National Technology Officer - UK Web Site

Jerry Fishenden's Weblog Archives - June 2005

June 28 2005

Identity is in the headlines again today, fuelled by the estimated figures from both Kable and the LSE for the proposed UK National Identity Card - and by today's debate in the House of Commons. I've previously mentioned the provisional analysis I did in my European e-Government Conference Paper "eID - identity management in an online world" of the proposed National ID Card scheme. One of the main issues highlighted relates to the technical design aspects of the system - and particularly areas where it diverges from the Laws of Identity.

These concerns have not been picked up yet in much of the public debate, probably because of the perceived obscurity of some of the technical language surrounding the topic. But they are important issues none the less. We have been through a great deal of learning about what does and doesn't work well in terms of identity and how it is managed.

The current technical discussion around the National ID Card system seems to imply a single monolithic database containing all information relating to our identity, including biometrics. But we have seen elsewhere - most recently, the compromise of 40 million credit card records - how the idea of holding in a single place all relevant information has not only major implications for privacy (which is what much of the discussion has been about), but equally importantly security. Putting all of our trust in a 'single guard at the door' approach has demonstrably not proved capable of preventing unlawful access to computer systems.

In fact, there is a broader reality to be recognised here inside and outside of the IT industry: no system is unhackable. This should be the fundamental tenet on which all systems are designed: and we should build in safeguards that recognise this and minimise the impact of security breaches when they occur. Simplistically, this means ensuring we segregate and isolate data and information appropriately, federating it between mutually trusted, but segregated, data stores: when that security breach does happen, the extent of it will be confined to the one data store that is compromised. A single breach will then be incapable of compromising the whole system - unlike the use of a monolithic database and single universal identifier.

But often there can be a perception that holding data in multiple locations is not a good thing. It can be difficult for instance to ensure that data is kept up-to-date across different data stores. And it can involve costly replication of identical information in multiple places. For example, each government department maintains its own separate set of data about us. But there are benefits to this model which need to be carefully considered too: for example, a security compromise of say a local government system does not currently run the danger of also compromising other personal information, such as that held by Inland Revenue or my medical records held by the National Health Service (NHS). They are each held separately and each indexed off quite separate personal identifiers - so there is no easy way for anyone to automatically data-mine personal information across the entire breadth of government as a result of a single security compromise. This is not to argue against the case for rationalisation of the way data and information is handled in the public sector: that certainly needs to happen. But we need to be careful to ensure we design the rationalised system with an architecture that balances the needs of operational efficiency with those of security and privacy.

To set against this of course are the needs of activities such as criminal investigation and anti-fraud activities that the State legitimately needs to carry out. Data-mining for such purposes is perceived as much simpler in a model where all data is held in a single data store. But separation of data in a federated model does not prevent data aggregation and collation when the need arises. For reasons such as criminal investigations, as much as for simplifying our experiences online with electronic government services (where we do want our public services delivered in a more "joined-up" fashion), it's possible to enjoy the benefits of federated approaches (no single point of vulnerability) whilst still taking a benefit from the ability to collate data. In reality, data-mining activities take place in replica systems where data has been collated from live systems, not on the live systems themselves, so I believe the perceived concerns about the impact of a federated data model on supporting legitimate anti-fraud and other investigative requirements are not as significant as sometimes they are portrayed.

I understand the Belgian identity card scheme, having already issued some 800,000+ cards, may now be recognising that there are problems in using a single universal identifier: notably, that wherever the card is used, the same identifier is broadcast. A single correlation handle is emitted by the ID Card that can be shared between sites to profile activities and preferences. For a privacy-sensitive nation such as Belgium, this is a fundamental problem. The Laws of Identity highlight this very issue, using the example of electronic passports and passport readers:

Passport readers are public devices and therefore should employ an omni-directional beacon. But passports should only respond to trusted readers. They should not be emitting signals to any eavesdropper that identify their bearers and peg them as nationals of a given country. Examples have been given of unmanned devices that could be detonated by these beacons. In California we are already seeing the first legislative measures being taken to correct abuse of identity directionality. It shows a failure of vision among technologists that legislators understand these issues before we do.

This issue of 'broadcasting' our identities indiscriminately is one of the reasons why PKI-based approaches have not been thought a very good fit to the needs of national identity card systems: public key certificates broadcast the same correlation handle whenever they are used to identify individuals. Whilst this may not be such an issue inside an organisation, where PKI systems are traditionally used, it does raise challenges for national identity card solutions being deployed universally for citizens.
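As an added illustration (not from the original post, and not Kim Cameron's or Microsoft's code) of the difference between a single universal identifier and the per-relying-party identifiers that Law 4 calls for, the Python below derives a separate handle for each realm from a master secret that only the issuer holds; the realm names and the secret are constructed for the demonstration. It also shows the point made earlier about federation: separate realms cannot join their records on the handle, yet the issuer can re-derive and collate every handle when a lawful need arises.

```python
import hashlib
import hmac

# Constructed demo secret: in practice this is generated per enrolled person and
# held only by the identity issuer, never released to relying parties.
DEMO_MASTER_SECRET = bytes.fromhex("7d1f" * 16)


def universal_handle(master_secret: bytes) -> str:
    """Omni-directional identifier: the same value wherever the card is presented.
    Any two sites that receive it can compare notes and profile the holder."""
    return hashlib.sha256(master_secret).hexdigest()[:32]


def pairwise_handle(master_secret: bytes, relying_party: str) -> str:
    """Unidirectional identifier for one realm: HMAC of the realm name under the
    person's master secret. Different realms get unrelated-looking handles, and
    without the secret nobody can map one realm's handle onto another's."""
    mac = hmac.new(master_secret, relying_party.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def can_correlate(handle_a: str, handle_b: str) -> bool:
    """Can two data stores link records just by comparing the handles they hold?"""
    return hmac.compare_digest(handle_a, handle_b)


def collate_for_investigation(master_secret: bytes, realms: list[str]) -> dict[str, str]:
    """Only the issuer holds the master secret, so only it can re-derive every
    realm's handle and aggregate records when a legitimate need arises."""
    return {realm: pairwise_handle(master_secret, realm) for realm in realms}


def breach_exposure(compromised_realm: str, master_secret: bytes, realms: list[str]) -> list[str]:
    """Which realms' records become reachable if one realm's store is breached?
    With pairwise handles the answer is just that realm: the leaked handle is
    not a key into any other store."""
    leaked = pairwise_handle(master_secret, compromised_realm)
    return [r for r in realms if can_correlate(pairwise_handle(master_secret, r), leaked)]


if __name__ == "__main__":
    realms = ["local-authority", "inland-revenue", "nhs"]  # constructed realm names
    print("universal:", universal_handle(DEMO_MASTER_SECRET))
    for realm in realms:
        print(f"{realm:16s}", pairwise_handle(DEMO_MASTER_SECRET, realm))
    print("breach of nhs reaches:", breach_exposure("nhs", DEMO_MASTER_SECRET, realms))
    print("issuer collation:", collate_for_investigation(DEMO_MASTER_SECRET, realms))
```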

The underlying problem lies in the attempt to design systems that do not take account of the issues set out in the Laws of Identity and which hence fail to understand the problem domain. The IT industry should put its hand up and take the blame for some of this - for not thinking through the implications of some of its design decisions. Take for example the issue of embedded Bluetooth in mobile phones. This promiscuous technology broadcasts an identifying beacon wherever the owner goes: in fact I understand part of the original business case for Bluetooth was based on the idea of shops being able to dynamically beam adverts at your phone or other mobile Bluetooth device as soon as you were in their vicinity. Thankfully that has not happened. But it does make the point about how easy it is for others to spot your presence and movements. Whilst this may not bother many people in their everyday life, consider more malicious uses where, for example, a terrorist might wish to identify anyone in the area with a phone issued in a particular geography; or even just a petty pick-pocket wanting to identify who has the latest gadget worth lifting. There is no reason why well-designed technology should broadcast such information so indiscriminately and without sufficient user control over the way their system is configured and behaves.

It is these issues of technology policy about which there has been little public debate in the UK. Such issues need to enter the mainstream - so that a well-informed debate can take place about how identity systems should be constructed to provide both maximum privacy and security. After all, they are not binary opposites: in a well-designed system, privacy and security will be mutually supportive.

June 24 2005

The IT industry sometimes seems to be regarded as unique in the way it constantly updates and revises its products and technologies. I don't particularly hold with this view - although I accept that the pace and frequency of change in our industry can be very different from many other domains. That's more a reflection of the fact that IT is still a very young industry. Older technologies that surround us, ones which we take for granted, such as chairs, cars, buildings, etc, also continue to evolve (even to the extent that we probably no longer really regard them as technologies). Many of these technologies have been with us so long, that we notice this less. They are largely incremental changes.

It is the IT industry that has institutionalised the idea of versioning most. But in some of the project and procurement processes that exist, there has been insufficient adoption of this model. Too many projects continue to use a rigid waterfall approach and attempt to do 'big bang' initiatives. A far better model is to adopt a versioned approach, aiming to deliver the "80%" of features that most people want. And then to iteratively add-in other features over time. Too often projects seem to be slowed down, or even to run over budget and over time, purely from the desire to deliver the 'perfect' solution all at once. Well, there is no 'perfect' solution to any problem. And an iterative, versioned approach actually enables feedback to be built positively into the project life-cycle, helping ensure that the final system is far better than it could ever have been if someone had tried to design it all up-front.

Cracking this problem of how we approach and break down the component parts of IT projects seems to be one of the major ways we can begin to mend the distrust that often builds up between users and IT suppliers. We all need to identify and encourage closer ways of working in partnership to achieve the successes with IT that we all desire. The IT industry's approach to versioning of both hardware and software contains lessons for us that we should consider adopting elsewhere, particularly in procurement and project management.

June 22 2005

Kim Cameron's participation at GCExpo today provoked a positive response from the audience. Starting by looking at the historical lack of identity on the Internet (which was built without a way to know who and what you are connecting to), Kim set out the background that led to his work on the 7 Laws of Identity and the requirement for an identity meta-system. Unless we tackle this problem, the future of the Internet may not just be impeded: it could be completely undermined and rendered unusable, in the same way that junk mail, for example, can make email largely unusable. As an illustration, phishing and pharming are currently growing at a 1,000% compound annual growth rate.

Microsoft Passport has offered some great learnings: with a billion authentications per day and 250 million active users it is the largest and most successful system in the online authentication space. As an authentication provider for Microsoft web sites, Passport works well and is appropriate. But is it appropriate for Microsoft Passport to be inserted in the middle of a relationship between you and a third party Web site? The evidence is no: people (both users and suppliers) did not want Microsoft inserted into the middle of their online interactions. Learnings such as this (and the reaction to Hailstorm a few years ago) are encapsulated in the Laws (in this case, Law 3 - the Law of Fewest Parties). Which raises interesting questions for national eID projects: just how far could a government-issued identity be used? Would you want for example to use it with amazon.com or ebay? Or just for government-related interactions? This is to some extent a cultural debate as much as a technological one. It also brings in other considerations - such as the extent to which for example the Law of Directed Identity is adhered to.

When I predicted at the beginning of the year that identity would be one of 2005's hot topics, I did not fully appreciate just how much it would move to the forefront of debate. Of course, the proposed UK National ID Card scheme has helped focus attention. But equally, there are many other parts of the wider identity ecosystem that are important - such as supporting the public sector's shared services agenda. All of these will need consensus on the broad technology policies that underpin identity: hence the growing interest in the Laws Kim has been evolving and the meta-system that underpins them.

Since DigitalID World, the Laws have been further manifested in the idea of the identity meta-system, and more specifically in InfoCard. One of the most significant developments here that I would like to bring out is Law 5 (that of Pluralism). I have mentioned before a shift in our industry: the growing recognition that no single entity 'owns' identity and that no single provider or solution will own identity on the Internet is part of this process. Like the joint Sun/Microsoft announcement around interoperability (between Liberty Alliance and WS-Federation), the identity meta-system enables multiple identity providers and technologies to be plugged in: another obvious one of course would be Shibboleth. No doubt there will be others in the future too.

InfoCard builds on the 7 Laws and the underlying identity meta-system to provide strong two-way authentication and enhanced privacy. At the user’s discretion, InfoCard metadata can be stored on a device such as a PC or phone or USB stick or Smartcard - or indeed anywhere (in “the Internet cloud” if you like). It also provides fully informed disclosure of multiple personas. A mock-up of how this might look is shown below (the shipping version will differ significantly from this).

Image: InfoCard - an example mock-up of how it could look (illustration of a potential InfoCard user experience)

Everything about InfoCard is built using open standards. The work between Microsoft and Sun to get WS-Federation and Liberty Alliance inter-operating uses the same underlying architecture too - demonstrating the extent to which the identity meta-system supports the ability to support multiple identity technologies and protocols.

Image: overview of the WS-* based identity meta-system, with multiple plug-in identity providers and relying parties

With the 7 Laws of Identity, we have a good basis for identity technology policies. And with the technical identity meta-system we have the capacity to deliver against them. To paraphrase William Heath's opening remarks at the GCExpo identity session: the question to me is not 'Can we do it?' but 'Can we do it right?' Those of us in the technology industry have an obligation to bring our expertise and experience to the debate. We need to point out best and worst practices. And we need to ensure any identity system represents the best possible match to the problem domain.

From a technology policy perspective, there remain serious issues around ensuring sufficient public understanding of the full risks and benefits of different ways of tackling the identity space. Let's take a broader example. There is much talk of inserting RFID tags into Passports - to ease border controls, validate electronically that paper documents have not been tampered with and so on. But that same technology solution introduces new risks: for example, a terrorist could then easily design a bomb designed to detonate when someone with a particular nationality walks past. Or potentially narrow this further to identify and detonate on detecting the presence of a specific individual. (For those technologists reading this, I realise this is a simplification of reality, but it underscores the point I wish to make about public awareness of technology). The Laws of Identity (in particular, Law 4) help address these wider issues and indicate the extensive experience and insight that has gone into their development and framing.

Likewise, the idea of moving to a single electronic identifier for all of our online interactions may appear superficially attractive, but presents a major threat to online identity. In fact, it is likely to bring about the very thing it intends to avoid: a potentially catastrophic and unrecoverable compromise of our identity: something that would make the recent compromise of credit card information (as a topical example) look like a minor hiccough. Not only does a single identifier mean that wherever we use it we leave an open audit trail, but also that once it is compromised it also compromises our entire identity. Once we move to eID we are in a very different world than that of paper identities. Laws 4 and 7 in particular are key metrics by which we should be assessing these aspects of proposed systems.

June 16 & 17 2005

To Antwerp for the 5th European Conference on e-Government, where I present my paper eID – identity management in an online world. As my presentation reflects, thinking in this area is still very much under active development as we look at ways that the likes of parental controls impact the laws of identity developed by Kim Cameron.

The Conference is well attended, with many useful and intelligent sessions on the topic of e-government. The opening Keynote is delivered by Peter Vanvelthoven, the Belgian State Secretary for Computerisation. Entitled Future Opportunities for e-Government, the emphasis is on the new electronic Belgian identity card and the role they hope it will play in assisting with online services. The Belgian scheme differs in several respects from the proposed UK one: it is effectively an electronic equivalent of the existing paper-based Belgian identity card, one containing a chip with several digital certificates for use in authenticating identity and for legally binding digital signatures. There are great hopes that the card will not only help with delivery of online government services, but also those offered by private sector e-commerce providers. It will be interesting to watch how this scheme develops and what might be learned from it for other national identity solutions - some 800,000 electronic cards have already been issued. A great deal of time is being invested by the Belgian government in working with third party software companies to encourage them to support the card and online authentication in their software. It is intended, for example, that the card will be supported by the likes of Microsoft Passport as an alternative method of authentication to the existing user ID and password. From Vanvelthoven's comments, the Belgian system has been designed with privacy as a major component: and, as my presentation indicates, the map between it and Kim Cameron's identity laws appears reasonably strong, with some reservations around a few of its principles.

I particularly enjoyed a session on accessibility issues (The Virtual Workspace: Telework, Disabilities and Public Policy) presented by Paul Baker and Alea Fairchild. There was a good discussion of how technology can produce jobs for people that previously would not have been able to enter the labour market – courtesy of teleworking. The US New Freedom Initiative (NFI) for example, enacted in 2001, focuses on telework as a means of helping people with disabilities to enter the workforce. Whilst teleworking is clearly a benefit to able-bodied and disabled people alike, there still remain some complex social concerns – the loss of social interactions (the 'water-cooler' chats) – that have not yet been entirely understood or resolved. There are also wider aspects of teleworking for public policy that go beyond the immediate cultural changes to the way we work - including, as I have mentioned before, the potentially beneficial impacts on transportation and traffic congestion. We need to be looking at all of these issues in a more comprehensive and inclusive way: in a previous blog entry I mentioned the impact broadband could have on our ability to improve the ways we live and work, and how current low-bandwidth upstream links could be impeding our ability in the UK to interact and work in new and optimal ways. Certainly some of the more socially-interactive benefits that come with technologies such as Web-conferencing (which support visual and aural interactions rather than merely the sometimes impersonal world of email) can help overcome the loss of those 'water-cooler' interactions.

Another interesting presentation was provided by Professor Mike Hart from University College Winchester and Peter Byrne, from Winchester City Council. This looked at Using e-Services to Improve the Quality of Local Authority Services. It questioned the extent to which the first round of e-services target-setting had actually brought forward any real benefits. The underlying proposition was that the benefits of technology will only be realised when we start to re-think the way we structure and deliver public services. This is of course much more complex than merely providing PDF files on Web sites, or even basic two-way transactional interactions. The true benefits of innovative technology policy involve re-thinking the way services are developed and delivered: for example, for citizens claiming benefits we no longer need multiple separate paper forms. Nor do we merely want the electronic equivalent of multiple separate paper forms. Instead, we want smart forms that collect the required information only once, adapt themselves as we work through them (not bothering for example to ask us to complete sections which previous answers have indicated no longer apply) and simplify the way we interact with public services. Likewise, on the government side, such changes need not cause unnecessary pain: the forms that emerge from such interactions can initially be mapped to appear identical to those that staff are currently accustomed to working with. This enables both rapid external service transformation and the more cost-effective gradual transition of backend systems and processes to match them.

One sobering thought however: back in 1997 an i-forms (intelligent forms) project demonstrated three separate government forms being intelligently aggregated into a single on-line interaction. The pilot project was regarded as successful by both users and departments alike. But many years later we seem no closer to providing such services: it was one of many pilots that never made it into full implementation. Clearly, technology itself is not the issue - it was capable of solving such problems eight years ago. Which raises the interesting question: what are the real blockers to progress? And how might we address these and begin to realise the benefits of the smart application of technology policy to a more efficient and adaptive public sector?

June 15 2005

Virtualisation looks like an idea whose time has come - or at least, whose time is rapidly approaching. Of course, we've had software products such as VMWare and Virtual PC and Virtual Server for some time. If you're not familiar with these - or the topic of virtualisation - basically the intention is to enable a PC or server to run multiple operating systems and their respective applications at the same time. For example, with Virtual PC you can run several different operating systems on the same physical PC, ranging from MS-DOS 6.22 through OS/2 Warp to the latest release of Windows XP Professional.

But why might you want to do this? There are actually a variety of reasons: you might have some older applications that require an operating system that is no longer in production. Instead of no longer being able to use them, you could instead run a virtual version of that operating system on your PC. So for example you could run Windows XP with Virtual PC and host a guest copy of Windows 95.

The screenshot below shows a copy of Windows XP Professional running Virtual PC and hosting both Windows NT Workstation 4 and Windows 98 as virtual guest operating systems. You can see how easy it is to access and move between these different environments: effectively it gives you several PCs running on the same physical hardware.

Screen shot of a PC running Windows XP with Virtual PC software and hosting Windows NT Workstation and Windows 98

Another reason for the use of virtualisation technology is this ability to rationalise, or reduce, the amount of separate hardware required. The above screenshot shows that what would previously have been three separate physical PCs is now one PC instead. Likewise, the same sort of consolidation has taken place in server environments using Virtual Server technology - which enables multiple versions of server operating systems to run on the same physical hardware.

All of the above are examples of software virtualisation. But there are interesting developments on the hardware side too. Intel for example has been developing support for virtualisation at the microprocessor level. This should help provide both improved performance and improved isolation of the separate operating systems running on the same physical device. Multi-core processors and the new generation of 64-bit computers are all clearly beneficial hardware innovations that support virtualisation. The underlying ambition of course is to try to achieve virtualisation at full speed: I still recall many years ago watching an Apple Mac running Windows emulation software which ran so slowly that you could watch the way in which the screen was drawn. Of course, we've come a long way since then and modern software virtualisation works very well - something that is going to be dramatically enhanced by these new hardware improvements.

All of these developments can help contribute to improved operational efficiency for both development and production environments. For large scale systems that need to migrate to new functionality, virtualisation offers the prospect of enabling the old version of a system to remain online (to ensure it is available while users migrate to the new version) - and of progressively then scaling down that virtual version and increasing the balance of hardware used for the new version. This enables both better continuity between generations of systems and much more efficient use of the existing hardware, software and human resources.

Virtualisation also provides new operating models in environments where security has been an issue. In the past it was not unknown for some users to have two physical PCs on their desk: one connected to a secure internal network, the other a less secure network (possibly one connected to the Internet). Virtualisation enables those two physical PCs to be replaced with multiple logical PC environments running on a single physical PC. Even in many corporate and government environments where the need for such high security has not been an issue, virtualisation technology does raise some interesting additional options about how use of the Internet can be secured and isolated from other organisation resources without impacting its benefits and advantages.

June 13 2005

I outlined in a previous blog entry some of the Longhorn wave of technologies, namely Avalon and Indigo. Longhorn you will recall is the codename for the next release of the Windows operating system. Much of the existing coverage of Longhorn has focused on its new look and feel - and the way in which it will provide an improved User Interface (UI) experience. This is certainly the most stunning and spectacular impact of seeing Longhorn for the first time - and I'll spend more time looking at the UI in a future posting. But today I wanted to highlight some top headlines regarding the benefits that Longhorn will provide, most particularly for the public sector.

The core pillars that underpin Longhorn include: Security and Trust; Information and data management; and Operational efficiency.

Let's take a brief look at some of the key features and benefits in each of these areas.

Security and Trust

As a result of the Trustworthy Computing Initiative, our experience with Common Criteria and working closely with many governments and other organisations around the world, security has been baked into the core of Longhorn. This includes Secure Startup, which will ensure that a PC always boots in a trusted, known state. This is designed to help protect against software-based attacks. Full volume encryption will be available to protect an entire disk, including sensitive registry and operating system files. In addition, code integrity will protect the operating system when it is running: all Windows system code will be signed and the integrity of each file will then be checked on loading. Other new features include 'Protected User Accounts' to provide reduced-privilege execution. Legacy applications will be able to run under lower privileges without reconfiguration using file/registry virtualisation. And anti-spyware protection will also be included.

Overall, Longhorn provides new security and privacy advances that will provide greater protection of both personal and organisation data. It will be easier to secure both computers and the network - be it at home, at work, or while travelling. This combination of new software and hardware features in Longhorn should help us to establish a new industry benchmark for higher levels of PC security. Add in other developments that have been happening in parallel - such as InfoCard - and collectively these innovations represent major new ground for the IT industry and a maturing of the way technology will help support and improve our online experiences, whilst protecting us from many of the attacks that plague our experiences of the Internet today.

Information and data management

Longhorn will also provide smarter tools for managing information. This includes new ways of visualising information, including virtual folders to organise and access data in new ways. Embedded into the Longhorn operating system will be a fast, enterprise-class distributed search facility capable of locating and presenting information in more efficient and intuitive ways. There will also be improved support for collaborating and sharing information between users, including within and between workgroups - as well as on a more ad-hoc basis between users (including peer-to-peer collaboration). Overall, these will provide us with a rich new set of tools and interfaces for managing our interaction with and use of information.

Operational efficiency

Longhorn has been designed from the ground up to provide substantial improvements in operational efficiency. This includes support for image-based setup and easier image management together with faster operating system distribution and installation. There will be notable reductions in the time spent managing update processes in organisations, and everyday management tasks will become much easier and less costly to perform. Given that the vast majority of IT budget costs go on systems integration, bespoke work and operational support, these improvements will not only have beneficial impacts on the way organisations work, but on ensuring that more budget can be redirected into value-added IT resources, such as new and improved applications and processes. The more that commercial off-the-shelf software such as Longhorn helps to improve the user experience and drive process and operational improvements, the more it will help to drive true value from IT and show a real return to the business.

I'll post links to more materials and samples of Longhorn's new features as we move through the beta programme towards full launch. I'll aim to draw out the ways I see it impacting the way we will use technologies and the beneficial improvements for organisational efficiency. It's interesting to see how customer feedback has helped shape this new release of Windows - something reflected in the attention to detail not only around the much-discussed UI, but also around security, information management and support for operational efficiency.

June 10 2005

There's continuing positive debate and coverage of the 'identity laws' that Kim Cameron has been developing over the 'blogosphere'. As an example, I see Mary Branscombe (The Guardian) has posted an article (June 9) on both the identity laws and "InfoCard". In fact, coverage has been positive and global: so much so that it's pointless trying to provide links to all the coverage here.

The fact that Kim has made clear this is a genuine effort to tackle one of the major problems of the Internet and online interactions certainly helps: note that the DigitalID World launch of the 'laws' and "InfoCard" included a working version running on Java and Linux too. We're not going to solve identity issues unless there is a groundswell of consensus across the industry, users, online providers, privacy experts, regulators (such as offices of data protection), and of course government. Mary Branscombe makes this point well in her piece:

For the system to work, it needs to cover more than just Windows. There will have to be Identity Selectors for Linux, Macintosh, mobile phones and any other devices used to browse securely. Microsoft has already demonstrated InfoCard working with an open source Java implementation on Linux, which gives Cameron hope that the industry will see this as more than just Passport 2.

"To me," he [Kim Cameron] says, "it demonstrates that innovative people can get into this and that it can truly be a cross-platform solution that transcends the usual faultlines of the industry."

I am delivering a paper on electronic identity (eID - Identity Management in an Online World) at the 5th European Conference on e-Government in Antwerp next week. Part of the basis for my paper is that until now we have lacked the clear underpinnings of effective identity management on the Internet. The '7 Laws' provide a good advance on this topic. I use them in my paper to assess a few of the European ID Card schemes: the Belgian one (in part since they are the host country for the conference, but also because their own national scheme is well advanced) and the proposed UK National ID Card. I also assess the UK's Government Gateway project. None of them match entirely to the principles set out. But for government systems there is still much debate to be had about responsibilities between the State - with its obligations on providing citizen safety and security - and citizens, particularly their right to privacy and online security in a wider context than purely their interactions with government. These can be complex issues to reconcile and on which to reach consensus.

My presentation will look at how we can build upon the laws to develop associated principles that tackle other aspects of identity that need to be accommodated. Let's take an obvious example: parental controls. It's clear that in the case of a young child using the Internet, the indiscriminate application of all 7 laws to them would not prove appropriate - since the parent or carer responsible would need to be able to ensure that the child is not making use of unsuitable Internet sites and resources, or being misled by another online user misrepresenting their identity and intentions. In this sense, the parent or carer would 'override' some aspects of the child's use of the laws (although in turn, the parent/carer would inherit aspects of the laws displaced from the child). In fact, Kim's laws seem to me here a very good and positive thing in terms of online child security and safety - in that, if adopted and applied consistently, they would limit the ability of other users on the Internet to misrepresent their identity in the first place.

So, taking this idea a little further, if we picture Kim's 7 laws as columns, then across them we might identify a range of scenarios or situations where modifiers or other behaviours (I'm nicknaming them 'overrides' for now, but a better name would be appreciated) could be legitimately needed. I've mentioned parental controls, but equally there could be other requirements for employers, government (and its investigative agencies), regulators and so on. I've represented this crudely below.

Representation of the 7 Laws intersected by 'overrides' - such as parental controls

At each intersection, we can then aim to define the specific laws/rules/tenets/principles that apply, including any exceptions. At first reading, this may sound like a weakening of the principles that underlie the 7 laws. But this is not true: what I am interested in achieving here is the same clarity of understanding and consensus that Kim has already set out: but to ensure we have an equivalent consensus on these legitimate 'overrides' too. We need to accommodate and be very clear and transparent about the principles that would apply to exceptions - such as parents and carers needing to control young children's access through to the needs of investigative bodies needing to legitimately investigate individuals and groups (for example, perhaps needing to enforce disclosure of true identity without consent). I suspect such overrides (or exceptions to the laws, depending on what language we choose to use) could vary from country to country, dependent on cultural and legal expectations. So it's likely that it's a framework we're looking to define, rather than a single global specification. That's the type of approach I'm trying to reflect in the outline model above: the hard work is on scoping the definitions at the intersections of the laws and the scenarios.

I'm optimistic about how these ideas and principles will mature and develop as we begin to tackle the problems of online identity in a more realistic, consensual and coherent way than has previously been attempted or achieved. I'll post my paper and reaction and thoughts from the conference here in a little over a week.

June 8 2005

I've been meaning for some time to explain the value of the 'Longhorn wave' of technologies. These are the new generation of technologies that will be released alongside Longhorn (the next release of the Windows operating system), but which will also be capable of running on Windows XP and Windows Server 2003. I'll start today by focusing on "Avalon" and "Indigo" - and I'd like to spend a little time describing them and the ways in which I believe they will take forward the way we work and interact with technology in highly beneficial and productive ways. As you read this, I hope you will be as excited and impatient to use some of these new innovations as I am - but please bear in mind the final versions are not likely to ship until the back end of 2006.

Let's start with Avalon. For the more technically minded of you, this was provided in an early Community Technical Preview release in 2004 and is now in Beta 1 RC. I'll start with the official definition of Avalon:

Avalon provides the foundation for building applications and high fidelity experiences, blending together application User Interfaces (UI), documents, and media content, while exploiting the full power of your computer. The functionality extends to the support for Tablet and other forms of input, a more modern imaging and printing pipeline, accessibility and UI automation infrastructure, data-driven UI and visualization.

If it's true that a picture paints a thousand words, then seeing what Avalon can do is worth far more than any words I could write here. Avalon provides some of the most intuitive and rich graphics experiences that I have seen on a desktop PC. The underlying language for Avalon is the Extensible Application Markup Language (XAML), which is itself based on XML. This provides it with great flexibility and adaptability - and making changes to the way graphics appear and behave is all done through the markup language, rather than through complex low-level graphics development code. It also means it can be programmatically driven, enabling applications and user interactions with them to be reflected in real time.

So what does all this mean for users? I think Avalon provides the basis for some significant new ways of interacting with computers. Imagine some of the current ways data is manipulated - perhaps socio-demographic data where someone wants to do a 'what-if' analysis. A local government planning officer for example trying to work out what the impact could be on core infrastructure such as hospitals, roads, schools and so-on if a new housing development goes ahead. Today, such analysis is often done in spreadsheets using pivot tables linked to underlying databases. The results will be further rows of data, or possibly simple graphics such as pie charts automatically generated from that data. The planning official will need to look at, analyse and interpret those figures and onwardly manipulate and re-present them in formats suitable for their intended audience - such as a planning executive meeting.

Now imagine we layer Avalon on top. Instead of dealing directly with the data, the planning official can now do their what-if analysis by manipulating graphics themselves. Perhaps as they expand a graphical representation of a house (to represent the new housing development) or drag it to different brownfield sites on a map, in turn they will see graphical images of the impact this has on the road infrastructure, schools and hospitals as they too expand and contract. The user begins to experience a new, much more intuitive and productive way of working with information. Since Avalon is using a mark-up language under the surface, it can be dynamically updated and manipulated to reflect the changing inputs resulting from user interaction.

Another example I have seen in Redmond is emergency planning - rich graphics expand around the potential site of an emergency, indicating the immediate evacuation area and potential other additional evacuation profiles. Different models (perhaps say to plan for small, medium and large chemical spills) can very quickly be physically manipulated on-screen and the results seen in real-time. Layer this type of system together with GPS and rich 3D photographic representations of real locations, and you have highly useful and productive tools that enable us to re-think our traditional approach to cracking complex business issues such as emergency response planning.

So what starts by sounding like a very dry topic actually starts to reveal itself as a major innovation in the way we can represent and interact with data on a PC. I think we're going to see some highly compelling scenarios and applications that will take advantage of these new 3D and dynamic graphical capabilities and provide us with a whole new generation of experiences in the way we use technology. Having walked through a lab in Redmond last time I was there - where hundreds of vendors were all testing the latest builds of Avalon and the applications they were building to exploit it - I know there's some very exciting developments happening in this area.

In terms of the wider benefits of Avalon, I see it helping with issues such as social inclusion, providing new ways of interacting with users not familiar with PCs. We will be able to define new metaphors and graphics that will be less alienating than traditional GUIs can appear to first-time or occasional users. And we can render complex information in more intuitive, visual ways than has been possible in the past. I think we have only just begun to understand the full implications of what this new technology will make possible.

Next, I want to talk about Indigo. Again, for the more technically minded and hands-on, you'll find Indigo is in the same Beta 1 RC download as Avalon. I'll also start with the official definition of Indigo:

Indigo is a set of technologies for building and running connected systems. It is a new breed of communications infrastructure built around the Web services architecture. Advanced Web services support in Indigo provides secure, reliable, and transacted messaging along with interoperability. Indigo's service-oriented programming model is built on the Microsoft .NET Framework and simplifies development of connected systems. Indigo unifies a broad array of distributed systems capabilities in a composable and extensible architecture, spanning transports, security systems, messaging patterns, encodings, network topologies and hosting models.

This is another new technology that on the face of it may not appear terribly compelling. But again, I think this has the potential to fundamentally transform the way we think about designing, procuring and using systems. Service oriented architectures have been much spoken about, but in many ways the tools to build them have not been there. Some early support for many of the WS-* standards has been included in previous developer tools, such as Web Services Enhancements (WSE), but Indigo is the first release of technologies that will help make the vision of connected systems a reality. It will enable developers to build secure, reliable, transacted Web services that integrate across platforms and interoperate with existing investments.

But what does all this mean for organisations and users? It will enable the better use and return on investment of systems - systems that will be able to interoperate and communicate with each other in new ways. Using Web services standards, true vendor interoperability will become possible. And tools such as Indigo will abstract away the complexity that has at times been associated with building distributed systems. Complex bespoke projects can be de-risked and become more successful by being broken down into constituent services. These can then be developed sequentially or in parallel as discrete components. This is not only a benefit for the purchaser of such systems, but also for the supply side. Smaller SMEs will stand more chance of bidding for and winning business when complex IT projects are broken down into component parts. SMEs who do not compete directly in the same space may also be able to join together and co-operate, using each other's expertise and Web services specialisms to complement each other. On the Web, no-one knows what size business you are: what they care about is that you deliver a good, reliable, friendly and secure service. Web service components in a service-oriented architecture also enable re-use - for example, an authentication component can be re-used with other new services as they are developed. A payments facility or VAT calculation engine can likewise be used by other application components. Some services may well be provided by third parties across the Web rather than in-house. Provided the service level agreements and other contractual relationships exist, new applications and services can be constructed regardless of where the underlying Web services components reside.

Indigo will be a major factor in helping all of this happen. With Indigo runtime installed on PCs, PCs could become as significant components on the Web as traditional Web servers have been until now: with Indigo running, they will be able to supply and consume services directly, becoming smart agents and really making productive use of the PC. Until now we've seen a few applications, such as Microsoft Office, able to natively use Web services and show the results in say Word or Excel. With Indigo, we're going to see a much wider use of Web services to deliver applications and services directly into PCs from the Web.

My brief explanations and thoughts above have only just begun to scratch the surface here. In future entries, I'll return to the topic of the 'Longhorn wave' of technologies and also introduce WinFX and of course Longhorn itself. In the meantime, it's well worthwhile following some of the links above to find out more.

June 7 2005

Time to deliver my keynote at the BCS IT Security Conference 2005 on the topic of Trustworthy Computing and how we can make IT more secure in design, deployment and daily use. This is the third annual BCS IT Security Conference:

... bringing together IT professionals, developers, policy makers, industry leaders and academics to share information and exchange ideas on technology trends and best practices in identity theft, hacking, cyber-terrorism, biometrics, network forensics, perimeter defence, secure web services, encryption and related topics

It's a well attended event, with a good profile of attendees and speakers. My fellow keynote speaker is Sir Edmund Burton, who talks on the topic of 'Establishing and maintaining a framework that facilitates trust and assurance in an uncertain world'. There are some interesting ideas here for how we can better structure the whole way we approach Information Assurance and make it a standard part of business best practice, rather than leaving it to be seen as something only the CIO has to worry about.

Preparing for my speech, I find it's a good opportunity to look back over the changes I've seen in the industry. From the days of UK101s and kit computers through the days of Commodore PETs, Apple IIs and the first IBM PCs (and the first viruses that were specific to disk formats and specific machines). And then through the age of acoustic couplers (probably best forgotten) and the first viruses distributed over the wire: it's useful to consider where we have come from as an industry, what we have learned and where we look to be heading next. I also discover the excellent online archive of old computer photos and associated computing history.

The IT industry quite clearly faces - and will continue to face - a wide and diverse range of security threats. These range from operating system and kernel vulnerabilities through to application code and, quite frequently, inadequate configuration. Barely a day passes when the media do not report on some new malware, spyware, trojan or virus that has struck somewhere in the world. Likewise, social engineering attacks – most infamously phishing – continue to provide one of the most successful attacks against computer users and online systems and networks. The problem has become further exacerbated in the always-on age of Broadband – and as we move towards true Broadband (by which I mean throughput rates worthy of the name), the speed with which these attacks and malware agents can spread and promulgate will yet again redefine the threats and counter-measures we need to be considering.

Microsoft’s response to the attacks on our platform has been to launch the Trustworthy Computing initiative, something initiated by Bill Gates several years ago. This is designed around the four pillars of security, privacy, reliability and business integrity. Improved security design will ensure the platform becomes resilient to attack. Privacy will ensure the individual has full control over their personal information and the way in which it is used. Reliability will be built on engineering excellence providing dependable performance. And business integrity will underpin all our activities and interactions with customers.

We have put our hands up and recognised the need to change the way we balance usability and security: our older products were designed for a pre-Broadband, always-on world. Trustworthy Computing is our practical programme to address this, already delivering results in fundamentally re-engineering and improving our platform. Since its introduction, the number of security bulletins associated with our products has dropped dramatically. They run at a rate far lower than Linux distributions and associated Open Source applications (based on UNIRAS reports). But security remains an industry wide problem: and the 'honest broker' work of NISCC is playing an increasingly valuable and useful role in helping build a community of common interest across both the industry and users - and hence helping protect the UK's critical national information infrastructure.

There are some interesting follow-on questions to my keynote from the audience, some of which are not directly related to the topic. The opportunity to grill a representative from Microsoft is always evidently an opportunity to be seized. One of the questions is about interoperability and what Microsoft is doing to be a better player in the heterogeneous world that exists in most IT environments. This is an area where Microsoft has made enormous investments and progress. This ranges from support for interoperability with Unix and Novell, through to the WS-* work, which has seen interoperability workshops between the likes of Microsoft, IBM, BEA and Sun. So too the recent joint announcement with Sun about interoperability between WS-Federation and Liberty Alliance shows how much the market is changing, as I have commented in previous blogs. For those of you not familiar with the degree of interoperability between Microsoft and other platforms, it's worth finding the time to look through my interoperability paper. Although I targeted it at the Government sector, its messages are as relevant elsewhere.

Another question was around NGSCB - the Next Generation Secure Computing Base. This has changed since earlier thinking, when there were concerns that some of the security features planned might conflict with privacy needs. The first tangible delivery of the NGSCB vision is planned to be a feature in Longhorn (the next release of the Windows operating system) known as "Secure Startup". This will use a Trusted Platform Module (TPM 1.2) to improve PC security and meet some of the most critical requirements requested by users - particularly the need to ensure a PC starts in a known good state, as well as providing protection of information through the use of full volume disk encryption. I'll post details of future roadmap plans beyond Secure Startup for NGSCB as they develop. As with all future roadmap and product plans I discuss here, I'll just highlight the usual caveat that plans can, and do, change as software development progresses. I will endeavour to update this site and its information as quickly and accurately as I can when that happens.
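To make the 'known good state' idea concrete, here is an added illustration (my own constructed model for this post, not Secure Startup's code or a real TPM interface) of how a TPM 1.2 measured boot and sealing work together: each boot component is hashed into a PCR before it runs, the volume key is sealed to the expected PCR value, and a modified boot component yields a different PCR so the key is never released. The component names and the HMAC-based sealing are assumptions made for the simulation.

```python
import hashlib
import hmac
import os

# Constructed model of TPM 1.2 measured boot and sealing for this post.
# It is not Microsoft's Secure Startup implementation nor a real TPM API.
PCR_SIZE = 20  # a TPM 1.2 PCR holds a 20-byte SHA-1 digest


def measure(component: bytes) -> bytes:
    """Hash a boot component before it is executed (the 'measurement')."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement).
    A PCR can only ever be extended, never written directly, so the final
    value commits to every component measured and to the order they ran."""
    return hashlib.sha1(pcr + measurement).digest()


def boot_pcr(boot_chain) -> bytes:
    """Replay a boot chain into one PCR from its reset value (all zeros here)."""
    pcr = bytes(PCR_SIZE)
    for component in boot_chain:
        pcr = extend(pcr, measure(component))
    return pcr


class SimulatedTpm:
    """Seals a secret so it is released only in the sealed-to boot state."""

    def __init__(self):
        self._srk = os.urandom(32)  # storage root key: never leaves the chip

    def _wrap_key(self, pcr: bytes) -> bytes:
        # The wrapping key depends on the PCR value, so a blob sealed to one
        # boot state cannot be unwrapped in any other state (assumed scheme).
        return hmac.new(self._srk, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> dict:
        assert len(secret) <= 32, "model wraps at most 32 bytes"
        wrap = self._wrap_key(expected_pcr)
        ciphertext = bytes(s ^ w for s, w in zip(secret, wrap))
        # Tag binds the ciphertext to the PCR it was sealed against.
        tag = hmac.new(self._srk, expected_pcr + ciphertext, hashlib.sha256).digest()
        return {"ciphertext": ciphertext, "tag": tag}

    def unseal(self, blob: dict, current_pcr: bytes):
        expected_tag = hmac.new(
            self._srk, current_pcr + blob["ciphertext"], hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected_tag, blob["tag"]):
            return None  # boot state differs from the sealed one: refuse
        wrap = self._wrap_key(current_pcr)
        return bytes(c ^ w for c, w in zip(blob["ciphertext"], wrap))


# Constructed component labels standing in for real firmware/loader images.
KNOWN_GOOD_CHAIN = [b"firmware build 1", b"boot manager 1.0", b"os loader 1.0"]
TAMPERED_CHAIN = [b"firmware build 1", b"boot manager 1.0 (modified)", b"os loader 1.0"]


def provision(tpm: SimulatedTpm, volume_key: bytes) -> dict:
    """Enrolment: seal the full-volume encryption key to the known good PCR."""
    return tpm.seal(volume_key, boot_pcr(KNOWN_GOOD_CHAIN))


def start_up(tpm: SimulatedTpm, blob: dict, actual_chain):
    """At boot: replay the measurements that actually ran, then ask to unseal."""
    return tpm.unseal(blob, boot_pcr(actual_chain))


def demo():
    """Returns (key released on good boot?, key withheld on tampered boot?)."""
    tpm = SimulatedTpm()
    volume_key = os.urandom(32)
    blob = provision(tpm, volume_key)
    good = start_up(tpm, blob, KNOWN_GOOD_CHAIN)
    bad = start_up(tpm, blob, TAMPERED_CHAIN)
    return good == volume_key, bad is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The same mechanism is why a legitimate firmware or loader update changes the PCR and needs the key re-sealed (or a recovery path) before the next boot.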

June 6 2005

The new release of Windows Mobile technology has been announced. It has a range of new enhancements that I believe will prove highly useful to organisations moving to a fully mobile and flexible workforce. It includes not only changes to the way information can be propagated to mobile devices, but also improved administration tools. Ease of deployment and administration across environments ranging from desktops PCs, to laptops, PDAs and mobile phones is a critical part of ensuring a successful mobility architecture in an organisation that fully supports business needs.

Amongst the many changes is the move to push technology - across calendar, contacts, tasks and email. For mobile workers out in the field, other useful enhancements include the ability to browse an organisation's address book over the air. Equally important are changes provided to help with improved deployment and support of applications and features, including the ability to provide improved protection of data held on the device. Administrators can remotely manage and enforce an organisation's policies over the air. And organisations are able to mandate policies such as requiring PINs for every device.

One feature that I suspect will get a lot of attention is the new support for local and remote device wipe. This provides the ability to remove all information (over the air) and reset the device back to its original state: a highly useful tool for IT administrators in improving the management of sensitive information on a misplaced Windows Mobile-based device. Additionally, the administrator can choose to have the local memory on a device erased if the correct password is not entered after an allotted number of attempts.

Mobile working is now an established way of working for many in the private sector. The public sector too is increasingly looking to adopt more flexible, mobile and remote working options. The way in which mobile facilities integrate with the overall business and technology infrastructure will play an important role in ensuring successful implementation and take-up of new ways of working.

June 5 2005

I'm deeply saddened to learn of the death in a motor accident of my colleague McKay Motshabi from South Africa. He was a valuable member of our NTO Community and a vocal and welcome presence at our meeting in Johannesburg earlier this year. He will be greatly missed. Our thoughts and best wishes are with his family.

June 3 2005

One of the challenges I face in my daily work is tackling 'perception lag'. If it's true that a company can be as difficult to move in a new direction as an oil tanker, then the same is equally true for perceptions. I was surprised to find how hostile many people have been towards Passport until quite recently - still seeing it as an attempt by Microsoft to 'own identity' on the Internet. Yet it's at least 2 or 3 years since Passport was repositioned purely as the authentication mechanism for Microsoft sites such as Hotmail, MSN, Xbox and MSDN. And let's be honest: it didn't make much sense for Microsoft to play a role in transactions between, for example, a company and its customers. That feedback - together with the feedback on Hailstorm - was listened to and used in considering how complex issues of identity can be tackled better for the benefit of all parties on the Internet. It was only with the recent InfoCard announcement that many in the media and elsewhere began to realise how significant Microsoft's shift around identity management has been.

Likewise, there remains much discussion around Office file formats and issues of 'proprietary' versus 'open' standards. These too often seem to lag behind the reality of where we are now. Microsoft has been one of the most prominent and consistent supporters of open-standards XML, investing both in its research and development and embedding support into products such as Office.

XML is a significant development for the IT industry since it lets data be explicitly structured and accessed, enabling its use across applications. XML support has existed in Office since 2000, but improved support came in Office 2003 and future releases will move to embedding it as the native file format (with a .docx extension to distinguish it from the earlier .doc format). One of the challenges for transition is always backwards compatibility. Updates for Office 2000 and Office XP will help ensure the continued interoperability of files between versions of Office that have helped contribute to its popularity and ubiquity.

Unlike some third party office applications, Microsoft Office can make intelligent use of not only presentation-related XML, but also data structures through the use of custom-defined schema that let users structure and model the underlying data in which they are interested. This provides great flexibility and power, and enables the true advantages of XML to be exploited.

[Figure: Word with the XML Reference Schema (presentation)]

[Figure: Word with a custom-defined XML schema]

With its embedded support for XML, Office makes a great productivity tool for interacting directly with backend information drawn from a variety of sources. Users can exploit the familiar look and feel of Microsoft Office to interact with and update data that may be sitting in a variety of backend data silos. But to them it will be presented onscreen in applications such as Word and Excel in easy-to-use and familiar formats. This type of integrated software, that enables improved productivity and better use of information inside organisations, will help lay the basis for new ways of interacting with information and more successful collaboration across teams.

For a more detailed discussion of interoperability, see my paper at http://www.microsoft.com/windowsserversystem/interop/govt/govteservices.mspx.

June 2 2005

I'm interested to see the Hansard Society is criticising the UK Parliament's Website. As the Officer of the House responsible for establishing the Parliamentary Data and Video Network in the early 1990s, I called in the Internet registrars to negotiate the parliament.uk domain name for the Houses of Parliament and arranged the launch of Parliament's initial Web site. If the Hansard Society is critical now, it ought to know that back then the Parliamentary Web site ran on a single server sitting under a desk in my office, was maintained by a handful of enthusiasts and received most of its updates via sneakerware: a series of floppy disks were brought into my office from around the Parliamentary estate and physically copied onto the server. This was of course back in the days of the early 'browser wars' with the likes of Cello and Mosaic fighting it out: a battle Internet Explorer later won. The Parliamentary Web site was secured with a firewall sitting in the corner of my office (space is always at a premium in Parliament: for some reason, the Victorians never foresaw the Internet age) and connected to the Internet courtesy of a link provided by Imperial College.

The Parliamentary Web site always had humble origins and many of the features I wanted to see provided on the site - such as full text, searchable Hansard - were already available on our intranet. But due to exclusive publishing agreements with HMSO (now TSO), we were not able to provide these services to the public. Likewise, ambitions to provide live and archive video coverage of proceedings from both Chambers (and to have this cross-linked with the Hansard official reports) also ran foul of existing contractual arrangements.

There were also plans to publish an annual report on the site, detailing each MP, the allowances they had claimed, debates attended, how they had voted and so on: the type of service now provided by third party sites such as theyworkforyou.com. There remains great opportunity to use IT to re-energise the value and perception of Parliament to the wider general public. Most MPs work hard and long hours representing their constituents and the Parliamentary Web site could be the ideal showcase for a more direct engagement between Members and the public. I'm surprised how many people do not even understand basic principles of the way the UK is run - including the fact that Parliament is there to represent citizens and to hold government and the State to account (one of the reasons Parliament has its own domain and is not part of gov.uk).

I hope the debate this new report provokes will lead to a fundamental re-examination of the way we can use new technologies to enhance and re-energise our democracy. I also think Parliament needs to be monitoring and archiving its use of technologies. In the future, historians will be interested to learn how technology impacted one of the oldest democracies in the world, both internally and externally. But from what former colleagues tell me, attempts to preserve some of the original technology used for Parliament's first data and video network - or even donate it to such worthy recipients as the Science Museum's historic collections - have come to nothing. Much of that history has now already been lost.


(C) 2004/2005 J Fishenden