Independent Advocate for the Rights and Dignity of our Digital Selves
I was invited to give a talk at Privacy Identity and Innovation about the Digital Death and the conference that has happened a few times Digital Death Day.
I chose to lay out a matrix of questions that have arisen from the work. Enjoy the talk.
Digital Death a Matrix of Questions and Considerations from Privacy Identity Innovation on Vimeo.
So the Guardian is reporting about Sean Parkers remarks at the Techonomy conference.
Thinking ahead.
None of us could possibly have understood what it would mean to have a billion or two billion people potentially using these platforms regularly,” said Parker. “That wasn’t something that factored into anyone’s analysis in the starting of these companies. You just want to be a successful company. You want to understand the mechanisms that work, you want to play into them, you want to reinforce them, you want to be a successful company.”
While it is refreshing to hear some self reflection after the fact about the consequences of building a social platform driven by profit with an incentive to get people to engage with it – personal and social costs be-dammed.
I think people did for-see and could understand some of the negative effects he is discussing – the problem is they just were not in the mix of young men founding these companies at the time. The fact is the narrow demographic of who was empowered with funds to create these systems (By men likc Sean Parker and Peter Theil) and who thcy subsequently chose to hire and listen to early on (Read the Boy Kings to get the inside scoop on that) speaks volumes about what was built.
As a side note I developed an outline for building a distributed social network for spiritual activist leaders and their followers in 2003-4. I even raised $35,000 and had two protoypes build in Drupal. I like to think if I got funding beyond that and had the chance to develop the vision we were thinking about the social consequences.
Communities considering the future of social tools and online communities did think thoughtfully about the future and how things could play out and what was needed to support things evolving well from a user-centric perspective. A great starting point published in 2003 is the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.
My friend Allen who was at Brookings got a job with NTIA to figure out what issues to focus on and how to get multi-stakeholder collaboration on cyber security issues. Because he asked me to respond I took the time to give him my thoughts and input drawing on my experience with the attempts by NSTIC to do this same thing. Here is the PDF document. IPTF-Kaliya-2
I will in time work to publish it in blog sized sections online so it is more internally linkable (starting with an index from this post). Until then enjoy.
Short answer No – I’m headed to the protest today at Facebook.
A post about the experience will be up here by tomorrow. I’ll be tweeting from my account there which is of course @identitywoman
______
Post from Sept 2014
Mid-July, friend called me up out of the blue and said “we won!”
“We won what” I asked.
“Google just officially changed its policy on Real Names”
He said I had to write a post about it. I agreed but also felt disheartened.
We won but we didn’t it took 3 years before they changed.
They also created a climate online where it was OK and legitimate for service providers to insist on real names.
For those of you not tracking the story – I along with many thousands of people had our Google+ accounts suspended – this posts is an annotated version of all of those.
This was the Google Announcement:
[Read more…] about We "won" the NymWars? did we?
I first met Dan Whaley last spring via an introduction from Jim Fournier co-founder of Planetwork. I was inspired by the vision he was working on building Hypothes.is – a way to have sentence level annotation of news and other articles on a web wide scale. Really a foundation for peer review on the web. The motivation for his work is to support greater discernment of the truth around climate change and other key issues facing our society and our planet. (Another area I could see this being really useful right now is around accountability in the financial system and ways to make that real.)
He asked me to be a part of the project as an advisor particularly around identity issues and technology options for identity. He is taking my advice and coming to IIW this coming week. Its an honor to be amongst other distinguished advisors like Brewster Kahle, John Perry Barlow, Mark Surman and others..
He has been working on a development plan and has a solid on one in place. He has launched a Kickstarter Campaign and stars in the video that articulates the vision of the project. If you are inspired by the vision I encourage you to contribute.
Following my post yesterday Google+ says your name is “Toby” not “Kunta Kinte”, I chronicled tweets from this morning’s back and forth with Tim O’Reilly and Kevin Marks, Nishant Kaushik, Phil Hunt, Steve Bogart and Suw Charman-Anderson.
I wrote the original post after watching the Bradley Horwitz (@elatable) – Tim O’Reilly (@timoreilly) interview re: Google+. I found Tim’s choice of words about the tone (strident) and judgement (self-righteous) towards those standing up for their freedom to choose their own names on the new social network being rolled out by Google internet’s predominant search engine disappointing. His response to my post was to call me self-righteous and reiterate that this was just a market issue.
I myself have been the victim of a Google+ suspension since July 31st and yesterday I applied for a mononym profile (which is what it was before they insisted I fill out my last name which I chose to do so with my online handle and real life identity “Identity Woman”)
In the thread this morning Tim said that the kind of pressure being aimed at Google is way worse then anything they are doing and that in fact Google was the subject of a “lynch mob” by these same people. Sigh, I guess Tim hasn’t read much history but I have included some quotes form and links to wikipedia for additional historial context.
Update: inspired in part by this post an amazing post “about tone” as a silencing/ignoring tactics when difficult, uncomfortable challenges are raised in situations of privilege was written by Shiela Marie.
I think there is a need for greater understanding all around and that perhaps blogging and tweeting isn’t really the best way to address it. I know that in the identity community when we first formed once we started meeting one another in person and really having deep dialogues in analogue form that deeper understanding emerged. IIW the place we have been gathering for 6 years and talking about the identity issues of the internet and other digital systems is coming up in mid-October and all are welcome. The agenda is created live the day of the event and all topics are welcome.
Here’s the thread… (oldest tweets first)
Note all the images of tweets in this thread are linked to the actual tweet (unless they erased the tweet). [Read more…] about Is Google+ is being lynched by out-spoken users upset by real names policy?
This post is about what is going on at a deeper level when Google+ says your name is “Toby” NOT “Kunta Kinte”. The punchline video is at the bottom feel free to scroll there and watch if you don’t want to read to much.
This whole line of thought to explain to those who don’t get what is going on with Google+ names policy arose yesterday after I watched the Bradley Horwitz – Tim O’Reilly interview (they start talking about the real names issue at about minute 24).
[Read more…] about Google+ says your name is "Toby" NOT "Kunta Kinte"
Seeing that Google+ is approving mononyms for some (Original Sai, on the construction of names Additional Post) but not for others (Original Stilgherrian Post Update post ).
I decided to go in and change my profile basically back to what it was before all this started. I put a ( . ) dot in the last name field. In my original version of my google proflile my last name was a * and when they said that was not acceptable I put my last name as my online handle “Identity Woman”.
[Read more…] about Lets try going with the Mononym for Google+
When Google+ launched, I went with my handle as my last name. This makes a ton of sense to me. If you asked most people what my last name is, they wouldn’t know. It isn’t “common” for me. Many people don’t even seem to know my first name. I can’t tell you how many times I have found myself talking with folks at conferences this past year and seeing ZERO lighbulbs going off when I say my name “Kaliya”, but when I say I have the handle or blog “Identity Woman” they are like “Oh wow! You’re Identity Woman… cool!” with a tone of recognition – because they know my work by that name.
One theory I have about why this works is because it is not obvious how you pronounce my name when you read it. And conversely, it isn’t obvious how you write my name when you hear it. So the handle that is a bit longer but everyone can say spell “Identity Woman” really serves me well professionally. It isn’t like some “easy to say and spell” google guy name like Chris Messina or Joseph Smarr or Eric Sachs or Andrew Nash. I don’t have the privilege of a name like that so I have this way around it.
So today…I get this
I have “violated” community standards when using a name I choose to express my identity – an identity that is known by almost all who meet me. I, until last October, had a business card for 5 years that just had Identity Woman across the top.
Display Name – To help fight spam and prevent fake profiles, use the name your friends, family, or co-workers usually call you. For example, if your full legal name is Charles Jones Jr. but you normally use Chuck Jones or Junior Jones, either of these would be acceptable. Learn more about your name and Google Profiles.
[Read more…] about Google+ and my "real" name: Yes, I'm Identity Woman
There are many definitions of trust, and all people have their own internal perspective on what THEY trust.
As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.
I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.
However, the way the word “trust” is used within the NSTIC document, it often includes far to broad a swath of meaning.
When spoken of in every day conversation trust is most often social trust.
[Read more…] about The Trouble with Trust, & the case for Accountability Frameworks for NSTIC
The NSTIC governance NOI articulates many key activities, qualities and goals for a governance system for NSTIC. NSTIC must:
Achieving these goals will require high-performance collaboration amongst the steering group and all self-identified stakeholder groups. It will also require earning the legitimacy from the public at large and using methods that surface their experience of the Identity Ecosystem Framework as it evolves.
[Read more…] about Alignment of Stakeholders around the many NSTIC Goals
This is the “punchline section” (in my response it is after what is below…the history of collaboration in the identity community):
In 2004-5 the Identity Gang (user-centric identity community) was 1/10 the size of the current NSTIC stakeholder community. It took us a year of active grassroots effort to develop enough common language and shared understanding to collaborate. NSTIC doesn’t have 5-10 years to coalesce a community that can collaborate to build the Identity Ecosystem Framework. To succeed, the National Program Office must use processes to bring value and insight while also developing shared language and understanding amongst stakeholders participating.
[Read more…] about Proactive Development of Shared Language by NSTIC Stakeholders
Context for my response to the NSTIC Governance NOI
Table of Contents to Blog Posts of My Response
My Complete Response in PDF form Kaliya-NSTIC-NOI
Introductory Letter of the Response.
Context for my NSTIC NOI response
I surprised myself when writing my response to the NSTIC (National Strategy for Trusted Identities in Cyberspace) Governance NOI (Notice of Inquiry). I wasn’t sure exactly what I was going to say because the questions seemed like they were way ahead of where they should be interms of where things were. I decided to begin by sharing important Context, Frames and Terms that were important before getting to the Questions of Governance and what should be done now.
I began with the word Ecosystem – what it meant and that a system was at the heart of this strategy not something simple or easily actionable.
I touched on the history of the Identity Community and how much conversation and intensive dialogue happened amongst that early community to get to a place where collaboration was natural and “easy”. A huge amount of effort went into developing shared language and understanding then and this is needed once again. The range of self identified stakeholders for NSTIC is quite large (the range of not self identified stakeholders it could be said is everyone on the planet or at least all those with a digital connection (via phone or interent).
I put forward two different methods/tools/processes that could be used to form shared language and understanding across this stakeholder community Polarity Management and Value Network Mapping.
I suggest that the governance structure proposed a “steering group” actually have a mandate to regularly listen to and act on the recommendations of the system that are generated via 3 different well established dialogic processes (Creative Insight Council, World Cafe and Open Space Technology [What we use at IIW]. I then answer the NOI questions referencing the ideas above.
I am going to be posting the whole of my Response in a series of posts and linking them all from there.
I began with one earlier last week which is focused on “trust” both as an emergent property of the overall system AND as the current name of technology and policy/legal frameworks for identity creation.
Links to NSTIC Response Posts:
[Read more…] about NSTIC Response by Identity Woman
I was the first person Van asked to speak at the Community Leadership Summit West Ignite talks. I was the last person to submit my slides. I have a lot to say about community but I had a hard time figuring out exactly what to say. I knew I wanted to talk about the identity community and our success in working together. Robert Scoble’s quote really got me going and I decided to use the talk to respond to the comment that was catalyzed by his facebook post/tweet “Who is going to win the Identity War of 2010”
This is completely the wrong frame to foster community collaboration.
I was one of the first people to congratulate Chris Messina on his blog when he announced he was going to Google. It was a personal congratulations. I wasn’t sure if it was good overall for the open web vision or the community as a whole. In the end after thinking about it for a few days I feel it is a good move for them, for Google and for the community. The rest of this post explains why.
With Chris going to Google it gives them three seats on the OpenID board (Joseph and Chris are both community board members and Google has a corporate paying board member seat filled by Eric Sachs). It concentrates a lot of power at Google and I agree with Eran’s concerns from Marshall’s RWW/NYTimes article …why be “open” if you can just have an internal product meeting with Brad Fitzpatrick and a few other Googlers and “ship” a product without reaching out to others. I agree with the concern and I think there will be enough eyes on these individuals in particular and Google in particular to challenge them if they do that.
Thursday morning I sat at “geek breakfast” in Berkeley with a friend discussing Chris and Joseph’s move to Google. We mused about how many people we knew who “get social” have been at Google and because “Google didn’t get social” they were unhappy so they left, Kevin Marks being just the latest example leaving in the fall for British Telecom/Ribbit where he works for JP Rangaswami, the CIO who really gets open.
Given this, if “just” Joseph Smarr was going to Google he would be more “alone” trying to “do social right” at Google. Yes, he would have allies but no one quite as high profile as himself. With Chris Messina there too, there are now two major committed community leaders who can work the politics involved in helping Google to “get” social and actually do it right. If anyone has a hope inside that big company it is those two and I don’t think either could be as effective alone.
If Chris and Joseph fail, that is if they get frustrated and leave (which they can at any time they want cause they are very “employable” because of their profiles by a whole range of companies in the valley) then is a sign that Google doesn’t really “get” social and isn’t moving in the right direction in terms of supporting the emergence of an open standards based, individually empowering & social web.
With Zuckerberg’s statement’s about privacy and the recent actions by Facebook to make user-information public, Google has a huge opportunity to live up to its slogan of “not doing evil”. Over the fall Google made some promising statements on the meaning of open and took action spinning up the Data Liberation Front.
I know many people who currently are and have been at Google. All of them talk about how secure things are internally – it is not possible to go into their systems and “look up a user” and poke around at what they have in their e-mail, or what they have searched on or what is in their google docs. Algorithms look at people’s stuff there, not people. Google takes their brand and reputation for protecting people’s private information seriously. I am not particularly starry eyed about Google thinking they can do no evil – they are just a company driven by the need to make a profit. I worry that they might be becoming too dominant in some aspects of the web and that there are legitimate concerns about the monopoly power they have in certain market area.
I don’t see this as a Google vs. Facebook fight either. Chris, Brad, Eric, Joseph are all at Google & David Recordon and Luke at Facebook; they are all good friends socially and are just six people in the overall identity community made up of about 1000 people at 100’s of companies. Yahoo!, AOL, Microsoft (enterprise & MSN side), are all involved along with PayPal, Amazon, BT, Orange, Mozilla, Sun, Equifax, Apple, Axiom, Oracle, & many many more. They all come together twice a year at the Internet Identity Workshops and other events to collaborate on innovating open standards for identity on the social web.
I invite those who want to participate in the dialogue to consider attending the 10th Internet Identity Worskshop May 18-20.
I take the health of the identity community, its over all tone and balance quite seriously. I helped foster it from the beginning really starring in March of 2004 including 9 months from June of that year until January 2005 it was my first major job – evangelizing user-centric identity and growing the community to tackle solving this enormous problem (an identity and social layer of the web for people). I along with others like Doc Searls, Phil Windley, Drummond Reed, Bill Washburn, Mary Ruddy, Mary Rundle, Paul Trevithick, Dick Hardt, Eugene Kim & many others formed the identity community. Having put my heart, soul, sweat and tears into this community and working towards good results for people & the web, I don’t say what I say in this post lightly.
ReadWriteWeb has coverage of Zuckerberg’s talk with Arrington at the Crunchies. According to him, the age of Privacy is Over. This is the quote that is just STUNNING:
..we decided that these would be the social norms now and we just went for it.
When I first heard it in the interview in the video I did a major double take – “we decided” ?? seriously? The we in that sentence is Facebook and clearly with Zuckerburg is at the helm – He could have said “I decided” and he as the CEO of a social network has the power to “decide” the fate of the privately shared amongst friends in the context of this particular social network for millions of people (see my post about the privacy move violating the contract with users). It makes you wonder if this one platform has too much power and in this example makes the case for a distributed social network where people have their own autonomy to share their information on their own terms and not trust that the company running a platform will not expose their information.
It is clear that Zuckerberg and his team don’t get social norms and how they work – people create social norms with their usage and practices in social space (both online and off).
It is “possible” to change what is available publicly and there for making it normal by flipping a switch and making things that were private public for millions of people, but it is unethical and undermines the trust people have in the network.
I will agree there is an emerging norm that young men working building tools in Silicon Valley have a social norm of “being public about everything”, but they are not everyone. I am looking forward to seeing social tools developed by women and actual community organizers rather then just techno geeks.
I will have more to say on this later this week – I was quite busy Saturday – I ran the Community Leadership Summit, yesterday I flew to DC and today I am running the Open Government Directive Workshop. While I am here I hope to meet with folks about Identity in DC over the next 2 days.
I went to the suidicemachine and got this message
We apologize to all our users for the breakdown of our service! Within the last hours the huge demand for 2.0 suicides completely overblew our bandwidth resources!
We are currently considering relocating to another serverfarm. Please consider suicide at a later moment and accept our apologies!
You can still try to catch a free slot, but chances are quiet low at the moment!
More from their site….
Faster, Safer, Smarter, Better Tired of your Social Network?
Liberate your newbie friends with a Web2.0 suicide! This machine lets you delete all your energy sucking social-networking profiles, kill your fake virtual friends, and completely do away with your Web2.0 alterego. The machine is just a metaphor for the website which moddr_ is hosting; the belly of the beast where the web2.0 suicide scripts are maintained. Our services currently runs with facebook.com, myspace.com and LinkedIn.com! Commit NOW!
You can even see video’s about what happens as one uses the machine.
ok the FAQ’s get eve better…..
I always get the message “Sorry, Machine is currently busy with killing someone else?”. What does this mean?
Our server can only handle a certain amount of suicide scripts running at the same time. Please consider your suicide attempt at a later moment! We are very sorry for the inconvenience and working on expanding our resources.If I kill my online friends, does it mean they’re also dead in real life?
No!What do I need to commit suicide with the Web 2.0 Suicide Machine?
A standard webbrowser with Adobe flashplugin and javascript enabled. So, it runs on Windows, Linux and Mac with most of browsers available.I can’t see my friends being killed, what happened?
Probably your flash-plugin is older than version 10? But yikes – you cannot stop the process anymore! Once you entered the login details, the machine is running the suicide script.If I start killing my 2.0-self, can I stop the process?
No!If I start killing my 2.0-self, can YOU stop the process?
No!What shall I do after I’ve killed myself with the web2.0 suicide machine?
Try calling some friends, talk a walk in a park or buy a bottle of wine and start enjoying your real life again. Some Social Suiciders reported that their life has improved by an approximate average of 25%. Don’t worry, if you feel empty right after you committed suicide. This is a normal reaction which will slowly fade away within the first 24-72 hours.Do you store any data on your webserver, like password of the user?
We don’t store your password on our server! Seriously, it goes directly into /dev/null, which is equal to nirvana! We only save your profile picture, your name and your last words! Will the 2.0 suicide machine be available for other networks such as twitter and plaxo? We are currently working on improving our products!. Currently we are working on Flickr and Hyves, but of course we are eagerly thinking of ways to get rid of our “Google Lifes”.How does it work technically?
The machine consists of a tweaked Linux server running apache2 with python module. Selenium RC Control is used to automatically launch and kill browser sessions. This all driven by a single python/cgi script with some additional self-written libraries. ?Each user can watch her suicide action in real-time via a VNC remote desktop session, displayed on our website via an flash applet rendered live into the client’s webbrowser. We are also running some customized bash scripts plus MySQL in the background for logging and debugging, jquery for the website and a modified version of the great FlashlightVNC application built in Flex. Web2.0 Suicide Machine consists of roughly 1800 lines of self-written code.Why do we think the web2.0 suicide machine is not unethical?
Everyone should have the right to disconnect. Seamless connectivity and rich social experience offered by web2.0 companies are the very antithesis of human freedom. Users are entraped in a high resolution panoptic prison without walls, accessible from anywhere in the world. We do have an healthy amount of paranoia to think that everyone should have the right to quit her 2.0-ified life by the help of automatized machines. Facebook and Co. are going to hold all your informations and pictures on their servers forever! We still hope that by removing your contact details and friend connections your data is being cached out from their servers. This can happen after days, weeks, months or even years. Just deactivating the account is thus not enough! [emphasis mine]How much does it cost to kill myself?
Usage of Web 2.0 Suicide machine is for free.Can I build my own suicide machine?
Theoretically yes! You’ll need a Linux WebServer (apache2) with perl and python modules (php should be installed as well). Further, you’ll need VNC-server and Java packages by Sun to launch selenium-remote applets. If you feel like contributing or setting up your own machine, please get in contact with us via email.
Read Write Web published a guest post by me about how the changes at facebook last week leave us Socially Nude.
Facebook’s Privacy Move Violates Contract With Users
Your name, profile picture, gender, current city, networks, Friends List, and all the pages you subscribe to are now publicly available information on Facebook. This means everyone on the web can see it; it is searchable.
This represents just the latest instance of Facebook violating the contract it holds with its users. This is no small matter, either. Lots of people will have very real and valid objections to this arbitrary change to what’s public and what’s private on Facebook.
….an articulation of the nature of the social contract sites with social features have with users….
I wonder how many more times they will get strip us down, leaving our familiar social clothes and underware on the floor, and leaving us socially nude.
I think it is unethical and I agree with the concern that Jason Calacanis raises about how this will affect other Internet companies. “Facebook’s reckless behavior is… simultaneously making users distrust the Internet and bringing the attention of regulators.” This change will affect all of us working on building the new techno-social architecture of our society via the web.
This is cross posted on Fast Company.
The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and video casts. Today there are over 500 government Web sites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government Web sites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.
Yesterday the United States Government in collaboration with industry announced a few pilot projects using emerging open identity technologies for citizens to use when interacting with government sites. I use the word interacting very deliberately because the government doesn’t want to know “who you are” and has gone great lengths to develop their implementations to prevent citizens from revealing personally identifiable information (name, date of birth etc).
How would you use this?–well imagine you are doing an in depth search on an NIH (National Institute of Health) Web site–and you went back to the site many times over several months. Wouldn’t it be great if the site could “know” it was you and help you resume your search where you left off the last time. Not your name and where you live but just that you were there before.
The Identity Spectrum helps us to understand how it all fits together.
Anonymous Identity is on one end of the identity spectrum–basically you use an account or identifier every time go to a Web site–no persistence, no way to connect the search you did last week with the one you did this week.
Pseudonymous Identity is where over time you use the same account or identifier over and over again at a site. It usually means you don’t reveal your common/real name or other information that would make you personally identifiable. You could use the same identifier at multiple sites thus creating a correlation between actions on one site and another.
Self-Asserted Identity is what is typical on the Web today. You are asked to share your name, date of birth, city of residence, mailing address etc. You fill in forms again and again. You can give “fake” information or true information about yourself–it is up to you.
Verified Identity is when there are claims about you that you have had verified by a third party. So for example if you are an employee of a company your employer could issue a claim that you were indeed an employee. You might have your bank verify for your address. etc.
The government pilot is focused on supporting citizens being able to have pseudonymous identities that function only at one Web site–the same citizen interacting with several different government Web sites needs to use a different identifier at each one so their activities across different government agencies do not have a correlation.
It is likely that some readers of this blog know about and understand typical OpenID. Almost all readers of this blog do have an openID whether they know it or not because almost all the major Web platforms/portals provide them to account holders–MySpace, Google, Yahoo!, AOL etc.
So how does this work with OpenID?
Typically when logging in with OpenID on the consumer Web you share your URL with the site you are logging into–they redirect you to where that is hosted on the Web–you authenticate (tell them your password for that account) and they re-direct you back to the site you were logging in. (see this slide show for a detailed flow of how this works). Using OpenID this way explicitly links your activities across multiple sites. For example when you use it to comment on a blog– it is known your words come from you and are connected to your own blog.
Using the OpenID with Directed identity–de-links your the identifiers used across different sites but still lets you use the same account to login to multiple sites.
When you go to login to a site you are asked to share not “your URL” but just the name of the site where your account is–Yahoo! or Google or MySpace etc. you are re-directed to that site and from within your account a “directed identity” is created–that is a unique ID just for that Web site. Thus you get the convenience of not having to manage multiple accounts with multiple passwords and you get to store preferences that might be shared across multiple ID’s but you don’t have identifiers that correlate–that are linked across the Web.
How does this work with Information Cards?
This is a complementary open standard to OpenID that has some sophisticated features that allow it to support verified identities along with pseudonymous & self asserted identities. It involves a client-side piece of software called a selector–which selector helps you manage your different identifiers using a card based metaphor, with each digital “card” representing a different one. Citizens can create their own cards OR get them from third parties that validate things about them.
The government is creating a privacy protecting “card profile” to be used in the pilot program. It is NOT issuing identities.
Trust Framework are needed to get it all to work together.
From the press release yesterday:
“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon–it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”
The OpenID Foundation and Information Card Foundation wrote a joint white paper to describe how they are working on developing this. From the abstract:
[They] are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.
These frameworks, based on the model developed by the InCommon federation for higher education institutions, will enable government Web sites to accept identity credentials from academic, non-profit, and commercial identity providers that meet government standards. These standards are critical as they represent the government’s resolution of the challenging and often competing issues of identity, security, and privacy assurance. Open trust frameworks not only pave the way for greater citizen involvement in government, but can enable even stronger security and privacy protections than those typically available offline.
These are all exciting developments but there is much more to do.
Looking (far) ahead there may be the opportunity to do selective disclosure–combining anonymity with verified identity.
How do these go together–you can take a verified identity claim say your birth date then using cryptography strip the specifics away and just have a claim that says you are “over 21”. Then using an anonymous identifier you have selectively disclosed your age without giving away your date of birth.
You could imagine this would be handy for citizens wanting to communicate their opinions to their member of congress without revealing their actual name and address – they could “prove” using a verified claim they live in the district but not reveal who they are. This aspect of what is possible with the technology is VERY forward looking and will take many years to get there. There is enormous potential to evolve the Web with this emerging identity layer.
I would like to invite all of you interested in being involved/learning more to attend the Internet Identity Workshop in Mountain View California November 3-5. I have been facilitating this event since its inception in 2005. It is truly amazing to see how far things have progressed from when we were 75 idealistic technologist talking about big ideas. at the Hillside Club in Berkeley. It is also some what daunting to think about how much farther we have to go.
Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.
This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:
The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.
Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.
The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.
So how will these technologies work?
Those already familiar with OpenID know that typically when users login with it they give their own URL – www.openIDprovider.com/username. (see this slideshare of mine if you want to see OpenID 101) There is a little known part of the OpenID protocol called directed identity – that is a user gives the name of their identity provider – Yahoo!, Google, MSN etc – but not their specific identifier. The are re-directed to their IdP and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is it is like having a different user-name across all these sites but since the user is using the same IdP with different identifiers (unlinked publicly) but connected to the same account they just have to remember one password.
Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – I am enthusiastic bout their potential. It requires a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.
In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.
Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.” In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.
“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”
Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.
The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP). A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.
Both the OpenID and Information Card Foundation have been working very hard on this for many months – last night I was fortunate to their boards at a history first ever joint dinner.
There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.
Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologies talking about big ideas for use-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.
Johanne Ernst is a builder of Identity technologies (and one of the clearest thoughtful thinkers about identity technologies and markets. He just posted a great post about business models in the identity space. I know he has at various times tried raise money as an entrepruner in this space – so he has thought a lot about the business models.
For those of you who don’t know Johannes he developed Light-Weight Identity (LID) a URL based ID system at the same time Brad Fitzpatrick did at Live Journal and then participated in merging it all together into YADIS discovery which became woven together with OpenIDv1, XRI/i-names and sxip to become OpenIDv2. He also was the first drawer of the identity triangle (OpenID, SAML, InfoCards) which evolved into the Venn of Identity.
Many people have ideas for value-added services that could be sold once sufficiently many users used internet identities at enough sites. The trouble is that the transaction volume for OpenID (or any other identity technology on the internet) is still far too low to make this viable.
The mot important sentence is this one – Let’s not confuse being majorly annoyed how long this is all taking (speaking about myself here) with something being fundamentally wrong (because there isn’t).
I take heart with what he has to say especially because he addresses it to a big part of what I do – organize (un)conferences to continue momentum for the field.
Value-added services:
Many people have ideas for value-added services that could be sold once sufficiently many users used internet identities at enough sites. The trouble is that the transaction volume for OpenID (or any other identity technology on the internet) is still far too low to make this viable.So the verdict here is: perhaps in the future.
So what’s an analyst, or conference organizer, or entrepreneur, or venture capitalist to do?
My take: Hang in there, keep the burn rate low, make no major moves, would be my advice. (Believe it or not, sometimes I’m being asked about my advice on this.) All the signs are pointing in the right direction, the latest being Google’s major OpenID push. Let’s not confuse being majorly annoyed how long this is all taking (speaking about myself here) with something being fundamentally wrong (because there isn’t).
Sooner or later, at least the value-added services opportunity will emerge. Perhaps others. But so far it has not yet.