For a while I’ve been thinking about how personal identity data (often called Personally Identifiable Information, or PII) is managed – both as a consumer, and from the perspective of service providers. I’ve been following along with the work being done by (amongst others) Microsoft, Google and the Kantara Initiative UMA WG, and it seems inevitable that over the next year or so the landscape will have the scope to evolve dramatically; I say ‘have the scope’ because I wonder what this will actually mean from a consumer’s point of view.
The internet landscape of the ‘average Bob’ consumer user has changed significantly over the past year or two, resulting in not only an explosion of logins and of PII scattered everywhere, but of services that allow (or require) this data to be shared from site to site. Bob might well have logins to various sites for online account management (banks, utilities, etc), each of which will hold local copies of his PII (address, DOB, etc), but he also now has a Facebook profile, a Flickr account, and perhaps shares his travel through Dopplr and his location through Google Latitude, and allows his friends to see his data in some or all of these services.
What I want
Because I’m conscious of my PII spreading out over the internet, and of the hassles of managing it all in a secure manner, I’d like a service along the lines of that described by Mark Dixon here to manage it all; though as I commented on his post, I’d like something a bit more outward-facing. My ideal identity service would contain:
- Credential Vault: Consolidate credentials into one identity (‘me’), which lets me authenticate to services as appropriate. This should be a standard federated identity (an OpenID, InfoCard or whatever) where it can be, but it should also act as a LastPass-style credential vault where the service provider doesn’t support new-fangled federation. This credential store should be cloud-based, but locally cached, and optionally integrated with my OS (for strong auth via smart card, biometric, etc). The credential actually exposed to the end service will vary (I might want to be totally anonymous, or at least pseudonymous – not traceable from one service to the next), so they don’t necessarily need my strongly authenticated, full-on identity, and this is separate to my level of authentication to the broker (which is by necessity always equal, or stronger).
- Attribute Store / Persona Editor, with Assurance: Collect all my PII, and provide an easy way for me to group this into personae (my personalities, if you will) and present this to SPs. Services should be able to specify that they need a level of assurance, and that the various attributes I provide are true – and my identity store should be able to keep this and present it when needed. As an example, I might just present a name (it might not be real) to a web forum, but my real address, verified by an independent body, when applying for a new credit card.
- Auditing and Updating Service: Beyond providing PII to sites, I want to be able to look back and find out who I gave it to. Today, I have no idea how many sites have my addresses (email or physical) – probably thousands over time. I’d like to see a log of this; moreover I’d like to be able to revoke that data from the providers, or force them to update their cache of it from my store when it changes. Furthermore, I want to know where else my data has gone – a list of which of my Facebook friends has synced my contact details to their mobile, perhaps. Ideally I should be able to set terms on registration of what each service can do with my data – this is more of a contractual, rather than technical, assertion.
- Sharing and translation: For site-to-site sharing of my data (Dopplr updating my Facebook, for example), OAuth describes how permission can be granted at a service-to-service level, but my Identity Store should be a broker in the middle so I can make decisions in one place. By sitting in the middle, this broker could offer additional services, translating data into a shareable format where a point-to-point service doesn’t already work.
I’d probably be prepared to pay for this, or see it as a value-add service from someone I already have a relationship with, as long as I trusted them with all this data.
What Bob wants
Bob, our ‘average internet user’, doesn’t really understand security. He’s the guy whose PC you have to fix when you go to visit, who has 15 browser toolbars from assorted malware running, and who loves to throw sheep at you on Facebook. He isn’t curious about why all those quizzes exist, and on a quiet Friday night wonders if that Viagra email might actually be a good deal.
He’s got online banking, GMail, Facebook and MSN Messenger. They all use his name (or a variant of) for the login name, and every password is the same, but it’s 8 characters and has a number in it – because his work IT policy says so, and that password is the same too.
Bob doesn’t think about where his PII is going, nor about who has it – at least until he moves house and has to tell dozens of companies – and gets a bailiffs letter because he missed one off the list and bills get sent to his old house. He’d likely be pretty confused with the concept of the identity service I’ve described.
What the services want
Service Providers (like my bank, Facebook, or even government) want me and Bob to use their services. They want to capture enough PII from me to provide that service without scaring me off (because the service is insecure, or they’re taking too much PII) or scaring Bob off (because signup is hard and confusing), in the cheapest way possible. They want users to be ‘sticky’ to their services, locking me in as much as they can so I don’t leave for a competitor. And if they’re less than scrupulous, they can sell all my juicy PII to ad companies.
The attributes actually needed by the service provider, and how sure they need to be that the attribute is trusted, varies according to the service. Twitter doesn’t care that I’m me – unless I’m a celebrity – but the government wants to be pretty sure I’m who I say I am when issuing me a passport.
There aren’t too many standalone Identity Providers, and no ‘Identity Store’ brokers in the way I describe that I’m aware of. The best we have today are things like OpenID and OAuth. These allow me to use the credentials from one service provider to access others, or to set up point-to-point data sharing, but these are far from perfect… Google is of course keen for me to use my Google login to access services like Plaxo or Facebook – but they wouldn’t let me use a credential from these sites to get into all my Google services. This is done to assert the Google brand, and to keep me using their services.
Will we meet in the middle?
The various great technical minds in the identity world will no doubt come up with excellent solutions to a lot of this, but I don’t think the technology is the real challenge; instead, it’s the fact that the bulk of internet users are like Bob.
Service providers are generally not independent enough to build a complete service like this, and for it to be truly trusted, and there isn’t a business case for a standalone identity provider because most people are like Bob, and wouldn’t pay for an identity service.
It’s not all doom and gloom, however. The fact I can use my Facebook, Twitter, Google or Windows Live login to log into multiple sites is a step forward; indeed I even think the ‘NASCAR problem‘ is a good thing, because it’s forcing people to think of elegant ways to move forward. This will over time
I’m not sure there’ll ever be a business case for completely standalone identity providers, but would imagine decent consumer-grade services will evolve out of services like Verisign’s Personal Identity Portal, or equivalents from people who already store lots of your PII (credit agencies, governments, banks etc) when they spot the consumer value in doing so. These will inevitably be multi-tiered services, offering Bob something nice and simple, yet offering me a (perhaps paid-for) more complex service.
As someone working in the identity field, I figure the best way to drive these things forward is to encourage all the Bobs I know to be more aware of their PII and where it goes – if enough of them start to ask questions, the services to support them will fall into place.