Pushing String

Everybody’s talking about identity assurance these days, meaning, generically, the confidence a relying party needs to have in the identity information it’s getting about someone so that it can manage its risk exposure.

A lot of the conversation to date has revolved around NIST Special Publication 800-63 (newer draft version here) and its global cousins, which boil down assurance into four levels — hence all the loose talk of LOA (for “level of assurance” or sometimes AL for “assurance level”), even when people aren’t focusing on specific levels or even systems of assurance numbering. NIST 800-63 is intended to answer the use cases defined in OMB Memo 04-04, which deals with making sure users of the U.S. Federal government’s online systems are who they purport to be. Here’s an example given in OMB M-04-04 for one particular need for level 3 assurance:

A First Responder accesses a disaster management reporting website to report an incident, share operational information, and coordinate response activities.

And here’s how NIST 800-63 defines assurance (I’m quoting the Dec 2008 draft here; strangely, the official Apr 2006 version doesn’t include a formal definition):

In the context of OMB M-04-04 and this document, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

So there’s an identity proofing component at registration time that nails down the precise real-world human being being referred to, and there’s a security/protocol soundness/authentication component at run time that establishes that the credential is being waved around legitimately. These get added up into four levels defined roughly like this (leaving aside the security and protocol soundness factors):

(Here, “same unique user” means that the same user can be correlated by the RP across sessions. And “verified name provided” means that the user’s real-world name is exposed to the RP, versus some sort of pseudonym; level 1, where no proofing is done, is implicitly pseudonymous, while level 2 offers a choice.)

I don’t mean at all to criticize this rolled-up four-level approach. It seems to have met the needs set out in M-04-04, and it predated both the “user-centric” movement (Dale Olds has a nice rundown of its use cases here) and truly modern notions of online privacy.

But I think we need more clarity about assurance use cases and terminology, for two reasons: One is to help ensure that identity providers can give RPs what they need, rather than what might just be a poor approximation based on NIST 800-63’s fame. The other is to help ensure that IdPs give RPs only what they need, since more assurance is likely to involve more personal information exposure.

To that end, let me explain some assurance use case buckets I’m seeing in the wild, and their relationship to the NIST requirements and each other. First, here are some use case buckets hiding in plain sight in the NIST levels:

Simple cross-session correlation: While NIST 800-63 doesn’t formally include “same unique user” as a goal, it’s in there:

Level 1 – Although there is no identity proofing requirement at this level, the authentication mechanism provides some assurance that the same claimant is accessing the protected transaction or data.

Funnily enough, cross-session correlation (without the baggage of proofing) is a key requirement of many enterprise and Web federated identity interactions. Lots of sites don’t need or want to know you’re a dog; they just need to know you’re the same dog as last time. This way, they can authorize various kinds of ongoing access and give you something of a personalized experience across sessions. Though NIST treats this as an also-ran and couples it with weak authentication in level 1, other use cases may have reason to match up “mere correlation” with higher authentication.

Identity proofability: If an RP can trust that it’s dealing with a human being who has some level of serious representation in civil society, it’s a powerful kind of assurance for lots of purposes. More about this below.

Real-world identity mapping: When level 3 or 4, or verified-name level 2, is used, this means a user’s real name is used to build up the unique identifier that the RP sees, and this verified name leaks PII like crazy, even if it’s not itself unique. (As far as I know, I’m the only Eve Maler out there…) This is strong stuff, and in a modern federated identity environment, it is to be hoped that most RPs simply don’t need this information. (John Bradley — that is, the John Bradley who works with the U.S. government on its ICAM Open Identity Solutions program — tells me he believes pseudonyms should be an acceptable choice all up and down the four levels, indicating that this use case bucket is fairly rare.)

Now things get really interesting, because there are other use case buckets that you can sort of see in this matrix if you squint, but really they’re just different:

Anonymous authorization/personalization: This is the flip side of cross-session correlation. OMB M-04-04 talks about “attribute authentication” and the potential for user attributes to serve as “anonymous credentials” (where an RP simply can’t know if this is the same unique user coming back but can still base its authorization decisions and personalization actions on the veracity of the attributes it’s getting). The attributes in question can range from “this user is over 18″ to “this user is a student at University ABC” to “this user is of nationality XYZ”.

Ultimately M-04-04 puts the whole area of attribute authentication firmly out of scope, but lots of folks have been picking at the general problem of attribute assurance in the last several months — like Internet2 in its Tao of Attributes workshop, and the Concordia group in a forthcoming survey (stay tuned for more on that).

This bucket often requires being able to check who issued some assertion or claim, and considering whether they’re properly authoritative for that kind of info. The way I think about this is: Who has the least incentive to lie? That’s why you can be said to be truly authoritative for self-asserted preferences such as “aisle vs. window”. Any other way lies madness (“What is your favorite color?” “Blue. No yel– Auuuuuuuugh!”).

Of course, there are cases where an RP really does need attribute assurance along with other kinds, like correlation or identity mapping. And don’t forget that it takes precious little in the way of personal information for an RP to figure out “who you really are” anyway. (Check out this cool Tao of Attributes diagram, which touches on all these points.)

Financial engagement: Sometimes an RP just just wants some assurance they’re dealing with someone who has sufficient ties to the world’s legitimate financial systems not to screw them over entirely. It turns out that identity proofability can often be a serviceable proxy for this kind of confidence. (Financial account numbers are one kind of proofing documentation in NIST 800-63.) And the reverse is also true: financial engagement can sometimes give a modicum of confidence in identity proofability.

Interestingly, this bucket can be useful even without any of the other kinds, partly because the parties can lean on a mature parallel financial system instead of just lobbing identifiers and attributes all over the place. For example, users often “self-assert” credit card numbers (which RPs then validate out of band with the card issuer), or use third-party payment services like PayPal (where the service provider does a lot of the risk-calculation heavy lifting).

No doubt there are other assurance use cases. Understanding them more deeply can, I think, help us get better at sharing the truth and nothing but the truth about people online — without having to expose the whole truth.

(Thanks to John Bradley, Jeff Hodges, and Andrew Nash for comments on early drafts of this post. And check out Paul Madsen’s many excellent commentaries on assurance matters.)

Mele Kalikimaka me ka Hau’oli Makahiki Hou!

While it’s true that Twitter has absorbed some of my blogging rays, I do have a post-of-substance in the works that I hope to share with you before the year is out. But I didn’t want to let this occasion* pass without a thank-you to my readers here on xmlgrrl.com (also known as carbgrrl.com and vennofidentity.org).

So, here goes: Mahalo nui loa!

*Hey, maybe this is another opportunity for a custom Paul-designed card…

(This is part 2 of “The science of feeling peckish”, promised way back in April. Thanks for the encouragement/prodding in the original comments thread about finishing the series.)

I hope you’ll stick with me for this rather technically dense post. As always, I will gladly accept all error corrections and pointers to research that disputes or usefully refines the information below.

Regurgitating (sorry) Part 1

As we join our story already in progress, we recall that the 1976 article “The Physiological Psychology of Hunger: A Physiological Perspective” made the following points in reviewing energy metabolism:

• The various parts of the body are largely source-agnostic when it comes to getting energy from the diet: carbs, fat, and protein are broken down into their constituent parts and used all over the place. (A couple of small exceptions become important later on.)

• The brain is always fed first and steadily; you’d pretty much have to be on a desert island surrounded by a fishless sea for many days before making a dent in your brain’s energy supply. And in fact, all your tissues get an adequate supply pretty much all the time, despite the fact that you don’t graze constantly.

A few cautions before we proceed: First, we’re talking physiological hunger here, not emotional bingeing, or missing lunch because you’ve got a deadline. Second, the research used to support the discussion in the article is mostly about laboratory rats. There are precise parallels when it comes to energy metabolism among the higher mammals, however, so don’t be offended if I use the word “you” below…

Hunger Hypotheses on the (Dinner) Table

The Friedman-Stricker article addresses two popular hypotheses for explaining what triggers hunger. They both posit a special role for the central nervous system:

• The glucostatic hypothesis: The brain responds to blood-borne signals about your level of blood sugar, making you eat when it dips (mmm, dip) and lay off the food when it’s sufficiently high.

• The lipostatic hypothesis: The brain responds, instead, to signals about your level of body fat. You could think of this as a “fat set point”.

Ultimately the authors present an alternative view, which I’ll get to in due time.

“Brain and Brain. What is Brain?”*

Much of the research examined in the article involves making lesions in the brains of rats, specifically damaging either the ventromedial hypothalamus (VMH) or the lateral hypothalamus (LH), and seeing what happens to weight, hunger, and feeding in various conditions (like shaving their fur off to make them cold, or even administering the dreaded “tail pinch”). A moment of silence, please, for these poor rats.

ernestfigueras / CC BY-SA 2.0

In general, it’s known that VMH lesions stimulate hunger and lead to weight gain, and LH lesions do the reverse. This is called the “dual hypothalamic model” (and initially led to speculations that the VMH is the “satiety center” and the LH the “hunger center” of the brain, but things got a little more sophisticated in the next iteration). Here’s how the two hypotheses predict these effects.

• Glucostatic: There are “glucoreceptors” located in the VMH, and they detect when blood sugar is low or when available blood sugar isn’t getting properly used.

• Lipostatic: Damaging the VMH either messes with a brain “hunger center”, taking off its controls and making you way hungrier than normal, or it turns up the dial on your “fat set point” so that you feel compelled to meet the higher requirement.

A Taste of the Arguments Against

The gross effects of messing with rat brains do seem generally supportive of one of these choices. But dig a little deeper (no, not murine-cerebrally) and the evidence doesn’t look as great. The article goes into a lot of technical depth; here is my best attempt at a summary of the “con” positions.

Glucostatic:

The idea that there are glucoreceptors in the VMH was already weakening at the time the article was written. For starters, originally it was noticed that small dips in blood sugar are indeed associated with hunger, so this formed the core of the hypothesis. But since diabetes involves both higher blood sugar and greater hunger, the hypothesis had to be refined to say that the brain is suffering from less-efficient use of the blood sugar you’ve got. However, it turns out this refinement doesn’t help; more on this below.

In addition, feeding behavior in the presence of lesions, lab conditions such as excess cold, and treatment with substances like insulin tends to float in surprising directions.

Finally, as Taubes adds in GCBC, this hypothesis doesn’t explain things like weight gain back to normal levels after an illness.

Lipostatic:

It’s a funny thing: Rats with VMH lesions add body fat even before they begin eating, even if they’re prevented from eating for many hours. So if the rats’ brains are telling them to eat, the eating doesn’t seem to be the first effect in line. And it’s known that the lesion immediately causes higher levels of circulating insulin (geez, why didn’t they say so before?), with effects similar to seasonal obesity in animals who migrate or hibernate (and, hmm, similar to other effects I’ve discussed in the past).

And in any case, positing a lipostat in the brain simply doesn’t get you very far. In particular, Taubes notes, it doesn’t explain why the very obese have an elevated set point. It’s all a bit circular:

Saying that we’re all endowed with a lipostat that monitors our adiposity and then regulates hunger appropriately is just another way of saying that our weight remains remarkably stable, whether we’re lean or obese, and then assigning the cause to a mysterious mechanism in the brain whose function is to achieve this stability. [GCBC p. 428]

Sugar Sugar, Ah, Honey Honey

It’s worth looking more closely at the diabetes problem for the glucostatic hypothesis. It reveals a metabolic story that goes way beyond a simple blood sugar level.

Diabetes kind of looks like starvation. The body madly breaks down fat into ketone bodies (ketogenesis) for use in the periphery of the body, since those parts need insulin to make use of the glucose and there isn’t any to be had. But the body also madly makes new glucose (gluconeogenesis). The brain must think it’s in heaven since it actually gets plenty of that fine, fine stuff, but the rest of the body is out of luck — unless it can get more of the stuff it can actually use:

[T]he fat content of the usual laboratory diet can be viewed as “diluted” with carbohydrate, material of little metabolic significance during diabetes. The hyperphagia [extra feeding] of diabetic animals thus resembles the increased feeding that occurs in intact rats when food is diluted with nonnutritive bulk and may result because the decrease in utilizable metabolic fuels in the diet reduces the diet’s capacity to satiate the animal. …. [D]iabetic animals maintained on a high-fat diet do not display hyperphagia despite continued impairments in glucose utilization. [TPPH:APP p. 418; citations elided; bold added]

So even the more modern version of the glucostatic hypothesis of hunger seems off.

The Mind-Body Connection

But wait, there’s more to the “con” position. The very assumption that the hunger trigger originates in the brain is suspect. All this nasty work to produce weight gain etc. in lab animals is highly unusual; as already noted, the brain lives in an energy bubble and never wants for anything whether you’re feeling peckish or not.

There’s another candidate — an organ on the periphery of the body that (a) already orchestrates fat-burning and other energy processes in our bodies and (b) is unique among its surrounding organs in that it can’t process ketone bodies but can handle fructose:

[I]t is not likely that pronounced decreases in cerebral glycolysis [energy usage in the brain] ever occur except under nonphysiological experimental conditions [rat abuse], because the brain is normally protected from such emergencies. …. Our recent findings that insulin-induced feeding is abolished by infusions of fructose, but not ketone bodies, strongly implicate the liver as the origin of the hunger signal. [TPPH:APP p. 422; citations elided]

Yep, if you inject ketone bodies directly into an insulin-treated rat’s bloodstream, the rat still wants to raid the fridge — and it appears to be because its little liver is still starving.

The Friedman-Stricker article discusses a particular event in the liver that could trigger the hunger signal: a shift away from “oxidative metabolism” (the Krebs cycle for making energy out of anything) to direct production of glucose and ketone bodies (gluconeogenesis and ketogenesis — remember these from “diabetes is like starvation” above?). This seems to be the initial sign that your body is starting to “run on fumes” and needs to fill the tank again.

(The authors have continued to push the ball forward; here’s one sample of recent research to determine how the liver signals the brain that eating would be a good idea right about now.)

Occam’s Razor

So after trying really really hard, scientists couldn’t quite put their finger on an actual brain center that controls levels of fat or blood sugar. And brains don’t ever want for anything, but sometimes livers do. And the totality of the energy metabolism story, not just one substance or another, is on display when each hypothesis is examined.

The simplest explanation for hunger and weight-balancing would be a homeostatic system, like so many others in the body. Taubes notes, “Life is dependent on homeostatic systems that exhibit the same relative constancy as body weight, and none of them require a set point, like the temperature setting on a thermostat, to do so.” [GCBC pp. 428]

And indeed, Friedman and Stricker show that the caloric homeostasis hypothesis fits the facts much more closely than do the others: Hunger returns when the total utilizable fuel level in your body, rather than a store of a particular kind of energy, drops below some critical level. After all, brains and bodies generally don’t distinguish between energy sources. And more insulin stimulates more frequent meals, while less insulin allows body fat to be mobilized, which appears to stave off hunger.

(If you’re a regular carbgrrl.com reader, you might think this is a blinding flash of the obvious. Please tell the diet industry.)

Taking pity if you’ve gotten this far, I’ll spare you the dry conclusion from the Friedman-Stricker article and let Taubes bring it home:

This hypothesis of eating behavior did away with set points and lipostats and relied instead on the physiological notion of hunger as a response to the availability of internal fuels and to the hormonal mechanisms of fuel partitioning. Hunger and satiety are manifestations of metabolic needs and physiological conditions at the cellular level, and so they’re driven by the body, no matter how much we like to think it’s our brains that are in control. [GCBC pp. 432-3]

Luckily, we can use our brains to understand this mechanism better — and turn it to our advantage.

If you saw the ProtectServe status update from the Internet Identity Workshop in May, but haven’t taken a look since then, you’ll want to check out our progress on what has become User-Managed Access (”UMA”, pronounced like the actress…).

The proposition still centers on helping individuals gain better control of their data-sharing online, along with making it easier for identity-related data to live where it properly should — rather than being copied all over the place so that all the accuracy and freshness leaks out.

On our wiki you’ll now find a fledgling spec that profiles OAuth and its emerging discovery mechanisms XRD and LRDD. We’re also starting to collect a nice little bunch of diagrams and such, to help people understand what we’re up to. Click on the authorization flowchart to get to our “UMA Explained” area:

Thanks to the Kantara Initiative participation rules, it’s easy and free to join the UMA group. If you’re interested to contribute use cases or thoughts on design or implementation talents, consider coming on board.

It’s frustrating to see “news” stories about diet and metabolism that get something right, sort of, but for really harmful reasons.

Yes, popcorn is deliciously seductive. Yes, it’s bad for you to eat a medium-sized popcorn/soda combo (“Movie Popcorn Has Shocking Calories, Fat”). But there’s no actual evidence to suggest that the “12 pats of butter” in it is the reason.

From (The Great) Gary Taubes’s GCBC:

In the mid-1970s …, [Ethan] Sims and [Elliot] Danforth [of the University of Vermont] believed that obesity was most likely caused by chronically elevated levels of insulin, and that the elevated levels of insulin were likely the product of carbohydrate-rich diets. In the 1980s, their opinions changed and fell into step with the prevailing consensus on the evils of dietary fat. ….

One potentially relevant observation that Sims and his colleagues neglected to publish, for example, was that it seemed impossible to fatten up their subjects on high-fat, high-protein diets, in which the food to be eaten in excess was meat. …. [T]he volunteers would sit staring at “plates of pork chops a mile high,” and they would refuse to eat enough of this meat to constitute the excess thousand calories a day that the Vermont investigators were asking of them. ….

Those fattening upon both carbohydrates and fat, on the other hand, easily added two thousand calories a day to their typical diet. Indeed, subjects in some of his studies … [took] as much as ten thousand calories a day. [GCBC pp. 310-1; bold added]

Well. Doesn’t that put a different spin on things?

We could practically make popcorn-eating a medical test. If it makes you hungrier rather than full, you’re courting trouble. And if you promise you won’t touch the stuff but you end up eating three-quarters of the bag your husband bought for himself (ahem), you’re in serious scrawny-pancreas territory.

Christian Scholz and his Data Portability Project pals have roped me into their Data Without Borders podcasts. On Friday, Christian and Trent Adams and Steve Greenberg and I had some fun relaunching the series by talking about the DPP Terms of Service and End-User License Agreement (TOS/EULA) task force.

Steve was passionate in describing this work. I think he’s right when he says that you first have to ensure that people are aware of a site’s terms of service; disclosing them in a form human beings can grok (à la Creative Commons or the nutrition label approach I wrote about here) can begin to empower humans to change things if they so desire, using a variety of means.

At one point we talked about the Archive Team project run by Jason Scott, which I think of as “data portability of last resort”. These folks are like digital historian ninjas who swoop in to save data that might otherwise be lost forever — like everything on GeoCities.

The thing is, website-sanctioned bulk import and export of data isn’t all that huge an improvement on this kind of rescue operation. True data portability wants granularity and timeliness. For example, if you choose to host (so to speak) your current location info at FireEagle, you might still want to reuse it in other places for other purposes, and luckily OAuth lets FireEagle, Dopplr etc. give you a nimble and safe way to “port” this data back and forth.

This is a kind of data statelessness, in that when you tell various sites they can set, read, and republish your location, they’re letting go of any pretense of exclusive hosting control so that they can offer you a different kind of value.

Now, in the IdM and VRM worlds, some of us have been talking about identity statelessness for a while, which is similar but looks more like straight data-sharing (reading) rather than arbitrary service access (setting). For some reason this is a tougher sell — even though CRM systems and user accounts are shot through with pale copies of stale data (and, in the enterprise case, even though syncing directories and replicating databases is brittle and no fun).

Even when one party — say, you yourself — is authoritative for some piece of personal data (like your home address), all the sites insist on making you provision a copy of this data into their profile pages by hand and by value, and insist on thinking they own something truly valuable even after you move and forget to tell them.

In short: To the extent data is volatile, copies of it leak value. If the chain of evidence between its authoritative source and a recipient of data is broken, it quickly becomes value-free. And if the chain of authorization breaks, you’ve got digital shadow cruft. Why oh why can’t we get to a place where, as Scott Cantor put it to me once, identity-aware apps think in terms of data caching rather than data replication?

The Data Portability TOS/EULA work is helping us raise our standards for what true data portability should look like: Open Arms – Ever Fresh – Graceful Exit. OAuth already helps us get a bit beyond disclosure of site terms, closer to a world where users have an active say in what sites do with our stuff. I’m hoping UMA (recent deep-dive Technometria podcast here) can help us go even further because of its notion of user-dictated terms that recipients must meet in order to have the privilege of fresh access.

We’re likely to discuss this topic in the DWB podcast sometime soon, so I hope you’ll give a listen.

In the past week, several people approached me with the idea of incorporating OAuth somehow into the Venn view of identity. Feels like more of that “destiny” Ashish invoked a couple of weeks ago — especially since I had already developed just such a Venn for my XML Summer School talk last week.

My very first Venn of Identity blog post also included a second diagram, covering something like “identity in web services”. It was little-noticed, I think, because the deployment of the more esoteric pieces of WS-* and ID-WSF was pretty low. I’ve been itching to add OAuth to it, given its wildfire-esque spread. Last week gave me my excuse, and with further feedback (thanks Paul and Dom!), I’ve continued to revise it. So here’s a new version for your perusal (click to enlarge).

As with the original version, the relative heights and sizes are significant: they indicate roughly how voluminous, vertically applicable, and far away from “plumbing” each solution gets. (Unlike the original, however, this one seems to give off a Jetsons vibe.)

Some thoughts from space-age 2009:

OAuth is helping many app developers meet their security and access goals with minimal fuss (80/20 point, anyone?), and by providing for user mediation of service permissions, it is easily as “user-centric” as any other technology claiming the title. It’s these lovable qualities that led the ProtectServe/User-Managed Access effort to use OAuth as a substrate.

ID-WSF still provides identity services functionality that nothing else does, and some folks I’ve been talking to lately still chafe at the lack of more widespread support for these features. But obviously it’s still a “rich” solution vs. a “reach” one.

WS-*, ah yes, what to say?… It uniquely solves certain issues, but do all of them really need solving? My Summer School trackmate Paul Downey had some choice words about this, and his WS-TopTrumps class exercise proved that the star in WS-* really does match everything possible — that’s too much. And trackmate Marc Hadley pointed out lots of benefits you get “for free” with a REST approach, which it was hard not to notice when we all chose to design REST interfaces for his class exercise despite having a SOAP option.

To be fair, Paul and Marc and also trackmate Rich Salz — who has an uncanny ability to explain complex security concepts simply — stressed the value of the core pieces for message security if you’re using SOAP. It would be interesting indeed if OAuth, or extensions to it with the same pure-HTTP design center, were to “grow leftward” to accommodate the use cases covered by the WS-*/ID-WSF intersection.

(Anyone think the new REST-* effort will win in this space anytime soon? I’m a bit dubious, myself. Its name sure didn’t inspire any love in our lecture room.)

“You will never be done with the Venn. That’s your destiny. Accept it.”

So said my colleague Ashish recently, as I agonized over some tweaks to the Venn of Identity diagram. The editing started out as a quick fix to the figure that appears in the IEEE Security and Privacy article of the same name; the diagram text was exactly what Drummond and I had specified — but the graphic emerged from the publication process visually “broken”, with no intersection lines.

But of course technologies and understandings and use cases evolve, and it began to seem like a good time to update the text too. What with the new U.S. federal government effort around Open Identity Solutions for Open Government (and PayPal’s involvement in same), I thought maybe I could do a better job of capturing the main strengths OpenID, InfoCard, and SAML bring to today’s table.

In that Zen-like and Concordic spirit, I hereby present a new — date-stamped — version of the Venn (click for the full-size .png):

I hope this new version can continue to support productive discussions that help solve real-world identity problems.

If you’re wondering whether it’s okay to pick up and reuse the diagram — go for it! Just please note the Creative Commons license below. I’ll keep VennOfIdentity.org pointed to the new Venn category on my blog so that people who see propagated copies can keep up with updates if they like.

The Venn of Identity – September 2009 by Eve Maler is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

p.s. Thanks to “W.” of the Tech and Law blog for our great email exchange this week on Venn-shaped matters, which sparked even more edits…

Sometimes you have wonder about “conventional wisdom” (and what makes it different from “actual wisdom”). Until about 40 or so years ago, it was conventional wisdom that you shouldn’t exercise to lose fat because exercise tended to make you more hungry. Then the CW changed to “you must become a hamster on a wheel” — without any evidence to back it up. Now it appears that we may be undergoing a much-needed correction.

I only recently discovered (h/t Pat) a great New York Magazine article from 2007 recounting the state of science in this area, called The Scientist and the Stairmaster. Naturally, it’s by Gary Taubes. (I think I’m going to start calling him The Great Gary Taubes, or TGGT for short, much as I’ve shortened GCBC.) Here’s a snippet, but as always, it’s worth reading the whole thing:

Just last month, the American Heart Association and the American College of Sports Medicine … suggested that 30 minutes of moderate physical activity five days a week is necessary to “promote and maintain health.” What they didn’t say, though, was that more physical activity will lead us to lose weight. Indeed, the best they could say about the relationship between fat and exercise was this: “It is reasonable to assume that persons with relatively high daily energy expenditures would be less likely to gain weight over time, compared with those who have low energy expenditures. So far, data to support this hypothesis are not particularly compelling.” In other words, despite half a century of efforts to prove otherwise, scientists still can’t say that exercise will help keep off the pounds.

And now I notice that Time jumped on the new-CW bandwagon last month with Why Exercise Won’t Make You Thin.

Do I exercise? Well, yeah, but I have to fight the hunger it brings on. I lift weights and such to increase muscle mass, stave off loss of bone density (two decades ago I would have said “build bone density”, sigh), increase my VO2 max, and just generally feel more vital. But I’ve given up on endless medium-intensity cardio to lose weight — because insanity is doing the same thing over and over again and expecting different results.

Speaking of doing the same thing over and over again, what do you suppose that grainy photo at the top represents? In 2006, as part of the XML Summer School events (this year’s School is coming up fast! sign up now!), I had the privilege of going on a special tour of the Oxford Castle, which had recently opened to visitors. It was put to use as a prison for many centuries, and it was nasty in there. The “terrible prison conditions” they talk about on the website included this primitive Stairmaster, with which they’d punish prisoners by making them climb for eight hours a day.

I can take a hint.

The recent Symposium on Usable Privacy and Security, SOUPS 2009, seemed to cover a whole lot of interesting topics. One of these days I hope to attend for real — but failing that, I’m just working my way through the proceedings slowly. One paper, A “Nutrition Label” for Privacy, is especially cool.

The researchers have gotten pretty far down the path of rationalizing website privacy policies into a graphical/tabular form that’s actually enjoyable to use (their word! and they have numbers to back it up!). Whereas such policies in natural-language form are usually wordy, complex, inconsistent, and stubbornly irrelevant to a user’s actual preferences, their proposed label format provably borrows the benefits of real U.S. FDA nutrition labels, such as making a policy more amenable to at-a-glance interpretation, allowing you to compare two policies, and providing visual boundaries for the regulated/trustable portion of what you’re seeing.

The data categories in the label are a very high-level, “cooked” version of what’s in the Platform for Privacy Preferences (P3P) policy system. It’s worthwhile asking if the labels, and even the original sophisticated descriptions of data collection and use that they’re based on, are measuring the right thing. (After all, I have very little confidence that actual FDA Nutrition Facts labels are measuring the right thing.) But the categories they list seem like a pretty good start; “your activity on this site”, for example, turns out to be one of the biggest loopholes in many of today’s prolix-but-slippery privacy policies:

• contact information
• cookies
• demographic information
• financial information
• health information
• preferences
• purchasing information
• social security number & govt ID
• your activity on this site
• your location

Now I’m consumed by the thought of letting a person use this matrix-based approach to configure her ProtectServe-enabled relationship manager, such that any would-be recipient has to meet her privacy terms if they want to get the goods…