WILL HARRIS ON PRIVACY AND WEB 2.0

Via Terrell Russell, a report on Will Harris's piece on the danger that Web 2.0 represents “the end of privacy”.

Will Harris recently wrote about his views on the end of privacy. He blames the Web 2.0 phenomenon and all the data users are willingly posting and publishing on the network. Well, mostly he blames big business.

“My firm belief is that the net effect of the Web 2.0 movement will be a marked loss of privacy on the internet, one which leads to big business knowing more about you than it ever did before.”

He then moves quickly into talking about how these conglomerates will eventually own all the marketing data they can buy and proceed to advertise, advertise, advertise.

When the Web 2.0 bubble bursts – when the massive buyouts are done, the millionaires are made and the sites we love today are in the hands of big business – the innovation will grind to a halt, and what’s left will be the endless grinding of the marketeering machine.

If anything, I think this is the blunt end of the stick.

The other end is much more dangerous as, once this data is aggregated and compiled, it can be singularly lost or sold to more unscrupulous characters. Big business, being what it is, is not the boogeyman here. I am concerned, same as Will, about large corporations feeling they can advertise personally to me whenever and wherever they want – but I’m much more concerned about their potentially cavalier tossing around of all this personally aggregated data without scrubbing it for merely statistical purposes.

Ideally, we move to an identity metasystem (with identity providers and identity brokers) and these companies only know what we let them know about us. Arguably, we can do that today without more software or more technical tools to trickle into mass adoption, simply by not playing – not participating – but that kind of defeats the point of having the conversation, doesn’t it? We need tools to protect us AND that let us do what we want to do online – buy, sell, communicate.

Eventually, online life and offline life will be a blurry distinction that nobody bothers to make. It will just be life.

I do like Will's piece.  Everyone should check it out, even though he has completely missed the central point.  

I speak, as usual, in the architectural conditional.

Will gets what's happening, but not what will start happening when Web 2.0 gets serious about long-term business strategy.  One day people will get to, er, the “things that will destroy our business model” phase. 

Luckily, the fix isn't so hard, if people tune in now.  More when the rest of me has arrived back from Europe.


GOOGLE'S AUTHENTICATION VERSUS MICROSOFT'S LIVE ID

Here is a piece by Eric Norlin over at zdnet.com. Windows Live ID is the identity backbone used by Microsoft's web properties and services – for example, by hotmail. For those who haven't followed the bouncing ball, Windows Live ID is the latest evolution of Passport, which has undergone a name change to convey its focus within Windows Live services – as well as its ability to federate in a multi-centered identity landscape.

Recent announcements of Google's authentication service have prompted comparisons to Passport, and even gotten Dick Hardt (of “Identity 2.0” fame) to call it “the deepening of the identity silo.” I'd like to contrast Google's work with Microsoft's recent work around Live ID.

Microsoft's Live ID *is* the old Passport — with a few key changes. Kim Cameron's work around the identity metasystem has driven the concept of InfoCards (now called CardSpace) deep inside of Microsoft. In essence, Kim's idea is that there is a “metasystem” which utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other.

Of extreme importance is the fact that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server). This means that A) Windows Live ID can interact with other identity metasystem implementations (Open Source versions, for example); B) that your corporate active directory environment can be federated into Windows Live ID; and C) the closed system that was Passport has now effectively been transformed into an open (standards-based) and transparent system that is Live ID.

Contrast all of this with Google's announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend? While Microsoft is now making it easy to interact with other (competing) identity systems, Google is making it nearly impossible. All of which leads one to ask – why?

I honestly believe that Microsoft is ahead of Google on this one for a very simple reason: Passport taught Microsoft some very painful, first-hand lessons. Passport forced Microsoft (over a period of years) to re-examine their fundamental approach to identity. Further, it forced them to figure out how to monetize the idea of identity applications — and not simply the aggregation of identity itself. Conversely, Google's business is now built on the aggregation of identity data, and they have yet to walk the painful Passport path.

Will the market force Google to learn the same lesson? I don't know. On the other hand, one company is clearly advancing the cause of “identity 2.0”, “web 2.0”, “Net 2.0” — call it what you will — and that company is Microsoft. The other company is deepening the silo and building the walled garden — and that is *so* late 90s.

While I love being in the software olympics as much as the next guy, I personally hope that Google embraces federation, Information Cards and the identity metasystem. They have enough smart people who understand these issues that I expect they will.


PETE WILL INFOCARD ENABLE HIS SITE

More from Pete Rowley at Red Hat:

Kim Cameron has blogged about a conversation we have been having recently about the OSIS (Open Source Identity Selector) project. Negotiations have been underway for many months in order to get to a point where all parties are comfortable that legal and other issues are in order. I am happy to say that Red Hat has been involved with this process from the beginning.

I agree with Kim on the importance of the participation of Red Hat. As the leading Linux distribution it provides a platform for the project and a significant distribution channel, all things required for ubiquity. Ubiquity and cross-platform support are major goals for OSIS and the identity meta-system in general.

When I met with Paul Trevithick and Mary Ruddy some months ago to discuss Higgins it was clear to me that there was an alignment in project goals. Architecturally Higgins represents an uncannily good fit, so I am very pleased to see the client effort folded into the Higgins project. Perhaps Higgins's suitability is not so surprising given the exchange of ideas and collaboration that has been going on in the identity gang.

In the coming months I hope to be in a position to enable support for information cards on this site with end to end open source software. Watch this space.

That's very cool.  Which reminds me that someone asked me to start an I-roll for early sites that support Information Cards. 


RED HAT SUPPORTING OPEN SOURCE IDENTITY SELECTOR

The Identity Mashup held last week at the Harvard Law School lived up to its name.  There were an endless number of nooks and crannies and people with different trajectories talking and brainstorming both in and between the sessions.

A lot of important things happened.  I've already mentioned one key development:  the announcement of an Open Source Identity Selector project (OSIS).  If you are new to the identity conversation, an Identity Selector is the steering wheel of user-centric identity – the way people select the identity (visualized through what we call an Information Card) appropriate to a given context.  OSIS will create an equivalent to what CardSpace does on Windows.  It's therefore an essential piece if we want to build an identity metasystem that reaches across platforms and devices.

But there's another deeply significant development:  Red Hat, which lays claim to being “the world's most trusted provider of Linux and open source technology”, will be one of the key participants.

Why is this so important?  First, because it helps bring us closer to a metasystem which truly reaches across all platforms.  Second, because Red Hat's participation is emblematic in conveying the idea that Information Cards really represent an open technology and a rallying point for the industry.  Web sites can now add Information Cards and be confident they won't be accused of herding their customers towards any given platform. 

As Pete Rowley said in explaining Red Hat's decision to participate, “With so many companies collaborating on the project it is clear that this is an important piece of the identity puzzle and that the industry recognizes the opportunity to work together for the common good.

“The open source movement is much more than just Linux and we're seeing significant interest from customers and the community in building a common framework for identity interchange on the internet. 

“Like TCP/IP – having a common framework takes more than a standard to encourage adoption – there must be an express need and a community of use to embrace and extend – and with the number of folks worldwide now sharing conversations, there's an express need for easily confirming that you are conversing with who you think you are.

“Seeing the democratization of content take place on the Internet I am convinced that  with the advent of ubiquitous user-centric identity systems there will be a sea change in the services offered and the way we use the Internet.”

Wow.  I love this guy.  I think I can hear the identity big bang starting just beyond the horizon.  Hold on to your seats. 

INTEL IDENTITY PLATFORM AND THE METASYSTEM

Here’s an encouraging story by Martin Banks of Britain's The Register.  If Shelagh Callahan of Intel Systems Technology Lab has her way, we will have another stream of energy powering the Information Card paradigm and underlying Identity Metasystem.  

If your digital identity is going to mean anything, it has to be secured, and Shelagh Callahan of Intel's Systems Technology Lab thinks that has to start on your PC. She compares the state of identity today to early car designs, each with a different way of starting the engine; today every car has a key and you just have to find the ignition.

“With identity, not only do we not know where to put the ignition key, we don't even know there is a key. We want to make the platform understand what a key is and how you can use it. The intent is to make platforms as capable to understand identities in the future, as they are currently able to understand devices – to know what they are, how to ‘load’ them, how to find and associate resources, how to delete them, how to establish policy for them and so on.”

Too many passwords, over-used identifiers that quickly lose any security they had (how hard is it to find your mother's maiden name?), poor privacy; the way we work with identity on our PCs is full of problems and it isn't flexible enough to actually do what we want it to. “I must know exactly who you are and how to find you but you must be able to be anonymous and I must be able to prove I'm not snooping. How can you be both strongly authenticated and anonymous?”

Single sign-on doesn't solve things, Callahan says. “With most solutions I have to give up control to get sanity.” And you'll never get one single sign-on. “Intel won't federate with Amazon or with my local utility company.” The only things all the services and suppliers have in common are you – and the devices you use.

The idea of the identity-capable platform is to authenticate to the platform itself on your device, rather than to a remote service. That avoids interception problems; you aren't broadcasting your biometrics or your smartcard authentication. You can prove who you are without handing over the credentials you use to prove it.

Callahan talks about a secure partition on your PC using the Trusted Platform Module chip. You authenticate yourself to the partition using a fingerprint reader, swipe card, mobile phone SIM or other secure methods and the partition provides your identity to remote sites and services, via web services being developed by the Liberty Alliance. There's no need for a site to deploy a Liberty Federation infrastructure to use ICP identities.

As well as authenticating you to services that need to know who you are, the identity platform can authorise you for services that need to know what you're allowed to do but not who you are. It can also introduce one person, service or device to another, again via web services.

If you travel, getting one bill for data connections from your mobile operator is simpler and often cheaper than paying for every hotspot individually – Callahan's team has worked on a prototype system where your mobile phone SIM gives you access to hotspots on your laptop. So if you want to set up a Wi-Fi account using the same identity as your mobile phone, the identity provisioning system can create a new identity that corresponds to the existing identity, using the TPM to lock the credentials to the platform for security. There will also be tools for linking identities (you might want to link a credit card identity to a membership identity so it gets renewed automatically), deleting identities and transporting them to other devices you use.

Services trust the platform because they trust that it's accurate and secure; the platform can assert how trustworthy it is by disclosing which secure method you've chosen to use. For users to trust it they have to be in control of where it identifies them, so there are policies for controlling who can use the authenticated identity claims you provide and what they can use them for.

“To the service providers the platform can act as a full partner in the infrastructure's identity strategy. And for the end user, their platform can safely store their personal information and they can more easily choose what they wish to disclose and to whom,” Callahan says. The platform can also store preferences and metadata connected to an identity.

Callahan sees the identity platform inside the PC becoming part of the identity metasystem that Microsoft's Kim Cameron and others are arguing for. Identity selection technologies like Microsoft's CardSpace (formerly InfoCard) could use the platform as a way of storing and authenticating your Information Cards, as could the connection manager for your network association or an identity provider like your ISP, bank or enterprise IT team.

“The identity-capable platform is a strong complement to identity infrastructure, not competition for it,” she says. “It is not about providing applications and services, but it is about making sure applications and services (including operating system level applications and services) can depend on consistent, standards-based support of identity functions.”

Multi-core chips and virtualisation make it easier to switch from thinking about multi-tasking to envisioning a PC with different partitions and platforms providing secure, isolated services, whether that's identity, the network connection or a third-party maintenance service. The combination of partitions and services is behind all of Intel's current platforms like ViiV and vPro – although the identity platform is still a research project rather than something planned for a specific Intel release.
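The core exchange Callahan describes – authenticate to the platform on the device, let the platform hand a remote service signed claims, and keep the user's credential and disclosure policy on the device – reduced to working code.  This is an added example for this post, not Intel's prototype or anything from the Register article.  Its assumptions: a process-local ed25519 key stands in for the TPM-bound platform key; the relying party obtained the platform's public key at provisioning; a SHA-256 hash of a constructed byte string stands in for an enrolled fingerprint template; a map from audience to persona stands in for the user's disclosure policy; and the claim names (sub, aud, amr, iat, exp) are my choice, not Intel's or Liberty's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the only thing that leaves the device: which identity the user
// chose for this audience, how they proved it locally, and a validity window.
// The local credential (the fingerprint template) is deliberately not a field.
type Claims struct {
	Subject    string `json:"sub"`
	Audience   string `json:"aud"`
	AuthMethod string `json:"amr"` // the "how trustworthy am I" disclosure
	IssuedAt   int64  `json:"iat"`
	Expires    int64  `json:"exp"`
}

// SignedClaims is the wire message: JSON claims plus the platform's signature.
type SignedClaims struct {
	Payload   []byte
	Signature []byte
}

// Platform stands in for the identity-capable partition. Assumption: a
// process-local ed25519 key plays the role of the TPM-bound key.
type Platform struct {
	signingKey      ed25519.PrivateKey
	PublicKey       ed25519.PublicKey
	fingerprintHash [32]byte          // stand-in for an enrolled biometric template
	policy          map[string]string // audience -> identity the user lets it see
}

func NewPlatform(fingerprint []byte, policy map[string]string) (*Platform, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Platform{signingKey: priv, PublicKey: pub,
		fingerprintHash: sha256.Sum256(fingerprint), policy: policy}, nil
}

// authenticateLocally checks the user's proof against the platform only;
// nothing about it is ever transmitted.
func (p *Platform) authenticateLocally(fingerprint []byte) bool {
	h := sha256.Sum256(fingerprint)
	return subtle.ConstantTimeCompare(h[:], p.fingerprintHash[:]) == 1
}

// IssueClaims authenticates on-device and, if the user's policy names this
// audience, signs claims carrying the persona chosen for it.
func (p *Platform) IssueClaims(fingerprint []byte, audience string, now time.Time) (*SignedClaims, error) {
	if !p.authenticateLocally(fingerprint) {
		return nil, errors.New("local authentication failed")
	}
	subject, ok := p.policy[audience]
	if !ok {
		return nil, fmt.Errorf("policy does not allow disclosing an identity to %q", audience)
	}
	payload, err := json.Marshal(Claims{Subject: subject, Audience: audience, AuthMethod: "fingerprint",
		IssuedAt: now.Unix(), Expires: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		return nil, err
	}
	return &SignedClaims{Payload: payload, Signature: ed25519.Sign(p.signingKey, payload)}, nil
}

// VerifyClaims is the relying party's side: trust the platform key registered
// at provisioning, check signature, audience and validity window. The service
// never handles the user's credential.
func VerifyClaims(platformKey ed25519.PublicKey, sc *SignedClaims, expectedAudience string, now time.Time) (*Claims, error) {
	if !ed25519.Verify(platformKey, sc.Payload, sc.Signature) {
		return nil, errors.New("signature does not verify under the platform key")
	}
	var c Claims
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, err
	}
	if c.Audience != expectedAudience {
		return nil, fmt.Errorf("claims were issued for %q, not %q", c.Audience, expectedAudience)
	}
	if t := now.Unix(); t < c.IssuedAt || t > c.Expires {
		return nil, errors.New("claims outside their validity window")
	}
	return &c, nil
}

func main() {
	fingerprint := []byte("constructed fingerprint template") // constructed sample input
	platform, err := NewPlatform(fingerprint, map[string]string{
		"shop.example": "customer-4711", // the shop sees one persona,
		"bank.example": "acct-0042",     // the bank a different one
	})
	if err != nil {
		panic(err)
	}
	now := time.Now()
	sc, _ := platform.IssueClaims(fingerprint, "shop.example", now)
	c, err := VerifyClaims(platform.PublicKey, sc, "shop.example", now)
	fmt.Printf("shop.example accepted %+v (err=%v)\n", c, err)
	_, err = VerifyClaims(platform.PublicKey, sc, "bank.example", now)
	fmt.Println("same token replayed at bank.example:", err)
	_, err = platform.IssueClaims(fingerprint, "tracker.example", now)
	fmt.Println("site the user never allowed:", err)
}
```

Two properties worth noticing, because they are the ones Callahan's design is actually about: the payload the shop receives contains no trace of the fingerprint, only the fact that a fingerprint was used; and because every claim set is bound to one audience and signed by the platform, a token minted for the shop cannot be replayed at the bank, while a site the user never listed in policy gets no identity at all.  What the example does not model is attestation: a real relying party would want the TPM to vouch that the signing key lives in the partition, not merely that it has some public key on file.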