When Google+ launched, I went with my handle as my last name. This makes a ton of sense to me. If you asked most people what my last name is, they wouldn’t know. It isn’t “common” for me. Many people don’t even seem to know my first name. I can’t tell you how many times I have found myself talking with folks at conferences this past year and seeing ZERO lightbulbs going off when I say my name “Kaliya”, but when I say I have the handle or blog “Identity Woman” they are like “Oh wow! You’re Identity Woman… cool!” with a tone of recognition – because they know my work by that name.
One theory I have about why this works is because it is not obvious how you pronounce my name when you read it. And conversely, it isn’t obvious how you write my name when you hear it. So the handle that is a bit longer but everyone can say and spell, “Identity Woman”, really serves me well professionally. It isn’t like some “easy to say and spell” google guy name like Chris Messina or Joseph Smarr or Eric Sachs or Andrew Nash. I don’t have the privilege of a name like that so I have this way around it.
So today…I get this
I have “violated” community standards when using a name I choose to express my identity – an identity that is known by almost all who meet me. I, until last October, had a business card for 5 years that just had Identity Woman across the top.
Display Name – To help fight spam and prevent fake profiles, use the name your friends, family, or co-workers usually call you. For example, if your full legal name is Charles Jones Jr. but you normally use Chuck Jones or Junior Jones, either of these would be acceptable. Learn more about your name and Google Profiles.
There are many definitions of trust, and all people have their own internal perspective on what THEY trust.
As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.
I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.
However, the way the word “trust” is used within the NSTIC document, it often includes far too broad a swath of meaning.
When spoken of in everyday conversation, trust is most often social trust.
The Many Goals for the Identity Ecosystem & NSTIC Governance
The NSTIC governance NOI articulates many key activities, qualities and goals for a governance system for NSTIC. NSTIC must:
- convene a wide variety of stakeholders to facilitate consensus
- administer the process for policy and standards development for the Identity Ecosystem Framework in accordance with the Strategy’s Guiding Principles
- maintain the rules of participating in the Identity Ecosystem
- be private sector-led
- be persistent and sustainable
- foster the evolution of the Identity Ecosystem to match the evolution of cyberspace itself.
Achieving these goals will require high-performance collaboration amongst the steering group and all self-identified stakeholder groups. It will also require earning the legitimacy from the public at large and using methods that surface their experience of the Identity Ecosystem Framework as it evolves.
This is the “punchline section” (in my response it is after what is below…the history of collaboration in the identity community):
Proactive Development of Shared Language by NSTIC Stakeholders
In 2004-5 the Identity Gang (user-centric identity community) was 1/10 the size of the current NSTIC stakeholder community. It took us a year of active grassroots effort to develop enough common language and shared understanding to collaborate. NSTIC doesn’t have 5-10 years to coalesce a community that can collaborate to build the Identity Ecosystem Framework. To succeed, the National Program Office must use processes to bring value and insight while also developing shared language and understanding amongst stakeholders participating.
My Complete Response in PDF form Kaliya-NSTIC-NOI
Introductory Letter of the Response.
Context for my NSTIC NOI response
I surprised myself when writing my response to the NSTIC (National Strategy for Trusted Identities in Cyberspace) Governance NOI (Notice of Inquiry). I wasn’t sure exactly what I was going to say because the questions seemed like they were way ahead of where they should be in terms of where things were. I decided to begin by sharing important Context, Frames and Terms that were important before getting to the Questions of Governance and what should be done now.
I began with the word Ecosystem – what it meant and that a system was at the heart of this strategy not something simple or easily actionable.
I touched on the history of the Identity Community and how much conversation and intensive dialogue happened amongst that early community to get to a place where collaboration was natural and “easy”. A huge amount of effort went into developing shared language and understanding then and this is needed once again. The range of self identified stakeholders for NSTIC is quite large (the range of not self identified stakeholders, it could be said, is everyone on the planet or at least all those with a digital connection via phone or internet).
I put forward two different methods/tools/processes that could be used to form shared language and understanding across this stakeholder community: Polarity Management and Value Network Mapping.
I suggest that the proposed governance structure, a “steering group”, actually have a mandate to regularly listen to and act on the recommendations of the system that are generated via 3 different well established dialogic processes (Creative Insight Council, World Cafe and Open Space Technology [what we use at IIW]). I then answer the NOI questions referencing the ideas above.
I am going to be posting the whole of my Response in a series of posts and linking them all from there.
I began with one earlier last week which is focused on “trust” both as an emergent property of the overall system AND as the current name of technology and policy/legal frameworks for identity creation.
Update: The Personal Data Ecosystem Startup Circle is full of amazing companies.
Today at the Round Table on Do Not Track people were asking me what all the startups in the space are. For expedience a lot of the descriptions are drawn from the companies own websites. We will work on keeping this updated and write better descriptions in the coming week.
This is cross posted on my Fast Company Expert Blog with the same title.
I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce, I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.
I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference Internet Identity Workshop held every 6 months since the fall of 2005 has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.
Looking at use cases that government agencies need to solve is the best way to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.
This week I am heading to Telco 2.0 because the conversations with telcos about how they participate in the Personal Data Ecosystem are moving forward in interesting ways. IIW #10 had several long sessions about the topic. IIW-East was full with each of the 8 time slots having a session about different aspects and IIW-Europe October 11th coincided with the announcement of the first community prototype personal data stores by MyDex.
Learning from one of the mistakes of the past – market confusion inhibiting understanding and adoption of user centric identity technologies. The Personal Data Ecosystem is going to be a “front door” for those seeking to understand the ecosystem overall with a simple message and clear picture of what is happening. It will also connect people to the community working on the aspect of the ecosystem relevant to them. Our focus is on developing the core communities needed for success and fostering communication amongst them. These communities include end users, large personal data service providers, companies providing data to personal data services, developers and startups leveraging this new ecosystem, regulators and advocacy groups along with the legal community and their efforts to create the legal frameworks needed to really protect people.
We already have a number of projects working on key aspects around the ecosystem and we will support their success linking them together – Project VRM, ID-Legal, Project Nori, Higgins-Project, Project Danube, XDI.org and IIW (they are linked at the bottom of the Personal Data Ecosystem site). This is a big tent: ANY OTHER projects that are related are welcome. We don’t need another dot org to link efforts together so PDE is going to be chartered as part of IC3 (Identity Commons).
Right now the Personal Data Ecosystem site is aggregating content from blogs of those covering and building in the space. This week we will be doing our first Podcast covering this emerging industry – Aldo Casteneda who you may remember from The Story of Digital Identity will be hosting it with me.
Next week we will be able to collect links submitted via delicious for the blog. I am working with the fabulous Sarah Dopp on website strategy and online community development and Van Riper is working with me on community management.
IIW coming up in a week is going to be a core community gathering for emerging developments.
The Tenth Internet Identity Workshop in May, 2010 was the largest ever. We have had inquiries from community members on the East Coast of the US and in Europe who have been lobbying us to bring the event to their locations. We are happy to confirm that we are going to host IIWs in Washington, DC and London.
WE NEED YOUR HELP! Please take some action if you like IIW and are reading this. IIW has been about the community that attends and participates year round in the activities of groups that use the event to get real work done and move the industry and vision of user-centric identity that works for people forward.
So with these events upcoming Phil, Doc and I need your help in spreading the word to your colleagues on the East Coast and in Europe who would enjoy the event.
To help you do this we have several tools and options.
Blog badges for specific events. (These are two of them; there are more on the wiki.)
For IIW-East September 9-10 in Washington DC
- A Venue! the Josephine Butler Parks Center (a 10min walk from the Columbia Heights Metro)
- an Invitation up online
- Registration is up here and Early Bird ends August 6th.
- an invitation designed to be sent via e-mail
- RSVP on Social Networks – LinkedIN, Upcoming, Facebook
For IIW-Europe, October 11 in London we have
- A still being developed invitation up on the IIW site
- Registration is live Early bird ticket sales end August 31
- RSVP on Social Networks: LinkedIN, Upcoming, Facebook
- Twitter List (it will be a bit small until we have more registrations)
For IIW #11 in Mountain View, November 9-11
- We have a simple invitation up online
- Registration is live Super Early bird ticket sales end August 31
If you value IIW and the conversations that happen there please take some initiative and reach out to colleagues to spread the word about these events. Because of the community focus of the events we rely strongly on community word of mouth to let people know about them.
It would be great to have community ideas put forward for the main IIW invitation articulating the current foci of conversations.
I gave this talk at the 10th Internet Identity workshop reviewing the shared history, language, understanding and work we have done together over the last 6 years of community life.
Part of this presentation touched on a timeline of events in the community. Those and more are reflected on this timeline that is beginning to be developed here.
- IIW11 will be November 9-11 in Mountain View, CA.
- The first ever IIW outside the Bay Area will be happening September 9-10 in Washington DC following the Gov 2.0 Summit with the theme Open Identity for Open Government.
- The first IIW in Europe will be happening in London likely October 9-10 (dates still to be confirmed) prior to RSA Europe.
- If you would like to know about when the next IIWs have registration open please join this announce list.
- The Identity Gang is the community mailing list where conversations are ongoing about identity.
- You can follow modest updates about IIW on twitter via our handle – @idworkshop
- You can see IIW 10 attendees on our registration page.
I was one of the first people to congratulate Chris Messina on his blog when he announced he was going to Google. It was a personal congratulations. I wasn’t sure if it was good overall for the open web vision or the community as a whole. In the end after thinking about it for a few days I feel it is a good move for them, for Google and for the community. The rest of this post explains why.
With Chris going to Google it gives them three seats on the OpenID board (Joseph and Chris are both community board members and Google has a corporate paying board member seat filled by Eric Sachs). It concentrates a lot of power at Google and I agree with Eran’s concerns from Marshall’s RWW/NYTimes article …why be “open” if you can just have an internal product meeting with Brad Fitzpatrick and a few other Googlers and “ship” a product without reaching out to others. I agree with the concern and I think there will be enough eyes on these individuals in particular and Google in particular to challenge them if they do that.
Thursday morning I sat at “geek breakfast” in Berkeley with a friend discussing Chris and Joseph’s move to Google. We mused about how many people we knew who “get social” have been at Google and because “Google didn’t get social” they were unhappy so they left, Kevin Marks being just the latest example leaving in the fall for British Telecom/Ribbit where he works for JP Rangaswami, the CIO who really gets open.
Given this, if “just” Joseph Smarr was going to Google he would be more “alone” trying to “do social right” at Google. Yes, he would have allies but no one quite as high profile as himself. With Chris Messina there too, there are now two major committed community leaders who can work the politics involved in helping Google to “get” social and actually do it right. If anyone has a hope inside that big company it is those two and I don’t think either could be as effective alone.
If Chris and Joseph fail, that is if they get frustrated and leave (which they can at any time they want cause they are very “employable” because of their profiles by a whole range of companies in the valley) then it is a sign that Google doesn’t really “get” social and isn’t moving in the right direction in terms of supporting the emergence of an open standards based, individually empowering & social web.
With Zuckerberg’s statements about privacy and the recent actions by Facebook to make user-information public, Google has a huge opportunity to live up to its slogan of “not doing evil”. Over the fall Google made some promising statements on the meaning of open and took action spinning up the Data Liberation Front.
I know many people who currently are and have been at Google. All of them talk about how secure things are internally – it is not possible to go into their systems and “look up a user” and poke around at what they have in their e-mail, or what they have searched on or what is in their google docs. Algorithms look at people’s stuff there, not people. Google takes their brand and reputation for protecting people’s private information seriously. I am not particularly starry eyed about Google thinking they can do no evil – they are just a company driven by the need to make a profit. I worry that they might be becoming too dominant in some aspects of the web and that there are legitimate concerns about the monopoly power they have in certain market areas.
I don’t see this as a Google vs. Facebook fight either. Chris, Brad, Eric, Joseph are all at Google & David Recordon and Luke at Facebook; they are all good friends socially and are just six people in the overall identity community made up of about 1000 people at 100’s of companies. Yahoo!, AOL, Microsoft (enterprise & MSN side), are all involved along with PayPal, Amazon, BT, Orange, Mozilla, Sun, Equifax, Apple, Axiom, Oracle, & many many more. They all come together twice a year at the Internet Identity Workshops and other events to collaborate on innovating open standards for identity on the social web.
I invite those who want to participate in the dialogue to consider attending the 10th Internet Identity Workshop May 18-20.
I take the health of the identity community, its overall tone and balance quite seriously. I helped foster it from the beginning really starting in March of 2004 including 9 months from June of that year until January 2005 it was my first major job – evangelizing user-centric identity and growing the community to tackle solving this enormous problem (an identity and social layer of the web for people). I along with others like Doc Searls, Phil Windley, Drummond Reed, Bill Washburn, Mary Ruddy, Mary Rundle, Paul Trevithick, Dick Hardt, Eugene Kim & many others formed the identity community. Having put my heart, soul, sweat and tears into this community and working towards good results for people & the web, I don’t say what I say in this post lightly.
ReadWriteWeb has coverage of Zuckerberg’s talk with Arrington at the Crunchies. According to him, the age of Privacy is Over. This is the quote that is just STUNNING:
..we decided that these would be the social norms now and we just went for it.
When I first heard it in the interview in the video I did a major double take – “we decided” ?? seriously? The we in that sentence is Facebook and clearly with Zuckerberg at the helm – he could have said “I decided” and he as the CEO of a social network has the power to “decide” the fate of the privately shared amongst friends in the context of this particular social network for millions of people (see my post about the privacy move violating the contract with users). It makes you wonder if this one platform has too much power and in this example makes the case for a distributed social network where people have their own autonomy to share their information on their own terms and not trust that the company running a platform will not expose their information.
It is clear that Zuckerberg and his team don’t get social norms and how they work – people create social norms with their usage and practices in social space (both online and off).
It is “possible” to change what is available publicly, and therefore make it normal, by flipping a switch and making things that were private public for millions of people, but it is unethical and undermines the trust people have in the network.
I will agree there is an emerging norm that young men working building tools in Silicon Valley have a social norm of “being public about everything”, but they are not everyone. I am looking forward to seeing social tools developed by women and actual community organizers rather than just techno geeks.
I will have more to say on this later this week – I was quite busy Saturday – I ran the Community Leadership Summit, yesterday I flew to DC and today I am running the Open Government Directive Workshop. While I am here I hope to meet with folks about Identity in DC over the next 2 days.
I went to the suicidemachine and got this message
We apologize to all our users for the breakdown of our service! Within the last hours the huge demand for 2.0 suicides completely overblew our bandwidth resources!
We are currently considering relocating to another serverfarm. Please consider suicide at a later moment and accept our apologies!
You can still try to catch a free slot, but chances are quite low at the moment!
More from their site….
Faster, Safer, Smarter, Better Tired of your Social Network?
Liberate your newbie friends with a Web2.0 suicide! This machine lets you delete all your energy sucking social-networking profiles, kill your fake virtual friends, and completely do away with your Web2.0 alterego. The machine is just a metaphor for the website which moddr_ is hosting; the belly of the beast where the web2.0 suicide scripts are maintained. Our services currently runs with facebook.com, myspace.com and LinkedIn.com! Commit NOW!
You can even see videos about what happens as one uses the machine.
OK, the FAQs get even better…..
I always get the message “Sorry, Machine is currently busy with killing someone else?”. What does this mean?
Our server can only handle a certain amount of suicide scripts running at the same time. Please consider your suicide attempt at a later moment! We are very sorry for the inconvenience and working on expanding our resources.
If I kill my online friends, does it mean they’re also dead in real life?
What do I need to commit suicide with the Web 2.0 Suicide Machine?
I can’t see my friends being killed, what happened?
Probably your flash-plugin is older than version 10? But yikes – you cannot stop the process anymore! Once you entered the login details, the machine is running the suicide script.
If I start killing my 2.0-self, can I stop the process?
If I start killing my 2.0-self, can YOU stop the process?
What shall I do after I’ve killed myself with the web2.0 suicide machine?
Try calling some friends, take a walk in a park or buy a bottle of wine and start enjoying your real life again. Some Social Suiciders reported that their life has improved by an approximate average of 25%. Don’t worry, if you feel empty right after you committed suicide. This is a normal reaction which will slowly fade away within the first 24-72 hours.
Do you store any data on your webserver, like password of the user?
We don’t store your password on our server! Seriously, it goes directly into /dev/null, which is equal to nirvana! We only save your profile picture, your name and your last words!
Will the 2.0 suicide machine be available for other networks such as twitter and plaxo?
We are currently working on improving our products! Currently we are working on Flickr and Hyves, but of course we are eagerly thinking of ways to get rid of our “Google Lifes”.
How does it work technically?
The machine consists of a tweaked Linux server running apache2 with python module. Selenium RC Control is used to automatically launch and kill browser sessions. This all driven by a single python/cgi script with some additional self-written libraries. Each user can watch her suicide action in real-time via a VNC remote desktop session, displayed on our website via an flash applet rendered live into the client’s webbrowser. We are also running some customized bash scripts plus MySQL in the background for logging and debugging, jquery for the website and a modified version of the great FlashlightVNC application built in Flex. Web2.0 Suicide Machine consists of roughly 1800 lines of self-written code.
Why do we think the web2.0 suicide machine is not unethical?
Everyone should have the right to disconnect. Seamless connectivity and rich social experience offered by web2.0 companies are the very antithesis of human freedom. Users are entraped in a high resolution panoptic prison without walls, accessible from anywhere in the world. We do have an healthy amount of paranoia to think that everyone should have the right to quit her 2.0-ified life by the help of automatized machines. Facebook and Co. are going to hold all your informations and pictures on their servers forever! We still hope that by removing your contact details and friend connections your data is being cached out from their servers. This can happen after days, weeks, months or even years. Just deactivating the account is thus not enough! [emphasis mine]
How much does it cost to kill myself?
Usage of Web 2.0 Suicide machine is for free.
Can I build my own suicide machine?
Theoretically yes! You’ll need a Linux WebServer (apache2) with perl and python modules (php should be installed as well). Further, you’ll need VNC-server and Java packages by Sun to launch selenium-remote applets. If you feel like contributing or setting up your own machine, please get in contact with us via email.
Read Write Web published a guest post by me about how the changes at facebook last week leave us Socially Nude.
Facebook’s Privacy Move Violates Contract With Users
Your name, profile picture, gender, current city, networks, Friends List, and all the pages you subscribe to are now publicly available information on Facebook. This means everyone on the web can see it; it is searchable.
This represents just the latest instance of Facebook violating the contract it holds with its users. This is no small matter, either. Lots of people will have very real and valid objections to this arbitrary change to what’s public and what’s private on Facebook.
I wonder how many more times they will get to strip us down, leaving our familiar social clothes and underwear on the floor, and leaving us socially nude.
I think it is unethical and I agree with the concern that Jason Calacanis raises about how this will affect other Internet companies. “Facebook’s reckless behavior is… simultaneously making users distrust the Internet and bringing the attention of regulators.” This change will affect all of us working on building the new techno-social architecture of our society via the web.
The Obama administration open government memorandum called for transparency, participation and collaboration, and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and video casts. Today there are over 500 government Web sites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government Web sites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.
Yesterday the United States Government in collaboration with industry announced a few pilot projects using emerging open identity technologies for citizens to use when interacting with government sites. I use the word interacting very deliberately because the government doesn’t want to know “who you are” and has gone to great lengths to develop their implementations to prevent citizens from revealing personally identifiable information (name, date of birth etc).
How would you use this?–well imagine you are doing an in depth search on an NIH (National Institute of Health) Web site–and you went back to the site many times over several months. Wouldn’t it be great if the site could “know” it was you and help you resume your search where you left off the last time. Not your name and where you live but just that you were there before.
The Identity Spectrum helps us to understand how it all fits together.
Anonymous Identity is on one end of the identity spectrum–basically you use a new account or identifier every time you go to a Web site–no persistence, no way to connect the search you did last week with the one you did this week.
Pseudonymous Identity is where over time you use the same account or identifier over and over again at a site. It usually means you don’t reveal your common/real name or other information that would make you personally identifiable. You could use the same identifier at multiple sites thus creating a correlation between actions on one site and another.
Self-Asserted Identity is what is typical on the Web today. You are asked to share your name, date of birth, city of residence, mailing address etc. You fill in forms again and again. You can give “fake” information or true information about yourself–it is up to you.
Verified Identity is when there are claims about you that you have had verified by a third party. So for example if you are an employee of a company your employer could issue a claim that you were indeed an employee. You might have your bank verify your address, etc.
The government pilot is focused on supporting citizens being able to have pseudonymous identities that function only at one Web site–the same citizen interacting with several different government Web sites needs to use a different identifier at each one so their activities across different government agencies do not have a correlation.
It is likely that some readers of this blog know about and understand typical OpenID. Almost all readers of this blog do have an openID whether they know it or not because almost all the major Web platforms/portals provide them to account holders–MySpace, Google, Yahoo!, AOL etc.
So how does this work with OpenID?
Typically when logging in with OpenID on the consumer Web you share your URL with the site you are logging into–they redirect you to where that is hosted on the Web–you authenticate (tell them your password for that account) and they re-direct you back to the site you were logging in. (see this slide show for a detailed flow of how this works). Using OpenID this way explicitly links your activities across multiple sites. For example when you use it to comment on a blog– it is known your words come from you and are connected to your own blog.
Using OpenID with Directed Identity de-links the identifiers used across different sites but still lets you use the same account to login to multiple sites.
When you go to login to a site you are asked to share not “your URL” but just the name of the site where your account is–Yahoo! or Google or MySpace etc. you are re-directed to that site and from within your account a “directed identity” is created–that is a unique ID just for that Web site. Thus you get the convenience of not having to manage multiple accounts with multiple passwords and you get to store preferences that might be shared across multiple ID’s but you don’t have identifiers that correlate–that are linked across the Web.
How does this work with Information Cards?
Information Cards are a complementary open standard to OpenID, with some sophisticated features that allow them to support verified identities along with pseudonymous & self-asserted identities. They involve a client-side piece of software called a selector, which helps you manage your different identifiers using a card-based metaphor, with each digital “card” representing a different one. Citizens can create their own cards OR get them from third parties that validate things about them.
The government is creating a privacy protecting “card profile” to be used in the pilot program. It is NOT issuing identities.
Trust frameworks are needed to get it all to work together.
From the press release yesterday:
“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon–it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”
The OpenID Foundation and Information Card Foundation wrote a joint white paper to describe how they are working on developing this. From the abstract:
[They] are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.
These frameworks, based on the model developed by the InCommon federation for higher education institutions, will enable government Web sites to accept identity credentials from academic, non-profit, and commercial identity providers that meet government standards. These standards are critical as they represent the government’s resolution of the challenging and often competing issues of identity, security, and privacy assurance. Open trust frameworks not only pave the way for greater citizen involvement in government, but can enable even stronger security and privacy protections than those typically available offline.
These are all exciting developments but there is much more to do.
Looking (far) ahead there may be the opportunity to do selective disclosure–combining anonymity with verified identity.
How do these go together? You can take a verified identity claim, say your birth date, then, using cryptography, strip the specifics away and just have a claim that says you are “over 21”. Then, using an anonymous identifier, you have selectively disclosed your age without giving away your date of birth.
You could imagine this would be handy for citizens wanting to communicate their opinions to their member of congress without revealing their actual name and address – they could “prove” using a verified claim they live in the district but not reveal who they are. This aspect of what is possible with the technology is VERY forward looking and will take many years to get there. There is enormous potential to evolve the Web with this emerging identity layer.
I would like to invite all of you interested in being involved/learning more to attend the Internet Identity Workshop in Mountain View, California, November 3-5. I have been facilitating this event since its inception in 2005. It is truly amazing to see how far things have progressed from when we were 75 idealistic technologists talking about big ideas at the Hillside Club in Berkeley. It is also somewhat daunting to think about how much farther we have to go.
Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.
This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists’ technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:
- Top-down support for open government
- The proliferation of social media
- The availability of open identity technologies
The Obama administration’s open government memorandum called for transparency, participation, and collaboration, and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.
Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.
The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.
So how will these technologies work?
Those already familiar with OpenID know that typically when users log in with it they give their own URL – www.openIDprovider.com/username (see this slideshare of mine if you want to see OpenID 101). There is a little-known part of the OpenID protocol called directed identity: a user gives the name of their identity provider (IdP) – Yahoo!, Google, MSN etc. – but not their specific identifier. They are redirected to their IdP and, in choosing to create a directed identity, they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is that it is like having a different user name across all these sites, but since the user is using the same IdP with different identifiers (unlinked publicly) that are connected to the same account, they just have to remember one password.
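As an added example (not code from this post or from any OpenID provider), the sketch below contrasts a classic OpenID login with a directed-identity login, as described in both OpenID passages on this page. The `identifier_select` value is the one OpenID 2.0 defines; the provider class, the example URLs and the HMAC derivation of the per-site identifier are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
# OpenID 2.0 value meaning "provider, you pick the identifier" (directed identity).
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def build_auth_request(op_endpoint, realm, return_to, identifier=IDENTIFIER_SELECT):
    """Relying-party side: build the redirect URL sent to the provider."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": identifier,
        "openid.identity": identifier,
        "openid.realm": realm,
        "openid.return_to": return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def return_to_matches_realm(realm, return_to):
    """Simplified realm check: same scheme and host, path under the realm path."""
    r, t = urlparse(realm), urlparse(return_to)
    return (r.scheme, r.netloc) == (t.scheme, t.netloc) and t.path.startswith(r.path)


class Provider:
    """Hypothetical identity provider; names and URL layout are assumptions."""

    def __init__(self, base_url, secret):
        self.base_url = base_url.rstrip("/")
        self.secret = secret  # server-side key, never sent to relying parties

    def public_identifier(self, account):
        return f"{self.base_url}/{account}"

    def directed_identifier(self, account, realm):
        # Keyed hash of (account, realm): stable per site, unlinkable across
        # sites for anyone who does not hold the provider's secret.
        msg = f"{account}\n{realm}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        token = base64.urlsafe_b64encode(digest[:18]).decode()
        return f"{self.base_url}/id/{token}"

    def handle(self, request_url, logged_in_account):
        """Provider side, after the user authenticated. Response signing omitted."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        realm, return_to = q["openid.realm"], q["openid.return_to"]
        if not return_to_matches_realm(realm, return_to):
            # Otherwise site B could name site A's realm and learn A's identifier.
            raise ValueError("return_to is outside the requested realm")
        if q["openid.identity"] == IDENTIFIER_SELECT:
            identifier = self.directed_identifier(logged_in_account, realm)
        else:
            identifier = q["openid.identity"]
            if identifier != self.public_identifier(logged_in_account):
                raise ValueError("identifier does not belong to this account")
        return {"openid.mode": "id_res", "openid.claimed_id": identifier,
                "openid.identity": identifier, "openid.return_to": return_to}


# Constructed sample data: one provider, two unrelated government sites.
OP = Provider("https://idp.example", secret=b"constructed-demo-secret")
SITES = {
    "https://library.agency-a.example/": "https://library.agency-a.example/openid/return",
    "https://training.agency-b.example/": "https://training.agency-b.example/openid/return",
}


def login_everywhere(account, directed):
    """Log the same account in to every site; return {realm: identifier seen}."""
    seen = {}
    for realm, return_to in SITES.items():
        ident = IDENTIFIER_SELECT if directed else OP.public_identifier(account)
        url = build_auth_request(OP.base_url + "/op", realm, return_to, ident)
        seen[realm] = OP.handle(url, account)["openid.claimed_id"]
    return seen


def linkable(seen):
    """True if sites comparing their user tables would find a shared identifier."""
    return len(set(seen.values())) < len(seen)


if __name__ == "__main__":
    for mode in (False, True):
        seen = login_everywhere("alice", directed=mode)
        print("directed" if mode else "classic ", "linkable:", linkable(seen), seen)
```

The realm check matters as much as the derivation: without it, one site could request the identifier that belongs to another site's realm and re-create the correlation directed identity is meant to prevent.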
Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – and I am enthusiastic about their potential. They require a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user, OR third parties like an employer, financial institution, or school can issue them.
In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.
Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.” In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.
“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”
Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.
The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP). A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.
Both the OpenID and Information Card Foundations have been working very hard on this for many months – last night I was fortunate to their boards at a historic first-ever joint dinner.
There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.
Personally, this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologists talking about big ideas for user-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.
I love the Internet Identity Workshop! It is where innovative ideas are hatched, answers to hard problems are vetted and standards consensus emerges. This is just the latest in amazing collaborations that have emerged.
Web Finger was covered on Tech Crunch today with this headline – Google Points At WebFinger. Your Gmail Address Could Soon Be Your ID.
Chris Messina spliced it together
XRD, the discovery protocol, is part of how Web Finger works. This spun out of XRI.
TechCrunch didn’t explicitly pick up on the fact that Eran Hammer-Lahav has been a key collaborator and is at Yahoo! (they did link to the mailing list where he is posting). He has been really driving XRD forward lately.
All exciting stuff.
A Perfect Storm Forming for Distributed Social Networking- Read Write Web
Evolution of Blogging – GigaOm
The Push Button Web – Anil Dash
The inside Out Social Network – Chris Messina
The Future Social Web – Jeremiah Owyang
I realize how incredibly ahead of the times I was along with many of the people I have been working with on open standards identity and social web standards.
I wrote this describing open standards for distributed social networking online in April of 2004 for the Planetwork Conference (from Archive.org) that I was promoting.
———————— From Archive.org April 2004 ——————
In 2003 the Planetwork LinkTank white paper The Augmented Social Network: Building Identity and Trust into the Next-Generation Internet proposed weaving new layers of identity and trust into the fabric of the Internet to facilitate social networking for social good – online citizenship for the information age.
The LinkTank white paper outlined three main objectives:
- Establishing a new kind of persistent online identity that supports the public commons and the values of civil society.
- Enhancing the ability of citizens to form relationships and self-organize around shared interests in communities of practice and engage in democratic governance.
- Creating an Internet-wide system for more efficient and effective knowledge sharing between people across institutional, geographic, and social boundaries.
Currently each site with a login or membership profile is like an island, or at worst a walled castle, as no common inter-operation is possible among large numbers of them. Creating a truly interoperable network will require an explicit social agreement that governs the operation of the trusted network, and implementation of a new software protocol consistent with that agreement.
[note this is a reference to the "first" Identity Commons - the current Identity Commons shares the values and some of the organizing principles of this first organization but evolved from it]
The Identity Commons is an open distributive membership organization, designed to develop and operate a common digital identity infrastructure standard based on the shared principle of protecting each user’s control of their own identity data. A common identity infrastructure must be embedded within a binding social agreement ensuring that the technology and its institutional users operate in accordance with core principles. In addition to developing this agreement, Identity Commons is managing the development and implementation of the new technology needed to achieve this as a fiscal project of Planetwork, a California 501(c)3 non-profit.
The Identity Commons is based on an implementation of two new OASIS standards:
XRI – a new identity addressing scheme fully compatible with URIs
XDI – specifies link contracts for shared use of data across the Internet
For more technical information see: http://xrixdi.idcommons.net
Once implemented, the Identity Commons infrastructure will:
- Give individuals, organizations, and even ad-hoc groups persistent addresses (digital identities) that can be used in many ways. Each party can decide what their own address links to, and who can follow the links.
- Provide single sign-on, enabling individuals to connect to multiple sites without having to provide a login and password to each.
- Empower user/citizens to manage their own consolidated profiles, which will be likely to stay up to date as everyone maintains only their own master copy.
- Generate network maps that enable communities to more efficiently understand their own membership, make connections, recognize patterns, filter messages, and self-organize around new topics and functions.
- Provide collaborative filtering services based on knowledge and reputation databases where contributors can also control their own level of anonymity.
- Enable group formation around common interests and affinities with reputation attributes for trusted communication, which could be the key to eliminate spam.
How is this different from what is already happening in the private sector?
The Identity Commons (IC) solves this by (1) replacing thousands of privacy policies with a single institutional membership agreement that simplifies the user experience. Every Identity Commons member site is party to a legally binding commitment that can only be changed by amending the IC membership agreement – which is governed by all IC members. And (2) by using electronic contracts to grant, record, and enforce data sharing across boundaries.
Ultimately there can only be one fully interoperable social network; just as email can travel anywhere on the Internet, your profile must also be able to do so. Microsoft would love to make this possible, and fully control it – their Passport system was designed to do just that. By hosting identity data for nearly everyone who has a computer Microsoft hopes to put themselves in the middle of every transaction they can.
In response to this, a group of large companies formed the Liberty Alliance which developed protocols that will allow institutions to “federate” data across company boundaries. Federation is an improvement over the Microsoft Passport model, however, both of these approaches treat individuals solely as consumers, and neither provide support for civil society, citizen collaboration or for individual citizens to control their own identity data.
The Identity Commons agreement and technical infrastructure is a way to correct this imbalance of power, allowing the Internet to fulfill its great potential as a “commons” in which individual citizens can interact freely and as equals everywhere on Earth.
————- end Identity Commons description from Planetwork’s 2004 site ———
Writing this document was the first work that I did as an evangelist for the proposed open standards for distributed digital identity to enable open distributed social networks.
I wrote it based on reading through all their work and listening to the vision that the founders of Identity Commons, and those who had been working together for 2+ years, hoped for in the adoption of the open standards they were working on. These protocols are now all ratified in OASIS (one of three standards bodies for the internet, the other two being IETF and W3C) – XRI, XDI along with XRD/XRD that spun out of XRI as it became incorporated in OpenIDv2 as a key part of what makes it work.
Identity that is user owned, controlled and managed – and this includes the preferences, attention data, utterances, 1/2 of transaction data – is at the heart of what one needs to make this vision of distributed social networking work. I think until recently it has been misunderstood as esoteric and just talk. Amazing progress has been made since the early days of the identity gang; that community has grown and developed many of the conceptual understandings and protocols that are taken as givens.
Folks from the identity community (which perhaps should consider “updating” its name to the identity and social web community) invented – as in, used together for the first time – the two words Social and Web: SOCIAL WEB (according to Wikipedia).
With the title of this paper: The Social Web: Creating An Open Social Network with XDI
This paper was preceded by The Augmented Social Network: Building Identity and Trust into the Next-Generation Internet
Like the Web or email, the ASN would be available to anyone. It would become a common part of the Internet infrastructure – a person-centered and group-centered service of the net. It will be implemented through the widespread adoption of technical protocols; any online community infrastructure could choose to be part of the ASN by implementing them. Central to its design are fundamental principles of openness, inclusivity, and decentralization — which are necessary for a thriving democracy. At the same time, the ASN would support the highest available forms of security to protect privacy.
There is much wisdom that these communities have developed that can be useful in moving / re-articulating the vision… to be sure lessons are to be learned from understanding more about why certain approaches/standards/proposed ways of doing things didn’t happen (yet).
I think the market wasn’t ready for what the identity community was saying. As someone who has been evangelizing about this set of issues practically full time since 2004, in the first few years I would talk in a range of communities and at conferences about all these issues: user control, open standards, the danger of the potential emergence of large silos that locked users in. People just “didn’t get” that it was an issue or that there was even a need for these kinds of standards. Now the market is finally ready.
The 9th Internet Identity Workshop is this November – and REGISTRATION IS OPEN!
There is a whole conversation on the DiSo list where I highlighted this context/history. There might be a beer meetup in Berkeley this evening at Triple Rock at 7:30.
Yesterday the Government hosted a workshop in DC: Open Government Identity Management Solutions Privacy Workshop.
The OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.
Drummond Reed and Don Tibeau announced their paper Open Trust Frameworks for Open Government.
Quiet and intense work has been going on since just before the last IIW on all this, so it is great to see it begin to see the light of day.
Axel did a Wordle of it:
Here is the Press Release. The announcement triples the number of OpenID accounts.
It should do a lot to encourage relying party adoption of OpenID.
It also means mainstream user education has just begun.
It is also interesting to see the narrative in the ‘media’ that gets the story wrong.
Clint Boulton on Google Watch has this quote “OpenID creator JanRain.” The story of community collaboration to get to OpenID2.0 to happen is quite remarkable (bringing together 4 different “competing” efforts) and I hope that some media outlet investigating what this all means actually gets it right.
He also goes on to say this
Okay (grumble, grumble) but I’m going to go back to standby that if humans can design something, humans can break it. It’s only a matter of time before folks find a way to break OpenID. If that happens, stick a fork in the emerging protocol. Until then, enjoy the digital convenience OpenID has to offer.
I thought the protocol had already been broken but the community is working very hard to address these problems.
The funny part for me is that my Yahoo! ID kinda sucks – it is ‘earthwaters’ from WAY back in college – I wanted a handle – and that was what I came up with. I don’t really want to use it as a handle around the web. I wonder if they will have other users with this challenge and how they will address it.
COMMENT FROM SHREYAS:
I am the product manager for Yahoo!’s OpenID effort. One of the nice things about our implementation is that you don’t HAVE to use your Yahoo! ID (eg: johnsmith) in your OpenID URL. Also, if you are a Flickr user, you will be able to use the URL for your Flickr photos page (eg: http://www.flickr.com/photos/johnsmith) as your OpenID URL. We are launching the service pretty soon and your feedback will be highly appreciated!
Also, if it helps other readers of your blog, I can post this comment there once the issue is fixed.
Exciting times ahead!
We will shortly begin beta testing an age and identity verification system, which will allow Residents to provide a one-time proof of identity (such as a driver’s license, passport or ID card) and have that identity verified in a matter of moments.
Second Life has always been restricted to those over 18. All Residents personally assert their age on registration. When we receive reports of underage Residents in Second Life, we close their account until they provide us with proof of age. This system works well, but as the community grows and the attractions of Second Life become more widely known, we’ve decided to add an additional layer of protection.
Once the age verification system is in place, only those Residents with verified age will be able to access adult content in Mature areas. Any Resident wishing to access adult content will have to prove they are over 18 in real life….
Landowners are morally and legally responsible for the content displayed and the behavior taking place on their land. The identity verification system gives them new tools to ensure any adult content is only available to adults over 18 because unverified avatars will not have access to land flagged as containing adult content…..
The verification system will be run by a third party specializing in age and identity authentication. No personally identifying information will be stored by them or by Linden Lab, including date of birth, unless the Resident chooses to do so. Those who wish to be verified, but remain anonymous, are free to do so.
There is an extensive FAQ in the blog post. It seems that online life is going to get more complex. I wonder what vendor they are going to use for this. I wonder how it will work internationally.
The other thing I wonder about is how necessary this is. Kids are exposed to so much already. I am currently reading Generation Me: Why Today’s Young Americans Are More Confident, Assertive, Entitled – and More Miserable Than Ever Before by Jean M. Twenge. Some of the book talks about the current attitudes about sex and the sexual practices of young people. The Monica Lewinsky scandal was all happening when they were in elementary school. They know what sex is and many, many of them are doing it – lots are having oral sex (mostly the girls giving it to the guys) in middle school, and by high school many are sleeping around with a lot of partners, ‘hooking up’ without really being in boyfriend-girlfriend relationships. Yes, they are doing it with their peers and not other adults, but it is not like it is news to them. I am not condoning this trend of hyper sexually active young people. The number and range of these surveys means it is real, not imaginary. I also don’t think they should have access to adult areas of Second Life. The issue is serious and I think a social dialogue about sex and its meaning would be a good thing to foster. It is disconcerting to learn how casually it is being taken by youth, however, as the author points out, imitating the way it is portrayed in the media. So what is the big deal with avatars in a virtual world, I wonder. I hope this question is not too much to ask and that I will not be harshly judged for having asked if we should ask this question.
Personally I gave up on SL 9 months ago for other reasons. I was fed up with downloading a new massive client to wander around an aimless 3D space. Then to top it all off they were hacked and you had to call them to get a new password. I also was annoyed that the first thing you had to do was pick your name with some strange last name from a list they determined. Once you picked your name you couldn’t change it… it was the one thing persistent about you. I think online 3D has potential but I am convinced there will be worlds that leapfrog SL.
Here are some of the comments about the proposal on their site
I do not wish to have my personal information – my SSN or anything else, in the hands of a 3rd party organization – or even in the hands of SL. I am very cautious about what info I put out there – and considering how easily sites can be hacked, this is a security issue. Some of us have RL clearances and do not want more info out there – and as such – we will now be unable to access adult content? Let’s face it that’s why many of us put up a credit card for premium membership – to prove our age. Further proof is a burden on the players that we should not have to bear.
First, you should be aware it is illegal to require an individual to provide his/her social security number as a means of identification to anyone but the Federal Government. Second, if driver’s license and or SSN is provided to you or your agent you may become legally liable for the misuse, loss, or theft of that information for the purposes of fraud or identity theft. Good Luck.
A third party that LL trusts and isn’t giving us who this third party is, I’m taking issue with. The moment I give them my driver’s license, they will now own my name, address, license number, AND because I live in a state that puts the Social Security number on the driver’s license, they will have that as well. I’m not impressed with this action nor do I trust LL’s belief in this third party that they will not keep this data. Prove it!
“Driver’s license, passport or ID card” are you joking?
I think you need to come to grips with a few things. Half the residents in SL do not live in Puritanical America. Your ‘immature’ attitude toward sex and alcohol are not shared by the majority of people on Earth. There is no drinking age in most of Europe and Asia and most people look upon sex as a normal human activity.
What about those of us without passports, drivers’ licences or any form of national ID? You falsely assume that all adults have one of these things – not all of us drive, go abroad or live in countries with Big Brother-style ID card schemes.
The best bit IMO is we’re now expected to pay for the privilege of being treated like adults. Are we not mature enough to be given the responsibility of ignoring things we don’t want to see? The way I see it this system is good in theory but completely flawed in practice.
Once again, Linden Labs adopts a US-centric attitude. US players only have to provide the last 4 digits of their Social Security numbers, while non-US residents have to provide a full National ID Number (whatever that is, and whatever countries use them) or a full passport number! What about people who have no National ID, or passport? What are they to do?
This sounds very heavy handed. It sounds like a roomful of lawyers, FBI Agents, and other law enforcement put the fear of Gawd in to Linden to have them take the extreme step of seeking partial social security numbers, and age verification via key documents. I believe the point has been raised the credit card verification is typically enough to meet age requirement guidelines.
As a UK resident, I do not feel comfortable about giving personal details to an as yet unnamed data collection company, which I assume is US based.
With the current climate in the US as regards to Bush’s eavesdropping on data communications to aid the War on Terror(tm), I do not want to end up on some US government database as belonging to a virtual porn-ridden community run by a bunch of subversive godless burnt-out californian commie hippies (Ann Coulter is hawt!!).
OpenID made the front page of the Money Section of USA Today - Today.
From the community they quote David Recordon, Scott Kveton, Brad Fitzpatrick, and Kim Cameron.
SAN FRANCISCO — An emerging technology standard could be the answer to a major headache: It lets consumers use the same user name and password for hundreds of websites that require a sign-in.
What an exciting day!
There’s been considerable conversation around identity on the Internet, or what some would call grassroots identity. Providing identity services between people, websites, and organizations that may or may not have any kind of formalized relationship is a different problem than providing authentication and authorization services within a single organization. Many have argued that the lack of a credible identity infrastructure will eventually result in the Internet being so overrun with fraud as to make it useless for many interesting uses.
To solve this problem, or pieces of it, companies and individuals have made a variety of architectural and governance proposals. Some of these include:
- The Liberty Alliance
- Identity Commons
Myself, Phil Windley, Drummond Reed, and Doc Searls are hosting the Internet Identity Workshop in Berkeley on October 25 and 26th to provide a forum to discuss these and other architectural and governance proposals for Internet-wide identity services and their underlying philosophies. The workshop will comprise a day of presentations on Internet-scale identity architectures followed by a day of structured open space to accommodate the range of topics and issues that will emerge from day one and other issues and identity services that do not fit into the scope of the formal presentations. We’re hoping that adding a little more formality to the conversation will aid in digesting some of the various proposals.
We’re inviting presentations for the first day on the following topics:
- Problems, issues, politics, and economics of Internet-scale identity systems.
- Architectures for Internet-scale identity systems
- Philosophies that drive architectural decisions in these systems (see Kim Cameron’s Laws of Identity for an example of such a philosophy)
If you’d like to present on some other topic, drop one of us a line first and we’ll see how it fits in. Prospective presenters will be asked to submit a 250-300 word abstract. We hope to accommodate everyone, but we may end up picking from the abstracts.
I’m excited about this and looking forward to it. I hope we can have a good set of presentations the first day and a solid day of discussion the second. If you’re interested in this sort of thing, I hope to see you there. Please read the full announcement for some other details and register if you’re coming. There is a $75 charge to cover the cost of the venue, administrative expenses, and the cost of snacks and lunch both days.