Adventures of an Eternal Optimist

The other day, I applied to have the post office temporarily redirect my mail. I've moved, and I want to make sure that even if I forget to update my address somewhere, my mail will still arrive at my new house.

Canada Post charges $33 to perform this service for me, and it is possible to procure this service online. The seven step process was very straightforward – until I hit the last step. Step 6 was for me to enter my credit card information. Step 7 was this screen:

My credit history was being displayed to me over the internet, looked up in real time and parroted back to me as a multiple-choice exam question.

I was horrified. Absolutely horrified.

I believe that this incarnation of identity authentication is very very wrong, and I'm going to do my best to define and discuss what significance I think that this particular kind of transaction has.

You are using my credit card # for WHAT?!?

It turns out that I didn't read the fine print. Here are the details on what Canada Post is doing, it is an interesting read. Canada Post did try to tell me on this page that by entering into the transaction, I was agreeing to having Canada Post pass my credit information to Equifax for the purposes of verifying my identity. It also says that Canada Post isn't privy to any of the credit file information.

Use of Identity Information not of my Choosing

The first and most obvious problem with using information that I myself did not supply in order to prove who I am is that I may not know or remember the answer. Imagine anyone with a complicated financial portfolio trying to answer these questions.

The second problem with using information that I did not supply, is that somebody else discovered that information in order to present it to me. If that entity can discover the information, it only seems logical that other entities could too. In this case, it seems to me that anyone who gets hold of my credit file can answer my identity authentication questions. Sadly, I'm pretty sure that such a thing is not that difficult.

In this particular case, I'd have to say that there is a third problem – the answer to the particular question I was asked is pretty obvious, to Canadians at least, and probably to anyone with access to Google. Given that this website is run by CANADA POST, it can't be hard to use a process of elimination based on geography.

The Juicier the Secret the Better the Identification

Think about how this kind of identity verification would scale. I'm sure Equifax would just love it if everyone were using their service – but the more clients you offer the service to, the more questions you would need. And the only data that works is "secret" data. How will they find that data, and what is the incentive to respect anything about your privacy?

Take that thought to the extreme, and then imagine these questions next time you try and do something online:

In early 2004, you were diagnosed with a condition. Was it:
a) Crabs
b) Syphilis
c) Genital Warts
d) Athlete's foot

Or how about this one:

At the age of 17, you were arrested for a crime. Was it:
a) Driving under the Influence
b) Dangerous Driving
c) Speeding
d) Public Nudity

It Doesn't Have to be Illegal to Piss People Off

My mother has always said to me that our family financial affairs are not to be discussed. To her, it is just plain bad manners to discuss things, even if they are publicly discoverable. That is how I feel about having my credit history thrown in my face. Can Canada Post legally do it? Apparently. Can they do it without making me feel like they have put their noses into my business? No, they cannot. It is entirely subjective, perhaps other people have no problem answering these kinds of questions, but aside from any logical or technical opinion I have about this kind of identity authentication — that question creeped me out. As vague and pointless and stupid as that question was, it still referenced information that I consider to be mine. Yes, I know, logically I understand that this isn't my data to control, but to have the public nature of my private affairs rubbed in my nose was unpleasant, it ticked me off, and in general, it has resulted in a poor consumer experience. If even a small percentage of people feel that it's creepy to have the Post Office breach the sacrosanct nature of their personal finances, even if that sanctity is an illusion, there are going to be complaints.

Where's the Transparency?

If we really drink the cool-aid, if we really believe that federation of data can be done securely and safely, we have to convince the entities passing the data that it matters to us what methods they use to sling our personal identity data back and forth. Canada Post sent my personal information, including my credit card number and (had I been dumb enough to provide it) my social insurance number to a third party. How did they send it? What are the policies surrounding the retention of that data? Why was I not given the ability to choose which Identity Provider vetted my identity, if it had to happen? How do I know how much data was sent to Equifax? Seems to me that this is a bloody gold mine for them, I imagine that they get the address update information before practically anybody else, they are getting paid to make their own databases even more accurate…

So, as far as I'm concerned, Canada Post has decided to endorse an insecure identity verification mechanism that is more easily answered by the person who has stolen your credit file than by you. Who knows, if my one single experience is any measure, it might be possible for ANYONE to guess the answer. As an added bonus, they also manage to piss people off, or at least to piss ME off. And all of this to change a postal address!

I watched a hockey game last night, where one of the players was hit in the face point-blank by a hockey puck. They literally picked his teeth up off the ice afterwards.

He returned to the game with a mouth full of packing and a frozen face, and proceeded to play another regular period followed by two 20-minute overtime periods, and a bit of a third. And he played superlatively.

What is it that inspires that kind of dedication? He’s already a star. Whether he came back for more punishment or not, he already gets the girls, he already has ‘achieved’. Nobody would have begrudged him some time to mourn his smashed jaw.

Of course, I can’t answer that question for him. Could be that he’s just the stubbornest mule of a man on the planet. But I do think that if he didn’t have passion for what he did, if he wasn’t into that game body and soul, he couldn’t have come back and been able to put aside his pain, the distraction of the swelling, the despair at impending dental surgery. I’ve been injured playing sports before, and getting your mind back into focus after even a minor injury is unbelievably tough.

My job is pretty different from Oilers #94. Still, I see some parallels (and as a result, you have to come along for the ride, sorry ’bout that).

Is there an identity equivalent to taking a puck in the face? I rather hope not :) Still, there are times where delays and unexpected issues force you to cool your heels. Identity projects have a terrible nasty tendency for scope creep. Why that is, is an interesting study in and of itself, but I think the truth is that identity is so holistic and so fundamentally interconnected that it leads to cascading sets of revelations about internal business processes that even the business process owners themselves do not discover until somebody tries to map those business processes to technology.

Somehow, the technology and philosophy surrounding Identity inspires passion – it is a field that is full of characters that are larger than life, and full of communities that thrive. The problems are intriguing to solve, but the people are far more intriguing. It isn’t a 9-5, leave-it-at-the-door kind of place, and it isn’t about merely putting in the time. What inspires these people’s dedication? I would guess it is a love for the game, no different in caliber or origin than that of the hockey player I admire so much.

You know how everything blurs over time, and looking back you can never remember when exactly things happened? Well, here’s my attempt to define all of the Infocard/Identity Metasystem milestones that I feel are critical, likely, or in some cases, wishful thinking, and make sure that their accomplishment is accurately reported. When these things happen, I can trot along back to this article and add a date and/or a link. May I humbly note that I think #10 is pretty damn important and that MS is going to have a difficult time garnering corporate adoption until it happens.

All of these items are open to debate, and I’m open to nominations for new items. The more the merrier, I say. Also, if you happen to know any more information on the status of any of the items, I would love to be updated, just drop me a comment!

Pam’s Identity Metasystem Laundry List and Future Predictions

created: 7 May 2006
updated: 28 June 2006 (updated naming & OSIS project references)

1. MS releases the long-awaited updated Federated Identity & Access Management Resource Kit :)
2. MS alters self-issued Infocard supported claims to include homePage

Update (10 July 2006): included in June 2006 CTP

3. CardSpace client support is built-in (or plugged-in) to Mozilla
4. Apple releases Safari with Infocard client support
5. First Identity Provider product released
6. Apple integrates Infocard and Keychain
7. Microsoft turns over schema for infocard definition to a standards body
8. Microsoft releases information about the communication protocols between the CardSpace client and the Metadata store
9. ADFS plays nicely in the Identity Metasystem.
10. Microsoft releases a version of CardSpace that can be managed (and audited) by an administrator (both at a machine level & at a domain level)
11. First open source Identity Selector client released

Update (28 Jun 06): the first Identity Selector project has started: OSIS. Doesn’t count as done until it’s released though.

12. First non-auditing Identity Provider goes live on the internet
13. First major consumer site adopts CardSpace and/or Identity Metasystem
14. First major financial institution adopts CardSpace and/or Identity Metasystem
15. First windows competitor to CardSpace is released
16. First CardSpace exploit is discovered
17. First infocard provisioning standards appear
18. MS Windows creates an Identity Selector client default setting, just like their browser default setting, to allow the users to choose which client they wish to have pop up on their desktop

Stay tuned, something tells me that this page is going to be very frequently edited :)