For additional information, please contact us at partners@identity.net - Identity.net will review all partner applications to ensure compliance with our strict privacy and data security policies.

Having had my credit card number stolen from a company before, I think he’s on to something here. There’s simply no recourse for me against a company who puts my identity out there for somebody to take. In my case, I joined a class action suit against the company and was mailed a check for $2. That’s what my identity was worth to this company - 2 measly dollars.

Almost every day we hear about laptops being stolen that contained thousands of social security or credit card numbers. Often times we learn that all of this data was sitting in excel spreadsheets somewhere on the computer.

There’s no valid reason that my social security number should be in an excel spreadsheet anywhere.

It’s bad enough that way too many companies require this number for non social security related purposes, but I shouldn’t have to even entertain the idea of my data sitting on somebody’s laptop in a coffee shop.

Paul’s proposed law calls for penalties for companies who don’t follow acceptable security practices, but I don’t think that’s enough. It may be time to examine some of our laws and add a clause about how we can store sensitive data.

There’s simply no reason that any of this information should be on a laptop, cell phone, memory stick, ipod, portable hard drive, or voice activated electronic diary. It should all be encrypted and password protected on a server that requires an authenticated user to access. It shouldn’t take a law to accomplish this, we should all be doing it already.

Having said that, now is a good time to look at your own business and how you store data. Are you storing data that you don’t really need? A good example is companies who store credit card information for 1 time sales. Having previously coded several e-commerce websites, I always made sure that we had no record of a credit card number on our server after we were done processing it.

What about social security numbers or drivers licenses? Are you storing them in a database in plain text format? What kind of information is on your employees’ laptops? Is it essential that they be able to take that information home with them? If so, how is it protected?

Asking yourself these simple questions can prevent you from suffering PR nightmares like TJ Maxx and Best Western are currently going through.

Another key takeaway is that “almost everyone posts as anonymous” and most trolls refuse to disclose their identity. In fact, as one troll interviewed for the article said: “Ultimately trolling will stop only when its audience stops taking trolls seriously.” So key to identifying trolls, which the NY Times piece concludes, is to break anonymity by establishing reputation around a persona or pseudonym:

A broader answer is persistent pseudonymity, a system of nicknames that stay the same across multiple sites. This could reduce anonymity’s excesses while preserving its benefits for whistle-blowers and overseas dissenters. “People know to be deeply skeptical of what they read on the front of a supermarket tabloid,” says Dan Gillmor, who directs the Center for Citizen Media. “It should be even more so with anonymous comments. They shouldn’t start off with a credibility rating of, say, 0. It should be more like negative-30.”

I discussed personas in an earlier post, which is the idea behind Identity.net’s reputation sheets, or RepSheets. You build reputation across several personas — one for home, one for office, one for blog commenting, or however you choose to manage your reputation. You decide how much of your profile information you share on each RepSheet, which you can link to any site you use. What’s more, you can have your information verified by a third party, so those checking you out will know what’s true. Of course, you can also check out any Identity.net member to see what verified information they’ve shared about themselves. 

Verified identity fills the gray area between disclosing everything about yourself and the dark, anonymous places where supertrolls can hide.

Identity is not easy to define. Lots of smart people have been thinking, talking, and writing about identity for years. See Kim Cameron’s blog for lots of resources from academics and practitioners. Unfortunately, most of these definitions are indigestible by mere mortals. Identity, it seems, is one of these deceptively deep ideas. 

Dave Snowden’s takes an interesting approach. He lays out several criteria for identity — the roles you play, the “blurriness” of your identity, and how your identity changes over time. What struck me as interesting is how Professor Snowden borrows from chaos theory: “Identity in human systems is a strange attractor.” What?

A strange attractor is chaos theory jargon for a system that changes unpredictably when events change just a little. The weather is a common example — little disturbances can create big changes in the weather. As Edward Lorenz colorfully put it in 1972 when describing the butterfly effect: “A butterfly flapping its wings in Brazil can cause a tornado in Texas.”

What does this have to do with identity? Well, identity is chaotic, strange, and changes in big ways on small events. For example, consider becoming a parent. It depends on a single romantic moment. That single moment not only creates an identity where none was before. It also transforms you into a parent and forever changes parents into grandparents, sisters into aunts, etc.

Of course, identity is not just limited to individuals. Groups have identities too. The American identity shifted dramatically on November 7, 2000 when George Bush won the US election by just 537 votes, or 0.009%, in Florida. By many accounts, the election swung on the design of the butterfly ballot, an ironic coincidence with chaos theory’s butterfly effect.

For your online identity, the challenge is to naturally and safely use your identity in all its complexity, and seamlessly deal with the chaotic change that invariable happens to it over time.

July 17, 2008 — Bellevue, WA — Identity.net today announced the addition of two senior executives – a move that signals the company’s commitment to give consumers from around the world control of their identity and reputation.

Alan Steele was named Vice President of Engineering and will be responsible for product development.   Frank Paterra will serve as Executive Vice President of Operations.   The additional talent will accelerate programs for the adoption of Identity.net by consumers around the world to build and share their reputation, navigate the web with greater ease, and safely share information over the internet.   

“I am excited to have talent of this caliber coming on board just as we launch Identity.net. These additional hires understand the stakes involved with that responsibility for the evolution of the internet to one that is safer to use, more convenient, and more user-centric.” concluded Rob Monster, Co-Founder, Chairman and CEO. 

“With Alan and Frank taking leadership roles at our company, we have the ability to execute and scale our business growth strategies and deliver superior solutions with Identity.net,” said Co-Founder and President Jim Adler.  “They know the consumer market, are very familiar with identity protection and security, and understand why consumers want to take control of their identity and reputation.”

Alan Steele is a startup veteran with over 15 years of experience at Avogadro, Viathan Corp., eRoom Technology and Midnight Networks.  Alan was most recently the Founder and CEO of Mergelab, a Seattle-based startup that developed technology for merging user profile and identity information and aggregating feeds of information from user contacts.  Prior to founding Mergelab, Alan was SVP of Products at Jobster where he built an unrivaled technical team in Development, Product Design, Operations and QA. At Jobster, Alan integrated the acquisitions of WorkZoo.com and Jobby, growing Jobster’s consumer destination to over 1 million unique visitors/month.  He received his BS in Writing and Computer Science from M.I.T.

Frank Paterra brings a strong background in business process, product management, operations and corporate acquisitions.   Prior to joining Identity.net, Frank was most recently Vice President of Corporate Development responsible for the acquisition of SmartShopper and served as general manager while at Zango, an online media company.  Previously, Frank founded Fluency Software which provided services and software products to the enterprise software market.  Prior to Fluency, Frank worked for Rational Software as the general manager of the Rose Business Unit, responsible for one fourth of the company’s revenues.  Before this he worked with NASA  to develop artificial intelligence systems to aid in the development and operation of satellites. Frank has published over 20 technical articles.  He received his BS in Computer Science from Frostburg State College and his MS and PhD degrees in artificial intelligence and high speed network protocol development from Old Dominion University. 

About Identity.net

Headquartered in Bellevue, Washington, the company’s mission is to put consumers firmly in control of their online identity and reputation.  The Identity.net (formerly Demoxi) software is built on 50 issued patents and 10 years of advanced research in the fields of cryptography and online identity.  For more information, visit www.identity.net or contact Jennifer Curley at 202.422.6244 or Jennifer@CurleyCompany.com

 
July 16, 2008 — Bellevue, WA — Identity.net launched today, giving consumers control of their Internet identity and reputation. With the new site users can build and share their identity, navigate the web with greater ease and control, and verify attributes about their online reputation.  Current features of Identity.net include: single sign-on to web sites, selective or anonymous identification, portable personal content, and reputation management.

“Identity is an unsolved problem on the Internet today. Unlike the Internet itself, there is no central directory for verified users of the Internet. As a result, we have spam, online fraud, and with that the inherent transaction friction associated with an online world where everyone is guilty until proven innocent,” said Rob Monster, Chairman, CEO and Co-Founder of Identity.net. “Identity.net lets users invest in build and manage online identities that are portable across the Internet, while also being in full control of what, when and where information about their identity is public or private. Our launch partners agree that the arrival of Identity.net marks the arrival of web 3.0, putting consumers firmly in the driver’s seat and giving them the best of identity, privacy, and reputation management.”

At Identity.net, users can create their own personal “reputation” web page where they can choose to publicly share either in its entirety or as select subsets, depending on the audience.  Users can verify their identity attributes once and then reuse that verified identity information across the Internet.  For example, creating JohnDoe.Identity.net enables John Doe to put all his information on one site, 3^rd party verify specific identity attributes and use this with other sites he cares to engage with.  He may choose to share all the information on a MySpace page or select his professional accomplishments and highlight just those attributes on Linked In.   John could also create multiple pages for the different “reputations” he chooses to share, i.e.: Johnlovestoshop.Identity.net.

“Identity.net frees users to take their reputation with them as they engage online, so their reputation isn’t just tied to a specific site, it travels with the consumer as he/she uses the internet for blogging, shopping, conducting business or even engaging with the various social media sites.” stated Jim Adler, President of Identity.net. “By providing a single source for users to control and manage their individual reputation – it makes the reputation portable.  This saves time and gives the user control of what is publicly available about him/her on the internet.”

Identity.net (formerly Demoxi) added more than 200,000 unique users per month during its public beta and secured a network of valuable launch partners and affiliates. Functionality includes single sign-on and a digital wallet for holding online credentials.  The entire package is a one-stop for identity and reputation management.

Today we announced the launch of Identity.net — a website and growing set of services dedicated to giving you control of your identity, both online and offline. So, what can Identity.net do for you today? Well, to start, two things: single sign-on and verified personas.

Single Sign-On, Of Course

Identity.net supports OpenID which, for the uninitiated, means two things:

1. You can use your Identity.net OpenID at sites around the web. This means you can visit all your favorite (participating) websites without having to remember yet another username and password. Currently, more than 13,000 sites accept OpenIDs.
2. If you already have an OpenID (from sites like Yahoo, Google, AOL), you can use Identity.net without registering. As of July 2007, more than 120 million OpenIDs have been issued.

OpenID certainly helps reduce the number of usernames/passwords you’re forced to litter around the Web. But, the real power of OpenID is that it lays the groundwork for you, the user, to control how your information is shared with websites. Much more to come on that topic.

Verified Personas — we call them RepSheets

In your everyday life, you enjoy, what I like to call, various degrees of disclosure. When you’re in a grocery store, people can roughly tell (with some certainty) your age, gender, marital status, and location. But they can’t tell where you live, where you work, or much of anything else about you unless you tell them.

There’s nothing like this on the Internet. On one side of the spectrum, there are websites where everyone knows your name, all the recommendations are positive, and everyone is above average. On the other side, there are anonymous, flame-throwing blog commenters who can say anything they want without fear of retribution or damage to their reputation.

Identity.net aims to fill the breach — multiple personas linked to real data about you. On Identity.net, you have a private profile where you keep your personal data. If you want, you can have some of your personal data verified by a third party. We partnered with Trufina to verify your name, home address, and birthday. And that’s just the start. We’ll be verifying more attributes soon.

Once you’ve entered information into your profile, you can choose to share some of it on what we call a RepSheet. A RepSheet is just a personal web page with stuff that you choose to share about yourself. For example, I have a RepSheet at http://jimadler.identity.net. It looks a lot like my public LinkedIn profile — basically my online resume. On this RepSheet, you can see that my first name, last name, and home city/state were verified by Trufina. I also have a RepSheet at http://jim.identity.net, which is less formal, showing only my first name and home city/state, also verified by Trufina.

I can reference my jimadler.identity.net RepSheet on more professional sites and my jim.identity.net RepSheet for more personal uses. For example, you can link to yourself with your RepSheet link on blog post comments, social networks, dating sites. See here for the growing list of ways to link your RepSheet on Facebook, MySpace, LinkedIn, and others.

For those geeks among you, RepSheets support hCard so sites can easily import the RepSheet information you’ve chosen to share (Identity.net is also a member of DataPortability.org). Of course, they can never gain access to the underlying profile information you haven’t chosen to share.

Places to Go and Things to Do

To date, there’s been great technology developed for identity (like OpenID, oAuth, SAML, etc.) but little reason for regular folks to use it. It’s like the industry is selling car keys but not cars. That’s been changing with the expansion of OpenID, but it’s been a slow process.

So the idea is to give you control of a secure, trustworthy place for your identity and a bunch of cool things to do with it on Identity.net and around the Web. In the coming weeks and months, we’ll be rolling out services to do just that. Stay tuned!

• Charlene Brownlee, Davis Wright Tremaine
• Chris Hoofnagle, Associate Director, Samuelson Law, Technology & Public Policy Clinic and Senior Fellow, University of California-Berkeley Center for Law & Technology
• Ken McGraw, Chief Compliance Officer, Zango
• Basem Nayfeh, Chief Technology Officer, Revenue Science
• Stephen Toulouse,Lead Program Manager for Policy and Enforcement with Xbox LIVE

Should be a fun event!

Implemented wrongly, these features can actually be a very big security liability. The right way to do it is to ask the question, then send an email with password reset instructions (but not the actual password). The wrong way is to validate the user and then simply tell them their password.

Why? Because most security questions are very common and easy to figure out - so if I know a little bit about you, I can easily answer them.

What makes a good security question? It’s not just about scarce information, it’s about non-public information.

Some of the most common questions are “What is your high school mascot?” “What city were you born in?” “What’s your favorite pet’s name?” “What was your first street name?” “What was your first phone number?” and “What is your company’s street name?”

The problem with these questions is that they’re all easily answered on my MySpace page. Birth information is public record - it can easily be looked up. So can my previous addresses, phone number, and where I work. It’s all out there somewhere on the internet.

Better questions are things like “What is your frequent flyer number?” or “what are the last 4 digits of your credit card number?” But even these fail. Many people other than me know my FF number, including my secretary, airline attendants, and TSA employees. The last 4 of your credit card won’t work either since many sites list it as a way to identify transactions.

So what do you do? Simple: Let the user choose their own question.

A good questions should be something that can’t be guessed or looked up, doesn’t change over time, and is easily memorable.

As a user, you should choose something that nobody can easily figure out. My favorite question is “What is your favorite Prime Number?” Another great one I use is something like “Last 3 words on page 15.” It’s useless to you unless you know what book I’m talking about. You could even use a bible here, since there are so many versions in print that it’s almost impossible somebody else will have the same one as you. Another one I once used was “What’s my cell phone serial number?” It’s clearly printed on the back of my phone, and always in my pocket if I should need it. (Just remember to update your question if you get a new cell phone!)

Whether you’re implementing this feature on a website, or simply choosing your own security question - don’t pick something that others can easily guess or look up about you.

• password
• 123456
• qwerty
• abc123
• letmein
• monkey
• myspace1
• password1
• blink182
• (your username)

If so, please stop reading and go change it (but don’t forget to come back here!)

The list above is the top 10 MySpace passwords according to PC magazine, but if we add in the “Hackers” popular passwords of god, sex, love, and money, there’s a good chance we’ve guessed one of yours.

So why am I talking about passwords? It’s because I just had one of my email accounts cracked. The cracker then used my email account to gain access to other accounts of mine on different websites. All in all, it took a long time to repair what little damage they did; and it would have been a lot harder if I hadn’t caught it before they locked me out of my email account.

Don’t let somebody steal your online accounts. Here’s some tips you can follow to make sure your accounts are secure:

• Don’t use the same login on multiple sites
• Don’t use the same email for all your accounts
• Use different passwords on every site
• Make your passwords secure. If you need help generating one, try this tool (you don’t have to use all 63 characters.) Another great technique is to think of a mnemonic like “four score and seven years ago” and turn in into a password like “4Sa7Ya” (just don’t use that one!)
• Change your passwords at least once a month.
• Don’t give out your passwords to anybody, or any untrusted websites.

I know that secure passwords can be hard to remember, but that’s where Demoxi can help. Passwords stored in Demoxi are stored on your own computer - so there’s less risk of somebody hacking in. They’re also encrypted, so nobody will be able to read them without logging in to your Demoxi account on your computer.

Good luck.