When the Information Card Foundation (ICF) and OpenID Foundation (OIDF) launched the Open Identity Exchange (OIX) at RSA on March 2, I temporarily added the hat of OIX Executive Director. ICF agreed to loan me half time to OIX to work through the startup stages of establishing the industry’s first open trust framework platform provider. For its part, OIDF contributed the time of OIDF Executive Director Don Thibeau to serve as OIX President and board chair, and it has been a tremendous pleasure working with Don, OIX counsel Scott David, and Global Inventures program manager John Ehrig to lay the foundation for OIX.

Now, with the announcement at last month’s Burton Catalyst conference that AT&T has joined OIX, that several new OIX Working Groups are starting up, and that OIX and Kantara have begun collaborating on trust framework infrastructure, the startup phase of OIX is over, and I can finally take off the OIX ED hat.

This does not mean I will be any less involved with OIX, however. On the contrary, as I have been blogging throughout this year, the need for a particular trust framework—one governing data exchange with personal data stores (PDX)—is becoming acute. That need also intersects directly with the work I’ve been doing on the XDI data sharing protocol at OASIS since 2004.

So as fast as I’m taking off the OIX ED hat, I’m preparing to take on another one spearheading the development of a PDX trust framework at OIX. This will be one of the key topics both at the VRM+CRM conference in Boston this coming Thursday and Friday, and also at the Internet Identity Workshop East on September 9 and 10 in D.C. following Gov 2.0.

If you are attending either event and want to know more about PDX and the PDX trust framework, please come to the open space sessions we’ll be holding.

Given all the intersections between open identity and governments (in particular the US government, but several others are not far behind), it’s about time we had an Internet Identity Workshop in D.C.

Now we do — immediately following Gov 2.0.

See the invitation. Register. Run a session (or two or three). I’ll look for you there.

Phil Windley, co-founder and CTO of Kynetx (among the many hats he wears), wrote his own rules language, KRL, to “program the Web”. So when Phil writes the following about XDI after he and his team did a two-day deep dive on XDI with XDI4J project founder Markus Sabadello and I, it means a lot.

I haven’t been posting much about XDI because the OASIS XDI Technical Committee (which I co-chair) is still working on the XDI 1.0 technical specs. But since our philosophy has been to code everything in at least one implementation first before committing it to a spec, and since the core XDI graph model and metagraph model are now very solid, by the time the specs come out there will already be multiple operational XDI services.

I hope to finally get time to do many more posts about XDI this fall. In the meantime if you want to learn more, ping me about different ways to get involved.

I’m biased but I think this post is one of Doc Searl’s best about VRM and what’s going to compel it forwards. It’s about the July 31 Wall Street Journal article about behavioral tracking on the net.

He’s been preaching that a paradigm change is coming and he’s dead right (hint: see PDS). That’s why I’m travelling all the way to Boston for the VRM+CRM conference Aug 26/27 in Boston. This despite my standing rule of NO CONFERENCES IN AUGUST. (Damn fool Americans need to learn from the Europeans about how to enjoy life, especially summer, especially in Seattle.)

But I’m making an exception this year (and also for the Privacy Identity Innovation 2010 conference, which is easy because it’s in Seattle) because this paradigm shift is so important.

And because it’s one of the key breakthroughs that user-centric identity has been developed to enable.

About half-way through this movie, I found myself wondering how Christopher Nolan every got it made. No Hollywood exec would ever believe a movie with a plot this complex and layered could find a wide audience.

Wrong.

It is to three-dimensional stories what Avatar is to 3D effects.

See it. It will play 3D chess not just with your mind, but your heart.

My primary involvement as a member of the board of the Data Portability Project has been input about XDI as an open standard for portable data. But I’ve always been very enthusiastic about DP’s work on Portability Policies. The DP Project just announced their first Portability Policy deliverable via this blog post on TechCrunch.

On the DP Project board call this morning I shared the view that Portability Policies are an inevitable first step — and a highly welcome one — towards widespread adoption of personal data stores (see my posts earlier this year about PDS here and here). When PDS finally arrive, the irony is that the policy will turn in the other direction, i.e., the individual will have their own data sharing terms and the vendor will be agreeing to those. That’s the essence of VRM.

Iain Henderson of VRM pioneer Mydex is already working on the terms for such an agreement at the Information Sharing Working Group at Kantara.

Bit by bit, the age of personal data stores and personally-controlled data sharing is dawning.

Remember that year-end blog post about how personal data stores (PDS) are closer than they may appear? Now read Phil Windley’s wonderful summary of why it makes so much sense to create a PDX (not really an acronym for “personal data exchange” so much as just a moniker for a global internetwork of PDS).

It’s happening. Look for more news about it by Internet Identity Workshop (May 17-19 in Mountain View, CA). As if you didn’t have enough great reasons to go already.

I’ve been meaning to say this on my blog ever since the opening ceremonies in Vancouver. But since I just had the chance to recreate the experience on the Web, let me say it loud and clear for the record:

kd lang: Hallelujah.

First, my apologies to everyone who commented on Fixing the Google Account Problem. For some reason WordPress stopped notifying me about comment approval (I’m using Akismet but I still find the majority of comments that get through it are spam, so I moderate comments). So I just logged in and found a bunch of great comments, including several that I replied to.

Three clear themes emerge from these:

1. The problem is even worse if Google Apps is involved. Apparently there isn’t a solution to merging a Google account and a Google Apps account yet (which frightens me because I’m about to need to set up my first Google Apps account).
2. Using email addresses as primary account identifiers is problematic, period.
3. Internet identity managment, especially at scale, is hard. A lot harder than it looks.

I’m told the good folks at Google have been discussing this. Please feel free to add more suggestions about exactly what you think they should do.

I receive an email from a friend:

Drummond,
As my Word expert, how do I turn off the “balloon” captioning of redline changes?

I think, “Good question. I have no idea. I’ve often wondered that myself.” I’m about to start typing that answer to his email when I remember The Incredible Internet Answer Machine

I open a browser tab and type into the Google Search Bar “Microsoft Word bal…”

Google’s AutoSuggest completes it to “Microsoft Word balloons”.

I click Search.

In .25 seconds the answer is back and the second entry on the list is:

“How to turn off balloons for comments and tracking changes in Word“

.25 seconds. My brain doesn’t even think that fast.

I know reams have been written about “are we all getting dumber because the Internet is getting smarter?”

But still, it does take my breath away, almost every day.

In another one for the “new heights of irony” file: I was using Gmail this morning and once again wondered about the little orange dot that appears next to the names of some email senders.

I’d wondered at least a half dozen times before what this meant, because when you hover over it, there’s no balloon (there should be, Google).

So this morning I finally asked The Incredible Internet Answer Machine.

I just opened another tab and typed “Orange dot in Gmail” into my Google search bar.

The #1 hit (in .29 seconds) was the exact answer to my question…

…in Yahoo Answers!

(We’re going to have to rename it The Incredible Internet Irony Machine )

BTW, the answer is: Orange means the sender is using Gmail but is in “idle” status because they haven’t looked at their Gmail page in awhile – they are busy using some other browser tab or application. Green = active on Gmail now, Red = busy, Grey = offline.

This may be the only blog post I ever write with no link in it. But, reading today that Avatar has finally knocked off Titanic as the #1 grossing movie of all time, one hardly needs to provide a link to either.

Given my passion for film, I just want to say: hats off to James Cameron. He may not be the most likeable character in the world. But twice now this man has taken me and countless others (a signficant percentage of the human population, in fact) to a place in film an ocean beyond (or a planet beyond) what we have ever experienced before.

Which really is a new place in consciousness, when you think about it.

I thank him for that, and everyone who helped him realize his vision.

Two pieces of advice:

1. See it in 3D. It doesn’t matter how long you wait to do it. Just see it in 3D.
2. Sit as close to the axis of the center of the screen as you can, i.e., both in the middle of the theatre and at the height of the center of the screen. It really helps with the 3D experience. Ironically in most 3D theaters this is usually the back row or very near it. In other words, the vast majority of the seats are way too close. Go figure.

Every so often you experience a technical problem you can’t find any information about and which takes you forever to solve. Then, after you finally solve it, you are left scratching your head saying, “I don’t get it­—there must be millions of people with this problem—why is there so little information about it?”

Once before, back in 1991, I ran into such a problem with Windows 3.0. After finally solving it, I shared my solution with my friend Seattle Times tech columnist Paul Andrews. He published it in his column, and it turned out that thousands of people had the same problem but nobody understood quite what was happening. So that’s why there was so little information about it.

Now 20 years later, even though we’ve got the Internet and Google and all, I’ve just been through the same experience. And the irony? The problem is with none other than Google accounts—the very accounts that we need from this search giant to access many of the services it offers.

Over the holidays I finally bore down, worked the problem all the way through, and solved it. And throughout the process I was consistently stunned to find so little information available about it, either from Google or anywhere else.

So this time around I’m being proactive about it and publishing the solution right here so it will be easy for anyone to reference. (And, of course, for Google’s own search engine to find — the Internet brings new heights to irony.)

Warning: read this all the way through. The easy fixes are also the ones you may live to regret.

The Problem

1. A friend shares a Google doc with you.
2. You receive an email containing a link to this Google doc.
3. When you click on the link, you are prompted to log into your Google account, but once you do, you can’t get access to the doc because the email address that the friend used is not the same email address you used to originally create your Google account.

Arrggh! (That’s an exact quote from an email I just received from a friend for whom I’m solving this problem by writing this blog post!)

The Simple Solution That Will Get You In Trouble

There is a simple solution for which I thank George Fletcher of AOL, who first explained it to me and others on the OpenID mailing list who were having this problem a few years ago.

The solution is: register a new Google account under the email address that your friend used to share the Google doc with you.

It’s very easy…BUT…read the warning afterwards as to why it’s a red herring.

1. Go to http://google.com.
2. If you are signed in, sign out (top right corner).
3. On the next screen (the plain jane Google home screen), click the Sign in link in the top right corner.
4. On that screen, underneath the login box on the right, click the link “Don’t have a Google account? Create an account now”.
5. Even though you may already have a Google account, enter the email address you want to register for another Google account (the one your friend sent the Google doc too).
6. Confirm the email address via the standard process.
7. When you are done, log in using to this new Google account (using the email address you just registered, not the one for your other Google account).
8. Go to Google Docs (http://docs.google.com).
9. The Google Doc your friend shared with you will be on the list.

Yes, it’s that simple. BUT…

The New Problem This Creates

The reason NOT to solve the problem this way, to which I can attest by long and painful experience, is that while you will now have access to all the Google docs shared with you…you will also have to log in and log back out of each of your different Google accounts in order to access the different sets of Google docs shared with you under your different email addresses.

This might seem like a small pain at first, but believe me, after the 500^th time you will be wishing there was a better way.

There is.

The Better Solution…That Still Isn’t the Right Answer

The “better way” is a standard feature of almost any identity or directory system: aliases. (Disclaimer: I’m in the Internet identity business, so this is the kind of stuff I deal with all the time.) In an identity or directory context, an “alias” is just an alternate name for the same account. And in fact Google accounts supports aliases. What’s interesting, though, is that: a) they don’t call them “aliases”, and b) aliases for Google accounts are completely different than aliases for Gmail accounts.

Gmail accounts, you ask? What’s the difference between a Google account and a Gmail account?

Therein lies a whole ‘nother can of worms (and possibly the reason there is so little information about the Google account problem).

Let me start by explaining the difference (as best I understand it – this WHOLE BLOG POST is an open invitation for the good folks at Google to correct any of my misunderstandings and provide better explanations).

First, a Google account and a Gmail account are not exactly the same thing. The first rule is: every Gmail account is a Google account, but NOT every Google account is a Gmail account.

In other words, if you have a Google account that is NOT a Gmail address, then you have a Google account that is NOT a Gmail account.

The second rule is: BOTH a Google account AND a Gmail address can have an alias. BUT THEY ARE NOT THE SAME THING, AND NEITHER CALLS THEM ALIASES.

I am not making this up. An alias on a Google account (and remember, every Gmail account IS also a Google account) is another name for the entire Google account. But for Gmail, an alias is ONLY an alternate email address that you can send or receive email from using your Gmail account. A GMAIL ALIAS IS NOT A GOOGLE ACCOUNT ALIAS. A GOOGLE ACCOUNT ALIAS IS NOT A GMAIL ALIAS.

Is that clear as mud?

Now, adding an alias to a Gmail account is quite easy, remarkably powerful (most people have no idea how much flexibility Gmail offers to manage your email for any number of email accounts), and surprisingly poorly documented. I just spent 10 minutes searching Gmail for help on this just to see if there was a Gmail help page I could just link to.

Nope.

So here’s how.

Instructions for Adding an Alias to Your Gmail Account (but NOT for your Google Account Even If It Is a Gmail Account!)

1. Login to your Gmail account.
2. Click the Settings link in the top right.
3. Click the Accounts and Import tab.
4. In the second section, Send mail as, click the button labelled, Send mail from another address.
5. Enter the email address as instructed.
6. Google will send you an email with a link you must click to verify you own the address.
7. Go to that mail account, find the mail, click the link (it all takes about 30 seconds).

You’re done. Go back to your Gmail Settings page, click the Accounts and Import tab, and the new email address will be listed in the Send mail as section. You can now send email from this email address by choosing it in the “From” drop down box in Gmail. (See the help link for more info about the different ways you can send mail from a Gmail alias.)

You can add as many email adddresses as aliases to your Gmail account as you want (at least I couldn’t find documentation about a limit). But keep in mind that all of these will ONLY be Gmail account aliases, not Google account aliases — and having them as Gmail aliases does nothing to solve the Google account problem.

So you have to go through a different process — even with the same set of email addresses — to make them Google account aliases. (For example, I have the same four email addresses as BOTH Gmail aliases and Google account aliases.)

The following instructions apply for adding an alias to ANY Google account (whether or not it is a Gmail account), BUT—and this is a big BUT—if your Google account is NOT a Gmail account, keep reading afterwards about why this can come back to bite you.

Instructions for Adding an Alias to Any Google Account (Even If It Is a Gmail Account)

1. Go to www.google.com/accounts. That is the home page for configuring any Google account. If you’re currently logged into Google, Google figures out which Google account you are using via a cookie in your browser. If you’re not logged in, they’ll prompt you to login, and the Google account you will be configuring is based on the email address you use to login.
2. Once you are logged in, confirm it is the correct Google account by checking the email address in black text at the very top of the page (on the left side of the block of links in the top right corner). If this is the right account, proceed. If this is not the right account, meaning you want to add an alias to a different Google account, then sign out (upper right corner), then sign back in under the email address for that different Google account.
3. Under Personal Settings in the top center of the page, the entry at the bottom of the column will be Email addresses. If you have not yet added any aliases to this Google account, you will see only one email address—the same email address as at the top of the page. It will have the grey words (Primary email) next to it. This is the “primary key” for this Google account. You can’t change it! See the warning below.
4. To add an alias (do you see the word “alias” anywhere near here? Or anywhere on this screen? Does Google give you any clue that this is where you should go to access such a feature??), click the Edit link below this email address.
5. On the next screen (https://www.google.com/accounts/EditUserInfo), you will see two blocks: Edit personal information and Add an alternate email address to your account. You want this second block.
6. At the bottom of this second block is a text box labeled: Add an additional email address. Enter the email address you want to add as an alias (the one to which your friend shared the Google doc you can’t access) and click Save.
7. The next screen will tell you that you’ve been sent an email to verify that address.
8. When you receive the email, click the link in the email.

Congratulations, you have just set up that email address to be an alias for your existing Google account.

The benefits?

1. It no longer matters which of your two email addresses your friends share a Google doc with. Either way, the Google doc they shared will show up in your Google docs dashboard at http://docs.google.com. As far as I know, this is true for all the email addresses you add as an alias (again, I don’t know if there is a limit).
2. You no longer have to log in and out of two different Google accounts. All your Google docs will be there in your one master account. Hooray!

Now for the final gotcha. You can do all the above and still end out with a royal headache one day because of the following rule Google explains when you register an alias as described above:

You can use alternate email addresses to sign in to your Google Account, recover your password, and more. Alternate email addresses can only be associated with one Google Account at a time.

In other words, for good security reasons, you can only add an email address as an alias to one Google account at a time. On the surface that doesn’t appear to be an issue…until you circle back to what I explained above…that every Gmail address is also a Google account. By simple deductive logic, you arrive at this conclusion:

You cannot add a Gmail address as an alias to ANY Google account!

In other words, at Google, all email addresses can all serve as primary keys for Google accounts BUT only only non-Gmail accounts can serve as an alias (a secondary key).

So it boils down to this: if have a Gmail account, or ever plan to get one, then you are forcing yourself into the multiple-Google account problem for life UNLESS…

…you make your Gmail account your primary Google account.

Yup, that’s the secret. As long as you make your primary Google account a Gmail account, you’ll never have the problem of wanting to use Gmail but finding yourself forced into the multiple-Google account problem.

What To Do If You Already Have the Multiple Google Account Problem

Okay, say you’ve already fallen into this trap. You did what I did several years ago: created your own non-Gmail Google account using a non-Gmail email address so you could access Google docs under that email address. Then later you started using Gmail, and so now you have at least two Google accounts (and maybe more). And people are constantly sharing Google docs with you under one or the other of the two (or more) email addresses, and you are driving yourself nuts logging in and out of Google trying to remember which email address was used to share which Google doc.

But you CAN’T take your non-Gmail email address and make it an alias to your Gmail Google account (as I advise) because your non-Gmail address is already a Google account.

How do you fix it?

The answer is: a) completely undocumented (at least I couldn’t find it), and b) scary as hell.

That’s why I’m writing this blog post. There’s no reason Google needs to make this so hard. Why they haven’t written it up in one of their generally decent Help articles I have no clue. I even wrote one of my identity friends at Google to ask him. His answer was essentially, “This is just too hard for most users to understand.”

Well, that may be true, but IMHO it’s not a reason to withhold the documentation. The users who are experiencing the problem are highly motivated to understand it, and in fact the solution is pretty easy once you know what it is.

It’s just scary.

In brief, the way to make a non-Gmail Google account an alias for your Gmail account is to first delete the non-Gmail Google account.

Completely. Kaput. Gone. Which, as you might suspect, would ordinarily mean YOU LOSE EVERYTHING ASSOCIATED WITH THAT ACCOUNT.

How’s that for a scary thought? Honestly, that’s why I held off fixing this for so long. Who wants to bother with working around that?

Luckily, the workaround is not that hard once you know what it is and you are sure it is going to work. That’s the other reason I’m writing this blog post: I could not find anything posted anywhere – or even get it confirmed by those I knew at Google – that this procedure would work and everything would be okay in the end.

But I finally got so tired of the problem that I just did it, and I’m happy to say it works just fine.

So: please read and follow the instructions below carefully. I don’t want anyone coming back and telling me that they lost precious data because of my advice that they delete their Google account.

Part One: Share (or Otherwise Backup) All the Data in the Google Account

1. First, make sure you have at least one other Google account (preferably a Gmail account—see above—however this procedure should work with any other Google account. In these instructions I’ll assume this other account is a Gmail account.)
2. Go to the home page of the Google Account you want to delete at  https://www.google.com/accounts/ManageAccount.
3. Make sure this is the account you want to delete by checking the correct email address in black text at left end of the links at the very top of the page.
4. Under Personal Settings, click on the Dashboard link (second one down) called “View data stored with this account”.
5. This helpful utility (created for personal privacy management) will show you all the data you have at Google associated with this account. Now comes the hard part. You need to go through every Google service on this list, then go through any associated documents or data files for each of those services, and share them with your Gmail account. Even more importantly, if you are the owner any document/file, then transfer ownership to your Gmail account. If you don’t own a document/file (someone else shared it with you), don’t worry, you can’t lose it when you delete this Google account. But, as long as you have Edit privileges on the document/file, share it with your Gmail account just so you don’t have to go back to the original owner and ask them to reshare it later. If whomever shared it with you DIDN’T give you Edit privileges, just contact them and have them share it again with your Gmail account.
6. Did I say do this for EVERY document/file in EVERY Google service you use? Go back to your Personal Dashboard and check it again.
7. IMPORTANT: as a final check, log into your Gmail account and VERIFY that all the docs are shared. If you own the document/file, VERIFY that your Gmail account is the new owner.
8. Check everything one more time. If you are unsure than anything has been shared and will not go “poof” when you delete this Google account, just download a copy to your local hard drive (or email it to your Gmail account). Like I said, never come back to me and say you lost any Google data because of this blog post.

Part Two: Delete the Google Account

1. Go back to the home page for the Google account you want to delete: https://www.google.com/accounts/ManageAccount.
2. MAKE SURE this is the right Google account by confirming the email address in black at left end of the links at the very top of the page.
3. Next to the My products header (the second horizontal section down the page), click the Edit link. This should take you to https://www.google.com/accounts/EditServices.
4. The second option on the page is to Delete Account. Choose that option and follow the instructions to confirm you want to permanently delete this account (and wipe that sweat off your brow). Seriously, if you’ve shared or backed up all the files associated with this account, you’ve nothing to fear. It’s just like reformatting a hard drive <ouch>.

Once you’re done, take a deep breath. Wait 15 minutes. (I don’t know if you actually have to wait this long, but I figured it’s long enough to wait for Google’s servers to go through all their account deletion machinations.)

Part Three: Add The Alias to Your Primary Google Account

1. Log back in to your Gmail account (or whichever Google account you want to make your primary).
2. Follow the instructions earlier in this blog post to add the email address (for the Google account you just deleted) as an alias to this Google account.
3. Once Google confirms it as an alias, you’re done.

Problem solved.

Why It’s Still Not Perfect: A Final Warning

It’s worth pointing out that privacy, not just security, can be an issue with account aliases. Sometimes you don’t want someone to know you are using Gmail address to do all this cool stuff. But if your Gmail account is your primary Google account (as I advise), then take note of the following warning:

Note: In some Google services, if you share your alternate email address with your contacts, they might be able to learn your primary email address.

In short, Google hasn’t fully figured out yet how to provide you with completely separate personas on the Web. In my personal opinion, they would be well-advised to do so. It’s not easy — acheiving this level of privacy can be as hard as acheiving corresponding levels of security. But Google has the talent and, I believe, the motivation to attain this goal. I hope they consider it soon.

Joe Andrieu has a wonderful way of cutting the Gordian knot on complex socio-technical topics, with clear prose, compelling arguments, and clever illustrations that explain why you should look at something decidedly differently.

Now he wields that knife on the very knotty “problem” of data ownership.

I passionately agree with Joe (and his Kantara Working Group co-chair Iain Henderson) on this subject; I suspect it’s because my perspective on it was long ago warped by the lens of XDI, which itself is a new way of thinking about data.

Turn the telescope to look at personal data from the standpoint of who controls its  sharing with whom, and many pieces finally come into focus.

Keep that in mind as we move into an XDI-enabled world.

There’s an excellent thread going on among the MyDex team about the accelerating shift towards cloud computing and what this means for the individual. I strongly recommended to them Nicolas Carr’s The Big Switch for a discussion of this very subject.

Arguably, we as individuals need the cloud even more than companies do. On the whole, we have less ability to maintain our own “individual piece of the cloud” than a company does. We have neither the capital, the expertise, nor the ability to persist across major changes (all but the very smallest company can persist when an employee leaves or dies, but when an individual person dies, their world of information disintegrates very quickly).

Google and other cloud-based service providers have recognized this. Given the proper safeguards* (see huge asterisk below), the advantages to individuals maintaining their personal data store of all their personal data assets at one or more cloud service providers are enormous. The latest example: watch the migration taking place from Intuit’s venerable Quicken franchise of desktop personal money management to the cloud-based equivalent at Mint.com.

Mint.com’s advantages are so compelling – all your data is automatically backed up, automatically accessible from any Web-connected device, automatically updated from any of your (supported) financial accounts, automatically able to send you important alerts and reminders – that it makes desktop money management look as antiquated as 5-1/4 inch floppy disks. (Remember, there was a time when 5-1/4 inch floppy disks were manna from heaven.)

If you need any further proof of this paradigm shift, Mint.com was acquired by Intuit last September.

I think we’ve seen only the very start of this paradigm shift of migration of personal data and personal data services to the cloud. And I don’t believe it will be take than a year or two until it becomes the norm. Check back here in January 2012 and let’s see where we are.

*HUGE ASTERISK: I don’t mean for one second to gloss over the topic of the safety (umbrella term for security, privacy, and control) of personal data in the cloud. I spend a good part of my day job as Executive Director of the Information Card Foundation on this topic, and it is the entire premise of emerging VRM service providers like MyDex. It is so deep and rich of a topic that I believe before long it will result in a whole new branch of the law.

According to Facebook founder Mark Zuckerberg, yes. See the video with your own eyes and read the ReadWriteWeb analysis of the interview he did with TechCrunch’s Michael Arrington.

Is the age of privacy really over, or does Mark Zuckerberg just want it to be over?

Myself, I don’t think so. Istead what’s headed for extinction are companies that try to make their money by convincing people they need less privacy.

Watch this space – more coming on this topic coming soon.

I recommend Doc’s new post that explains the essence of what’s behind VRM. It’s a big vision, his, but Doc has a way of framing the future that makes it look inevitable – all that remains is the question of “how close is it in the mirror”?

I’m betting that this object is closer than it appears.

I could spend this entire week doing nothing but reading and posting about good post-holiday reading of recent blog posts. My theory is simple: over the holiday break, people (well, most people – not me this year) have time to take a breather and write down something that’s really been on their minds.

And because they are not rushed, they have time to condense and sharpen their thoughts, and the result is a rash of excellent blog posts.

A wonderful example is Will Norris’ post about identity and identifiers. He speaks from long experience (and he’s worked on several identity protocols, including OpenID and SAML, as part of the Shibboleth project).

Read it and weep (if you have a recyclable OpenID).

(Aside: Although, as Will’s article intimates, XRI architecture solves this problem at the structural level, the implementation of XRI across OpenID 2.0 sites and libraries is currently very uneven. So IMHO realistically a full solution to the recyclable identifier problem with OpenID is still another protocol generation away.)

This entire fall has been intense with work, thus the paucity of posts here. The holidays brings a welcome respite and a chance to catch up with a few key mental threads.

One of them is the growing awareness of the need for what the VRM community calls personal data stores (PDS). The concept is relatively simple: an online store for your own personal data — anything from classic PII (personally identifiable information), such as your identity and contact data, to any other data that you generate or control (files, blog posts, pictures, papers, music, videos, etc.)

Three things have surprised me about PDS:

1. How generally accepted the notion is by almost anyone who spends much time online, even folks well outside the identity community. It’s a relatively intuitive idea as soon as you understand the basic premise that individual people should have their own data source online.
2. How many names have been applied to the same general concept. As I indicated, PDS is only the term applied by the VRM community. The same general concept has been called probably a dozen other names. Here’s an excellent blog post by Mark Dixon that calls it a Personal Identity-Persona Service and a Security Identity Bank Vault.
3. How hard it is to implement. Though there have been several attempts, such as the Mine! Project, nothing has come remotely close to catching on yet.

I have several theses as to why this is so (and yes, the need for a Internet data sharing standard like XDI is high on the list), but I’ll save those for another blog post.

Here, I’ll just conclude with a simple prediction: it’s a threshold problem. Once the first practical solution for PDS starts to take hold, it will catch on and grow just like the first social networks did. The only question is what application will provide that initial traction.

I don’t know why — maybe it’s just the fall weather — but the privacy temperature is changing. We’re in a period of global warming towards privacy as a key component of Internet identity infrastructure. Part of it is my work at the Information Card Foundation on the Open Trust Framework (read this white paper if you haven’t seen it yet). I’ll be blogging more about that soon.

But another sign is this superb post by Bob Blakley on what’s at the heart of privacy and privacy protection. As one of the technologists that’s spent a decade working on technological solutions to privacy, I can’t endorse Bob’s conclusions strongly enough. It’s a social problem, one that technology can only help create the social cues and custodianship to help with.

But read Bob’s post to see how well he frames the problem and what technologists can and can’t do to help.