Tag: identity

Some thoughts on Keybase, online security, and verification of identity

I’m going to stick my neck out a bit and say that, online, identity is the most important factor in any conversation or transaction. That’s not to say I’m a believer in tying these things to real-world, offline identities. Not at all.

Trust models change when verification is involved. For example, if I show up at your door claiming to be Doug Belshaw, how can I prove that’s the case? The easiest thing to do would be to use government-issued identification such as my passport or driving license. But what if I haven’t got any, or I’m unwilling to use it? (see the use case for CheapID) In those kinds of scenarios, you’re looking for multiple, lower-bar verification touchstones.

As human beings, we do this all of the time. When we meet someone new, we look for points of overlapping interest, often based around human relationships. This helps situate the ‘other’ in terms of our networks, and people can inherit trust based on existing relationships and interactions.

Online, it’s different. Sometimes we want to be anonymous, or at least pseudo-anonymous. There’s no reason, for example, why someone should be able to track all of my purchases just because I’m participating in a digital transaction. Hence Bitcoin and other cryptocurrencies.

When it comes to communication, we’ve got encrypted messengers, the best of which is widely regarded to be Signal from Open Whisper Systems. For years, we’ve tried (and failed) to use PGP/GPG to encrypt and verify email transactions, meaning that trusted interactions are increasingly taking place in locations other than your inbox.

On the one hand, we’ve got purist techies who constantly question whether a security/identity approach is the best way forward, while on the other end of the spectrum there’s people using the same password (without two-factor authentication) for every app or service. Sometimes, you need a pragmatic solution.

keybase

I remember being convinced to sign up for Keybase.io when it launched thanks to this Hacker News thread, and particularly this comment from sgentle:

Keybase asks: who are you on the internet if not the sum of your public identities? The fact that those identities all make a certain claim is a proof of trust. In fact, for someone who knows me only online, it’s likely the best kind of trust possible. If you meet me in person and I say “I’m sgentle”, that’s a weaker proof than if I post a comment from this account. Ratchet that up to include my Twitter, Facebook, GitHub, personal website and so forth, and you’re looking at a pretty solid claim.

And if you’re thinking “but A Scary Adversary could compromise all those services and Keybase itself”, consider that an adversary with that much power would also probably have the resources to compromise highly-connected nodes in the web of trust, compromise PKS servers, and falsify real-world identity documents.

I think absolutism in security is counterproductive. Keybase is definitionally less secure than, say, meeting in person and checking that the person has access to all the accounts you expect, which is itself less secure than all of the above and using several forms of biometric identification to rule out what is known as the Face/Off attack.

The fight isn’t “people use Keybase” vs “people go to key-signing parties”, the fight is “people use Keybase” vs “fuck it crypto is too hard”. Those who need the level of security provided by in-person key exchanges still have that option available to them. In fact, it would be nice to see PKS as one of the identity proof backends. But for practical purposes, anything that raises the crypto floor is going to do a lot more good than dickering with the ceiling.

Since the Trump inauguration, I’ve seen more notifications that people are using Keybase. My profile is here: https://keybase.io/dajbelshaw. Recently, cross-platform apps for desktop and mobile devices have been added, mearning not only can you verify your identity across the web, but you can chat and share files securely.

It’s a great solution. The only word of warning I’d give is don’t upload your private key. If you don’t know how public and private keys work, then please read this article. You should never share your private key with anyone. Keep it to yourself, even if Keybase claim it will make your life easier.

To my mind, all of this fits into my wider work around Open Badges. Showing who you are and what you can do on the web is a multi-faceted affair, and I like the fact that I can choose to verify who I am. What I opt to keep separate from this profile (e.g. my gamertag, other identities) is entirely my choice. But verification of identity on the internet is kind of a big deal. We should all spend longer thinking about it, I reckon.

Main image: Blondinrikard Fröberg

3 things we need for the next big frontier in Open Badges and digital credentials

Just less than a year ago, I wrote a post entitled Why the future remains bright for Open Badges. There had been some turmoil in the ecosystem, and the ‘horses’ looked like they were getting spooked. I used Gartner’s hype cycle as a ‘convenient hypocrisy’ to explain that, at that point in time, the badges community was on the downwards slope towards the Trough of Disillusionment.

Right now, I think we’re coming out of that trough. We’re beginning to see people and organisations looking beyond individual badges towards connected credentials. There’s also renewed interest in badges as creating local ecosystems of value. Not only is LRNG continuing to expand, but the RSA is actively exploring ways in which badges could connect learning experiences across towns and cities.

For me, the key thing about the web is identity-at-a-distance. When I’m in front of you, in person, then the ‘three-dimensionality’ of my existence isn’t in question. There’s something about the bandwidth of in-person communication that is reassuring. We don’t get that when projecting a digital image of ourselves.

As an educator, I think the great thing about Open Badges is that they are packaged-up ‘chunks’ of identity that can be put together like Lego bricks to tell the story of who a person is, and what they can do. The trouble is that we’re used to thinking in silos, so people’s (understandable) immediate reaction is “can I put my badges on LinkedIn/Facebook/somewhere else I already have an account”. While the short answer is, of course, “YES!” there’s a longer, more nuanced answer.

This longer answer pertains to a problem, which like invasive advertising as a business model, seems almost intractable on the web. How do we demonstrate the holistic, yet multi-faceted nature of our identities in online spaces?

I helped set up, but then withdrew from, a group of people looking at ways in which we could use blockchain technology with badges. The trouble is, as Audrey Watters so eloquently pointed out in The ideology of the blockchain, that the prevailing logic when both technologies are used together is be to double-down on high-stakes testing. I’d rather find a way that recognises and fits human flourishing, rather than reductively retro-fitting our experiences to suit The Machine.

3 things we need to move forward

As I often mention during my presentations, the problem with linking to a particular venture-capital backed social profile (even if it’s LinkedIn) is that it shows a very two-dimensional version of who you are.

1. Progression pathways

What we need is a platform (ideally, decentralised and built upon interoperable standards) that allows individuals to display the badges they have, the ones they want, and — through an online dashboard — a constellation map of paths they can follow to employment or levelling-up their skills.

I’m not mentioning particular vendors in this post, but I feel that there are several platforms that are moving towards this model.

2. Granular permissions

Something else which would help on the identity front is the separation of badge display from badge evidence store. In the same way that YouTube allows you granular permissions over who has access to your videos, so platforms should allow you to make your badges public, but, if required, restrict access to linked evidence.

The only examples of this I’ve seen are people taking this into their own hands, by ensuring that the web address for the evidence going into the badge is under their own control. For example, if you put evidence in Google Docs, you can make that URL be entirely private, shared with specific people, publicly accessible, or fully searchable.

3. Long-term storage

We’re at the stage now where there are large enough vendors within the badges ecosystem to be ensure the long-term survival of digital credentials based on an open metadata standard. However, individual vendors come and go, and some ‘pivot’ towards and away from particular platforms.

For individuals, organisations, and institutions to be confident of establishing their long-term identity through badges, it’s important that the demise or pivot of a particular vendor does not unduly effect them.

The best way to do this that I’ve come up with is for there to be a non-profit explicitly focused on ‘deep-freeze’ storage of digital credentials, based on a sustainable business model. I know that there were conversations with the Internet Archive when I was at Mozilla, and there’s definitely a business opportunity using Amazon Glacier or similar.

Next steps

I often talk about solutions that ‘raise all of the ships in the harbour’. It’s relatively straightforward to build a platform that extracts the most amount of money out of customers. That’s a very short-term play. Open Badges is an open metadata standard that connects everyone together.

These three suggestions will allow the Open Badges ecosystem become an even more flourishing marketplace of digital credentials. For employers, it means they are not forced to use chunky ‘proxies’ such as degrees or high school diplomas when they’re looking for a particular combination of skillsets/mindsets. Educational institutions can return to being places of learning rather than examination factories. And, perhaps most importantly, individuals can show what they know and can do, in a flexible, holistic, market-responsive way.


New to Open Badges? Bryan Mathers and I put together this community course to help you get up-to-speed with the basics.


I consult on identifying, developing, and credentialing digital skills as Dynamic Skillset, which is a part of We Are Open co-op. I’m looking to partner with organisations looking to use Open Badges as the ‘glue’ to build learner identity on the web. With my We Are Open colleagues, we’ve already got one City Council exploring this, and we’d like to talk to more forward-thinking people.

Get in touch: hello@nulldynamicskillset.com / doug@nullweareopen.coop

Digital Literacy, Identity and a Domain of One’s Own [DML Central]

My latest article for DML Central has just been published. Entitled Digital Literacy, Identity and a Domain of One’s Own, it’s an attempt to get beyond ‘ownership’ to think about identity online.

Here’s the final paragraph:

A world where one’s primary identity is found through the social people-farms of existing social networks is a problematic one. Educators and parents are in the privileged position of being able to help create a better future, but we need to start modeling to future generations what that might look like. Let’s start with a domain of our own, but let’s keep pushing that envelope in terms of our digital skills to fully realize our own digital identities.

Read the post in full

I’ve closed comments here to encourage you to add your thoughts on the original post. You may also like another recent post of mine if you’re into this kind of thing.

What do new Social Networks tell us about Digital Literacies?

20110711-053222.jpg

As I mentioned in a previous post, I’ve started to blog occasionally for DMLcentral. My first post has now been published and is available here. 🙂

Digital literacy and the public/private boundary

Dave White writes:

Social media platforms, with their inherent hyper-connectivity require the user to hold highly complex multi-dimensional maps of them as social spaces, with many thresholds of differing permeability. It’s a long way from closing-the-front-door type methods of creating privacy boundaries. Some people are very skilled at managing the ‘edges’ of these social maps and manage their digital identities with great skill and to great effect. The rest of us have come to expect occasional moments of disjuncture.

I would argue that our notions of the public and the private don’t yet account for the width of these social thresholds or for the speed at which they can shift. We constantly negotiate the boundaries between the public and the private but we have an expectation that these boundaries, while moving, will remain sharp. The web and especially social media platforms defocus our understanding of these boundaries. Our ability to map and remap our relationship with these social thresholds is a key form of digital literacy, and possibly a new life-skill (if I can call it that).

Dave brings up an important element of digital literacy here: the ability to negotiate multiple spaces, some purely digital and some blended. This will inevitably involve shifts, even subtle ones, in the way that an individual projects themselves into that space. The boundary between this as a ‘literacy’ (reading/writing oneself) and a life-skill is itself blurred, I would suggest.

Literacy -> Digital Flow: digital epistemologies & ontology.

This post comes from my (ongoing) Ed.D. thesis, which can be read in full over at http://dougbelshaw.com/thesis. You may want to check out my wiki to follow up references.

CC BY-SA luc legay

Some would reject the idea of a dialectic when it comes to literacy. Instead of encouraging an interplay of old and new conceptions of literacy, they would espouse a clear demarcation. New technologies call for new literacies – and perhaps, epistemologies:

[A] seemingly increasing proportion of what people do and seek within practices mediated by new technologies – particularly computing and communications technologies – has nothing directly to do with true and established rules, procedures and standards for knowing. (Lankshear & Knobel, 2006:242-3)

There are three main reasons why “what people do and seek within practices mediated by new technologies… [have] nothing to do with true and established… standards for knowing.” The first relates to the personality traits of people involved. A common internet saying is that “the geeks will inherit the earth” – certainly they are the early adopters, the first to figure out ways of using new technologies. By the time technologies reach the mainstream they are far from neutral having been tried, tested, accepted, rejected or accommodated by a ‘digital elite’. Skewed epistemologies can lead to skewed literacies.

The second reason why practices surround technology-mediated practices are different is down to identity. Digital interaction removes a layer of physicality from interactions. This can be liberating in the case of, for example, a burns victim or someone otherwise disabled or disfigured. It can also be ‘dangerous’ as individuals are often able to remain anonymous in online interactions. Physical interactions are bounded by time and space in a way that digital interactions are not. Whilst asynchronous interactions have been possible since the first marks were made in an effort to communicate, digital interactions go beyond what is possible with the book. In the latter, it is difficult to accidentally take something out of context as one has to deal with the book in its entirety. With digital interactions, however, it is much easier to misrepresent and distort the truth, even accidentally. Interactions and texts tend to be shorter online. Thus, in the fight for the soundbite distortion can take place.

Third, practices mediated by technology are different because of the element of community involved. Traditional Literacy, is predicated upon a scarcity model of education and exclusionist principles. An example of the latter is a near-synonym of ‘literate’ as ‘cultured’ (in the sense of having a knowledge of ‘high’ culture). Communities on this model are based on the who rather than the what – identity rather than interest. With technology-mediated practices, even ‘niche’ interests can be catered for.

These, then, are three reasons new technologies can be linked to new epistemologies. Whether new epistemologies necessarily lead to new literacies is an interesting question. As Erstad notes in quoting Wertsch (1998:43), all interaction is mediated and involves social and psychological processes. This is transformed when technology is used to do the communicating:

Regardless of the particular case or the genetic domain involved, the general point is that the introduction of a new mediational means creates a kind of imbalance in the systemic organization of mediated action, an imbalance that sets off changes in other elements such as the agent and changes in mediated action in general. (quoted in Erstad, 2008:180-1)

It is at this point that Lankshear and Knobel’s demarcation between ‘conceptual’ and ‘standardized operational’ definitions of literacy becomes useful. Conceptual definitions are what primarily interest us here – the extension of literacy’s “semantic reach” as opposed to ‘operationalizing’ what is involved in digital literacy and “advanc[ing] these as a standard for general adoption” (Lankshear & Knobel, 2008:2,3).

Instead of coining terms and giving existing concepts a ‘digital twist’, those who reject the dialectical approach propose ‘New Literacies’. They would reject Gilster’s (1997:230) assertion that ‘digital literacy is the logical extension of literacy itself, just as hypertext is an extension of the traditional reading experience.’ Instead, New Literacies theorists such as Lankshear and Knobel believe that ‘the more a literacy practice privileges participation over publishing, collective intelligence over individual possessive intelligence, collaboration over individuated authorship…, the more we should regard it as a ‘new’ literacy” (Lankshear & Knobel, 2006:60).

In an attempt to flesh out this conception of New Literacies, however, the authors tie themselves up in knots, so to speak. By seeking to explain what is ‘new’ about New Literacies, Lankshear and Knobel make reference to ‘a certain kind of technical stuff – digitality’ (2006:93) which seems to somewhat beg the question. What is ‘digitality’? They do concede, however, that ‘having new technical stuff is neither a necessary nor a sufficient condition for being a new literacy. It might amount to a digitized way of doing ‘the same old same old’.’ The authors attempt to deal with the difficulty of New Literacies involving identity by demarcating between ‘Literacy’ and ‘literacy’. Their demarcation is worth quoting in full (my emphasis):

Literacy, with a ‘big L’ refers to making meaning in ways that are tied directly to life and to being in the world (c.f. Freire 1972, Street 1984). That is, whenever we use language, we are making some sort of significant or socially recognizable ‘move’ that is inextricably tied to someone bringing into being or realizing some element or aspect of their world. This means that literacy, with a ‘small l’, describes the actual process of reading, writing, viewing, listening, manipulating images and sound, etc., making connections between different ideas, and using words and symbols that are part of these larger, more embodied Literacy practices. In short, this distinction explicitly recognizes that L/literacy is always about reading and writing something, and that this something is always part of a large pattern of being in the world (Gee, et al. 1996). And, because there are multiple ways of being in the world, then we can say that there are multiple L/literacies. (Lankshear & Knobel, 2006:233)

Earlier, Lankshear and Knobel moved from new technologies to new epistemologies, here they move from ontology to literacy. It is not clear, however, that such a move can be sustained. What do the authors mean by stating that ‘there are multiple ways of being in the world’? What constitutes a difference in these ways of being? Does each ‘way of being’ map onto a ‘literacy’? The authors claim that to be ‘ontologically new’ means to ‘consist of a different kind of ‘stuff’ from conventional literacies’ reflective of ‘larger changes in technology, institutions, media and the economy… and so on’ (Lankshear & Knobel, 2006:23-4).

This is so vague as to be effectively meaningless.

Google: excellence and diversity?

Quentin Hardy, Forbes:

Your day begins with a wake-up call from your Google Android phone. As you run to the shower, you hit Google News and check headlines, then Gmail. Your first appointment of the day has been moved to a new location; Google Maps will direct you there. Quickly update your expense report–including the printout of that sales presentation using, say, Google Template–and shoot them to the back office in India (in Hindi, if you prefer, with Google Translate). Your boss wants to discuss your group’s contributions to some marketing documents? Lean on Google Groups. You’re not even out the door yet. You have the rest of the day to search for work-critical information on the Web while you’re at the office–to say nothing of snatching a few moments to download a game, check stock prices, organize your medical records, share photos and pick a restaurant and movie for the evening. How convenient.

I love Apple stuff. I love Google stuff even more because it’s free, is often the best solution, and most of the time promotes collaboration and sharing. However, I’m a bit concerned that they could know a little too much about me. Here’s the Google stuff I use currently:

  • Google Chrome web browser
  • Google Apps (personal)
  • Google Apps Education Edition (at work)
  • Google Picasa
  • Google Product Search
  • Google FastFlip
  • Google Maps
  • Google Dictionary

I wasn’t very far away last month from purchasing AlertMe Energy for our house. This uses Google PowerMeter to show how much energy you are using at home. It’s better than the LCD display we’ve got currently, but I was a bit uneasy about it – for the same reasons that I would be about using Google Health.

It’s all very well using the best stuff, but at what cost? All it would take is a government requisition of the data from one company and, if I used Google PowerMeter and Health in addition to the products I already use, they could know:

  1. What I’ve been looking at online.
  2. The names of my family and friends.
  3. Where I’ve been recently.
  4. Who I’ve been communicating with and what about.
  5. What I look like, as well as what my friends and family look like.
  6. My political bias.
  7. How much energy I’ve been using at home.
  8. My health record.

I think that’s too much information to put into the hands of one company, even if there mantra is Don’t be evil.

So I won’t be buying an Android phone. I won’t be buying AlertMe Energy (or any other service that uses Google PowerMeter) or using Google Health either.

I have to say that it’s a potential problem, not an actual one at the moment… I’ll keep you updated.

Further reading:

css.php