Episode 9: Online authentication with social networking sites

Posted April 02, 2008, Wed, 02 Apr 2008 19:43:00 GMT

Editor Zack Martin examines the missing links in protecting and authenticating online identity for social networking sites, especially for minors. With sites like MySpace and Facebook having millions of users, some younger than ten years old, people want to talk about how to protect the children. But at what cost? And will strong authentication ever become mandated by the government for social networking sites much like new strong authentication requirements for financial institutions? All this and more during a discussion between Zack and host Ryan Kline.


Visit http://www.secureidnews.com/podcasts for older podcasts.

To see an interview with Ashley Grills and her role in a MySpace scheme linked to a girl’s suicide, visit ABC.com.


Social networking sites have little to no identity verification

Posted March 31, 2008, Mon, 31 Mar 2008 19:03:00 GMT

But this must change
By Zack Martin, Editor

When trying to get into a bar or club there is typically someone at the door checking IDs. But on social networking sites there is no bouncer, which means there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man.

It’s the same no matter where you go. MySpace, Facebook and professional networking site LinkedIn do little to make sure people are who they claim to be. “There is a general feeling that social networking is the wild west of identity management and a lot of bad things happen because proper controls haven’t been put in place,” says Roger K. Sullivan, president of the Liberty Alliance Project management board.

The stories range from the tame to the tragic.

A student unhappy with an administrator at school creates a profile on a social networking site. Even though the student is a woman, she creates a profile as a man and then flirts with the administrator in order to cause her embarrassment later.

At a Catholic school in the Chicago suburbs, an administrator monitors the popular social sites on a regular basis just to make sure nothing out of the ordinary is happening. She has run into instances where students create accounts in other peoples’ names – people who actually exist – and then make false statements. For example, one student set up an account as a real person from another school and made statements about the student’s sexual proclivities while giving out her real phone number.

In 2006, a fake profile led to the suicide of a 13-year-old Missouri girl. A classmate’s mother originally created the profile to find out if Megan Meier was saying anything bad about her daughter. But then it was used to gain Meier’s confidence and then to tear her down. Angry messages went back and forth, and it ended with Meier hanging herself.

There’s also the need to prevent pedophiles from contacting children online. MySpace has agreed with different states’ attorneys general to adopt better technologies that will help identify underage users so they can be protected from predators, but the social networking site hasn’t figured out how it’s going to do it.

The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.

But this may all change. As sites become more scrutinized they will have to take steps to make sure people are who they say. “There will be a trend to use a third party that leverages database information that will be able to vouch for you and provide a more certain level of identification,” says Eric Skinner, chief technology officer at Entrust, an Addison, Texas-based digital identification vendor.

There are a handful of vendors that are offering online identity vetting. Most are working with financial institutions, but they see business opportunities with the social networking sites.

eHarmony and others offer optional identity services

Pasadena, Calif.-based eHarmony.com is offering identity verification technology to its members, says a spokesperson for the company. The dating web site is using technology from Dallas-based RelyID.

“Many users are new to the whole world of online dating and sometimes need a little more encouragement to get off the fence to reach out to their matches,” says the eHarmony spokesperson. “We saw RelyID as another way to help people take that first step.”

The service is voluntary for eHarmony members, who must pay an additional $5.95 fee to participate. Members who want to be authenticated provide their full legal name, address and date of birth. RelyID’s technology then checks public and financial records databases and comes back with a multiple choice quiz based on an individual’s personal data, such as names of relatives and latest financial transaction, says Pat Mangacotti, vice president of business development at the company.

If an individual answers the questions correctly, the ID will be verified and they receive an authentication badge on their profile. If they don’t answer the questions correctly they can come back and take the quiz again within 72 hours, Mangacotti says. If they can’t be verified after taking the quiz a second time they can then present government-issued identification to RelyID’s customer support team.

Reaction to the service has been positive, says the eHarmony spokesperson. But the company would not say how many members have chosen to use the RelyID service. “In a few cases, where certain customers may have been new to online dating, they have told us that seeing a user’s RelyID badge got them off the fence and let them confidently reach out to a particular eHarmony member,” the spokesperson says.

Mobile social networking service Funky Sexy Cool is offering identity verification to all its members at no additional cost, says Tim O’Connor, CEO of the New York-based company. But members have to choose to go through the process. Funky Sexy Cool enables members to find other like-minded individuals in the same geographic area to hang out with. For example, a member can send out a message to his friends saying he’ll be at a certain club or bar.

When first registering for Funky Sexy Cool potential members can click a box that will enable them to be verified, O’Connor says. If they choose to go through the process they will be asked for information, such as full name, last four digits of the Social Security number and date of birth. Funky Sexy Cool is using ID verification technology from IDology Inc., Atlanta.

IDology searches public databases to confirm an identity, says a company spokesperson. The company’s technology searches driver license records, property records and similar databases.

To sign up for Funky Sexy Cool a user must already claim to be 18 years old, O’Connor says. The site doesn’t require age or ID verification because they don’t want too many steps to register for the site. “If you make too many things mandatory people between the ages of 18 and 34 won’t join,” he says.

O’Connor says there is a need for some sort of age or identity verification, but the companies that run these sites walk a fine line. “I want to be part of a group that enforces age verification,” he says. “But if you have registration that is cumbersome and difficult you won’t get the members. We’re trying to gauge member reaction and see what happens.”

Cost is another problem, O’Connor says. IDology charges about 37 cents per ID verification, which doesn’t seem like much at first. But when dealing with hundreds of thousands to a million members the cost rises quickly. “We need to increase ad revenue so we can defer some of that cost,” he says.

Minor difficulty

But the problem of identifying minors remains. The technologies that some sites use to prove an identity use public records and databases and minors don’t have any information in those systems. “There isn’t a technology that exists today that can confirm a minor’s identity online,” says a MySpace spokesperson. IDology and RelyID say they wouldn’t be able to identify minors with their technology.

It would also be difficult to just confirm age without needing additional information, says Ant Allan, research vice president at Gartner Inc., Stamford, Conn. This would raise privacy concerns, especially when dealing with minors. “The younger you are the less information appears in the databases,” he says. “And when you’re on the borderline, their identity proofing systems won’t come back with anything. Also, someone could be 18 to 21 years old, and they may not have amassed enough information to return a positive result.”

Liberty Alliance’s Sullivan, who is also vice president of Oracle Identity Management, says it’s only a matter of time before social networking sites offer tiers of identification assurance, which could be used to confirm a minor’s identity. For example, if a 14-year-old wanted to sign up on MySpace without a parent’s permission they would be placed on the lowest ID tier. “They would be put into a question mark bucket,” Sullivan says.

But if one parent went online and confirmed his child’s identity they would be raised up a tier. If both parents did it they would go up two tiers. The parents would be authenticated through public records and online databases.

Eventually there would be a fourth tier as well. A minor would physically go to a trusted source with documents that prove their age and identity. These identity assurance sources don’t exist, but it’s something the Liberty Alliance is working toward, Sullivan says.

Already authenticated?

But what about those individuals who want to remain anonymous online? They’re not pedophiles or out to harm anyone, but they just don’t want their true identity revealed.

“There are some social networking sites where people want to be associated with the real world identity and others where they don’t,” Allan says. “If the folks running MySpace and Facebook insist on some level of identity proofing, it might discourage people from joining.

“The needs here vary and I don’t think it’s clear cut that social networking sites have to have the same level of authentication and identity proofing as financial services sites.”

For social sites there doesn’t have to be a strong link to the real-world identity, Allan says. “If you’re trying to prevent something obscene from being posted there is recourse through the usual channels like finding their IP address,” he says. “For the majority of reasonably well-behaved people it’s not so important.”

For sites where reputation might hold a bit more importance, such as LinkedIn, there is a type of hierarchical identity proofing that exists on the sites, Allan says. “The network is part of the identity verification,” he says. “Once you get a certain number of people it establishes you and is a way of acknowledging your identity. Depending on the rigor people are looking for that network might be enough to confirm a person’s identity, but other times you might need something else that can be verified.”


Microsoft Windows Server 2008 supporting Gemalto smart cards

Posted February 27, 2008, Wed, 27 Feb 2008 19:36:00 GMT

Gemalto Inc. and Microsoft Corp., Redmond, Wash., have announced .NET smart card technology with support built into Microsoft Windows Server 2008. France-based Gemalto also announced its support for Windows Server 2008 with its Strong Authentication Server and family of two-factor security devices.

These solutions are designed to strengthen Windows Server 2008 security for enterprises and help protect digital identities, secure data and applications, and address the security risks of user names and static passwords.

Support for Gemalto .NET smart cards is also built into the Windows platform. This integration enables the cards to work seamlessly with Microsoft’s Terminal Services, Active Directory Domain Services, Active Directory Federation Services, Active Directory Certificate Services, smart card login and the powerful new virtualization features, while eliminating the need for middleware integration.

Gemalto’s security devices available for immediate use with Windows Server 2008 range from one-time password tokens to its latest Smart Enterprise Guardian. The SEG is a joint development with Lexar that provides up to 2 gigabytes of smart card protected data storage and Gemalto .NET software for strong authentication and digital signature in one USB device.


Gemalto tapped for Slovenian health project

Posted February 19, 2008, Tue, 19 Feb 2008 20:50:00 GMT

Gemalto is providing smart cards to Slovenia for the country’s electronic health project. This new health card is the first in Europe to feature a Java public key infrastructure that will secure the online health system via a digital signature for health professionals.

Cetis, a Slovenian secure document printer, will operate the personalization of the cards and the PKI infrastructure. ZZZS, the Health Insurance Institute of Slovenia, is in charge of the National Health Insurance Card System, and will act as system integrator and will issue the cards to the citizens. Gemalto will provide its Coesys Issuance solution to Slovenia that consists of middleware, digital signature capabilities, software applications, applets and cards.

The latest generation of cards for Slovenia will enhance online services for health professionals by enabling them to go through their administrative tasks faster and exchange medical data and messages with hospitals and other health professionals in an easy and secure manner. The whole solution ensures backward compatibility with the existing infrastructure.

In 2000, Slovenia was among the very first countries, with France, to introduce smart card-based health cards. The country is now renewing and upgrading the 2 million e-health cards currently in circulation in the country.


Google TechTalks: Introduction to Digital Identity 1

Posted January 24, 2008, Thu, 24 Jan 2008 18:12:00 GMT

Stefan Brands and Google presented Introduction to Digital Identity as a Google TechTalk on January 25, 2007 at Google headquarters.

The video covers many aspects of digital identity, including security and privacy, and is about 58 minutes in length.

Identity management is increasingly recognized as a cornerstone of electronic communication and transaction systems. Applications such as electronic commerce, social networking, electronic health record management, government online, and enterprise identity and access management all critically rely on the ability to manage, provision, and authenticate the “identities” of people, devices, processes, and other entities. Three approaches to identity management can be distinguished: silo identity management, federated identity management, and user-centric identity management. Each of these has unique characteristics with regards to security, privacy,…



Singapore may use Dynamic Isolation of Virtualized Applications (DIVA) technology to manage citizen's digital identity

Posted October 02, 2007, Tue, 02 Oct 2007 13:55:00 GMT

The government of Singapore has developed technology that allows citizens to manage their digital identity with the help of flash-based devices. The OS-independent application, unveiled in October at the Governmentware 2007 conference and named DIVA for Dynamic Isolation of Virtualized Applications, is loaded on portable flash-based storage and can be used with mobile devices and PCs. The core function of the software is to verify the identity of the user in electronic transactions, and it serves as a form of “mobile identity” and two-factor authentication. DIVA is the next iteration of a previous smart card chip-based technology named DORIS (Digital Online Registration and Identification System), but protects a user’s identity with software rather than hardware tools. Whether individual organizations adopt this new identity protection scheme is up in the air.

Read the full article in BusinessWeek.


Novell-led Bandit Project Launches 'Control Your Identity' Campaign

Posted October 01, 2007, Mon, 01 Oct 2007 16:04:00 GMT

Campaign encourages use of information card technology

SAN FRANCISCO, September 24, 2007 /PRNewswire/, Digital ID World Conference–To drive better, more secure user management of Internet identities, the Novell-led open source Bandit™ Project today kicked off the “Control Your Identity” campaign to promote awareness and use of information card technology. Recognizing that millions of people who access Internet services each day are frustrated with entering identity data and managing passwords at multiple Web sites, the Bandit Project has launched an initiative to give users access to “Bandit Cards”–digital identity cards for use in Web transactions. To easily manage their Bandit Cards, visitors to the campaign Web site can obtain the Bandit Project’s open source Linux¹ and Macintosh¹ cross-platform DigitalMe® information card selector and Microsoft Windows¹ CardSpace selector.

“Information card technology can no longer be considered vaporware–it’s real and it’s here,” said Bob Blakley, principal analyst at Burton Group. “Information cards help to reduce the use of passwords and provide user experience advantages over today’s environment. They may enable new applications and business models based on innovative uses of identity information.”

As part of the “Control Your Identity” campaign launch, Novell will conduct a live demonstration of the Bandit Project’s DigitalMe and Windows CardSpace information card selectors using Bandit Cards to perform identity transactions online at the Digital ID World Conference this week in San Francisco. Further promotion will take place at various IT industry events over the next six months, culminating at Novell’s annual BrainShare® user conference in March 2008. The campaign Web site is built completely on an openSUSE® platform and uses open source identity components from the Eclipse Higgins Project and Pamela Project. Incentives on the Web site for users to obtain Bandit Cards include prizes and contests. For more details, visit the “Control Your Identity” Web site: https://cards.bandit-project.org.

The campaign is being supported by Microsoft, helping to ensure that all users, regardless of operating system, have access to information card technology. Other identity community partners are expected to join in the near future.

“Microsoft believes information card technology, such as Windows CardSpace, is an integral part of a security-enhanced, interoperable identity metasystem,” said Kim Cameron, chief identity architect in the Connected Systems Division at Microsoft Corp. “With this campaign, the Bandit Project is removing another barrier to the worldwide adoption of simple, trusted Internet identity management technology. It is not enough to create next-generation identity solutions, it’s also important that users are given the tools and incentives to utilize the technology.”

In a consumer environment, information cards (digital identity cards) are either self-created or obtained from third-party companies and contain identity data, such as name, address, e-mail and credit card information. Information card selectors are used to manage, update and create information cards. This allows for a user-centric identity model, where users, not Web sites, control how sensitive identity information is presented, and it eliminates the need for users to manually create, provide and update identifying data at multiple Web sites. When the user visits an information card-compatible Web site and performs a transaction, such as purchasing an item, the information card selector enables a list of digital cards to be presented. The relevant digital card is selected and credentials are sent to an authorizing third-party site, for example, a credit card company, which verifies that the user has the necessary funds to perform the purchase. Authorization is securely sent back to the original site, and the transaction is completed.

Information cards are also useful in enterprise environments, where, for example, an employee can be provided with a company identity card that gives him or her access to outsourced payroll systems, benefits information or discounts at their employer’s partner e-commerce Web sites. In the future, enterprises will be able to use solutions, such as Novell® Access Manager, to set up a simple interface that accepts information cards, allowing for better control of access to federated Web applications.

“The next generation of identity-management is ready for use and Bandit is at the forefront of driving its adoption,” said Dale Olds, Novell distinguished engineer and Bandit Project leader. “A few months ago we made available a cross-platform information card selector that was functionally equivalent to Windows CardSpace. Now we are working on putting information card technology into the hands of everyone who can benefit from it.”

About Bandit

Bandit is an open source project, sponsored by Novell, that is developing open source identity services to provide organizations with a consistent approach to enterprise identity management challenges such as secure, role-based access and regulatory compliance reporting. As an open source project, it is also a community of developers–part of a larger identity and security community–that organizes and standardizes identity-related technologies in an open way, promoting interoperability, collaboration and further innovation. For more information, please visit: http://www.bandit-project.org/.

About Novell

Novell, Inc. delivers infrastructure software for the Open Enterprise. Novell is a leader in enterprise-wide operating systems based on Linux and open source and provides the enterprise management services required to operate mixed IT environments. Novell helps customers minimize cost, complexity and risk, allowing them to focus on innovation and growth. For more information, visit http://www.novell.com.

Novell, Digitalme and openSUSE are registered trademarks, BrainShare is a registered service mark, and Bandit is a trademark of Novell, Inc. in the United States and other countries. ¹Linux is a registered trademark of Linus Torvalds. All other third-party trademarks are the property of their respective owners.


British Columbia to test digital identification cards

Posted September 27, 2007, Thu, 27 Sep 2007 13:55:00 GMT

Early next year, the government of British Columbia, Canada, will begin tests on an “information card” which will ease and secure citizens’ interactions with online services. Current access to government services requires logging on with a name and password, but the new document to be delivered to citizens has a “digital signature which can’t be changed or reproduced”. The Ontario privacy commissioner has praised the cards, which mean the end of stolen or lost passwords, less possibility for phishing, and less storage of sensitive and personal information.

Read the full article at CBC News.


Liberty Alliance Announces IDDY Awards Ceremony at DIDW 2007

Posted August 06, 2007, Mon, 06 Aug 2007 15:37:00 GMT

The Liberty Alliance is taking nominations for proof-of-concept application deployments which incorporate Project Liberty’s open identity standards for the 2007 IDDY awards. In 2006, recipients of the IDDY awards included EduTech, which deployed a solution in New York State educational agencies, Deutsche Telekom AG with a deployment of Liberty Federation to 12 million customers in Germany, and the UK Government Authentication Gateway, which provides eGovernment services to around 8 million citizens. Brett McDowell, executive director of the Liberty Alliance, says the awards will “uncover a variety of applications designed to deliver real identity management value to users and organizations today and over the long term.”


The IDDY recognizes identity-based applications built using Liberty Federation, Liberty Web Services, Liberty People Service and Liberty Advanced Client specifications. This year’s call for nominations includes an Emerging Application category designed to shine a spotlight on the proof-of-concept applications leveraging the security, privacy and proven interoperability of Liberty’s open identity standards. Individuals can nominate a deployment for the 2007 IDDY at http://www.projectliberty.org/….

IDDY winners are among the organizations deploying Liberty-based identity solutions that put users in better control of their online identity information. Recipients of the first annual IDDY Awards issued in 2006 were EduTech, deploying Liberty Federation within New York State educational agencies; Deutsche Telekom AG (TCom, Business Unit T-Online), deploying Liberty Federation reaching nearly 12 million customers in Germany; and the UK Government Authentication Gateway, which provides eGovernment services to nearly 8 million citizens.

“The IDDY is about recognizing some of the best-of-the-best in digital identity management today,” said Brett McDowell, executive director of the Liberty Alliance. “The IDDY Award ceremony at DIDW promises to uncover a variety of applications designed to deliver real identity management value to users and organizations today and over the long term.”

2007 IDDY Award Judges

This year’s judges are: Michael Barrett, CISO, PayPal, Inc.; John Fontana, senior editor, Network World; Gerry Gebel, VP & Service Director, Burton Group; Paul Madsen, co-chair of Liberty’s Technology Expert Group and identity standards researcher at NTT; Roger Sullivan, president of Liberty’s Management Board and vice president of Oracle Identity Management; Robin Wilton, co-chair of Liberty’s Public Policy Expert Group and corporate architect at Sun Microsystems; Christine Varney, partner, Hogan & Hartson, Washington, D.C. More information about Liberty Alliance is available at http://www.projectliberty.org.



Industry leaders submit Identity Governance Framework to openLiberty.org for development of open source implementations

Posted July 26, 2007, Thu, 26 Jul 2007 14:17:00 GMT

Liberty Alliance’s openLiberty.org project is dedicated to developing “secure and privacy-respecting identity-based applications based on Liberty Alliance standards”. Today, the alliance has submitted the Identity Governance Framework (IGF), a programmatic framework designed to solve regulatory requirements for organizations that must share personal data securely and confidently between applications. The Liberty Alliance consists of nearly 50 members representing such players as HP, Intel, Internet2/Shibboleth and OpenSAML, and Oracle. Anyone interested in advancing open source Liberty Web Services and IGF implementations can join the project at openLiberty.org. The project will develop a set of open source libraries and technologies based on the Apache 2.0 license, easing the development of products that consume, provide and manage identity-related information.


Specifications Pass Key Liberty Alliance Milestone; Consortium Announces IGF Public Webcast August 15

REDWOOD SHORES, Calif., Liberty Alliance, July 26 /PRNewswire-FirstCall/–Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced two key milestones for the Identity Governance Framework (IGF). Today, industry leaders submitted IGF to openLiberty.org for open source development of IGF implementations. Liberty Alliance also announced the ratification of market requirements documentation (MRD) for IGF and the commencement of technical specification work. With today’s news, developers, system integrators and organizations in every sector can begin planning IGF deployments referencing the publicly available MRD and building IGF applications based on the open source APIs collaboratively developed at openLiberty.org. Liberty will hold a public webcast to review IGF developments and the roadmap for continuous development and support within Liberty Alliance and at openLiberty.org on August 15 at 8:00am US PT.

“With Liberty Alliance market requirements completed and technical specification work and open source implementations initiated in parallel, IGF is a significant step closer to delivering users and organizations greater privacy and security protection across applications and industries,” said Brett McDowell, executive director of the Liberty Alliance. “Organizations, infrastructure providers and the Web 2.0 community now have a variety of identity governance tools for advancing the Internet’s privacy layer based on open standards from Liberty Alliance.”

IGF is the industry’s first programmatic framework designed to help organizations meet regulatory requirements such as the European Data Protection Initiative, Gramm-Leach-Bliley Act, PCI Security Standard and Sarbanes-Oxley. The framework establishes a standard way of defining enterprise-level policies for organizations to share sensitive personal information securely and confidently between applications and diverse identity sources while helping ensure security and privacy. The rapid completion and publication of the Liberty Alliance MRD represents the growing and urgent need for IGF as an open standard. With the MRD now completed, work can progress rapidly on the creation of the technical specifications and open source implementations required to speed the development of standards-based end-to-end auditing and governance solutions.

Oracle released a draft of the IGF in November 2006 to wide industry support and in February submitted IGF royalty-free to Liberty Alliance for further development based on Liberty’s model of collaboratively addressing the technology, business and privacy aspects of identity management. Liberty’s Technology Expert Group (TEG) will now develop specifications to meet the IGF MRD. Membership in TEG is open to all industry stakeholders and individual contributors interested in participating in the specifications development process. The IGF MRDs announced today are available for public review and download at project liberty.

A two-phased, collaborative approach to IGF development

The further development of IGF standards will take place within Liberty’s TEG and openLiberty.org, a community driven open source project formed to facilitate the development of secure and privacy-respecting identity applications based on Liberty Alliance specifications. This two-phased approach ensures the widest possible collaboration in the development of IGF and provides opportunities for developers and the global open source community to participate in the development of IGF standards. Co-chaired by Paul Madsen of NTT and Carolina Canales-Valenzuela of Ericsson with participation from technology experts from around the world, TEG will collaboratively deliver IGF profiles, specifications and implementation recommendations. Individuals and organizations interested in following the development of IGF within TEG can read the public mail-list archive at http://maa.projectliberty.org/lap-technology/public-mail/.

Consisting of nearly 50 subscribers with leadership and representation from HP, Intel, Internet2/Shibboleth and OpenSAML, openLiberty.org is an open source community open to everyone interested in advancing open source Liberty Web Services and now IGF implementations. openLiberty.org will develop a set of open source libraries and technologies based on the Apache 2.0 license that developers and vendors can use to build products that consume, provide and manage identity-related information based on the IGF protocols. Developers, individuals and organizations can get more information and join the openLiberty.org IGF community at http://www.openliberty.org/wiki/index.php/IGF_Introduction

“The development of IGF specifications within Liberty Alliance in conjunction with open source implementations at openLiberty.org represents a new era in the collaborative development of open identity standards,” said Jason Rouault, vice president of the Liberty Alliance Management Board and chief technologist for Identity and Security Management, Software, HP. “The two-track approach to IGF development will allow developers to more easily and quickly drive policy and privacy attributes into open source identity initiatives.”

Support for developers and a call for industry-wide participation

Liberty Alliance, supporters of IGF and openLiberty.org invite the developer and open source communities to participate in the further development of IGF. The framework provides developers with a declarative model for access to identity data for creating business applications. Through the development of open source implementations, developers will be able to re-use the APIs developed within openLiberty.org to more easily develop application features and controls to ensure compliance of identity data usage with enterprise policies and privacy regulation requirements.

A key objective of the dual approach to IGF standards development is to demonstrate multi-protocol implementations. This means eventual support for ID-WSF, SAML 2.0, WS-* and OpenID specifications and collaboration with other industry identity initiatives such as the Concordia Project, Project Bandit and the Eclipse Higgins project. As specifications development work progresses within Liberty’s TEG and at openLiberty.org, the groups will regularly work together to offer mutual guidance and support to ensure work is complementary and meets the Liberty Alliance IGF MRDs. Liberty Alliance expects to release draft IGF specifications during 2Q, 2008.

“Today’s news represents a significant milestone in the evolution of IGF and the collaborative development of an open, standards-based approach to meeting cross-industry governance objectives,” said Prateek Mishra, director, Identity Management Standards, Oracle. “IGF will allow organizations in every sector to easily create an open end-to-end governance framework based on Liberty Alliance specifications and openLiberty.org implementations.”

Industry support for IGF momentum and the openLiberty.org development process as the framework quickly moves toward open standard ratification

  • CA – “Today’s highly interconnected business environment requires standardized ways of managing the flow of user identity data across disparate systems and applications. The release of the IGF use-case MRD is an important milestone in the delivery of practical, vendor-neutral standards for this growing challenge. CA will continue to work with the Liberty Alliance partners to define adaptable XML-based specifications that simplify the creation, enforcement and management of identity security policies.” Andy Rappaport, Senior Architect, Identity and Access Management at CA.

  • HP – Sai Allavarpu, director of products for HP Identity Center, Software, HP, said, “Addressing governance, risk and compliance is hard enough within an enterprise and when enterprises federate with their partners, suppliers and customers, the challenge of compliance gets exponentially more complex. IGF and the open source tools developed at openLiberty will help enterprises in federated networks leverage a common, standards-based framework to better manage their compliance while optimizing their governance processes.”

  • Luminance Consulting – “Just like the concept of ‘identity’ adds valuable context to applications, web services and SOAs, the enforcement of governance adds a critical layer of functionality to identity systems and implementations,” said Andrew Shikiar, Principal of Luminance Consulting. “Liberty’s rapid and open development of the Identity Governance Framework MRD and its submission to openLiberty.org will bring tangible benefit to any organization seeking to implement a governance framework and policies across their enterprise.”

  • Eclipse Higgins Project – The IGF software implementation plans to build on the Higgins’ Identity Attribute Service Component. “We are very pleased that IGF plans to build on and coordinate with Higgins,” said Paul Trevithick and Mary Ruddy, Eclipse Higgins Project co-leads.

  • NEC – “Identity Governance Framework and open source implementations are useful tools to establish systems that can effectively cope with privacy protection and internal control. NEC is supportive of developing IGF standards.” Makoto Hatakeyama, Identity Architect, NEC

  • Oracle – “As a founder of the Identity Governance Framework, we are very pleased with the technology community’s positive response to the specification and as a leading provider of enterprise applications, database and middleware, we look forward to continuing to work with Liberty and other industry leaders within openLiberty.org to continue the development of IGF,” said Amit Jasuja, vice president, Development, Security and Identity Management at Oracle. “Our support of the specification will help organizations further advance their information security initiatives.”

  • SSC, New Zealand Government – “We are committed to frameworks that foster privacy aware online services and IGF has the potential to complement and extend the identity systems we have in place today,” said Colin Wallis, Chair of the Liberty Alliance eGovernment Special Interest Group, Programme Manager, Authentication Standards, New Zealand Government. “We welcome the rapid completion of market requirements and look forward to seeing the further development of IGF within Liberty Alliance and at openLiberty.org.”

  • Ping Identity – “Safeguarding individual and corporate use of identity on the Internet will require an international effort. As a participant in the build-out of identity infrastructure, we see it as our duty to support all efforts which help protect one’s identity on the Internet,” said Andre Durand, CEO, Ping Identity. “The Liberty Alliance offers the perfect forum for international collaboration and consensus building towards this end.”

  • Symlabs – “The development of Identity Governance Framework within Liberty Alliance Technical Expert Groups is a positive step toward realizing the promise of open standards for identity management in complex, real-world networks,” said Sampo Kellomaki, Identity Architect, Symlabs. “Liberty’s global focus and use-case methodologies aim to deliver highly practical identity management solutions that serve a wide range of enterprises.”

About the August 15 Liberty Alliance IGF Webcast

The public webcast, An Overview of the Identity Governance Framework: Putting Privacy and Regulatory Compliance First, will be held on Wednesday, August 15 at 8:00am US PT. The session will feature Prateek Mishra and Phil Hunt of Oracle and leaders of the IGF initiative within Liberty Alliance, and Brett McDowell, Liberty’s Executive Director. The webcast will include a 45-minute presentation and 15-minute Q and A and is designed to show developers and organizations how they can leverage IGF today and over the long term to build and deploy open, secure and privacy-respecting governance solutions. Registration and more information are available at projectliberty.org.

About Liberty Alliance

Liberty Alliance is the only global identity organization with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trusted Internet by addressing the technology, business and privacy aspects of digital identity management. The Liberty Alliance Management Board consists of representatives from AOL, Ericsson, Fidelity Investments, France Telecom, HP, Intel, Novell, NTT, Oracle, and Sun Microsystems. Liberty Alliance works with identity organizations worldwide to ensure all voices are included in the global identity discussion and regularly holds and participates in public events designed to advance the harmonization and interoperability of CardSpace, Liberty Federation, Liberty Web Services, OpenID, SAML 2.0, WS-Federation and WS-* specifications. More information about Liberty Alliance is available at http://www.projectliberty.org.

Trademarks

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

