Emergent Chaos

In “U-Prove Minimal Disclosure availability,” Kim Cameron says:

This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual Microsoft press release and lay it on you. The reason? Microsoft has just done something very special, and the fact that the announcement was a key part of the RSA Conference Keynote is itself important.

Further, Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy.

Kim then goes on to analyze the announcement, which is a heck of an important one.

Disclaimer: I work for Microsoft, and am friends with many of the people involved. I still think this is tremendously important.

Or, Security and Privacy are Complimentary, Part MCVII:

Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash the ID and credit card in front of the camera. That way, he could sell the credit card number and address of someone who had no reason to report their card as stolen. Presumably they could then use it on the internet as many sites require the billing address when using a credit card. The corporation decided that there was too much liability in a restaurant employee having access to someone’s drivers license and began specifically requesting servers to not do so except to verify that the person was of legal drinking age. (“How I Learned To Start Worrying And Hate Showing My ID“, Consumerist)

I hadn’t thought about this particular aspect of stealing credit cards. It seems pretty helpful to have address and date of birth. When I think about this, the chaotic nature of how those around us accumulate and use information is hard to predict or track. There’s a value of minimal disclosure here. It’s yet another example of how protecting privacy protects security as well. Asking people to be aware of what emerges from the chaotic swirl of information is expensive.

Historically, the card brands have demanded that their cards be honored based only on the card system. They used to back you if a store asked for ID. As the system has come under attack, they’ve backed away from that, but the current state is hard to discern.

Consistency is an important part of how people form mental models. The whole world is making different demands about what’s secret (is your address a security string? Your frequent flyer number? The first street you lived on?) The demands banks and merchants are changing rapidly from a consumer perspective. (Quick, do you know what the CARD act changes?) When the rules for consumers are chaotic, what emerges is misconceptions, superstition and best practices.

In the world of security, we’re going to have to work hard to provide a comprehensible set of workable and effective advice for people to follow.

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login.

Boy, am I glad to know they take my privacy seriously, because otherwise, their failure to fill out fields in their certificate might really worry me.

I mean, I’m not annoyed that BNY Mellon treated my information negligently. Oh, no. I expect that. I am a little annoyed that having done so, they offered me a year of “monitoring” rather than prevention. I’m annoyed that it’s a year, when there’s no evidence that risk of harm falls after a year. And I’m annoyed that the company offering monitoring doesn’t bother to get the little things right.

[Update: This may be a broader issue of all non-EV certs being treated like this. I admit, I rarely check because I rarely care. But when I do care, I reasonably expect it to be done right.]

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online.

That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they are prohibited, not bad in themselves. It’s important if we want to export freedom of speech and freedom from self-incrimination, to push for an international norm of limiting the powers of governments, not of people. Of course, since the main way that the international reach of governments is limited is through treaties negotiated by, umm, governments, I don’t expect a lot of that soon.

Not to mention the creation of fake Facebook accounts by Iranian intelligence.

But most interesting is this:

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.

and

One 28-year-old physician who lives in Dubai said that in July he was asked to log on to his Facebook account by a security guard upon arrival in Tehran’s airport. At first, he says, he lied and said he didn’t have one. So the guard took him to a small room with a laptop and did a Google search for his name. His Facebook account turned up, he says, and his passport was confiscated.

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way to discovering that children they thought were theirs really carry someone else’s genes.

This raises the question, what is fatherhood? Is it the genes or the relationship? There’s obviously elements of both, but perhaps there’s a rule in here: adding identity to a system makes the system more brittle.

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up was “Fast, Cheap and out of Bob’s Control.”)

I think, however, that my frame for a response will be Alvin Toeffler’s excellent analysis of Future Shock. In it, he describes our lives as most people in the professional class move more and more often for work. How the traditional means of social cohesion — church, scouts, the PTA, bridge clubs, the local watering hole — all down as we expect to be gone in just a few years. How we have friends we see annually at a conference or in airports. He explained that ongoing acceleration and the removal of support structures would lead to isolation, alienation and an ongoing and increasing state of future shock.

A great many Americans on the coasts live in many micro-societies. We have our professional groups and sub-groups. We have hobbies. We may have college buddies in the same areas as we are. We pick a fat demogauge to listen to: Rush Limbaugh or Michael Moore as suits our fancy. But our social spaces are massively fragmented. And so when Bob says:

But he’s right that we’d better behave. When we see someone else’s private information, we’d better avert our gaze. We’d better not gossip about it. We’d better be sociable. Because otherwise we won’t need the telescreen – we’ll already have each other. And we’ll get the society we deserve.

We no longer have a society, or the society. We have teabaggers screaming at Obamaphiles. We have neighbors suing neighbors. We call the cops rather than walking next door. We run background checks on our scoutmasters, all because we no longer have a society which links us tightly enough that we can avoid these things.

And amidst all of this which society will create and drive the social norms for privacy? Will it be the one that lets cops beat protesters at the G20? The one that convinced Bob to join Facebook? The one that leads me to tweet?

In a world where some people say “I’ve got nothing to hide” and others pay for post office boxes, I don’t know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of “Online Data Present a Privacy Minefield” on All Things Considered. In a world in which cheesy-looking web sites get more data, I’m not sure the social frame will save us.

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on Choicepoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

South African runner Caster Semenya won the womens 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony.

There are reports that:

Two Australian newspapers reported Friday that gender tests show the world champion athlete has no ovaries or uterus and internal testes that produce large amounts of testosterone. … Semenya is hardly alone. Estimates vary, but about 1 percent of people are born with abnormal sex organs, experts say. These people may have the physical characteristics of both genders or a chromosomal disorder or simply ambiguous features. (“When someone is raised female and the genes say XY,” AP)

For more on the medical end of this, see for example the “Consensus statement on management of intersex disorders” in the Journal of the American Academy of Pediatrics.

The athletics associations rules don’t cover all of these situations well. The real world is far messier and more complex than most people have cause to address. There are a great many apparently simple things that are really complicated as you dig in.

What the sports associations and news media are doing to Semenya is reprehensible. (There are over 10,000 stories listed on Google News, versus 13,000 for Derek Jeter, who just broke a Yankees record.) She didn’t come into running knowing that she had no ovaries. Having to deal with the identity issues that her testing brings up under the harsh light of the entire world (including me) is simply unfair.

It’s unfair in almost the same way as the British government’s treatment of Alan Turing, the mathematician who Time named one of the 100 most important people of the 20th century for his fundamental work on computers and cryptanalysis. Turing was also a convicted homosexual who committed suicide because of his “treatment” with estrogen, which caused him to become impotent and to develop breasts.

This week, Gordon Brown issued an apology entitled “Treatment of Alan Turing was ‘appalling’:”

While Turing was dealt with under the law of the time and we can’t put the clock back, his treatment was of course utterly unfair and I am pleased to have the chance to say how deeply sorry I and we all are for what happened to him. Alan and the many thousands of other gay men who were convicted as he was convicted under homophobic laws were treated terribly. Over the years millions more lived in fear of conviction.

I am proud that those days are gone and that in the last 12 years this government has done so much to make life fairer and more equal for our LGBT community. This recognition of Alan’s status as one of Britain’s most famous victims of homophobia is another step towards equality and long overdue.

Sports officialdom and state governments are different. Sports are voluntary associations, although athletes have little influence on the choices of international sports functionaries. Either way, watching the chaotic world crash onto the inflexible bureaucracies is tremendously frustrating to me.

As more and more of the world is processed by Turing Machines, assumptions that seem obvious to the programmer are exposed harshly at the edges. A friend with a Juris Doctorate recently applied for a job online. The form had a field “year you graduated from high school” that had to be filled out before she went on. Trouble is, she never did quite finish high school. She had the really relevant qualification-a J.D. from a good school. But she had an emotionally wrenching choice of lying on the form or not applying for the job. She eventually chose to lie, and sent a note to the HR people saying she’d done so and explaining why. I doubt the fellow who wrote that code ever heard about it.

I have a challenge to anyone involved in creating an online identity management system: How well does your system handle Semenya?

The typical answer is either that “that’s configurable, although we don’t know if anyone’s done exactly that” or “she’s an edge case, and we deal with the 95% case really well.” If you have a better answer, I’d really like to know about it. And as a product guy, those are likely the decisions I’d make to ship.

I’ll close by echoing Brown’s words: We’re sorry, you deserve so much better.

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:”

JR: And I don’t mind the time. I just don’t know that I have the
legal authority to change your name when it’s not a change. The
code sections talk about changing. Can I give you an order that
doesn’t change your name at all? That keeps your name the same? Is
that the same as granting a name change? And I think not. And I’m
going to do this, I’m going to continue this matter for two
weeks… and try to think about these issues in this time…

Via guerrilla-innovation.

Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database:

During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, suggested that Asian-Americans might want to adopt names that are “easier for Americans to deal with” when they want to vote so their names will match what is on registration rolls.

Brown made her statements during testimony from Ramey Ko, representing the Organization of Chinese Americans….

“… do you think that it would behoove you and your citizens to adopt a name that we could deal with more readily here?”

Quotes from “Lawmaker suggests Asian-descendant voters should adopt names easier for Americans to deal with’,” Houston Chronicle Texas Politics blog.

Of course, this is nothing new. Once

Or read Brian’s “Any Suggestions for My New User-Friendly Name?”