Given all the intersections between open identity and governments (in particular the US government, but several others are not far behind), it’s about time we had an Internet Identity Workshop in D.C.
Now we do — immediately following Gov 2.0.
See the invitation. Register. Run a session (or two or three). I’ll look for you there.
Spring is around the corner and that means IIW. The next one is May 18-20 in the standard location: the Computer History Museum in Mountain View.
Early registration is particularly important this year – 75 registrations are needed by the end of March to secure the space.
This continues to be, year after year, where Internet identity happens. If you have to pick only one identity event to attend, this is it.
See you there.
I was just telling a colleague in the identity industry that so many meetings are being planned for the Fall IIW, Nov. 10-12 in Mountain View, CA, that I’m not sure that there will be any time for anything else.
And it always what’s NOT planned that makes it so unforgettable.
What can I say? Don’t miss it.
YAF? (“Yet Another Foundation?â€) Some in the identity community have had that reaction to the announcement of the Information Card Foundation (ICF) today at the start of the Burton Catalyst conference in San Diego.
As one of two members of the ICF board who also serve on the OpenID Foundation (OIDF) board (Mike Jones is the other), and also wearing my Identity Commons steward’s hat, let me share some perspective on this.
Last spring I had the pleasure of working with Eve Maler on an IEEE article called the Venn of Identity, based on Johannes Ernst’s original diagram of the three “pillars†of Internet identity development: SAML/ID-WSF, OpenID, and information cards. The paper was an opportunity to compare and contrast the strengths and weaknesses of all three approaches. I could not leave it without the feeling that the ultimate solution—the “TCP/IP of identity†as it is often called—lies somewhere in the overlapping middle.
Exactly where, I’m not sure anyone can say yet. What we can say, to borrow an analogy from OIDF board discussions, is that if you want to climb the Internet’s never-been-summited Mount Identity, it’s best not to ignore any promising route.
(As I write this I have firmly in my mind a picture of the glorious Mt. Rainer, the Northwest icon that anchors the southwestern skyline of Seattle. Though I have never climbed it myself—I hope to someday with my two sons—many of my high-school classmates have, including one friend whose ascent with famed mountainer Willi Unsoeld ended in tragedy when Willi and a student were killed in an avalanche at Cadaver Gap.)
In this decade we have made great progress up that mountain. An early, well-equipped group of explorers have pushed steadily up the SAML couloir. Then a second party banded together to attempt the OpenID ridge. Now a third group is navigating by way of the Information Card snowfields.
The closer we come to the last and steepest slopes—the hardest and most dangerous part of the journey—the greater the chance we can all help each other take the peak (a lesson Willi would have preached in spades). In fact paths of intersection are starting to appear everywhere. OpenID information cards. OpenID login to ID-WSF. SAML SSO with OpenID. Relationship cards.
I’ll sum it up this way: ever since the “i-card†session at the Berkman Identity Mashup in June 2006, I’ve been convinced that identifiers (OpenID) and claims (information cards) are both essential tools for scaling the mountain. And I’ve always felt that assertions (SAML) and identity services (ID-WSF) could not be left behind either.
So while it may appear from a distance like introducing the Information Card Foundation adds another divergent element to an already confusing landscape, I see just the opposite. It fills in a key piece of the trail that will help us connect other routes and advance everyone’s efforts. Until pretty soon (shall I go out on a limb and say the end of the decade?) we’ll break through the last ice shelf and summit the mountain.
And just imagine the view from there.
Nowadays I find myself orienting my entire year around IIW (the Internet Identity Workshop). DO NOT miss it if you want to seriously intersect with the user-centric identity community. This year it will include a follow-on Data Sharing Summit on May 15, illustrating how the focus is slowly moving to the most important capability enabled by UCI.
See ya there.
Ryan Janssen pinged me via my contact page last week to ask if I had time to share the story of how I came to be working on XRI, XDI, OpenID, i-cards, Higgins, and Identity Commons. He reached me this afternoon and we talked for almost two hours. Boy, did it bring back memories. I’m so focused on building out working identity infrastructure and applications based on all these standards and projects that I rarely have a moment to reflect on how many twists and turns (and dollars) its taken to get here. So this was a full-out stroll in the park.
He’s posted an overview and will be writing more as he talks to others who have been pounding away forging this Internet identity layer. Ryan’s really done his homework too — he even included a link at the end to the original XDI white paper that co-chair Geoffrey Strongin and I contributed at the start of the OASIS XDI Technical Committee in early 2004. Wow, did that trip off the old synapses. Most fascinating is seeing the original proposed XDI schema which had just four elements. Four years later, after numerous twists and turns (and by my count 23 intermediate proposals), the XDI RDF model has…four elements (plus the XDI wrapper element). It’s not the same schema (now it’s based on the RDF graph model) — and in fact the preferred serialization is no longer even XML (it’s X3). But it’s uncannily close.
Deju vu all over again…
Identity Commons is a fascinating story — to my knowledge there has never been an “upside-down umbrella” quite like it. Without going into that here (it needs its own post), I encourage anyone interested in IC to check out the quarterly report just published by Chief Evangelist Kaliya Hamlin (aka IdentityWoman).
And that’s just the beginning. Seven new working groups are being voted on right now, and it looks like there is another wave coming right on the heals of that. Clearly the Identity Commons upside-down-umbrella model is filling a real need, and I have high hopes for what this new form of Internet community collaboration can accomplish.
I’ve never been part of a self-organizing community as large or as effective as the Internet Identity Workshop. If you care about the emerging user-centric identity layer for the Internet – or even if you only only care about the applications that are possible on top of that layer (which frankly are a whole lot sexier than the infrastructure), then don’t miss this next one, Dec. 3-5 at the Computer History Museum. I know of more groups pre-planning sessions for this IIW than ever before, including sessions on Higgins 1.0 (due out at the end of the year), new Identity Commons Working Groups, the new XRI Resolution 2.0 specification (note that the final-final link will be available before IIW), and XDI-RDF.
Last week I mentioned the Social Web User’s Bill of Rights that was drafted for the Data Sharing Summit last Friday and Saturday. When it was first posted, it included the phrase, “ownership”, as in “user’s should own their personal data”.
Mary Hodder, the entrepreneur behind Dabble.com, Paul Trevithick, and I were initially wary of using this term for two reasons:
However in a blog post today, Mary said that after conversations at the Data Sharing Summit, and then with others in the industry and Dabble advisors, she became convinced that the spirit of “ownership” is correct, and so she’s endorsing the Bill of Rights and adjusting the Dabble TOS (Terms of Service) to reflect this concept of user ownership of their data.
Good for her. I fully agree that the spirit is right, and so, with the caveats I expressed above, I’m on board too. So is Doc Searls in a post he just made.
Interestingly, the very last session at the Data Sharing Summit (in fact, after the closing circle – that’s how dedicated the attendees were) was on Identity Rights Agreements (IRAs), a Working Group formed at Identity Commons in the spring of 2006. The whole idea of IRAs is that users actually license their data to sites, and that if the IRA Working Group could come up with a small set of easily understood user data licensing provisions, similar (but not identical to) the Creative Commons license suite for digital works, it could usher in a whole new era of increased trust between users and sites.
Victor Grey called the IRAs session because he’s doing XRI-based data sharing projects where he needs IRAs today, and he wants the IRAs Working Group to start publishing even very simple ones just to get the learning started (Creative Commons licenses all went through several revisions too).
The outcome of the session was to jumpstart the work of the IRAs Working Group. Victor has already set up the mailing list. Please do join us if you support this work and want to help.
I believe IRAs have the potential to remove the last social hurdle to standardized user-controlled personal data sharing (XDI removes the last technical hurdles). I intend to be very active on the IRAs Working Group (as badly time-sliced as I am these days) so that we can make user ownership of personal data not just laudable but actionable.
Yesterday the long-simmering process of birthing the second-generation Identity Commons reached a key milestone: the Stewards Council reached consensus on moving forward with formal incorporation (in Florida to save money, since Steward Dan Perry has volunteered to serve as counsel), set a budget, and began the process of soliciting donations so Identity Commons can become a formal organization.
Over seven years in the making (if you include the evolution of the first generation of Identity Commons started by Owen Davis, Andrew Nelson, and Joel Getzendanner), Identity Commons is the perhaps the most intentionally-designed un-organization in history.
Un-organization? That’s really one of the best ways to describe the goal of Identity Commons, which is to serve as what Joel calls an “upside-down umbrella” organization for a set of Working Groups that do all the real work of figuring out a user-centric identity layer for the Internet.
In other words, the real purpose of Identity Commons is to just “hold the space” for the conversations and collaboration necessary to happen to build that layer we all want. We need just enough to make a “there” there — and no more, because it’s in that “more” that all the complications arise. (This notion of serving as “just a container” was originally suggested by Bill Aal, founder of Riseup, who thought Identity Commons could do for the identity layer what IETF did for the physical layer.)
So how much is enough “there” there? So far the consensus of the stewards is that it’s just a Stewards Council, a simple non-profit corporation, a set of wikis and mailing lists, and a Chief Catalyst. (That wonderful role title courtesy of Eugene Kim, who has served as unofficial chief facilitator of the incubation of this second generation Identity Commons.)
From the moment he suggested that role a few weeks ago, the Stewards have had one person in mind: Kaliya Hamlin, the fabulous Identity Woman. Her work in conjunction with Phil Windley and Doc Searls to catalyse the evolution of user-centric Internet identity via the Internet Identity Workshops has been the single biggest factor in the remarkable amount of convergence that’s already happened (and more to come).
So here’s the way I think of the new Identity Commons: it’s a way for all of us to support the work of Kaliya — and the 15+ working groups — to accelerate achieving the goal of making this identity layer real. Because we can’t get there fast enough.
In particular, I would urge you to support Identity Commons, either as an individual or corporate sponsor, because it will mean Kaliya as Chief Catalyst will have a budget to do more travel around the world and hold more events and do everything else she does to bring more people and organizations into the community and into the work.
I just got back from Internet Identity Workshop 2006A (the “A” because a second one is planned later this year). I want to echo the praises others (Phil Windley, Kim Cameron) have heaped on it. In particular, Kaliya was amazing. You want to do an unconference? She’s the one to call. The whole unconference format showed just how effective it can be to let a motivated audience self-organize.
Following are a few highlights from the sessions which I was able to attend (my only complaint was that there were so many I couldn’t attend ’cause there just wasn’t enough time!)
Net net: as Phil Becker summed up in the Digital ID World newsletter (as quoted by Kim):
“…it was, in my opinion, a tremendously significant moment in the evolution of the identity conversation, and one that will have many significant ramifications going forward – though these will likely take another year to become clear to those not paying close attention.”
Paul Madsen makes another very good point about identity rights agreements (hmm, the acronym is going to end up “IRA”):
This work would be really interesting & valuable. Identity agreements and their identifiers could be common across particular identity systems (e.g. Liberty, Shib, OpenID, LID, SXIP, WS-*, etc) and so serve as a key piece of any metasystem that underlies or unites such systems.
Paul also points out (as has Peter Davis to me in an email) that…
Liberty ID-WSF has a container in our protocols for carrying such identifiers (an empty container because, as yet, we have not ourselves defined any policy syntax or identifiers – despite some early work along this route).
I believe it would be ideal for Identity Commons to work with Liberty Alliance and all the Identity Gang participants to define this vital new piece of the identity metasystem. I continue to have the feeling it may just be the fuse on Kim Cameron’s “identity big bang“.
The term “identity rights agreements” was coined by Phil Windley, Doc Searls, and friends in a discussion about identity after OSCON last summer. The full story is in a blog post with that title by Phil.
At the Internet Identity Workshop last October, we held an open space session by that name because a number of Identity Gang folks have been talking about the general concept for several years now. In particular, from an XRI/XDI perspective, identity rights agreements fit perfectly with the concept of data sharing controls embodied in link contracts.
Now the idea is moving from concept to reality. Identity rights agreements are becoming one of the galvanizing forces for a revitalized Identity Commons. One of the reasons is the oft-used analogy that “Identity Commons should be to identity rights what Creative Commons is to copyright”.
I want to take a moment to explain why I believe this analogy may be so profound — and thus why identity rights agreements may become one of the hottest topics in digital identity.
The trigger for these thoughts was Bob Blakely’s post On the Absurdity of Owning One’s Identity, in which he makes an argument why Kim Cameron’s First Law of Identity is, to use another legal term, “unenforceable”. While I think Bob makes a number of strong points in his post (and illustrates them with fascinating, richly researched examples — who says the art of the essay is dead?), I ultimately disagree with his conclusion only because I think he misinterprets the importance of the first word of the First Law:
Technical identity systems must only reveal information identifying a user with the user’s consent.
In other words, although much of what Bob says is true, only it applies to the people and businesses that operate identity systems and collect/disseminate identity data, not to the technical systems themselves, which is what I believe Kim meant the First Law to apply to.
But that’s a different subject. What really struck me about Bob’s essay was the knock-down-brilliant points he makes about the fundamental privacy concept of “consent”. To quote his introduction to this topic:
Consent
Negotiating the terms on which you will disclose self-image information is what Consent is all about.
In many cases there are laws and regulations constraining what an organization can do with information it collects about you in situations like this, but you don’t control the content of those laws and regulations – so you’re not making the rules (and in fact the interests of society and the interests of corporations influence the content of laws and regulations at least as strongly as the interests of individuals).If you want to control your identity based on consent, you have to decide between two approaches:
- Build one set of terms which covers all uses of your information, and let an automated system take care of negotiating your terms and enforcing your rules. In this case, you need to figure out in advance what all the possible scenarios for use of your identity are, and write a policy which covers each scenario.
- Negotiate terms manually each time someone asks for your information. In this case, you need to get notified each time someone tries to use your identity, and make a decision about whether or not to grant consent.
Case 1 clearly isn’t going to work all the time; you can’t know in advance what benefits are going to be offered in exchange for identity information, and you can’t know in advance what risks are going to be created by giving that information out – so no matter what your policy is, there will always be cases it doesn’t handle correctly. This means there will be lots of exceptions to your policy, and when these exceptions arise you’ll have to fall back on case 2.
Case 2 doesn’t really work either. We know because we’ve tried it. Look here, or here, or here, or here for examples of what you’re already being asked to consent to. How well do you understand these terms? How likely are you to take the time to clear up the things you’re not sure about? How likely are you to say “no”?
Bob then goes on to explain that there are three forces behind his assessment of the problems with consent:
The forces at work here are obscurity, coercion, and burdens.
I encourage anyone who’s interested in this topic to read Bob’s arguments in great detail. But the one I want to highlight here is:
Because Identity Allocates Risk, society makes rules to make sure Identity is used fairly. Two typical rules are (1) someone who wants to use your information has to tell you what it will be used for (”notice”), and (2) someone who wants to use your information in a way that might create risks for you has to get your permission (”consent”). You have to pay close attention here: the rules don’t say that businesses and other parties can’t create risks for you – all the rules say is that other parties have to tell you when they create risks for you, and they have to get you to agree to the creation of the risks.
These rules create obscurity, because in business, the language of risk is law. The bank makes lots of loans, and therefore it is exposed to lots of risk. Because it’s exposed to lots of risk, the bank is willing to spend some money to protect itself against that risk. It spends that money on people who speak the language of risk – lawyers – and those lawyers write consent agreements that let the business do what it needs to do profitably (in this case, it needs to create risks for you by using your identity information) without breaking the rules.
You probably aren’t a lawyer, so the language in which consent agreements are written is foreign, and confusing, to you. On the other hand, you don’t value your privacy enough to hire your own lawyer each time you encounter a consent disclosure – so you end up doing something (reading a complicated legal agreement which allocates risks between you and the corporation) which you’re not really qualified to do, and it’s confusing and frustrating (Don Davis calls this kind of situation a “compliance defect“).
Bingo! Now, if you haven’t done so already, go here right now and read Phil’s very simple and intuitive description of the purpose of an identity rights agreement.
The two fit together like hand and glove. What identity rights agreements could solve — possibly in a very short period of time — is the problem Bob has labelled obscurity. By establishing a small number of very well-known identity rights agreements — and giving them very simple and highly recognizable visual icons that don’t require a user to read A SINGLE WORD — the use of “obscurity” as a tool to all-but-eliminate the value of consent disappears.
Why could identity rights agreements catch on so quickly? For the simple reason that sites who want to give users the real power of consent will start to advertise that fact by posting identity rights agreement icons right on the Web form where they collect personal data. Just as millions of Internet users were first exposed to Creative Commons licenses by seeing the icon for a CC license posted on a blog or Web page they were reading, they will be exposed to Identity Commons identity rights agreements icons on Web forms. One click through to see what they mean and I predict the reaction will be, “Wonderful! I hated those indecipherable legal agreements anyway. I’m going to support sites that use these icons to let me know they are being straight with me about the use of my personal data.”
And suddenly sites become motivated to choose this simpler and more user-friendly form of consent — possibly leading to one of those rare but real “virtuous cycles” (to use a term I first learned from Bill Washburn) that can infect an entire ecosystem.
That’s why — despite my current 150%-of-my-time focus on establishing fully operational XRI infrastructure — I plan to invest time in supporting the creation of the first operational set of identity rights agreements at the revitalized Identity Commons. I’m challenging the rest of the current and new Identity Commons supporters to do the same — I want us to present the first draft set at the next Internet Identity Workshop in May.
See the Internet Identity Workshop wiki for info about a morning meeting for developers to be held at Cafe Won Ton in the Fulsom neighborhood of S.F. next Monday, 2005/12/12, before the Syndicate conference. It’ll be a great chance to see how new identity technologies — XRI/i-names, OpenID, LID, SXIP, YADIS, Yoke – fit together to start offering real, interoperable user-centric identity solutions to requirements Web developers face every time they have to build a new site.
Johannes Ernst posts a summary of the YADIS meeting held in San Fransisco last week (which I couldn’t attend in person but dialed in for). It was one of those classic situations where the common need to interoperate overcame the individual need for any one particular feature/flow. I am very hopeful for the outcome, which should be manifested in the form of a new YADIS draft from editor Joaqun Miller within the next week.
With this draft, YADIS will become the common capability discovery protocol for i-names, LID, and OpenID. That’s exciting.
Jaco Aizenman, an XDI.ORG trustee, has helped found the Virtual Rights Institute (VRI). As he writes me:
VRI is inviting everyone that wants a metasystem become a reality in a way that the individual is empowered. “Everyone” includes people from different protocols, technology providers, legislators, service providers, researchers, legal people, activist, media representatives, etc.
Jaco, who’s based in Costa Rica, is one of the visionaries plowing the ground to connect digital identity with real-world legal identity and governance. His work is even more fascinating because he also bridges a linguistic gap – he works extensively with Costa Rican legislative documents about digital identity in Spanish (his native language) and then translates the key concepts into English to help the Identity Gang, XDI.ORG, and others understand the key concepts (which, for an Internet-wide identity metasystem, must by definition be universal.)
For example, in Spanish the concept of “digital identity” most closely translates into the concept of having a “virtual personality”. So, as Jaco enumerates the VRI goals:
Virtual Rights Institute Goals:
- Research and promote technical and legal developments related to digital identity/virtual personality that give more power and control to the individual.
- Foster international cooperation on the new fundamental right of having a virtual personality, through high quality dialogue and deliberation between legislators, researchers and service and technology providers.
- Foster international cooperation on the development of the new virtual personality legal entity through high quality dialogue and deliberation between legislators, researchers, technology vendors, and service providers.
Of particular interest is the new Costa Rican constitutional amendment to have a new fundamental right of “having or not having a virtual personality”. Here’s a link to the full Spanish version, and (also in Spanish) details of the virtual personality legal entity.
The first VRI activity with be a symposium November 17 and 18 in Costa Rica. Jaco and other VRI founders are inviting legislators, digital identity specialists, researchers, and service providers from all over the world. I don’t know if I’ll be able to make it in person but I’m sure going to try (you can also participate virtually.)
Owen Davis, co-founder and president of Identity Commons, has switched his blog from http://blog.whatbox.biz to the new Identity Commons community blog at http://news.idcommons.net.
But the bigger news is that: this is one of the first i-name enabled blogs, i.e., it accepts an i-name for both site registration and comment authentication. Try it out – just click the comment link on any article.
Whew! You go away for a few weeks and its amazing how much happens. I just got caught up with Marc Canter’s GoingOn Network announcement and the fact that he’ll be using XRI/XDI (along with SXIP, OpenID, and Microsoft’s proposed Identity Metasystem) for identity interoperability.
The vision of distributed service providers powering interoperable identity-centric services (”i-brokers” in XRI/XDI parlance) for individuals, businesses, and communities gets closer every day.
Just back from the longest vacation of my modern working life, and just in time for good news: Phil Windley has announced an Internet Identity Workshop organized by himself, Doc Searls, Kaliya Hamlin, and myself. It grew out of the “Identity Gang” conversations about grassroots identity that started at Digital ID World 2004 and have evolved rapidly because, as Phil puts it:
Providing identity services between people, websites, and organizations that may or may not have any kind of formalized relationship is a different problem than providing authentication and authorization services within a single organization. Many have argued that the lack of a credible identity infrastructure will eventually result in the Internet being so overrun with fraud as to make it useless for many interesting uses.
As Phil points out in the workshop proposal, the goal is to advance the many threads of the Identity Gang conversations towards consensus about both architecture and governance that will work at Internet scale. The first day will be papers/proposals and the second will be focused discussions on the outstanding issues.
Since a large part of my work with the OASIS XRI and XDI technical committees revolves around helping understand where these fit into both Internet and enterprise identity infrastructure, I look forward to these conversations immensely.
Kim Cameron published a great synopsis of a WSJ summary of a recent Gartner Group study that shows quantitatively how much the explosing of phishing, pharming, and spamming is affecting everyday user behaviour.
In short, the problem of steadily degrading electronic trust is forcing us to solve it just as we had to solve the problems of pirates in the open seas or outlaws in the Wild West.
As Phil Windley puts it in citing Kim’s post:
In short, the lack of a credible identity infrastructure for the Internet, threatens to arrest progress in electronic transactions and could very well ruin the net for anything of any sophistication. Even blogging is under attack. I’ve been getting hammered today with comment and trackback spam. Ugh!
Ugh, indeed. Time for this infrastructure we’ve been building to see the light of day.
