Stefan Brands on Dave Berlind's interview with me

I was taken aback to come across a post by Stefan Brands where he transcribes and comments on the ideas I put forward in an interview that ZDNet's cool David Berlind did with me at PCForum. I met Stefan recently at the Computers, Freedom and Privacy conference and he impressed me as a very talented technologist who really understands privacy and other security issues.

Just for the record, I want everyone to know that I'm not Microsoft's “Chief Architect”… That title belongs to Bill Gates… I am “Architect of Identity and Access” – meaning I'm the architect responsible for the identity software products: Active Directory (AD), Microsoft Identity Integration Services (MIIS), Active Directory Federation Services and so on. In turn, each of these products has someone working on detailed architecture.

Anyway, on to Stefan's piece:

Kim Cameron on the role of privacy in digital identity:

[4:31] “You need more than just the ability to be public, you need the ability to be private, it’s two sides of the same coin.” [4.58] “Anonymity is [not] the most important aspect of things, but I think privacy is very important and the ability to protect is very important, as well as the ability to be public and provide access.” [5.58] “Identity has to be able to be uni-directional or multi-directional or, basically, anonymous. You need to be able to support all three types of things. If you look at our current technologies, they are really based on supporting public entities much better than private entities.”

[7.09] “If I as an individual go to a web site I don’t want the identity I use there to be shared between that web site and other web sites.” [7.58] “I have a private relationship with each of these parties. Now, under certain circumstances I might be convinced that I should let them actually share parts of my profile because it will benefit me.” [8.12] “We should not have a system based on this widespread profile being created automatically. So, in order to do that what we need is an identity when we are dealing with each of those that is just uni-directional, it concerns only the relationship between me and that web site.” [8.30] “The public model came along first, and everybody has sort of assumed that identity for individuals should follow that public model. That isn’t good enough, you need both the public and the private capabilities.”

Wonderful! Note that such user-controlled (un)linkability would have serious implications for current online marketing tactics that thrive on the capability to link user activities without explicit user permission – including Microsoft’s new search engine strategy.

[11.24] “We need to rethink how you build this identity system in such a way that it behaves the way people expect it to behave. One of those things is the uni-directional thing, one of the things is don’t have any irrelevant parties in your identity relations.” [12.10] “We need to have a unified way of doing identity that encompasses both our customers who are individuals and our customers who are enterprises.”

Kim on two major shortcomings of Passport, user privacy concerns and service provider privacy concerns:

[9.18] “Passport actually began supporting uni-directional identifiers. Over time it changed to just omni-directional because the web sites wanted to be able to amalgamate digital dossiers in order to market to us better. Nobody had really thought very deeply about what these issues meant in terms of how people would react and so on. The technology evolved, I think personally, in the wrong direction.” [9.54] “Passport had other problems.” [10.09] “People would ask: “what exactly is Microsoft doing between me and Amazon?” It did not make sense to people that the Microsoft site would be there. And a lot of the web sites themselves would look at it and go: “do I really want a Microsoft service between me and my customer base?” And they would say “No.”

On Liberty Alliance:

[27.20] “Liberty is a very interesting set of proposals and implementations. But it deals with some very specific scenarios which are from the point of view of a company that is in a circle of trust with some other companies and they want to share your profile. [] It is federation, in my view, in a particular set of scenarios. [] It is from the point of view of the company which is trying to provide a portal onto these other associated companies. That is different than the requirements of the consumer in general, for instance, or it is different from the requirements of a lot of companies who just want to manage a customer relationship. [] It could still function inside this metasystem that I am talking about. [] Just like I am trying to incorporate Passport into it.”

Stories that tell our story…

Eric Norlin has posted some comments on Chris Ceppi's explanation of “Identity Reform”:

1. i'm not sure if Identity Reform is the proper way to speak about what we're all doing.

2. I like what these cumulative posts are saying — namely, the critical thinking and conversation is a beginning point, the technology is a continuation of that — the story around that is a third, important piece…..I'd call the first and third parts marketing 🙂

Of course while marketing may be critical thinking and conversation, I'm not sure that means critical thinking and conversation is marketing… But hey – Eric is pushing our buttons – so I won't say anything.

3. don't underestimate the power of a good story. chris points out frank lutz. doc often speaks of Lakoff. we have yet to dig up all of the story threads in identity — but several have already been told (and had effect) — threads like:

A) the entrepreneur whiz kid that starts an identity company because he just *knows* it'll be the next big thing [any guesses what i'm referring to there?]

B) the “laws discussion” — a thread that implies community discussion and some kind of *rational* thought that will allow the deduction of *what* should be built….ie, not only is everyone being included, but once the laws are done, we'll have some agreement grounded in “the natural state of things” [note: AKMA should have a ball dissecting how the laws of identity relate to Augustine theology up through Erasmus and the rise of the protestant work ethic…natural law anyone?]

C) the “people's” identity: the us v. (insert big bad evil entity) story is a powerful one…..open source movements feed on this one, but it's certainly not limited to them. the idea that we can all become involved in something bigger than ourselves that will strip away the wrong-doings of an existing order of things…..well….

and other threads will form:

the technology that was the best that never succeeded

the person who champions reform after a tragedy

the evil CEO that fights reform to the end

….feel the mythic qualities? see, the more closely you weave in “mythic” elements, the more powerful they become….and let me stress this mythic DOES NOT equal false. all of the stories i've cited are true — and mythic.

good “marketing” is not just conversation — it's recognizing the stories that people *want* to tell and acting accordingly.

The identity story is a powerful one because it touches most of us very deeply. the depth of it is attested to by the oft-had response of “the individual must own” their identity information and its use. Watch the emotion that attaches to that response – people *react* – with their hearts and minds.

The story of identity is being told in multiple ways with many different threads — in such a way that it has room for everyone and all of their stories. the last technology that I know of that was big enough for that was blogging (everyone tells their story); before that, the internet (the wild west gold rush); before that the personal computer (bringing to life the Jetsons future); before that the credit card (you can have what you want now, and worry about it later); before that the automobile (freedom on the open road); before that, the land rush (free land and fortune); before that, the american promise…….;-)

ps: wanna hear a good story?

the entrepreneur whiz kid founds an identity company after being inspired to think deeply about technology by the events of 9/11. he grows out of whiz kid and into experienced executive, as his company grows through funding – assembling a bright young staff of developers to build out the infrastructure of his vision. this company goes on to be a rising star in a david v. goliath fight versus the big technology stack guys — bringing a “best of breed” (which is marketing codeword for david v. goliath story) technology to market — with critical customer wins – it becomes a press and analyst darling….

how does the story end? i dunno – yet.

yes, my friends, we don't live out our stories. our stories live us.

So true.

1 Raindrop from Gunnar Peterson

Here's a new blog by Gunnar Peterson called 1 Raindrop. This is quality thinking for those interested in issues of distributed computing.

It consists of “loosely coupled thoughts on distributed systems, security, and software that runs on them.” Gunnar summarizes alternate web technologies this way: “When you are content to simply be yourself and don’t compare or compete, everybody will respect you.” – Lao Tzu