There is an idea that has not fallen and has grown in strength and in implication – the idea that we can be completely safe. This farcical idea is literally destroying our country. This myth bankrupting our nation. This myth is breeding ideologues. The fantasy of complete safety has robbed us our dignity. It has decreased our operational efficiency.

This country is behaving like a child, afraid of the dark, insisting to turn on every light in the house. There isn’t a boogeyman under every bed, in every closet. The dark isn’t inherently dangerous. The dark contains the unknown and the undiscovered; it is in the dark that our future rests. It is only through bravery of admitting that we cannot be completely safe, through the decision to not be scared of the dark, that we can progress economically and emotionally.

Ben Franklin actually wrote, "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." I give the National Park Service a lot of credit for leaving this graffiti up on a bridge in Rock Creek Park. Besides, if Ben Franklin said it, is it really graffiti?

This modern era has been split into pre-9/11 and post. Consider what I wrote on September 10, 2001:

You never what you’ll hear at Toledo Lounge. Simple as that.

So I was sitting at the bar, with my new camera, playing around, taking pictures, carrying on. At any rate, a guy comes up to me and starts talking about the camera and if I am a photographer. Simple, idle banter. And then he asks me if I take people’s pictures… okay this getting a little odd, but nothing too bad. He asks me for a card, which I don’t have on me. He says he’ll be by tomorrow and I can give him a card then. He says that he has women who will pay me to take their picture… this gets stranger. I’m not really sure if I want give him my card… call me crazy.

At any rate, I am in the midst of training. The CEO, the two founders, and a host of other corporate types are here brainwashing us. So much fun. The long and the short of it is that I am unsure whether I will be at Toledo tomorrow.

On September 11, 2001, I awoke quite hungover in the then Double Tree in Tyson’s Corner. Half way through sales training, I had been drinking with Plutko, Curie, Debbie, Cameron, Ken, and the rest of the Access360 crew. The night of the 10th, Ken and I and Mark went to Bob and Edith’s quite late. Very very late. It was one of those silly fun nights with coworkers.

And then the next morning.

And I can remember Ken calling me as I headed in, late, to a training session, “Dude, turn on the TV down there. They say a plane or something hit the World Trade Center.” He said the news thought it was a small plane. I thought of how the Empire State building was hit by a B-52 and nothing major happened to it. No big deal, right? Then we saw the second plane.

And then our modern era split in two.

Tomorrow I will post about my thoughts living in this post-9/11 world. In the meantime, here is what I wrote on September 16, 2001:

We are numb. We are hollow with grief and panic and a fear that has not been seen in this country in a long long time. We get goosebumps when we hear a survivor’s tale, or learn that a friend of a friend was late to work and thus not in the World Trade Center when this all happened. The Internet is full of emails asking people to check in, websites (www.helping.org) collecting money for victims, and words of peace.

I am so worried that this is going to get worse. That the gloves are off, the brass-knuckles are on, and that the US won’t stop until it is too late. Is there a “Them” in this war? In World War II, it was simple: Hitler was Them. Mussolini was Them. Hirohito was Them. And now? Osam bin Laden is Them?… but there is no real army to fight against; there is no real installation to fight for and win; there are no beaches to land on. Them is Hydra: cut off a head and a new one grows back stronger than ever. Them is an army of ready-made martyrs willing to trade each of their lives for the lives of American citizens.

I have spent the last few days attempting to lead a normal life. Calls to friends. Drinks with guests. Laughing at jokes. But it all still feels so wrong.

We tried deep fried turkey therapy last night. The turkey was good… Fitz was right: deep frying a turkey is a great idea. Skippy, Kwame, Joe and I made a flag… that’s the real way to do it. But then we saw planes flying overhead, and at least to me, felt wrong, felt dangerous. I am still unsettled.

So far as I have heard everyone has checked in okay. There are two and three degrees of separation people that are unaccounted for, but all in all, I feel lucky.

There is no difference, in my mind, between what Robertson and Falwell said about the liberal media, homosexuals, and pro-choicers causing “God” to punish us than bin Laden saying that America caused the wrath of Allah to befall it. Roberston and Falwell are treasons snakes, and the poisonous vemon that they spew belongs nowhere in this world. This kind of institutional hatred makes Falwell and Roberston compatriots of bin Laden. It just fuels my deep distrust of organized religion even further.

The following is an exerpt from Bruce Schneier’s monthly computer security email called the Crypto-Gram. I believe it neatly sums up a lot of the fears I have.

11 September 2001

Both sides of the calendar debate were wrong; the new century began on 11 September 2001.

All day I fielded phone calls from reporters looking for the “computer security angle” to the story. I couldn’t find one, although I expect several to come out of the aftermath.

Calls for increased security began immediately. Unfortunately, the quickest and easy way to satisfy those demands is by decreasing liberties. This is always short sighted; real security solutions exist that preserve the free society that we all hold dear, but they’re harder to find and require reasoned debate. Strong police forces without Constitutional limitations might appeal to those wanting immediate safety, but the reality is the opposite. Laws that limit police power can increase security, by enforcing honesty, integrity, and fairness. It is our very liberties that make our society as safe as it is.

In times of crisis it’s easy to disregard these liberties or, worse, to actively attack them and stigmatize those who support them. We’ve already seen government proposals for increased wiretapping capabilities and renewed rhetoric about encryption limitations. I fully expect more automatic surveillance of ordinary citizens, limits on information flow and digital-security technologies, and general xenophobia. I do not expect much debate about their actual effectiveness, or their effects on freedom and liberty. It’s easier just to react. In 1996, TWA Flight 800 exploded and crashed in the Atlantic. Originally people thought it was a missile attack. The FBI demanded, and Congress passed, a law giving law enforcement greater abilities to expel aliens from the country. Eventually we learned the crash was caused by a mechanical malfunction, but the law still stands.

We live in a world where nation states are not the only institutions which wield power. International bodies, corporations, non-governmental organizations, pan-national ethnicities, and disparate political groups all have the ability to affect the world in an unprecedented manner. As we adjust to this new reality, it is important that we don’t become the very forces we abhor. I consider the terrorist attacks on September 11th to be an attack against America’s ideals. If our freedoms erode because of those attacks, then the terrorists have won.

The ideals we uphold during a crisis define who we are. Freedom and liberty have a price, and that price is constant vigilance so it not be taken from us in the name of security. Ben Franklin said something that was often repeated during the American Revolutionary War: “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” It is no less true today.”

So what do we do now? We continue. We carry on with a greater sense of purpose and strength. In that vein, we go to Toledo on Tuesday.

BTW – some of us will be at Toledo tonight to reminisce. Come join us!

The second, and frankly the more interesting, was extended permissions. The newish extended permissions govern how apps can access data and how users are informed of this use.  It is these extended permissions at the bottom of the recent kerfuffle over Facebook allowing app developers access to phone numbers and addresses. (Ars Technica did a good job over covering this, and here is Facebook’s current response.)

Extended permissions work like this. First, an app developer encodes a request for access to various pieces of your profile data, as well as pieces of your friends’ profile data. Second, when you add the app to your profile, the app asks you for your permission. The following is a picture of what it looks like when Privacy Mirror asks for access to your and your friends’ information.

An example of extended permissions

It is crucial important to notice that you as an app user can only agree to the use of all the requested information (as opposed to individual pieces.) Also, the app user cannot say that the app can have permission to her own data but not that of her friends. (See my series “I ‘like’ you, but I hate you apps” for the implications of this coarse-grained control.) Third, once the app has your permission, it goes off and does what it doe

I have to say, I like the spirit of the extended permissions. I like the fact that developers must ask for permission and I like that users must grant that permission. But I am very troubled by the lack of granular control afforded to the user.

Also, Facebook has not addressed what I feel to be a much bigger privacy issue: the mistreatment of relationship between people and their apps. If I have an app and you don’t use the same app, then that app can only see the elements of your profile that you have allowed applications to see. (This is controlled via the Account > Privacy Settings > Apps, Games and Websites > Info accessible through your friends settings.) But if you and I both have the same app on our profile, then the app can see the elements of your profile that you can granted me access to see. In this sense, the app executes with my permissions based on our relationship. But you have a relationship with me, not my apps. This is subtle and remains an critical unsolved problem.

–

Attendees

• Peter A
• Mary R
• Ian G
• Gerry B
• others

What is mean by identity oracle?

* An oracle provides an answer to a question but not a specific attribute

** If you ask an Oracle, is Peter over 21 it says yes. It does not hand back an attribute – birthdate

Peter: The Federal Govt is authoritative for very few attributes – State Dept – passport #, citizenship. State govt are authoritative for driver’s license number. SSA for SSN.

eVerfify is an example of an oracle, says Gerry.

Peter – what will drive this is the requirement for LOA3 credentials needed to access to medical records.

P – “We do not have an attribute infrastructure.” A lot of attributes are simply issued via IdP’

I – our examples so far have shown organizations that are authoritative for identifiers but not attributes

P – raises need for back end attribute exchange

Gerry – Problem with authoritative attribute provides is that the PDP makes a decision as to what is truly authoritative for a given context. Authoritative data source must provide SLA or MOU so that relying party can establish trust.

P – BAE is 1/2 of the equation and attribute provider (market?) is the other half

A – is there a business model for attribute providers?

G – have problems seeing attribute exchange at enterprise scale let alone government scale. Quality and availability are just some of the issues. Access decisions are fairly local and these decisions are not things that known often at the higher enterprise layer. Things are made authoritative by policy decision.

P – Second model for authoritative – a local decision to assign authoritative-ness to something

Nishant – should we get rid of the term authoritative?

Peter for sees multiple attribute providers having say over the same attribute for the same person

If I use an Oracle, do I have to know its sources? No, says Gerry, as you form an agreement with the Oracle ahead of time as to what happens when something goes wrong

P- I am running validation services which services 400 back-end apps. I am standing up a BAE to help. I could build that infrastructure or I could can contract out to an Oracle. The Oracle has to tell me its sources so I can make a decision to use it or not. Gerry comments that you may not want to know the Oracle’s source of data.

Returning to the eVerify system – is a person allowed to work? eVerify doesn’t disclose sources of info but DHS takes responsibility for its decisions.

Pam asks about redundancy of providers. Redundancy allows same decision to be made via separate paths.

Anil feels that there is a business case for multiple providers.

Mary raises the point that there are organizations who have a lot of data on people. These are often highly regulated organizations because they are related to financial services.

G – uses Health Vault and Google Health as an example of multiple providers of heath information data

A – Talked to financial roundtable – these ors not interested in B2C but very interested in B2B situations. Having the govt offering services to help vet people would be of great service.

Govt business for providing identity information? There are certainly companies that will aggregate public data for a fee. If a service provider helps get me as a business information I need to hire someone (citizenship for example), would I use it? Would I form a business to do this? N raises BT’s You Are You service as an example of this.

Pam – talking about building cloud-services in this area. Definitely interest from small business for federation and using Google as authoritative source. Sees consumer-focused needs later down the road.

I asks P about persisting “over 18″ information if it is acquitted from Equifax. P says they’d have to issues SORN and protect as PII.

I am curious about about Govt as Oracle and the implications with respect to the Privacy Act. Peter wants to facilitate market for Oracles. NIH had MOU with InCommon which included use of attributes and information. This included agreed upon protections for those attributes which was coherent with InCommons users’ requirements. Peter acknowledges this doesn’t scale but he offers as a counterpoint that NIH is doing this federation to federation. He asserts there wont be that many to federate to.

I many not want to maintain a BAE with hundreds of connections to attribute providers. Likely outsource the work to an Oracle. “It is easier to affiliate with a hubs than it is affiliate with each provider,” says Peter A.

Peter says that NIH sees need to to handle attributes and thus NIH is setting up BAE. He acknowledges that there needs to be policy and practice around this, which Peter is on the hook to build. FICAM roadmap says that if you are standing up an attribute service it must be a BAE if you want funding.

G – If I am a BAE affiliate and I want to consume other affiliate’s data, what is the quality I can expect? Anil says that this is currently being discussed amongst architecture groups. G talked about the quality within his organization. There is no strong commitment to the data that internal data collectors collect. At the end of the day if something goes wrong, is it my fault or someone else’s. THis is part of the contractual relationship between data consumer and provider.

Hold Harmless clause within MOUs used the by the PKI Bridge. So long as org is acting in accordance with their own policies then they are to be held harmless. G – in certain situations this works, but in others it does not. I might have to run my own infrastructure or shop for another provider who can back up their assertions.

Pam asks if this is govt to govt discussion, would a private group come in an provide services for G2G? Anil says yes and that currently this is happening.

Because there are so many million of high level of assurance credentials, one would think that someone would want to build an ecommerce infrastructure to consume these creds – says Peter.

Peter asserts authentication is a solved problem and next up is authorization, claims, roles, etc.

Every application owner want to maintain control over who comes into the app. But this a way that Peter gets people to plug into the federated SSO environment.

Are people building services to consider risk-based authorization in transaction, asks Pam. Anil mentions the consideration of environmental attributes for initial authorization. G says this is a hot space now. Anil brings up how PayPal takes a low assurance cred and uses it for financial transactions.