What a head-filling event! If you’re interested, you can see notes from many of the sessions on the IIW wiki. Some of the sessions are rather technical, which is consistent with the roots of this unconference.
A few of the things I learned: people continue to amaze me with these projects: personal data projects (check out Personal; no notes from their demo; and soon The Locker Project), reputation sites (I was busy vouching for people whose work I know with Connect.me), the many stories of evented APIs (think actions: when something happens, it can trigger something else to happen, as in the “Internet of Things”), and of course the evolution of the Personal Data Ecosystem and PDEC.
Coaching moment: There are two major forces pushing forward. One is represented by Facebook: collect and manipulate, sell and distribute all of the personal data that can be found. This is a pulling, pillaging process with the “users” as the product being sold. The other force is not yet represented, but you might think of it as an opposite: individual people have access to their own data when they need it, using starter organizing, permissioning, sharing and distribution tools. What if you could say “No, Facebook, you can’t plunder my own and my friends’ data” and mean it? What if advertisers came to you when you wanted? The idea is to say “yes” and “no” to data sharing when it’s appropriate for you. It’s you who is important, not a product.
Brief introductions. Yubico offers YubiKeys that help with authentication: low cost and simple! The key acts as a keyboard: the user enters their password and the key types a 32-character one-time passcode. Easier than smart cards (insert into a USB port, push a button).
Lots of users: 1M users and 16k customers in 95 countries. Use cases: Google for internal staff, PayPal, Fedora, LastPass. Yubico is self-service: hardware sales on the web store, free and open source server components, and a virtual appliance for remote access (enterprise-class VPN).
Versions of the YubiKey: regular (Yubico one-time password), OATH standard (one-time passcodes; OATH is not the same as OAuth), static password, and challenge-response. Secure life cycle: “trust no one.” Secure your servers.
Key is robust: sealed, simple. Accidentally went through a washing machine for several weeks and worked fine.
Future vision: one key for the whole Internet: YubiCloud validation service, third-party single sign-on and SAML. High security, easy to use, low cost. Plans to work with mobile phones via near-field communication (NFC).
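The one-time-password mode described above is worth seeing from the validating server's side, since that is where the security of a typed passcode is decided. The Python below is an added example, not Yubico's code or the YubiCloud service: it decodes the ModHex alphabet a YubiKey types (chosen so the characters land in the same place on most keyboard layouts), splits the typed string into the 12-character public ID and the 32-character one-time part, parses the 16-byte token structure Yubico documents for the decrypted part (6-byte private UID, session counter, timestamp, session use, random, CRC-16) and enforces the monotonic-counter rule that makes each passcode single-use. Two assumptions: the public ID is the standard 12-character length, and the AES-128 decryption of the 32-character part with the device's secret key is taken to have already happened before parse_token (it is left out so the block runs on the standard library alone). The public ID, UID and counter values are constructed test data, and build_token exists only to manufacture such test tokens.

```python
import struct
from dataclasses import dataclass

# ModHex alphabet used by YubiKeys: position in the string is the nibble value 0..15.
MODHEX = "cbdefghijklnrtuv"
# Residue of the CRC-16 over all 16 token bytes when the token is intact (Yubico's check value).
CRC_OK_RESIDUE = 0xF0B8
PUBLIC_ID_LEN = 12          # assumption: standard-length public ID prefix (12 ModHex chars)
OTP_BODY_LEN = 32           # the 32-character one-time part that the key types


def modhex_decode(s: str) -> bytes:
    """Turn a ModHex string into raw bytes; reject anything outside the alphabet."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a ModHex string")
    nib = [MODHEX.index(c) for c in s]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data: bytes) -> int:
    """CRC-16 variant used in the YubiKey token (poly 0x8408, init 0xFFFF, no final xor)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def split_otp(otp: str) -> tuple[str, str]:
    """Separate the plaintext public ID from the encrypted one-time part."""
    if len(otp) != PUBLIC_ID_LEN + OTP_BODY_LEN:
        raise ValueError("unexpected OTP length")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


@dataclass(frozen=True)
class Token:
    uid: bytes
    session_counter: int   # increments each time the key is powered up
    timestamp: int         # 24-bit, 8 Hz counter since power-up
    session_use: int       # increments for each OTP within a session
    random: int


def parse_token(plain: bytes) -> Token:
    """Parse the 16 decrypted token bytes; the CRC residue must be intact."""
    if len(plain) != 16:
        raise ValueError("token must be 16 bytes")
    if crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed")
    counter, = struct.unpack_from("<H", plain, 6)
    timestamp = plain[8] | (plain[9] << 8) | (plain[10] << 16)
    random, = struct.unpack_from("<H", plain, 12)
    return Token(plain[:6], counter, timestamp, plain[11], random)


def build_token(uid: bytes, counter: int, timestamp: int, use: int, random: int) -> bytes:
    """Test-data helper (constructed, not a key function): assemble a valid plaintext token."""
    body = uid + struct.pack("<H", counter) + timestamp.to_bytes(3, "little") \
        + bytes([use]) + struct.pack("<H", random)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)   # appended CRC yields the residue


class Validator:
    """Minimal validation-server logic: known key, matching UID, strictly increasing counters."""

    def __init__(self, uids: dict[str, bytes]):
        self.uids = uids          # public ID -> private UID expected inside the token
        self.last: dict[str, tuple[int, int]] = {}

    def validate(self, public_id: str, plain: bytes) -> str:
        if public_id not in self.uids:
            return "unknown key"
        try:
            tok = parse_token(plain)
        except ValueError:
            return "bad token"
        if tok.uid != self.uids[public_id]:
            return "uid mismatch"
        # Replay defence: (session counter, session use) must advance past the last accepted value.
        if (tok.session_counter, tok.session_use) <= self.last.get(public_id, (-1, -1)):
            return "replayed"
        self.last[public_id] = (tok.session_counter, tok.session_use)
        return "ok"
```

In practice the server looks up the AES key and expected UID by the public ID, decrypts the 32-character part, and only then runs the checks in Validator; the counter rule is what makes a passcode that was shoulder-surfed or logged useless once the legitimate one has been accepted.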
Markus pointed out that the purpose of PDEC is to help coordinate and educate, and to facilitate dialog in the system. Most of our current work is on the legal and business level, but work also needs to happen on the technical level. PDEC is trying to catalyze the ecosystem. One of the important promises of the ecosystem is interoperability, which needs some technical work, agreement and understanding. We’re not about setting standards; we’re about discovery, conversation, documentation: technical profiles of the different projects, what schemas and APIs are exposed, how they are exposed, and what strategies are in use.
Proposal to collect a set of questions that will help inform the dialog:
Can your project work with someone else’s project?
Documentation steps:
Document technical profile — with temporal attribute (what tech now, what changes coming?)
Interoperability: do you have interoperability with another member of the ecosystem? or planning to do?
(TBD)
Proposal suggested that we put a set of questions up and propose member organizations post responses (RSS or other) to help “cat herding” of the information. Proposal suggested to organize info in three columns: name, tech keywords, brief description. Proposal to pre-define businesses (personal data store) then differentiate between those companies/projects. Some questions won’t apply equally to all companies in the startup circle.
Survey Examples (does this format work?):
Technology                  | Personal.com          | Locker Project | Gluu/SAML appliance
Data model/schema           | own schema (gems)     | x              | x
Tech for sharing            | RDF endpoints, OAuth? | x              | XDI, LDAP, SAML for federation
Protecting privacy/controls | x                     | x              | x
Client support              | x                     | x              | x
Need to do more thinking on how to collect/organize this information.
Good attendance, very diverse industry representation! Thanks Joseph from Broadridge for his chair in our crowded room, allowing me to take notes.
Kaliya showed a slide of PDEC landscape: Personal zone overlapping with Accountability “Trust” Frameworks which contained Personal Data Zone, also overlapping with the Market. At bottom of this landscape view: Governance through Legal, Code, Identifiers, and Peers–who act as framework creators.
Slide of PDEC Startup Circle. Joining is a peer-reviewed process, what open standards are they using, what’s their value space/where are they coming from. Leaders consider if group qualifies; trying to cultivate “an industry collaborative, engaging with technologists and business leaders from banking and finance, telecom, cable, web, advertising, media and other industries seeking to understand opportunities, launch pilot projects and ultimately offer service in the ecosystem.”
Discussion about who “manages” your data as your IDP, and what personal control individuals have over that data. Is this like a bank, where you go in to withdraw all your money and get the Bank’s response “that’s our money?” Or can you withdraw your funds and walk across the street to another institution and open a new account, because your money is portable? Why would a telco worry about risk? This is a most important concept for them. Similarly in banking: board-level view is that they’re not going to be the first ones to jump. Either all jump at once or they get killed. Risk in the US of having all your funds in one institution is higher than distributed accounts. Same thing with different kinds of data, e.g., health data vs spending.
Fair Information Practices (the FTC standard used for enforcement): the framework worked when they started back in the 1970s, but now systems are more complex, with no notice and consent about which databases we’re now part of. About time for a FIPS refresh? Kaliya is working on a paper: what are the core principles and guidelines that government could adopt? Where does the thinking need to be? We have more powerful devices in our pockets. Lots of privacy conversations are about do not track/store. OECD principles are not regulations; they are technology neutral (data minimization, etc.) but they make no assumption about individual ownership and agency over one’s own data.
Refreshing principles is a good exercise, but one thing missing from the principles is the concept of fairness. Control is about fairness, fair trade and equality. There is a striking asymmetry today. Notice and consent is not working; people can’t do much about it.
Mary quickly reviewed Organizations stewarding user driven personal data and ID. Slide includes: ProjectVRM (an ethos and conversation), WEF, PDEC, Kantara Initiative, IDCommons, UMA, Information Sharing Working Group, Open Identity Exchange, The Data Portability Project, W3C, and microformats.
Shift in focus back to PDEC’s work: What’s personal data and what’s not? What’s self-asserted data?
Kaliya showed a map of personal data (link to come), then reviewed briefly what some of the companies do in the Startup Circle. Question about business models and how those companies plan to make money. (Some uncertainty here.) What are they hoping to do, how do they see working together? Respect, collaboratively working toward interoperability, for big players to adopt or use emerging standards. Faster adoption. Is this policy or protocol standards? PDEC is about conversation, discovery and education, document activities, and catalyzing an interactive collaborative market. Paint common pictures, evolve common language.
Note: If you’re interested in this space, check back for updated links to slides and graphics that were in progress during this session.
Connect.me is a socially verified reputation system in which people vouch for other people using customizable tags. This is called social vouching. The whole system is based on it, so someone has to vouch for another person to join the network. The purpose of this session was to help a group of people get their initial vouch and learn how to use this new network.
It works in conjunction with/on top of Twitter, Facebook, and LinkedIn. If you follow or are connected to someone in one of those networks, they show up in your network as someone you can offer a “vouch” for. For example, I vouched for Drummond with tags “digital identity” and “trust frameworks,” which are both areas that he has done considerable work in for years. I also vouched for Kaliya (one of the organizers of this event) with tags “identity” and “digital identity” because she’s known widely as “identity woman.”
People can refer to others on this site by their reputation, as represented by their tags (what people know them for). One of the tags I’m known for is “early adopter.”
Much of this session was working through some of the user interface glitches and idiosyncrasies. This was a great opportunity to see how things work with more people doing the testing. Once we got past some of the early work-in-progress, it was clear that there is a good networking resource in the making.
For anyone at IIW who wants to start using the network, you can either: 1) have anyone that is already using it (and that you have a link to on Facebook, Twitter, or LinkedIn) vouch for you (and then you’ll be sent a custom invitation link), or if you’re not at IIW, 2) go to http://connect.me, sign up, and then either give the username you registered to Drummond (or send it to him at drummond — at — connect — dot — me) and he will vouch for you as an early adopter to get you into the beta.