Tuesday, May 16, 2006, 3:19 PM

Much Ado About Nothing?

Been busy. Six months without a post ... thought I'd better either shut the blog down, or start posting again. I decided in favor of the latter. And it just so happens that there is interesting stuff to post about...

"51% oppose NSA database" was USA Today's headline on Monday (at least it was on the copy I picked up in Hong Kong). Interesting. So I read through all the related articles.

The long and short of it is the NSA has been collecting phone call records directly from most phone companies. Qwest, according to USA Today, was the only one who didn't release their customers' records. 51% of the 809 people USA Today polled were against the idea. (Not sure how -- I always like to know how a poll was conducted). USA Today's editorial (written by Keith Simmons) agreed with the majority view.

I think we could get a little bit more practical about the problem, and move away from the privacy debate -- which typically degenerates to a religious debate based on one's normative beliefs on the relationship between the individual and society. Huh? :-) Right.

Why collect the data? To catch the bad guys, right?

Well, if you assume that the bad guys are stupid, they will register phones under their real names and use their personal credit cards to pay the bills. Everything traceable.

However, if the bad guys are a bit smarter, they would go out to the nearest Best Buy (Dixon's if they're in the UK) and get a pre-paid phone, using cash... buy lots of pre-paid vouchers (again, with cash)... and voilà! anonymous calling on a mobile phone. This might be a bit more expensive than regular phones, but a few bucks more on the phone bill is not a major consideration for these bad guys. And sure, if they are dumb enough to add credit to their phone with a personal credit card, or set up their phone from an ISP which can link the connection to them, then they might be hosed.

So, assuming a modicum of smarts in the bad guys, what is the reason for amassing personal phone records? I can't think of one. Can you?

Postscript: Here's one suggested by a friend: If you have a phone# linked to a well-known bad guy, the patterns of numbers the well-known phone calls might be useful information, even if there are anonymous phones involved. Well... serves them right for calling anonymous phones with well-known phones!

Wednesday, May 10, 2006, 2:27 AM

What Must Happen

The future of digital identity is set in the context of the evolution of digital systems. This article might be a bit off topic (in that it is not specifically about digital identity), but I think it's important for us to consider the bigger context of the evolution of digital systems.


When trying to figure out what technology to build, answering the question "what must happen" is a necessity. Not what would be good to happen, but what must happen...

Software that Runs Software: Software to date has been built for human use. But because of the sheer numbers of systems we are exposed to, the next generation of software needs to be software that runs software -- for humans. Agents, or meta-applications, if you will.

Dominant Systems Define Standards: All these attempts to define standards just result in a mishmash of "standards". Just about the only way to create widely adopted protocols is to create a dominant system, and then open it up. For example, Skype has a tremendous opportunity to set an industrial standard, if they open up fast enough and flexibly enough.

Sandboxes vs Always-On: (i.e. P2P vs Client/Server). Because the physical still matters, and ownership still matters, sandboxes are still needed, and will always be needed. Even if it is possible to be always on the network, the user might not choose to refer to a network resource, but rather, have a copy of it he/she manages. For example, instead of pointing to a web page on a website owned by someone else, the user might want a copy kept in his/her own blog or wiki -- just in case the owner changes it, or stops exporting it.

ASP systems (e.g. Salesforce.com) ultimately will reach full functionality only if they provide P2P facilities.

Synchronization Must Be Done Right: A corollary to the sandboxing trend is that synchronization as a science and engineering technique must be done right.

Lego My Servers: Servers are too complicated to set up and to run. Future servers will come in "Lego" building block format. Run out of disk space on your email server? Plug another email server "brick" next to your first, and the problem is solved. Want redundancy? Buy another two bricks, put them elsewhere, point them to the first pair, and you will have a hot-fail-over system. The bricks will be very specialized: email server, web server, directory server, file server, system admin servers, data servers, etc.

Of course strong security, including strong digital identity, is required in server bricks.

Evolutionary Revolutions: Respect Legacy. Systems that do not respect and work with legacy systems will fail (unless they perform a function that heretofore did not exist). That's why, also, the next generation of software will be meta-applications.

WHAT SHOULD HAPPEN (Normative Statements)

Here are a couple of things I believe should happen, but might not because short term commercial drivers might not be there to make them happen ...

Software for the Long Haul: All too often, we design software without thinking about the long haul. For example, 4-byte IP address space (which has long since run out of room) and 32-bit time integer in Unix (which will expire in 2038). See http://blog.onghome.com/2005/06/long-lived-software.htm.

Basic Software Engineering: Professional software engineering means that we hold ourselves up to the highest engineering standards. Basic issues like designing for testability, internationalization, code coverage, error handling, UI usability, etc. need to be part of what we do day-to-day in Software Engineering -- otherwise, we should just call it hacking.

[This article was initially written in December 2005.]