• affiliations
• store
  • Net Attitude
  • Amazon/IBM
• profile
  • affiliations
  • short bio
  • emcee introduction
  • long bio
  • photos
  • career at IBM
• in the news
• engagements
  • booking
  • upcoming
  • abstract
  • emcee introduction
  • a/v requirements
• favorites
  • books
  • composers
  • concerts
  • links
  • plays
  • restaurants
• travels
  • travels
  • gps log
• point of view
  • net attitude
  • favorites
    • books
    • composers
    • concerts
    • favorites of all kinds
    • plays
    • restaurants
    • running places
  • panels and papers
  • presentations
  • reflections
  • weblog
• photo gallery
• technology
  • alphaworks
  • autonomic computing
  • developer works
  • grid computing
  • IBM Research
  • linux
• links
  • favorite sites
  • related sites
• hobbies
  • collecting
  • computers
  • gadgets
  • hiking
  • home automation
  • motorcycles
    • log
    • bike list
  • music
  • photo gallery
  • running
  • technology
  • tinkering
  • website
  • weblog
• contact me
• wall street
• weblog
  • archives - by month
  • Aviation
  • Blogging
  • Conferences
  • e-business
  • Favorites
  • Gadgets
  • Go Figure
  • Healthcare
  • Hiking
  • Home Automation
  • IBM
  • Internet Technology
  • Media
  • Mobile
    • iPhone
  • Motorcycles
  • Music
  • On Demand
  • People
  • Personal Computing
  • PKI
  • Public Policy
  • Travels
  • Wifi

Web
patrickweb.com

Disclosures

PKI

Monday, December 17, 2007

Privacy City

One element of privacy on the Internet is "Opt in" versus "Opt out". When you register at a web site you will often see a small box to be checked giving you the “option” to be included or not included in subsequent emails making offers to you. Opt in means you proactively choose to be included. Opt out means you are included by default and you have to take action to be removed from the list of those who will automatically receive the emails. In some cases you have to read the words very carefully to determine which case is the default. This is part of Trust. Is the site really opening up to you and making it very clear what your options are, or are they making the words a bit fuzzy and hoping you won’t figure out what the default actually is?

Citibank introduced a service called c2it back in 2000 that enabled the sending and receiving of cash via email. You simply visited the c2it site, specified which of your checking, savings, or credit card accounts you wanted the money to come from, and entered an email address for someone you want to send the money to. That person would then receive an email, was asked to enroll in c2it, and then could accept the money from you directly into their checking, savings, or credit card account. This seemed like a potentially useful service to me when I learned about it and so I enrolled. Only after I enrolled did I find out that there were fees involved. Then I discovered that incoming amounts are not credited to your account for five to six days, which is longer than if I had received a check and deposited it myself. Then I discovered that there is no fee to receive into a Citibank credit card but there is a fee if it is another bank’s credit card. I am not saying the fees are unreasonable – the competition from PayPal and other services would determine that. C2it ceased operations in 2003. If you visit the c2it site you are told that you could contact c2it for a copy of your statement by writing a letter to "Customer Service Center" in Sioux Falls, South Dakota and provide them with your full name, e-mail address, phone number, and a copy of your social security card, driver's license, or a telephone bill, gas or electric bill or bank statement from the last 30 days. What would they do with all that information? Probably sell it to other companies. If you have any doubt of that, just read the Citibank Privacy Notice.

Fast forwarding seven years I would have been hopeful that Citibank would become a leader in gaining our trust. Unfortunately, not the case. Who might Citibank share your personal information with? The list includes affiliates among the family of companies controlled by Citigroup as well as non-affiliated third parties, such as financial services providers and non-financial organizations, such as companies engaged in direct marketing. I can't think of much that doesn't fall into one of those categories. What information is it that they might "share"? Your name, e-mail address, zip code, age and income range, information you provide on applications and other forms, information about your transactions with affiliated or nonaffiliated third parties, information received from a consumer reporting agency and information received about you from other sources. I can't think of much that is not included.

We are talking about a sweeping allowance to provide a broad and undefined amount of information about you with a broad and undefined audience. If you touch Citibank you will quickly start receiving marketing offers. Citigroup says "We may do this even if you ask us to limit disclosure of personal information about you". Not that it really matters, as they say, but how would you make a request to have your privacy respected? You would send them a "Privacy Choices Form" by U.S. mail. Mail? Yes, snail mail. This highly automated web savvy giant can transfer money in and out of any of your accounts in milliseconds but to have your privacy respected "please allow thirty days from our receipt of your privacy choices for them to become effective".

The issue is trust. It was easy to get the feeling that Citibank was not being forthcoming about their c2it offering. Citibank reminds us that it is "allowed by law to share with its affiliates any information about its transactions or experiences with you". Should the default be “check this box if you do not want this"? Seems to me that it should be opt in not opt out.

Brand used to be a feeling conjured up by how a company's product was physically packaged or how you imagined yourself using it. Increasingly brand is a feeling conjured up by your experience on that company's web site and from it's privacy policy. These tie directly to Trust. Companies that have a web site that provides an end-to-end positive experience and which enhances people’s quality of life by saving them time will gain enhanced brand equity. The converse will become obvious. Web sites already have a repository of huge amounts of personal data that represent the byproduct of not just our registrations but also our surfing habits, our purchases, and our interactions with others. In the near future our medical records will be on a web site somewhere and beyond that will come real time data streamed from pacemakers and other medical instruments that are attached to our bodies. All of this data can bring significant benefits to us but only if we are able to trust the holders of the data and have confidence that they will protect it and respect our preferences about how and when it can be used.

Epilogue: This is not a story picking on Citibank. They are one of the giants and they put things in our physical mailboxes on a regular basis, so they have no place to hide. Unfortunately, most privacy policies out there resemble what I have discussed here.

Other patrickWeb stories about Privacy and Trust

Internet Technology, PKI, Public Policy, e-Business December 17, 2007 05:33 PM

Monday, July 30, 2007

Authentication Redux

The trip to New York for a board meeting last week went smoothly. Traffic was light -- even within the city -- and I got to the hotel lobby in much better than normal time. The one thing that went less well than it could have the check in process at the Radisson Martinique on Broadway. After a long wait line I was greeted by a person at the desk. Hoteliers actually think that guests want to be greeted by an employee and have them ask how you are today. One would think that they would realize is that the most important thing a guest wants to get to their room. I had a reservation. All the information about me is already in the reservation record and the frequent stayer record. In spite of this the hotel agent had to enter a lot of keystrokes for some reason. The only thing they did not have was authentication. They wanted to make sure I was the person I said I was. I showed them my driver's license in the flip-up plastic window of my wallet but that was not good enough. The agent had to go to the back office and make a photocopy. No wonder the waiting line is so long.

The solution to speeding up and improving the accuracy of the authentication process is the use of biometrics. The technology has been around for decades. Pick your favorite -- hand geometry, fingerprint, iris scan, face scan, or voice print. There are many working solutions available today from many vendors. None are perfect and that is why we don't see more implementations. Rather than take a leadership approach, many institutions in effect say, "we can't do *anything* until it is perfect. Some lawyers say that if it hasn't been to the Supreme Court then don't use it. The result is that we stand in line waiting for someone to photocopy what might be a stolen driver's license.

My favorite approach is hand vascular pattern biometric a technology that originated from a conventional vein pattern recognition system. Studies show that 99.98% of the world's adult population can use it. It is highly secure because there is no back door, such as a key or numeric password. Fingerprint devices suffer from usability because some users have faint fingerprints while iris and retina scan devices may not be appropriate for people with eye diseases. On the other hand, no pun intended, hand vascular patterns are unique to each of us and to each hand. The chance of someone being incorrectly recognized is 0.0001%. Not perfect but that is good enough for me. The best part is that hand vascular scanning does not require physical contact, compared to fingerprint scanners which require users to press a finger onto the scanner in order to capture the print. The idea of wiping your finger over something that millions of other people have wiped their fingers seems inconsistent with what people on cruise ships are told. One other subtly for increased security with hand scanning is that because of the sensor's capability to sense the user's temperature, there assurance that the hand is alive. Being able to establish that we are who we say we are could speed the lines at airports, hotels, sporting events, and hospitals.

Other patrickWeb stories related to authentication

Healthcare, Internet Technology, PKI, Travels July 30, 2007 09:41 AM

Sunday, July 29, 2007

Seven Wonders

The Seven Wonders of the World is an expression that is as old as I can remember but it turns out there are actually multiple lists. Recently a non-profit organization called New7Wonders decided the list needed an update and so they set about to seek nominations -- almost 200 came in -- and then the list was narrowed to the 11 most-voted by the start of 2006. About 100 million votes were cast "by the Internet and cell phone text messages" and the new list was announced shortly after the fourth of July (2007). As you can imagine, there is a lot of controversy surrounding the list.

The most interesting part to me is not the list per se but the process used to "elect" the winners. According to the Associated Press, "Organizers admit there was no foolproof way to prevent people from voting more than once for their favorite". A simple step would have been to not allow more than one vote from the same email address or cell phone. Of course many people have multiple phones and addresses but at least disallowing clear duplicates would be a step in the right direction. The only foolproof way to assure no duplicates would be to have some form of strong authentication. Authentication is the single most important gap in the integrity of the Internet (and mobile text messaging). If I borrow (or steal) your cell phone I can send a message as though I am you. If you put your login and password on a Post-It stuck to your desk and someone visiting your house "borrows" it, then they become you. The bottom line is "Who are you – really?".

There was a cartoon by Peter Steiner in the July 5, 1993 issue of The New Yorker showing a dog at a PC speaking to another dog watching from the floor. The caption was, “On the Internet nobody knows you’re a dog.” Very true and in fact nobody really knows for sure just who you are when you are online. Nor do you know who is at the other end of an IM, text message, or eCommerce transaction. Technology is available to make things different by using "digital IDs". Unfortunately, there has been a prevailing attitude that digital IDs would mean that the “government” would issue an ID that would then enable them to spy on us; read our email, track what we do on the web, or invade our privacy in some way. I have a much more positive view -- that digital ID’s are not to be feared but in fact should be embraced. They represent the empowerment that can unleash the full potential of the Internet. They will allow us establish that we are who we say we are and to validate that the web server we are doing business with is really who they say they are. Security, per se, is not the issue. Authentication is.

Today we use the login ID and password as a substitute for authentication. We all use them every day but the problems with them are non-trivial. First is the password sharing problem that enables someone else to be you. Assuming you keep your password to yourself, there is another set of problems. Web sites have different rules for login Ids and passwords. Some require that you use your email ID as your login, some require you to use your social security number, others allow you to pick anything you want as long as it is at least so many characters or in other cases as long as it is no more than so many characters or that it starts with a capital letter or that it have at least two numbers in it, etc. For good reasons they all require that your ID be unique. Sorry, but jjones is already taken. The same thing is the case for the password. Some require at least so many characters, some require that a password must contain at least one numeric character, some require that it be all numeric, and others require that it contain no numeric characters. The variations are vast and the result is that you end up with a lot of different IDs and passwords. I have more than 200. Digital IDs to the Rescue. (read more)

Internet Technology, PKI July 29, 2007 10:46 AM

Saturday, June 4, 2005

Phishing - Part 4

"Phishing" continues to be one of the most fraudulent activities happening on the Internet. A lot of people are still not aware of phishing and, more alarming, a non-trivial number of people are being caught off guard by it and providing their personal and finananical information to perpetrators of fraud . According to the Anti-Phishing Working Group, there are nearly 1,000 web sites which use "social engineering and technical subterfuge" to steal consumers' personal identity data and financial account credentials. I have shared some examples of phishing attacks I have seen personally (see the PKI category of patrickWeb). Basically, phishing attacks are emails which "spoof" the identity of eBay, Citibank, or other legitimate organizations; i.e. . they make the email look as though it had come from the legitimate organization. In the earlier days of phishing attacks, you could see telltale signs such as misspellings or grammatical errors. However, the phishers are getting more sophisticated -- and perhaps using spell checkers and grammar checkers.

This week I received an attack that looked and sounded quite legitimate. The following is the email I received, what actions I took, and what I learned about validating such emails. (read more)

PKI June 4, 2005 06:15 PM

Tuesday, March 30, 2004

Phishing Update

In the Inside ID Conference report I mentioned "phishing" as one of the types of fraudulent activity that is happening on the Internet. There was a news story about phishing in the past few days -- it is clearly on the rise and something to be quite careful about. I have personally received three phishing emails this week and it is clear that the perpetrators are getting very clever. In addition to the basic fraudulent attempts to get personal information from others, the emails use"spoofing". Spoofing is a technique -- unfortunately not hard to do -- whereby the "from" address is modified to make it look like it came from a legitimate source. Here are the three emails I received and some advice on how to deal with them. (read more)

PKI March 30, 2004 11:37 AM

Friday, December 26, 2003

Privacy And Trust - Epilogue

Another dimension of Trust has to do with standards. Because of standards, the Internet is the only thing I know of that works the same everywhere. Most things work differently in different parts of the world. The side of the road we drive on, the side of the car we drive from, the width of the railroad tracks, the plugs that we put in the wall; all work differently around the world. But not the Internet; it works exactly the same in every corner of the world. There are a lot of debates during the process while Internet standards are being developed but once published as a standard every vendor has an obligation to implement the standard. Most do. (read more)

PKI December 26, 2003 12:33 PM

Wednesday, December 24, 2003

Privacy And Trust - Part 8

In "Too Secure?", I described how a financial services company insisted that I use the fax machine to send them a document. Let's contrast that process with how it might have worked using a public key infrastructure approach with the five security functions described in the last part of the Privacy And Trust series. We'll look at each of the five elements. (read more)

PKI December 24, 2003 11:06 AM

Tuesday, December 23, 2003

Privacy And Trust - Part 7

The most important benefit of a digital ID is authentication. Once digital IDs are more commonplace, you will no longer have to send your login ID and password over the Internet. Your password, passphrase, or biometric will go no further than your smart card, token, or your PC. Once you are authenticated, you will be able to authorize an encrypted exchange of digital data between your PC (or phone or other information appliance) and the other party. The result of the exchange is that both parties will be able to confirm that the other party is indeed who they say they are. If you provided biometric data the person will know not only that it was your ID but that it was actually you and not someone who may have ?borrowed? your login/password. (read more)

PKI December 23, 2003 08:34 PM

Monday, December 22, 2003

Privacy And Trust - Part 6

In the near future most people will have a digital ID along with an accompanying biometric link such as a fingerprint, face print, voiceprint, iris or retina scan. The combination of digital ID and biometric will enable you to establish yourself as a completely unique person. At last you have the ability in the digital world to establish that you are who you say you are just as you can in the physical world! Step one is to get a digital ID from someone that knows for sure who you are and who is trusted by others as a reliable source for authenticating you. And who would this someone be? (read more)

PKI December 22, 2003 05:34 PM

Saturday, December 20, 2003

Privacy And Trust - Part 5

There was a cartoon by Peter Steiner in the July 5, 1993 issue of The New Yorker showing a dog at a PC speaking to another dog watching from the floor. The caption was, ?On the Internet nobody knows you're a dog.? Very true and in fact nobody really knows for sure just who you are. Nor do you know who is at the other end of a chat session or e-commerce transaction either. Assuming success of the numerous technologies at the Inside ID conference in Washington, D.C. this week, we will soon have Digital IDs that will change this. There are many issues but has become urgent that we get digital ID's in place for all of us (and for our servers and eventually for everything. (read more)

PKI, Public Policy December 20, 2003 04:41 PM

Thursday, December 18, 2003

Inside ID - Summary

Before I continue with the Privacy and Trust series, Ins I wanted to summarize what I learned at the Inside ID conference in Washington. In my presentation I tried to set the stage for the conference by speaking about how the evolution of the networked world presents a staggering necessity and opportunity for organizations of all types to provide the means to establish who they are and who they are dealing with, whether it is across the counter or across the Internet. The Inside ID conference then drilled down in great depth as nearly 100 speakers and more than 60 vendors discussed the systems and technologies that facilitate identification -- ranging from digital identity to identity management. There were a lot of detailed things I learned but what I want to share is the big picture of what I learned. (read more)

PKI December 18, 2003 04:02 PM

Tuesday, December 16, 2003

Phishing - Part 2

A number of readers were surprised to learn about phishing, and more than one suggested that I send the example to eBay. Actually, I am quite confident that eBay is on top of this issue. I suspect they scan continuously to find eBay fraud of all kinds -- including phishing emails. eBay is an incredibly large and successful community for buyers and sellers and they have thought through all the aspects of the buying and selling processes. Any inhibitor to the growth of the community is something they are responsive too. Unfortunately, it is a constant battle to stay ahead of the fraudsters. Bob Safier shared with me an amazing fraudulent email that he received. (read more)

PKI December 16, 2003 05:34 PM

Sunday, December 14, 2003

Phishing

In the Inside ID Conference report (part 4) I mentioned "phishing" as one of the types of fraudulent activity that is happening on the Internet. Today I received an example personally. This is such a blatant example of fraud I hope and suspect that the Federal Trade Commission is taking swift action. I also hope sharing this here will make more people aware of this kind of sham, and I urge all to let their friends and families know. According to people at the conference I just attended, the positive response rate -- people who actually provide their personal information to the phishers -- is 30%. That is extraordinarily high compared to spam or legitimate advertising. (read more)

PKI December 14, 2003 04:47 PM

Saturday, December 13, 2003

Inside ID Conference - Part 5

I am planning this and one more story about things I learned at the Inside ID conference in Washington, D.C. and then I will continue to write stories that are part of the Privacy and Trust series. There were more than sixty exhibitors at the conference. Naturally, they all claimed to have *the* key ingredient needed to solve the identity management and authentication issues of the world. I was quite impressed with a number of them and this story will summarize what I learned about four vendor solutions. Three of them offer biometric technology. If one thing is clear from the conference it is that all government entities are looking to biometrics as the way to tie a person's body to their credentials. (read more)

PKI December 13, 2003 03:03 PM

Wednesday, December 10, 2003

Inside ID - Part 4

The next story in the Privacy and Trust series will be coming shortly, after a couple more updates from the Inside ID conference in Washington, D.C. In my keynote on the opening day of the conference I asserted that organizations and individuals should be spending more time and money on the security of their systems. I said that we don't leave our homes for the weekend with doors and windows open and yet we effectively leave our "always on" network-connected PC's wide open. In John Gould's talk he took this to the next level and discussed specific vulnerabilities of the PC including viruses, worms, hacking, phishing, and spyware. It was a wake-up call for me and I immediately headed for the Net with my ThinkPad to get some new software. (read more)

PKI December 10, 2003 10:41 PM

Inside ID - Part 3

The next story in the Privacy and Trust series will be coming shortly, but first will be an update or two from here in in Washington, D.C. at Inside ID. The conference has an exhibit area where dozens of vendors are showing digital identify solutions including smart cards, biometric technology, and middleware. There are almost 100 speakers from government, academia, and the private sector. I gave a talk at the opening general session where I shared a big-picture view about the shape of the future of the Internet. I talked about what the Internet has in store for our business and personal lives and why trust, in the form of secure digital identity and authentication, is critical. Since I have a meeting in Washington on Thursday, I decided to stay in town to visit the exhibition hall and attend as many of the seminar sessions as possible. I am very glad I decided to do that -- I have learned a lot. (read more)

PKI December 10, 2003 05:32 PM

Inside ID - Part 2

The next story in the Privacy and Trust series will be coming shortly, but first will be this update on the Inside ID conference in Washington, D.C. The conference has an exhibit area where dozens of vendors are showing digital identify solutions including smart cards, biometric technology, and middleware. There are almost 100 speakers from government, academia, and the private sector. I gave a talk at the opening general session where I shared a big-picture view about the shape of the future of the Internet. I talked about what the Internet has in store for our business and personal lives and why trust, in the form of secure digital identity and authentication, is critical. Since I have a meeting in Washington on Thursday anyway, I decided to stay in town to visit the exhibition hall and attend as many of the seminar sessions as possible. I am very glad I decided to do that -- I have learned a lot. (read more)

PKI December 10, 2003 11:57 AM

Tuesday, December 9, 2003

Inside ID - Part 1

On Tuesday morning I will be speaking at Inside ID in Washington, D.C. They are calling this conference a "Mega Show" because there will be dedicated sections of the exhibit hall branded to reflect the major tools used in modern identification solutions. These "shows within the show" include: Inside Identity Management, Inside Digital Identity, Inside Card Technology, Inside Biometrics, and Inside Document Security. I am extremely interested in the content of the show and will be reporting more on it later. My talk will be called "The Future Of The Internet: A Distributed Web of Trust". The talk will be based on my views as expressed in a story in Network World where I wrote an 850 word summary, called "The Ultimate Internet".

PKI December 9, 2003 07:44 AM

Sunday, December 7, 2003

Privacy And Trust - Part 4

Mention the word trust and many people immediately think of security. We hear so many negative questions about Internet security. Is it strong enough? What will happen to my credit card number? What about hackers? We would like to implement this or that application but we can't because of ?security?. The list goes on. This is one area where some ?old fashioned? attitudes are actually healthy. Security is critical and needs to be taken very seriously -- but not in a restrictive sense. In fact the question that business and government leaders should be asking is about how security on the Internet can become the enabler of global commerce, the enabler for enabling people to control the email they get, the enabler for more secure and efficient processing of healthcare information, and the enabler for trusted transcations. (read more)

PKI December 7, 2003 12:35 PM

Thursday, December 4, 2003

Privacy And Trust - Part 3

Most websites now have privacy policies and it is a good idea to read them, especially if it is a company you have not done business with before. Some privacy policies amount to "We capture data about you and we sell it or give it to anyone we choose". Other companies have a policy like "We will always tell you if we are capturing your personal data. We will never give it away or sell it. If we want to use it in any way other than to fulfill an order or something you asked of us we will ask your permission first. We guard all data with extremely tight backup and security procedures to insure your data is never compromised". That is a good policy but how does a company insure they are actually complying with their own policy? (read more)

PKI, Public Policy December 4, 2003 07:03 PM

Tuesday, December 2, 2003

Privacy And Trust - Part 2

In a world where every computer is connected to every computer a lot of things are possible. Some of them are not pretty. Trust will become critical. Brands will become more important than ever because they will signal to us what level of trust we can expect. How will we know whether we can really trust a web site? Trust goes hand in hand with good security and privacy. Offering good security and a solid privacy policy will be the bare minimum but we will also follow how an e-business acts over time. What is their commitment? Do they listen to their constituencies? Do they respond to concerns about privacy and make things better? These actions will separate the good guys and the bad guys. (read more)

PKI December 2, 2003 02:01 PM

Anonymity

From time to time I see an editorial or story suggesting that anonymity should not be allowed on the Internet. The motivation is usually associated with concerns over pedophilia. This is certainly an important concern but so are the concerns of some who feel they need to be anonymous. A battered wife or an alcoholic that are seeking help and finding it in discussion groups on the Internet have a very valid reason to be anonymous. We have to be careful that we don't react to ?bad things? that happen on the Internet with a cry for regulation of the Internet. There are laws that address many ?bad things? and law enforcement agencies need to use the Internet more effectively as a tool to enforce the laws that already exist. This is happening but more needs to be done. What we do need is authentication and digital ID's so that we can establish that we are who we say we are. Much more on this to come in the privacy series.

PKI December 2, 2003 01:56 PM

Monday, December 1, 2003

Too Secure?

Is it possible to be too secure? This morning I was working on a personal financial matter that required me to send some information to another person. The information was on a paper document and I did not have a machine readable version of it. I scanned the document and sent it via email as an eFax attachment. I first called the person to let them know that I would be sending the email. By making the call I was able to verify that the person was who they said they were and the person would then be able to expect the email and who it was coming from and what it contained. Five minutes later I got a call. (read more)

PKI December 1, 2003 02:23 PM