Charles Andres's blog

Information Cards can Authenticate Online Petitioners While Protecting Anonymity

• In 1215, King John signed the Magna Carta, which recognized the right of the barons to petition the crown.
• In 1775 Thomas Paine wrote in Common Sense that "... frequent interchange ...between the electors and the elected ... will establish a common interest with every part of the community ... they will mutually and naturally support each other, and on this depends the strength of government, and the happiness of the governed."
• By 1789, Founders of the United States embedded the right to petition into the Constitution in the First Amendment: "Congress shall make no law ... abridging ... the right of the people ... to petition the Government for a redress of grievances."

Today petitioning has become an instrument of mass politics, designed to make a point, not a plea. To quote the First Amendment Center:

"Petitioning" has come to signify any nonviolent, legal means of encouraging or disapproving government action. The direct appeal and individualized response that once marked petitioning belong to a more organic past when leaders knew petitioners by name. No branch of the government today is equipped to provide such personal attention.

Sites like The Petition Site provide tools to create online petitions, but you need to fill out the usual form -- name, address, etc. Not only is this work, but by signing a petition, you may create a record that you later regret. To avoid this, you might choose to enter a false address (Beverly Hills 90210). Verifying signatories of an online petition is a laborious and lengthy process.

For the past few years, analysts such as Bob Blakley and Jamie Lewis have predicted that someday, with the right identity technology, a 'digital oracle' could issue abstract but trusted declarations such as "a specific person is above or below a specific age" without needing to reveal the actual birthdate.

In mid-October a story published on theonion.com shouted to the world that, for the first time in history, someone pressed the “I'm under 18 button” on a pornographic site, denying themselves a treasure trove of “adult content.” This story highlights a glaring defect with Internet identity: after more than 20 years of evolution, there is still no way to prove how old we are (let alone whether we are a dog or not).

Last week that finally changed. Equifax introduced the first digital Information Card that allows anyone with a credit record to make verified claims -- specifically, an "I'm over 18" claim. This new age verification service was introduced by Equifax in conjunction with Azigo, makers of the Azigo Information Card selector. Equifax acts as the identity provider for the Equifax Over 18 I-Card. This card is produced by the Azigo CardPress service, and works with any Information Card selector.

With Information Card technology, Equifax can attest online whether a person is older than a specific age without needing to divulge actual identifying information such as the real birthdate. A website that accepts the Equifax Over 18 I-Card doesn't have to trust the user asserting this information; it can trust Equifax.

Sara Peters wrote a great article about how Information Cards are awesome and furthermore, how flawed SSNs are, since no one, not even the Social Security Administration, can verify that your SSN belongs to you.

But do Information Cards have a fatal flaw? Are they secure? Do they live on your computer? Are they portable? Can your information cards be stolen? Even if you are downloading managed cards verified from a trusted identity provider, are they giving you something that you can lose or can be stolen?

The Information Card Foundation was formed by a community of thoughtful Internet architects and developers whose primary objective is to provide us all with the tools to control our personal information in a safe secure manner. This is not an easy task. But to make it easy for the end user, the core of the design was a user ceremony we are all familiar with -- cards. The digital equivalent of the pieces of paper and plastic we carry around in our purses or wallets -- driver's license, library card, etc.

But what do digital cards really mean? As usual, it is just an analogy. Think about e-mail -- it is usually delivered much faster than postal mail, so much so that the latter is now often referred to as 'snail mail'. Or think about your computer's 'desktop' Well, it's sort of like a desktop, but it has these other cool features like organizing tools, deleting or storing files, changeable backgrounds, etc. So it is much more than a physical desktop, yet if the architects that created the Macintosh had not chosen such a simple, understandable metaphor, early users would have been confused.

At DIDW in 2007, the term 'user-centric' identity was called 'new school' identity. Kim Cameron introduced the term claims as a way of accurately generalizing the data fields on Information Cards. But the concept of Information Cards as a metaphor to wield the claims that others made about you was not the overarching meme at DIDW last year.

But at DIDW 2008, Information Cards and the Information Card Foundation have moved mainstream.

The Higgins Project, the basis for open source information card implementations demonstrated by Novell (The Bandit Project) Oracle, Parity, and IBM, has created an open source implementation of Information Card selectors compatible with Microsoft CardSpace. A SAML-plug-in for Higgins was built for Google. Where there used to be one organization (Liberty) promoting SAML, there are now a triumverate of organizations -- Liberty has been joined by the Open ID Foundation supporting Open ID and the Information Card Foundation supporting Information Cards. Thus the Venn of Identity diagram from Concordia's Eve Maler now has active established organizations in each sphere.

Examples of the impact Information Cards had on this conference:

The prospect of digital identity working at Internet scale—and Internet strength—has occupied the attention of many in the industry for the better part of a decade. Perhaps that should come as no surprise—cross-domain authentication and authorization has long been one of the thorniest problems in networking. Blow it up to Internet size—and add the Internet’s staggering diversity—and even Don Quixote might start looking for a more possible dream.

Yet twice before the Net has beaten such interoperability odds. It owes its very existence to a no-frills internetworking protocol—TCP/IP—emerging from a thick protocol soup to become a lingua franca of packets. Less than two decades later another minimalist approach—HTML—turned the universe of information into a World Wide Web by giving us a universal way to link content.Could there be a hat trick for the Internet identity layer? And if so, what’s under the hat?

When I first started reading about Information Cards in Kim Cameron’s blog posts in 2004, it was a disarmingly simple metaphor: no more than the online equivalent of the cards we carry in our wallets to prove our identity and use for transactions every day. Could such electronic cards really be the key to an “identity metasystem” that can bridge security and privacy domains the same way Web pages bridged content domains?

After spending last Friday talking to press and analysts about the launch of the Information Card Foundation, I arrived home to find in my US Mail box, a letter from my "bank and trust company" which stated:

"Dear Mr. Andres,

"I am writing to let you know about the theft of computer equpment from a third party....Because the stolen equipment contained data with certain personal information about you...such as your name and social security number...We have been in close contact with law enforcement ....we deeply regret this has happened."

In addition, last week I had to:

• locate a password that I had not used in 2 months.
• create 2 new usernames and new passwords for 2 websites, filling out the usual form with name, address, email address, phone number, credit card number, expiration date, secret card code, etc.

For all of us the Internet has been a wonderful transformational experience. Information at your fingertips, as Bill Gates famously said, has changed our lives. We can comparison shop, buy custom products, find hard-to-find replacement parts, locate nearly any book or record we ever wanted to own, provide feedback on products and services, get answers to almost any question, etc. My kids can't imagine life without it.

But the Internet wasn't originally designed to handle every economic or social transaction, or the need to prove you are you, or the claims you make. Today we need this capability.