Equals Drummond

When the Information Card Foundation (ICF) and OpenID Foundation (OIDF) launched the Open Identity Exchange (OIX) at RSA on March 2, I temporarily added the hat of OIX Executive Director. ICF agreed to loan me half time to OIX to work through the startup stages of establishing the industry’s first open trust framework platform provider. For its part, OIDF contributed the time of OIDF Executive Director Don Thibeau to serve as OIX President and board chair, and it has been a tremendous pleasure working with Don, OIX counsel Scott David, and Global Inventures program manager John Ehrig to lay the foundation for OIX.

Now, with the announcement at last month’s Burton Catalyst conference that AT&T has joined OIX, that several new OIX Working Groups are starting up, and that OIX and Kantara have begun collaborating on trust framework infrastructure, the startup phase of OIX is over, and I can finally take off the OIX ED hat.

This does not mean I will be any less involved with OIX, however. On the contrary, as I have been blogging throughout this year, the need for a particular trust framework—one governing data exchange with personal data stores (PDX)—is becoming acute. That need also intersects directly with the work I’ve been doing on the XDI data sharing protocol at OASIS since 2004.

So as fast as I’m taking off the OIX ED hat, I’m preparing to take on another one spearheading the development of a PDX trust framework at OIX. This will be one of the key topics both at the VRM+CRM conference in Boston this coming Thursday and Friday, and also at the Internet Identity Workshop East on September 9 and 10 in D.C. following Gov 2.0.

If you are attending either event and want to know more about PDX and the PDX trust framework, please come to the open space sessions we’ll be holding.

I’m biased but I think this post is one of Doc Searl’s best about VRM and what’s going to compel it forwards. It’s about the July 31 Wall Street Journal article about behavioral tracking on the net.

He’s been preaching that a paradigm change is coming and he’s dead right (hint: see PDS). That’s why I’m travelling all the way to Boston for the VRM+CRM conference Aug 26/27 in Boston. This despite my standing rule of NO CONFERENCES IN AUGUST. (Damn fool Americans need to learn from the Europeans about how to enjoy life, especially summer, especially in Seattle.)

But I’m making an exception this year (and also for the Privacy Identity Innovation 2010 conference, which is easy because it’s in Seattle) because this paradigm shift is so important.

And because it’s one of the key breakthroughs that user-centric identity has been developed to enable.

My primary involvement as a member of the board of the Data Portability Project has been input about XDI as an open standard for portable data. But I’ve always been very enthusiastic about DP’s work on Portability Policies. The DP Project just announced their first Portability Policy deliverable via this blog post on TechCrunch.

On the DP Project board call this morning I shared the view that Portability Policies are an inevitable first step — and a highly welcome one — towards widespread adoption of personal data stores (see my posts earlier this year about PDS here and here). When PDS finally arrive, the irony is that the policy will turn in the other direction, i.e., the individual will have their own data sharing terms and the vendor will be agreeing to those. That’s the essence of VRM.

Iain Henderson of VRM pioneer Mydex is already working on the terms for such an agreement at the Information Sharing Working Group at Kantara.

Bit by bit, the age of personal data stores and personally-controlled data sharing is dawning.

There’s an excellent thread going on among the MyDex team about the accelerating shift towards cloud computing and what this means for the individual. I strongly recommended to them Nicolas Carr’s The Big Switch for a discussion of this very subject.

Arguably, we as individuals need the cloud even more than companies do. On the whole, we have less ability to maintain our own “individual piece of the cloud” than a company does. We have neither the capital, the expertise, nor the ability to persist across major changes (all but the very smallest company can persist when an employee leaves or dies, but when an individual person dies, their world of information disintegrates very quickly).

Google and other cloud-based service providers have recognized this. Given the proper safeguards* (see huge asterisk below), the advantages to individuals maintaining their personal data store of all their personal data assets at one or more cloud service providers are enormous. The latest example: watch the migration taking place from Intuit’s venerable Quicken franchise of desktop personal money management to the cloud-based equivalent at Mint.com.

Mint.com’s advantages are so compelling – all your data is automatically backed up, automatically accessible from any Web-connected device, automatically updated from any of your (supported) financial accounts, automatically able to send you important alerts and reminders – that it makes desktop money management look as antiquated as 5-1/4 inch floppy disks. (Remember, there was a time when 5-1/4 inch floppy disks were manna from heaven.)

If you need any further proof of this paradigm shift, Mint.com was acquired by Intuit last September.

I think we’ve seen only the very start of this paradigm shift of migration of personal data and personal data services to the cloud. And I don’t believe it will be take than a year or two until it becomes the norm. Check back here in January 2012 and let’s see where we are.

*HUGE ASTERISK: I don’t mean for one second to gloss over the topic of the safety (umbrella term for security, privacy, and control) of personal data in the cloud. I spend a good part of my day job as Executive Director of the Information Card Foundation on this topic, and it is the entire premise of emerging VRM service providers like MyDex. It is so deep and rich of a topic that I believe before long it will result in a whole new branch of the law.

I recommend Doc’s new post that explains the essence of what’s behind VRM. It’s a big vision, his, but Doc has a way of framing the future that makes it look inevitable – all that remains is the question of “how close is it in the mirror”?

I’m betting that this object is closer than it appears.

This entire fall has been intense with work, thus the paucity of posts here. The holidays brings a welcome respite and a chance to catch up with a few key mental threads.

One of them is the growing awareness of the need for what the VRM community calls personal data stores (PDS). The concept is relatively simple: an online store for your own personal data — anything from classic PII (personally identifiable information), such as your identity and contact data, to any other data that you generate or control (files, blog posts, pictures, papers, music, videos, etc.)

Three things have surprised me about PDS:

1. How generally accepted the notion is by almost anyone who spends much time online, even folks well outside the identity community. It’s a relatively intuitive idea as soon as you understand the basic premise that individual people should have their own data source online.
2. How many names have been applied to the same general concept. As I indicated, PDS is only the term applied by the VRM community. The same general concept has been called probably a dozen other names. Here’s an excellent blog post by Mark Dixon that calls it a Personal Identity-Persona Service and a Security Identity Bank Vault.
3. How hard it is to implement. Though there have been several attempts, such as the Mine! Project, nothing has come remotely close to catching on yet.

I have several theses as to why this is so (and yes, the need for a Internet data sharing standard like XDI is high on the list), but I’ll save those for another blog post.

Here, I’ll just conclude with a simple prediction: it’s a threshold problem. Once the first practical solution for PDS starts to take hold, it will catch on and grow just like the first social networks did. The only question is what application will provide that initial traction.

At the Glue Conference this week I’m enjoying a great set of speakers lined up by Eric Norlin on the topic of how everything in the networked universe gets glued together using Web 2.0 tools and beyond. (The talk Mitch Kapor gave this morning was worth the trip all by itself.)

In a few minutes I’ll be on a panel called Implementing the Open Web. In chatting with Lloyd Hilaiel of Yahoo, Kevin Mullins of MIT, and Phil Windley of Kynetx about this topic last night, we hit on one key point that Phil articulated this way: “People tend to conflate ‘open’ with ‘public domain’, i.e.,  that anything that qualifies as open must be freely available to all.”

It struck me how true this is. It reminds me of the Richard Stallman quote describing open source (cited in the Wikipedia Gratis versus Libre article): “Think free as in free speech, not free beer.”

In terms of data on the Open Web, what this means that even though a particular pool of data may be available via an open standard, publicly-accessible interface, it does NOT mean this data must be publicly available to anyone. If that were true, the whole concept of a personal data store — a key premise of VRM (Vendor Relationship Management) — would not be possible.

So what makes any system or node participating in the Web “open” is not that its data is public, but that the metadata and services for accessing it are available via a publicly discoverable, open-standard interface. The public discovery portion of this is the goal of the XRD work now underway at the XRI Technical Committee at OASIS (based on the original XRDS work – see this blog post by Eran Hammer-Lahav of Yahoo to understand the differences). The open standard portion is the output of IETF, W3C, OASIS, and all the other SSOs (standards-setting organizations) for the net. (The potential of the Open Web Foundation, once it finishes its bootstrap stage, is to make this process of creating open standards even more lightweight and distributed.)

This combination – open discovery of open interfaces accessible over open protocols – is the DNA of the Open Web. And it applies equally to both public and private data. In fact it can finally open up what might be called the Permissioned Web - the Web of all all data that any one party has permission from other parties to access.

That would lead us to the need for integrating identity and permissions with the data, which brings us to the motivations for XDI as a semantic data sharing format/protocol – but my panel is about to start so that will have to be another post.

More about the long quiet spell soon. First I must post about a trip I made last week to spend the day with Phil Windley, his partner Stephen Fulling, and the inimitable Craig Burton down in Salt Lake City.

What Phil and company are doing at Kynetx is earthshaking. There’s not much info on the website yet, but last week Phil posted a white paper The Advent of Next Generation Browsing that introduces the whole concept of structured browsing. I won’t even bother to try to explain it here; just get the paper and read it. Then read another one of Joe Andrieu’s exceedingly cogent essays with his impressions, criticisms, and suggestions about the Kynetx vision of structured browsing and how it fits with Joe’s work on search maps. Also read Phil’s reply to Joe.

The rules language Phil wrote (KRL – Kynetx Rules Language) is at the heart of their solution for structured browsing. I am a huge fan of what rules languages can do with structured identifiers and structured information. That’s what I was down in Salt Lake talking with Phil, Stephen, and Craig about. Phil followed it up with a great post, First Class Namespaces in Programming Languages, that sums up how XRI and XDI might fit with KRL.

Did I say earthshaking? Watch out when this quake breaks loose.

I’m going to start referring to her as the Venn Queen. Eve Maler has done another Venn diagram, this time to show the relationship of whole areas of the “user-centric” sphere of activities. Going into Digital ID World next week, I’ll use this to help orient conversations around why there needs to be a simple, consistent way for users to control and manage identity and data sharing relationships no matter what site, application, or type of relationship is involved. We just need to build it! (hint: OpenID + relationship cards + XDI =

Phil Windley has an uncanny ability to size up new technologies in a single bound. Read his take on relationship providers and how far they can go beyond the role of “identity providers” (a term I have never liked since the moment I first heard it six years ago).

As he concludes:

I’m still trying to understand all the details, but convinced of the necessity of this kind of thing. My work on reputation (PDF) was a start at understanding how trust relationships can be created online. I’ll be writing more about this as I understand it more over the coming weeks.

I can hardly wait to read his further thoughts. Relationship is the pot of real gold at the end of the identity rainbow.

Joe Andrieu nails another super post (where DOES he find the time to write/draw all of these???), this time about what it means for a platform to really be open.

My favorite part is that he doesn’t just do it in words — he does it in pictures, deliciously simple and understandable graphics that make it really clear what he means by “open platform”. In short, it’s the protocol, stupid!

Or as Joe puts it:

Level 4 platforms allow developers to build applications anywhere–on a website, on your desktop, even on your cell phone–and those applications can talk to any number of platform providers without restriction, using standard open protocols. Many of us have heard of the most successful protocols: SMTP, POP, HTTP, HTML, TCP/IP, RSS, but most users know these by the applications they enable: email, the World Wide Web, the Internet, blogs.

It’s the perfect message before the VRM Workshop starting tomorrow, and of course it’s exactly what we’re driving towards with XDI. One day I hope Joe can say the same thing about XDI – most users will never have heard of it or the dataweb model of data sharing, but they’ll know the application – VRM!

Doc Searls has done a very succinct post on the Principles of VRM in preparation for the VRM Workshop next week in Boston. You can’t read it and not see how closely VRM is related to r-cards (relationship cards) and XDI. I’m so excited to actually start bringing this to market this year that sometimes I want to drop everything else (standards calls, conferences, email, expense reports, EVERYTHING) and just work on that ’till its out the door.

Like the Web itself, the Web of Relationships — the whole Web becoming a social network — will change the world in ways we can hardly begin to imagine.

So much for the naive thought that I’ have time at the Burton Catalyst conference last week to finally blog about two subjects near and dear to my heart that I knew would be covered at the conference. It backfired because they were too topical — all available time was consumed by related conversations.

I did manage two posts about the first one — launch of the Information Card Foundation — about which there will be much more to say in the coming months.

But the other one — relationship cards — is long overdue. I first promised to blog more about r-cards after both doing a demo and hearing Bob Blakley’s fantastic talk on The Relationship Layer at Spring IIW in May. Then Joe Andrieu and Eve Maler both posted about them and asked me to add more details. Then I fell into an abyss of work (actually building this stuff) from which I have yet to climb out.

But Bob’s new talk on The Relationship Layer at Catalyst last week, followed by Eve’s talk on The Care and Feeding of Online Relationships, plus the upcoming VRM (Vendor Relationship Management) Workshop at the Harvard Berkman Project on July 14-15, compels me to finally post about why I believe r-cards may be what finally pushes Internet identity across the chasm.

—-

First: what is a relationship card (”r-card”)? At the most general, the definition I would offer is:  “a digital object instantiating a mutually authorized data sharing relationship between two or more parties on a network”. The abstraction is intentional: the generic concept of an r-card, like the generic concept of a folder, a link, or a network, can take different forms in different implementations.

To take a step more towards the concrete, the concept of an r-card was conceived at the Higgins Project as a new kind of information card (i-card). For their part, i-cards were first conceived by Kim Cameron and team at Microsoft, where they have been promoted as a key element of Microsoft’s vision of an identity metasystem. These memes subsequently took hold at Higgins, among other places, where the concept of an i-card was generalized to the definition that currently appears on Wikipedia:

An i-card is a rectangular icon displayed in the user interface of an identity selector (sometimes also called an identity agent) that represents a digital identity–a set of claims about some entity (typically a person, but it could also be an organization, application, service, digital object, etc.).

The i-card metaphor is based on familiar physical identity credentials like business cards, credit cards, library cards, association cards, driver’s licenses, badges, etc. However, just as computer file folders are similar to but more powerful than real-world file folders, i-cards are similar to but more powerful than real-world identification cards. The i-card metaphor is identical to the information card metaphor used in numerous identity selectors.

So what distinguishes an r-card from a plain-vanilla i-card? The capability to instantiate an ongoing data sharing relationship. In other words, a standard i-card invokes a one-time exchange of a set of digital claims using a security token. An r-card, by contrast, exchanges a set of claims and associated policies that enables both parties to continue to share other information over time, e.g.:

• Updates to the initial values of the claims
• New claims
• Permissions and controls over communications via other channels
• Changes to the r-card itself

A simple analogy would be: a standard i-card is like showing your driver’s license to a bartender to prove you are of age: you use it once and put it away. An r-card is much more like giving a business card to an associate or a customer: it is an invitation for an ongoing relationship via the address(es) and other information shared on the card.

—-

But while instantiating a private data sharing channel by exchanging a digital object is cool — sort of like RSS on steriods — for some reason that aspect alone doesn’t capture the real power of r-cards. Case in point: after a live participatory enactment of how r-cards work with audience members during the first day of IIW in May (all based on business cards, scissors, and string — no computers involved), several audience members came up to me and said, “Why didn’t you show this years ago? Anyone can understand the value of r-cards. They are the most compelling use case we’ve ever heard for all this Internet identity stuff.”

After that experience, even I was trying to grok what it was that made r-cards so intuitive and attractive. I was having trouble putting it into words until I was listening to Bob Blakley’s talk on The Relationship Layer again at Catalyst last Wednesday morning. At the midway point, he put up an “intermission” slide with five bullets summarizing the first half of his talk. Two of them hit me like they were shot out of a gun:

Relationship is the context which protects the security and the privacy of identity information.

Identities are built in the context of relationships.

This Copernican revolution Bob was proposing — that relationship is really the sun around which identities orbit — suddenly made me look at r-cards in a new way. It wasn’t just that r-cards enabled bidirectional data sharing. It was that r-cards create the context for a relationship. And by doing so, they call forth all social dynamics of real world relationships that are often missing on the Web today. Dynamics like:

“I am more inclined to trust you because we both know if you break that trust, I can terminate the relationship.”

“Of course you wouldn’t share our private shared information outside our relationship — friends always respect each other’s privacy.”

“Each of us shares information in proportion to the value it brings to the relationship — both of us are incented to build that value.”

That’s why people find r-cards so intuitive — they are a way of creating and managing the same balanced, mutually-controlled, give-and-take between two parties over a network that we have in the real world relationships we manage every day. And they can apply to any form of relationship — person-to-person, person-to-community, person-to-employer, person-to-vendor, etc.

—-

Okay, okay, at this point I know all the geeks are screaming “enough with the soft stuff — where’’s the technical beef??” I don’t want to duck that question, because as I’ve told Joe Andrieu, chair of the VRM Standards group, I’m knee-deep in it every day. But with the limited time I have left for this post, I can only give the high-level recipe we are currently putting to the oven test at Parity and the Higgins Project:

• Take a conventional i-card as currently defined by the Microsoft ISIP documents (which can’t get into an SDO fast enough).
• Add an OpenID — or to be precise, an identifier on which you can do XRDS discovery to locate a data sharing endpoint. In Higgins we call this form of identifier a UDI (Universal Data Identifier).
• When the r-card recipient receives the r-card, use the UDI to perform XRDS discovery of an Internet data sharing protocol supported by both parties.
• Intiatite data sharing via the selected protocol, using the UDI and other supporting claims on the r-card as necessary.

Of course readers of this blog know what data sharing protocol I have in mind: XDI — specifically the XDI RDF model. It’s particularly well-suited to r-cards because XDI link contracts provide a portable, machine-readable description of the mutually-agreed data sharing controls. But it’s important to clarify that any data sharing protocol supported by both parties will work. As an example, Asa Hardcastle showed a wonderful demo of OpenID-enabled Liberty ID-WSF at Spring IIW, and we are deep in conversations about how UDI discovery for ID-WSF endpoints can work. OpenID Attribute Exchange is another option because any OpenID identifier can already support XRDS service discovery.

—-

I know that’s only the tip of the iceburg, but this is a huge topic that I’ll be posting about for months. For example, in Bob’s talk he showed a relationship schema that he, Lori Rowland, and their colleagues at Burton group have already started to develop. I eagerly anticipate working with them to map that to XDI link contracts to make sure we have all the bases covered.

And I’d like to find time to start posting some example r-card XDI messages using super-simple X3 format to illustrate common use cases like the VRM personal address manager.

But right now I’m going to work on maintaining a particularly important relationship — with my wife — by getting to bed!

If you haven’t heard of VRM (Vendor Relationship Management) yet, you will soon. Not that it will be an overnight phenomena – that’s one of the points Joe Andrieu makes in his mini-FAQ about VRM. But read Joe’s post to see why in many ways the emergence of VRM is as inevitable — due to the steady evolution of Internet identity and data sharing technology — as the emergence of CRM systems was in the 90’s — due to the steady evolution of database technology.

Ryan Janssen has posted another interview in his series on digital identity, and I daresay that if you’ve ever met Doc Searls, you can just feel his energy and passion about VRM coming through in this writeup. Highly recommended reading. Doc has been right about many things, and ultimately I think VRM is going to be one of the most important.

Joe Andrieu, one of the leaders of the VRM (Vendor Relationship Management) community, has posted a good initial assessment of Microsoft’s first foray (post-Passport) of storing personal data for consumers via their Health Care Record initiative. It’s well worth reading his assessment of how this really legitimizes the market for “personal data stores”.

Since that’s one of the primary use cases for which XDI is being developed as a protocol and Higgins is being developed as an open source projects, there will be much more to say about this in the coming months.

Joe Andrieu, one of the pioneers of the VRM movement, wrote an inspired blog post on how not just VRM, but user-centric identity as a whole, can enable a radical rethinking of how systems integration can work. If you put the user at the center of the system not just from a “control” standpoint, but from a data integration standpoint, all kinds of new possibilities arise.

What’s really eye-opening about his post is the way he puts it in the context of Einsteinian relativism and an AI concept called “stigmergy”.

You have to read it. In his conclusion, Joe notes:

Sure, there is still a lot of work yet to be done. We have to figure out the protocols and technologies for what data vendors actually share in that data-store and how we assure reliable, always-on access in a secure and privacy-protected manner. Fortunately, as I mentioned earlier, the user-centric Identity meta-system is addressing a huge portion of that.

If ever there was a clarion-call for XDI as a protocol for doing exactly what Joe envisions, this is it.

Many of us in Internet identity like to joke about how we all work for Doc Searls, since he’s the one who initiated the Identity Gang and the whole current movement towards user-centric identity. But we may all seriously end up working for Doc in the new industry he’s setting out to create: VRM (Vendor Relationship Management). You can get a feel for it from the VRM wiki at Harvard’s Berkman Center, and there’s already a serious set of bloggers explaining how it will be the next big thing.

All I can say is: VROOOM! We can’t get to the starting line fast enough. As powerful as you think this idea might be, wait until the rubber meets the road and VRM services and solutions start hitting the market. It’s going be a tangible example of what Kim Cameron calls the “identity Big Bang”.
Like the Cluetrain Manifesto, I don’t think anything short of crawling inside Doc’s brain can really explain how much VRM will change marketing and CRM as we know it. But I plan to do everything I can to help, and with luck that will be plenty, because this is EXACTLY the kind of application for which XRI/XDI infrastructure was conceived.

I’ve added VRM as a category to my blog, and plan to attend Doc’s VRM development workshop before his Mobile Identity unconference at the end of January, so watch for more stories on it as the New Year unfolds.