Beyond Passwords: A Context-aware Internet
My previous SENDS blog post reflects on the current effort to redefine cyber-security and what the opportunities to empower individuals to manage their identity and cyber-presence might look like. This post describes a vision for a new Internet architecture that is context-aware, a key requirement to automate and secure online transactions, as well as provide trusted user identities and enhanced cyber-presence.
Addressing privacy challenges of user cyber-presence
Our identities and collective cyber-presence are captured across numerous service providers in today’s Internet environment with each site registration, transaction and social posting (Figure 1). We have limited control over what information is captured and how it might be exploited. The prevailing business model is based on mining and perhaps selling information to third parties: this leads to potential contention between maintaining user privacy and maximizing service provider revenues.
Even if user privacy is 100% preserved, these walled gardens base their service offerings on proprietary metadata, which hampers the economic potential for location and transactional services to interoperate between websites.
Under an expanded vision of the NSTIC described in part one of this blog series, each user’s cyber-presence could be represented in a secure, user-controlled iSelf space within a Context-aware Internet layer. Web, data, ontology and document content could transparently pass between the layer and the current Internet through the Identity Ecosystem gateway.
Each user would have absolute control over identity attribute and personal data disclosure. Attributes are associated to a user’s authority, roles, rights, and privileges. Modification control of personal data would not apply to such information like health care records where the user may take a role in verifying its accuracy. When combined, attributes and personal data are called a profile when represented in an iSelf.
Metadata (data about data) is replaced with the notion of a concept (a natural language-neutral universal idea), controlled by a user-driven community and not by a service provider. Concepts enable mass interoperability between iSelfs, internationalization of concepts, and efficient processing of contextualized content by software agents.
Service providers’ still benefit under this Internet framework by matching accurate personal data to directed advertisers and marketers. A user might choose to financially benefit from more detailed personal data disclosure through a micropayment mechanism, for example.
Figure 1: Addressing privacy challenges of user cyber-presence
A Context-aware Internet would leverage semantic technology to achieve a level of machine understanding necessary to manage the Identity Ecosystem and more (Figure 2). An early application of semantics can be found in rich snippets that make it easier for users to decide whether a Google page is relevant to their search. Taking this technology to the next level requires contextualization. Context processing recognizes similarities in design intent, identifies relevance of existing work to new efforts, drives consolidation of redundant concepts and components, and enables unprecedented transparency and interoperability between systems.
Under a context-aware Internet, a user’s identity is fused to a legal and architectural ’entity’ that can be a person, company, organization, or government. Anything created by a user is traceable to the entity allowing crisp management of intellectual property including an integrated metering and micropayment mechanism to support global reuse. Applications and apps are developed from a finite set of well-constrained recombinant components based on an icon-based executable design language. This ‘white-box’ software technology should be easy to understand and authenticate due to the graphical nature of its architecture.
Figure 2 – Context-aware Internet
Within such an environment, each user would be able to easily modify their iSelf profile values within well-established boundaries (Figure 3). Profile types are grouped under different concepts, shared between the iSelfs. A Context-aware Internet would execute algorithms that automatically compare, match and disambiguate concepts across natural languages and subject fields. This concept harmonization capability would support a new generation of social and professional networked communities that meet specialized interests, as well as enable deterministic expression of intents and sharing of fine-grain profiles.
Figure 3: User-controlled identity/cyber-presence
Universal ID Management
The Identity Ecosystem would consist of four players (Figure 4). It is anticipated that Users will conduct transactions through Relying Parties1 who contact Identity Providers2 that provide credentials based on Attribute Providers3.
1 – Relying Parties make transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials and attributes.
2 – Providers are rresponsible for the processes associated with enrolling a subject, and establishing and maintaining the digital identity associated with an individual or NPE (non-person entity)
3 – Attribute Providers are a named quality or characteristic inherent or ascribed to someone or something (e.g., “Jane’s age is at least 21 years”).
Figure 4: Universal ID Management
Extending Universal ID Management
The current NSTIC vision presumes that each Identity Provider will also be an Attribute Provider that stores attributes in siloed formats (Figure 5). While this configuration may address the multiple password problem (previously discussed here and here), it might open a Pandora’s Box as providers choose to compete by extending their attribute configuration. This may leave users bewildered how to manage ever increasing complex profiles. It’s anticipated that identity management functional demands will quickly escalate from basic attributes to rich personal data.
Semantic Web-based technologies and the ‘standards’ process may not be able to meet these escalating challenges to prevent systematic chaos. A secure, new Context Web that operates under the Context-aware Internet could be capable of helping people to harmonize concepts and secure profiles at the required global scale.
Advanced Identity Ecosystem
The Identity Ecosystem should scale more gracefully by deploying separate authentication and storage infrastructures (Figure 6). An iSelf could execute as a secure Virtual Machine (VM) that computes on semantic relationships.
Figure 6 – Advanced Identity Ecosystem
Creating trusted identities among participants in the Identity Ecosystem requires an infrastructure to support the interactions between transaction participants. A separate Context Web could:
• Automate the development process to provide secure, streamlined access to online services.
• Provide a common framework to assure that identity solutions interoperate.
• Lower the implementation and management costs that are dampening rapid market growth for identity and attribute provider services.
For example, the capability to record and store a user’s fingerprint once and make it globally available to any third-party reading device is a first step in delivering advanced identity solutions (Figure 7). The Context Web could help meet this challenge by providing a Context Registry to harmonize concepts across all VMs and their supporting Community Repositories.
All fingerprint reader vendors could become members of a community where concepts are organized in ontologies. Community members could share attributes based on common types that their devices use for fingerprint decoding by Relying Parties.
Figure 7 – Harmonization example
Privacy control in most social networking sites is currently limited to a set of predefined options, i.e. ‘friend’ or ‘friend of a friend.’ Exchange Sets greatly expand the notion of privacy control to provide authorized users’ access to a profile that may evolve into very complex sets (Figure 8). In this example, all ID Provider Community members are authorized to read Basic ID and Biometrics attribute values. Exchange Sets enable complex access patterns to be easily maintained by each user through an intuitive interface on their laptop or mobile device. This ease of use is vital to assure users adopt best security practices for their cyber-presence. Profile management, like updated drivers’ licenses or fishing licenses, are ultimately a user responsibility but it must be easy to do to make such a comprehensive approach effective.
Inquiring users would interact through software agents that travel between iSelfs. Harmonized concepts allow agents to visit many iSelfs, processing profiles that execute safely within each VM’s ‘sandbox.’
Much of context processing could take place without direct user direction with benefits accruing through the following capabilities:
• User preferences respected at compliant sites
• Filtration of incoming communications by agents, i.e. email, RSS, Twitter
• Attribution and monetary reward for user-generated content
• User-invited advertising based on expressed needs and interests
• Computable, fine-grained, contextualized reputation
• User-created specialized social/professional networks
A Context-aware Internet could provide the prerequisite automation to help secure online transactions and user profiles. This blog suggests a manner that provides users with fine-grained control over their data from a single user interface while supporting the rapid development of a broad range of high-value commercial applications.
Such architecture could extend the Identity Ecosystem toward a trusted, efficient and resilient information and communications infrastructure for generations to come. The Cubicon team has done extensive work in exploring the practical deployment of such architecture and warmly invites dialog on the associated opportunities and implications.
Editor’s note: Sandy Klausner is the founder and CEO of CoreTalk Corporation, the designer of the Cubicon executable design language, described at http://www.coretalk.net/. The opinions and concepts proposed by Sandy reflect his thinking about new types of programming languages, and web-based architectures including Cubicon. SENDS does not endorse any specific product, but seeks to ensure members and guests of the Private-Public partnership of the SENDS Consortium are aware of novel thinking proposed by those associated with the Consortium and its efforts.
by Sandy Klausner, sendsonline.org, February 9, 2011