Ch-ch-ch-ch-changes

I’ve just made a big change, joining Forrester Research as a Principal Analyst, and this new adventure is sure to be exciting. It’s an honor to join this stellar organization and work with so many talented folks. I’ll be serving security and risk professionals and will focus primarily on identity and access management, so this move feels like a natural outgrowth of work I’ve been involved in for more than ten years now.

My tenure at PayPal was a great learning experience; I’ll never forget my time there, nor the good friends I made. I also managed to learn a few things while “catching up on life” in the few weeks between gigs. Here are some questions folks have been asking me, with answers:

Q: Are you moving back to the east coast?

A: Nope, I’m still based in the Pacific Northwest, but I will likely be out Boston-way somewhat more often. As for other appearances, you’ll definitely be able to find me at Forrester’s IT Forum 2011 in May, and I’ll be figuring out the situation with other events shortly.

Q: Will you continue to blog here?

A: Yes, though the mix of topics will likely change, as I’ll be contributing industry-related posts to the Forrester blog. I’ll post pointers to those here, and my hope is to step up my writing activity on other topics of interest at Pushing String. And I hope you’ll continue to follow my doings at @xmlgrrl (where the #forrester tag will likely make lots of appearances).

Q: What about User-Managed Access and other innovation-oriented work?

A: The plan is for me to continue in my role as “chief UMAnitarian” and to participate in certain other tech leadership activities as time allows. In the last couple of months we’ve gotten a big influx of active UMA contributors, and we’ve had a burst of progress in the last few weeks on defining how to loosely couple “user-centric” policy enforcement points and policy decision points. So I think we’re well on our way to meeting the goals and timing stated in our charter.

Q: So what did you do on your winter vacation?

A: One of my goals was to “learn one big thing”, so I started learning how to play guitar, under the tutelage of my dear old friend Rich. My original use cases were around communicating better with my Mud Junket bandmates who are actual guitarists, but Rich doesn’t fool around: I have to learn good technique and not take any shortcuts. Luckily, the fret-hand callus crop has finally started to come in.

I also read a great book called The Talent Code, which describes what goes on neurologically in people who seem like once-in-a-lifetime geniuses, and discusses how any skill (like guitar-playing!) can be honed more rapidly through “deep practice” that stimulates myelin growth.

With all this plus a healthy dose of R&R, it feels like I’m learning how to learn all over again.

Talking about security that “assumes DNS holds”

In discussions of economics, a predictive statement is often accompanied by the qualifier ceteris paribus, or, roughly, “other things being equal”, in order to compare apples fairly to apples. In discussions of Internet security, more and more I hear, and have occasion to use, a qualifier like “assuming DNS holds”. For a while, I used a stock formulation that went like “assuming DNSSEC or no cache poisoning”.

An awful lot rides on getting to the domain you think you’re getting to; it’s a basic ingredient in many web protocols. It lets you do things like treat unsigned metadata from a known-good domain as sufficient for lightweight use cases. And being clear about this assumption lets you compare solutions on their other merits.

UMAnitarian Joseph Holsten and I tried to cook up a pseudo-Latin equivalent for the economics phrase: ceteris nomina indubia, hoping to translate it roughly to “assuming non-doubtful names”.

But now I realize the first word isn’t right (ceteris is the “other things” part, like in et cetera), and we need something in the vindicatum or sumo category. Or we could just leave that part out, since “ceteris paribus” doesn’t have the “assume” part either. Any Latin scholars want to opine?

By the way, Pushing String has hit its sixth blogiversary. Thanks for sticking around!

Wishing you a happy, healthy, user-managed new year

Thanks to Domenico Catalano (@DomCat) for putting together this lovely and geeky holiday message! And thanks to all the UMAnitarians for their contributions of passion, business problem-solving, and technical know-how to the User-Managed Access work.

The end of 2010 has brought new progress on several fronts. The UMA-friendly Java-based OAuth leeloo implementation was released as open source; we’ve begun solving some hard problems in defining interoperable interfaces between OAuth authorization servers and resource servers; we’ve been teasing out the implications of trusted claims as the basis for user-centric access control; and we saw two significant submissions in response to the UMA validation bounty program. We’re grateful to submitters Cordny Nederkoorn, whose interest in UMA grew as a result of his explorations into cloud identity, and Project hData, a unique and important effort that seeks to make electronic health data amenable to RESTful web app treatment.

We’ve got lots more developments in store for the coming months, and we welcome your involvement. From our Kantara home page you can join the group (no membership fees!), subscribe to our mailing list, and check out the latest news, and don’t forget to follow us on Twitter.

Happy holidays!

The price for free online service, down to the last decimal

I’ve been thinking lately that websites should display a pie chart showing what you’re really paying for “free” online services, just to show that it really does always add up to 100%. Something like this:

Now Drummond points us to the world’s first truly honest privacy policy. A taste:

Remember, when you visit our Web site, our Web site is also visiting you. And we’ve brought a dozen or more friends with us, depending on how many ad networks and third-party data services we use.

Read the whole thing if you want to know exactly how to fit the price into your web-surfing budget.

People and online services: leaving value on the table

The recent Google-Facebook flap demonstrates that the hottest battleground for users’ control of the data they pump into these online services is the sites’ Terms of Service. Why? Because when you’re not a paying customer, you’re not in a hugely strong bargaining position. As I put it to ReadWriteWeb in their piece on data portability implications of the debate: Facebook’s end-users are not its customers; they’re the product. (Or as my Data Without Borders pal Steve Greenberg sometimes puts it, users are crops…getting harvested. Oh dear.)

For all “free” online services, it’s worthwhile to ask: What am I paying instead? If it’s not money, is it attention to ads? …behavioral cues about myself and my preferences? …personally identifiable data? …beta-testing time? …what, exactly? Payment for services rendered isn’t a bad thing. But it’s always something, and you might as well not be a chump.

That’s why I like Frank Catalano’s new TechFlash post viewing personal data sharing through an economic lens and discussing how to barter your data more equitably. Regarding his second point, “hide”: I’d actually be thrilled if more online services that were marketed to individuals offered a premium for-pay option; it would keep out the riff-raff and give people more meaningful control over their relationships with the companies offering the services.

It’s not just individuals who are leaving something on the table, though. I think there’s a big untapped market in selective sharing, which is like “privacy” (poor abused word), without the assumption that minimal disclosure is the be-all and end-all. What would you start sharing with a selective set of people and businesses, if you could have confidence that your expectations around context, control, choice, and respect would be met?

That’s why I think Dave McClure has it right with his notion of intimacy as a market opportunity Facebook currently has no idea how to address. (“maybe I only want to tell a few close buddies about that episode with the VERY BAD bean burrito” — yeah, thanks for keeping this sharing episode VERY selective. :-)

And that’s why I think Esther Dyson doesn’t quite have it right in saying privacy is a marketing problem. Her exhortation to “Know your customer, and talk to that person as an individual, not as someone in a bucket” has a natural barrier: Facebook and others are serving their actual customers very well indeed by, uh, making more product.

And that’s why I think User-Managed Access could help: Becoming paying customers of services that need our data is good. But becoming, in addition, producers of data products as peers in a selective data-sharing network, and dictating our own Terms of Access for getting to them, is even better.

UMA meeting co-located with IIW and other news

Thanks to Phil and Kaliya and the gang, I’m happy to say we’re holding an UMA face-to-face meeting at the Computer History Museum on the Monday just prior to IIW XI (pronounced “yewksie”?).

This follows close on the heels of a face-to-face in Paris at the Kantara conference, so I hope we’ll be able to crank through a lot of work in the next few weeks. What work, you ask? We’re shooting for draft completion of some key items in the upper box shown here (click to get to a full-size site-mapped version on our Working Drafts page):

I’ve already gotten several requests for more info about the IIW meeting. These will be working meetings, not public transfer-of-information workshops, and we always welcome new participation. You can become a participant (voting/frequently attending or non-voting/attend at will, totally up to you) by filling out this form. I’ve put up some very preliminary agendas (Paris, Mtn View); they tend to be responsive to work done in weeks prior, so check back.

(UPDATE: There’s no formal registration process for the IIW meeting as long as you’re already signed up as an UMA participant; just send me an RSVP. Contact info is under my Welcome section in the right sidebar.)

Did you know our Newcastle University UMAnitarians have begun open-sourcing their Java implementation? The first big piece from the SMART Project covers UMA-friendly OAuth 2.0 and has the lovely name leeloo. They promise more to come soon, and I bet we’ll see some swank demos at IIW. Check it out!

Aiming for data usage control

Earlier this week, W3C held a workshop on privacy and data usage control. Among the submitted position papers are quite a few interesting thoughts, and though I couldn’t attend the workshop, it will be good to see the eventual report from it.

I did manage to submit a paper that explores the contributions of User-Managed Access (UMA) to letting people control the usage of their personal data. It was a chance to capture an important part of the philosophy we bring to our work, and the challenges that remain. From the paper’s introduction:

…UMA allows a user to make demands of the requesting side in order to test their suitability for receiving authorization. These demands can include requests for information (such as “Who are you?” or “Are you over 18?”) and promises (such as “Do you agree to these non-disclosure terms?” or “Can you confirm that your privacy and data portability policies match my requirements?”).

The implications of these demands quickly go beyond cryptography and web protocols and into the realm of agreements and liability. UMA values end-user convenience, development simplicity, and web-wide adoption, and therefore it eschews such techniques as DRM. Instead, it puts a premium on user visibility into and control over access criteria and the authorization lifecycle. UMA also seeks at least a minimum level of enforceability of authorization agreements, in order to make the act of granting resource access truly informed, uncoerced, and meaningful. Granting access to data is then no longer a matter of mere passive consent to terms of use. Rather, it becomes a valuable offer of access on user-specified terms, more fully empowering ordinary web users to act as peers in a network that enables selective sharing.

Some of the challenges are technical, some legal, and some related to business incentives. The paper approaches the discussion with what I hope is a sense of realism, along with some justified optimism about near-term possibilities.

(Speaking of which, I like the realism pervading Ben Laurie’s recent criticism of the EFF’s suggested bill of privacy rights for social network users. He cautions them to stay away from implicitly mandating mechanisms like DRM — and, in focusing on broader aims, to be careful what they wish for.)

If you’re so inclined, I hope you’ll check out the paper and the other workshop inputs and outputs.

PayPal X Innovate is around the corner

It’s nearly time for the second annual PayPal X Innovate conference — October 26 and 27 at Moscone Center in SF. The PayPal X developer network has not only the coolest domain known to humankind, but it also hosts the Innovate conference, which is all about making the future of money happen.

Praveen Alavilli has slipped me a great discount code for y’all to use: “LETSINNOVATE” will get you $100 off the registration fee.

Ashish Jain and I will be there talking about identity services progress and plans, and also listening intently: we’d love to talk with online retailers and e-commerce developers about how you see digital identity playing a role in your apps and your payment needs.

Folks from Janrain will also be there, discussing social sign-on trends in retail. They’ve posted an excellent roundup of everything you can hear and experience at Innovate, and they also share some news about the OpenID Foundation’s new Retail Advisory Committee.

See you there!

Personal RFP Model and Information Sharing Report

The Kantara Information Sharing group, led by the intrepid Joe Andrieu and Iain Henderson, has been doing a ton of work to make the business justifications for Vendor Relationship Management scenarios concrete and and the use cases actionable.

The group has two documents out for review, and seeks your input. (I’m really tardy blogging this; comments are due tomorrow, but I’m sure they’d be welcome even coming in a little late…) See Joe’s writeup for document links and descriptions.

Here’s a taste of the pRFP document:

Sally uses a Personal Request for Proposal (pRFP) to solicit offers for, negotiate, and purchase a new car through the MyPal pRFP Broker. She has previously researched her options and made up her mind about the kind of car she wants to buy. She has also secured financing and credentials asserting that fact. Sally’s information is maintained in a personal data store which provides it on demand for use by service providers and vendors. On the Vendor side, Frank at Chryota of London responds to Sally’s Personal RFP (pRFP), using a hands‐on approach that integrates CoL’s CRM system, MyPal, and Chryota Manufacturing’s CRM program HEARING AID, which is managed by Jimmy.

The Info Sharing Report is interesting too, but in a totally different way; it’s chock full of interesting statistics and trends around the cost of acquiring customers and the privacy pitfalls of the current ecosystem.

Check ‘em out, and send in your thoughts.

Identity tweetup at OASIS conference next week

Ian Glazer and I were planning a get-together next week at the OASIS Identity Management conference in D.C., and he suggested we make it a tweetup (bona fides established here). So if you’re in town because of the conference, or just…around, join us at Buffalo Billiards next Monday at 6ish.

The agenda looks solid, and since it’s arranged in a single track, should get some intensity going. I’m looking forward to participating in the privacy/identity/cloud computing session led by Jim Harper on Monday.

The conference hashtag is #oasisidm (RSS). If you can’t make it out, you can at least follow the fun from home.

(For all pool hustlers flying in, remember: cue sticks are prohibited items…)