The Need For an Open Online Identity Infrastructure,

published at 3:01am on 01/09/12

20101005D_4643e

Any company can own your own identity online, but no one company should own the entire online identity infrastructure.

Right now on the web, there are a number of different companies that claim to own some part of your identity online (or who might lay claim to your entire online identity). LinkedIn would like to own your professional identity, for example. More specifically, LinkedIn would like to own the professional identity ecosystem. They would like to say that if you want to know something about someone professionally, you will need to know about them on LinkedIn. Socially (whatever that means), the gorilla that would claim to own identity is Facebook. Purchasing habits? I suppose that Amazon would own that one. And for a particular company to own what I give it and try to make use of it is fine. What I take issue with is the idea that one company would like to be the de facto identity provider for everyone, with no option for the market to introduce competition into the picture.

In fact, I take offense at the idea that a company would want to have something as valuable as my identity, and would not be willing to compete on quality to earn it. I have no problem with the idea that a large number of my friends may trust Facebook with controlling their personal information on the web. What I have a problem with is that even though I personally do not trust Facebook with that information, I need to hand it over to them in order to function in this new wonderfully connected world known as “the web.”

We don’t have this problem with communications on the Internet. Take email for example. If I want to start a new email service, I can do so and as long as my email service speaks the same protocol as every other email service out there, I can participate, I can offer my service, and I can participate in the communications ecosystem. All of my friends use Gmail, but I choose not to. I can still email them, and I can participate in this wonderful Internet that I have available to me without having to switch over to the same damn thing everyone else is using. And more importantly, the existence of my email server does not necessitate everyone else going out of business in order to be useful.

So why is it that when it comes to identity, we all get a little bit stupid and start thinking that any one company is going to ultimately “own” the overall concept of identity on the web. Sure, there can be a company that owns your identity. Or my identity. But they shouldn’t have to be the same company.

This is not a brand new concept. OpenID tried to do this with authentication but it never really got the traction that I really wish it did. But it was a good start. For the 99% of you who don’t actually use and love OpenID, it’s the idea that your username and password are stored independently from the service that you’re actually trying to log in to. If I want to log into a photo sharing service that supports OpenID, that service would ask my personal login server whether I am really who I said I am, and assuming I am authenticated with my own login server, the photo sharing service would log me in. But the key concept here is that I get to choose my own OpenID provider. If I don’t like the service I’m getting with a particular provider, I can change it easily (especially if I set it up properly). The same goes for email, as noted before, especially if my email address is tied to a domain that I own, and not one that my ISP or email provider owns.

20080712D_4081e

Similarly, then, we should move towards using an identity protocol that can identify us as individuals without tying us to a particular service. If I trust Twitter with my identity, and Twitter speaks this identity protocol, then it should be perfectly happy giving any supporting service information about me. Similarly, if I believe that Facebook is going to be the best provider for my identity, then I should have a Facebook account, and as long as Facebook also speaks this same protocol, the host service shouldn’t need to do anything differently to support either identity. Most importantly however, if I decide that none of these services is serving me well, I should feel confident that I can switch as long as I can find an identity service that speaks this general identity protocol.

Companies today try to provide identity on top of existing data that they already own (your social network, your professional profile, etc). Over time, these services will be made irrelevant as new, better services come online and replace them in the market. If we build on top of an open identity infrastructure, we future-proof the entire system. While service lock-in can provide security for a business temporarily, eventually your customers will get bored, and they will leave for the next shiny new service. In our current system of tying identity to existing services, once a new business gains significant market share, eventually all new services that require identity will start to use this new identity provider. But if everyone is speaking a common identity protocol from the get-go, older identity providers will never lose their utility in that regard. After all, I can still use my old email server now, even though everyone has moved on to Gmail, or Shortmail, or whatever new email service is coming next.

I think this move is inevitable, it’s just a matter of whether the existing identity providers are going to realize that they have to play nicely together and develop this open infrastructure, or if they’re all going to have to go out of business first and let the next crop of identity providers figure this out.

Filed under: Technology

At 1:08 pm on 01.09.12, William Ward said,

And when those services cast us into the virtual cornfield, as Google has done during the ‘nymwars’ where entire accounts were shut down. I’d love to see a common protocol, and behind that, I’d like to see choice in identity providers such that I have regulatory protection against being shut out of my services because of “policy violations.”

One possible model for such is the accreditation services like Verisign, where we pay them for a signed certificate that guarantees identity for web servers (and once upon a time, for individuals holding similar certificates.) In this model, you can choose whether you pay Verisign or Geotrust or another provider to vouch for your identity digitally. Not a large stretch for them to provide authentication services via OpenID or similar, I think. You pay them and you have some legal recourse for being shut-out.

Another model is a bank or DMV-style, which is less desirable because of their lack of convenience. At one point, the US Government discussed digital identity. Perhaps that’s not the best place for it – but while the DMV can revoke your driving privileges for various reasons, your identity is not revocable, and you can obtain a simple identification card backed by the DMV.

Both methods sit outside the low-overhead nature of pulling your twitter account along as an identity provider, but they add two features that are valuable – boot-strapping authenticity when you are creating a new authentication data source since you can provide real documentation to a real authority, and they provide a less volatile on-line identity, because they are in the business of providing accreditation rather than social networking – you would presumably have substantial recourse to having your identity held hostage.

One’s social network connections can inform authentication “consumers” of the trustworthiness of an on-line data source, and that makes the Twitter/Facebook/LinkedIn data valuable for some level of authenticity, but I fear that they are not motivated to provide a durable authentication service that you and I can rely on for decades of investment in our on-line assets, reputation, and access to services.

Agreed on the wine-fueled musings.

At 3:11 pm on 01.09.12, Joe Devon said,

I think Firefox’s browserid service is a step in the right direction.

At 6:47 pm on 01.09.12, Connect Me said,

Good idea but seems a long shot especially given Facebook/Apple and others won’t even syndicate their XMPP servers which would allow chat/voice/video with parties not on their network. So they have taken an open protocol and walled it.

At 1:19 am on 01.17.12, Michael E. Gruen said,

So long as the economies favor eyeballs, you’re going to see walled gardens and incompatible protocols on the web. Targeted advertising rules, and if you can do it better than anyone else, why surrender your competitive advantage?

It’s one of the reasons I had (and, to a lesser extent, have) high hopes for *diaspora. With a bit of biomass, hopefully Google+ et al. will be forced to play along.

Leave a Reply: