Archive for August, 2009

Privacy nutrition labels

The recent Symposium on Usable Privacy and Security, SOUPS 2009, seemed to cover a whole lot of interesting topics. One of these days I hope to attend for real — but failing that, I’m just working my way through the proceedings slowly. One paper, A “Nutrition Label” for Privacy, is especially cool.

The researchers have gotten pretty far down the path of rationalizing website privacy policies into a graphical/tabular form that’s actually enjoyable to use (their word! and they have numbers to back it up!). Whereas such policies in natural-language form are usually wordy, complex, inconsistent, and stubbornly irrelevant to a user’s actual preferences, their proposed label format provably borrows the benefits of real U.S. FDA nutrition labels, such as making a policy more amenable to at-a-glance interpretation, allowing you to compare two policies, and providing visual boundaries for the regulated/trustable portion of what you’re seeing.

The data categories in the label are a very high-level, “cooked” version of what’s in the Platform for Privacy Preferences (P3P) policy system. It’s worthwhile asking if the labels, and even the original sophisticated descriptions of data collection and use that they’re based on, are measuring the right thing. (After all, I have very little confidence that actual FDA Nutrition Facts labels are measuring the right thing.) But the categories they list seem like a pretty good start; “your activity on this site”, for example, turns out to be one of the biggest loopholes in many of today’s prolix-but-slippery privacy policies:

  • contact information
  • cookies
  • demographic information
  • financial information
  • health information
  • preferences
  • purchasing information
  • social security number & govt ID
  • your activity on this site
  • your location

Now I’m consumed by the thought of letting a person use this matrix-based approach to configure her ProtectServe-enabled relationship manager, such that any would-be recipient has to meet her privacy terms if they want to get the goods…


Making change

So last week I made a big transition, joining Andrew Nash’s identity services team at PayPal. (And I kind of told Twitter about it before I told y’all. Sorry about that; it’s the nature of the communications beast.) Working with Andrew, Ashish, and other great folks at PayPal is going to be a blast. And it’s an especially interesting time to shift from a technology-stack-providing world to a consumer-facing one.

Being with Sun Microsystems for ten years was an honor and a pleasure; I got to work closely with some of the most talented and interesting folks in the business. And during that time my experiences helped me layer new personae onto “old SGMLer”: “XMLgrrl”, “the SAML lady”, and even, ahem, “the queen of Venn”.

You’ll still find me involved in some familiar activities — for example, I remain involved in ProtectServe and User-Managed Access efforts, and I hope to keep up my fledgling Tek-Tips video-blogging series on identity and the cloud (#1 on the relevance of federated identity to cloud computing, #2 on the challenges of passwords for authenticating to cloud services).

Thanks for continuing to witness my pushing of string over here. I plan to continue blogging my thoughts on matters of identity, security, privacy, and trust (and occasionally nutrition, music, and knitting…), and look forward to your feedback. You can find fresh contact and bio information on my welcome page; drop me a note anytime.


Chocolate Frosted Sugar Bombs

“But what do you eat for breakfast?”

That’s the first question everyone asks when we get to talking about low-carb eating. Admittedly, it took me a while to figure out what to do. The obvious answer, eggs, can take time if you don’t plan ahead. So here’s what I really do eat for breakfast, in case you want to try the low-carb way and you’re looking for ideas.

Breakfasts That Only Seem Carby

(Hey, if Tim can toast-blog, why can’t I?)

Almost every morning I have Oroweat Whole Wheat Light bread, toasted, with plenty of good-quality butter and sometimes a bit of low-carb jam (any flavor of Hero Sugar Free Preserves is my favorite). When traveling to destinations with toasters I usually bring some Oroweat along.

The Pacific Northwest bakery Franz also has a Net 4 line that’s low-carb. Good, if a bit sour-tasting, and tends to go off faster for some reason.

Favorite bread: Carb Krunchers Rye, bought online and kept in the freezer. It actually says “rye” with quotes on the package; it’s not real, but its caraway seeds have a magical ability to transport me into rye-land.

Next bread I’m going to try: Julian Bakery’s Smart Carb #1.

I owe Joe Andrieu big-time for introducing me to a granola product called Flax-Z-Snax. Follow this link to get it straight from the source and save money. This stuff tastes so good you’ll be tempted to overdo it. It’s good plain or with a splash of half-and-half or Calorie Countdown milk, but amazing with Dannon Light ‘n’ Fit low-carb vanilla yogurt. I’m always worried these latter two products will be discontinued; you have to hunt for the supermarkets that carry them. I’ve also tried and liked Dixie Carb Counters granola (and appreciate that it’s a lot harder to overconsume).

Breakfasts That Don’t Look Carby in the Least

Favorite: There’s an Original Pancake House within walking distance of my house. Why make eggs when you can get someone else to cook them? Their huge fluffy five-egg omelettes are awesome, especially stuffed with cheese, onion, and bacon. (Great for lunch too.) I can only ever eat about half, and take the rest home.

Weekends: Eli makes a mean cheesy scramble (scrambled eggs with cheese, onion powder, and half-and-half). By the way, real cream is much yummier in morning coffee than milk is. I prefer a scant tablespoon, or what my sister refers to as “a molecule”.

Making ahead: Speaking of my sis, she worked up this recipe for no-crust mini-quiche muffins:

[Image: quiche-muffins]

Preheat oven to 350°F.
Quantities only seem important with the eggs and cream; otherwise load it up and have fun!

  • Red onions chopped
  • Red peppers chopped
  • Scallions chopped
  • Diced ham
  • 2 cups shredded cheddar cheese
  • 6 eggs
  • 3/4 cup half-and-half or heavy cream [the latter is less watery]
  • Salt
  • Pepper
  • Pinch of garlic powder
  • 7 or 8 shakes of hot sauce

Sauté onions and peppers till soft.
Mix all ingredients.
Spray muffin tin with cooking spray.
[I load the lumpy ingredients before pouring the egg mixture on top.]
Bake for 40 minutes or until golden brown.
Eat and enjoy!

Hybrid Breakfasts

Eli may specialize in cheesy scrambles, but I specialize in the Sunday morning egg sandwich. Two eggs fried over medium, some good cheddar, pre-toasted and buttered low-carb bread, the whole thing assembled and grilled — and served with low-carb strawberry jam. It’s got to be strawberry; this is tradition. (Forgive its tar-like appearance in the picture.)

[Image: egg-sandwich]

Breakfast in the Before-Time

The one supermarket aisle I still swoon over is the one with all the breakfast cereal. I had a bowl of cereal (or two, once the insulin resistance kicked in) nearly every day of my life until 2004. I had Kellogg’s Sugar Frosted Flakes — yes, they still proudly had “Sugar” in the name back then — right through high school. In college it was Grape-Nuts with honey, sometimes microwaved. Later, I got sophisticated (what with the Bread & Circus stores all around) and went the granola-with-yogurt route.

The most counterintuitive part about starting a low-carb routine is staring at a plate of eggs and bacon and wondering: Can this be right? Review the facts, and you’ll conclude it’s the rare cereal that’s “part of a balanced breakfast”.


Concordia workshop: the secret word is authz

Dave Kearns asks, I deliver — in two parts (so far)…

Concordia workshop report

Monday’s Concordia workshop at Catalyst was a surprise and a delight. We tried to make it a more interactive and intimate experience than the mega-carnivals we do at RSA: check. We set up a theme — identity in Enterprise 2.0 — and hoped for a bunch of interesting use-case submissions to tee up the subject: check. We worried that the diverse agenda would hang together: we needn’t have. A leitmotif emerged pretty quickly: authorization.

A crack team of volunteer tweeters, led by Brett McDowell (in English; I helped!) and Tatsuo Kudo (in Japanese), helped keep the outside world connected to our discussions (searching #catalyst09 concordia gives you an accessible sampling, but looking for tweets on July 27 for just #catalyst09 will give a more complete listing).

All presentations and original sources are now linked from the workshop agenda, and I strongly encourage you to check out this rich material. Attendees were enthusiastic about the new XACML profile work and our Burton speakers’ thoughts on the complexity of social networking in enterprise settings (thanks again to Mike Gotta and Alice Wang for presenting some exciting/scary scenarios, and to Burton as a whole for continuing to support our Concordic efforts). And people had lots of useful feedback on the Levels of Assurance survey idea we’ve been hammering on for a couple of months now — basically, we think we’re going to start with in-depth interviews instead, since all our questions are open-ended and lead to more questions.

If you want to help us figure all this out going forward — including possibly contributing multi-technology authorization use cases for future interop experimentation — don’t forget to join Concordia in its new guise as a Kantara discussion group! Here are simple instructions.

ProtectServe and UMA deeper dive

At the workshop I had a great opportunity, given that my User-Managed Access group is just spinning up, to do a quick overview of the ProtectServe work that has inspired UMA and to review some alternative “use-case topologies” that could satisfy a single generic scenario in different ways. Srijith Nair et al. of BT submitted an interesting ProtectServe use-case document, and in my workshop presentation I walked through some of the implications.

The scenario I highlighted is about an employer and an employee, and the fact that both might want to impose their own constraints on the sharing of the same piece of information. Examples of pieces of information your employer holds that you might need to share (the Liberty ID-SIS employee profile spec might suggest more):

  • Employment status (often needed when you apply for a loan)
  • U.S. Internal Revenue Service W-4 (tax withholding) form details (handy for sharing with accountants and investment planners)

I (sort of ab)used the Scrum concept by formulating the following “user stories” that capture what’s special about the need:

  • As an employee, I want to audit and control the further dissemination of information my employer must know about me as a condition of employment.
  • As an employer, I want to adhere to laws and best practices regulating my sharing of information about my employee.

Three obvious ProtectServe entity topologies present themselves, each with a different sweet spot:

[Figure: employer-1]
#1: Employer as authorization manager and service provider

This topology preserves an explicit place for the employer to apply its own sharing policies — the authorization manager (and enclosing relationship management app) that it hosts itself. However, I think this is probably a “legacy” solution because it forces the employee to seek out other relationship managers in the outside world where they’re just an individual rather than an employee, and I can’t think of very good reasons for the employer to host this AM/RM other than corporate inertia (admittedly, a force to be reckoned with). Maybe I’m wrong, though, and a good reason will emerge.

[Figure: employer-2]
#2: Employer as service provider

For information for which the employer is authoritative (“Is this person employed here?”), it should host a service provider willing to attest to this on request (in accordance with the instructions issued by the employee’s personal AM). If the employer doesn’t want to release the data even though the employee is cool with the sharing, it could use existing access control mechanisms that are out of band with respect to ProtectServe, perhaps only surfacing a response code that reflects its refusal. (Ah, there’s a potential requirement for the UMA work if this use case is accepted by the group.)
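To make the two layers of control in topology #2 concrete, here is an added sketch (not ProtectServe or UMA code, and not from the original post) of an employer-hosted service provider that first asks the employee’s personal AM and then applies its own out-of-band policy. All class names, outcome codes, and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical outcome codes; the post does not define any.
GRANTED = "granted"
DENIED_BY_USER = "denied_by_user_policy"
REFUSED_BY_HOST = "refused_by_host_policy"


@dataclass
class AuthorizationManager:
    """The employee's personal AM: her sharing policy plus an audit trail."""
    grants: set                       # (resource, requester) pairs she allows
    audit: list = field(default_factory=list)

    def decide(self, resource, requester):
        allowed = (resource, requester) in self.grants
        # Every attempt is recorded, so the employee can audit dissemination.
        self.audit.append((resource, requester, allowed))
        return allowed


@dataclass
class EmployerSP:
    """The employer's service provider, authoritative for the data it hosts."""
    am: AuthorizationManager
    records: dict                     # resource -> value
    blocked_requesters: set           # employer's own, out-of-band access control

    def handle(self, resource, requester):
        # 1. Consult the employee's AM first; default is deny.
        if not self.am.decide(resource, requester):
            return DENIED_BY_USER, None
        # 2. The employer may still refuse; only a code is surfaced, not the reason.
        if requester in self.blocked_requesters:
            return REFUSED_BY_HOST, None
        return GRANTED, self.records.get(resource)


def demo():
    # Constructed sample policy and data.
    am = AuthorizationManager(grants={("employment_status", "loan-officer"),
                                      ("employment_status", "recruiter")})
    sp = EmployerSP(am, {"employment_status": "employed", "w4": "(constructed)"},
                    blocked_requesters={"recruiter"})
    results = [sp.handle("employment_status", "loan-officer"),
               sp.handle("employment_status", "recruiter"),
               sp.handle("w4", "loan-officer")]
    return results, am.audit
```

Because the AM is consulted before the employer’s own check, the employee’s audit trail records the recruiter request as allowed by her even though the employer refused it.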

[Figure: employer-3]
#3: Employer as consumer

For information that the employee already self-asserts to the employer (“What is the employee’s home address of record?”), why can’t the employer consume this data in the same way some other “vendor” (online service) on the open Internet could? If the employee moves, a number of workflow actions have to unroll on the employer’s side as they would have anyway (in the U.S., moving to a different state might involve withholding a different amount of state income tax), but this is already handled in existing systems when the employee provisions the new information into employee portal apps by hand. An on-board “personal datastore” service provider is shown here as being hosted out of the same relationship manager app as the user’s chosen AM, but the SP could just as easily have been hosted remotely somewhere.

If you have thoughts on this, either about the problem space or the solution space, please consider joining the UMA group and helping out!
