Digital Identity Web/Tech

Pondering Digital Identity

Identity is a very noisy space, but, sadly, one in which little actually gets done beyond all the blather. And, oh, is there blather.

For the last couple of years there’s been a fall conference on digital identity stuff. Phil Windley and others are holding an Internet Identity Workshop in Berkeley later this month. Kim Cameron has his Laws of Identity – but he’s overlooked the law of lack of progress! Sxip’s Dick Hardt has a beautiful presentation on Identity 2.0 that’s sweeping the web. Sixapart developed TypeKey to simply deal with comment spam. InfoCards are coming in Window Vista, whenever that might be ready for primetime.

In an earlier post today, I closed by asking whether the emergence of a viable digital identity system for the web might be Web 2.0’s parallel to what SSL enabled for Web 1.0.

Recently, when Google opened up Gmail for general enrollment, they required you to provide a mobile phone number as part of your personal registration information. They send you a text message with a code in it that you need to bring back to their site to complete registration. They say they’re using the phone number as a mechanism to limit the number of Gmail accounts (10 max) that any one person can sign up for, but in the future they could be doing other things too.

I bring this up because Gmail is a great example of a web application that could have (*would love to have*) relied on an existing, trusted digital identity infrastructure for new user enrollment – if such a digital identity infrastructure actually existed.

And that’s the basic problem: getting something that’s trustable, reliable, and user controllable into the user’s hands — the electronic equivalent of my photo ID driver’s license or my passport. There are so many relying party wannabees…yes, maybe even Google. That side of the digital identity “chicken and egg” certainly isn’t the problem.

So, what is it that Google really wants to know about me before they give me a Gmail account? How is what Google wants (actually, needs) to know about me different from what my bank or brokerage or mortgage company needs to know?

They all want to rely on someone else (who they trust) to step forward on my behalf and declare that, yes indeed, this interaction is being driven by the person they know as Scott. But why would anyone want to provide such a service to others on my behalf? Said, perhaps more bluntly, what’s in it for them?

With a driver’s license, my state’s DMV doesn’t take any risk if some arbitrary third party (the local liquor store) decides to sell me a bottle of vodka based upon the credential the DMV issued to me literally years ago. There’s nothing in my booze purchase transaction for the DMV — no upside but, perhaps more importantly in terms of liability concerns, also no downside.

An analogy (always dangerous!) comes to mind. If I apply to open a credit card account, who does the card issuer rely on to make the decision whether to issue me a new credit card? As part of the application process, I supply the issuer with lots of personal information about me. But, of course, they can’t know whether it’s right or not. So, what do they do? They ask somebody else – specifically, a credit bureau – what they know about me. Am I a good guy? Do I have a history of paying my bills? Based upon what the credit bureau tells them about me, they just might issue me a new credit card.

If, subsequently, I turn out to be a dead beat and stiff them for the credit they’ve granted me, do they have any recourse to the credit bureau who sorta vouched for me during the application process? Let’s be very clear: NO! Similarly, if I was an identity thief and just impersonating another identity, does the credit bureau bear any risk of loss? Nope.

Why do we need credit bureaus? Because they provide a broad view of consumer behavior that’s very useful in making decisions to grant credit. And, let’s face the music, because for some things (like extending more credit) you just can’t trust what the individual says about themselves!

Back to digital identity…who’s my identity bureau on the Internet? Who’s willing to vouch for me to arbitrary third parties?

[More to come…]

This site uses Akismet to reduce spam. Learn how your comment data is processed.