published at 3:01am on 01/09/12
Any company can own your own identity online, but no one company should own the entire online identity infrastructure.
Right now on the web, there are a number of different companies that claim to own some part of your identity online (or who might lay claim to your entire online identity). LinkedIn would like to own your professional identity, for example. More specifically, LinkedIn would like to own the professional identity ecosystem. They would like to say that if you want to know something about someone professionally, you will need to know about them on LinkedIn. Socially (whatever that means), the gorilla that would claim to own identity is Facebook. Purchasing habits? I suppose that Amazon would own that one. And for a particular company to own what I give it and try to make use of it is fine. What I take issue with is the idea that one company would like to be the de facto identity provider for everyone, with no option for the market to introduce competition into the picture.
In fact, I take offense at the idea that a company would want to have something as valuable as my identity, and would not be willing to compete on quality to earn it. I have no problem with the idea that a large number of my friends may trust Facebook with controlling their personal information on the web. What I have a problem with is that even though I personally do not trust Facebook with that information, I need to hand it over to them in order to function in this new wonderfully connected world known as “the web.”
We don’t have this problem with communications on the Internet. Take email for example. If I want to start a new email service, I can do so and as long as my email service speaks the same protocol as every other email service out there, I can participate, I can offer my service, and I can participate in the communications ecosystem. All of my friends use Gmail, but I choose not to. I can still email them, and I can participate in this wonderful Internet that I have available to me without having to switch over to the same damn thing everyone else is using. And more importantly, the existence of my email server does not necessitate everyone else going out of business in order to be useful.
So why is it that when it comes to identity, we all get a little bit stupid and start thinking that any one company is going to ultimately “own” the overall concept of identity on the web? Sure, there can be a company that owns your identity. Or my identity. But they shouldn’t have to be the same company.
This is not a brand new concept. OpenID tried to do this with authentication but it never really got the traction that I really wish it did. But it was a good start. For the 99% of you who don’t actually use and love OpenID, it’s the idea that your username and password are stored independently from the service that you’re actually trying to log in to. If I want to log in to a photo sharing service that supports OpenID, that service would ask my personal login server whether I am really who I say I am, and assuming I am authenticated with my own login server, the photo sharing service would log me in. But the key concept here is that I get to choose my own OpenID provider. If I don’t like the service I’m getting with a particular provider, I can change it easily (especially if I set it up properly). The same goes for email, as noted before, especially if my email address is tied to a domain that I own, and not one that my ISP or email provider owns.
Similarly, then, we should move towards using an identity protocol that can identify us as individuals without tying us to a particular service. If I trust Twitter with my identity, and Twitter speaks this identity protocol, then it should be perfectly happy giving any supporting service information about me. Similarly, if I believe that Facebook is going to be the best provider for my identity, then I should have a Facebook account, and as long as Facebook also speaks this same protocol, the host service shouldn’t need to do anything differently to support either identity. Most importantly, however, if I decide that none of these services is serving me well, I should feel confident that I can switch as long as I can find an identity service that speaks this general identity protocol.
Companies today try to provide identity on top of existing data that they already own (your social network, your professional profile, etc). Over time, these services will be made irrelevant as new, better services come online and replace them in the market. If we build on top of an open identity infrastructure, we future-proof the entire system. While service lock-in can provide security for a business temporarily, eventually your customers will get bored, and they will leave for the next shiny new service. In our current system of tying identity to existing services, once a new business gains significant market share, eventually all new services that require identity will start to use this new identity provider. But if everyone is speaking a common identity protocol from the get-go, older identity providers will never lose their utility in that regard. After all, I can still use my old email server now, even though everyone has moved on to Gmail, or Shortmail, or whatever new email service is coming next.
I think this move is inevitable; it’s just a matter of whether the existing identity providers are going to realize that they have to play nicely together and develop this open infrastructure, or if they’re all going to have to go out of business first and let the next crop of identity providers figure this out.