Tony Nadalin's presentation at eComm 2008



    1. Trust and Identity In Virtual Worlds and Collaborative Spaces. Anthony Nadalin, Distinguished Engineer, IBM
    2. Early Virtual Worlds & Collaborative Spaces Business Applications Commerce Collaboration and Events Education and Training Emerging Business Applications
    3. Trust and identity in virtual worlds and collaborative spaces
        • Think: Wikipedia, Second Life
            • International: open to everybody with access to the Internet
            • Collaborative: free information sharing, user-created content
            • Social: users can establish relationships with other users
        • Everybody can participate – and bad guys can act anonymously
            • Unclear basis for trust in the information you find in Wikipedia
            • Insufficient accountability for inappropriate content in virtual worlds
        • We are in the early days of commercial exploitation of these technologies
            • Resembling situation with electronic mail and spam 10 years ago
        • Trust and identity are key to the success of collaborative space – either way
            • Issues around trust threaten the continued success of collaborative spaces
            • Sound trust and easy to use federated identities enable new services
    4. Some examples of issues around trust and identity
        • Online Predators:
            • "… one of a half-dozen documented cases this past year alone in which older men used such Internet sites to set up sexual encounters with minor girls in Connecticut."
        • Illegal Content/Behavior:
            • "... reports about adult players with child avatars soliciting (paid) sex."
        • Online Harassment and Bullying:
            • "... abruptly cancelled her appearance at the O'Reilly ETech conference in San Diego, after receiving threatening and sexually graphic messages that made her afraid to leave her house."
        • Reputation Fraud:
            • "... eBay suspended accounts identified in the article, ... the forger merely moved the operation to another Internet auction site for a few months before returning to eBay, setting up new accounts and picking up where he left off."
        • False Claims:
            • "... claimed to hold doctoral degrees in theology and canon law as a tenured professor at a private university, he was in fact a community college dropout from Kentucky."
    5. Collaborative spaces and virtual communities
        Diagram labels: Multi-service Platforms; Social Computing; 3D/Realtime Internet/MMOGs; Common problem: Trust and Identity; Enterprise Customers & Governments
        * MMOG = Massive Multiplayer Online Game
    6. What is new, compared to 10 years ago?
        • History
            • Public key infrastructure (X509v3, SPKI, PGP, …), digital signature initiatives – late 90's
            • Microsoft Passport (= Windows Live ID) – 2000
            • Liberty Alliance – 2001
        • What changed?
            • Awareness for the role of digital identity
                • Post-9/11 security concerns
                • High-profile privacy incidents – e.g., TJX: lost 45.7 million payment card numbers
                • Identity theft – 3.7% of all US citizens were victims of fraud due to identity theft
                • More valuable data online, e.g., healthcare portals
            • Value
                • Increasing value of identity per se: more and better services
                • Increasing value of portable identity: Web 2.0 connects people and data across enterprise boundaries
                • Increasing demand for user-centric, portable, life-long identity, and reputation
                • Increasing demand for strong identity
    7. Scenarios
        1. Trusted Content
        2. Trusted Collaboration
        3. Trusted Roaming
        4. Trusted Delegation
        5. Trusted Aggregation
    8. Scenario 1: Trusted Content
        • Can I trust this collaborative space?
        • Is all content correct?
        • Is all content authorized?
        • Is all content appropriate for me?
        • What is the creator's reputation?
        • Can I trust this content?
        • Is this content correct?
        • Is this content authorized?
        • Is this content appropriate for me?
        • What is the creator's reputation?
    9. Scenario 2: Trusted Collaboration
        Diagram labels: Patrick; Paul; Request freetime
        • How can Patrick locate Paul's calendar?
        • Can Paul trust this request?
        • Is this request legitimate?
        • Who is this requestor?
    10. Scenario 3: Trusted Roaming
        I do have an avatar in Second Life
        I want to see what World of Warcraft is about
        • I want to stand in SL look over the bridge into WoW
        • I want to go from "left" to "right"
        • And both with a minimum of overhead – no new registration, no new avatar design, no new reputation
    11. Scenario 4: Trusted Delegation
        Give Alice the right to see Bob's images
        • How can Bob trust that only Alice sees the pictures, and how can he maintain control over the pictures?
        • How can Bob avoid telling the service who Alice is?
    12. Scenario 5: Trusted Aggregation
        Diagram labels: Bank; Health Insur.; Employer; Aggregator
    13. Scenarios
        • Interoperability of trust and identity systems
        • User-centricity, transparency, choice
        • Privacy and pseudonymity
        • Reputation of users and spaces
        • Cross-platform capability
        Specific Scenario
        1. Trusted Content: Trust in correctness and appropriateness of specific / of all objects in a collaborative space (e.g., Wikipedia, Second Life).
        2. Trusted Collaboration: Enable freetime-based scheduling of meetings across calendars in different enterprises, using different identity schemes.
        3. Trusted Roaming: Cross bridges from one virtual world to the other, carrying your identity (avatar, attributes, reputation) with you.
        4. Trusted Delegation: Give your friend access to your digital photos without the fear that the photo server knows who your friends are, or that your friends share your photos with others.
        5. Trusted Aggregation: Aggregate personal information through a portal, without fear of misuse or fear of identity theft, but with the added value of non-trivial aggregation.
    14. State of the Art
    15. Some Remarks on Policy
        • Identity
            • Online identities are essentially unregulated
            • Risk associated with using online identities is growing, number of high profile incidents will increase
                • Identity theft, e-banking, healthcare portals, reputation on eBay, …
            • Needed: best practices for trust and identity
        • Privacy
            • Privacy is a top concern for individuals
            • Similar privacy concerns and privacy regulations exist world-wide
            • Current privacy principles (OECD) seemingly collide with Web 2.0 paradigm: minimize vs. maximize info sharing
            • Needed: new societal norms and best practices
    16. Identity Technology
        • Status quo
            • Site-specific username / password
                • Low security, vulnerable to phishing, password management up to user
            • Application-specific identity
                • Sharing of identity information only within defined federations
        • Trends
            • User-centric identity
                • User controls release of identities and attributes
                • Decoupling of user's from service provider's view
                • Framework provides unified, abstract view on a multitude of specific identity systems
                • Security beyond username / password
                    • Username / password → tokens containing identity claims
                    • Framework approach enables strong mutual client-server authentication
            • Federated identity, portable identity in Web 2.0
                • Lightweight, decentralized identity provider for single sign-on
                • Fine-grained, user-controlled attribute sharing with privacy
    17. Reputation Technology
        Diagram labels: Summary of actual past behavior, by service provider; Real identity; Background check against external data; Peer reviews; portable; specific; Identity Verification, Identity Proofing = Strong Identity; Trust in specific attribute or future behavior?; Digital Identity
    18. Outlook
    19. Technology Outlook
        3. Future of Virtual Reality
        4. Future of Identity Systems
        • User-centric, transparent identity management
            • Service-specific identities are managed transparently
            • User can create as many identities as he or she wishes
            • User maintains full control over his or her privacy (e.g., pseudonyms)
            • Access to identities is secured through strong authentication
            • Privacy friendly service discovery and search will emerge
        • Portable identities
            • Immersive user interfaces yield rich identities and complex attributes and capabilities
            • Users expect to carry their rich identities from one space (application) to the next
        2. Future of Identity
        • Life-long personal identities
            • People act as "free agents" who manage their digital identities and capabilities independently of their current "employers" or "schools"
            • Identities and attributes become independent from identity providers, and can be freely moved between providers
            • Some will stay for a user's whole life, and need special protection
        1. Future of Identification
        • Strong identity proofing
            • Biometrics increasingly used to prove and authenticate identities
            • Online identity increasingly established through physical world identities
        Chart labels: BBC 2007; On average: 20 20% growth/year; IBM GIO 2006
    20. An eComm 2008 presentation – for more