www.satn.org

Project MAC, where we met at MIT; the Software Arts building, where we worked together; and the attic where VisiCalc was written
Comments from Frankston, Reed, and Friends

Wednesday, April 13, 2005

BobF at 2:33 PM [url]:

It’s not “Identity Theft”!

We have to get past the misleading metaphor in the recent headlines about “Identity Theft”. That's like saying you steal someone's soul when you take their picture or when you use their “true name”. The concept of identity theft makes it difficult to recognize that we are simply using outdated approaches to facilitating transactions.

What it means is that we use a few simple identifiers such as your name and social security number (in the US, something similar in other countries) to identify ourselves on forms and over the phone for the purposes of establishing trust, especially trust associated with purchases.

Imagine a simple alternative -- instead of giving your “identity” information over the phone or typing it into a website you have a third party who can vouch for you and the merchant. Instead of recording personal information about you the merchant would simply get a token (an unforgeable code number). Note that this doesn't require that the third party know anything about you -- you can choose to have a “bearer” relationship which means you simply pay cash.

In fact, cash is just a third party transaction -- a government vouches for the value of the tokens. An early form of this was the use of precious metals such as gold. Gold is like today's crypto keys in that it's relatively easy to test validity but hard to forge. But the supply of gold hobbled commerce. China created paper money because it had a bureaucracy that was trusted. This freed up gold for use as jewelry and allowed commerce to flourish.

Self-coined paper money has long been more problematic because of the increased difficulty of trusting the authenticity of the document itself and the promises made by the parties involved. The value of such documents outweighed the risk and we insured (often self-insured) for that risk. Credit cards and services like PayPal extend this and take out a percentage of the transaction as a fee which includes the insurance.

When we provide “identity” information on a form we are performing such a transaction but with very weak credentials. This works as long as the information is confidential. In reality it's not confidential but has been considered sufficiently difficult to obtain that the system worked in the sense that the risk was tolerable. In practice this has only been true statistically. Those whose information was public suffered greatly and the rest were very happy to get the benefits of such transactions. If the forms just contained your credit number the risk was bounded -- you could just get another “identity” (number) and the banks would accept the losses.

Commerce-at-distance requires some way to verify that you have authority to make the purchase in lieu of the lack of being there in person to make the merchant accept your authority. I purposely didn't say “e-commerce”. We had phone-commerce long before e-commerce and the problem was the same. Postal-commerce is even older. A combination of the increased use of these facilities and the downgrading of the job status of those who process the transaction has raised risks. To keep things simple we've simply extended old practices of asking for a few standard tidbits of information as sufficient to establish that you are you.

While we are very aware of credit card companies as creditors it's less obvious that the Telcos have been seeking an increasing role as third party agents because of their skill in billing for small transactions (see http://www.frankston.com/?name=TR128). The “900 number” in the US is a good example. Minitel in France is similar -- you are billed according to the number so different services chose numbers that reflected the amount they wished to charge. The assumption is that your phone line is hard to steal. 900 numbers essentially failed because the system was simply too Procrustean. They got a bad reputation because only merchants who weren't too concerned with things like refunding money found it useful.

Imagine 900 numbers implemented differently -- the Telco simply cached the credit information for you and when you made a call you could hit a “pay” button to make the payment. If both parties trusted the phone company then the merchant needn't know too much about you.

Why not take this to the next stage -- have a protocol which allows a third party to vouch for the transaction. The onus is on the third party. But that third party can do more to establish the relationships than just use the tokens. When we can assume utility connectivity we can do this for paper transactions.

Smart cards, in a sense, were an early form of this. They were useful at a time when merchants couldn't simply check with the credit card company to verify transactions. They have failed in the US because the phone system worked very well. Today Internet connectivity is providing such a channel everywhere.

There is no need for merchants to have any such identity information to verify transactions. They might want more information for marketing purposes but they can just ask for it directly as in “you can get $1 off of your bill if you provide all the intimate details of your life”. The value is based on how much else they can find given the information. They will have to settle for the ability to harass you with mailings rather than profiling you -- not really, there are plenty of people who will still try to aggregate information to make marketing companies more efficient by a point or two.

Microsoft's Passport and other third party identity companies are attempting to meet this need but by selling “identity” they are selling a bad metaphor. A better example is PayPal which is simply facilitating a transaction. PayPal is far from perfect as it is a target for scams but they can be more creative in establishing their relationships. Should you trust PayPal? Not necessarily, especially as they are such a target and because you shouldn't trust too far beyond what you can verify. We need to establish a more distributed approach and a more nuanced concept of trust -- it's not a Boolean.

But a first step is to get past the notion that knowing your social security number, date of birth and your mother's maiden name (if women keep changing their name as if they are property) is enough to steal your soul.
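Added example, not part of the original post: a minimal sketch of the third-party vouching idea described above, in which the merchant receives only an unforgeable token and checks it online with the third party. The `Voucher` class, its method names, the token layout and the merchant names are all hypothetical, and an HMAC held by the third party stands in for whatever "unforgeable code number" scheme a real service would use.

```python
import hashlib
import hmac
import secrets

class Voucher:
    """Hypothetical third party trusted by both buyer and merchant."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the voucher
        self._accounts = {}                  # opaque handle -> balance in cents
        self._spent = set()                  # token ids already redeemed

    def open_account(self, deposit_cents):
        # "Bearer" relationship: no name, SSN or birth date is recorded.
        handle = secrets.token_hex(8)
        self._accounts[handle] = deposit_cents
        return handle

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, handle, merchant, cents):
        # Reserve funds; the token is bound to one merchant and one amount.
        if "|" in merchant or not 0 < cents <= self._accounts.get(handle, 0):
            raise ValueError("bad merchant name or amount not covered")
        self._accounts[handle] -= cents
        body = f"{secrets.token_hex(8)}|{merchant}|{cents}"
        return f"{body}|{self._mac(body)}"

    def redeem(self, token, merchant, cents):
        # Called by the merchant online; True means the voucher will pay.
        body, _, tag = token.rpartition("|")
        if not hmac.compare_digest(tag.encode(), self._mac(body).encode()):
            return False                     # forged or altered token
        token_id, bound_merchant, bound_cents = body.split("|")
        if (bound_merchant, bound_cents) != (merchant, str(cents)):
            return False                     # token presented elsewhere
        if token_id in self._spent:
            return False                     # replayed token
        self._spent.add(token_id)
        return True

def demo():  # constructed sample values; merchant names are made up
    voucher = Voucher()
    buyer = voucher.open_account(5000)
    token = voucher.issue(buyer, "bookshop.example", 1999)
    return {
        "other_merchant": voucher.redeem(token, "other.example", 1999),
        "altered_amount": voucher.redeem(token.replace("|1999|", "|1|"), "bookshop.example", 1),
        "first_use": voucher.redeem(token, "bookshop.example", 1999),
        "replay": voucher.redeem(token, "bookshop.example", 1999),
    }
```

A token copied from the merchant's records is worth nothing afterwards: it is bound to that merchant and amount and is rejected on second use, which bounds the loss in the way the post describes for a replaceable credit number.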




Tuesday, April 12, 2005

BobF at 3:56 PM [url]:

RIAA Plans to Sue Hearing Aid Manufacturers

RIAA to Sue Internet2 Users is just one step in the RIAA campaign to assure that they will get paid for all use of their "property" no matter what the cost to society. Technological progress must be prevented if it means people might escape the control of the RIAA.

My confidential sources have informed me that the RIAA is planning to sue hearing aid manufacturers for transporting music without explicit authorization. They see this as a necessary step in order to protect themselves against piracy.

In fighting against the Internet they have become aware of the opportunities as well as the threats posed by technology. The goal is to assure that all devices that can copy audio across the device will check all sounds against a database of signatures and record the copying. They will then decide whether to prosecute or collect royalties depending on their whim. After all, what good is total control if you have to follow rules yourself? They are excited about being able to catch all unauthorized singing or whistling of classics like Happy Birthday.

Hollywood's MPAA will be watching closely as they plan to sue to assure that eyeglasses are modified to honor the broadcast bit and thus not just prevent illegal copying but illegal viewing.

Research is continuing on using EEGs (brain waves) to allow them to charge each time people think about a given tune. They see vast profits in charging per-thought as opposed to per-play.

I apologize for this late posting, I meant to have posted this on April 1st but it was unfortunately delayed by forces beyond my control -- After all, I didn't read about the Wall Street Journal story about the RIAA's plans to sue Internet2 Users till April 12th. The battle against piracy goes on -- after all, the RIAA pirated first by replaying sheet music and then got their piracy rights endorsed by the Supreme Court of the Universe. They have to defend their piracy rights.



Monday, April 11, 2005

DPR at 9:35 AM [url]:

Wired is now Tired

For around a decade, Wired has had a column contrasting the new, new things as Wired, and the fading fads as Tired. This creates a problem for Wired in the new century, because the concept of being Wired is now itself Tired.

Now you might think that what I'm talking about is that Wireless is the new thing. That radio is a cool new area - that radio is the new "wire". But that is not at all the point. Radio is only a small part of this new century. The point is that the containers and transports for information, the gadgets and the wires, have become pretty much irrelevant. It's no longer relevant whether you are "plugged in" or "off the grid". Cyberspace and real space are coterminous - the world of information is as real as the physical world, and no longer lives in discrete physical containers.

Over the weekend, the New York Times contained a column about how Nielsen is tracking what people watch, rather than what TVs are tuned to.

TVs in elevators and bars and airports are now engaging people's attention. This technology is based on "wires" for its connectivity, but it might as well be wireless.

In the same way, people's email now lives in cyberspace - you can access it via the web, a Blackberry, or your laptop, but it is the same email.

And of course the center of telephony (while the Tired-Wired thinkers continue the self-serving debates of marketers, sell-side analysts, and policy wonks about VoIP and cable/DSL QoS) has moved to cellphones and Skype - services that make communications personal, not device-based.

Finally, the debate about security and privacy continues to focus on the physical configuration of devices - whether a particular link can be tapped or what rules a firewall should enforce. Yet security and privacy are ultimately about people and the representation of information about them. As cyberspace has grown and diffused into society, security and privacy is now a problem that is well and thoroughly dispersed in the network, so much so that there is no way to isolate a particular person's persona in a single device or a company's interests in a single isolated subnet.

So what does this mean?

There is a huge amount of focus on the visible and tangible forms that connectivity takes. So much so that even engineers get stuck focusing on radio networks as "cable replacements", and security policymakers believe that "firewalls" can be made to behave like barbed wire fences.

But in an age of pervasive connectivity, where information is becoming more and more free to roam in intangible form, the whole idea that one must "plug in" is becoming a symptom that our metaphors are broken.

When the IT departments pretend that they are being effective in protecting personal privacy by putting up firewalls and intrusion detection systems to protect the devices, they do us a disservice.

When businesses build their business model around particular physical infrastructures (whether it's a fiber or a cellular network) they do their investors a disservice.

The 21st century looks to me to be an era of pervasive, nomadic, and viral connectivity among people and groups. We will look back at an era centered on gadgets, the era of Wired, with nostalgia, just as we look back at the era centered on railroads, electrification, steamships, automobiles, and airplanes with nostalgia today.

It's not an era of Wireless, any more than that era was Horseless.



Sunday, April 10, 2005

BobF at 9:53 PM [url]:

Comcast and Disney vs the Internet

Note -- I wanted to edit this essay and mull it for a while but "blogger" has hair-trigger posting so these are my first thoughts in reaction to:

Check Availability

To view this content, you must be a Comcast High-Speed Internet customer. Enter your zipcode to find out if service is available in your area.

In an attempt to keep customers hostage, Comcast is offering http://www.comcast.net/kids/disney. But you must be a Comcast subscriber to get to it. I presume that Disney won't really want to limit its audiences but the implications of such exclusive arrangements -- typical of the cable industry -- are very worrisome. For now I'm taking the Comcast warning very seriously.

This is the very kind of cross subsidy between the content and transport businesses that puts the lie to claims of a level playing field. Clearly Comcast is taking advantage of its privileged access to the rights of way to carve up the Internet. It's just like the attempts to block Voice over IP and a violation of the spirit of the Internet.

Even though they are not blocking packets they are clearly trying to use tie-ins to their advantage rather than competing by providing more effective Internet access. Comcast has publicly stated that they will provide unfettered access to the Internet. Apparently their promises aren't worth much. Will I have to buy a separate "pipe" to access each provider's special version of their Internet?

Why would Disney want to limit its audience to Comcast subscribers?

Cities who have awarded Comcast the privilege of providing services should reexamine their arrangements in light of this hostility to the Internet.

Those who wondered why we shouldn't let a company like Disney subsidize Internet access should see this as an example of the price we'd pay for letting Disney buy the Internet.

Comcast/Disney -- the Anti-Internet

Am I overreacting? Comcast may be allowed to offer services to their subscribers but what bothers me is that Internet connectivity is a fundamental and vital commodity. That's the reason we had common carrier rules for telephony -- not simply to avoid companies taking advantage of their privileged position but also to meet a societal goal of creating a commons. The Internet is valuable because it is such a large commons. Those who seek advantage by carving out exclusive reserves within this commons leave each of us a little poorer.

When they take advantage of our trust and their privileged position as providers of connectivity I must object and make my objection heard.




For more, see the Archive.

© Copyright 2002-2008 by Daniel Bricklin, Bob Frankston, and David P. Reed
All Rights Reserved.

Comments to: webmaster at satn.org, danb at satn.org, bobf at satn.org, or dpreed at satn.org.

The weblog part of this web site is authored with Blogger.