Tony Nadalin's presentation at eComm 2008

Trust and Identity In Virtual Worlds and Collaborative Spaces Anthony Nadalin, Distinguished Engineer, IBM


Transcript of Tony Nadalin's presentation at eComm 2008

Page 1: Tony Nadalin's presentation at eComm 2008

Trust and Identity In Virtual Worlds and Collaborative Spaces

Anthony Nadalin, Distinguished Engineer, IBM

Page 2: Tony Nadalin's presentation at eComm 2008

Early Virtual Worlds & Collaborative Spaces Business Applications

Commerce

Collaboration and Events

Education and Training

Emerging Business Applications

Page 3: Tony Nadalin's presentation at eComm 2008

Trust and identity in Virtual worlds and collaborative spaces

• Think: Wikipedia, Second Life

• International: open to everybody with access to the Internet

• Collaborative: free information sharing, user-created content

• Social: users can establish relationships with other users

• Everybody can participate – and bad guys can act anonymously

• Unclear basis for trust in the information you find in Wikipedia

• Insufficient accountability for inappropriate content in virtual worlds

• We are in the early days of commercial exploitation of these technologies

• Resembling situation with electronic mail and spam 10 years ago

• Trust and identity are key to the success of collaborative space – either way

• Issues around trust threaten the continued success of collaborative spaces

• Sound trust and easy to use federated identities enable new services

Page 4: Tony Nadalin's presentation at eComm 2008

Some examples of issues around trust and identity

Online Predators: http://www.cbsnews.com/stories/2007/03/13/tech/main2563414.shtml

“… one of a half-dozen documented cases this past year alone in which older men used such Internet sites to set up sexual encounters with minor girls in Connecticut."

Illegal Content/Behavior: http://www.theregister.co.uk/2007/02/21/dutch_demand_ban_on_virtual_child_porn/

"... reports about adult players with child avatars soliciting (paid) sex."

Online Harassment and Bullying: http://doc.weblogs.com/2007/03/28#whatItIsnt

"... abruptly cancelled her appearance at the O'Reilly ETech conference in San Diego, after receiving threatening and sexually graphic messages that made her afraid to leave her house."

Reputation Fraud: http://www.msnbc.msn.com/id/17171372/

"... eBay suspended accounts identified in the article, ... the forger merely moved the operation to another Internet auction site for a few months before returning to eBay, setting up new accounts and picking up where he left off."

False Claims: http://en.wikipedia.org/wiki/Essjay_controversy

"... claimed to hold doctoral degrees in theology and canon law as a tenured professor at a private university, he was in fact a community college dropout from Kentucky."

Page 5: Tony Nadalin's presentation at eComm 2008

Collaborative spaces and virtual communities

*MMOG = Massive Multiplayer Online Game  

Multi-service

Platforms

Social Computing

3D/Realtime Internet/MMOGs

Common problem: Trust and Identity

Enterprise Customers & Governments

Page 6: Tony Nadalin's presentation at eComm 2008

What is new, compared to 10 years ago?

• History

• Public key infrastructure (X509v3, SPKI, PGP, …), digital signature initiatives – late 90’s

• Microsoft Passport (= Windows Live ID) – 2000

• Liberty Alliance – 2001

• What changed?

• Awareness for the role of digital identity

• Post-9/11 security concerns

• High-profile privacy incidents – e.g., TJX: lost 45.7 million payment card numbers

• Identity theft – 3.7% of all US citizens were victims of fraud due to identity theft

• More valuable data online, e.g., healthcare portals

• Value

• Increasing value of identity per se: more and better services

• Increasing value of portable identity: Web 2.0 connects people and data across enterprise boundaries

• Increasing demand for user-centric, portable, life-long identity, and reputation

• Increasing demand for strong identity

Page 7: Tony Nadalin's presentation at eComm 2008

Scenarios

1. Trusted Content

2. Trusted Collaboration

3. Trusted Roaming

4. Trusted Delegation

5. Trusted Aggregation

Page 8: Tony Nadalin's presentation at eComm 2008

Scenario 1: Trusted Content

Can I trust this collaborative space? Is all content correct? Is all content authorized? Is all content appropriate for me? What is the creator’s reputation?

Can I trust this content? Is this content correct? Is this content authorized? Is this content appropriate for me? What is the creator’s reputation?

Page 9: Tony Nadalin's presentation at eComm 2008

Scenario 2: Trusted Collaboration


Request freetime

• How can Patrick locate Paul’s calendar?

• Can Paul trust this request? Is this request legitimate? Who is this requestor?

Patrick Paul

Page 10: Tony Nadalin's presentation at eComm 2008

Scenario 3: Trusted Roaming

I want to see what World of Warcraft is about

I want to stand in SL look over the bridge into WoW

I want to go from “left” to “right”

And both with a minimum of overhead – no new registration, no new avatar design, no new reputation

I do have an avatar in Second Life

Page 11: Tony Nadalin's presentation at eComm 2008

Scenario 4: Trusted Delegation

Give Alice the right to see Bob’s images

How can Bob trust that only Alice sees the pictures, and how can he maintain control over the pictures?

How can Bob avoid telling the service who Alice is?

Page 12: Tony Nadalin's presentation at eComm 2008

Scenario 5: Trusted Aggregation

Bank

HealthInsur.

Employer

Aggregator

Page 13: Tony Nadalin's presentation at eComm 2008

Scenarios

Specific Scenario

1. Trusted Content

Trust in correctness and appropriateness of specific / of all objects in a collaborative space (e.g., Wikipedia, Second Life).

2. Trusted Collaboration

Enable freetime-based scheduling of meetings across calendars in different enterprises, using different identity schemes.

3. Trusted Roaming

Cross bridges from one virtual world to the other, carrying your identity (avatar, attributes, reputation) with you

4. Trusted Delegation

Give your friend access to your digital photos without the fear that the photo server knows who your friends are, or that your friends share your photos with others.

5. Trusted Aggregation

Aggregate personal information through a portal, without fear of misuse or fear of identity theft, but with the added value of non-trivial aggregation.

Interoperability of trust and identity systems

User-centricity, transparency, choice

Privacy and pseudonymity

Reputation of users and spaces

Cross-platform capability

Page 14: Tony Nadalin's presentation at eComm 2008

State of the Art

Page 15: Tony Nadalin's presentation at eComm 2008

Some Remarks on Policy

• Identity

• Online identities are essentially unregulated

• Risk associated with using online identities is growing, number of high profile incidents will increase

• Identity theft, e-banking, healthcare portals, reputation on eBay, …

• Needed: best practices for trust and identity

• Privacy

• Privacy is a top concern for individuals

• Similar privacy concerns and privacy regulations exist world-wide

• Current privacy principles (OECD) seemingly collide with Web 2.0 paradigm: minimize vs. maximize info sharing

• Needed: new societal norms and best practices

Page 16: Tony Nadalin's presentation at eComm 2008

Identity Technology

• Status quo

• Site-specific username / password

• Low security, vulnerable to phishing, password management up to user

• Application-specific identity

• Sharing of identity information only within defined federations

• Trends

• User-centric identity

• User controls release of identities and attributes

• Decoupling of user’s from service provider’s view

• Framework provides unified, abstract view on a multitude of specific identity systems

• Security beyond username / password

• Username / password tokens containing identity claims

• Framework approach enables strong mutual client-server authentication

• Federated identity, portable identity in Web 2.0

• Lightweight, decentralized identity provider for single sign-on

• Fine-grained, user-controlled attribute sharing with privacy

Page 17: Tony Nadalin's presentation at eComm 2008

Reputation Technology

Digital Identity

Summary of actual past behavior, by service provider

Real identity

Background check against external data

Peer reviews

portable

specific

Identity Verification, Identity Proofing = Strong Identity

Trust in specific attribute or future behavior?

Page 18: Tony Nadalin's presentation at eComm 2008

Outlook

Page 19: Tony Nadalin's presentation at eComm 2008

3. Future of Virtual Reality

4. Future of Identity Systems

User-centric, transparent identity management

Service-specific identities are managed transparently

User can create as many identities as he or she wishes

User maintains full control over his or her privacy (e.g., pseudonyms)

Access to identities is secured through strong authentication

Privacy friendly service discovery and search will emerge

Portable identities

Immersive user interfaces yield rich identities and complex attributes and capabilities

Users expect to carry their rich identities from one space (application) to the next

2. Future of Identity

Life-long personal identities

People act as “free agents” who manage their digital identities and capabilities independently of their current “employers” or “schools”

Identities and attributes become independent from identity providers, and can be freely moved between providers

Some will stay for a user’s whole life, and need special protection

1. Future of Identification

Strong identity proofing

Biometrics increasingly used to prove and authenticate identities

Online identity increasingly established through physical world identities

[Chart: Technology Outlook, horizontal axis 2007 to 2017; sources: BBC 2007, IBM GIO 2006; annotation: "On average: 2020% growth/year"]

Page 20: Tony Nadalin's presentation at eComm 2008

An eComm 2008 presentation –

http://eCommMedia.com for more