Past week I’ve been in Paris for the The European e-Identity Conference 2007 and ENISA Workshop
“Security Issues in Social Networking”. It has been very interesting.
There was a keynote by Kim Cameron, Microsoft’s chief identity architect. It has not been impressive, of course he is a good speaker and even funny, but he tried to make a pitch for Microsoft CardSpace. While he tried to be friendly and open stating more than once that he built it on gnu/linux, with php and mysql, I’m not impressed at all. I’m not an expert at all in identity but I bet that there are so many patents on Cardspace that Microsoft can control its evolution and use as it wishes.
On a general level I was very very surprised that in 2 days I heard nobody ever mentioning OpenID, probably because it is simple and mainly because it works and solves the issue it is devoted to solve. I guess lots of serious researchers have to consider it just a toy, we have to create things much more complicated otherwise how can we justify stellar budgets and years of … research? And what are we going to do later if we just find a simple solution that can be implemented in 1 week? This is a bit depressing I think.
Instead of simple solutions and discussions about what we could improve in OpenID, there were a lot of vendors basically saying “host all the identities of your firm, government, service in our servers and everything will work”. All of them with the same trivial techniques.
Well actually, I liked a lot the presentations of the workshop “Security Issues in Social Networking”. You can check the presentations. So, besides the many pitches (actually all of them during the second day when luckily I have to leave early to catch the flight, there were interesting talks and super cool people.

Alessandro Acquisti , Carnegie Mellon University, delighted us with great insights about “Imagined communities: awareness, information sharing and privacy: the Facebook case” (presentation). His research is in the economics of privacy and he revealed interesting facts about Facebook, for example, 89% of Facebook users reveale their real name. And 87% of CMU Facebook profiles reveale birthday, 51% reveale the address, 40% reveale their phone number (40%!). 61% of the posted images are suited for direct identification. Remember that this information will never disappear, it will stored forever in many computers (facebook servers, google servers, archive.org servers and … as the following discussion easily revealed, governments servers, secret agencies servers and probably many companies who can just afford to save everything and decide in future what to do with this information). There is an evident privacy risk of re-identification: 87% of US population is uniquely identified by {gender, ZIP, date of birth} (Sweeney, 2001), Facebook users that put this information up on their profile could link them up to outside, de-identified data sources
Facebook profiles often show high quality facial images, Images can be linked to de-identified profiles using face recognition. Some findings on Facebook: Non members rate privacy (concerns, worries, importance) statistically significantly (although only slightly) higher than members. Members deny they use Facebook for dating, however they state they think other members use it for dating. Majority agrees that the information other Facebook members reveal may create a privacy risk for them (mean Likert 4.92). They are significantly less concerned about their own privacy (mean Likert 3.60). Respondents trust the Facebook… more than they trust unconnected Facebook users. The survey about how much users know about Facebook’s privacy policy is interesting as well: “Facebook also collects information about you from other sources, such as newspapers and instant messaging services. This information is gathered regardless of your use of the Web Site.” 67% believe that is not the case. “We use the information about you that we have collected from other sources to supplement your profile unless you specify in your privacy settings that you do not want this to be done.” 70% believe that is not the case.

Another interesting presentation was presentation (pdf) “Security recommendations for social network communities” by Maz Nadjim of Rareface. He offered us six techniques for building and running safer social networking sites: Craft your guidelines, Build automated filters, Embrace your technology, Enlist your users, Make moderation actions visible, Moderation tools need love too. And he pointed us to their partner emoderation.com.

Other interesting presentations were “Social networking security issues for children” by Josephine Fraser of Childnet, “Implications of Social Networking behaviour for tomorrow’s citizens & workforce” by Mathieu Gorge of VigiTrust (I think he is the one who introduced that social networking sites are used by terrorists for recruting new members) and “Netlog – Experiences from a large-scale social networking application” by Lien Louwagie of Netlog (birth date is very often the secret question for getting back your forgotten bank password so it is not very sage to ask it and to show it on a social site). Thanks to this presentation I discovered Netlog, leader in Europe, multilanguage, to which I registered few minutes ago and, wow, there are thousands of people from Trento registered there, quite amazing the fact I missed it.

In the afternoon there was a great presentation by Tarvi Martens , National Certification Centre, Estonia about “Authentication in Estonia” (presentation in, warning, powerpoint). Estonia is surely the most tech-advanced country in Europe, they in fact call it E-stonia. Some facts: Population: 1.35M Internet usage: 56% Internet banking: 88% Mobile penetration: >100%. 1000+ Free Internet Access points. PKI penetration: >80%. Biggest national eID card roll-out in Europe. With your eID card you get an email address such as Forename.Surname@eesti.ee and a certificate for digital signature. You can login in banks with E-id card given by the state. You pay taxes online as well. And you can vote in election. They are rolling out the Mobile-ID, i.e. your ID is your mobile. With an ID card, you also have an OpenID and the state is your OpenID provider. During the coffee break I asked him how is it possible for me to get an Estonian ID card and the answer is that it is enough to work/study there for 3 months, I guess
this is one of my goals now, I would like to have a European government backed identity.
What I didn’t like about the conference was the dress code, can you imagine? There was a dress cose (casual smart or something like that, I don’t even know what this is and don’t bother to follow how other people tell me to dress). I had red trousers and an Electronic Frontier Foundation shirt while almost all the other people wear tie and suit, well I like to be different. And the EFF shirt was very useful, did I mention that there were many seller of biometric stuff for getting DNA information so that your identity can be checked by anyone anytime and anonymity is finally estirpated?
Last but not least I met Nicolas Debock, a guy who basically works as coolhunter (as in the Pattern Recognition novel by William Gibson) for La Poste, the french postal organization. His work is to track down what is trendy and to envision how La Poste can exploit it, embrace it and ultimately profit from it. We had 2 travel back from the hotel at the Charles De Gaulle airport to the center of Paris in which we share a lot of ideas about cool technologies but also alternative monetary systems, he is one of the founder of BarCampBank. This was really amazing. Actually he found the job by looking on the Web for “cool trends” or similar keywords, I think I need to do the same and to propose a similar position to the Italian postal organization, we’ll see.
What I also liked about the workshop is that after the workshop I’ve been invited to join a virtual group which is writing a collective paper about “Security of reputation and web-of-trust authentication systems”. The purpose of the exercise is to give relevant advice on important trends and threats to policy and decision makers in Europe. Of course I’ll try to push the usual mantra “trust is subjective, don’t squash controversial opinions and minorities but consider them opportunities” and such. I actually like the fact I can put in some way my activity at service of the European community, of course I’m not that naive to think that it will be really read by anybody or high level politicians and influence decisions but it is still better than nothing.
The last part of this long post (did I write somewhere that these posts are useful to me as memory of what the event was like, what I learned and how I felt? Then if this is useful to someone else as well, this is better but such a long post is primarily for me so that in one year I come back and I see what I was thinking and I learnt) is about the amazing hospitality I got via CouchSurfing.
Since the conference was at the CDG airport I tried to find something close to it and not in Paris. And in fact I was hosted by Heloïse et Laurent in Meaux. They were uber-kind! We met in the center of Paris and they offered to have a tour of Paris by car (never had it, and the traffic doesn’t seem too bad). And then they offered to bring me from their house to the conference hotel every morning, wow, amazing really! The second day we met in the center of Paris and we went to a concert of Mademoiselle Ka in a huge club in Pigalle and then to wander in a sexy shop (I never had as well!). Well they were amazing and they are also musicians (Heloïse has 906 friend on MySpace and she sings in the Cartel Couture that is basically the french Scissor Sisters, the genre is, uhm, pop punk sexy et eurodance déviante, but they also have a group together in which Laurent plays drums.
Well, just to conclude, the people I met via Couchsurfing surprise every time more. Every time I think this is the most amazing thing and then something overtakes this. Amazing. Really.