Thoughts on the Internet Identity Workshop 2005 Day 1

Overall, I am really enjoying this workshop. It serves as a great high speed primer for a variety of identity issues and technologies.

Some highlights from the presentations so far:

Doc Searls – Identity in the marketplace: The Rise of Fully Empowered Customer
It’s always good to hear Doc give a talk. His belief that the web is a marketplace, a place for business and culture definitely has a Diamond Age feel to it. His example of customer freedom from vendor CRM shackles is an interesting one. Though his example of renting car is certainly valid and demonstrates the reverse nature of our world today, I’d love to get the vendors’ perspective on this. There are a few people from Yahoo in the audience and I am sure that they have some strong opinions about the freeing of identity.

Brad FitzpatrickOpenID

Brad put on the best show of the day, by far. It was a very Dada affair full of self-criticism. It was a simple talk about how OpenID works and why it does what it does. A simple tool for a specific problem… frickin’ brilliant. OpenID is a way to prove you own a URL using an identity provider you trust. Fairly simple. I sat there wondering why, when we see a simple solution, we say, “That’s all it does?” Why is it that we seem to always want some grandiose solution to a massive problem. What happened to elegant, simple solutions to problem? For that matter, what happened to problems that can be expressed in a few words and not an onslaught of slides?

Paul TrevithickSocial Physics and The Higgins Trust Framework

Paul and co’s work has lead them to the conclusion there is no identity independent of context. Context is the real king here. Not individual demographic attributes. Not roles. Not protocols. It the the context of interaction between users, trusted parties, vendors, etc that is the real domain of identity.

I applaud the group’s work around creating the Framework. It is an abstraction layer that helps tie the vast array of user information to contexts appropriately. Paul’s honesty on the subject of implementation are hard was definitely a welcome admission.

After hearing his presentation, I was a little annoyed that I hadn’t heard of this before. You’d think if you have read my Shadows of Identity piece that I would have already been an versed in Higgins. Nothing could be further from the truth. Strange how things happen sometimes.

Other thoughts:
Although these presentations today do not represent the entirety of the identity world, they are a sketch of the problems and solutions out there. It seems to me that there is so much attention to possible solutions, technologies, protocols, and the like that we are losing sight of the problems we have set out to solve. To me, there are two general classes of problems. First, there are the problems of an individual. How do I manage my identities out there? How do I describe what data about me I will allow to be disclosed? Who can get that data? The second class of problems are relationship-based where the relations involve more than two parties. How do I share my perferences and needs with an entire market? One question I keep coming back to is, if we figure out a way to solve both classes of problems, who is going to pay for it?

Technorati Tags:

Identity as an unpatched device

So I am sitting here at the Internet Identity Workshop and so far, I’ve been impressed with the quality of the presenter. (I’ll have more on that later.)

I was chatting with Dale Olds from Novell and came across the following thoughts. With the rise of the empowered user, as Doc Searls speaks of, we may be facing a major downside. These concepts of user-centric identity are great… if the user actively manages their identity. What happens when this empowered user isn’t actively managing his or her identity? It seems to me that an inactive empowered user’s identity is equivalent to an unpatched Windows machine. Without actively managing my identity, it becomes a great target for not nice people to do not nice things.

If we elevate identity to the same status as a domain or device, then we elevate the responsibility of the identity owners. I, as an identity owner, have to maintain that identity: update privacy choices, update demographics, geographic information, etc. I would say that maybe, just maybe, 5% of the overall web population actively maintain their identities. My grandparents, for example, are not part of that 5%. So of the nearly 1 billion web users out there, there are literally hundreds of millions of identities which will not be actively maintained. An unmaintained identity is a prime target for not nice people just as an unpatched machine is a prime target.

Will unmaintained identities become weedy vacant lots in the city of the web in which nefarious types can use to their own ends? I think so.

Which means:

  • the default settings for empowered users matter. But who creates these defaults? Communities? Governments? Insurance companies?
  • the tooling for maintaining my identity must be usable by my grandparents. We must not expose the underlying data model to the end user. We have to present identity and identity-related preferences in a way that the most basic users can understand.
  • there needs to be a way to remain un-empowered. There will be a majority of users who do not want to have to actively manage their identity. These people will not manage their identities and those identities, left unmanaged, will be perfect targets for phraud and other identity crimes.
  • we as an industry have a lot more work to do.

Technorati Tag:

If you meet your identity on the Internet, kill it

Thinking of that Buddhist koan, “If you meet the Buddha on the road, kill him,” I realized it is relevant for identities as well.

If you met your identity, would you recognize it?
When I register at a site I usually use the same username. It helps keep the catalog of things I have to remember to a manageable number. I always get concerned when my choice in username is taken. My first thought is, have I been here before? Did I already register? If so, “who” did I register as? I start scouring through offline emails trying to figure out if I saved the registration notice. 9 times out of 10, I haven’t. The next option is hoping that the Keychain or Password Manager grab the credentials for me. If the site’s login didn’t get prepopulated there’s little chance either repository of has what I need. This leads me to the annoying process of having to register with a different username which I am definitely bound to forget.

The first problem is that recognize my identity based on a login on a site. This is clearly a weak way to link me to the services I want to access on that site.

If you don’t meet your identity, how would you know it?
The following just happened to me. I went to a site to order some software. I know that I’ve used this site before. I know that I have ordered things from them before. But for the life of me cannot remember “who” I registered as. In this case, the site uses email address as identity. The problem is I have multiple email address, some of which changed over time due to takeover, domain changes, etc. I can search my old emails, Keychain, Password Manager, etc, but I am still left with little to go on to figure out who I registered as. In this case, I can try and use a “Forgot your username / password” service, if the site has it. But what if I am mistaken and, in fact, I have never used the site before?

The second problem is that my catalog of registered identities is limited, if it exists at all. Worse yet, that catalog is spread across multiple machines both personal and work issued.

How do you kill your identity?
I know I have registered at dozens of sites over the years. Some, I’m sure, don’t even exist any more. But those that do have some little piece of my identity information on them. At the very least, they contribute to some of the spam that heads my way every day. I just don’t like the idea that I am not in control of the places my identity lives. Now, I grant you, if I was that concerned I would have kept better records about where I registered and “who” I registered as. The problem is five, eight, ten years ago we simply didn’t have the problems we have now. (Amazingly though, the oldest account I can think of that I have, my CDNow account, did morph into my Amazon account. Let’s hear it for good customer identity management on Amazon’s part.)

Quick quiz, how many sites that you frequent let you delete your identity? I think I may have seen one or two in all the sites I have been too. The third problem is there is not a common facility for tracking and deleting an old identity.

And that leaves me where exactly?
I don’t have a reliable and complete catalog of my identities. I don’t have a way to discover my registered identity from a given site. And even if I did have a catalog and could find identities I forgot about, I couldn’t prune old identities I no longer wanted out there.

To some extent this problem has been solved within the enterprise. Identity Management vendors can maintain the catalog of my identities and can prune of identities as necessary. Those solutions, however, will either not work on the Internet-scale or will not be accepted by end users. We tried to building something like this at Access360 with out offering, but that flopped horribly and completely. My gut tells me the solution is more along the lines of Identity 2.0. I can’t wait for the Internet Identity Workshop next week to hear people’s thought on problems like these.

Technorati Tag:

Being proactive without acting

After reading about the latest round of attacks against DoD and other government computers, I started thinking about the defensive, reactive nature of security world. Vendors are consistently on their heels trying to catch up with hackers and crackers. Consumers are consistently running behind vendors trying to deploy security patches, let alone adopt security-based best practices in their own applications. Yes, there are more proactive solutions, especially at the network level, but its safe to say that the computing world has yet to achieve a complete proactive stance when it comes to security.

Being proactive is hard. As a vendor, there is so much you can do to stay head of the curve, making sure that your code is a well behaved as possible. As a consumer, you are beholden to both the vendor-world as well as the particulars of your organization in terms of rolling out patches and new technology.

We, as an industry, have to make sure that there are security functions at every layer of our customer solutions. But more than that, those functions have to be able to act in concert. They have to be able to be monitored and audited in a more holistic manner. I feel that an Identity Metasystem is part and parcel to this. We owe it our customers to create a computing world which is security proactive on its own, freeing the customer to focus on their day to day business.