Ruminations on Architecture & Security

December 19, 2008

Disturbances in the cloud

Filed under: Privacy, SOA, Security — Bavo De Ridder @ 2:32 pm

Cloud computing is cool, no doubt about that. Never have more good-looking, futuristic schematics been drawn in Visio. Thousands of presentations, workshops and even conferences have been held on the subject.

One question however has not been clearly answered yet … what about data ownership? What about privacy of that data? When your applications are running in the cloud you are also handing over your data to whoever is running the data center. How sure are you that they protect this data as they should? What about these situations:

  1. Your cloud partner goes out of business and your data becomes a valuable asset that can be sold to pay off debt. How well are you protected from this scenario? Or … what are the guarantees about confidentiality? Think SalesForce …
  2. Your cloud partner goes out of business without any warning, your applications are offline, your data is not accessible. Worst case you get a couple of days notice, best case a couple of weeks. Does your disaster recovery plan take this into account? How fast can you move to a new cloud partner or your own data center? How much data will you lose? How recent is the data you go online with after recovery?
  3. Your cloud partner decides to disable a feature in their application, a feature you depend on. Does your disaster recovery plan take this into account? This is not far-fetched; in a small way this is what happened when Microsoft decided to disable anonymous comments on their Live Blog. They even did this retroactively and so revealed identity information of authors who previously had been anonymous.

None of these scenarios is purely technical in nature and none of them is far-fetched. You can probably think of many more realistic and sure-to-happen situations.

In relation to the third scenario … how many companies have application versions that are far behind the latest public version purely because of functionality or compatibility they depend on? At least all of the companies I have come into contact with are in this situation. If you run everything on your own servers you have a greater deal of control than you can imagine at first. Companies should do their homework when moving some of this into the cloud; they are often giving up far more control than they think they do and want to do. Contracts alone won’t solve it either.

July 3, 2008

YouTube vs. Viacom … what about privacy?

Filed under: Privacy — Bavo De Ridder @ 4:51 pm

Most of you have probably heard about the case where a judge ordered Google to turn over every record of every video watched by YouTube users. That includes the users’ names and IP addresses. This was in response to a complaint filed by Viacom against Google for allowing clips of its copyrighted videos to appear on YouTube. Read about it here. This is the actual ruling from the judge.

I am not going to comment on the copyright issues or the actual complaint filed. I am however worried about the consequences for online privacy. A lot of users will see their personal information being handed over to Viacom even though they probably never watched a single copyrighted clip, or at least were not aware of infringing anyone’s copyright. Somehow this reminds me of the toystar.com case. A company selling toys files for bankruptcy and tries to sell their customer database to the highest bidder. It was eventually stopped by the FTC.

People can hand out personal information to sites and even carefully review the privacy terms before doing so. It means nothing if this kind of ruling can mean your information is handed over to a third party. It would be a different case if that information helped law enforcement agencies to detect crimes and prosecute criminals. I trust law enforcement agencies more than Viacom to properly process that data. Does Viacom give any guarantees on safeguarding this data? Will the processing be transparent and with full disclosure to the users involved?

May 18, 2007

Not being you

Filed under: Identity, Privacy — Bavo De Ridder @ 9:20 am

Lately there has been a lot of talk about anonymity and pseudonymity. Just read around on the blog aggregation Planet Identity.

There is a strong interest in walking around on the Internet, participating in transactions and doing whatever without people knowing who you are. Most federation and user-centric protocols have some sort of support for this. Much of it is driven by Kim Cameron’s identity law on minimal disclosure: only disclose that part of your identity that is absolutely necessary.

I happen to be a fervent player of World of Warcraft. For those of you who don’t know, that is an MORPG (massive online role-playing game). Divided across hundreds of servers, players can create avatars, give them names and create an entire new personality in the virtual world. That sounds like pseudonymity heaven to me. You can literally recreate an entire new identity, new in every aspect. You can choose a different avatar from eight races. A human character versus an orc-based one, how different can it get?

Using that avatar you can play whatever you like. A female, suspicious priest or a strong and eager hunter. You can even start multiple characters, all completely different. This is in fact what most players do. Sounds easy to create different identities, right?

Surprise … no it isn’t. Even seasoned players have complained about how difficult it is to create two different identities. Even when you have all the tools at your disposal: new avatars, new names, different clothing, different professions, different cities … it still isn’t easy to change identity. After a few weeks of playing their new character, most of them are eventually discovered: “Hey, aren’t you also playing this other character?”

You might think “Why?” Well, it seems there is one thing you cannot change, one thing none of the MORPGs, games, federation or user-centric protocols can change: YOU.

No matter how hard you pretend, no matter what tools you have at your disposal for creating a new identity, it is still you. You might be different in the way you look, in your name, but you are still you. You betray yourself by talking, walking and liking the same things. Even if you try hard and pretend to like other things or walk differently, there are so many details of you, that are you, that people recognize and will blow your cover after a while.

Even if CardSpace or OpenID gives me anonymity or pseudonymity, I will probably betray myself the moment I start posting on the forum or buy my favorite music.

The hard part of anonymity or pseudonymity is not in the identification or authorization process; it is afterwards, when you start posting in forums or doing stuff on the Internet, thereby exposing the real you. Remember how search queries on AOL (or Google, Live …) could identify you?

Driver’s License to be the Next Debit Card

Filed under: Access Control, Identity, Privacy — Bavo De Ridder @ 8:55 am

I just came across this article on Business Week: “Use Your Driver’s License as a Debit Card”.

The intent is to use your driver’s license for payment transactions. By coupling your license number to your bank account, they make your driver’s license suitable for payments. Just swipe it, enter your personal code and the money is transferred. This way the shop owner doesn’t have to pay credit card companies those exorbitant fees, and you can carry less plastic around in your wallet.

Sounds like a good idea? Yes and no. Yes, since you don’t have to carry yet another card for doing payments. No, because they are overloading the driver’s license to do stuff it wasn’t made for.

We all know the verification process for the US driver’s license is shaky, to say the least, in most states. The REAL ID act tries to improve this situation by introducing extra measures. But in the end, the verification process remains faulty. It is just less faulty, but still faulty enough. Piggybacking a payment authorization on it is not such a good idea. You could couple the bank account of John to the driver’s license of Jeff. And what happens if your driver’s license is revoked? No payments anymore?

Their aim, reducing the amount of plastic in your wallet, is worthy. Their modus operandi isn’t. Piggybacking one type of identification and authorization onto another type is often dangerous. Not always bad, but often questionable.

Why not introduce a blank card that can store multiple virtual ID cards like your credit card, driver’s license … You just pick and unlock the one you would like to use. That reduces the plastic weight while still separating identities and authorization when needed and when you wish. Sounds like user-centric identity in your wallet.

April 27, 2007

Identity Ownership

Filed under: Identity, Privacy — Bavo De Ridder @ 8:16 am

During lunch on the first day of the Identity Open Space in Brussels one of the attendees mentioned that he wanted more power over his identity since he owns his own identity.

He used the following example: when he sent his resume to a potential employer, he wanted to be informed about what happened to that resume. That sounds fair to me; it contains private and potentially sensitive information. However, he went even further and said that when the recruiter ranked the resume, he wanted to be informed of that rank and why it was ranked like this. His reasoning was: that resume is part of my identity, an identity I own, so I am entitled to that information.

Immediately I was thinking about this article. The article explains in great detail the difficulties you have with “user consent” and “owning your identity”.

If I meet a person, I build up an identity of that person. Part of that identity is based on my perception: the way he walks, talks and behaves. Other parts of that identity are based on what that person told me: his name, phone number, telephone number … Reasoning that the other party also owns the identity I created based on my perception is a bridge too far for me. I should not be forced to disclose my perception about a person because it is somehow connected to him.

You don’t own your identity, in fact, without other people around you, you don’t even have an identity. For me, identity only exists in a relationship with some other party. That identity is the perception that other party has about you. That perception might be based on information it got through several channels. In all cases, you only own a small part of that identity if you own a part at all.

The only identity you really completely own is the identity you have built about yourself in the relationship you have with yourself.

I would like to blog more about this idea of identity only existing within the context of a relationship. Feedback is more than welcome.

October 22, 2006

Two Must-Reads

Filed under: Identity, Privacy — Bavo De Ridder @ 11:26 am

It has been a while since I have blogged about identity. That does not mean I haven’t been actively thinking, reading or discussing the subject. Recently I came across one recent and one older article on identity; I consider both a must-read.

The first one, the oldest, was written by Bob Blakley and discusses the feasibility of the first law of identity, “User control and consent”. A very good read. It touches on most of the difficulties with “user-centric” identity systems. In the Identity Gang discussion group I have touched on the feasibility of identity meta-systems and the forces that could make or break them. This article however does a much better job at this. No matter how interesting identity meta-systems are, I have yet to see some good arguments that prove that current silos (Google, Yahoo!, MSN …) would want to give up the control they have over your personal (identity) information. Or will we end up with a Hobson’s choice? They support the identity meta-system and will play along with specifications like OpenID or Infocards … as long as they are the identity provider issuing the assertions.

The second one, titled “Law of Relational Symmetry”, was posted only a few days ago on the Identity Blog of the Burton Group. It builds upon the reservations made in the first article and gives a well-thought-out attempt at explaining why user-centric identity systems are very hard to accomplish and where potential solutions may be found.

So, grab some quality identity time and go read these articles!

September 18, 2006

Craig, don’t help spammers!

Filed under: Privacy — Bavo De Ridder @ 6:52 am

Craig Burton’s blog is on my blogroll. Yesterday I wanted to comment on a recent post of his about Onfolio and Firefox. The form asked me to insert my email address. Thanks to the amount of spam I receive I have become very reluctant to enter my address. Sites just have no clue about how to deal with them. There are numerous sites posting entire mail archives with no obfuscation whatsoever to protect email addresses. On Craig’s site, I pasted my XRI contact service URL (http://xri.net/=bavo.de.ridder) which would allow both Craig and his readers to contact me.

Sadly enough, the form came back to me, telling me that I should enter a real address. Hmmm, so I had to give my address. Knowing Craig’s reputation I assumed the following:

  1. Craig uses the email address to confirm a real person was posting and I would probably get a confirmation mail I had to respond to before my comment would be published.
  2. Craig would then be smart enough not to publish my email address or at least obfuscate it enough to keep it safe from spammers.

Feeling slightly more comfortable, I entered my real address and hit submit. A few seconds later (actually a lot of seconds later, his site must be on a 32kbps line), the post was submitted. I went to my mail reader to hit “get mail” but nothing had arrived yet. Going back to Craig’s site I discovered that:

  1. The comment was submitted and showed my email address in both the source and the rendered version (so not even basic JavaScript hiding).
  2. I did not receive a confirmation mail.

I mailed Craig to ask him to remove my address from the site. His mail address is available on his site, obfuscated as “gcraigburton [at] Yahoo [dot] com”. Nice. Obfuscation for his address, but all his commenters are exposed.

I am very tempted to include Craig’s mail address, not obfuscated, but I will refrain. Craig’s obfuscation of his own address is weak enough, spammers probably already got it.

Clearing cookies is not enough to save your privacy

Filed under: Privacy — Bavo De Ridder @ 6:36 am

Through a story on Slashdot I came across this article.

Apparently it is not enough to just clear cookies, your cache can also contain some nasty tracking features:

Your browser’s cache is a valuable store of information. A JavaScript .js file resource which is generated dynamically when requested can have embedded a unique tracking ID and can live permanently in your browser’s cache when sent with the right HTTP cache-control headers. This JavaScript file can then be called by pages. The script is never re-requested, and hence keeps the unique ID, and it can call resources on the server-side to track you. They just need to associate this unique ID once with your account (when you login first time after the ID was created), and they can set cookies back again later and track you anyway. The result is that you can be tracked uniquely even past the point where you clear your cookies (i.e., as if you never cleared your cookies to generate fresh ones).

The article informs you that with Firefox you can clear the cache each time you close the browser. Their menu path is wrong, here is the correct one: “Tools -> Options -> Privacy -> Cache -> Settings”. There you can choose what you consider private data. At the bottom of the dialog, you can enable a check box to make Firefox clear this private data on exit.
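To make the quoted mechanism and the fix concrete, here is an added example that is not part of the original post or the quoted article: a toy model (Node.js) of a browser with a separate cookie jar and HTTP cache, talking to a constructed tracking server. The URL `/tracker.js`, the `TRACKING_ID` variable, the `track` cookie and all header values are assumptions made for the simulation. It shows that clearing cookies alone leaves the cached script, and so the identifier, in place, while clearing the cache as well forces a new script and a new identifier.

```javascript
// Added example: simulation of cache-based tracking and the cookie/cache clearing defence.
// Everything here (server, browser, URL, header values) is constructed for illustration.

const ONE_YEAR = 31536000; // seconds, a typical "keep forever" max-age

// Extract max-age from a Cache-Control header; 0 when absent or malformed.
function parseMaxAge(cacheControl) {
  if (!cacheControl) return 0;
  for (const directive of cacheControl.split(",")) {
    const [name, value] = directive.trim().split("=");
    if (name.toLowerCase() === "max-age" && /^\d+$/.test(value || "")) return Number(value);
  }
  return 0;
}

// Constructed tracking server: every uncached request for the script gets a fresh ID
// baked into the body, and the script later beacons that ID back so a cookie can be re-set.
class TrackingServer {
  constructor() { this.counter = 0; }
  serveScript() {
    this.counter += 1;
    const uid = `uid-${this.counter}`;
    return {
      headers: { "content-type": "application/javascript", "cache-control": `max-age=${ONE_YEAR}` },
      body: `var TRACKING_ID = "${uid}";`,
    };
  }
  beacon(uid) {
    // The server recognises the ID and restores the tracking cookie.
    return { headers: { "set-cookie": `track=${uid}` } };
  }
}

// Simulated browser: cookies and HTTP cache are separate stores, as in a real browser.
class Browser {
  constructor(server) { this.server = server; this.cookies = {}; this.cache = new Map(); this.clock = 0; }
  fetchScript(url) {
    const entry = this.cache.get(url);
    if (entry && this.clock < entry.expires) return entry.body; // fresh cache hit: no request is made
    const res = this.server.serveScript();
    const ttl = parseMaxAge(res.headers["cache-control"]);
    if (ttl > 0) this.cache.set(url, { body: res.body, expires: this.clock + ttl });
    return res.body;
  }
  visitPage() {
    const body = this.fetchScript("/tracker.js");
    const uid = /TRACKING_ID = "([^"]+)"/.exec(body)[1]; // what the cached script would execute
    const res = this.server.beacon(uid);
    const [name, value] = res.headers["set-cookie"].split("=");
    this.cookies[name] = value;
    return this.cookies.track;
  }
  clearCookies() { this.cookies = {}; }
  clearCache() { this.cache.clear(); }
}

// The scenario from the post: which identifier does the site see after each kind of clearing?
function runScenario() {
  const b = new Browser(new TrackingServer());
  const first = b.visitPage();          // "uid-1": script fetched and cached, cookie set
  b.clearCookies();
  const afterCookieClear = b.visitPage(); // still "uid-1": cached script re-sets the same cookie
  b.clearCookies();
  b.clearCache();
  const afterFullClear = b.visitPage();   // "uid-2": new script, new identifier
  return { first, afterCookieClear, afterFullClear };
}

console.log(runScenario());
```

The model deliberately ignores revalidation (ETag, Last-Modified), which a real browser may perform; a server bent on tracking simply answers 304 and the cached body survives. The only reliable reset on the client side is the one the post describes: clear the cache, not just the cookies. Current browsers also partition the HTTP cache by top-level site, which confines this technique to first-party tracking but does not remove it.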

The author also complains about passing on identity information from one site to another, even when their TOS (Terms of Service) forbids them to:

They say that in their TOS which you usually ignore. For example, I was contacted on August 4, 2006 by a script at Google about my Sourceforge.net project, which asked me if someone else should be allowed to create a project on Google’s project hosting service with the same name as the Sourceforge.net project. Let’s ignore the fact that this email was sent by a script and was unsolicited. How did they know my details?? They should have a database of all Sourceforge.net projects and the owner email addresses and other details. I was quite unhappy about it.

I am not sure if Sourceforge would sell project owner details to Google, a competitor for them. Google probably just used their crawling knowledge to harvest these details from the Sourceforge site.

September 4, 2006

Your pc can hear you!

Filed under: Privacy — Bavo De Ridder @ 7:24 am

According to this article, Google is planning to use your PC’s microphone to eavesdrop on you. By isolating background sounds and comparing them to fingerprints, they can calculate what you are listening to on the radio or what you are watching on TV. They will then use that information to give you targeted ads while you surf.

For me this is clearly a bridge too far. This kind of technology is absolutely unacceptable. Law enforcement agencies need a judge to approve this. Google however can probably get away with it by having you click “Yes” on an EULA. If a user opts in to this, it should be in a very formal way, with a paper trail and the like.

It is just a matter of time before someone will use it to listen in on your conversations. A very scary thought.

If this trend continues and nobody stands up against it, I am going to switch back to this.

Blog at WordPress.com.