Information Cards: Where is the Information?
Sara Peters wrote a great article about how Information Cards are awesome and, furthermore, how flawed SSNs are, since no one, not even the Social Security Administration, can verify that your SSN belongs to you.
But do Information Cards have a fatal flaw? Are they secure? Do they live on your computer? Are they portable? Can your Information Cards be stolen? Even if you are downloading managed cards issued by a trusted identity provider, are they giving you something that you can lose or that can be stolen?
The Information Card Foundation was formed by a community of thoughtful Internet architects and developers whose primary objective is to give us all the tools to control our personal information in a safe, secure manner. This is not an easy task. But to make it easy for the end user, the core of the design is a user ceremony we are all familiar with -- cards: the digital equivalent of the pieces of paper and plastic we carry around in our purses or wallets, such as a driver's license or a library card.
But what does a digital card really mean? As usual, it is just an analogy. Think about e-mail -- it is usually delivered much faster than postal mail, so much so that the latter is now often called 'snail mail'. Or think about your computer's 'desktop'. Well, it is sort of like a desktop, but it has these other features like organizing tools, deleting or storing files, changeable backgrounds, etc. So it is much more than a physical desktop, yet if the architects who created the Macintosh had not chosen such a simple, understandable metaphor, early users would have been confused.
This brings us to the question: "Where is the information that appears 'on' an Information Card, when I see something that looks like a card in my digital wallet or 'card selector' on my desktop?" It is a great question for a user to ask, because this is THEIR personally identifying information!
There is more than one answer to this question. Why can't there be just one answer? For the same reason that, while all railroad cars fit on the same track, they are not all alike. Our world is more complex than that.
What we can say is that the information on an Information Card is dynamically assembled for you on the fly (if you choose to look at it) from one or more of several places where it can be stored. In the Information Card ecosystem, these places include:
- Hidden in an encrypted part of your computer that only the operating system knows about. Microsoft does this with one type of card selector, called CardSpace. According to Microsoft, it is very difficult to retrieve anything from this store. (See Kim Cameron's blog on this topic.)
- In a portable storage device, such as a smartcard, USB key, or smart phone.
- In the cloud. Some card selectors do not store any information locally. It is in a database on the net, at a provider or server of your choosing. This means you can access your cards from multiple devices -- your laptop, your workstation, your Internet-enabled phone, etc.
- In multiple places in the cloud. Your cloud-based cardstore can link to other places where the information lives, and those links can themselves be encrypted and carry one-time security tokens with a short lifespan.
- Any combination of the above.
Without going into deep detail, the architects of the Information Card ecosystem are working to make it extremely difficult for anyone but you to access your personal information. This does not require that it all be stored on one device, or in any one location. Yet to manage access to it, all you need is a device that can reach the Internet and that has the selector software needed to access and select your Information Cards. Neither the device nor the cards themselves are required to contain any personal information at all -- they can simply point to it, and that pointer can be encrypted (and even time-bound) in a way that lets you better control access to it.
OK, you say, that all sounds great -- but somewhere, somehow, I have to know that only I have access to this information, and that no one can steal that access from me. How will that be possible?
Starting with the simplest case, access to your Information Cards can require you to remember one and only one password -- the one that unlocks your card selector. For two-factor authentication, this can be supplemented by an authentication device -- for example, a USB key, a biometric scanner, or a hardware token generator. Furthermore, even if you share access to your card selector with your family, you can set certain sensitive cards to require a PIN for access.
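To make the "encrypted, time-bound pointer" idea concrete, here is an added illustration. It is not code from the Information Card Foundation, CardSpace, or any card selector, and it is not the Information Card wire format; the token layout, the choice of AES-GCM, the purpose string and the locator URL are all assumptions made for this example. A selector (or cardstore) seals a locator that says where a claim really lives, together with an expiry, and binds the result to a stated purpose so that a pointer handed to one relying party cannot be replayed to another. Anyone holding the token but not the key sees only ciphertext; anyone holding the key still cannot use an expired or tampered pointer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Illustrative format (an assumption, not the Information Card format):
//   token = base64url( nonce || AES-GCM(key, nonce, expiry || locator, aad=purpose) )
// expiry is an 8-byte big-endian Unix time; locator is where the claim really lives.

var (
	ErrExpired = errors.New("pointer has expired")
	ErrInvalid = errors.New("pointer is malformed, tampered, or sealed for another purpose")
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPointer hides locator inside a token that is only valid for purpose
// and only until now+ttl.
func SealPointer(key []byte, purpose, locator string, ttl time.Duration, now time.Time) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain := make([]byte, 8+len(locator))
	binary.BigEndian.PutUint64(plain, uint64(now.Add(ttl).Unix()))
	copy(plain[8:], locator)
	// purpose goes in as associated data: it is authenticated but not hidden,
	// so the same token cannot be opened under a different purpose.
	sealed := gcm.Seal(nil, nonce, plain, []byte(purpose))
	return base64.RawURLEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// OpenPointer reverses SealPointer. Authenticity is checked before the
// expiry, so a tampered token never reaches the clock comparison.
func OpenPointer(key []byte, purpose, token string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", ErrInvalid
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", ErrInvalid
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(purpose))
	if err != nil || len(plain) < 8 {
		return "", ErrInvalid
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)
	if !now.Before(expiry) {
		return "", ErrExpired
	}
	return string(plain[8:]), nil
}

func main() {
	key := make([]byte, 32) // in practice this key lives with the cardstore, never with the relying party
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample: the purpose and locator are made up for this example.
	tok, err := SealPointer(key, "rp:blog.example", "https://idp.example/claims/7f3a/postalAddress", 2*time.Minute, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	loc, err := OpenPointer(key, "rp:blog.example", tok, time.Now())
	fmt.Println("opened now:", loc, err)
	_, err = OpenPointer(key, "rp:blog.example", tok, time.Now().Add(3*time.Minute))
	fmt.Println("opened three minutes later:", err)
	_, err = OpenPointer(key, "rp:other.example", tok, time.Now())
	fmt.Println("opened by a different relying party:", err)
}
```

The part this example cannot show is the part that matters most in the page's model: whoever holds `key` can open every pointer, so the pointer is only as private as the cardstore that keeps the key. The short lifetime limits what a leaked token is worth, and the purpose binding limits where it can be spent; neither substitutes for protecting the key itself.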
So now, in order to steal my identity information, an attacker has to break in, physically force me to divulge the password that unlocks my card selector, and then stand guard over me while they steal my information so that I don't call 911. Even then, once they leave I can cut off access by changing my password, and if they changed my password while an accomplice held me at gunpoint, I can still call the place where my information is stored and put a hold on my accounts.
Considering the difficulty of this kind of violent crime and the ease with which whatever is stolen can be disabled, it would be highly improbable. (The one assumption here is that the device running the selector is itself trustworthy; a selector on a malware-infected machine is no more private than anything else running there.) This would be a much safer environment than the one we have today, where every company that stores customer data faces a growing risk of a data breach, and where hacking and phishing are easy, anonymous, invisible, and international.
But is all this security necessary just to log in to a blog to leave a comment? Obviously not. Information Cards need to be simple to use, yet intelligent enough to handle the full spectrum of security concerns addressed by different protocols today, from OpenID to SAML and beyond.
Note that there is one case where personal information is actually stored with a card: when a self-issued Information Card (a personal card) is exported as a digital file. Such an export file is always encrypted and protected with a password, but it is still important not to let it fall into the hands of an attacker, and a well-designed selector should warn the user about this when the export is performed. Along with supporting a full range of information storage options, certification of Information Card selectors, identity providers, and relying parties is another key part of building the trust fabric of the Information Card ecosystem -- one the Information Card Foundation is actively working on.
