The Economist has a thoughtful article called The Data Deluge on the benefits, and the privacy risks, of making better use of the torrent of data (it mostly focuses on, but doesn’t ever say, “personal” data) being generated in all kinds of business and marketplace endeavors. My favorite part, ’cause I share this assumption with the author:

The best way to deal with these drawbacks of the data deluge is, paradoxically, to make more data available in the right way, by requiring greater transparency in several areas. First, users should be given greater access to and control over the information held about them, including whom it is shared with.

This article makes a great companion to this meaty blog post by Iain Henderson laying out a serious vision for the notion of a personal datastore as a personal data warehouse. Iain knows whereof he speaks; he’s been in the CRM business a long time, and runs the Kantara InfoSharing work group (along with Joe Andrieu, another thoughtful guy who’s passionate about this stuff). I’m lucky to have both of them on my entirely complementary User-Managed Access group, UMA serving as a technological match for InfoSharing use cases.

I tried to add a comment to the Economist article about an aspect it didn’t cover: the quality of the personal data that’s floating around. Either this commenting effort completely failed, or in the fullness of time three copies of the same comment will appear — sigh. In the spirit of using this blog as my pensieve, here’s the main bit:

Privacy is not secrecy (says digital identity analyst Bob Blakley). It is context, control, choice, and respect. Ideal levels of personal data sharing may actually be higher in total than now — but more selective. And they won’t be interesting to people without offering convenience at the same time.

Wouldn’t it be great to get out of the defensive crouch of “never without my permission” and turn it into “with my permission, sure, why not, it’ll help me just as much as it will help you”?

(Any bets on whether I told the truth and nothing but the truth when I registered at the Economist site?)

This lecture is really better described as a call to action with biochemistry diagrams. Lustig argues that fructose is an evil that’s been behind the rise in obesity and metabolic syndrome of the last few decades; that soda, juice, and sports drinks loaded with sucrose or HFCS are the single biggest factor in childhood obesity (his specialty); and that we had better start treating fructose as the chronic hepatotoxin it is and stay the heck away from it. I agree.

The lecture series is called Current Controversies in Nutrition: Letting Science Be the Guide. Well, yeah — what other guide have they been using all this time, for goodness’ sake? You know, I started my carbgrrl.com series admitting a worry about looking like a loon…no more. Richard Nikoley, primal blogger extraordinaire, often talks about Modern Ignorance and the ways in which supposed experts tie themselves in knots because of broken preconceptions about stuff we used to understand instinctively. (Richard blogged this lecture, and also another I’ll touch on here sometime soon…) It sure looks like Lustig is emerging from a cave of institutional ignorance, blinking — and pissed off. Good.

Lustig’s obsession with fructose probably doesn’t give an accurate picture of all the factors in play. He seems to think glucose is just fine to consume in whatever quantity — it’s the “energy of life”, he says (around 1:26:00) — and so I suspect he’s misguided about the evils of spiking one’s insulin over and over, in addition to spiking one’s triglycerides. Remember that the glucose that feeds our brains and bodies can be made from practically any old thing lying around, as I’ve discussed before. And in GCBC, (The Great) Gary Taubes discusses the pernicious effects of eating fructose and glucose in combination:

Because sucrose and high-fructose corn syrup (HFCS-55) are both effectively half glucose and half fructose, they offer the worst of both sugars. The fructose will stimulate the liver to produce triglycerides, while the glucose will stimulate insulin secretion. And the glucose-induced insulin response in turn will prompt the liver to secrete even more triglycerides than it would from the fructose alone, while the insulin will also elevate blood pressure apart from the effect of fructose. [GCBC, Ch. 12, p. 201]

I have a couple of other quibbles (I’m not sure Lustig’s lust for fiber is entirely warranted), but it’s absolutely worth watching if you care about this stuff.

• Helping the Concordia group understand your needs for confidence in outsourced identity data and your business and technical drivers for authorization, to inform future harmonization work in these areas — the surveys should take you only a few minutes

• Joining the User-Managed Access webinar on January 29 to learn about UMA benefits, progress to date, and next steps — register early, as there’s an attendance limit

(I will not say “Join the conversation”, I will not say “Join the conversation”, I will not say “Join the conversation”…)

A lot of the conversation to date has revolved around NIST Special Publication 800-63 (newer draft version here) and its global cousins, which boil down assurance into four levels — hence all the loose talk of LOA (for “level of assurance” or sometimes AL for “assurance level”), even when people aren’t focusing on specific levels or even systems of assurance numbering. NIST 800-63 is intended to answer the use cases defined in OMB Memo 04-04, which deals with making sure users of the U.S. Federal government’s online systems are who they purport to be. Here’s an example given in OMB M-04-04 for one particular need for level 3 assurance:

A First Responder accesses a disaster management reporting website to report an incident, share operational information, and coordinate response activities.

And here’s how NIST 800-63 defines assurance (I’m quoting the Dec 2008 draft here; strangely, the official Apr 2006 version doesn’t include a formal definition):

In the context of OMB M-04-04 and this document, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

So there’s an identity proofing component at registration time that nails down the precise real-world human being being referred to, and there’s a security/protocol soundness/authentication component at run time that establishes that the credential is being waved around legitimately. These get added up into four levels defined roughly like this (leaving aside the security and protocol soundness factors):

(Here, “same unique user” means that the same user can be correlated by the RP across sessions. And “verified name provided” means that the user’s real-world name is exposed to the RP, versus some sort of pseudonym; level 1, where no proofing is done, is implicitly pseudonymous, while level 2 offers a choice.)

I don’t mean at all to criticize this rolled-up four-level approach. It seems to have met the needs set out in M-04-04, and it predated both the “user-centric” movement (Dale Olds has a nice rundown of its use cases here) and truly modern notions of online privacy.

But I think we need more clarity about assurance use cases and terminology, for two reasons: One is to help ensure that identity providers can give RPs what they need, rather than what might just be a poor approximation based on NIST 800-63’s fame. The other is to help ensure that IdPs give RPs only what they need, since more assurance is likely to involve more personal information exposure.

To that end, let me explain some assurance use case buckets I’m seeing in the wild, and their relationship to the NIST requirements and each other. First, here are some use case buckets hiding in plain sight in the NIST levels:

Simple cross-session correlation: While NIST 800-63 doesn’t formally include “same unique user” as a goal, it’s in there:

Level 1 – Although there is no identity proofing requirement at this level, the authentication mechanism provides some assurance that the same claimant is accessing the protected transaction or data.

Funnily enough, cross-session correlation (without the baggage of proofing) is a key requirement of many enterprise and Web federated identity interactions. Lots of sites don’t need or want to know you’re a dog; they just need to know you’re the same dog as last time. This way, they can authorize various kinds of ongoing access and give you something of a personalized experience across sessions. Though NIST treats this as an also-ran and couples it with weak authentication in level 1, other use cases may have reason to match up “mere correlation” with higher authentication.

Identity proofability: If an RP can trust that it’s dealing with a human being who has some level of serious representation in civil society, it’s a powerful kind of assurance for lots of purposes. More about this below.

Real-world identity mapping: When level 3 or 4, or verified-name level 2, is used, this means a user’s real name is used to build up the unique identifier that the RP sees, and this verified name leaks PII like crazy, even if it’s not itself unique. (As far as I know, I’m the only Eve Maler out there…) This is strong stuff, and in a modern federated identity environment, it is to be hoped that most RPs simply don’t need this information. (John Bradley — that is, the John Bradley who works with the U.S. government on its ICAM Open Identity Solutions program — tells me he believes pseudonyms should be an acceptable choice all up and down the four levels, indicating that this use case bucket is fairly rare.)

Now things get really interesting, because there are other use case buckets that you can sort of see in this matrix if you squint, but really they’re just different:

Anonymous authorization/personalization: This is the flip side of cross-session correlation. OMB M-04-04 talks about “attribute authentication” and the potential for user attributes to serve as “anonymous credentials” (where an RP simply can’t know if this is the same unique user coming back but can still base its authorization decisions and personalization actions on the veracity of the attributes it’s getting). The attributes in question can range from “this user is over 18″ to “this user is a student at University ABC” to “this user is of nationality XYZ”.

Ultimately M-04-04 puts the whole area of attribute authentication firmly out of scope, but lots of folks have been picking at the general problem of attribute assurance in the last several months — like Internet2 in its Tao of Attributes workshop, and the Concordia group in a forthcoming survey (stay tuned for more on that).

This bucket often requires being able to check who issued some assertion or claim, and considering whether they’re properly authoritative for that kind of info. The way I think about this is: Who has the least incentive to lie? That’s why you can be said to be truly authoritative for self-asserted preferences such as “aisle vs. window”. Any other way lies madness (“What is your favorite color?” “Blue. No yel– Auuuuuuuugh!”).

Of course, there are cases where an RP really does need attribute assurance along with other kinds, like correlation or identity mapping. And don’t forget that it takes precious little in the way of personal information for an RP to figure out “who you really are” anyway. (Check out this cool Tao of Attributes diagram, which touches on all these points.)

Financial engagement: Sometimes an RP just just wants some assurance they’re dealing with someone who has sufficient ties to the world’s legitimate financial systems not to screw them over entirely. It turns out that identity proofability can often be a serviceable proxy for this kind of confidence. (Financial account numbers are one kind of proofing documentation in NIST 800-63.) And the reverse is also true: financial engagement can sometimes give a modicum of confidence in identity proofability.

Interestingly, this bucket can be useful even without any of the other kinds, partly because the parties can lean on a mature parallel financial system instead of just lobbing identifiers and attributes all over the place. For example, users often “self-assert” credit card numbers (which RPs then validate out of band with the card issuer), or use third-party payment services like PayPal (where the service provider does a lot of the risk-calculation heavy lifting).

No doubt there are other assurance use cases. Understanding them more deeply can, I think, help us get better at sharing the truth and nothing but the truth about people online — without having to expose the whole truth.

(Thanks to John Bradley, Jeff Hodges, and Andrew Nash for comments on early drafts of this post. And check out Paul Madsen’s many excellent commentaries on assurance matters.)

While it’s true that Twitter has absorbed some of my blogging rays, I do have a post-of-substance in the works that I hope to share with you before the year is out. But I didn’t want to let this occasion* pass without a thank-you to my readers here on xmlgrrl.com (also known as carbgrrl.com and vennofidentity.org).

So, here goes: Mahalo nui loa!

*Hey, maybe this is another opportunity for a custom Paul-designed card…

I hope you’ll stick with me for this rather technically dense post. As always, I will gladly accept all error corrections and pointers to research that disputes or usefully refines the information below.

Regurgitating (sorry) Part 1

As we join our story already in progress, we recall that the 1976 article “The Physiological Psychology of Hunger: A Physiological Perspective” made the following points in reviewing energy metabolism:

• The various parts of the body are largely source-agnostic when it comes to getting energy from the diet: carbs, fat, and protein are broken down into their constituent parts and used all over the place. (A couple of small exceptions become important later on.)

• The brain is always fed first and steadily; you’d pretty much have to be on a desert island surrounded by a fishless sea for many days before making a dent in your brain’s energy supply. And in fact, all your tissues get an adequate supply pretty much all the time, despite the fact that you don’t graze constantly.

A few cautions before we proceed: First, we’re talking physiological hunger here, not emotional bingeing, or missing lunch because you’ve got a deadline. Second, the research used to support the discussion in the article is mostly about laboratory rats. There are precise parallels when it comes to energy metabolism among the higher mammals, however, so don’t be offended if I use the word “you” below…

Hunger Hypotheses on the (Dinner) Table

The Friedman-Stricker article addresses two popular hypotheses for explaining what triggers hunger. They both posit a special role for the central nervous system:

• The glucostatic hypothesis: The brain responds to blood-borne signals about your level of blood sugar, making you eat when it dips (mmm, dip) and lay off the food when it’s sufficiently high.

• The lipostatic hypothesis: The brain responds, instead, to signals about your level of body fat. You could think of this as a “fat set point”.

Ultimately the authors present an alternative view, which I’ll get to in due time.

“Brain and Brain. What is Brain?”*

Much of the research examined in the article involves making lesions in the brains of rats, specifically damaging either the ventromedial hypothalamus (VMH) or the lateral hypothalamus (LH), and seeing what happens to weight, hunger, and feeding in various conditions (like shaving their fur off to make them cold, or even administering the dreaded “tail pinch”). A moment of silence, please, for these poor rats.

ernestfigueras / CC BY-SA 2.0

In general, it’s known that VMH lesions stimulate hunger and lead to weight gain, and LH lesions do the reverse. This is called the “dual hypothalamic model” (and initially led to speculations that the VMH is the “satiety center” and the LH the “hunger center” of the brain, but things got a little more sophisticated in the next iteration). Here’s how the two hypotheses predict these effects.

• Glucostatic: There are “glucoreceptors” located in the VMH, and they detect when blood sugar is low or when available blood sugar isn’t getting properly used.

• Lipostatic: Damaging the VMH either messes with a brain “hunger center”, taking off its controls and making you way hungrier than normal, or it turns up the dial on your “fat set point” so that you feel compelled to meet the higher requirement.

A Taste of the Arguments Against

The gross effects of messing with rat brains do seem generally supportive of one of these choices. But dig a little deeper (no, not murine-cerebrally) and the evidence doesn’t look as great. The article goes into a lot of technical depth; here is my best attempt at a summary of the “con” positions.

Glucostatic:

The idea that there are glucoreceptors in the VMH was already weakening at the time the article was written. For starters, originally it was noticed that small dips in blood sugar are indeed associated with hunger, so this formed the core of the hypothesis. But since diabetes involves both higher blood sugar and greater hunger, the hypothesis had to be refined to say that the brain is suffering from less-efficient use of the blood sugar you’ve got. However, it turns out this refinement doesn’t help; more on this below.

In addition, feeding behavior in the presence of lesions, lab conditions such as excess cold, and treatment with substances like insulin tends to float in surprising directions.

Finally, as Taubes adds in GCBC, this hypothesis doesn’t explain things like weight gain back to normal levels after an illness.

Lipostatic:

It’s a funny thing: Rats with VMH lesions add body fat even before they begin eating, even if they’re prevented from eating for many hours. So if the rats’ brains are telling them to eat, the eating doesn’t seem to be the first effect in line. And it’s known that the lesion immediately causes higher levels of circulating insulin (geez, why didn’t they say so before?), with effects similar to seasonal obesity in animals who migrate or hibernate (and, hmm, similar to other effects I’ve discussed in the past).

And in any case, positing a lipostat in the brain simply doesn’t get you very far. In particular, Taubes notes, it doesn’t explain why the very obese have an elevated set point. It’s all a bit circular:

Saying that we’re all endowed with a lipostat that monitors our adiposity and then regulates hunger appropriately is just another way of saying that our weight remains remarkably stable, whether we’re lean or obese, and then assigning the cause to a mysterious mechanism in the brain whose function is to achieve this stability. [GCBC p. 428]

Sugar Sugar, Ah, Honey Honey

It’s worth looking more closely at the diabetes problem for the glucostatic hypothesis. It reveals a metabolic story that goes way beyond a simple blood sugar level.

Diabetes kind of looks like starvation. The body madly breaks down fat into ketone bodies (ketogenesis) for use in the periphery of the body, since those parts need insulin to make use of the glucose and there isn’t any to be had. But the body also madly makes new glucose (gluconeogenesis). The brain must think it’s in heaven since it actually gets plenty of that fine, fine stuff, but the rest of the body is out of luck — unless it can get more of the stuff it can actually use:

[T]he fat content of the usual laboratory diet can be viewed as “diluted” with carbohydrate, material of little metabolic significance during diabetes. The hyperphagia [extra feeding] of diabetic animals thus resembles the increased feeding that occurs in intact rats when food is diluted with nonnutritive bulk and may result because the decrease in utilizable metabolic fuels in the diet reduces the diet’s capacity to satiate the animal. …. [D]iabetic animals maintained on a high-fat diet do not display hyperphagia despite continued impairments in glucose utilization. [TPPH:APP p. 418; citations elided; bold added]

So even the more modern version of the glucostatic hypothesis of hunger seems off.

The Mind-Body Connection

But wait, there’s more to the “con” position. The very assumption that the hunger trigger originates in the brain is suspect. All this nasty work to produce weight gain etc. in lab animals is highly unusual; as already noted, the brain lives in an energy bubble and never wants for anything whether you’re feeling peckish or not.

There’s another candidate — an organ on the periphery of the body that (a) already orchestrates fat-burning and other energy processes in our bodies and (b) is unique among its surrounding organs in that it can’t process ketone bodies but can handle fructose:

[I]t is not likely that pronounced decreases in cerebral glycolysis [energy usage in the brain] ever occur except under nonphysiological experimental conditions [rat abuse], because the brain is normally protected from such emergencies. …. Our recent findings that insulin-induced feeding is abolished by infusions of fructose, but not ketone bodies, strongly implicate the liver as the origin of the hunger signal. [TPPH:APP p. 422; citations elided]

Yep, if you inject ketone bodies directly into an insulin-treated rat’s bloodstream, the rat still wants to raid the fridge — and it appears to be because its little liver is still starving.

The Friedman-Stricker article discusses a particular event in the liver that could trigger the hunger signal: a shift away from “oxidative metabolism” (the Krebs cycle for making energy out of anything) to direct production of glucose and ketone bodies (gluconeogenesis and ketogenesis — remember these from “diabetes is like starvation” above?). This seems to be the initial sign that your body is starting to “run on fumes” and needs to fill the tank again.

(The authors have continued to push the ball forward; here’s one sample of recent research to determine how the liver signals the brain that eating would be a good idea right about now.)

Occam’s Razor

So after trying really really hard, scientists couldn’t quite put their finger on an actual brain center that controls levels of fat or blood sugar. And brains don’t ever want for anything, but sometimes livers do. And the totality of the energy metabolism story, not just one substance or another, is on display when each hypothesis is examined.

The simplest explanation for hunger and weight-balancing would be a homeostatic system, like so many others in the body. Taubes notes, “Life is dependent on homeostatic systems that exhibit the same relative constancy as body weight, and none of them require a set point, like the temperature setting on a thermostat, to do so.” [GCBC pp. 428]

And indeed, Friedman and Stricker show that the caloric homeostasis hypothesis fits the facts much more closely than do the others: Hunger returns when the total utilizable fuel level in your body, rather than a store of a particular kind of energy, drops below some critical level. After all, brains and bodies generally don’t distinguish between energy sources. And more insulin stimulates more frequent meals, while less insulin allows body fat to be mobilized, which appears to stave off hunger.

(If you’re a regular carbgrrl.com reader, you might think this is a blinding flash of the obvious. Please tell the diet industry.)

Taking pity if you’ve gotten this far, I’ll spare you the dry conclusion from the Friedman-Stricker article and let Taubes bring it home:

This hypothesis of eating behavior did away with set points and lipostats and relied instead on the physiological notion of hunger as a response to the availability of internal fuels and to the hormonal mechanisms of fuel partitioning. Hunger and satiety are manifestations of metabolic needs and physiological conditions at the cellular level, and so they’re driven by the body, no matter how much we like to think it’s our brains that are in control. [GCBC pp. 432-3]

Luckily, we can use our brains to understand this mechanism better — and turn it to our advantage.

The proposition still centers on helping individuals gain better control of their data-sharing online, along with making it easier for identity-related data to live where it properly should — rather than being copied all over the place so that all the accuracy and freshness leaks out.

On our wiki you’ll now find a fledgling spec that profiles OAuth and its emerging discovery mechanisms XRD and LRDD. We’re also starting to collect a nice little bunch of diagrams and such, to help people understand what we’re up to. Click on the authorization flowchart to get to our “UMA Explained” area:

Thanks to the Kantara Initiative participation rules, it’s easy and free to join the UMA group. If you’re interested to contribute use cases or thoughts on design or implementation talents, consider coming on board.

Yes, popcorn is deliciously seductive. Yes, it’s bad for you to eat a medium-sized popcorn/soda combo (“Movie Popcorn Has Shocking Calories, Fat”). But there’s no actual evidence to suggest that the “12 pats of butter” in it is the reason.

From (The Great) Gary Taubes’s GCBC:

In the mid-1970s …, [Ethan] Sims and [Elliot] Danforth [of the University of Vermont] believed that obesity was most likely caused by chronically elevated levels of insulin, and that the elevated levels of insulin were likely the product of carbohydrate-rich diets. In the 1980s, their opinions changed and fell into step with the prevailing consensus on the evils of dietary fat. ….

One potentially relevant observation that Sims and his colleagues neglected to publish, for example, was that it seemed impossible to fatten up their subjects on high-fat, high-protein diets, in which the food to be eaten in excess was meat. …. [T]he volunteers would sit staring at “plates of pork chops a mile high,” and they would refuse to eat enough of this meat to constitute the excess thousand calories a day that the Vermont investigators were asking of them. ….

Those fattening upon both carbohydrates and fat, on the other hand, easily added two thousand calories a day to their typical diet. Indeed, subjects in some of his studies … [took] as much as ten thousand calories a day. [GCBC pp. 310-1; bold added]

Well. Doesn’t that put a different spin on things?

We could practically make popcorn-eating a medical test. If it makes you hungrier rather than full, you’re courting trouble. And if you promise you won’t touch the stuff but you end up eating three-quarters of the bag your husband bought for himself (ahem), you’re in serious scrawny-pancreas territory.

Steve was passionate in describing this work. I think he’s right when he says that you first have to ensure that people are aware of a site’s terms of service; disclosing them in a form human beings can grok (à la Creative Commons or the nutrition label approach I wrote about here) can begin to empower humans to change things if they so desire, using a variety of means.

At one point we talked about the Archive Team project run by Jason Scott, which I think of as “data portability of last resort”. These folks are like digital historian ninjas who swoop in to save data that might otherwise be lost forever — like everything on GeoCities.

The thing is, website-sanctioned bulk import and export of data isn’t all that huge an improvement on this kind of rescue operation. True data portability wants granularity and timeliness. For example, if you choose to host (so to speak) your current location info at FireEagle, you might still want to reuse it in other places for other purposes, and luckily OAuth lets FireEagle, Dopplr etc. give you a nimble and safe way to “port” this data back and forth.

This is a kind of data statelessness, in that when you tell various sites they can set, read, and republish your location, they’re letting go of any pretense of exclusive hosting control so that they can offer you a different kind of value.

Now, in the IdM and VRM worlds, some of us have been talking about identity statelessness for a while, which is similar but looks more like straight data-sharing (reading) rather than arbitrary service access (setting). For some reason this is a tougher sell — even though CRM systems and user accounts are shot through with pale copies of stale data (and, in the enterprise case, even though syncing directories and replicating databases is brittle and no fun).

Even when one party — say, you yourself — is authoritative for some piece of personal data (like your home address), all the sites insist on making you provision a copy of this data into their profile pages by hand and by value, and insist on thinking they own something truly valuable even after you move and forget to tell them.

In short: To the extent data is volatile, copies of it leak value. If the chain of evidence between its authoritative source and a recipient of data is broken, it quickly becomes value-free. And if the chain of authorization breaks, you’ve got digital shadow cruft. Why oh why can’t we get to a place where, as Scott Cantor put it to me once, identity-aware apps think in terms of data caching rather than data replication?

The Data Portability TOS/EULA work is helping us raise our standards for what true data portability should look like: Open Arms – Ever Fresh – Graceful Exit. OAuth already helps us get a bit beyond disclosure of site terms, closer to a world where users have an active say in what sites do with our stuff. I’m hoping UMA (recent deep-dive Technometria podcast here) can help us go even further because of its notion of user-dictated terms that recipients must meet in order to have the privilege of fresh access.

We’re likely to discuss this topic in the DWB podcast sometime soon, so I hope you’ll give a listen.