About the Institute

The Hybrid Vigor Institute is dedicated to rigorous critical thinking and the establishment of better methods for understanding and solving society’s most difficult problems. Our particular emphasis is on cross-sector and collaborative approaches; we seek out experts and stakeholders from a range of fields for their perspectives or to work together toward common goals.



hybridvigor.net houses the work of critical thinkers, researchers and practitioners who conduct cross-sector and cross-disciplinary explorations and collaborations.

archive for March, 2010


by ~ March 30, 2010

In reviewing my last several posts, I was beginning to wonder whether I’m cynical by nature or simply running low on happy pills. But then I found something really positive to write about: Microsoft announced at RSA that it would open source its U-Prove technology. This is really good news.

I hope the development community takes notice and begins contemplating the power of these tools for improving trust relationships online. I discussed some of its potential as part of my post on “The Law of Relational Projection” (scroll to the bottom of the post to find the specific reference).

So here’s a shout out to Kim Cameron, Stefan Brands, and the others who made this happen: Congrats!!


by ~ March 29, 2010

The word “trust” appears 32 times in the press release announcing the official launch of the Open Identity Exchange (OIX). Normally, I’d be enthusiastic about such dense coverage of a critical topic, but in this case I question the group’s understanding of the term.

A Governance Template, Not a Trust Framework

OIX is a kind of standards body where techies from various industries come together to prescribe satisfactory methods for identification, so that these IDs can be used across websites. From the OIX site, the process is as follows:

… policymakers representing a trust community (e.g., government, industry association, professional society) start by developing a trust framework specification. This document defines the identity proofing, security, and privacy policies that must be followed by identity service providers to reach a specified level of assurance (LOA). In some cases it will also specify the data protection policies that must be followed by both identity service providers and relying parties to reach a specified level of protection (LOP).

Lastly, the trust framework defines the qualifications necessary to be an assessor for the trust framework—a person or a company who has the professional experience necessary to assess whether an identity service provider or relying party is in compliance with the policies specified for a certain LOA or LOP.

Next the policymakers contract with a trust framework provider (TFP) to operate a certification program for the trust framework. A TFP who operates by the OITF model performs the following functions:

  1. Publishes the trust framework so it is publicly accessible.
  2. Accepts listings from assessors who meet the qualifications specified in the trust framework.
  3. Accept listings from identity service providers (and in some cases relying parties) who are successfully certified by a qualified assessor.
  4. Publish updates to the trust framework as it is revised, and periodically renew certifications of participants as required by the trust framework.

Lastly, the OITF model includes roles for auditors and dispute resolution service providers to assist in ongoing assessment of trust framework participants and resolution of any disputes that may arise.

(Side note, OIX: also don’t abuse the word “lastly.”)

Apparently OIX just hosts the party and provides the napkins (for sketching), but little else. Defining the standards is up to the policy makers and certifying compliance is up to a Trust Framework Provider (TFP)—whatever that is.

Identification isn’t Trust

I suppose that, if successful, OIX will improve the way digital IDs are used. That’s not altogether a bad thing, but it’s also not trust.

By analogy, imagine that, in order to improve the effectiveness of TSA screeners, the government sets a policy requiring travelers to present both a driver license and passport at the airport. Does it follow that everyone inside the secure area of the airport will trust each other? If the TSA screener clears someone, does that mean the screener trusts the traveler? Or that the screener trusts the ID? Do the IDs foster any kind of trust at all?

If there’s one thing I’d like to get through to techies who work these protocols, it’s this: identification isn’t trust. Please find another word to describe what you’re doing.


by ~ March 19, 2010

Interesting tidbit in the NYT yesterday about how developers can use public information to get the remaining 5 numbers of your SSN:

The Carnegie Mellon researchers used publicly available information from many sources, including profiles on social networks, to narrow their search for two pieces of data crucial to identifying people — birthdates and city or state of birth.

That helped them figure out the first three digits of each Social Security number, which the government had assigned by location. The remaining six digits had been assigned through methods the government didn’t disclose, although they were related to when the person applied for the number. The researchers used projections about those applications as well as other public data, like the Social Security numbers of dead people, and then ran repeated cycles of statistical correlation and inference to partly re-engineer the government’s number-assignment system.

This is why the b-day listed on my Facebook account is NOT my actual birthday, just my Facebook Birthday. I encourage everyone else to do the same.

In fact, if some of you hackers out there want to put your skills to good use, I’ll open source this idea for a killer privacy app: Develop a “misinformation virus” that goes around the internet making false and conflicting claims about individuals (and their doppelgangers). Make it so only people who know a person can distinguish between fact and fiction. I’d gladly download a “Plausible Deniability” iPhone app that swarms users together to generate bogus tweets, text messages, photo tags, etc. in the interest of privacy. Anyone want to take me up on this? Reply with the first four of my social so I know you’re for real.


by ~ March 16, 2010

Imagine a friend invites you to a dinner party. This year, the invitation goes, the party will be catered so you’ll need to pay $40 per guest. Maybe you’re not too excited about the catering idea, but you figure you want to support your friend, so you decide to attend and bring your spouse. At the party, the general consensus is that it’s fun to see everyone, but the catered food wasn’t nearly as good as the traditional potluck approach. Later, word’s passed around that your friend decided to do some cost-cutting on the catering, which explained the below-average food. Then news breaks that because of these cost-cutting measures, your friend actually turned a nice profit on the party and was able to buy her kid a new Nintendo DSi (apparently the kid got mad while playing with the old one and threw it against a wall).

Would you feel happy for your friend? Or would you feel used? After all, your friend took the initiative; she took the risk (after all, what if someone got sick and decided to sue her?); she organized the event; she provided the venue. In short, your friend was the entrepreneur; she “owned” the party. And if that’s not to your liking, what’s stopping you from throwing a party of your own?

But you may still experience a sense of betrayal that comes from feeling obliged to attend an event for friendship’s sake—an event that ostensibly was just a party but turned out to be a fundraiser for your friend’s spoiled kid. In addition, your attendance at the party mandated the attendance of your spouse, prompted you to buy a new dress, and encouraged your mutual friends to attend as well. So you also unwittingly marketed this fundraiser for an over-privileged kid. And of course, since the food was sub-par, you feel taken by your own friend.

Stone Soup 2.0

This modern retelling of the Stone Soup fable is a commentary on capitalistic society, one in which the Pot & Stone owners walk away with most of the soup. Or more literally, American capitalism is a system that distributes the greatest rewards to owners of infrastructure. In this economic arrangement, business owners have much greater control over the value created by the business than do the contributors. This reward structure is said to encourage private enterprise and competition, which eventually will produce the greatest good for the largest number of people.

But the Law of Relational Symmetry tells us that the party in control of the relationship will exploit the other participants. In today’s businesses, owners control the most important aspects of the relationship, such as the ability to set compensation, benefits, and terms of employment. Contributors usually have to sign away their rights to any intellectual property they create to their employer. And often, contributors sign non-compete agreements that restrict their movements after refusing to work under unfavorable terms. With no ability to hold property (intellectual property in this case) and an acute need for income and healthcare, workers in today’s society need jobs the way Victorian women needed husbands.

So while capitalism is undoubtedly the best system practiced on a massive scale for producing wealth, it is nonetheless a system of exploitation and produces less than optimal results for all parties.
