Lesley Fair is a Senior Attorney at the U.S. Federal Trade Commission. She blogs regularly for the Business Center of the Bureau of Consumer Protection. Recently, she wrote about the FTC’s huge settlement with Google over deceptive tracking practices. Lest you feel too smug about Google getting an expensive black eye, Ms. Fair spells out what it means for your company’s Web site. Ignore at your peril!

  • Lesley Fair: Track afield: What the FTC's Google case means for your company
    “After two weeks of talk about track, the trending topic is tracking, including the FTC’s $22.5 million settlement with Google for violating an earlier order. Google told users of the Safari browser it wouldn’t place tracking cookies or serve them targeted ads, but the FTC charged that the company’s tracking practices went far afield of its claims. Of course, the terms of that settlement apply just to Google, but there’s a lot savvy executives can take from the case and other recent FTC actions that touch on tracking.”

There were several other items of interest to the identity community:


  • Peter Van Auwera: Digital Asset Grid #CIS2012
    [@petervan’s Prezi from the Cloud Identity Summit, including audio]
  • Ping Identity Announces “Best Bloggers” from Cloud Identity Summit 2012
    “Adrian Lane, Securosis CTO, and Nat Sakimura, Chairman OpenID Foundation, Win “Nimby Award” for Best Conference Commentary”
  • miiCard Joins Open Identity Exchange to Help Develop Online Trust Standards
    “As the leader in electronic identity and verification systems, miiCard will leverage its global footprint to assist OIX in expanding an international network of trust frameworks. miiCard joins the UK Government’s Cabinet Office Identity Assurance Programme (IDAP) as a fellow UK-based member of OIX.”
  • Shibboleth: The "On Breaking SAML" Paper
    “The issue resulted in a Security Advisory in July 2011 and the vulnerability was corrected at that time. You should certainly review the advisory, and if you are still operating vulnerable software, you should understand that it is likely a matter of weeks or days before simple scripts are available to attack your system. Please upgrade to the latest supported releases at the earliest opportunity.”
  • John Bradley: OAuth 2 Abandoned by Parents, Forced to carry other Protocols Tokens to make flows meet
    “I wanted to beat the pundits to the sensational headline.”
  • Jericho Forum: Identity Management: Building a Global Identity Ecosystem (5 of 5)
    “Using the concepts addressed in the previous four videos, this fifth and final video of the Identity Management series presented by the Jericho Forum, "Building a Global Identity Ecosystem," highlights what needs to happen in order to build a viable identity ecosystem.”
  • Dave Kearns: The Honan Hack and the BYOI meme
    “Bring Your Own Identity (BYOI) is a meme launched by Axiomatics’ Gerry Gebel a few years ago when he was with the Burton Group when he asked “why can’t the company I work for accept identity assertions or information based on an identity service that has already vetted my existence to an adequate assurance level?” The important part of this, of course, is “adequate assurance level.””
  • Dave Birch: Adding MYTH to financial services
    “BYOT doesn't quite work for me. Maybe "COD" (customer-owned-device) or "MYTH" (MY THingy) would be catchier. Nonetheless, Eve is spot on. We all know what that thingy would be, by the way. … I don't think this is what will happen in practice, because there is a difference between asserting that an identity is unique and authentication, and asserting that that identity is you or me. I think it will work differently, and in a better way, but since I refuse to provide free consultancy to the government on this, I won't say how... oh, all right then. Here's one way it could work...”


Cloud Computing

  • Chris Hoff: Incomplete Thought: Virtual/Cloud Security and The Potemkin Village Syndrome
    “What this yields is that when new threat models, evolving vulnerabilities and advanced adversarial skill sets are paired with massively disruptive approaches and technology “conquests,” the security industry basically erects facades of solutions, obscuring the fact that in many cases, there’s not only a lacking foundation for the house of cards we’ve built, but interestingly there’s not much more to it than that.”

Valuable Identity

