Equals Drummond

When the Information Card Foundation (ICF) and OpenID Foundation (OIDF) launched the Open Identity Exchange (OIX) at RSA on March 2, I temporarily added the hat of OIX Executive Director. ICF agreed to loan me half time to OIX to work through the startup stages of establishing the industry’s first open trust framework platform provider. For its part, OIDF contributed the time of OIDF Executive Director Don Thibeau to serve as OIX President and board chair, and it has been a tremendous pleasure working with Don, OIX counsel Scott David, and Global Inventures program manager John Ehrig to lay the foundation for OIX.

Now, with the announcement at last month’s Burton Catalyst conference that AT&T has joined OIX, that several new OIX Working Groups are starting up, and that OIX and Kantara have begun collaborating on trust framework infrastructure, the startup phase of OIX is over, and I can finally take off the OIX ED hat.

This does not mean I will be any less involved with OIX, however. On the contrary, as I have been blogging throughout this year, the need for a particular trust framework—one governing data exchange with personal data stores (PDX)—is becoming acute. That need also intersects directly with the work I’ve been doing on the XDI data sharing protocol at OASIS since 2004.

So as fast as I’m taking off the OIX ED hat, I’m preparing to take on another one spearheading the development of a PDX trust framework at OIX. This will be one of the key topics both at the VRM+CRM conference in Boston this coming Thursday and Friday, and also at the Internet Identity Workshop East on September 9 and 10 in D.C. following Gov 2.0.

If you are attending either event and want to know more about PDX and the PDX trust framework, please come to the open space sessions we’ll be holding.

I’m biased but I think this post is one of Doc Searl’s best about VRM and what’s going to compel it forwards. It’s about the July 31 Wall Street Journal article about behavioral tracking on the net.

He’s been preaching that a paradigm change is coming and he’s dead right (hint: see PDS). That’s why I’m travelling all the way to Boston for the VRM+CRM conference Aug 26/27 in Boston. This despite my standing rule of NO CONFERENCES IN AUGUST. (Damn fool Americans need to learn from the Europeans about how to enjoy life, especially summer, especially in Seattle.)

But I’m making an exception this year (and also for the Privacy Identity Innovation 2010 conference, which is easy because it’s in Seattle) because this paradigm shift is so important.

And because it’s one of the key breakthroughs that user-centric identity has been developed to enable.

My primary involvement as a member of the board of the Data Portability Project has been input about XDI as an open standard for portable data. But I’ve always been very enthusiastic about DP’s work on Portability Policies. The DP Project just announced their first Portability Policy deliverable via this blog post on TechCrunch.

On the DP Project board call this morning I shared the view that Portability Policies are an inevitable first step — and a highly welcome one — towards widespread adoption of personal data stores (see my posts earlier this year about PDS here and here). When PDS finally arrive, the irony is that the policy will turn in the other direction, i.e., the individual will have their own data sharing terms and the vendor will be agreeing to those. That’s the essence of VRM.

Iain Henderson of VRM pioneer Mydex is already working on the terms for such an agreement at the Information Sharing Working Group at Kantara.

Bit by bit, the age of personal data stores and personally-controlled data sharing is dawning.

Remember that year-end blog post about how personal data stores (PDS) are closer than they may appear? Now read Phil Windley’s wonderful summary of why it makes so much sense to create a PDX (not really an acronym for “personal data exchange” so much as just a moniker for a global internetwork of PDS).

It’s happening. Look for more news about it by Internet Identity Workshop (May 17-19 in Mountain View, CA). As if you didn’t have enough great reasons to go already.

Joe Andrieu has a wonderful way of cutting the Gordian knot on complex socio-technical topics, with clear prose, compelling arguments, and clever illustrations that explain why you should look at something decidedly differently.

Now he wields that knife on the very knotty “problem” of data ownership.

I passionately agree with Joe (and his Kantara Working Group co-chair Iain Henderson) on this subject; I suspect it’s because my perspective on it was long ago warped by the lens of XDI, which itself is a new way of thinking about data.

Turn the telescope to look at personal data from the standpoint of who controls its  sharing with whom, and many pieces finally come into focus.

Keep that in mind as we move into an XDI-enabled world.

There’s an excellent thread going on among the MyDex team about the accelerating shift towards cloud computing and what this means for the individual. I strongly recommended to them Nicolas Carr’s The Big Switch for a discussion of this very subject.

Arguably, we as individuals need the cloud even more than companies do. On the whole, we have less ability to maintain our own “individual piece of the cloud” than a company does. We have neither the capital, the expertise, nor the ability to persist across major changes (all but the very smallest company can persist when an employee leaves or dies, but when an individual person dies, their world of information disintegrates very quickly).

Google and other cloud-based service providers have recognized this. Given the proper safeguards* (see huge asterisk below), the advantages to individuals maintaining their personal data store of all their personal data assets at one or more cloud service providers are enormous. The latest example: watch the migration taking place from Intuit’s venerable Quicken franchise of desktop personal money management to the cloud-based equivalent at Mint.com.

Mint.com’s advantages are so compelling – all your data is automatically backed up, automatically accessible from any Web-connected device, automatically updated from any of your (supported) financial accounts, automatically able to send you important alerts and reminders – that it makes desktop money management look as antiquated as 5-1/4 inch floppy disks. (Remember, there was a time when 5-1/4 inch floppy disks were manna from heaven.)

If you need any further proof of this paradigm shift, Mint.com was acquired by Intuit last September.

I think we’ve seen only the very start of this paradigm shift of migration of personal data and personal data services to the cloud. And I don’t believe it will be take than a year or two until it becomes the norm. Check back here in January 2012 and let’s see where we are.

*HUGE ASTERISK: I don’t mean for one second to gloss over the topic of the safety (umbrella term for security, privacy, and control) of personal data in the cloud. I spend a good part of my day job as Executive Director of the Information Card Foundation on this topic, and it is the entire premise of emerging VRM service providers like MyDex. It is so deep and rich of a topic that I believe before long it will result in a whole new branch of the law.

I recommend Doc’s new post that explains the essence of what’s behind VRM. It’s a big vision, his, but Doc has a way of framing the future that makes it look inevitable – all that remains is the question of “how close is it in the mirror”?

I’m betting that this object is closer than it appears.

This entire fall has been intense with work, thus the paucity of posts here. The holidays brings a welcome respite and a chance to catch up with a few key mental threads.

One of them is the growing awareness of the need for what the VRM community calls personal data stores (PDS). The concept is relatively simple: an online store for your own personal data — anything from classic PII (personally identifiable information), such as your identity and contact data, to any other data that you generate or control (files, blog posts, pictures, papers, music, videos, etc.)

Three things have surprised me about PDS:

1. How generally accepted the notion is by almost anyone who spends much time online, even folks well outside the identity community. It’s a relatively intuitive idea as soon as you understand the basic premise that individual people should have their own data source online.
2. How many names have been applied to the same general concept. As I indicated, PDS is only the term applied by the VRM community. The same general concept has been called probably a dozen other names. Here’s an excellent blog post by Mark Dixon that calls it a Personal Identity-Persona Service and a Security Identity Bank Vault.
3. How hard it is to implement. Though there have been several attempts, such as the Mine! Project, nothing has come remotely close to catching on yet.

I have several theses as to why this is so (and yes, the need for a Internet data sharing standard like XDI is high on the list), but I’ll save those for another blog post.

Here, I’ll just conclude with a simple prediction: it’s a threshold problem. Once the first practical solution for PDS starts to take hold, it will catch on and grow just like the first social networks did. The only question is what application will provide that initial traction.