26 March 2012

Online identity: ‘walled gardens’ are not the way

Behind the social agenda of most tech giants there are other underlying goals. It’s a competition to capture the online identity of users, better and more relevant data, in order to deliver ads and monetize. The problem is that this competition is leading to a lot of fragmentation; instead of having one ‘identity’ on the web you have to manage several accounts and social graphs: one for , one on , on , Yahoo!, Windows Live, Disqus and so on. There should be a better way to handle this instead of this multitude of centralized identity providers.

As in an earlier post, where I shared some thoughts on how social networks compare to our offline interactions, I want to do the same for identity. Offline we generally have a single identity (name, age, sex, address, nickname, workplace, interests), with variation depending on the social context: a business persona, a more intimate and open image for family and friends, a very superficial, general image for the rest of the world. There are of course the outliers, public figures who are more universally recognizable, but you can’t really say you know them intimately; that is also reserved for a low number of people. We carry most of our identity with us and don’t build it from scratch with each new circle we encounter; after all, while getting a new job, for example, you are changing only one small aspect of your identity.

In that sense I think online identity should become an independent, distributed standard, outside of the reach of any major company. The best model, I think, is how we use phones and email: there are several companies providing the infrastructure, but you can nevertheless communicate freely with anyone from any company, as long as you know their ID (phone number or email address). Following this model, you should have a single ID on the web storing your data in an encrypted local file with a standard structure, containing everything you would possibly need when interacting online, be it with a website, app or with a real person: from nicknames, photo, email addresses to more personal and sensitive data like your home address and credit card number.

The software to encode/decode the file and establish connections with the web should probably be implemented at the OS level, like Contacts on iOS. This way the data would benefit from cloud back-up and sync, as the biggest operating systems either already have this feature (MacOS/iOS with iCloud, Android with Google) or plan it for the next iteration (Windows with SkyDrive). Being in a standard format, it should be easy to copy it to another device, even one running a different OS. The OS-cloud combo should also probably take care of storing your contacts – again using only their unique ID – and keeping the information up-to-date; for example, when a friend updates his or her identity-file the change would propagate to his or her immediate contacts.

So how would interacting online work in this model?

  • For general browsing you would have a minimum default level of data that the websites can access from your ID-file. You would be able to define it, going from completely anonymous to sharing some interests, in order to receive personalized ads.
  • When you encounter a site that requires some form of credentials, e.g. when you want to comment on a blog post, the browser would prompt you for the level of data you want to share (full name vs. nickname) and how long the data should be available to the site. The level of access can become very deep; for example, on an e-commerce site you will need to share your address and credit card number, but here the browser should check the security of the site and warn of any possible issues.
  • Similarly, when you visit a social network, it should request ongoing access to your ID-file, including the social graph this time. You would be able to revoke the access at any time, thereby preventing the network from using your data – including contacts – from that point on (until you ‘rejoin’ at least) and requiring it to delete the cached copies on its servers.
  • Finally, when encountering another person on the web, you could ask for permission to add him/her to your contacts list, thereby adding a new ‘connection’ to your ID-file. That new connection will be available to any other social network you visit from that point on, including the ones you joined before. Here there should also be some privacy levels to prevent some people from accessing too much of your sensitive data. The privacy levels could also be used in other interesting ways on websites, for example when you connect to comment with your ID-file, the browser could check your connections, identify others who commented and display their real name for you instead of the nickname shown publicly.
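The access rules in the list above can be sketched as a small browser-side gatekeeper. This is an added example, not part of the original post or of any of the projects it mentions; the `IdentityAgent` class, the tier names and the ID-file fields are all assumptions made for illustration.

```python
import time

# Constructed sample ID-file; every field name and value is an assumption.
ID_FILE = {
    "interests": ["cycling"], "nickname": "mk", "full_name": "M. Example",
    "home_address": "1 Example Street", "card_number": "0000-0000-0000-0000",
    "contacts": ["id:alice", "id:bob"],
}

# Hypothetical disclosure tiers: the fields a site may read at each level.
TIERS = {
    "anonymous": set(),
    "browsing": {"interests"},
    "comment": {"interests", "nickname"},
    "commerce": {"nickname", "full_name", "home_address", "card_number"},
    "social": {"interests", "nickname", "full_name", "contacts"},
}

class IdentityAgent:
    """Browser-side gatekeeper between websites and the local ID-file."""

    def __init__(self, id_file, default_tier="anonymous", clock=time.time):
        if default_tier not in TIERS:
            raise ValueError(f"unknown tier: {default_tier}")
        self.id_file, self.default_tier, self.clock = id_file, default_tier, clock
        self.grants = {}  # origin -> (tier, expiry timestamp or None)

    def grant(self, origin, tier, ttl_seconds=None):
        """Record the user's answer to the prompt; ttl None means ongoing access."""
        if tier not in TIERS:
            raise ValueError(f"unknown tier: {tier}")
        expiry = None if ttl_seconds is None else self.clock() + ttl_seconds
        self.grants[origin] = (tier, expiry)

    def revoke(self, origin):
        # Stops future reads only; copies already cached by the site are
        # outside the agent's control and need the site's cooperation.
        self.grants.pop(origin, None)

    def disclose(self, origin, requested):
        """Return only the requested fields the origin's current tier allows."""
        tier, expiry = self.grants.get(origin, (self.default_tier, None))
        if expiry is not None and self.clock() >= expiry:
            self.revoke(origin)  # an expired grant falls back to the default
            tier = self.default_tier
        allowed = TIERS[tier]
        return {f: self.id_file[f] for f in requested
                if f in allowed and f in self.id_file}
```

A site never receives a field outside its granted tier, whatever it requests, and a lapsed or revoked grant drops it back to the user's default level.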

Of course, this is highly speculative and mostly wishful thinking at this point. There are some projects trying to evolve the web in this direction (Diaspora, BrowserID, WebFinger), but they are still missing large-scale support from big companies and interest from the general users. As Mathew Ingram put it in a recent article, users don’t seem to really care about privacy and other considerations either, if the services they get are appealing enough. The challenge here is to get the general public to care about these open alternatives. As for support from the tech giants… that’s more of a long shot; it’s nearly impossible to imagine they would willingly give up control of the identities and social graphs they already have in their grasp. Even Google has abandoned its open and non-evil mantra and is fully behind Google+. But let’s not forget that phone and email have been around for much longer than social networks; maybe given time they will also become more democratic, more in line with the natural way we communicate and define ourselves.

LearnFWD: BrowserID (Ben Adida) from Mozilla WebFWD on Vimeo.
Today’s web experience is a multi-varied one: your social network is here, your photos are there, your travel plans are somewhere else and that’s just scratching the surface.
Mozilla is dedicated to making the web experience easier - and always controlled by the user rather than the service providers. Browser ID is one very cool way we’re going about this.
Ben Adida, Mozilla’s tech lead on Identity and User Data, shared the possibilities that Browser ID brings to our projects (and more) in this week’s LearnFWD.

1 comment:

  1. There will always be competition if there is a need, so I don't think we will ever have 'One' identity provider, but there is no reason why, as individuals, we can't have one centrally managed identity. There is no reason why you can't have control over this single identity along with centralised management. In terms of our personal information there has been a lot of activity over the 'midata' initiative and we are seeing a lot of activity in the Personal Information Datastore (PID) space. Although it's not what we do, it is related. The technologies are there now with OAuth 2, SAML and a few other things that we will start to see more of in the market soon.

    It's not wishful thinking - it is what is needed...and it's what we are building.