Date: Thur, 26 October 2006 08:02:00 -0600
From: SuitWatch 
To: suitwatch@ssc.com
Subject: SuitWatch - October 26




                          SuitWatch -- October 26


                                    Sponsor: Levanta

   "Top 5 Strategies for Managing Linux Servers" White Paper

   Managing Linux servers is different.  Avoid common problems and mistakes
   with proven strategies and best practices for optimally managing Linux servers.
   Register to download now.
   http://www.levanta.com/top5strats/lj_enews_suitwatch/
     _________________________________________________________________

  Anonymity, Independence and VRM

   On the way home from a trip last Fall, with the kid asleep in the back seat
   of the car, my wife asked me to fill her in on a subject that had
   preoccupied me over the last several years, yet had remained opaque to her.
    "Tell me about this whole identity thing", she said.

   So I did.  I told her about the need many of us saw for identity services
   that were centered on individuals rather than organizations, about the need
   to equip individuals with instruments of independence, about changing
   markets from collections of customer traps to free and open environments
   where customers and vendors could converse and relate from positions of
   equal power and autonomy.  And so on.

   She listened patiently as I ran down the various ideas and offerings
   forwarded by members of the Identity Gang and others who shared the same
   concerns.  Then she said, "I hear all this as More Identity.  I don't want
   more identity.  I want less.  When I'm online, I want to be anonymous.  I
   don't want anybody to know who I am until I have a good reason to tell
   them."

   In other words, she wants anonymity to be the default, rather than a lucky
   grace of occasional circumstance.  Also, a decade of experience in the
   online world gives her no more reason to trust the Powers That Wannabe than
   she trusts the Powers That Already Be.

   In all these respects her position is in agreement with David Weinberger's
   http://www.hyperorg.com/blogger/, which he detailed awhile back in
   Anonymity as the default , and why digital ID should be a solution, not a
   platform
   http://www.hyperorg.com/blogger/mtarchive/anonymity_as_the_default_and_w.html .
   Here's how he sums it up:

     The basic problem is, in my opinion, that the digital ID crew is
     approaching this as a platform issue.  Most places on the Web have solved
     the identity problem sufficiently for them to operate.  Some ask for the
     three digits on the back of your credit card.  Some only sign you up if
     you confirm an email.  Some only let you on if you can convince an
     operator you know the name of your first pet and the senior year season
     record of your high school's football team.  Sites come up with solutions
     as needed.

     Good.  Local solutions to local problems are less likely to change norms
     and defaults.  But the push is on for an identity management platform.
     It's one solution -- federated, to be sure -- that solves all identity
     problems at once.  If you want to change a social default, build a
     platform.  That's not why they're building it, but that will (I'm afraid)
     be the effect.  It's not enough that anonymity be possible or permitted by
     the platform.  The default isn't about what's permitted but about what's
     the norm.  If the default changes to being naked at the beach, saying,
     "Well, you can cover up if you want to," doesn't hide the fact that
     wearing a bathing suit now feels way different.  Yes, there's something
     wrong - and distracting - about the particulars of this analogy.  But I
     think the overall point is right: We're talking about defaults, not
     affordances.

     There are serious problems caused by weaknesses in current identity
     solutions.  Identity theft is nothing to sneer at, for example.  But are
     we sure we want to institute a curfew instead of installing better locks?

   Well, if there's one thing that the whole Identity Gang seems to have agreed
   upon, it's that there will never be one identity platform.  In fact, all of
   the proposed (and in some cases working) technologies at hand are approaches
   to what David calls local problems.  (Though the scope of some may be less
   local than others.) Microsoft's CardSpace
   http://msdn.microsoft.com/winfx/reference/infocard/default.aspx is a
   way for individuals to manage their ends of the many different identities
   they bring to many different relationships online.  More importantly, it
   provides a way http://www.identityblog.com/?page_id=430 "to put the
   release of identity information under the direct control of computer users".
    Those are the words of Kim Cameron, Microsoft's chief architect on the
   Identity case (see Independent Identity, in the September 2005 issue of
   Linux Journal), and the author of the Seven Laws of Idenity
   http://www.identityblog.com/?page_id=354 .  The first of those says
   "Technical identity systems must only reveal information identifying a user
   with the user's consent".  Seems to me this respects a user's wish to remain
   anonymous if they wish.  But does it support anonymity as a default? Not
   sure.

   Cardspace's compatible open source implementations, being worked out by the
   OSIS (Open Source Identity Selector) crowd, will do the same.  These
   approaches are, if anything, more respectful of one's autonomy and
   individuality than the collection of cards that currently inhabit our
   wallets (issued, as they all are, by organizations other than ourselves).

   OpenID http://openid.net/ is an open source solution to the
   single-sign-on problem.  Higgins http://www.eclipse.org/higgins/ is an
   open source trust framework for solutions like CardSpace and OpenID.  None
   of these is a platform in the sense that it controls your digital selfhood.
    In fact, Kim's 5th law http://www.identityblog.com/?page_id=352 of
   identity says "A universal identity system (or "metasystem") must channel
   and enable the inter-working of multiple identity technologies run by
   multiple identity providers".  In other words, it's not one system, or one
   platform.  Kim explains, "One reason there will never be a single,
   centralized monolithic system (the opposite of a metasystem) is because the
   characteristics that would make any system ideal in one context will
   disqualify it in another".

   In any case, there is total agrement amongst the Identity Gang that there
   will be many Identity platforms in the world.  In fact, I would go beyond
   that (speaking for myself here) in saying that platforms are too often (in
   practice if not by definition) foundations for silos, and that what we all
   want and need are better relationships between any two parties.  By "better"
   I mean ones in which both sides have control over what they disclose, and
   the bases on which they can trust each other.  That control includes choice
   about whether or not one remain anonymous.

   Yet nontechnical people reading the last few paragraphs are unlikely to be
   reassured.  Defaulted anonymity, for all its sometimes inconvenient costs,
   is still preferable to any "system" that sacrifices it.  One case in point
   is a cousin of mine who loves to take photographs and share them with
   people.  He does this by email.  When I asked him why he doesn't use Flickr
   or some other photo site, he said "I don't use any site that requires a
   password".  Why? "They're a pain in the ass".

   So I'd like to take a different angle on this -- one that will, hopefully,
   satisfy my wife, my cousin and Dr. Weinberger.

   This approach begins with a different default: independence.  As Neo put it
   in The Matrix, "The problem is choice".  Are we equipped to be independent?
   Meaning, do we have choice? I don't think so.  Not when big vendors still
   come at customers with battling silos and still call their markets "free".
   Not when we still think only Google, Microsoft, Verizon, Congress or some
   other Big Player to solve our Big Problems for us.

   The answers won't come from the outside.  That may be where choices are
   presented, but it's not where choices are made.  Choice is an inside job.
   It's an expression of autonomy.  And that independence, that autonomy, must
   include the choice to remain anonymous.  Whatatever we end up doing with
   Identity, apart or together, the choice to remain anonymous must be
   supported.

   Perhaps oddly, the context for anonymity is relationship.  If we look at
   markets as places where we have choices about who and what we relate to --
   and how we relate to them -- anonymity is one of those choices.

   I'll go back to the same use case I've used many times before: renting a
   car.  I would like to tell the car rental marketplace in Denver that I want
   to rent, say, a 4-wheel drive vehicle that seats six, has a roof rack, and
   plays MP3 CDs.  I would also like to tell vendors in the market that I
   belong to the Budget FastBreak, Hertz One and Avis Wizard clubs.  And,
   finally, that I'm not revealing my name or supplying any other
   identity-related information yet.  In other words, I'm still anonymous.  And
   I will remain anonymous until we're ready to do business.  And then I'll
   reveal personal information on a trusting but need-to-know basis.

   Think about this for a minute.  Do any of these agencies need to know who I
   am yet? Does trusting that I'm a good potential customer require that they
   possess a pile of personal identity information about me inside their CRM?

   And how about what happens if I want a deeper relationship with a vendor
   than the one that its CRM will allow? I'm much more likely to be loyal to a
   vendor who actually relates to me.  (Rather than just, say, "personalizes" a
   deal by posting my name on a board out in the rental car lot -- a feature I
   may not want.)

   Never mind that no CRM -- Customer Relationship Management -- system on
   Earth is interested in hearing such a request, or in appreciating customers'
   desires to remain anonymous until they are ready to reveal personal
   information on a need-to-know basis, or in welcoming relationships that are
   any deeper than a "loyalty program" or whatever.  It's not their fault.  All
   CRMs grew up in a lopsided industrial world where the whole relationship
   burden fell on vendors rather than customers.

   But we don't live in that lopsided world any more.  Thanks to the Net and a
   plethora of technologies, protocols and other goodies, there is no reason
   why some of the burden cannot be borne on the customers' sides as well.

   What I'm proposing is VRM -- Vendor Relationship Management -- that equips
   the customer to actually relate to vendors, and not just to buy stuff from
   them.  In order to do that, a high degree of control on the customer's side
   is required.

   How do we do that? What form does it take? Is it code that lives in a card?
   Can it be operated by cell phone? Will it require a broker of some kind?
   Where do we start?

   Well, those are all questions on the floor here at the Berkman Center for
   Internet and Society http://cyber.law.harvard.edu , where I'm now a
   Fellow and working on this very project: making VRM happen.

   I'm looking for help, of course.  Some will come from colleagues like Mary
   Rundle http://cyberlaw.stanford.edu/blogs/rundle/, a Fellow who has
   been working the anonymity beat here at Berkman
   http://cyber.law.harvard.edu .  Some will come from developers like
   former Berkman Fellow Dave Winer http://scripting.com/ , who has been
   thinking about this issue, and whose track record at Making Things Happen is
   legendary.  Same goes for Jeremie Miller http://jeremie.com/blog/
   (father of Jabber and XMPP http://www.jabber.org/), Joe Andrieu
   http://blog.joeandrieu.com/ and Christopher Carfi
   http://www.socialcustomer.com .  That's in addition to Identity Gang
   members such as Kim Cameron, Paul Trevithick
   http://paul.trevithick.name/ and Drummond Reed
   http://www.equalsdrummond.name/ , who are all developers with
   Independent Identity goods on the table and more on the way.

   I know this whole thing is still vague and not well-defined.  But that's
   also why I'm vetting it here in the Linux community -- and everywhere else I
   can.  Let me know what you think.  And, if you can, how you can help.

     -- Doc Searls is Senior Editor of Linux Journal, a Visiting Scholar with
     the Center for Information Technology and Society at UC Santa Barbara, and
     a Fellow with the Berkman Center for Internet and Society at Harvard
     University.

     _________________________________________________________________

   To remove yourself from this list, see http://www.ssc.com/mailing-lists.
     _________________________________________________________________

Subscribe now!

• Subscribe
• Renew
• Free Issue
• Customer service