ian glazer's tuesdaynight

It’s an open secret among us identity geeks that, despite all of federated identity’s progress, one thing has lagged significantly: relying party participation1. Getting relying parties to the table, to talk about challenges they have with identity on the Internet, has always been a hard problem. Although the identity community has grown, the number of relying parties getting involved with things like the Internet Identity Workshop hasn’t kept pace.

Willingly or not, NIST’s National Strategy for Trusted Identities in Cyberspace (NSTIC) has taken up the challenge of increasing relying party participation. Without real-life use cases based on actual business, actually problems, NSTIC is, though aspirational, vague. However, armed with a set of discrete use cases, NSTIC (and more importantly the identity community) can begin to craft solutions, discover unforeseen challenges, strengthen protocols, and tackle policy issues. But to get these needed use cases requires relying parties to be involved.

As a technologist you’ve likely heard about the Stop Online Privacy Act (SOPA) or the Protect-IP Act. The intention of these bills, as described by SOPA, is “[t]o promote prosperity, creativity, entrepreneurship, and innovation by combating the theft of U.S. property, and for other purposes.” It provides a range of resource to tackle “foreign websites” who “engage in, enable or facilitate” copyright or trademark infringement. Amongst SOPA’s so-called “reasonable measures” of dealing with the assertion that a site engages in, enables, or facilitates copyright infringement, is the use of DNS filter. In essence, the site’s hosting provider would be required to modify its DNS records such that entry for supposedly_infringingsite.com does not resolve. Beside the well publicized incompatibility between DNS filtering and DNSSEC, DNS filtering has tangible negative effects on federated identity systems including the National Strategy for Trusted Identities in Cyberspace (NSTIC.)

Our modern era split into two parts on September 11th. In the last ten years, like the World Trade Center, some of our shared concepts about our world have fallen. Collapsed is the notion that the world “over there” has no impact on our own soil. In sad heap is the idea that we can apply kinetic force again ideological force. Fallen is the naïveté that we know how to manage the institutions that have fueled America’s growth, whose complexity and interconnectedness have increased geometrically. There is an idea that has not fallen and has grown in strength and in implication - the idea that we can be completely safe. This farcical idea is literally destroying our country. This myth bankrupting our nation. This myth is breeding ideologues. The fantasy of complete safety has robbed us our dignity. It has decreased our operational efficiency. This country is behaving like a child, afraid of the dark, insisting to turn on every light in the house. There isn’t a boogeyman under every bed, in every closet. The dark isn’t inherently dangerous. The dark contains the unknown and the undiscovered; it is in the dark that our future rests. It is only through bravery of admitting that we cannot be completely safe, through the decision to not be scared of the dark, that we can progress economically and emotionally.

I have been avoiding watching the TV these last few days. I’ve been avoiding reading the op eds and the wrenching retelling of what happen that day ten years ago tomorrow. I have been avoiding these things, not because I do not want to remember, but because I do not want to relive that day. This modern era has been split into pre-9/11 and post. Consider what I wrote on September 10, 2001:

As someone of you have already heard, the spiritual home of Tuesdaynight, Toledo Lounge, has been sold. After nearly 20 years Abbajay sisters have sold Toledo to the owners of the Black Squirrel. From reading this article, it sounds like things are going to pretty much stay the same at Toledo which is great news. BTW - some of us will be at Toledo tonight to reminisce. Come join us!

Even though DC faces a budget crisis and there are radical inequities in our public education system, the city is looking to expand its surveillance program. As I have mentioned before, there are strong evidence that CCTV surveillance doesn’t lower the crime rate and doesn’t add to the public good. Hopefully, the city council will put a stop to this but I doubt it will.

The last part of my series on apps and privacy has gone up over at Gartner.

I had let Privacy Mirror languish for a bit, and having found a free few hours, I decided to update Privacy Mirror to take advantage of Facebook’s Graph API. (For those of you not familiar with my Privacy Mirror experiment, it is a very basic app that explores what personal data apps can see via your friends.) Since I last updated Privacy Mirror, Facebook rolled out two major features. The first was the previously mentioned Graph API, which is a RESTful API that results Facebook data as JSON. The second, and frankly the more interesting, was extended permissions. The newish extended permissions govern how apps can access data and how users are informed of this use. It is these extended permissions at the bottom of the recent kerfuffle over Facebook allowing app developers access to phone numbers and addresses. (Ars Technica did a good job over covering this, and here is Facebook’s current response.) Extended permissions work like this. First, an app developer encodes a request for access to various pieces of your profile data, as well as pieces of your friends’ profile data. Second, when you add the app to your profile, the app asks you for your permission. The following is a picture of what it looks like when Privacy Mirror asks for access to your and your friends’ information.

I’ve posted the second part of my ‘I “like” you, but I hate your apps’ series over on my Gartner blog.

I’ve been doing a lot of thinking lately about how the apps on our smartphones and Facebook profiles introduce strangers into our interactions. I’ve broken my thoughts up into a three-part post over on my Gartner blog. Check out part 1 and give me your thoughts on it.