policy


The hottest thing in higher ed is MOOC. And one of the hottest MOOC platforms is Coursera.


There are a couple of challenges the MOOC movement is about to run into:

  1. How do we know that the person submitting a test is the same person she claimed to be before? Identity proofing in a self-declared identity environment is not trivial. MOOCs are by definition open.
  2. If we want to make money, we better be able to give credits (or badges, or certificates, or a university degree, or something similar). Solutions include test submission with identity proofing.

Then comes the scary part: Coursera offers a Signature Track, where you as a student get identity verification, verified certificates and sharable course records. This is innovative and new. And the way they do it scares me because of the implications for the student and for other services online (a biometric profile of your unique typing pattern). There is a Signature Track Guidebook with more details.

The unique typing pattern is used to identify your work:

“Signature Phrase, a biometric profile of your unique typing pattern. Every time you submit coursework, you’ll easily authenticate your identity by typing your Signature Phrase.”

If this is really workable, I am not sure I want to use any cloud service (like WordPress for this blog, or Gmail) where I type in text. Selling the unique typing patterns of their 2.8 million learners would, however, probably fund the company for the rest of its natural life. It also opens a whole new game of trust issues for any of us using online services. So far the typing part is only available on PC/Mac, and not on tablets.

Hopefully I am wrong to be scared.

We need to find a better way to do identity proofing.


Professor Audun Jøssang has formulated some useful principles for security usability. I wish more people would reflect on these, and what their practical implications are for the systems and web pages we offer our users today. And I really wish Facebook would read them.

The rough statistics for usability are:

  1. 35% of the people will understand, almost no matter what you write or do
  2. 40% will have cognitive challenges at some times
  3. 25% do have special challenges understanding

Given this, and the fact that most web sites aim at the population at large, we really need to rethink the mental load we place on our users.

Google+ is subject to a #nymwar discussion about the requirement to use Real Names. Google+ has shut down a large number of accounts, for example that of IdentityWoman. The movement for the use of pseudonyms has launched My Name Is Me, where the arguments for pseudonyms are presented. Some arguments are:

  • the right not to be stalked or persecuted (whistle blowers, abuse survivors, people from small communities, sexual minorities)
  • wanting to have multiple personas, choosing the nickname you present yourself under, celebrities (Lady Gaga, Bob Dylan, Madonna …)
  • being able to voice personal opinions without being associated with an employer (academics, fans, bloggers, journalists, military)

Earlier this year, SXSW discussed Social Network Users’ Bill of Rights, and there was agreement on most of the points proposed. The one point with most discussion (and least agreement) was the right to use pseudonyms. Kim Cameron commented on his blog that imposing pseudonyms on all social sites breaks the laws of identity.

In Norway we have a debate about how public online discussion forums may avoid hateful and cesspit discussion. There is a need for participants to be held accountable for their opinions, but in my opinion not necessarily to expose legal identities. The federations in higher education are currently handling Real Names, nicknames and pseudonymous/anonymous access:

  1. Real Names are present in the identity management system, because the universities need these names to issue formal credentials (PhDs, MS etc.) and bind the formal credentials to formal, legally registered names.
  2. Nicknames are present in the attribute definitions, but we are still in the process of sorting out what are the most practical ways of sharing this information. There is ongoing debate about consent and necessity for attribute sharing, and displayName is an attribute we need to think more about. Feide decided to require both legal name (Real Name = norEduLegalName) and preferred name (nick = displayName).
  3. Federations provide anonymous but traceable access, based on technology for per-service unique identifiers.

We need to find a balance online, as we have for other aspects of public space where we do not need to post information about identities for each person, but in many cases require that identity is traceable. Minimal exposure of information is good, but defining minimal is difficult.
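To make the three-tier model above concrete, here is an added example (not Feide's or any federation's actual code) of how an identity provider can hand out a per-service identifier that is stable for one service, unlinkable across services, and still traceable by the IdP, while releasing norEduLegalName and displayName only where policy allows. The IdP secret, the user record and the service entity IDs are all constructed for the example; eduPersonTargetedID is used as the carrier attribute.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed example data; not from any real deployment.
FEDERATION_SECRET = b"constructed-idp-secret-rotate-in-production"

# The user as the IdP knows her: the internal uid is never released to services.
USER = {
    "uid": "kari.nordmann@example.edu",
    "norEduLegalName": "Kari Marie Nordmann",  # bound to formal credentials
    "displayName": "Kari",                     # preferred name / nick
}

# Attribute-release policy per service (constructed entity IDs).
RELEASE_POLICY = {
    "https://forum.example.org/sp": set(),                  # pseudonymous forum: no names
    "https://lms.example.edu/sp": {"displayName"},          # learning platform: nick only
    "https://exams.example.edu/sp": {"norEduLegalName", "displayName"},  # formal records
}

def pairwise_id(uid: str, sp_entity_id: str, secret: bytes = FEDERATION_SECRET) -> str:
    """Per-service identifier: HMAC-SHA256 over (uid, service) keyed with the IdP secret.

    Same user + same service -> same value; different services -> values that cannot be
    linked without the key; the IdP can always recompute it, so access stays traceable.
    """
    msg = uid.encode() + b"\x00" + sp_entity_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def assertion_for(user: dict, sp_entity_id: str) -> dict:
    """Attributes released to one service: the pairwise id plus whatever policy permits."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    attrs = {k: v for k, v in user.items() if k in allowed}
    attrs["eduPersonTargetedID"] = pairwise_id(user["uid"], sp_entity_id)
    return attrs

def trace(pid: str, sp_entity_id: str, users: list) -> Optional[str]:
    """IdP-side tracing: which known user does a per-service identifier belong to?"""
    for u in users:
        if hmac.compare_digest(pairwise_id(u["uid"], sp_entity_id), pid):
            return u["uid"]
    return None
```

The forum receives only an opaque identifier, the exam service receives the legal name, and a moderator's complaint about a forum identifier can still be resolved by the IdP alone.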

Yesterday’s newspaper had a good rant in the letters to the editor about stupid enterprises, where more than 60% had not outsourced their email to the cloud yet. It got me thinking: Are the enterprise managers avoiding the cloud stupid? Or might they be reacting according to some of the basically sound principles for security:

  • If I do not understand it, avoid it. True security assessments can only be made for things I understand. Since the cloud email solutions are somewhat new, they tend to get bitten by this. And some of the business models are not well understood, or well explained (for example: paying with your personal information or your clicks, as opposed to paying cash).
  • If it is too good to be true, it is too good to be true. Avoid deals that are too good to be true, in this case free (or cheap) email.
  • Giving the US government access may not benefit my business. The Patriot Act and other regulations give extensive access to infrastructural components, including cloud servers, even if they are not located in the US. Oh, and this goes for a number of other governments as well; I am using the US as an example since most major cloud suppliers are governed by US law.
  • What is the bribe level for gaining access to my data? A month’s paycheck will get you access in many countries, and in low-cost countries the bribe level may be too low for you to expose your data to that country. Some West-European banks outsourcing operations to Ukraine ran into this thinking in the security audit.
  • An unclear value chain may turn out to be expensive for me in the long run. My business intends to be here for the long run.
  • What happens if they lose my data? What do I know about their backups?

Most of this boils down to how to trust something ephemeral, like a cloud. Personally, I like clouds. But I have taken the time to read and study up on them, and not every manager out there has the time or the same policy inclination I do (weirdly, some people do not read cloud audit guidelines late at night).

It turns out, that yet again, people are not stupid.  Even managers are not stupid.


So, it happened to me, like most of my friends with children and iTunes accounts.  And now I want a logout button or a logout app for my iPad. The kid was in a child friendly game, and

  1. a request to buy something popped up, and
  2. he happily clicked YES.

Since the device (in my case an iPad, but this is even more common on iPhones) was still within the time buffer for login, there was automatic approval of the purchase.

On the bright side, I got a happy child with a killer bird for AngryBirds.  On the down side I got an email, drowning in similar emails, about a purchase that was done with my iPad, and I had to pay money.  If he had been in the smurf town, like so many other Norwegian kids, this could have cost me 549 NOK (around 70 euros), as the unhappy dad whose daughter spent 4500 NOK in a free game discovered.

Why is there no logout button in the AppStore? Why is there no logout in iTunes? Why have they chosen to put the cannot-buy-stuff-from-within-apps configuration in a submenu where you must enable restrictions explicitly for each device, instead of offering me the ability to simply log out and then hand over the device to the kids? Enabling a long, long menu of stuff I do not really understand seems more complex to me than simply allowing logout. Then again, I am probably spoiled by the elegant and simple logout support in Feide.

Logout is crucial on shared devices, to ensure that the next user does not gain unreasonable privileges.  Family iPads fall in the category of shared devices.  Give us logout in AppStore!

UPDATE: …and a bit embarrassed (but mostly happy)  I have to admit that iTunes has a logout button, available from the iTunes Store menu.  Took me a while to find it, and it does not help in AppStore, but it is great to have in iTunes.

Applications should perform well in the environment where they live. Requests have been made to domesticate applications for higher education. Some key elements we ask for in a domesticated application:

  • federated login (in our case: support SAML2.0 with the SAML2int profile)
  • never touch a password, login is handled in the federation (in our case: Feide)
  • consume attributes as defined by eduPerson and additional schemas (in our case: norEduPerson, eduOrg and eduOrgUnit)
  • have a reasonable privacy statement, and act accordingly (in Europe, see Article 29)
  • if there is need for provisioning, have a well defined provisioning API (in our case: PIFU)
  • support virtual organizations and external group management

These requirements are basically the same as you find when people build their private cloud systems from open hosted applications.

The discussion on these issues started among federation people operating university identity federations.  Victoriano Giralt says that

“A domesticated application is one that has been adapted to federated access management in some way. I’d even dare to propose levels of domestication:

  1. Domestic species. FIAM has been put in by design, with delegation of AuthN and AuthR to the federation.
  2. Petted species. The application design has allowed to create an AuthN(R?) plugin that allows it to smoothly integrate to the federation, maybe with a minimal local user provisioning.
  3. Tamed applications. They have been made to play in the federated environment by way of provisioning local users on the fly with some kind of kludge, but AuthN/AuthR happens mostly at application level, with information carried over from the federation, but they do not ask for username and password.”

There are wild beasts out there!



I agreed to put my info into Facebook because I do care about my relationships with people, and would like to use the platform Facebook provides. Now there have been too many changes in the privacy settings for me to know anything about what I am sharing and who I am exposing to messages and stuff.

The settings have changed many times, and the changes Facebook has made have required me to take action.  They argue that what has happened is needed for data portability, but I agree with Chris Saad who argues against it in Facebook’s Claims About Data Portability Are False.

The Norwegian Consumer Council has reported Facebook and Zynga to the Data Protection Agency for breach of consumer expectations, arguing that Facebook and Zynga are delivering something significantly different from what people signed up to.

OK, so I did this to me. I brought the stealing of my life onto myself, by putting effort, content and relationships into Facebook. But by breaking expectations of privacy, and exposing my friends, Facebook has left me uncomfortable. Should I stay on Facebook, and try to get my life back from them (and Zynga), or should I vote with my feet? I have spent many hours on Facebook, and greatly enjoy the service that makes it possible for me to keep an eye on who is doing what. The greatest benefit is getting news of my friends, family and acquaintances, and being a part of their lives.

Do I want my life back? There is no way to do that. Information does not go away, as those of us know who have at one point said something that should have remained unsaid. The question should probably rather be: can Facebook steal more of my life? Or is the damage done, and we move on?
