Yesterday at 21:56 my first “Hello world!” program in parenthood completed successfully, producing the expected result: a 48 cm long 3.1kg boy.

EDIT: Mandatory picture of the little guy chilling:

• Global Trends on Mobile Marketing: Most interesting slides as they had actual and factual information from a survey listing different trends and technologies which are used in marketing. Notice that LBS has a HUGE growth potential (“planning to use in next 12 months vs have used in past 12 months”) and that majority of marketeers still rely on messaging. LBS drum has been hammered for years now as The Next Big Thing. But to me it comes with no surprise that iPhone does not have MMS support – it is expensive, cumbersome and mobile/closed (vs web/open) technology apparently invented (read: sucked out from a pencil) only to bring you junkmail. Multimedia exchange between peers feels much more potent via social services running over the (mobile)internet using internet methods (http, e-mail, social sharing services) than via monstrums like MMS. From my ignorant point of view, MMS represents a greedy mockup by operators who hope that it will follow the success of SMS (which, unlike ugly-CORBA-successor-SOAP based MMS, is a neat and clever hack on top of existing GSM network). I hope MMS dies soon.
• Estonian Operators Mobile Advertising Reach Package: Rrrright. After reading “2/3 of mobile internet traffic comes from operator portals” I understood that I’ve never given much thought to the difference of Mobile Internet and Mobile Broadband. For me mobile broadband internet is just a Pipe going through the Air into some Processing Device. Sometimes the device is attached to a computer, sometimes the processing device itself has input-output and user interaction capabilities and sometimes the broadband comes in sub-GPRS speeds. And operators are fighting hard not to become mere Pipes, hoping they could maintain their walled gardens. I still don’t believe that 2/3 of handset browsing only goes to the operator portal, but then again, most people don’t use technology the way I do or they don’t use it at all. After getting a glimpse of what the global trends are (technology, attitude and the unique right place-time-location mantra) it came a little shocking that the only thing they provide is a way to buy wholesale ‘dumb pixel squares’ on mobile ‘web’ portals. No demographics, no advanced features. Nothing.

  A suggestion to operators who are evaluating their location based services (and advanced marketing) strategies for Mobile *Broadband*. Mix LBS with web technologies such as Gears Geolocation API to give location aware ads and web content to desktop browser. A good (also a bit scary) example was JoikuSpot, which turns your 3G Nokia phone into a WiFi hotspot. The landing page of the hotspot displayed a Google map with the location of your mobile…

• Mobile Marketing Case Studies: There have been moments when I’ve thought that operators exist only because of football, because different big football events are very often natural stress-tests for mobile messaging technologies – spikes in traffic are guaranteed during New Year and world cup. Life in mobile messaging revolves around football, so did the Snickers campaign launch just hours before an important match. Does some big operator (Vodafone? Telefonica?) already own some FCs? If not, they should!

I’m not really into advertising and I hate annoying popups and ‘look here what we have to offer!’ pictures. I’ll have to wait until *marketing* guys come up with something technically advanced like offering meaningful information when I check for better prices in a supermarket.

OpenID.ee uses the same idea – that people and URLs are the same things to some extent in certain situations. At least when URLs are used for matching identifiers for authentication purposes. In fact – if URLs are people then OpenID.ee provides permalinks for people. Cool URIs allow to address people, but OpenID.ee allows to address real people in the real world. And not only address – also to authenticate them.

Scott Kveton is definitely right – 2008 shall be very exciting!

EMT, an Estonian mobile operator, provides a very interesting service named call filtering what essentially is a user-programmable call router for your GSM number. It allows you to have whitelists and blacklists of phone numbers you want to receive or drop or forward to another number – without a ‘beep’ on your phone.

Traditionally you could either switch off your phone (and lose all calls), forward calls to voicemail or another person (and lose all calls but still get SMS messages), keep your phone in silent mode if you do not want to be disturbed but would still want to see who calls you (and possibly answer some calls) or just press the red button to get rid of annoying callers.

Jaiku is all about enhancing your mobile experience. Rich presence and status information on your mobile device – what we are all used to from IM networks – is here to stay. But IM clients/networks have also something I would call ‘rich contact and privacy management’. Take a look at Skype privacy settings or think about the last time you blocked an annoying user on some IM network.

Now.. Just as Jaiku Mobile integrates with your address book and allows to share your status and location with folks in your address book – wouldn’t it be nice if selecting ‘block this person’ in your rich address book would actually propagate the blocking action down to the GSM network level and answer all calls from that person with ‘phone not switched on’ message? Or instead of checking your silent phone every time the screen lights up during a not-so-important-meeting to see if this is your sick mother/wife/child or Big Boss calling, you could just activate a ‘busy for others, available to important people only’ mode/whitelist ?

Clearly the ‘passive address list’ used as the address book in most phones is not enough and Jaiku is one application that could make a difference. The quest for a unified address book has not yet seen a full solution and the future looks bright!

That’s all folks!

After watching a video about Jaiku I’m even more convinced that when compared to other similar services Jaiku really tries to help real people with real benefits and not just suck time and attention by providing another entertainment site on the Internet.

These days, in the era of continuous partial attention, the ability to focus without disruptions is pure cash (or just peace of mind). Microblogging, with ‘more updates, faster’ approach certainly doesn’t seem to be designed to save my attention.

Internet enabled us to get in touch with people across the world easily. Remember those “I’m on vacation until XX, please contact ZZ meanwhile” e-mails you receive every now and then when replying to corporate e-mails with 10 persons in the Cc list? Well, luckily those recipients only have to deal with a clogged up inbox. After they have enjoyed their vacations.

What mobile communication brought along is the ability to get in touch any time, any place. This is not the same as to skim over your full inbox once you return. This means constant ‘beep-beep’ in your pocket. The next step would be to stay in touch and avoid the constant disturbance created by mobile communications.

I see Jaiku one step ahead of the competition, willing to bring me the information that I need, when I want, wherever I want – readily available on my mobile phone. This information allows everybody to make better decisions and disturb each other less. Putting your mobile phone on ‘silent’ or ‘meeting’ does not eliminate the casual polling call: “Where are you? How are you? Do you have time to talk?”

So. Here is my wild vision where Jaiku (and mobile positioning and/or GPS phones) could take us in next few years:

I leave for summer home and mark myself as “on vacation” and all my work related contacts see in their applications as “don’t bug him, his on vacation” (well, actually I would be off their radar screens with this status message). At the same time, contacts in my “casual buddies” group get a green light together with “@summer cottage preparing sushi. sushi anyone ?” in their phone books.

Next morning I wake up and decide to go swimming somewhere (Estonia does not have as many lakes as Finland but still many enough) and I open the map application of my GPS phone to find a new lake to visit near the summer house. The map also shows my buddies who have decided to share their rich presence with me. And I see that one of them, Margus, is nearby “drinking beer and preparing for the concert in the evening”

And thus I can make a phone call:

“Hey Margus! I see you’re nearby – I was thinking of going for a swim and there’s a nice lake near the place where you are. Lets meet up and have a swim and enjoy some beers afterwards?”

Now, that is a truly different and useful mobile experience and I believe Jaiku has enough power to make it a common reality.

Yours truly,
martinpaljak.jaiku.com

Knock-knock! Who’s there? It’s me!

This works when you’re visiting your friends garage after you have called him beforehand. But we all know that internet doesn’t work this way.

OpenID is an open, decentralized, free framework for user-centric digital identity. (from openid.net)

If we omit “digital” from the equasion we see that OpenID should be user-centric identity or as Dick Hardt says: Identity (both 1.0 and 2.0) is about who you are.

So who are you?

Who am I? I can’t predict how you percieve your inner self but unless you suffer from “split personality” or have very certain beliefs about dualism the answer should be relatively easy – you are you (yes, the same You who was the person of the year). You are who you are. Period.

How this relates to OpenID? What is an OpenID? Simon Willison explains this in simple terms: OpenID is a URL. What means that the answer to the “Who?” question in OpenID world is a URL. A URL is better known as web address.

Address as an identity?

If we agree that OpenID is nothing but an address, we can compare it to traditional addresses people can easily understand. “Big City, Long Road 306″, “Smaller Village, 5th building from the left”, “New York, 5th Street 1234, 32nd floor, room #666″ etc. We all live somewhere (even if this “somewhere” is under a bridge), work somewhere and visit our friends who live somehere. All these places have addresses.

Wikipedia tells us that “Identity is about the sameness of two things”.

What if there is “Big City” in Italy and in Japan and they both have “Long Road 306″? Forget the readable address and take numbers – geographic coordinate system. You can unambiguously address a place on planet earth and all you need is a GPS to find the exact place. The mountain at a specific coordinate has existed before there was GPS or even before people understood that world is not flat.

The same way people have names. “John Smith” (or “Hannibal“), “Martin Paljak”, “Bill Gates”. Everybody you know has a name. Every “name address” leads to a human being who (hopefully) has a sense of “me” or a subject who could “practice” user-centric identity. As there are thousands of “John Smith”-s in the world, you can try to narrow it down to “John Smith, born on 13.07.67 in London”. I’m lucky (or unlucky?) in this case as I’m currently probably the only Martin Paljak on this planet. Our society (or governments) has invented an unambiguous adressing scheme for people as well – a database of social security numbers or personal ID codes. There is no other person in Estonia with a personal identity code 38207162722 even if his name would be Martin Paljak.

The same way you can’t assign coordinates to a mountain or issue coordinates (you can only invent the geographic coordinate system once) you can’t do that with other addresses – like OpenID URLs – they just exist in some system. You can escape your home address by going camping but you can’t escape the geographic coordinates of your tent. You can choose the place you live but you can’t choose the address the building has.

Internet is not real life

Everything I described before is about absolute identification what is actually the nice reality in real life. So you say that your online identity might be different from your real identity in the era of web2.0 and identity2.0?

This is the topic of the next post.

There are also philosophical issues in real life that need to be dealt with in practical ways. For example: Estonian personal identity code encodes the gender of the owner. Me as a male – my personal ID code starts with an odd number. If I would be female it would start with an even number.

What happens with people who undergo sex change operation? In real life and on the Internet ?

Finally I’d like to share with you two nice findings from the wild-wild-web:

Mart Parve talking about Estonian eID in a podcast and a funny video about Britons and how they fight their eID with humor (I DO understand the attitude towards government in UK. All those cameras and no real privacy there …)

—–
This is part of a series of posts that talk about my view on “Who? (you are)”, “How? (you prove it)” and “What? (can one do with this information)” of OpenID and electronic identity in general. The keywords of this post could be “absolute identification” and “federated identity” but in simple terms.

I have promised a longer and more in-depth English post about the backround of the mentioned service before or right after the “gold v1.0 beta” release (what is happening really soon now, a matter of days I would say) – stay tuned for that.

Mark points out several real risks we must deal with. And yes – the golden rules for security related stuff would be “never say never” and “there is no mission impossible”. Even though my post does not give the answer to the original question about phishing nor discuss the generic functioning of smart cards or two factor authentication or identity issues I’d like to make some things clear in the context of open.id.ee solution and answer his concerns.

First: I’d like to make it absolutely clear that Estonia is not issuing OpenID-s as it is all about enabling existing technology and electronic identity rollouts to become OpenID compatible. This is mainly a question of ‘addressing’ or defining the semantics of the OpenID URL and how (if at all) do we encode the identity information into the OpenID URL. Very technical and very practical problem. You don’t issue addresses as they are just merely ‘pointers’ in programming parlance. You exist independently of any URLs possibly pointing at you. You can issue as many pointers as you like, as long as you understand the address and find it useful.

Second: The reason why this hybrid was created is not absolute security that is required by applications like electronic voting or electronic banking but to improve the overall security and privacy of the online identities of Estonians for the 99% rest of the websites in the wild wild web (and mainly abroad). Something practical. Somethig real. Right now, right here – not on the whiteboard.

Back to the list of things that could fail with open.id.ee:

A person could be threatened or bribed into activating their smart-card for someone else to use

You can never avoid the human factor. Threatened – yes (a hammer works best). Bribed? If you’re a complete moron selling your identity to someone – you could do it but what would the buyer get? By selling it you only hurt yourself (and the buyer could post on jyte a stupid claim under the sellers name). The idea is mainly to allow those who care to take better care of their online identity. If you don’t care and are willing to sell it – there is a problem secure OpenID can’t help you with. But what is very important: you can always reclaim your online identity (after you have been forced to part part from your eID card and PIN codes, thanks to either brute force or loads of gold) by applying for new eID ‘hardware’ (the old one is revoked and becomes useless).

The openid service itself could be hacked and thus faked

True. This is one of the biggest problems and this shall be dealt with special care by using a very secure environment and by open sourcing the service software. As this is a pure SSL service server certificates should help eliminate fakes.

The smart cards could be forged

Could. But very unlikely. If that would happen you should be much more worried about your Visa card than your online dog forum account. Be sure to check the pictures where I break into my eID card

Valid smart cards could be given to false identities either through forged documents or dishonest government employees

This is a more rare crime and way more serious and understood by police than a ‘my pet forum account was hijacked’. It is of course possible but here again the technical security of the given solution is secondary and human factor the primary threat.

Someone could figure out how to simulate a valid smart-card authentication

I would classify this under the generic security of smart cards. Again – this attack is possible – but very unlikely/difficult/expensive.

The openid server could have a bug that allowed for cross-site scripting attacks

True. This is what open source security is all about. You’ll eventually see the source code running the v1.0 service (and if there is a reasonable way to have signatures on the actual code running in the servers – you’ll have that too)

A phishing site might discover a way to capture a valid authentication and replay it later

What would make OpenID collapse. A lot of problems for everybody involved.

I’m all about security and healthy paranoia but in my humble opinion everyday security is mostly about common sense. Just like two terrorists would probably not use their national eID cards to secure and protect their communications, the security of the available technologies like smart cards is unbreakable for 99.999% of people and thus good enough for an even greater number of legitimate use cases.

And in the end it is all about trust. If I don’t trust somebody then there is nothing technology could change. Technology can only increase the level of trust as it shows that the other party is taking security seriously and is doing the best he could do. One has to figure out: Who do I have to trust? Why do I have to trust them? Who do I actually trust? Why do I trust them? Is the trust level good enough for the given situation?. Currently you have to trust evert site you register with to take care of your personal information rather than force the site to trust whatever YOU are willing to present as ‘this is something I trust. Use it!’…

The Estonian eID (or any national eID) is a nice reality check/example. One can say that you can’t really trust the government issuing it. But I believe it is OK in that case to use a piece of technology you do not trust to do business with a government you anyway don’t trust.

OpenID, just like electronic identity in the form of smart cards, makes stuff easier for you and more secure by design (hopefully). Take it or leave it. Use it and spend the time you save on doing something you love.

[https://bugzilla.mozilla.org/show_bug.cgi?id=328346](https://bugzilla.mozilla.org/show_bug.cgi?id=328346)

The bug Estonians know as the ‘PIN1 vs PIN2′ bug in Firefox 1.5.

Technically: Substituting NonRepudiation with DigitalSignature because both represent a digital signing operation in a query filter is like substituting sex with anal sex when browsing classifieds – because TECHNICALLY it is banging some hole. NO! If I’m looking for sex then I’m looking for sex. If I’m looking for anal sex then I’m looking for anal sex. You get what you ask for (IF you’re lucky) and you don’t get what you don’t want. Even if technically it is all the same in-and-out and some say even better (NR meaning ‘more secure DS’?) than normal.

goddamit, I go to [Patpong](http://en.wikipedia.org/wiki/Patpong) now and without making specific request i would get all the holes i never wanted….

Yet.

My happy ‘finally back from Spain’ post never reached the internet. And summer brought another short business visit to Spain that was extended into a full-featured eurotrip..

I’m back, with the best tan i’ve ever had and least stress i’ve ever encountered since February.

Next two months shall bring you more news and downloads, before i DO emigrate to Australia (sort of..)

If you feel that i’ve not replied to your e-mails or answered your calls, please, DO send them again.

Thank you, come again.