SENDS & The Science of Cyberspace
Highlighting publicly accessible efforts to promote the development of a Science of Cyberspace. This effort is proposed by an interagency project known as Scientific Enhancements to Networked Domains and Secure Social Spaces (SENDS). To contribute a blog to this effort, please contact us at words@sendsonline.org.
Friday, April 22, 2011
More SENDS Blogs Available at SENDSOnline.org!
Thursday, March 10, 2011
SENDS Blogs at SENDSOnline.org
Monday, February 7, 2011
The End and the Beginning
Saturday, February 5, 2011
Seeing the Invisible
When I was a boy, my grandfather taught me a Cherokee Proverb which I have pondered my entire life. It didn’t make much sense to me at the time, but the more I thought about it, and the more I grew, and the more I learned, and the more I did, and the more people I met, worked with, and engaged with, the more I began to see what the proverb meant.
I suppose that’s what proverbs are supposed to do. They guide you toward some universal truth that is unknowable at the time. Unknowable because you haven’t lived the time and it is time that is the critical factor.
While time is the critical factor, experience is the determining factor and thought multiplies the effect for it is what you give your thought to that determines what your experience is and the time you will give to a task and hence what you learn. This is true whether it’s cyberspace time or the “old-fashioned” variety of time!
The proverb stated: “If you listen to whispers, you will not hear screams.” For a close-knit, tribal people this meant paying attention to those around you. Even in a hyper-connected age like the one we experience in cyberspace, it means the health of the whole is the responsibility of the individual. It means an acculturated community. It means seeing the invisible…an invisible that transcends both the tribe and the physical world, if you look and listen closely enough.
Why do we so often miss seeing the invisible? Perhaps because we are looking and listening in the wrong places.
What makes people who they are? Why do they do what they do? How can we know such things? Time, experience, thoughtfulness: just as my grandfather inferred in his proverb.
Listening to people, learning from them, learning all we can about them. What are their proverbs, their poetry, and their music? These are the tools of enculturation: how we learn and apply values of a culture.
To know a people’s language is just the beginning, to know their thoughts is to know them. This is what it means to socialize. This is how we will ultimately exploit cyberspace as a species. In the meantime, let’s listen…
Thursday, February 3, 2011
Beyond Passwords: A Vision for Personal Information Management
Introduction
Bob Schapiro’s previous SENDS blog post asserted that passwords are a security “solution” that’s part of the problem. Unfortunately, managing multiple passwords is just the tip of the iceberg regarding the cyber-security challenges that we collectively face. This post reflects on the current effort to redefine cyber-security and explores what empowering individuals to manage their personal information and cyber-presence might look like. A companion piece that fleshes out more of a required framework will follow next week.
The NSTIC initiative
The National Institute of Standards and Technology's (NIST) website recently described the emphasis of the current administrations effort on identities and privacy. The National Strategy for Trusted Identities in Cyberspace (NSTIC) “is an Obama Administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will improve the security and convenience of sensitive online transactions through the process of authenticating individuals, institutions, and underlying infrastructure - such as routers and servers.
“The NSTIC envisions a cyber world - the Identity Ecosystem - that improves upon the passwords currently used to login online. The Identity Ecosystem will provide people with a variety of more secure and privacy-enhancing ways to access online services. The Identity Ecosystem enables people to validate their identities securely when they're doing sensitive transactions (like banking) and lets them stay anonymous when they're not (like blogging)…People and institutions could have more trust online because all participating service providers will have agreed to consistent standards for identification, authentication, security, and privacy,” notes the NISTC website.
Universal ID Management
While the NSTIC goal of securing identity is an important first step, the path to enhancing user privacy is a much longer road to travel. The framework for a Universal ID Management infrastructure will need to include the ability to provide users with at least some level of consistency and control over how their private information is accessed and treated.
Today, simple address formats are diverse and make on-line registration efforts much more cumbersome than they should be. Today, if you’re one of the unfortunate individuals applying for work on company job boards, the inconsistency and repetitiveness of the experience can be downright maddening. As we move toward an ever-growing list of on-line information about us, including biometrics and medical records, the need for a consistent if not fully intelligent framework becomes even more apparent.
Managing personal information also branches into the realm of automation. When we do have a consistent and convenient way to transfer our address where needed, there should also be a simple mechanism to make updates virtually automatic. For example, if I move, I should be able to update my secure profile and have that change ripple to every single user of that information, including utilities, banks, on-line shopping sites I’ve registered with, magazine subscriptions, etc. Clearly, there has to be a robust identification mechanism in place to ensure only I could make such sweeping changes. But, it would be negligent to craft a new Identity Ecosystem that did not enable such basic management features.
Distribution rights
Another aspect of personal information that warrants attention is the user’s ability to track and manage distribution of their personal information. In its simplest form, that means a user should be able to select who gets access to what piece of personal information in a manner as simple as selecting from a list of people, institutions or websites they frequent and whether or not the recipient can post the information in a public format. Exerting this type of control over a person’s biography is a great example.
But, the concept of managing personal data can expand much further. If we consider the stories we tell about ourselves on social media sites to be an element of personal information, we find eroding levels of control. Facebook has been a classic example. Their privacy policy in 2005 read:
It may also be the right time to address the individual’s rights in the shadowy world of the personal information marketplace. Many people don’t realize that their profile is a common source of profit for companies that collect large databases of members/subscribers/contestants, etc. Today, many companies are sensitive, if not passionate, about protecting their customer’s information, but anytime you’ve been registered for a free magazine subscription or answered a few required questions to access something on a commercial site, there is the potential that the information is used to create distribution lists that are sold for direct mail campaigns, fund raising, surveys, etc.
While this practice has been in place for decades, it is only fair to ask the question if it is reasonable for someone to sell your personal information without permission, or at least provide some form of compensation...especially with the advent of recent web services that offer to provide a wealth of aggregated information about an individual for a fee. It could indeed open an entirely new market dynamic if individuals had the ability to assign a value to the distribution of their personal information and there was sufficient automation in place to award an individual micropayment for each use of a specific information packet for a specific class of organization.
Users who hate unsolicited information could simply raise the price on the right to trade in their information until they get the level of relevant information they desire (this assumes at a sufficiently high price, no one will engage unless there is high certainty of a positive response). On the other side, people who wanted to maximize the monetary return for just being who they are could adjust the price to extract the maximum income from the authorized selling of their personal information to specific classes of solicitors. Clearly, such a scheme could never be foolproof, even if laws were created to support it, since anyone could simply copy your information and sell into a black market. But, as in most circumstances, the vast majority of honest businesses would align and sustain such a concept if the implementation was sufficiently painless.
Independent of monetization, it would be wonderful if you could track instances of your personal information as it was distributed through the Internet. It would potentially make it much easier for individuals to assess their footprint in ways that current search engines could never reveal.
Location-based services
Another area that warrants attention is location based services. A growing list of services delivers valuable information, but exposure of private data can vary significantly per application. Moreover, each service has its own privacy schemes and settings which can change over time. Also, it’s often difficult for the user to know with certainty when their location is being accessed outside of specific requests or if it is being tracked by individual service providers or other members of a mutual service.
While some people are happy to publicly publish every moment of their existence, any new identity framework needs to provide fine-grained control of how location information can be used and who can have access to it down to the individual level. This includes the service provider as well. The user should be able to control whether the service provider is allowed to accumulate location information or if each record must be deleted after the completion of a transaction. Most important, the user should be able to declare their preferences and settings in one global profile that drives interactions which each service provider.
The framework should also allow a user with a GPS-enabled cell phone or mobile device to make anonymous transactions. For example, the user’s profile can verify that the phone/device is subscribed to a service without revealing who the user is and, for metered services, track the number of available transactions remaining. By providing the service and geo coordinates, there is no need to pass information that could identify the user such as the cell phone number to a location service provider. Under this scheme, you can check for local restaurants and entertainment, or get whatever relevant ad or promotion information is significant without the service provider being able to track your location or location records. Of course, the wireless provider will always have such records, but containment of such information is always a first step toward better personal security.
Conclusion
Overall, if a framework is put in place to allow these scenarios to be developed and evolved over time, a picture emerges of an internet environment that is much friendlier and allows the individual to tune their cyber-presence in ways that are barely imagined today.
The challenge in driving this vision to reality is the enormous complexity of the framework that would be required to deliver such a vision if it’s built on today’s computing architectures. Fortunately, there is advanced thinking and technology that could make such an interconnected environment practical. That will be the topic of my next post.
Editor’s note: Sandy Klausner is the founder and CEO of CoreTalk Corporation, the designer of the Cubicon executable design language, described at http://www.coretalk.net/. The opinions and concepts proposed by Sandy reflect his thinking about new types of programming languages, and web-based frameworks including Cubicon. SENDS does not endorse any specific product, but seeks to ensure members and guests of the Private-Public partnership of the SENDS Consortium are aware of novel thinking proposed by those associated with the Consortium and its efforts.
Thursday, January 27, 2011
Are Passwords Part of The Problem?
by Bob Schapiro
How many new passwords did you have to create in the past few months?
Spam is the first culprit when people think of the clutter that’s choking the Internet, but passwords aren’t far behind. Passwords are a security “solution” that’s part of the problem.
In fact, with the CONFIKR virus living comfortably on millions of home computers, maybe all of this cyber-clutter is not just an annoyance; it’s an actual security threat.
A few months ago I attended a conference with people from all the big companies and government agencies. Many of the speakers wondered why the gosh-darn American public doesn’t take cyber-security seriously…at least seriously enough to create stronger passwords. The consensus was that people need more education.
I don’t think we’re dumb. We’re just overwhelmed.
Maybe my situation is unique. I enrolled for a course at a university and had to create four new passwords—one each for the registrar, bursar, health service and to get my email. This week I subscribed to a magazine and had to create three new passwords: One to manage my subscription, one for the online version and another for the environmental organization that publishes the magazine.
But the most galling experience comes from—who else?—my cell-phone company. I can’t name them for legal reasons but it’s a huge company known for really lousy reception. (Let them come to court and claim that distinction.)
When I got my new cell-phone, I had to get a “micro cell” device because I get zero reception in my home. In order to connect it, of course, I needed a “user name and password” distinct from the ones I already have with both the phone company and with the company that makes my phone. (If you’re counting, I needed three passwords just to make the first phone call from my home.)
While installing the configuration software—to get the warranty—I got one of those little drop-down boxes where I had to “agree” to their terms. The word “agree” was in the flashing blue box, in case I was confused about what I was supposed to do. (I put “agree” in ironic quotation marks because the word is supposed to mean that you actually concur with something.)
I don’t know what possessed me, but I decided to actually read the agreement. I scrolled through a few pages of tiny print before downloading the whole thing. It was over 200 pages! Of tiny type! I know there was fine print before the Internet, but this is insane. When I bought my first car I had to sign seven or eight pages of small print and I thought that was a lot.
We’ve all clicked that flashing “agree” button. We know how the world works now. Are you really going to return that piece of software—the one you’re already installing—because of sub-paragraph xvii on page 128?
But not so long ago, all you’d need for the warranty is keep the receipt.
What is the effect of all these meaningless passwords and agreements? Imagine if you only had to create five or six passwords…for your employer, your bank, a few others…do you think you might take them all more seriously? Most of us used to think twice before signing a long document. Now we don’t even look anymore. In fact, if you took all of this seriously, you wouldn’t be able to get through daily life in the cyber age.
You probably have your own stories. We’d like to hear them. Just send them to words@sendsonline.org or make your comments to this blog below.
Not to boast—okay, to boast a little—SENDS has the attention of the major players who are shaping cyberspace. Participating in SENDS will help you be heard.
SENDS seeks to discover what is inherent in cyberspace. My guess is that passwords are not. In the future, you may just swipe your thumbprint at any computer…or there may be facial recognition.
Right now, a lot of so-called cyber-security is driven by marketers. Yet companies will stop these people if they see a downside. A few years ago many websites absolutely needed to know your social security number and mother’s maiden name “to help us protect you.” Then they discovered that they were liable if there was data theft…and all of a sudden, they decided that this information was not so vital after all.
What do you think is vital…and what is intrusive cyber-clutter? Let us know at words@sendsonline.org. We’ll pass it along.