Wednesday, August 10, 2011

Identity, Society, and Politics

I was reading Paul Hartzog's blog (www.panarchy.com) and his view on society, technology and politics.  Specifically, the "Panarchy" poster:


This got me thinking about Identity and the complexity of the Internet ecosystem, and how hierarchical systems for Identity might work for an organization but cannot be translated to "The Cloud." So, let's frame the conversation by looking at the definition of some terms:


  • Politics: Social relations involving authority or power
  • Identity: Whatever makes an entity (such as an individual) definable or recognizable
  • Society: A group of individuals related to each other through persistent relations

Let's begin with Society and our current relations occurring online and face to face because of technology. Prior to the communications revolution, societies were concentrated in a geographical area; therefore our Politics were confined to these geographical boundaries.

Today, although still confined to a geographical area physically, our relations are much more complex. We work online, and we travel to places as far as around the world, faster and more frequently. We spend time online with family in different areas of the world chatting "face to face." Our Social relations are more complex and have moved ahead of our Politics. Our economies are no longer confined to geographical markets; we transact online with everyone in the world. The purchase of a product or a service is the collective work of individuals in several countries.

The hierarchy of most governments implies the acceptance of a set of norms that may not correspond to the sentiment of its citizens due to the accessibility of information. We now know the difference between something that we want and something we don't want being enforced by a government. Governments prefer to know who their citizens are (Identify them) to maintain their power hierarchies. Prior to the communication revolution, government-issued identification was important. It helped social interactions that required validating who a person claimed to be. But in a complex system, such as the Internet, hierarchies are inefficient, costly and almost impossible to control.

Paul Hartzog writes in his poster (see image above) that we are seeing "the emergence of new forms of social action that function independently of and in parallel to traditional forms of the State." Identity, of course, is part of the complexity, but a complexity that is currently leading to "self organization" (you have to look at the poster and read it).

This Identity "self organization" can be seen in the different standards groups working on defining how to organize Identity in the Cloud. Identity is no longer for (and by) the State; it is about an individual, their privacy and how they interact with other members of society. It is not even about an organization (look at the interesting conversations about anonymity, pseudonymity and privacy happening because of Google+'s policy on names).

These are interesting times for Identity, Society and Politics and thanks to Paul Hartzog I am going to call myself a "Panarchist" (it sounds cool!).

Thursday, July 7, 2011

User Managed Access

You may be wondering: what is the big deal about UMA? Well, it is the answer, in the form of an Internet protocol, to the concerns many users have about control over their data and privacy. The protocol allows for the implementation of Authorization Managers that give you the ability to control your data at any host that is UMA enabled. Anyone (service or person) attempting to access your protected data will have to interact with the Authorization Manager before getting access. The beauty of creating a protocol for such interactions is that it allows for a marketplace for the best implementations of the protocol. User experience, usability, privacy and security will be the measure of the best players at protecting your data. With UMA you are in control!

The internet draft recommendation contributed to the IETF is an important milestone and just the beginning of many things to come...

Friday, April 1, 2011

Trusted Managed Identities Services Business Model

I have been giving some thought to what the Business Model would be for Managed Identity Services in a trusted identity ecosystem.

I decided to start by defining the main actors in the ecosystem:  

  • Identity Owner:  Normally considered the end-user, the subject the digital identity represents.
  • Identity Provider:  The service provider that stores and manages the digital identity for the Identity Owner.
  • Relying Party:  The subject requesting authentication and/or authorization to the digital identity data.
  • Trust Provider:  The service provider that assures the relying party the validity of the digital identity stored at the Identity Provider.


Now what?  How can we make money from Managed Identity Services?   What benefits are there to each actor in the ecosystem to validate the capability of such a system?

The Identity Owner benefits from such an ecosystem because it allows them to maintain identity data in a central place where stronger authentication can be used. When identity data is stored in duplicated, dispersed stores, as it is today, end-users demand ease of use over security. Will the Identity Owner be willing to pay an Identity Provider for such a service and its benefits? Probably not!

Identity Providers only benefit when someone pays for their services.  Identity Owners do not want to pay for the service; will the Relying Parties be willing to pay for it?  Let’s see…

Relying Parties, in this business model, benefit the most. The Relying Party reduces the costs of authentication and authorization services and passes the risk for such services to the Identity Provider. Relying Parties, when possible, can maintain the privacy of their end-users by trusting the validity of the identity data to the Identity Provider. Relying Parties, due to the reduced costs, have the ability to pay an Identity Provider for their services. Assuming a trusted identity ecosystem, Relying Parties can accept identity data from different Identity Providers by also enrolling in trust services from a Trust Provider.

Trust Providers allow Relying Parties to be certain the Identity Provider is known to be responsible for due diligence in assuring Identity Owners' legitimacy. Once again, the Relying Party assumes the cost of trust services, since it benefits by passing the cost to validate the identity data from an Identity Provider.

Will Relying Parties be willing to pay for such services?  I think they already are --> Janrain 

The closest ecosystem that resembles Trusted Managed Identity Services is the Credit Card industry where:

Identity Owners = Credit Card Holders
Identity Providers = Credit Card Companies
Relying Parties = Merchants
Trust Providers = Credit Card Networks

The Business Model for Trusted Managed Identity Services has a lot of potential to produce profits.  The technology is there, the standards need to mature but that can only happen if they are used.  We just need someone to be the first to accept the risks and take the profits.  Who is first?

Monday, January 10, 2011

National Strategy for Trusted Identities in Cyberspace (NSTIC)

According to the media and the headlines, the Obama administration is trying to implement a "National Internet Identity for all Americans", similar to what the Bush administration attempted through the Department of Homeland Security a few years ago. User-centric identity advocates, such as myself, see it differently. Kaliya (Identity Woman) expressed in her recent blog post at Fast Company that user-centric identity is about "1) maintaining the freedom to be who you want to be on the Internet AND 2) having the freedom and ability to share verified information about yourself when you do want to."

Unfortunately, I also believe in limited government and citizen privacy, and many like-minded individuals feel skeptical of the government's involvement when it comes to Internet Identities. And although it is not the Homeland Security Department that is driving this initiative, but the Commerce Department, it is still the government. A government where the President (Obama or any future President) has the ability to change the rules of the game at any time. Today's plans may be to protect the privacy of citizens and improve trust in online commerce, but who says that may not change tomorrow?

But for us limited-government believers, reality must set in. We live in a society where governments do provide services (regardless of whether they are effective or wasteful) and those services are exposed to the Internet. Citizens as end-users must access those services. Standards for Digital Identities that give control to the end user, allow for consumers' privacy and benefit commerce (e.g. Kantara Initiative) are important. The private sector as well as Governments, as Relying Parties, Identity Providers, Trust Providers and resource hosts of these services, have a need to be involved in these standards groups and in some cases, as it is with NSTIC, lead the Internet community in implementing these standards.

So, all in all, NSTIC is a great initiative that I wish would not be "National" but Global, where private sector, governments, privacy groups, technology groups, security groups, etc, would be involved.  At a global level and with involvement from different groups interested in the "common" service, this initiative would be more welcome, be more flexible to improve and not have a chance to be controlled by just one group.