Here we go again.  The Computer and Communications Industry Association (representing industry giants like Google and Microsoft) just filed a complaint with the U.S. Federal Trade Commission claiming that content providers (copyright holders) are issuing excessive, misleading warnings with movies, games, books and music.  (See story.) Essentially, this complaint seems to be saying “stop telling us so loudly to stop breaking the law.”

At the same time, a coalition of Japanese television, music and film companies are once again criticizing YouTube, complaining that the video-sharing site is “not doing enough” to rid the site of clips that infringe on copyrights!  In the same commentary, the group expressed skepticism about the work YouTube parent Google was doing on its own new video recognition and purging system.  (See story.)

Damned if you do and damned if you don’t!

This is yet another example of dueling claims about rights – digital rights – and the effort required to protect the value of digitized intellectual property without ruining distribution channels.  This particular exchange of claims and demands illustrates once again the shortfall in digital trust technologies to satisfy the competing interests of content providers and content purveyors.  Watermarking, acoustic and video fingerprinting, encryption-based DRM, and content summary and comparison techniques are all being tried and used to one extent or another.  Yet, the dueling rights argument continues.

It’s not completely a technology issue.  Intellectual property protection laws vary from nation to nation, and there are no comprehensive standards for formats or interfaces.  Without updates in legal frameworks and standards, and without digital trust technologies that satisfy both interests and provide evidence that rights are being managed in accordance with agreements, we can expect the argument to go on and on and on…

The Digital Trust volume on Intellectual Property Protection (Volume 3) will be out soon.  Subscribe to the LEF RSS feed www.csc.com/lefpodcast and you’ll get the volume when it’s released.  There’s some encouraging news in that volume, but the basic shortfalls remain.  If you have the “right” idea to solve this one, .  We can go far together.

Passwords, hardware tokens, software tokens, public key certificates, one-time key pads, virtual keypads, fingerprints, retinal scans, facial recognition, question and answer systems, picture selections, public records data base hint systems…and the list goes on and on.  These are all methods for authentication, and apparently these are not enough.  There is always “yet another authentication mechanism” (YAAM) being introduced.  And, every time a YAAM appears, it is introduced with a rationale that is some combination of:

• less expensive
• easier to deploy
• simpler (and therefore more effective)
• better scalability

Two of the most recent YAAMs are Vidoop and Passfaces.  Both are variations on the theme of picture selection and recognition instead of password entry.  And, both are pretty clever.

However, every time a new YAAM emerges, we seem to be a little more confused than we were before.  This is especially true whenever the YAAM looks like other methods that are already being used.  There are the inevitable questions: How much better? What else has to change? How do existing methods compare? But the issues around authentication run much deeper than the typical tradeoff studies.

Without an identity strategy that defines what subjects are, what the set of identity claims includes, how far the span of the identity extends, and which authorities give meaning to the identity, worrying about authentication is premature.  Authentication is important, but no type of authentication can fix shortfalls in foundations of identity.  (Incidentally, even picture-based authentication can fail.  See article.)

So, before you invest too much effort pondering the selection of an authentication mechanism, first review the foundations of your identity infrastructure.  After that, the YAAMs are waiting!

On the Internet, as in the physical world, we have many identities depending on the situation.  But unlike the physical world, the Internet affords a high degree of anonymity, which can be good and bad.  We are free to participate in online surveys anonymously, for example, but we can also be tempted to spout off under a fake identity. 

Recently, the chief executive of Whole Foods Market was accused of “sock puppeting,” meaning he assumed a false identity online and posted comments promoting his company and attacking competitors.  The SEC is investigating whether or not he broke the law with his posts, which he had been making for years.  (See article.)

The Internet was not built with identity in mind, purposely.  As online citizens, we need to be constantly aware that the digital world is on shaky ground in terms of identity, yet it increasingly requires strong identity management, with trust, as the Net becomes more and more commercial.  Digital Trust Volume 2 on identity management explores these issues.

There seems to be no end to the “power of trust” in the digital world.  There are dozens of invocations of the word “trust” in company, product and service names, and “trust” is used to explain why products and services are valuable, superior or at least not harmful.

Now, a new service is being offered by WabiSabiLabi.com that will auction software vulnerabilities to the highest bidder.  (See article.)

On the one hand, the service is in the best entrepreneurial spirit of getting value out of the intellectual property of security researchers.  (By the way, the researchers will have to “trust” WabiSabiLabi to protect their intellectual property rights during the process of the auction.) On the other hand, the possibility that software security flaws will end up in the hands of criminals generates a lot of concern about the ultimate outcome of such auctions.  How do we control the participants in these auctions?

According to Herman Zampariolo, WabiSabiLabi’s chief executive, the company will thoroughly screen all potential buyers (and sellers), building a base of trusted bidders.  So we are not to worry – the auctioned vulnerabilities will only end up in the hands of trustworthy, ethical customers.  Ironically, the “power of trust” is being invoked to support a service auctioning vulnerabilities that could reduce trust in the digital enterprise.

WabiSabiLabi will depend on its ability to implement a trusted bidder scheme to legitimize its new vulnerability auction service.  Previous attempts at a similar service were abandoned.  It’s easy to invoke the word “trust” and seek a way to generate a commercially viable base of trusted bidders, but it’s hard to define and enforce what that trust is in the identification, authentication and qualification of bidders.

Nevertheless, like hope, trust springs eternal.

Maximizing the value of intellectual property through digital trust is discussed in the Digital Trust report series, Volume 3, “Intellectual Property Protection: Minding Your Mind Power” (expected to be available in late August here).