Radovan Semančík's Weblog

Sunday, 11 December 2005

Luke Razzell writes about "Virtual Personality":

A Virtual Personality is posited by VRI as an aggregate of all the Virtual Personas a person might have in their online life (their banking persona, blogging persona, online chat persona etc.).
But who says all the Virtual Personas belong to the same Virtual Personality?
I have written about personae before and the more I think about it, the more I'm convinced that the model fits well. But the "Virtual Personality" concept does not.

One of the most important statements of the model is that a user is an entity in the "real" world, while computers operate in the distinct "virtual" world. Computers have no direct "touch" with users; they can only describe them using data records (personae or "virtual personas").

The "Virtual Personality" concept looks to me as being nothing more as just another persona, that happens to be linked to another personae. I must agree with Luke, that the "Virtual Personality" looks as a superfluous concept.

Some time after the informal drafting of the project I realized that the relation between a persona and the physical subject (person) may not be as important as it is currently seen. It may not even be possible to reliably determine it in practice. As I've written earlier, maybe we should really forget about the entire "physical identity" concept, as it is intangible in the virtual world of computer software.

The only "identity" thing that can be processed in the virtual world is relations between personae. Especialy the relation that I call analogy, that indicates that the personae describe the same subject (whoever that subject may be). Maybe that would be sufficient to describe the "digital identity" situation. But the model is still work in progress, needs more thinking and more work ...

Posted by semancik at 3:28 PM in Identity

I was working on a kind-of-directory-kind-of-SSO project for the past three months. I was working quite hard and had no time to follow the identity buzz around. Just a few days ago I found the entry in Kim Cameron's blog that features a recording of his conversation with Craig Burton. One of the topics was anonymity, especially the question whether anonymity is an empty set of claims or not. After a while it came to me that the question is all wrong. More exactly, "anonymity" is all wrong.

First of all, we usually see anonymity as a boolean quality. You are either anonymous or you are not. You cannot be "a bit more" anonymous or have "quite a big" anonymity. But if you see anonymity as a boolean value, you must first define the "world" that it operates on. This is called the anonymity set by some researchers. The exact definition may be found here:

Pfitzmann, A., Köhntopp, M.: Anonymity, Unobservability, Pseudonymity, and Identity Management - A Proposal for Terminology. In: Designing Privacy Enhancing Technologies, International Workshop on Design Issues in Anonymity and Unobservability, 2000.

The anonymity set is the collection of all possible subjects that you can choose from. For example, when evaluating the anonymity of a single HTTP access, the anonymity set may be "all IP-addressed devices" or "all devices accessing the Internet from a single proxy server". In the former case the HTTP access is not anonymous, as it is identified by an IP address (the fact that the address may not uniquely identify the client does not really matter). In the latter case the access may be anonymous.

Or you may define anonymity as a quantitative value, measured by the size of the smallest applicable anonymity set. That way you may be "very anonymous" or "just a little bit anonymous". But in that case there's a new question: How much anonymity is enough?

One way or another, talking about anonymity without defining the anonymity set is pointless. And I think that defining the anonymity set for the Internet may not be that easy, and it will probably be very dynamic anyway. Will we see the anonymity set as a collection of all Internet-enabled devices? Will we also include devices hidden behind masking proxies? Or will we see it as a set of physical users, so that it will not matter if a device is identified as long as the user is not? And if I can identify, e.g., the user's location (city), is the user still anonymous or not?
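To make the two views concrete, here is an added example (not from the original post) that treats an observer's knowledge about one HTTP access as a filter over a constructed population of subjects: the subjects that survive the filter are the anonymity set, its size is the quantitative anonymity, and the boolean view is just a threshold on that size. The population, addresses and cities are invented for illustration; the example also shows how learning one more attribute (the city) shrinks the set.

```python
# Constructed population of subjects an observer might have to pick from.
# 'ip' is what a web server sees; devices behind the same proxy all show the
# proxy's address. All values are invented (documentation-range addresses).
POPULATION = [
    {"id": "s1", "ip": "198.51.100.7", "city": "Bratislava"},
    {"id": "s2", "ip": "203.0.113.5", "city": "Bratislava"},  # behind proxy
    {"id": "s3", "ip": "203.0.113.5", "city": "Bratislava"},  # behind proxy
    {"id": "s4", "ip": "203.0.113.5", "city": "Kosice"},      # behind proxy
    {"id": "s5", "ip": "203.0.113.5", "city": "Kosice"},      # behind proxy
    {"id": "s6", "ip": "192.0.2.44", "city": "Kosice"},
]


def anonymity_set(population, observed):
    """Subjects consistent with everything the observer learned about one
    access. 'observed' maps an attribute name to the value that was seen."""
    return [s for s in population
            if all(s.get(k) == v for k, v in observed.items())]


def anonymity(population, observed):
    """Quantitative view: the size of the smallest applicable anonymity set,
    i.e. what is left after every observed attribute has been applied."""
    return len(anonymity_set(population, observed))


def is_anonymous(population, observed, k=2):
    """Boolean view: anonymous only if at least k subjects remain
    (k=1 would mean the access is pinned to exactly one subject)."""
    return anonymity(population, observed) >= k


def weakest_point(population, attributes):
    """Smallest anonymity set any subject gets when the observer learns the
    given attributes: the guaranteed anonymity of this 'world'."""
    return min(anonymity(population, {a: s[a] for a in attributes})
               for s in population)
```

`weakest_point` is the figure to compare against "how much anonymity is enough?": it is the anonymity the worst-placed subject actually gets, not the average.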

I think that "anonymity" and "identity" are two extremes of a quite broad and multi-dimensional identification spectrum. And I also think that these two extremes cannot be reached in practice. But that may be a topic for following posts.

Maybe we should abandon the words "anonymity" and "identity" completely, as they may be very misleading. Especially while building practical systems.

Posted by semancik at 12:00 PM in Identity

Jozef Vyskoč reported (SK) today on an incident in China, where police detained a man who stole and sold "short" IM numbers.

This looks ridiculous at first, but it is in fact a "reputation theft". A shorter IM number hints that the user was on-line in the early days of the service, and that may give him some kind of "reputation". This may be seen as an isolated incident, but it is not the first time I've heard about this kind of "inherent" reputation. A friend of mine told me that Swiss citizens strive for car registration plates that have the smallest numbers on them. The low numbers mean that the owner of the plate is a long-time citizen and thus should be honored. This goes even further, as the most interesting plates are sold and bought.

There are several thoughts that came to my mind:

  • In the absence of any other reputation system, people use the mechanisms that are at hand, like short IM numbers or low car registration plate numbers. Could this mean that there is a real need for a reputation system? That people need it? That they even want it?
  • The low numbers on Swiss car registration plates originally indicated an old-time citizen. But now, as the plates are being sold and bought at market-derived prices, they indicate a different value. The value shown by the figures on the plate is a mix of the time that the person has lived in the city and the price that he is willing to pay for the illusion that he is honorable. The low numbers are not assigned anymore; they can only be bought. After some time this measuring system will mutate to show only the amount of money one is willing to pay for the plate. Does this mean that the reputation metrics in a reputation system may have variable meaning over time? In such a case we will need some meta-reputation system that will assert the reputation of reputation systems. Or is there some different way?
  • For a reputation system, one must always account for the "short-cut" value of the system. I mean that every system may be breached, (almost) every person can be corrupted, everything has its price. There may be ways to acquire reputation with money alone. One can get a reputation of a sound expert only by paying the "short-cut" price of the system (the price to break it, the price to buy the reputation of an existing expert, etc.). This may (or may not) destroy the system. As with other systems, we must know where the limits of reputation systems are and not push the "honorability" of a reputation system beyond these limits.

Posted by semancik at 12:00 PM in Identity
Saturday, 10 December 2005

In the last months I thought a lot about LID, SXIP, ISSO (based on i-names, which are based on XRI) and other similar "identity" systems. The recent posts by Drummond Reed, Phil Windley, Eric Norlin and others indicate that these systems got some traction. That's quite interesting. Why?

All of these systems use global user identifiers (URL, XRI, GUPI). People get one of these identifiers and then use it to log into different web sites. Nice and easy for the user, but terrible for privacy. The different web sites may easily collude and join their data about a user, using the global identifier as a reliable correlation key. How would you like it if an on-line flower shop (that you used to send flowers to your friend) colluded with an "adult entertainment" site? The "adult" site may learn from the flower shop your real name (from credit card data) and the shipping address that you used for sending flowers. The site may provide you with "better customer service" by sending a spicy catalog, personalized exactly to your needs (and with your name on it), to the address you used for shipping flowers. Surprise guaranteed.

The global identifiers used there are on-line equivalents of the SSN, with most of the SSN's drawbacks. The attribute protection mechanisms implemented by "identity" systems do not help here, as the data are already out at the service providers' systems and are no longer under the control of the "identity" system. Yes, you may create several "personalities" by using several global identifiers, but the management of these different accounts may soon become very difficult. And even that does not help much. Imagine that you make a mistake and log in to the "adult" site with your "civil" account. That alone leaks some information that you might not want to be leaked. And if you log out and log in with the other account, it may be easy to correlate these two accounts (cookies, IP addresses). And a great part of your privacy is lost ...

The use of randomly generated identifiers that are shared only between the Authentication/Identity Provider and one Service Provider (as in the Liberty case) may help a bit. It limits collusion in such a way that the Identity Provider must be one of the colluding parties. That may be more acceptable in some cases (but not everywhere).
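The difference between the two paragraphs above can be shown in a few lines. The following is an added example, not code from the post or from any of the systems it names: two constructed provider databases are joined on a shared global identifier with no help from anyone, and the same join yields nothing once each provider only holds a pairwise, Liberty-style handle; only the party holding the IdP secret can map a handle back to a user. The keyed hash that derives the handle is an assumption standing in for the random per-pair value a real IdP would store.

```python
import hmac
import hashlib

# Constructed records of two independent service providers, both keyed by the
# user's global identifier (a URL/XRI/GUPI-style key). All values are invented.
FLOWER_SHOP = {
    "https://alice.example/": {"name": "Alice Example", "ship_to": "1 Main St"},
    "https://bob.example/": {"name": "Bob Example", "ship_to": "2 High St"},
}
ADULT_SITE = {
    "https://alice.example/": {"catalog": "spicy"},
    "https://carol.example/": {"catalog": "mild"},
}


def collude(db_a, db_b):
    """Join two providers' databases on whatever key they both store.
    With a global identifier this needs nobody else's cooperation."""
    return {k: {**db_a[k], **db_b[k]} for k in db_a.keys() & db_b.keys()}


def federation_handle(idp_secret: bytes, user_id: str, provider_id: str) -> str:
    """Pairwise identifier: stable for one (user, provider) pair, different for
    every provider, and random-looking to anyone without the IdP secret.
    Assumption: a keyed hash instead of a stored random value per pair."""
    msg = f"{user_id}\x00{provider_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


def rekey(db, idp_secret, provider_id):
    """What the provider's database looks like if the IdP issued pairwise
    handles instead of handing out the global identifier."""
    return {federation_handle(idp_secret, uid, provider_id): rec
            for uid, rec in db.items()}


def idp_resolve(idp_secret, known_users, handle, provider_id):
    """Only the IdP (secret plus user list) can map a handle back to a user,
    which is why it has to be one of the colluding parties."""
    for uid in known_users:
        if hmac.compare_digest(federation_handle(idp_secret, uid, provider_id), handle):
            return uid
    return None


SECRET = b"constructed-idp-secret"  # placeholder, not a real key
FLOWERS_FEDERATED = rekey(FLOWER_SHOP, SECRET, "flowers.example")
ADULT_FEDERATED = rekey(ADULT_SITE, SECRET, "adult.example")
```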

But neither of these approaches is ideal. There must be something else to look at, some better solution. Or maybe we are chasing ghosts and people do not really want privacy, after all ...

Disclaimer:
Don't get me wrong about XRI. I don't see anything bad about XRI (as I don't see anything bad about URI either). I must admit that the more I know about XRI, the more I like it. But I don't like i-names. That use of XRI somehow does not feel right ...

Posted by semancik at 2:22 PM in Identity
Tuesday, 6 December 2005

Kim Cameron blogged today about something that I've been pondering for some time - Personal Information Centralization.

Overcentralization of identity information increases the risks involved once the idea of a breach is accepted. So does the ability to assemble information from different contexts which should strictly be separated.
That's right, I believe. Overcentralization is not good. But that does not apply to the server side only; information may be overcentralized on the client side as well.

Take InfoCards as an example. If we use only self-issued claims in the InfoCards system, all the personal information will be stored on one's personal computer. That will make the common PC a rewarding target for attack. Do you know how difficult it is to hack a PC? I do not. PCs have not been targeted much by hackers, yet. There was nothing really important there. But now, that may change ... And PCs are very uniform. Find one good hole and you can hack millions of PCs all around the world in a few minutes.

I do not think that storing personal data on a PC is any better than storing them on a server. Overcentralization is equally bad in both cases, but the "PC case" is much harder to recognize. And the things that are hidden are the worst ones ... and that's not limited to computer security.

Posted by semancik at 4:35 PM in Identity