Tagesarchiv: Juni 24, 2008

Trusting the Internet. Identitycamp in Bremen.

Bremen. Hochschule der Künste. Beautiful setting. European Soccer Championships. What more could I want? I was on my way to attend to the first Barcamp about identity online in Germany. Identitycamp was my first Barcamp, and will certainly not be the last Barcamp I’ll attend. The discussions were focused, the participants were enthusiastic, the weather was a dream come true, the place and the organization were wonderful, the atmosphere was relaxed, and the participants had two days of interdisciplinary knowledge exchange. Identitycamp focused online reputation, social relations and identity, and its big topics were reputation, social relations management, identity 2.0, data portability and privacy. The participants were the Web 2.0 /Identity 2.0 crowd and the privacy people, quite a few bloggers, and a few scientists from sociology, history, the political science and law in the middle. It was a good mixture for vital discussions.

Gerrit Hornung held the opening session with a talk about the new basic right to digital privacy that that Bundesverfassungsgericht, Germany’s highest court, put into place in December 2007. The decision was made about the question whether or it is legal to install a spyware, on the personal computer of citizens and spy into their information system given a suspicion of terrorism. Since people are highly dependent on their information systems online and on their personal computer, the court interprets a threat to a person’s information system to be a threat to a person’s integrity, and personal integrity needs special protection beyond the level that the other basic rights could guarantee. The Bundesverfassungsgericht decided that the suspicion on terrorism or endangerment of national security has to be very concrete for state agencies to step in and install the so-called Bundestrojaner – surveillance exerted by state agencies would be illegal if they just concerned any illegal activity, and it needs some jurisdictional authority to allow state agency to step in and engage in surveillance activities. Gerrit Hornung, though, though, that new right to privacy in information systems might open the door to extensive surveillance activitities from state agencies. Hornung explained the new basic right to digital privacy with regard to existing other basic rights in German legislation and pointed to open questions waiting for jurisdictional decisions in the near future. Does the new basic right apply for online information systems as people increasingly store their data on external servers? [Slides in German]

If there was one dominant topic at Identitycamp, it probably was about Single Sign On systems of verification, authentification and management of one’s credentials online. OpenID, I learned, is only one of various technologies in current discussion: OpenID is one possibility for people to manage their credentials, a competitor is Microsofts U-Prove which is about identity chipcards. The two competing paradigms infocards and OpenID seem to be moving closer to each other, recently. The best known case for this is using InfoCards for authenticating towards the OpenID provider. Dennis Blöte is currently developing a system which uses OpenID for the different online services at Bremen University (e-learning, exams, administration, etc.). [Slides in German].

Another big issue at identity camp was data portability. If you have registered in a number of social networking platforms, you cannot take your relational data with you, connect or manage different social roles online, since the conditions of use usually favour the business interests of the provider and prevent the user taking relational data other social networking platforms as one moves around the internet throughout one’s online biography. In practice, people have different habits of managing their reputation, social networks and identity. Some users strive to get a coherent representation of their in their various social circles and disclose the different facets open to the members of their interaction networks. These people will welcome full data portability. Other users, though, will try to keep their social circles from the academic world, the business world, the private sphere etc. separate. They will tend to limit data portability or at least control who gets to see what element of their personal identity, and at what specific occasion. The focus seems to be moving from single sign-on to data synchronization. Most people would that it would be nice to be able to update your contact data on all platforms you are a member of with one click, yet, from the standpoint of an autonomous user, one would expect technology to mature as to offer individual choice as to how one wants to manage the various elements of one’s personal identity.

New technologies and business models are always fascinating, but this one deserves special mention. Callink was designed to tackle the problem of increasing spam activities on the telephone and people being object to stalkers. Mark König from Fonym developed a smart business model to tackle spam on the telephone by introducing his spam filter callink. Callink allows telephone users to give away a link to the telephone online without handing out their number, to add an anonymous code on one’s identity card which directs a phone call to their telephone. Moreover, Callink enables users to filter out telephone calls that they define as spam or even threat, even if the number of origin is not disclosed on the telephone screen. Cool idea! Unfortunately, though, the callink is limited to the regular phone, so far. I could use it for my particularly for my mobile.

Stephan Humer gave a valuable introduction into digital identity from a social science perspective. I think, it was very important for people with social sciences background, practitioners and political activists to foster a discussion on what identity is all about, what makes for digital identity and what are the social, political, jurisdictional, cultural and technological components and implications. Humer emphasized the gap the factual social and individual relevance of digital identity and the lack of attention in social sciences, so far [Slides in German].

I had come to Identitycamp to discuss trust online with the participants. I was delighted how the participants shared my interest in the topic of trust and we had two sessions on the topic of trust online with reputation, social relationships and identity management onlineThese are the questions I discussed in my presentation: (1) Why are reputation, social relations and identity on the internet object to trust concerns? (2) How does the constitution of trust work? (3) How can trust – its preconditions and the constitution of trust online – be studied empirically? I am happy that the relevance of the topic was obvious to the participants regardless of their background. The language of trust giver and trust taker fit well into the technicians’ use of the term ‘relying parties’. Of course, every relying party, be it an individual user, a developer, a provider, a corporation or state agency can be in the role a relying party when it comes to the transfer of money, data, identity credentials. Here are my slides:

Ralf Bandrath writes:

You can reduce the need to trust with data minimization. A lot of the open questions discussed in the other sessions also boil down to “Who do you trust”? Your government? A corporation like Yahoo? The members of your social network? If the idea of a loosely coupled identity meta-system is that you do not need high trust among all parties, then I see two possible solutions:
1. Everyone becomes his or her own identity provider and does not have to worry about IdPs collecting their digital traces.
2. The amount of exchanged data is reduced in general, so you don’t have to trust all kinds of parties. This is where Identity 3.0 with minimal disclosure tokens and zero-knowledge proofs is very promising.

Ralf’s suggestion is, of course, a legitimate way to reduce the problem of trust online. It certainly does not make the problem obsolete, though. Of course, the more people pursue their daily activities online, the more money is transferred, the more data get transferred and the more people’s credentials are transferred. As people increasingly pursue their daily activities online, their vulnerability augments, and the more they must bear the uncertainty that they might be damaged with regard to their reputation, social relations and identity. Ralf’s suggestion pins down to be cautious, to limit one’s activities online, to reduce one’s expectations, at least in the short run. If every user would follow Ralf’s advice, this would limit the development of the internet considerably and limit legitimate business aspirations since it teaches the lesson “Reduce your expectations!” both on the side of large companies and state agencies and on the side of the individual internet user. People would be increasingly cautious to use online applications and be reluctant to try anything new as a result of negative experiences from the past. As a consequence, the development of Web 2.0 and related business models would be slowed down. Trust, though, becomes relevant only under the condition that expectations are high, that something big is at stake. Only in this case I would call it a trust issue. So, I look out for example cases where I find a social relation between at least one trust giver and trust taker, where expectations are high, where vulnerability is high [damage possible] and were uncertainty of potential damage does not vanish [even given a functioning technology, a thorough administration of rules, roles and routines and ‘perfect’ calculation of people’s trustworthiness which is usually displayed in the form of numeric representations] and people still do not refrain from using the internet but decide to expect something positive and use the internet. Only in these critical situations which are characterized by uncertainty of potential damage I can ask the question, why people trust, whom they trust and how they trust. One alternative way to trust vis-à-vis the purely naïve trust to move toward active trust which involves reflexivity and learning: Begin slowly, expect little, be cautious at the beginning, gain experience, gather information, exchange with other users, articulate your expectations, keep yourself informed about the other party’s behavior, exchange information with the other party regularly, reflect on your positive and negative experiences, and increase your expectations as experiences are positive. But even this active trust, which requires a lot of effort, is no guarantee that damage can be prevented. So, trust online pins down to a trust giver is away of the uncertainty of being damaged and still makes the ‘leap of faith’ to assume that a critical situation will be favorably dissolved, and a trust taker who offers a favorable definition of himself – be it an individual, a group, a company, a state agency or the internet public in its most abstract form. I am convinced that it needs strong institutions both online and in the offline world to help form an online social world in which people can move around and trust as they increasingly pursue their daily activities online.

Conclusion

Identitycamp was a really good meeting of practitioners, activists, bloggers, curious students and scientists to develop an interdisciplinary perspective on identity online and a wonderful opportunity to reach out beyond one’s academic discipline and milieu. The atmosphere was informal and the discussions were very constructive. The participants decided to stay in contact on Electronic Identities, and demand for a follow up was articulated. Yet, even a supreme conference or Barcamp leaves some room for improvement: The conference should have been framed by the organizers such that they give an introductory talk and a short conclusion of about ten minutes, each. Moreover, an introductory talk on the political, social and cultural aspects of identity for the participants unfamiliar with the way social scientists talk about reputation, social relations and identity, and there should be a separate introduction on the current developments from a technology and information perspective for participants with academic background and little knowledge on technology aspects of identity management should have been positioned in the first sessions on day one to help find a common language. Finally, I would hope that more and higher ranked experts from the various social sciences, economics, the humanities, the information sciences and especially, from experts on lawe, would attend an interdisciplinary meeting on Identity next time. So, I would pledge for a combination of Barcamp and the good old regular conference – the spontaneity of a Barcamp is a wonderful thing, but to help participants take home the very best of a conference, some framing would be helpful.