is "Rover Smith"?
I expect that google will continue to make pseudonymous federated identity possible (perhaps no longer their default).
They were the ones who insisted on it in openID 2.0.
I don't think this or Facebook's misdeeds can be attributed to NSTIC which is mostly a wish list of things that could or should be part of a future Identity ecosystem.
However I would expect the NSTIC privacy people to say this is what you get in a totally free market solution. Perhaps another argument for a NSTIC type plan.
Agreed; it is the Relying Party's business decision that drove the "use your real name" community standard in Google+. -Jim
OK so the Google dictionary pretend proofing would not be sufficient for any of the FICAM levels required by the gov. So while it may be useful for some social network reason, it is not related to any of the higher levels of assurance that NSTIC is talking about. In NSTIC one of the premises is that a identity that is proofed as being real by some service provider should be able to be used pseudonymously at relying parties. I am tempted to blame NSTIC for a lot of things this however is not one of them. John B. On 2011-08-01, at 4:12 PM, Jim Fenton wrote:
On 8/1/11 12:11 PM, John Bradley wrote:
This has nothing to do with NSTIC and everything to do with what is perceived as valuable in making social networks successful. It may or may not have something to do with Googles minimization model.
This level of pretend identity proofing would not be sufficient for NSTIC.
Not necessarily. NSTIC doesn't specify any particular level of identity proofing, and it's really up to the Relying Party what if any proofing they need. Of course, verifying that users have names that appear to be real isn't identity proofing at all.
Does that mean that the dog in the IIW logo is OK on Google+ if his name is "Fred Smith" but not if his name is "Rover Smith"?
I expect that google will continue to make pseudonymous federated identity possible (perhaps no longer their default).
They were the ones who insisted on it in openID 2.0.
I don't think this or Facebook's misdeeds can be attributed to NSTIC which is mostly a wish list of things that could or should be part of a future Identity ecosystem.
However I would expect the NSTIC privacy people to say this is what you get in a totally free market solution. Perhaps another argument for a NSTIC type plan.
Agreed; it is the Relying Party's business decision that drove the "use your real name" community standard in Google+.
-Jim
I agree. I think this has NOTHING to do with NSTIC. Facebook's "real name" policy is even more farcical than Google's. Log into Facebook and search for Eliot Spitzer. -- bob BOB BLAKLEY Vice President & Distinguished Analyst, Gartner ITP Identity & Privacy bob.blakley@gartner.com | +1 (512) 657-0768 http://www.gartner.com | http://blogs.gartner.com/bob-blakley/ From: Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> Reply-To: Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> Date: Mon, 1 Aug 2011 14:53:54 -0400 To: Mary Hodder <mary@hodder.org<mailto:mary@hodder.org>> Cc: Phil Hunt <phil.hunt@yahoo.com<mailto:phil.hunt@yahoo.com>>, Kaliya Hamlin <kaliya@mac.com<mailto:kaliya@mac.com>>, "community@lists.idcommons.net<mailto:community@lists.idcommons.net>" <community@lists.idcommons.net<mailto:community@lists.idcommons.net>>, "stewards@lists.idcommons.net<mailto:stewards@lists.idcommons.net>" <stewards@lists.idcommons.net<mailto:stewards@lists.idcommons.net>>, "community@kantarainitiative.org<mailto:community@kantarainitiative.org>" <community@kantarainitiative.org<mailto:community@kantarainitiative.org>> Subject: Re: [community] Google+ "real" names and NSTIC And Google + is doing it because they think the NSTIC wants real names, when in fact the government is not saying that at all. I don't this policy has anything to do with NSTIC. I would say it is similar reasons why Facebook has a realname policy. -- Dick ________________________________ This e-mail message, including any attachments, is for the sole use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Gartner makes no warranty that this e-mail is error or virus free.
I've been playing minimally with Google+ for a few weeks and it's clear to me that it's Facebook 1.3b1 with a different name. We can't fix that. Nor can NSTIC or any other noble effort. It is what it is. The deeper problem is limiting our imagination's scope to the calf-cow system we call client-server, which has metasticised with "social networks" that substitute closed ranches for the open Web, for billions of people. I wrote about this in A Sense of Bewronging: <http://blogs.law.harvard.edu/doc/2011/04/02/a-sense-of-bewronging/>. Google+ might be better than Facebook, but it's one more ranch. On the one hand, maybe it's nice that Google wants you to to be "real" in how you brand yourself. But they're still wanting brands. They don't want you to bring onto their ranch whatever you called yourself out on the open range. It would be unwise in the extreme for NSTIC to be involved with any vendor, including (and perhaps especially) Google. Meanwhile, a question: With NSTIC can I be my own "trusted identity provider"? I don't know the answer. But if it's no, it's about ranching, not the wide open Internet, and not about user-driven (or centric) digital ID. If it's yes, then NSTIC should steer clear of siding with any "social" ranch, no matter how much NSTIC likes one of those ranch's causes. And it should stand with liberating efforts, rather than more of the same from the likes of Google I'm assuming NSTIC does. Am I right? IMHO. Doc On Aug 1, 2011, at 1:14 PM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
- Kaliya
Kaliya Hamlin, Identity Woman (blog) (twitter)
Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator
Kaliya@identitywoman.net Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
I've been playing minimally with Google+ for a few weeks and it's clear to me that it's Facebook 1.3b1 with a different name. We can't fix that. Nor can NSTIC or any other noble effort. Google+ is what it is. Namely, a service meant to operate "at scale," which means with minimal interaction with individuals who are not customers (those would be advertisers) and use the service for free. Google is clearly learning by doing, however, and I'd be cautious about jumping to early conclusions. See: <http://searchenginewatch.com/article/2096925/Google-VP-Explains-the-Google-Real-Name-Policy> <http://www.pcmag.com/article2/0,2817,2389078,00.asp> The deeper problem is on our side, and it's limiting our imagination's scope to the calf-cow system we call client-server, which has metasticised with "social networks" that substitute closed ranches for the open Web. These ranches (of which Facebook and Google+ are two) are now occupied by billions of people. I wrote about this in A Sense of Bewronging: <http://blogs.law.harvard.edu/doc/2011/04/02/a-sense-of-bewronging/>. My point: Google+ might be better than Facebook, but it's one more ranch. Being a calf there doesn't give me the warm fuzzies, because I don't want to be a calf at all. I wish to be the human being I am. The calf-cow system works against that, and always has. Back to the identity issue. On the one hand, maybe it's nice that Google wants you to to be "real" in how you brand yourself. But, on the other hand they're still wanting brands, only now personal ones. They don't want you to bring onto their ranch whatever you called yourself out on the open range. As for NSTIC, it would be unwise in the extreme for it to take sides with any vendor, including (and perhaps especially) Google. Is that actually what's going on? How exactly is NSTIC part of the "real names" push by Google? Whatever the answer, I have another question: With NSTIC can I be my own "trusted identity provider"? I don't know the answer. If it's no, it's about ranching, not the wide open Internet, and not about user-driven (or even -centric) digital ID. If it's yes, then NSTIC should steer clear of siding with any "social" ranch, no matter how much NSTIC likes one of those ranch's causes. NSTIC should stand with liberating efforts, rather than more of the same from the likes of Google. (And I don't mean that negatively. In the current system, companies like Google default to ranching on the calf-cow model. I invite them to explore alternatives.) I'm assuming NSTIC does stand with liberating efforts as well as the Usual Suspects running ranches. Am I right? This page on NSTIC <http://www.nist.gov/nstic/identity-ecosystem.html> says that they're hip to the Identity Ecosystem, but it also talks about effects (a roster of Good Things) rather than causes (who they're with and what those efforts are doing). This is all IMHO; and I beg forgiveness for not understanding NSTIC better. Can't know everything, y'know? Doc P.S. The first time I sent this was from another address, so it got held for moderation: a minor identity issue. This time I'm coming from the address to which the original mail was sent. This version is longer and more thought-out, fwiw. On Aug 1, 2011, at 1:14 PM, Kaliya wrote:
NSTIC "says" it is about maintaining privacy and freedom of speach we have today on the internet while enabling "when you want to" the ability to use a verified account...but I don't have a good feeling about this.
Over the last week in preparation for the "official" door opening of Google+ they have been sweeping it clear of personas and avatars.
Yesterday I myself was included in the sweep post here: http://www.identitywoman.net/googlereal-name-identity-woman
I had been working on a post I will publish this week about NSTIC being part of the push for so called "real names" in Google+ (and apparently you can't get a google e-mail address without one either).
I am curious what others think is there a link? and are you having your accounts suspended?
I am all for "Accountability" that is different then the sort of mantra around "trusted identities" that the only ones worth trusting for anything must be "real".
- Kaliya
Kaliya Hamlin, Identity Woman (blog) (twitter)
Internet Identity Workshop - Co-Founder, Co-Producer, Co-Facilitator
Kaliya@identitywoman.net Cel +1 (510) 472-9069
Skype: IdentityWoman GTalk: Identitywoman@gmail.com AIM/ichat kaliya@mac.com Yahoo! earthwaters
____________________________________________________________ You received this message as a subscriber on the list: community@lists.idcommons.net To be removed from the list, send any message to: community-unsubscribe@lists.idcommons.net
For all list information and functions, see: http://lists.idcommons.net/lists/info/community
participants (26)
-
Alexis Bor -
Anthony Nadalin -
Ben Laurie -
Blakley,Bob -
Bob Pinheiro -
Dick Hardt -
Doc Searls -
Doc Searls -
Francisco Corella -
heather vescent -
Jim Fenton -
Johannes Ernst -
John Bradley -
john.1.kemp@nokia.com -
Joni Brennan -
Kaliya -
Mary Hodder -
Melinda Shore -
mike riddell -
Nicholas Crown -
Owen Thomas -
Phil Hunt -
Phil Wolff -
Robin Wilton -
Stephen Wilson -
Tony Rutkowski