Tribute to Kim Cameron: Privacy & the 7 Laws of Identity

Good evening, everybody. Let me see if I can get through this with a falling apart. I met Kim Cameron a long time ago, and it's a funny thing for me. It was a day that I remember very clearly. It was spring day in 1993, or sorry, in 1989. And I attended a vendor presentation when I was working for a government department. It wasn't a typical presentation. As what I saw was a, a software product that changed the organization I was working for and ultimately my life back at my office, I sent a telex that's how long ago this was to my boss, who was at our office in Kenya at the time.

And I told them that I had found this exactly the software we needed. That software was from a, a small company called zoomed corporation. Little did I know that this was going to be the first of many firsts along Friendship between myself, my soon-to-be wife and Kim and his family. Ultimately, I joined zoom at 1993 and had the privilege of working with Kim through the very early days of identity.

In fact, before it was, he called identity, it was directory synchronization, and we built a product, a directory synchronization product for Banian vs.

And by working with customers like sprint rebel bank, the us Marine Corps, and many enterprise customers in the late nineties, we learned that the industry was much more about, it was much more than just directory synchronization of email addresses, but it was about people and information on all these different systems that had to be correlated together into the representation of a person Kim and his family had a summer home in Victoria, Canada, where he typically in the summer, he would write a white paper, the first of many.

And in the, in 1996, he wrote one, which basically announced the birth of the meta directory. It was followed by the launch of zoom it via the first product we built the first commercial identity product ever in 1996, ultimately resulting in the acquisition of a small Canadian company by Microsoft in 1999. I literally believe that Kim was the catalyst for the identity industry in the identity market. And Microsoft Kim became the first architect for identity and a distinguished engineer. He built literally a wall of patents in his office.

Microsoft would give you a little square brick for every patent you had. And Kim had this wonderful office filled with these, with these, with these bricks, he would write RFCs on cocktail napkins, which I saw him do at Netscape one time. But even more importantly, he was husband to Adele who frequently accompany accompanied him to this conference. He was a dad, Clara and max, and he was a friend to many. Kim did everything with Gusto and quiet intensity, whether it was roasting coffee, beans and brewing the perfect cup of coffee or perf perfecting scrambled eggs.

Kim was always all in and he was ever the teacher, whether he was talking to bill gates or Steve bomber or a newly graduated developer. Kim was a patient man who would explain complex problems with humor and patience and passion. I could spend hours telling stories of our travels together, literally his ability to win people over His humor, but today will review his seminal seven laws of identity, probably his most important work. So let's get started on that. And I guess doc, another one of our close friends and Kim's close friends will talk about user control and consent.

Thanks, Jackson. Well done. Thanks. I do not see myself. Hmm. We hear you now. You can hear me. Yes.

Well, well that may be enough. I, I guess I, I thought I was gonna appear on screen. I've got my little camera up. Doesn't matter. You know who I am. That's identity, I guess I Thank you, Jackson, for an awesome background on that.

I, I wanted to talk briefly about where Kim was coming from. Oh, here I am. Kim was coming from two places. One was the physical world where we all live and breathe and have bodies and are not digital and, and where we worked out identity. And in both the 4 million to vernacular sense a long time ago, I know that I'm David to my family and to the department of motor vehicles and I'm docked to most of the rest of the world and I can make that work. And there's an understanding that I have have with everybody. I meet that I will engage them according to some well understood principles.

Those principles became the laws of identity. And the other world that we live in is where, what we call identity is how we are known to databases. We are in name spaces in corporate databases. When Kim wrote the laws of identity, which is the late 2004, mostly and published in 2005, I, he saw, he was trying to make it work within a world where companies needed to be able to work with each other more than we needed to be able to work with companies without changing those laws.

A bit that changed over the years, I advised people to go to his 2019 talk here at EIC, where he talked about turning the web right side up, where individuals would have their own homes on the net and would really be in charge. And I think the important thing is that if you think about the way that wait and his first law was user control and consent, he told me later, he'd rather called it personal control, but the computer industry knows this as users. And so he, we kept that term.

But what happened was that consent in the digital world turned into something where we're always agreeing to the terms of other parties, rather than they're agreeing to ours. He wanted us, he wanted it to go the other way around. We're a long way from that it's work. I'm doing it's work. A lot of other people are doing right now with self-sovereign identity, a term he didn't like, especially although here at the IC, he said, whenever I said the baby got named, he said, okay, we'll call it that anyway.

So that's, that's the main thing. I'm also gonna be talking a little bit in a bit about, I think justifiable parties, cuz I'm swapping in for Joyce, but that's enough on, on, on music control and consent consent should go, should be something that we obtain from others. Not that others are obtaining from us. Yes. You're up. I'm up. You're up. Wow. What a group to be with honoring Kim. And it's nice to see you even doc and the, in the pictures in front of us, I'm waving to you.

So I'm here to share about the second law, which is user control and consent and it states that technical identity systems must only reveal information, identifying a user with the users consent. I think that sounds like a powerful yet short statement. And when I think about when the laws that were published and how true that remains to be today and how succinct it is to capture this, I find this truly amazing.

I got to had the honor and privilege of getting to know Kim more later in his life, particularly as he came home to Canada back to live in Toronto, Kim was always keen to support success of Canada and, and the success of the work that we were doing in our organization at the DIAC. And I may have brought him to one of his last speaking events where we brought him to speak remotely in French to a French conference in Quebec only to find when the camera turned on, Kim was speaking from the hospital and that's how dedicated he was to speak in French and to speak in Canada.

And what he loved, if you knew Kim, you know, that he was, he was truly an artist truly, truly. I think that Kim approached art and technology in the same breath and, and the way that he approached art, he looked at technology as this delicate art to be cultivated and shared one night in particular, I really got to enjoy Kim. I was a part of EIC. It's a fond memory. We went to the light museum with Ingo Mar yeah. And I got to enjoy the Wonderman of, of Kim and Adel, enjoying, enjoying all of that art. And I think Eve may have brought home a light candle herself.

And it got me thinking the beauty of that museum, part of the beauty was where and how the light was shown and where it wasn't. And, and it was that disclosure, if you will, of the light and where it wasn't disclosed, that made the art that we were paying attention to. If you had too much light, the art would be gone and the experience wouldn't be there. So I think data can be thought about in an artful way as that light. And if we have too much data that's shared and not minimized, we lose the delicateness of that transaction that is to be performed.

So I think that it it's, he really brought this, this artistic view, that same wonderment of seeing that art and that light and that dark and how they played off each other and looking at data and how we share it and how we don't share it in the same delicate and pragmatic and thoughtful way. That's a Testament to him and to his humanity and to the long lasting guiding light, if you will, of the second law of identity Bravo and back to you, I think doc, okay.

Actually, I'm looking at the laws and I'm wondering that the second law is minimum disclosure for constrained use. So that's sort of interesting, but it comes down to the same thing. I guess I'm audible. I'm not seeing myself on yeah. On the lower screen. Good. A again there's if you think about how we operate in the world, we don't go down the street wearing a name badge. We don't go down the street, advertising ourselves. We don't go down.

We don't, you know, here in the physical world where all of us actually are, we're not busy telling the world or anybody who we are or what we're doing there. We're pretty full control. And that's a grace of civilization. It it's actually, it unburdens companies of the need to know everything about everybody, which became an imperative during the great age of marketing that occurred in the teens and became toxic and gave us the GDPR and the CCPA and other measures to try and reign back the want and, and uncontrolled accumulation of personal data for every possible purpose.

And that, as we just heard in the prior talk about our, our faces, you know, so, so, but justifiable parties, which justifiable parties is about, which that's the, that's the third law. If you think about it, if these laws had been obeyed in 2005 and we started out, you know, it's kinda like the law of robotics. If we'd started out with that, that Isaac Agam came up with in the 1950s, early 1950s, or the Hippocratic oath do no harm first do no harm.

We wouldn't be in the pickle with privacy that we have, we would the companies, the world would've had the good manners that can, and like gentleness and good manners to not pry into our personal lives, to not try to harvest everything they could possibly gather about us for any purpose. And we'd all be a lot better off because we have much more trusting as individuals with companies that we knew we're respecting the need to, to, to treat us with respect. And we don't have that yet.

And again, we're just beginning to get there. It's a shame that Kim hasn't lived to see all of this, but he lived to see enough of it. I think that we had reason to be optimistic about it.

So I'll, I'll leave it at that. Thanks doc. My name's Don Tebow, and I'm gonna talk briefly about the fourth law of identity. This is the law of directed identity. Kim made a distinction between omnidirectional identity and unidirectional identity. And to give you an example of that unidirectional identity identity is for public entities like Google WW, google.com is an identifier, but Kim also importantly paired that with unidirectional identities.

This is a, an iden identifier, which is very personal. Kim was a husband. Kim was a father. What he was trying to do was to prevent tracking and surveillance via pair wise identifiers. What Was important about law? Number four was that it was incorporated into GDPR. It was fundamental. You can see it there. And as we know, GDPR informed a global ecosystem of identity management. It was a consequential thing, law number four because it informed not only laws, but it also foresaw an era of self sovereign identity.

As nassak, Andora pointed out in a blog some time ago, Kim foresaw that the fundamentals of self sovereign identity is very Simple. That a person is not an, an entity. A person is not a public entity. So law number four was consequential. Let's go back to that notion of unidirectional identity, something that is, that belongs to us. And if you close your eyes or give you a few seconds and think about someone who's been a mentor in your life or consequential in your life, for many of us, Kim was consequential. Yep. For many of us, he was a mentor.

So how do you honor someone that's consequential? You can talk about them and remember them, and we're here to today to do so. But what Kim did did was that he took action on his beliefs. He took action on what he thought of as consequential. So as an example of, of being consequential, I'd like to announce that on behalf of the board of directors and the membership of open ID foundation and all of us gathered here, I'm pleased to announce today the launch of the Kim Cameron scholarship program.

This is a series of awards that will be given, has been given to a small cohort cohort of academic researchers and scientists. And what we wanna do is to invite a new generation of identity professionals into conferences like this. And I'm so pleased to say that KuppingerCole was immediately responsive and offered to join us. And we hope other organizations and individuals in making it easy for young people, interested in this area to attend conferences like this and joining these conversations.

So we've awarded this small grant to a small cohort of, of these young people in, in Kim's memory, hoping that they too will be consequential. We encourage all of you to join in this effort to honor Kim in this scholarship program, feel free to contact me or the open ID foundation about how we can extend and expand this program to make it more consequential. So the Kim Cameron scholarship awards are a token, literally a token of our esteem. Thank you. And I think you, so I love Over to you Eve. Okay. Hopefully people can hear me and or see me. Yes. Great. Thank you.

These, these are such beautiful tributes. I, you know, I'm, I'm quite passionate about some of the other laws too, but I really appreciate the hidden depths of number five pluralism of operators and technologies. We can see Kim's call for pluralism as, as actually precedent in a time back in 2004, when the conversation was really fresh about, you know, how many IDPs do we need? Should we have one identity ring to roll them all?

And in fact, in the face of the entire industry kind of array against the previous passport and hailstorm technologies informing the Liberty Alliance based on SAML as a response, Kim's work, advocating pluralism at Microsoft constituted, a courageous bold act. And it also gave a nod to the power of standards to underpin independent implementations. So these themselves have benefits for security and autonomy, individual autonomy. I also wanted to just describe how Kim lived according to this law and I'm actually living proof.

So back in 2004, Microsoft and son, weren't so friendly to each other, but we're actively trying to figure it out. And during that time I moved as a sunny as the sunny responsible for web services and identity interoperability as a part of the, the effort, the sun, Microsoft Resh mom, if you will, it turns out I moved to Seattle and I kind of only knew Microsoft is in the area. And Kim was definitely a friendly. And so the connection that he and I were able to forge and our I'll call it, our local lunching helped us to build a stronger corporate collaborative relationship. No kidding.

And it supported crazy things like IOP work that led to a, one of a kind Scott McNeely and Steve bomber president in which they demonstrated Ws Federation, SAML interoperability. So, so in short in pluralism, Kim boldly grasped a particularly sticky nettle and, and he advocated it, I think internally as much as externally.

And, and, you know, we need a reminder about this still now, more than ever, you know, when it comes to technology that strives to be decentralized. And the recentralization kind of pendulum swing that we sometimes see, and the, and the traps that we, that we become sensitized to possibly existing things like the impact on privacy and autonomy of using singular issuers of credentials. And frankly given the ubiquity of digital identity everywhere in the connected world, Kim and his fifth law stand out.

Oh, and by the way, Kim directly influenced that choice that I took away from the light museum. It's called my new flame. And it's the most persistent and electronic version of keeping a candle lit in the window that it's possible to create.

And, and the candle is still burning for these shared principles. Very good, not propo, good evening. I'm Mike Jones at Microsoft. I can say without a shred of doubt that I wouldn't be here. And I wouldn't know all of you, but for Kim taking me under his wing and telling me about this thing called digital identity and getting me excited about this would be a cool thing to do.

And it would matter the sixth law of identity as the law of human integration, as he wrote it in 2004 and published it in 2005, the human user is a component of the system and requires an unambiguous, safe communications mechanism. Or, you know, as most of us would talk about it, successful systems have to be able to be used by people and they have to be safe using it, or they will fail.

You know, Kim was always about the people you could build great systems, but if they were not for the people unusable by the people there wasn't a point and they would not succeed. When Kim took me under his wing in 2005, and he started taking me to these identity events. One of the things he said to me very early on was now you should always find something nice to say to everyone, But he also had a wickedly devious sense of humor.

So he followed that by saying, you may be certain that their endeavor is going to fail due to structural reasons and bad assumptions on their part, but at least you could find it in your heart to say, you're working on a really important problem. Kim demonstrated by example, that you get more done by being kind to people than by making enemies. Since Kim's passing, I came to understand just how many people Kim mentored. It was part of his DNA. He would seek out people that he thought had promise and spend time with them. I'm so honored that he chose me to be one of those people.

So my response to that, especially since Kim died is I have decided I'm gonna pay it forward. I'm going to mentor people that I believe have great potential much as Kim did. Kim was a visionary, and there's not many people I would say that about, but he was a visionary. I am still motivated by his quest to build the Internet's missing identity layer, and we're doing it. And it's a work in progress, but it really matters if you look at my Twitter or Facebook feeds, that's my tagline of what I'm doing and what I'm about. And that's thanks to Kim.

I'll tell one story for the Canadians in the room, including Joni, Pam. There's a number of you. I looked around and I saw there were all these Canadians working in digital identity. And I asked him, why does so many Canadians work in digital identity? And in his thoughtful way, Kim said, you know, as a Canadian, I spend my entire life asking myself the question, what is it that makes me uniquely Canadian, as opposed to just being an American. And of course his wit came to the bear again.

And he said, now Americans, don't give it a thought, but that's Kim's view on why there's so many Canadians in digital identity. I loved what Johnny said about Kim being an artist. It's certainly true. Those of you who can see me on camera, you may see that I'm wearing a musical instrument as my tie tech. Some of you know, many of you probably don't that Kim was an accomplished professional musician at one point in his career. And that's another tie that I personally have to Kim, that we share a love of how music can touch people's souls. I miss you, Kim. Thank you. Good job.

So the seventh and last law on consistent experience across contexts is interesting. You did good to me in particular, because I think when we first started back in the mid nineties, one of the things Kim kept saying to me is people wore different faces, whether it was a business face or whether it was their personal face. And he said, we have to figure out a way to represent these faces.

And I mean, we all see this today in what we do on the internet every day or, or how we interact with people, you know, as, as he wrote, or as we all know, when you're on a website, you may not wanna share any particular information. You wanna browse anonymously. In some cases you may want to give away personal information. In some other ways, you may want to give community information out to out to whatever site you happen to be talking about no Cole. And of course, we all have a professional identity or a professional face, and then there's credit cards.

And the fact that you're a citizen of Canada, like I am, or a citizen of the United States, all of these different facets of our art art of art identity are contextual and Kim's view. And what he's trying to say in the seventh law, at least the way I interpret it is for us to have complete, complete control over these contexts and the ability in an easy and uniform way to present these contexts in the case that in the scenarios that you want to present them, it's something that really truly does in my mind, go back to the mid nineties.

When we first started doing this and Kim came to this realization, it's a hugely important lawn. It's something we see every day. I think every single person in the world sees it today on the internet. So with that, I'll wrap this up.

I, I hope you enjoyed some of the pictures and thank the panel both here in person and online, it was great to see everybody. And I was told to mention that we're starting tomorrow morning at eight 30. So with that, thank you all. And rest in peace, Kim here's to Kim.