COLLABORATION

1

• COLLABORATION COMPLIANCE
• Identity Management meets Risk Management
• Policy Physics meets Unintended Consequences

Terry Gray, PhD Chief Technology Architect
Therapist University of Washington NAAG Identity
Panel 15 June 2010
2
WHO, ME ?
Accused killer to use an insanity defense Citing
a family history of bipolarity and murder, the
attorney for accused killer Terry Gray says Gray
will rely on an insanity defense.
Rap singer arrested in slaying "Terry Gray did
not murder anyone," Alexander said. "They
arrested the wrong man. Terry wasn't even in the
building when it happened."
http//www.realpagessites.com/attyatlaw/newsarticl
es/article.nhtml?uid10003
http//www.latimes.com/news/local/la-me-rapper10ma
rch1094,0,7499869.story
2
3
MISTAKEN ID?
http//www.dallasdesperados.com/images/coach_gray_
terry.jpg
http//1.bp.blogspot.com/_bOKmjbY7wEo/SwF3evlnsnI/
AAAAAAAABMI/cjL2xs-dP2E/s1600/TerryGraywithOwl.
JPG
3
http//cdn1.ioffer.com/img/item/737/389/96/839e_1.
JPG
4
Policy
Technology
5
CONTEXT Research Universities

• Mission discovery innovation
• Means extreme collaboration
• Globally, at scale, crossing many boundaries
• Seamless and simple resource sharing
• Culture decentralized diffuse authority
• Collections of many independent businesses
• A microcosm of the Internet

http//liu.english.ucsb.edu/wiki1/images/4/4c/Coll
aboration.gif
Industry turns ideas into money Universities
turn money into ideas. --Craig Hogan
5
6
IDENTITY ISSUES IN COLLABORATION

• Multiple Account Madness and role of Federated
  access
• How many credentials?
• Single ID convenience vs. Single Point of
  Failure
• Institutional vs. consumer identities
• Role of identity providers trust fabrics
• Reputational risk
• Transitive trust, e.g. Zoho via Google bug or
  feature?
• Contradictions
• Access control complexity leads to no access
  control
• The role of anonymity and pseudonyms
• Jurisdictions data location, prevailing law
  sunshine states

7
WHAT DO WE FEAR ?
Stolen identities used to buy furniture and
tummy tuck, police allege
http//www.chicagotribune.com/news/ct-met-identity
-theft-charges-20100605,0,7395352.story
7
8
WHAT DO WE FEAR ?

• Individuals
• - Identity theft and identity errors
• - Privacy invasion (direct or via correlation and
  inference)
• - Undesired disclosure or modification of
  identity or content
• - Loss of civil liberties Unreasonable or
  incorrect search / seizure
• - Crippling complexity
• Institutions
• - Compliance violations and costs (financial or
  reputational)
• - Compliance and opportunity costs / complexity /
  backlash
• - Identity or access control errors and their
  consequences
• - Undermining the effectiveness of our
  faculty/staff/students

9
WHO DO WE FEAR?
10
TOTAL INFORMATION AWARENESS
Study Shows Targeted Ads Make Users Uneasy
By Terrence Russell April 10, 2008
Even without ads, many are worried!
http//www.wired.com/epicenter/2008/04/study-shows
-tar/
11
GETTING ON LISTS IS SO EASY
Computer Glitch caused NY Police to raid wrong
house       By Justin McGuire March 20th,
2010
Sen. Kennedy Flagged by No-Fly List By Sara
Kehaulani Goo Washington Post Staff
WriterFriday, August 20, 2004 U.S. Sen. Edward
M. "Ted" Kennedy said yesterday that he was
stopped and questioned at airports on the East
Coast five times in March because his name
appeared on the government's secret "no-fly" list.
Here is a shocking incident of insensitivity, an
octogenarian couple Walt and Rose Martin who are
83 and 82 respectively, had their house raided an
incredible 50 times in the last 8 years leaving
them scared and wary of the police. New York
Police Department claims that this was caused due
to a glitch in the computer.
http//www.washingtonpost.com/wp-dyn/articles/A170
73-2004Aug19.html
http//www.manhattanstyle.com/news/computer-glitch
-caused-ny-police-to-raid-wrong-house/
12
THE ROLE OF FEDERATION SSO

• - Helps with Multiple Account Madness
• - Can reduce collaboration friction
• - Can convey attributes
• - e.g. OverLegalAge, or first-responder skills
• - Can reduce data correlation risks
• - Brings transitive trust risks
• - Crossing organizational policy boundaries
• - Crossing legal jurisdiction boundaries

http//farm1.static.flickr.com/237/446791372_ec191
81a63.jpg?v0
12
13
WHAT DO WE NEED ?

• Updated laws for privacy protection
• HIPAA plus EU Fair Information Practices
• Fundamental right to correct the record
• 4th Amendment applied to data held by 3rd parties
• Role for anonymity (whistle-blower, stalker
  victim, dissident, secret agent)
• No single points of (identity) failure, nor very
  high-value targets (cf. RealID)
• No security theater unintended consequences (cf.
  Pre-paid cell registration)
• Improved identity infrastructure
• Privacy-preserving (non-correlatable) federated
  identities
• Pervasive trust fabrics (e.g. InCommon)

IT Government Partnership
14
DISCUSSION