greenpoint design

Identity and the Web

May 27, 2010 on 2:38 pm | In IdBlog, Privacy | Add a Comment

The issue of identity verification has been around as long as there has been an Internet. Anonymity and global reach are two things that helped the net become the predominant medium of communication on this planet. Anonymity provides the freedom to fail and the freedom to say stupid stuff. Anonymity also gives license to all manner of nefarious activity and network abuse.

According to a Symantec study published last year, 90 percent of all email is now spam. And a 2009 Canadian study found that the cost of computer security intrusions nearly doubled from 2008 to 2009.

Anonymity is an anathema to the transactional web. In order for the internet to continue to be a viable communication medium and platform for business transactions, there must be a simple and sound method to verify identity across the web. This is not a new idea, but it’s been in the news a lot recently with Facebook’s recent retreat from using user data to create the social graph.

At issue are two aspects of identity: commercial identity and personal identity.  Commercial identity is a requirement of any transaction — proof that you are who you say you are. This verification of commercial identity is the core service that credit card companies have provided for the last 50 years. Personal identity is about who we think we are. Personal identity is a construct of self that is created from our network of friends and acquaintances,  our likes and dislikes and the way we spend our time.

In the last few years, the concept of personal identity has expanded into social media. As people share more of themselves online, and as the network becomes better at logging every mouse click, text message, purchase and comment generated by an individual, a broader construct of personal identity has emerged. That is the perceived value of social networks like Facebook: they own vast piles of behavioral information about each individual subscriber. Facebook CEO Mark Zuckerberg’s announcement of an “open graph” at the F8 developers’ conference in San Francisco last month was a logical step forward to link Facebook data with members’ activity on the wider web.

What Mr. Zuckerberg didn’t count on was that users might want to control the construction of their own identities and that the web community as a whole might prefer that the central repository of personal identification data were non-proprietary. Zuckerberg clearly did not read Kim Cameron’s Seven Laws of Identity, or take into account Microsoft’s failed Hailstorm experiment.

Yet the need for verifiable identity persists.  Symantec’s recent acquisition of Verisign’s authentication business looks to do for business what Zuckerberg proposed to do for consumers. Google has also resurrected the old Unix finger command for Gmail users (see Webfinger).

A host of other groups are working on the same problem. The just concluded tenth annual Internet Identity Workshop brought together some of the usual suspects in Mountain View, California, without arriving at a solution.

Whatever system of identity verification is ultimately adopted for the web, it must — as Cameron’s 7 Laws  decree — put users firmly in control and operate as a metasystem, drawing from many different identity repositories and contexts.