Friday 24 June 2011

To create a trustworthy Internet respectful of privacy, shouldn't we simply make our personal data public?

In the developments relative to trust and privacy technologies, one of the goals was to provide people with the means to protect their personal data: personal data is mine! This has naturally led to the idea of personal lockers and personal data stores: if all of my data is in my personal locker, then I can decide who has access to it and under which conditions (for how long, to do what, etc.). Personal Data Stores rapidly became the Holy Grail for the most advanced actors in the field of personal data management, from ePortfolios to personal health records. Personal lockers and personal data stores helped us to understand that an Internet based on a clear separation between storage of personal data and services creating/exploiting them would revolutionise the Internet. Empowered users would be at the centre of an ecosystem they control. "The Semantic Web & THE POWER OF PULL", by David Siegel admirably describes the transformations one should expect from the systematic use of personal lockers.

However radical and transformative, personal lockers and personal data stores have their limits. One is to be found in the initial statement: personal data is mine! Data, the product of social interaction and processes, is generally shared with other people and organisations: I share the name of my parents, the review of a paper submitted with reviewers and conference organisers, the diagnosis of my illness with a doctor, a laboratory and a drugstore. Even my intimate thoughts can be shared when I commit a Freudian slip... If most data is shared with others then we might want to rewrite the initial statement with: personal data is ours! Translation into technology of this statement might lead to something radically different from personal data stores as personal information silos.

Wouldn't it be wonderful if we were able to exploit the natural property of data as a connection to people (places, ideas etc.) while preserving the need for privacy, anonymity and enabling trust? Could Shared Data Stores or Shared Lockers be a solution?

Another problem with personal data lockers is in the name itself. If they are personal, that means that they contain information that renders their owners identifiable. If they are lockers it means that there will always be someone ready to break in to steal data —who would be stupid enough to break into a safe if money grew on trees in public parks? And is there not a contradiction between aiming at the creation of a trust environment while basing it on highly protected safes and lockers? In an environment I trust, I'm not afraid to leave my wallet on the table... So, if personal lockers are not that safe, does it mean that the alternative is between abandoning the idea of privacy altogether and developing technologies that would create higher and thicker walls around our personal lockers? Is there an escape from an alternative that can only lead to an escalation in the development of distrust technologies?

Starting from the premises above, can we design an architecture that is at the same time natively social (data is ours!) and natively anonymous (I share my data but you can't connect this data with the real me)? Anonymity is extremely hard to implement; that is why it should be a native feature and not an add-on, like anonymisation or encryption are.

Imagine that, instead of storing our data in personal lockers, we store them in Public Anonymous Data Stores (PADS). When I store a piece of data in a PADS, anonymously, I receive in exchange a key that allows me to edit it. Associated to this data is a kind of mailbox, so if someone wants to contact me, it is possible to leave a message in the box. My data can be distributed over a number of PADS and I'm the only one to know that it is my data. For the rest of the world, my data is just a drop in an ocean of anonymous data.

Putting personal data in PADS allows fine search granularity while respecting anonymity. Let's say that someone is looking for a professional in the region of Chablis (not far from where I live) who has some expertise in ePortfolios. The enquirer leaves a message in the PADS mailboxes of all the people who have declared living in Chablis and in all those who have declared an ePortfolio expertise. When people collect their mailboxes from their PADS, only those that match both criteria are notified*. The person who has made the query doesn't know whether there is someone matching the query until the target(s) decides to notify him/her that there is a match; and even then the target(s) remains fully anonymous.
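The store, mailbox and two-criteria query described above can be sketched as a small in-memory model. This is an added example, not code from the original post: the `PADS` class, its method names and `collect_full_matches` are hypothetical, and it assumes each mailbox message carries the query's full list of criteria so that the owner, who alone knows which records are theirs, can tell a full match from a partial one.

```python
import hashlib
import hmac
import secrets


class PADS:
    """In-memory model of one Public Anonymous Data Store (hypothetical API)."""

    def __init__(self):
        self._records = {}    # record_id -> {"data": dict, "key_hash": bytes}
        self._mailboxes = {}  # record_id -> list of pending messages

    def store(self, data):
        """Store data with no owner field; return (record_id, edit_key)."""
        record_id = secrets.token_hex(8)
        edit_key = secrets.token_urlsafe(32)
        # Only a hash of the key is kept, so a copy of the store cannot edit records.
        key_hash = hashlib.sha256(edit_key.encode()).digest()
        self._records[record_id] = {"data": dict(data), "key_hash": key_hash}
        self._mailboxes[record_id] = []
        return record_id, edit_key

    def _authorised(self, record_id, edit_key):
        record = self._records.get(record_id)
        if record is None:
            return False
        presented = hashlib.sha256(edit_key.encode()).digest()
        return hmac.compare_digest(presented, record["key_hash"])

    def edit(self, record_id, edit_key, data):
        """Replace a record's data; succeeds only with the key issued by store()."""
        if not self._authorised(record_id, edit_key):
            return False
        self._records[record_id]["data"] = dict(data)
        return True

    def post_query(self, query_id, criteria, reply_to):
        """Leave a message in the mailbox of every record matching any one criterion.

        Returns nothing: the enquirer learns of a match only if a target replies.
        """
        all_criteria = tuple(sorted(criteria))
        for field, value in criteria.items():
            for record_id, record in self._records.items():
                if record["data"].get(field) == value:
                    self._mailboxes[record_id].append({
                        "query": query_id, "criterion": field,
                        "all_criteria": all_criteria, "reply_to": reply_to})

    def collect(self, record_id, edit_key):
        """Empty and return a record's mailbox; requires the record's key."""
        if not self._authorised(record_id, edit_key):
            return []
        messages, self._mailboxes[record_id] = self._mailboxes[record_id], []
        return messages


def collect_full_matches(owned_records):
    """owned_records: (pads, record_id, edit_key) triples known only to the owner.

    Returns the queries whose every criterion reached one of the owner's records.
    """
    reached, wanted = {}, {}
    for pads, record_id, edit_key in owned_records:
        for msg in pads.collect(record_id, edit_key):
            reached.setdefault(msg["query"], set()).add(msg["criterion"])
            wanted[msg["query"]] = set(msg["all_criteria"])
    return sorted(q for q in reached if reached[q] == wanted[q])


def demo():
    """Constructed sample: one person spreads two facts over two stores."""
    pads_a, pads_b = PADS(), PADS()
    me = [(pads_a, *pads_a.store({"region": "Chablis"})),
          (pads_b, *pads_b.store({"expertise": "ePortfolio"}))]
    other = [(pads_a, *pads_a.store({"region": "Chablis"}))]
    query = {"region": "Chablis", "expertise": "ePortfolio"}
    for pads in (pads_a, pads_b):
        pads.post_query("q1", query, "enquirer-mailbox")
    return collect_full_matches(me), collect_full_matches(other)


if __name__ == "__main__":
    print(demo())
```

Neither store can link the two records of the first person; the join happens only on the owner's side, which is also where a software agent would decide whether to reply.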

Of course, when we make a query we expect to have timely, if not instant, feedback. As it is very unlikely that people will collect their mail at the same time, and even less likely that they will want to spend any time validating more or less relevant queries, we need something more, something able to take decisions on our behalf. A software agent or proxy could do the trick, so that when someone queries the Internet, it is the agents that act on our behalf that validate, or not, visibility of the match. PADS + agents/proxies give us the power to control our visibility on the Internet.

Going back a few years, we advocated that every citizen should have an ePortfolio, then that every citizen should have a personal data store. We would now like to explore how to provide every citizen with a personal agent or proxy operating, on our behalf, in a space where our personal data is stored in PADS, to explore the question:

To create a trustworthy Internet respectful of privacy, shouldn't we simply make our personal data public?

It is one of the discussions that will be in the background of the 9th international ePortfolio and Identity Conference. You are welcome to contribute to it.

Saturday 17 July 2010

The New Internet of Subjects Manifesto

After the Internet of Subjects Forum London (5 July 2010) Graham Sadd wrote in his blog: Violent Agreement Breaks Out at IoS Forum.
This was echoed in the final session of the 8th ePortfolio conference (www.epforum.eu) when Derrin Kent offered to invite the Mahara open source ePortfolio community to integrate the idea of separation between data, metadata and ePortfolio services. We hope that more ePortfolio providers will support this model, which should lead to greater interoperability across systems and organisations, whilst increasing control by individuals of the exploitation of their personal data. It is a path to creating true personal lifelong learning environments.

One of the next documents to be produced is a New Internet of Subjects Manifesto, based on the '7 IoS principles'. It will be a response to the National Strategy for Trusted Identities in Cyberspace (USA).

A simple analysis of the NSTIC document reveals that:
  1. there is not a single reference to (personal) data storage
  2. there is one single reference to publish[ing] private information
  3. there is no reference to 'discoverability'
  4. the word 'relationship' is only used 3 times
The main weakness of the NSTIC is the focus on "trusted identities" (that are no more than glorified 'trusted identifiers') rather than "trusted relationships." The whole exercise looks like the effort to represent a 3 dimensional space on a single straight line: It doesn't use any of the topographic properties of a network! In order to trust a claim by an individual that she is a British citizen, it would be sufficient to check that the server of the passport office points to the subject's PIMS (personal information management system) while sending a message to the PIMS (the mobile phone being part of it!) to check that it is the owner of the PDS that makes the claim —and the PIMS could provide a proxy service to manage this kind of transaction, making one's life easier.
An identity can be defined by a series of (more or less) trusted relationships evolving over time and space. It is a combination of identification of (by a third party) and identification to (a group of people sharing certain attributes).
The main limitation of the NSTIC document is that it only focuses on the identification of, and does not address a single element of the identification to. It also assumes that one needs to be identified in order to enter a transaction, while most transactions in real life do not require any kind of formal identification.

The concept of "trusted identity" in NSTIC is mono-dimensional, while the IoS concept of 'trusted relationships' is multi-dimensional. An identity is a (series of) relationship(s), evolving over time and space, not a static attribute. NSTIC aims at a "user-centric Identity Ecosystem", while we aim at a "subject centric Trust Relationship Ecosystem", where the subject can be a person, an organisation or a network. Placing too much emphasis on 'user centricity' contains the risk of reinforcing the asymmetry of the current system —patronising is not far.

The focus on "trusted identity" rather than "trusted relationship" is also revealing of the non-existence of Internet Subjects in the current architecture. In an Internet of Subjects, that is a space where self-asserted subjects exist autonomously, the need for the old-fashioned approach to identity and access management vanishes.

The IoS objective is to create a totally symmetrical system where individuals can act as identity, attribute and service 'providers', not just as 'trusted users'. Of course, if we want to know that a person is an EU citizen, we will look for a proper trusted party for such an attribute, but the mechanism will be the same if we want to know whether a person is a member of a cricket club, a university alumnus or a friend —or if a business client list is genuine, etc.

If you want to contribute to the IoS and the writing of the New Internet of Subjects Manifesto, you can do so by joining the IoS working group.

Tuesday 8 September 2009

10 ePortfolio challenges

For the 7th ePortfolio conference, and in order to give directions to our work towards our 2010 goal (ePortfolio for all), EIfEL decided to address a number of challenges to the ePortfolio community and beyond —many of the problems the ePortfolio community faces today will not be resolved if they are not addressed beyond the ePortfolio silo. The goal of these challenges is to move beyond the current state of ePortfolio development, in particular in the field of interoperability as interoperability is not just a technical issue, but a means to enable new practices and the emergence of truly lifelong and life wide ePortfolios.

The ten challenges are:
  1. Universal ePortfolio Repository —a unified view of all my assets
  2. Universal Competency Identifiers —share competency definitions across systems
  3. ePortfolio social —share assets, knowledge and processes across communities
  4. ePortfolio semantic editors —make sense of what I write, connect, etc.
  5. ePortfolio Readers —read any ePortfolio through consistent and multiple views
  6. Open & Trusted Service Architecture
  7. ePortfolio based performance support system —make the ePortfolio part of my work
  8. ePortfolio discovery mechanism —find people, competencies, resources
  9. URIs as tags —make tags meaningful
  10. Universal Metadata —create a world brain

Our main objective is to create the conditions for the emergence of MultiPortfolio organisations (one organisation can interact with many different ePortfolio platforms) and MultiOrganisation ePortfolios (have one ePortfolio to interact with many different institutions with their own platform).

Challenges' link

Other documents related to the challenges are:

Friday 22 May 2009

EIfEL becomes a MultiplePortfolio (MeP) organisation

Until now, the issue of ePortfolio interoperability was mainly considered within the framework of documents export/import, hence the focus on data structures and the lack of appetite, except for EIfEL and very few others, to fully embrace identity and access management (IAM) as the central locus for ePortfolio interoperability.

In order to contribute actively to the design of state of the art interoperability solutions, EIfEL has decided to become a MultiplePortfolio (MeP) organisation, i.e. an organisation where each of our members will be able to choose their own ePortfolio platform while still being able to fully interact with the organisation and their peers to support their continuing professional development and recognition as professional members of the learning community. In doing so, EIfEL aims at being a live testbed, a benchmark for interoperability.

As an organisation wishing to represent all the actors of the ePortfolio community, unlike other organisations, it was not possible for EIfEL, even if we have our personal likes and dislikes, to select a particular platform to support the continuing professional development of our members. Moreover, many of our members already have their own ePortfolio system that they use within their organisation or institution and several already have to deal with multiple ePortfolio systems — e.g. a member of the Institute for Learning (IfL) who uses REFLECT, based on PebblePad, for his/her CPD might work at a college using eXact Portfolio to support teaching and Multi-Port to support the delivery of NVQs (just to name the 3 Gold sponsors of the 2009 Learning Forum London conference!).

Committed to becoming a fully functional MultiplePortfolio organisation, EIfEL will work with all the ePortfolio and learning technology publishers and providers to demonstrate the feasibility and benefits of an interoperability framework where individuals are free to choose the components of their own ePortfolio system while being capable of interacting with a number of different institutions across time (diachronic interoperability) and space (synchronic interoperability). A MultiplePortfolio approach is a necessity for territorial approaches, i.e. for the implementation of systems working across multiple institutions within a city, a district, a region or a state.

EIfEL’s MultiplePortfolio environment will be dedicated to supporting the continuing professional development (CPD) of our members, validated through peer review of their CPD ePortfolio. Reviewing other members’ CPD portfolios is part of members’ own professional development, to demonstrate assessment skills and gain an opportunity to explore a range of different professional practices.

EIfEL will provide its members with an environment to publish their ePortfolio(s), select the reviewers for their CPD portfolio and publish the outcomes of the review process —a choice of ePortfolio platforms will be offered to those needing one. EIfEL staff will mainly support the quality improvement of the review process, and interoperability.

As a MultiplePortfolio organisation, EIfEL will go through the following stages:
  1. At the initial stage, each ePortfolio platform will be independent from each other, so the reviewers of peers’ ePortfolios will have to register on different systems. The focus on interoperability will be on the ability to publish ePortfolios using RSS/Atom/RDF feeds, based on multiple formats (LEAP2A, HR-XML, Europass, microformats, FOAF, etc.) and packaging ePortfolios (ZIP, IMeP, etc.) for archive and verification —quality assurance. We will also be working on the systematic exploitation of unique resource identifiers (URI) to competency definitions hosted in shared repositories of occupational standards, so definitions will be independent from ePortfolio platforms and could be used for many other purposes, e.g. to post a job, set a 360° assessment, etc.
  2. The second stage will be the implementation of single sign on mechanisms (SSO), so a member already identified by EIfEL platform will be able to use the same identifier to review a colleague’s CPD ePortfolio. This will require ePortfolio providers to support IAM standard frameworks.
  3. The third stage will be the implementation of circles of trust and attribute sharing. At stage 2, the granularity of access is the whole ePortfolio, while at stage 3, elements of ePortfolios can be shared with other members of the EIfEL community —and others. This is very convenient when members work together on a project and want to share evidence from their respective ePortfolios. Sharing evidence is one of the means to increase the trustworthiness of individual ePortfolios.
  4. The fourth stage of interoperability will be the provision of ePortfolio readers independent from the idiosyncrasies of the different platforms, so a reviewer will be able to browse multiple ePortfolios created on multiple systems, while having the same navigational and informational interface. This will be particularly relevant in specific processes such as the accreditation of prior learning (APL) when an assessor needs to review evidence against a number of occupational standards of competence.
  5. The fifth stage of interoperability will be the ability to create a seamless space between the different components of one’s digital identity in an Internet where individuals exist as autonomous and empowered entities, lifelong and lifewide.
Of course, EIfEL will be working on these different stages in parallel, in cooperation with ePortfolio publishers, clients and users, exploiting the outcomes of existing and future projects (like TAS3). We will be looking at establishing a quality mark for the ePortfolio and ePortfolio-related solutions that have demonstrated their interoperability within EIfEL’s MultiplePortfolio environment.

The MultiplePortfolio initiative will be launched during Learning Forum London, the international ePortfolio conference, 22-24 June 2009. Demonstrations will be made during ePortfolio plugfest and participants will be invited to contribute their reflections to this ambitious and challenging project.

Monday 11 May 2009

Tagging with URI

Cross-referencing is one of the key activities when building a portfolio used for accreditation of prior learning or to gain a competency-based qualification. How does it work?
  • On the one hand, candidates have a list of competencies and performance criteria
  • On the other hand, candidates collect a number of pieces of evidence demonstrating their competencies
Then
  • for every piece of evidence the candidate indicates which competencies / units / elements / performance criteria it covers
  • for each unit / element / performance criterion the candidate indicates which pieces of evidence support the claim
With a computer, there is a very simple way of doing this: using competency definitions as tags. Once all the pieces of evidence are tagged with the various competency definitions, it is easy to retrieve all those linked to a particular competency and all the competencies linked to a single piece of evidence. The simple process of tagging creates all the cross references needed to have the portfolio reviewed by an assessor who can then (in)validate the links.

There are two ways of creating this kind of tag with existing systems:
  1. strings: the title of the competency/performance criteria —pros: relatively user friendly (probably not if the user has to key in long definitions); cons: ambiguity as the same string of characters can refer to different definitions; and risks of typos (that can be reduced by providing drop-down boxes)
  2. URL/URI: the address of the competency definition —pro: uniqueness; cons: not user friendly
There is a third way, that would require very little effort from ePortfolio publishers: using URL/URIs as tags while making it user-friendly: users would select a definition from a competency repository, drag it in the 'tag' section of the piece of evidence. The tag would appear as a string to the user, but the URI would point to the competency definition. The level of granularity of a URI could be down to a single performance criterion.

To make it backward compatible and allow users to create tags without URIs, the URI field could be set to null. This could also encourage groups of people and communities to create and share their own meaningful URIs/definitions.

Of course, this method of URI tagging is not restricted to ePortfolios and could be generalised to any kind of tagging: linking a blog entry to Learning Forum London or ePortfolio 2009 could use the same URI http://www.epforum.eu —today it is ep2009, hoping that nobody else will use it or won't use ePortfolio2009 or ePortfolio 09...

And of course, to make this work seamlessly, instead of having each ePortfolio system create its own internal representation of competency frameworks, these frameworks could be made public through a series of distributed repositories providing the desired URIs that could be shared within a community of professionals, an organisation or a sector.

The solution to unique resource identifiers for competency definition has already been discussed by Simon Grant (Representing frameworks of skill and competence for interoperability and more recently in Representing defining and using ability competency and similar concepts). It is clear that we have all the technology required and the solutions are not exactly rocket science. What is missing is the political impetus and commitment.

One could imagine that each URI is translated into a URL where the competency map could be represented by a hierarchy of directories:
  • language / sector / domain / area / unit / element / performance criteria
  • language / sector / domain / area / unit ? data = "knowledge", "evidence examples", etc.
This is one possible representation, and there are alternative equivalents.
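The cross-referencing that URI tags make possible, including the null-URI fallback and the directory-style hierarchy sketched above, can be shown in a few lines. This is an added example, not code from the original post: the repository address `competencies.example`, the path segments and the function names are hypothetical, and the evidence list is constructed.

```python
from collections import defaultdict

# Hypothetical repository; the path follows the hierarchy suggested in the text:
# language / sector / domain / area / unit / element / performance criteria
BASE = "https://competencies.example/en/education/teaching/assessment"
OTHER = "https://competencies.example/en/health/nursing/care/unit-7"


def tag(label, uri=None):
    """A tag shows a label to the user; the URI may be null for legacy tags."""
    return {"label": label, "uri": uri}


def tag_key(t):
    """Identity of a tag: its URI when present, otherwise the normalised string."""
    if t["uri"] is not None:
        return t["uri"].rstrip("/")
    return "string:" + t["label"].strip().lower()


def build_index(evidence):
    """Build both cross-reference directions from one pass over the tags."""
    by_competency = defaultdict(set)   # tag key -> evidence names
    by_evidence = {}                   # evidence name -> tag keys
    for name, tags in evidence.items():
        by_evidence[name] = {tag_key(t) for t in tags}
        for t in tags:
            by_competency[tag_key(t)].add(name)
    return by_competency, by_evidence


def evidence_for(by_competency, key):
    """Evidence tagged with this key or with anything beneath it in the hierarchy.

    The trailing slash in the prefix stops unit-1 from also matching unit-10.
    """
    key = key.rstrip("/")
    prefix = key + "/"
    found = set()
    for k, names in by_competency.items():
        if k == key or k.startswith(prefix):
            found |= names
    return sorted(found)


# Constructed sample portfolio. Three items share the label "Plan assessment":
# two point at different definitions, one is a legacy string tag with no URI.
EVIDENCE = {
    "lesson-plan.pdf": [tag("Plan assessment", BASE + "/unit-1/element-2/pc-3")],
    "peer-feedback.doc": [tag("Give feedback", BASE + "/unit-1/element-4")],
    "portfolio-review.doc": [tag("Review portfolio", BASE + "/unit-10")],
    "audit-report.pdf": [tag("Plan assessment", OTHER)],
    "old-note.txt": [tag("Plan assessment")],
}

if __name__ == "__main__":
    by_competency, by_evidence = build_index(EVIDENCE)
    print(evidence_for(by_competency, BASE + "/unit-1"))
    print(by_evidence["audit-report.pdf"])
```

Querying at unit level rolls up evidence tagged at element or performance-criterion level, while the identical label on `audit-report.pdf` and `old-note.txt` stays separate because the identity of a tag is its URI, not its string.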

One of the goals of EIfEL for the Learning Forum London conference is to create a consensus within the ePortfolio community, and possibly beyond, on:
  • "URI tagging" as a general mechanism for tagging
  • Establish a number of initial competency repositories providing URIs using existing occupational competency standards and a simple mechanism for growing internally and externally those repositories
  • Draw a roadmap for future developments

Thursday 19 February 2009

“The Internet of Subjects” Manifesto

EIfEL is currently working on the publication of “The Internet of Subjects” Manifesto. The objective is to bring together all the current efforts to make the Internet more 'subject centric', taking into account the human factor.

“The Internet of Subjects” Manifesto

The central role individuals now play in the Internet, calls for a radical rethinking of its organisation, in particular, the way the ever-increasing flow of personal data is being created, stored, connected, accessed, protected, tracked, exploited and managed. There is a need to create the foundations of an Internet where the architecture creates the conditions for the free association of self-conscious individuals, beyond the pre-defined boundaries of current information systems and social networks.


The foresight of an Internet of Subjects, rests on a vision of self-conscious subjects who are in full control of the whole of their personal data, from personal healthcare, education and employment records, to bank, sales and various tracking records generated in the cyberspace.


The Internet of Subjects aims at being a people enabler, creating the conditions for developing one’s social and professional identity and contributing to the growth of social capital.


The Internet of Subjects aims also at being a business enabler, creating the conditions for for-profit as well as not-for-profit organisations, public and private agencies, to provide personalised services while using personal data ethically, as defined by the individuals.


To achieve this, a second order change is required. Thanks to research, innovation, improved quality of online services and the ever-decreasing costs of online storage, bandwidth and computing power, we have reached the tipping point where this second order change is now made possible.

[...]

If you want to join the conversation and contribute to the Manifesto, please contact serge.ravet@eife-l.org.

Tuesday 27 January 2009

The Identity Centric Framework

The tremendous work done by organisations such as the Oasis Group, Liberty Alliance and Open ID on specifications and standards for digital identity calls for a profound transformation of the Internet, moving from the "Internet of documents" to the "Internet of Subjects." In an Internet of Subjects, we don't want our actions to be limited by existing social network services provided by a third party, we want to be able to create social networks on the fly, just like in real life —and undo them without losing any data. We also want to be able to keep in one place (possibly distributed), a place we own, all the publications, contributions and various artefacts and tracks generated during our Internet activities.

Publication mechanisms like trackback demonstrate that it is possible to publish a blog entry or a comment in a personal space to make it visible in another one, so if a specific aggregation of blog entries/comments is not supported anymore (let's say that this instance of Blogger disappears), then the entries and comments will still be available in my personal space (today I use a Word copy as save). Of course, the use of trackback has been impeded by pirates trying to circumvent anti-spam software, but this general mechanism (or equivalent) could be revived and systematised in a trustworthy environment, using social computing to support reputation mechanism.

In order to give a general framework for these reflections, I've come up with something named the "Identity Centric Framework" (ICF), with the intention to codify a set of fundamental principles to which any identity architecture should conform to be universal and sustainable. This framework can be seen as a derivation of Microsoft's identity metasystem and laws of identity. The principles can be summarised by the acronym “ID TOUCH”.

A universal identity centric system should be:
  • Independent: it should be sovereign and independent from commercial or partisan interests; it should be based on the existence of multiple, competitive, operators and technologies.
  • Dependable: it should have a provision to guarantee that personal data are free from potential loss or theft as well as identity attacks.
  • Transparent: it should provide accurate reports and statistics on how one’s personal data is being used by third parties. It should also provide negotiation and discovery mechanisms for social interaction and data exchange.
  • Opaque: it should provide mechanisms to fine-tune external visibility of personal data, up to the point of total opacity and anonymity —except for legal or regulatory requirements. It should include encryption and other techniques to limit the risks of undesired disclosure.
  • Unifying: it should provide a seamless experience across contexts (e.g. healthcare, education, employment, leisure, mobility) and identities while keeping a clear separation between independent contexts and multiple identities.
  • Communal: Identity systems must recognise and exploit the social nature of identity. Mechanisms such as reputation and trust should be native features of identity systems.
  • Humanist: the underpinning values of an identity centric system are a humanist vision of technology refusing the reification of human beings and promoting an open and free society.