Laws of Identity

In conversation with Kim Cameron of Microsoft Corp.

Globe and Mail Update

In the mid-1970s Kim Cameron played guitar for a Toronto bar band called Limbo Springs, and backed up John Belushi and Dan Aykroyd, at the time calling themselves the Blues Brothers. Today, Cameron is Microsoft's chief architect of identity, and has been named by Network World as one of the 50 most powerful people in networking.

He created an e-mail technology called ZoomIt, which he sold to Microsoft in 1999. In 2003, working at Microsoft, he went public with a technology he developed called InfoCard, an identity system that lets users control the information about them; it is now the centre of Microsoft's identity strategy.

In 2005, he ignited a major industry discussion on the subject of digital identity, which included Bill Gates, various leaders of the open-source community, sworn enemies of Microsoft and the celebrated legal scholar Lawrence Lessig. Out of that he hammered out his publication of the Seven Laws of Identity.

The seven laws could also help kill spam.

Kim Cameron chatted about the Seven Laws with Jack Kapica.

JACK KAPICA: How did Microsoft get into identity management?

KIM CAMERON: Basically, the software got more complex and did more things, and it got to the point where we started to move stuff between machines with the Internet. It got to the point that we wanted to do more on the Internet than just publish things for anybody, then we started getting problems about spam and phishing, and it became clear to everybody who was concerned about the future that we had made an architectural mistake.

We had built this huge Internet infrastructure and it was missing what I call an identity layer, with the result that it's impossible to know whom you're talking to.

At a certain point, with this architectural problem, we reached a stagnation point, so we became very interested in it in terms of we needed identity to move virtual reality closer.

JACK KAPICA: How broad are the implementations?

KIM CAMERON: It can save a lot of trouble on the Internet because you can have some notion of who you're connected to. Right now, if you go to an evil site that is defrauding you or fooling you or spamming you, you're putting yourself in the hands of an evil party. That's the way the browser works.

The evil site now controls my experience completely and can get me to do things that I wouldn't otherwise do.

Today I got an e-mail from PayPal saying someone had spent $780 buying a new Dell computer on my PayPal credit card. And at the bottom it said, if this transaction is in error, click here.

Now I understand that's spam. But if someone had a PayPal credit card, they might click there, and if they do they're under the control of this other evil party.

It gets very scary because once they get some credentials, they can do what's called a man-in-the-middle attack, in which they hook you up to things so that you think you're having a real experience while they continue to extract more and more information from you. So I should have some way to know whether I'm dealing with PayPal or not.

JACK KAPICA: When did Microsoft get involved?

KIM CAMERON: Microsoft got involved with this initiative called Passport in the late 1990s, which today does a billion authentications a day, so you have to see it as a success in some ways.

But on the other hand, Passport was initially envisaged as an Internet-wide solution, and it did not succeed at that at all. So I was partly motivated by understanding why Passport didn't evolve as an Internet-wide solution.

JACK KAPICA: Why was it a failure?

KIM CAMERON: I believe there is a set of principles that have to be respected before we'll have an identity system that people buy into. In Passport's case — and it wasn't the only one that failed, by the way — merchants would say, what is Microsoft doing between me and my customer? And customers would say, why is Microsoft involved in my relationship with this online store? Marketing people call the process of getting rid of the third party disintermediation, where the third party tries to, um, make a threesome.

So to me that's one of the principles, and it led me to think when I did my laws of identity, one of them is that only justifiable parties should be involved in any identity transaction. And that led me to a bunch of others, like it should always be under the user's control. You should always give out the least amount of information possible.

The notion was, could we figure out what you would have to do so that everybody would want to participate in this thing? That's what the laws of identity were about.

I started to blog about it, and certainly I didn't know the answers — I didn't even know all the right questions — when I started it. And it became part of a much wider conversation with all kinds of people from the Linux community, various parts of the open-source community, the legal community (like Lawrence Lessig), the Creative Commons people, a whole new approach to how you would look at these things, and we all put our heads together, and I kept trying to push the boundaries on this, and did the laws.

JACK KAPICA: Did you bring this to Microsoft management?

KIM CAMERON: I thought we needed a multi-centred approach to identity, a user-centric one. My blog was well known, and they chose to put me in a position where I could have a growing influence.

But Microsoft is so big, over 60,000 people, and they're very focused. But they were reading my stuff as much as people from outside Microsoft. We all wanted to know how we go forward from this.

JACK KAPICA: Okay, what happens next after the Seven Laws of Identity?

KIM CAMERON: I started to use the laws to control what was being built here at Microsoft, so that everything Microsoft built conformed to these laws. One of the aspects of this is that privacy is brought up to the same level of importance as security — privacy is just a form of security. At that point I was trying to build an identity product.

You remember in the old days of CP/M, when you had to write a long command to copy a file from one place to another. And when the windowing environments came along, all of a sudden you had these pictures of files and folders, and someone could easily understand how to copy a file into a folder, just by picking up the image of the file and dragging it to the image of a folder. But in fact, people don't see these as pictures, they see them as the actual files and folders, which is really strange.

So we had the pictures for files and folders, but we forgot to introduce them for people. In retrospect, we're wondering, what were we on?

What we wanted to do here was introduce the same visual metaphors for identity that allow people to learn how to manage files and folders, and we called those information cards, and that became a product called CardSpace.

At the same time you had these people who were coming at this from a different point of view, they were running these big blog sites. They came up with the idea that since everybody's blogging, everybody has a URL, like www.kapica.com, or whatever, and that could be your identity on the Net.

From the point of view of the Seven Laws, that would be one type of identity, a public identity. You don't necessarily want to use a public identity like that every time you go anywhere to buy something, so it all becomes enmeshed in this big ball that someone called a "slime trail."

If you want to be publicly recognized in a community, it's a great idea, so that started to be pushed into this concept called OpenID.

OpenID was certainly developed under the influence of the laws, as part of the conversation around the laws, so people have done good things with OpenID in response to making sure they also took account of the laws. What's interesting is that if you got into this community, the people in it really get along, which is bizarre, when you come to think of it.

It's obviously good stuff. But it doesn't solve a lot of problems — it doesn't solve privacy problems, it doesn't solve the slime-trail problem, it's phishable, it doesn't solve the password-theft problem.

So I argue in the fifth law that you need a pluralism of technologies to handle all the different things that identity means. In the past, the underlying identity mechanisms were all these enterprise-like, top-down things, with some omnipotent authority that made assertions. And that can be good, for instance, Microsoft can say I work for it, and that's reasonable. But what OpenID adds is this very bottom-up thing, which is okay, my URL is www.identityblog.com and my DNS address says so.

So OpenID leverages the power, the anti-bureaucratic power of DNS, and it's as strong — and as weak — as DNS.

JACK KAPICA: How would this affect us in real terms; would we see anything? Is it a product, or just a way of thinking?

KIM CAMERON: You get this new experience called CardSpace. So if you go to a website that supports CardSpace, and you want to log in, you click on the CardSpace icon and if you're using Vista or XP with the CardSpace software on it, this CardSpace screen comes up and it shows you your possible identities in there as icons.

So you can have identities that you make up, or you can have identities that you get from employers, government even, organizations, clubs, just like in your wallet. You have a whole bunch of cards, each of which represents something. And you can send whichever one you want off to the party you're contacting. You'll see exactly what's being sent, and you can decide whether you want to send it or not, and it will have all the privacy features, and so basically you don't have to remember a user identity or password. And it's not phishable — well, I won't say that, because people with enough resources and enough time can make attacks on us. So let's call it phishing resistant.

On Vista, go to www.identityblog.com, and press log in. This CardSpace thing will come up. Make your card up, then you can get into that site using that card.

JACK KAPICA: How will you know it's really me?

KIM CAMERON: It's the usual thing, the blog will send you an e-mail, you respond to the e-mail, and the more you use it the more I will be convinced it's you. So I combine my knowledge of your e-mail with your use of it. Similarly if you have a blog, it can also check out your web identity. You could also get an identity from, for example, your employer, saying you're Jack Kapica of The Globe and Mail, or whatever.

JACK KAPICA: Can I lie about my identity?

KIM CAMERON: On the self-issued CardSpace, yes. And everyone will know it's a self-issued one. We think it's important that we have to have the right to lie.

When people ask me my age on the Internet and if music is involved, I never tell them because all I'll ever get is Beatles songs.

People will want to say they're Elvis Presley or James Dean, that's part of life too.

When it comes to identity it's a very complex and delicate thing. Theoretically, when you look at my laws, this digital identity, I just reduce it to a set of claims made by one party about another party.

JACK KAPICA: So this sounds like a weapon that can be used against spam.

KIM CAMERON: Oh yes it is. The cryptography under these information cards is very strong. So I can now manipulate identities and send somebody my information cards and do all these kinds of things. It's the first time that we have an infrastructure in place that can stop spam.

Remember I said you should call that icon an information card? Because CardSpace is not the only system that is being built to do this. So people are building completely compatible systems for Linux and Open Source and everything else. And that's key. If you didn't have this working across all the platforms, then it would be identity for part of the world, and it would be a failure.
