MIKE BEACH ON FEDERATION AND USER CENTRIC IDENTITY

Here is more fallout from James McGovern's intervention about InfoCard as a “consumer” interest. 

It's a posting from Mike Beach – an identity pioneer all of us in the enterprise world respect, and who was one of the first to get an inter-corporate federation system off the drawing board and into production. 

His thinking has the benefit not only of vision, but of a lot of real experience.  Whatever he says, pro, con or neutral, I always start by assuming he is speaking to us from the future:

I agree with Kim that the Infocard/Identity Metasystem (or some other form of user-centric identity implementation) will find its way into the corporate world and help to solve some interesting problems. I have recently been mulling the potential impacts to both privacy and federation.  

In the privacy space a colleague of mine shared an interesting perspective. Most corporations, especially in the B2C space, have considered user/customer identity data to be an asset. Knowledge about their users that could be leveraged for any number of marketing opportunities. With the rising concerns and increasing regulations around privacy this perspective is, or should be, starting to change. This “asset” is now becoming a liability. Data about people (corporate people and consumer people) is always going to be required to do business, but how do we get that while at the same time minimizing liability? Enter the Infocard concept. It would seem we now have a means to establish authoritative data about the user, but give it to the user for safe keeping.

Relative to B2B federation it also appears the Infocard concept can add value.

Today many federations are established by corporations “on behalf” of their employees.

Consider the many corporate benefits providers that are establishing SSO federations with their clients. The employees are at the mercy of their employer and the benefits providers to ensure security and privacy, and typically have no choice in the matter. I realize the federation standards provide for “opt-in” federation, but I don’t see that fleshed out in products and implementations.

Again enter the Infocard concept. The potential for eliminating the magic, invisible, mandatory federation of today. The corporations can issue Infocard credentials to employees that can be used at benefit provider sites – or not. Employees have visibility, control, and choice. I can imagine the Infocard concept becoming the new federation user experience.

This phrase haunts me, and should haunt the industry:  “The magical, invisible, and mandatory federation of today.”

I tend to believe that if anyone knows what the gotchas are, it's Mike.  So having him in this conversation is essential.  Hey Mike, it's time to blog…

DEPERIMETERIZATION AT 1 RAINDROP

Seems like Gunnar Peterson of 1 raindrop finds the intersection of InfoCard and Federation as interesting as I do.  And in resonance with my recent post on enterprise identity management, his taxonomy includes the fascinating “deperimeterization” – I see that while I wasn't working he's done a whole bunch of good work on this.

Ping is set to demo its new Infocard authentication + federated SSO at Catalyst.

A user authenticates to a healthcare portal leveraging a self-asserted InfoCard. The user’s credentials are validated by a Java InfoCard Server built by Ping Identity. PingFederate is then used to enable federated single sign-on to a remote Web site without a redundant user authentication.

There are a number of interesting aspects here, including proving out Identity Law 5, which is, of course, Pluralism of Technologies and Operators; jacking the InfoCard assertion into the federation network through the WS-Trust backplane; and the ability of InfoCards to help strengthen the authentication process, for example through a smart card, and then have that assertion carried through the system. Brian Snow:

Consider the use of smartcards, smart badges, or other critical functions. Although more costly than software, when properly implemented the assurance gain is great. The form factor is not as important as the existence of an isolated processor and address space for assured operations – an “Island of Security” if you will.

An island of security in a networked world, now there is a future worth inventing.

Is it really an island?

TIARA.ORG – A MAJOR IDENTITY SITE

O.K.  I've hit a gold mine.  It's called Tiara.org.  Who or what is Tiara?  “A PhD student in the Department of Culture and Communication at NYU, studying social technology from a feminist perspective.”  Go to her “About me” page and it has everything except… a name – at least in a form straightforward enough to come up in a search engine.  So for me she's just Tiara.

Tiara has assembled a spectacular identity bibliography.  I'm going to ask if she'll let me put it up on identityblog – with credit to her, of course.

It turns out Tiara had blogged about the Times’ Facebook story over the weekend.  Somehow through the miracles of ping-backs this floated past my desktop:

Kim Cameron, the architect of MS’ Infocard Identity Metasystem, which I’m not at all a fan of, writes a great post on Facebook and the globalization of identity, based on the NYT article I blogged over the weekend.

Wow.  Such a smart person is not a fan of the identity metasystem.  I need to find out more about this.  Nonetheless, we seem to agree when it comes to some of the issues raised in the Facebook article.  After quoting my piece, she continues:

Beautiful point: Facebook (& MySpace) are extremely performative communities, where the values being espoused – being cool, being “hard”, being sexy, being transgressive, being resistant – are those of mythical teenage worlds. There’s not just a generation gap between teens/young adults and their future possible bosses, there’s a culture gap between the “professional world”, where we’re not really supposed to have any sort of interesting personal lives (witness the furor over academic blogging), and the “online world”, where we’re supposed to be larger-than-life (microcelebrity again!).

I also like Cameron’s point about companies not being “invited” into these worlds. I definitely feel that Facebook is a private community, and I don’t go poke around looking for my undergraduate students, because it’s none of my business what they do in their private lives. But, again, as I said the other day, there are no regulations about searching social networking sites (or even just Google), and there aren’t likely to be. The justification that it’s public information trumps the contextualization argument.

I talked to someone else recently who said that their local sheriff’s office uses MySpace as a first resource whenever they are looking for something or bringing someone in — of course it’s a young receptionist who does the searching. And universities like UC Santa Barbara are formulating specific policies to discipline students based on their Facebook information. So although I agree with Cameron, it’s really irrelevant. As long as sites like MySpace and Facebook are viewed as public information, they will not enjoy any type of protection from authorities or employers.

It's not really irrelevant.  There are a lot of issues buried here, and I'm not about to give up the ghost on them. 

One question I have is whether it is possible for an operator to provide access to a site for specific reasons – and prevent it for others.  In other words, is it possible to require those entering a site to sign a binding statement of use?  Can liability be associated with breaking such an agreement? 

Let's go further.  Is it possible to prevent usage of a site for commercial purposes, or purposes of employment, or in the interests of an employer? 

I'm going to be at the identity mashup hosted by the Berkman Center for Internet and Society at the Harvard Law School next week.  I should be able to find a few (hundred) lawyers there.  I'll try to find out more about these issues. 

But as Tiara says in her own interesting post on the matter:

So what’s “the solution”? I’ve heard three:
1. Young people should stop putting content online.
2. Recruiters and employers shouldn’t use Google or Facebook to research potential candidates (don’t hear this one very often, although you’d think in a country where it’s illegal to ask people to include a snapshot with their resume, there might be potential room for legislation here).
3. We just have to wait until there’s no longer a divide between your “work” persona and your “life” persona. I know this sounds stupid, but I heard it from the CEO of Facebook.  (Tiara heard it from the CEO of Facebook??? – Kim)

And here’s what’s actually happening: People are obfuscating personal data by using pseudonyms that can only be identified within situated, contextual networks, or by using services which allow them to restrict who can view their personal information. This is really the only one of these solutions which makes any sense.

O.K.  So we totally agree.  Contextual separation is one of the main concepts behind the identity metasystem.  I suspect she has impressions of what we are trying to do that just aren't accurate.

In truth, InfoCards and the metasystem have been designed to enable privacy while still being able to make provable assumptions.  For example, the system can be used to allow you to limit access to your site to full-time students – and recognize them when they return – without actually knowing their names or exposing their identities to the digital grim reaper.  The very problems Tiara worries are not solvable, are actually some of those addressed by this system.

And in truth, they have to be addressed if the resulting infrastructure is to be consistent with the “third law of identity”.  Identity information should only be available to relevant parties.  As an industry we need to think about how the virtual fabric will work and offer people separation of context – or there will be a further and terrible erosion of confidence in cyberspace by those who constitute its future inhabitants.
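The mechanism these two paragraphs describe (and the opt-in, user-held credential Mike Beach describes in the first post above) can be shown in a small model. The Python below is an added example written for this page, not code from the Identity Metasystem, InfoCard or anyone quoted here: an identity provider (a university registrar) issues a token carrying only the claim the site asked for (full-time student: yes or no) plus a pairwise pseudonym derived per relying party, so the site can recognise a returning student without ever receiving a name, and two different sites cannot correlate the same student. The student records, site names and keys are constructed, and an HMAC stands in for the issuer's digital signature so the example runs with the standard library alone; a real issuer would sign with a private key the site verifies against the issuer's public key.

```python
"""Minimal-disclosure claims with pairwise pseudonyms (added illustration)."""
import hashlib
import hmac
import json

# Constructed sample registrar records held by the identity provider.
# The name never leaves the identity provider; only requested claims do.
STUDENTS = {
    "u1001": {"name": "Alice Example", "full_time": True},
    "u1002": {"name": "Bob Example", "full_time": False},
}


class IdentityProvider:
    """Issues tokens carrying only the claims a relying party asked for."""

    def __init__(self, signing_key: bytes, pseudonym_key: bytes):
        # HMAC stands in for the issuer's digital signature in this model;
        # a real issuer would sign with a private key the site can verify.
        self.signing_key = signing_key
        # Separate secret for deriving per-site pseudonyms, never disclosed.
        self.pseudonym_key = pseudonym_key

    def issue_token(self, user_id: str, relying_party: str, requested: list) -> dict:
        record = STUDENTS[user_id]
        claims = {c: record[c] for c in requested}  # minimal disclosure
        # Pairwise pseudonym: stable for one (user, site) pair, different at
        # every other site, so two sites cannot correlate the same student.
        ppid = hmac.new(
            self.pseudonym_key, f"{user_id}|{relying_party}".encode(), hashlib.sha256
        ).hexdigest()
        body = {"aud": relying_party, "ppid": ppid, "claims": claims}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingParty:
    """A site that admits full-time students without learning who they are."""

    def __init__(self, name: str, issuer_key: bytes):
        self.name = name
        self.issuer_key = issuer_key
        self.visits = {}  # pseudonym -> visit count: the site's only idea of "who"

    def verify(self, token: dict) -> dict:
        expected = hmac.new(
            self.issuer_key, token["payload"].encode(), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            raise ValueError("signature does not verify")
        body = json.loads(token["payload"])
        # Audience check: a token minted for another site is refused here.
        if body["aud"] != self.name:
            raise ValueError("token was issued for a different site")
        return body

    def admit(self, token: dict):
        """Return (pseudonym, visit_count) for a full-time student, else None."""
        body = self.verify(token)
        if body["claims"].get("full_time") is not True:
            return None
        ppid = body["ppid"]
        self.visits[ppid] = self.visits.get(ppid, 0) + 1
        return ppid, self.visits[ppid]


def demo() -> dict:
    """One student visits two sites; a non-student is refused; a replay fails."""
    signing_key = b"constructed-issuer-key"
    idp = IdentityProvider(signing_key, b"constructed-pseudonym-secret")
    forum = RelyingParty("students-forum.example", signing_key)
    library = RelyingParty("library.example", signing_key)

    first = forum.admit(idp.issue_token("u1001", forum.name, ["full_time"]))
    second = forum.admit(idp.issue_token("u1001", forum.name, ["full_time"]))
    elsewhere = library.admit(idp.issue_token("u1001", library.name, ["full_time"]))
    refused = forum.admit(idp.issue_token("u1002", forum.name, ["full_time"]))

    # A token issued for the library, presented at the forum, must be rejected.
    try:
        forum.admit(idp.issue_token("u1001", library.name, ["full_time"]))
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    disclosed = json.loads(idp.issue_token("u1001", forum.name, ["full_time"])["payload"])
    return {
        "recognised_on_return": first[0] == second[0] and second[1] == 2,
        "unlinkable_across_sites": first[0] != elsewhere[0],
        "non_student_refused": refused is None,
        "replay_rejected": replay_rejected,
        "name_never_sent": "name" not in disclosed["claims"],
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Each call to `admit` is the student choosing to present a token to that site; nothing is presented unless they do. The pseudonym is what lets the forum say “welcome back” on the second visit, and because it is keyed to the site's own name the library sees a different value for the same person, which is the separation of context the third law asks for.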

FACEBOOK AS A BACKGROUND CHECK

If you missed this article in Sunday's New York Times, I suggest you read it.  Alan Finder, the author, has done a great job of driving the issues home.  My son Max called me long distance and said, “Dad – you have to read this.  It's very much related to what you've been working on.”  Imagine – my kids finally understand what I'm doing!  Against all predictions, it turns out Max is now himself trying to help a brick and mortar institution understand that it needs to live on the web – and he looks at the privacy and identity issues as something that will shape young people's attitudes going forward.

I won't quote the Times article in its entirety.  The paper requires an email address to get to their stuff – and then sends you spam in return for having given you access.  But it's in the public interest to get the main points across.

The Times article describes how companies are using information posted in Facebook (and other similar sites) to vet job applicants.  And even more interestingly, it reports on the reactions of the applicants as they begin to understand what is happening.  They had thought they were releasing information in a context where drama and posturing (dare we say ‘humor’?) are the norm – and in what is supposedly a closed community centered around the university.  But they suddenly found it had been globalized – and was now available to anyone, anywhere for any purpose.

It seems that executives are put off when a candidate looking to party describes his interests as “smokin’ blunts” (cigars hollowed out and stuffed with marijuana), shooting people and obsessive sex, all described in vivid slang.  (That's funny – sounds like an interesting enough guy to me.)

As Finder says, “It did not matter that the student was clearly posturing. He was done.”

“A lot of it makes me think, what kind of judgment does this person have?” said the company's president, Brad Karsh. “Why are you allowing this to be viewed publicly, effectively, or semipublicly?”

I don't think Brad was invited into the kids’ Facebook world.  A virtual world, by the way.  Where people are actually allowed to be metaphorical.  Why is he following the kids into their heads?  Can't they have fantasies?

The article says:

Many companies that recruit on college campuses have been using search engines like Google and Yahoo to conduct background checks on seniors looking for their first job. But now, college career counselors and other experts say, some recruiters are looking up applicants on social networking sites like Facebook, MySpace, Xanga and Friendster, where college students often post risqué or teasing photographs and provocative comments about drinking, recreational drug use and sexual exploits in what some mistakenly believe is relative privacy…

“It's a growing phenomenon,” said Michael Sciola, director of the career resource center at Wesleyan University in Middletown, Conn. “There are lots of employers that Google. Now they've taken the next step…”

Companies can gain access to the information in several ways. Employees who are recent graduates often retain their college e-mail addresses, which enables them to see pages. Sometimes, too, companies ask college students working as interns to perform online background checks, said Patricia Rose, the director of career services at the University of Pennsylvania.

Another student, having no luck finding a job, researched himself on Google and found an old link to a satirical essay he had done, “Lying Your Way to the Top”.  Once he had that link removed, he suddenly started receiving offers.

“I never really considered that employers would do something like that,” he said. “I thought they would just look at your résumé and grades.”

The way today's college students use the web is remarkable and innovative.  But for many of them, their whole email correspondence and a lot of their social life is etched in bits.  That's why getting the identity metasystem right is really a gift for them.

This brings us back to compartmentalization.  In the old days, we said and even did things in our student days that we might later have regretted.  But our acts and phrases weren't globalized, written into an eminently searchable Book of Life that would be read not by God, but by man, with all of his imperfections and pomposity.

Sites like Facebook need to start getting on the identity bandwagon, looking into new mechanisms for trusted yet anonymous assertions, or they'll lose the trust of their users.  More on the dangers of globalized personal information to come…

ENTERPRISE AND INDIVIDUAL IDENTITY

James McGovern over at Enterprise Architecture: Thought Leadership has a nice post where he poses questions for a bunch of his blogrollers.

It's not that the questions are wicked.  He asks Dan Blum:

Would it be possible for you to figure out creative ways for others to observe the client/analyst dialog in a more public fashion? What would it take for you to start blogging more frequently?

Pat Patterson gets this one:

What would it take for you to get Liberty Alliance to embrace the WS-Federation specification? Having federation capabilities built directly into an operating system is liberating…

And for me:

I would love it if you could start talking about identity from a corporate perspective and not stay exclusively focused on consumer-centric identity. You can leave the consumer stuff to Dick Hardt…

It's true I've been dealing a lot with user-centric identity.  But James, the future of the corporation will unfold largely in the virtual world.  What will then be more important to a corporation than its relationships with its “consumers”?  The lack of a reliable grid for dealing with the individual in the digital world is, in the big picture, the most urgent corporate identity issue of our time. That's one of the reasons I was led into the problem area.

The most important thing about the identity metasystem is the way it creates a unified infrastructure reaching between the corporation (or organization) and the individual (aka consumer).

What are we going to have?  One set of precepts that faces towards the inside of the corporation, and another completely different set that faces the outside?  That doesn't compute, and my work on this blog applies to both sides of this boundary.

The whole evolution of business is towards a more open mesh of interconnecting organizations in which individual relationships are key.  So empowering the individual within the organization will increasingly become the most important aspect of empowering the corporation.  The dichotomy you propose is a false one.

One of the most interesting trends I've seen is that of enterprises “kicking their employees out of the firewall”.  This isn't a good strategy in all cases, for sure, but I've seen a bunch of studies of companies that have slashed IT expenditures (by factors of 10!) by treating their own employees as external individuals.  More than one of these just tell their employees to buy their own PCs outfitted with various programs “off the street” and expense them back to the company – and still get order of magnitude savings.  Only their line-of-business apps remain behind the firewall.

I'm not proposing this as a direction forward – simply reporting on trends I see.

Reliable identity-based collaboration between individual users which also integrates with organizational identity will empower both the users and the organizations.  Making progress on this front is the most important single thing we can do right now to help the corporations we work for benefit from technology.  That is the big picture.

One key takeaway from your request is that I should explain where I'm coming from a lot better.  On a related theme, I'm getting ready to spend more time on the challenges of being “the relying party” in identity transactions, so I'll try to build these notions into what I'm writing.

You probably know that metadirectory, self-management and provisioning of identities all form an interconnected cluster of passionate interests for me.  Note to self:  start writing about these issues too.