Eco-Hypocrites

It looks like Kennedy clan has managed to kill a wind farm in the Nantucket sound area. I guess they really don’t believe their own global warming rhetoric after all. 

Privacy and the Shield

There is a proposed federal shield law winding its way through congress right now. Unfortunately the debate is being framed in terms of whether a reporter should be able to protect sources that leak information about issues involved in intelligence gathering and other clandestine operations. While that is an important debate there is another more mundane side of this of this that is getting lost, privacy.

While the legislation is still in flux, if passed in it current form, it would protect reporters from subpoena not only in cases of intelligence gathering, but also in cases of the release of privacy related information. In other words, if someone in the IRS gave your entire tax return to a reporter, the federal government could not subpoena the reporter to find out who gave him your return. If you where the subject of a federal investigation, and false information about you was leaked to the media to make you look guilty, the same rules would apply.

You think that last example is far-fetched? That is exactly what happened with Richard Jewell.

Of course left unasked in this debate is exactly who qualifies as a reporter. Presumably that would be left to the courts to sort out on a case by case basis.

The media is framing this as freedom of the press. It isn’t. The media wants the freedom to not answer questions under oath about clearly illegal activities. I’m sorry, but I don’t think a J-School degree and a stint at the NYT should grant you special legal privileges. I also don’t think freedom of the press means the freedom to cover up a crime.

(Mirrored from TalkBMC)

When VRM is a Blunt Instrument

In this case I mean a literal blunt instrument. Specifically a hammer. More specifically a hammer applied by a senior Comcast customer to aforementioned office equipment (h/t to Instapundit):

“I scared the tar out of some people, at least,” she says. “It had never occurred to me to take a hammer to a phone company before, but I was just so upset. . . . After I hit the keyboard, I turned to this blonde who had been there the previous Friday, the one who told me to wait for the manager, and I said, ‘ Now do I have your attention?’ “

Now I don’t recommend or condone such actions, but after reading about the events that led up to the incident, I certainly can understand and sympathize.

I’ll be in the garage looking for something heavy …

(Mirrored from TalkBMC)

Information Card Miscellany

Pamela Dingle sums up a bunch of new developments around Information Cards here.

Mike Jones points to a health care provider that is supporting Managed Information Card authn, and also points out that MyOpenID.com now supports Information Cards.

Mike also has a list of open source Information Card implementations here.

(Mirrored from TalkBMC)

Privileged Account Management

Mark Diodati has a very thought provoking post here. He talks about how recent acquisitions by Identity Management vendors have expanded the scope of their identity management suites and what future acquisitions may happen.

Mark mentions a small but growing segment of IdM, Privileged Account Management. I don’t really know what the real potential of this market is. It seems to be a fairly small market now, but it could grow rapidly as more enterprises hear about the idea.

But for this idea to reach its full potential it needs to be integrated with one of the major provision platforms (like the BMC IdM Suite). Over the years the provisioning vendors have developed connectors to most of the major systems on which these highly privileged accounts reside. These can be used to discover the highly privileged accounts and then do password resets on them as part of the privileged account management.

Now whether this integration happens because of acquisition, partnerships, or new product offerings by existing provisioning vendors is the interesting question. But it seems unlikely that the existing privileged account management vendors will be able to build out a set of connectors on par with the existing provisioning vendors.

(Mirrored from TalkBMC)

Another censorship flap for Google

Google is catching heat for their spiking of ads critical of the political action committee MoveOn.org. There is a good editorial about it here. What is getting Google in trouble in not so much that they spiked the ad, but their professed justification. They are claiming that they had to remove the ad because it violated MoveOn.org trademark.

Clearly the ads offended the political beliefs of someone at Google. Fine. Google is free to not do business with anyone they don’t want to. But why not be honest about it? By claiming the decision was based on trademark infringement they are setting a very dangerous precedent that will harm both free speech and Google’s profits.

I’m really skeptical about this use case

In the discussion around Identity Oracles, I am seeing a lot of references to the use case of asking about potential drug interactions. For instance Paul Madsen gives the example:

Can Kim take drug X without fear of drug interactions?

The person that most needs to be asking this question is the prescribing doctor, and he really needs to know the list of other medications and medical conditions involved. Meta-data won’t cut it in this example. For instance if the resulting drug interaction caused a loss of appetite that would be acceptable in many cases, but not for a chemotherapy patient. The fact there is or isn’t a drug interaction is simply too course-grained to be sufficient.

A common theme among the Identity Oracle examples I have seen so far.

My doctor needs to know everything about my medical condition. He needs data, not meta-data. My insurance company needs to know what prescriptions I am taking that they are paying for. No other parties need the data or the meta-data.

(Mirrored from TalkBMC)

Higher Orthodoxy

The continued erosion of the quality of college education in this country is highlighted by this George Will column. It’s a devastating critique about students being forced to adhere to a rigid orthodoxy imposed on them by their professors:

In 1943, the Supreme Court, affirming the right of Jehovah’s Witnesses children to refuse to pledge allegiance to the U.S. flag in schools, declared: “No official, high or petty, can prescribe what shall be orthodox in politics, nationalism, religion or other matters of opinion, or force citizens to confess by word or act their faith therein.” Today that principle is routinely traduced, coast to coast, by officials who are petty in several senses.

They are teachers at public universities, in schools of social work. A study prepared by the National Association of Scholars, a group that combats political correctness on campuses, reviews social work education programs at 10 major public universities and comes to this conclusion: Such programs mandate an ideological orthodoxy to which students must subscribe concerning “social justice” and “oppression.”

Is Jeff bigger than a bread box?

A thread about something called an Identity Oracle has spun out of the LLP thread. Bob Blakley describes an Identity Oracle here. Kim Cameron has his take here.

So the idea behind the Identity Oracle seems to be a service that can answer questions about an identity without giving away personal information. The example Bob gives is the person’s age:

Instead, GiCorp’s request looks like this:
“I am allowed to extend service to Bob only if he is above the legal age for this service in the jurisdiction in which he lives.  Am I allowed to extend service to Bob?”
And the Identity Oracle’s response looks like this:
“Yes.”

It pains me to disagree with someone who I respect as much as Bob Blakley, but I don’t think there is much promise in this idea. Of course Bob uses the age example, which is the “Hello World” of identity information. What other useful answers could an Identity Oracle provide? The usefulness of this seems limited to personal information that is a simple attribute to which a boolean test could be applied. That seems a pretty small and not very useful set.

Say for instance I want order some chocolate. The conversation between my Chocolate Provider and my Identity Oracle might sound something like:

Chocolate Provider: Jeff has ordered our Gut Buster size chocolate sampler. Could you give me his home address so we can ship it?

Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if he is over 18?

Chocolate Provider: No thank you. We pretty much sell to anyone who can pay for it. I really need his address.

Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if he is a resident of a specific state or country?

Chocolate Provider: That’s not really specific enough to ensure delivery. Could you give me his phone number?

Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if his medical condition allows him to eat chocolate?

Chocolate Provider: We don’t care if he actually eats it so long as we get paid. Can you give me his email address?

Identity Oracle: I can’t give you that information without violating Jeff’s privacy.

Chocolate Provider: I thought so. Is Jeff bigger than a bread box?

Identity Oracle: Yes! Do I get paid now?

Chocolate Provider: No, just kidding. We’ll cancel his order.

OK this is a silly example, but I just can’t see much besides age that would fit the Identity Oracle model. I do recognize that many of the companies I do business with collect more information than they really need. But the solution to that is very simple; just don’t collect what you don’t need. But for the information they need, they need the information, not an answer based on that information.

I just can’t see how I could use an Identity Oracle in practice, much less be willing pay for it.

(Mirrored from TalkBMC)

What then, is the difference?

The Burton Group is putting forth the notion of a Limited Liability Persona (LLP) which would allow a person to put forth a virtual identity that could be used in place of his own personal information. The LLP would have its own name, tax ID, and other personal information. The LLP would also grant some level of liability protection to the person it represents. Kim Cameron has some thoughts about this here and links to this interesting Denise Caruso article about it in the NY Times.

OK, these are great ideas, but there is something I’m just not getting.

What is the difference between a LLP and an LLC? Obviously the LLP name is derived from LLC, but how do they differ? An LLC with a single owner seems to have all the characteristics of what the Burton Group is describing.

What am I missing here?

(Mirrored from TalkBMC)