Last week was a humbling and empowering week. RSA 2008 has given me a good kick in the pants in a number of ways, all of which have inspired and challenged me to think on things I’d never contemplated before.
Quite a few people at RSA wanted to know the “how” of user-centric technologies, yet the biggest question was undeniably “why”? Why would I implement this new technology? Why is OpenID or Information Cards or ID-WSF or anything else truly better than what has gone before?
One thing I truly believe is that we are not building these technologies in order to blindly replace one identity mechanism with a different identity mechanism; the cost & extra complexity associated just wouldn’t compute. There has to be a tangible step forward – not just mysterious head-nodding between experts.
We talk at length about improvements in security, privacy and a million other things – but all of those things are just window dressing on the fundamental paradigm shift that we rarely address. I think we all need to work to create widespread understanding of the reasons why society should care about to whom they authenticate. The answer to such a question can be evaluated independently of the technologies involved — so for the rest of this conversation, you can and should dismiss the technical details. Instead, imagine a world where various identity technologies are available, well constructed and tested, and where a decision to adopt is a simple configuration decision, not a coding adventure or a proof-of-concept. Yes, I know we aren’t anywhere near that yet — but for a minute, let’s step away from the trees and look past to the prosperous village on the other side of the forest.
If I were to give a name to the vision I have of the future, it would be “federated community”. Users sign up for a community, based on some common interest and returned value, and are then able to leverage their identity where they choose, in areas where the context of that identity somehow enriches their web experience. You may say wait! We have this already! Yahoo! is a community, Google is a community, AOL is a community. No, they are not. The YGA crowd are ranchers with herds of cattle. Flickr was a community which was merged into a herd, much to the dismay of the community members. There were obvious plusses and minuses to the merger – but I think it is reasonable to note the anger and consternation that users felt when their community specific identities were force-merged into generic herd identities. These days, companies like Google and Yahoo! can be said to “own” users in the same way that the telcos could have been said to “own” users prior to cell phone portability. This silo-based mentality is a dying business model, and the big guys know it – what will replace it?. This is the BIG CHANGE that we never talk about.
We have already come a long way towards federated community. People want their identities to cross site boundaries, they want to link their output from many sites together into one or more collections — as long as they retain control. The problem is — how to link? Most smaller sites are walled in completely, while the herds get around this by creating massive silo-only service offerings – every herd has photo sharing. groups. email. Yet one herd can’t use the other herd’s service. It’s a big turf war, and if you have friends in every herd, you end up managing accounts in every silo. Of course, if you’re a big site that wants to federate with the herd, you can use their APIs – but there is an API for every herd, and no standard API for the smaller communities at all (the oAuth and OpenSocial guys might disagree here, they seem to be fighting for the same things, just with different weapons). For now though, imagine that herds & communities alike become Identity Providers, and that sites wishing to interact with herds & communities become Relying Parties.
Once the tech is stable and ubiquitous, Identity Providers will provide authentication services as a byproduct, not a goal, and there will be a major and a minor arcana of Identity Provision services that evolve. In order to join the major arcana of Identity Providers in my future world, the provider will need to own some piece of information that many people & sites will want to consume. This is not data that once given is never necessary again (such as your name & email address or other personal data) – it is living data that consumers will want to come back to again and again, the kinds of data that our economy thrives on already **.
In my future world then, the major arcana of Identity Providers will be, for example, Slashdot. Second Life. Equifax. Amazon. Ebay. These types of business can prosper, not from serving your data, but from serving out interpretations of your data — interpretations that are cooked up with a secret sauce that ensures the continuity of the business model. Consumers will be the sites who want to work within that world. Imagine a network of sites that you can visit & take your slashdot karma with you. The user has the advantage of seeing a reputation they have worked hard to achieve gain more credibility. The site owners participating in this network reduce barriers to entry to their own site because users don’t need to rebuild reputations. Site owners also have a way to filter spammers and trolls. Slashdot becomes the hub and reaps the advantages of owning the secret sauce recipe that everyone wants. It is entirely possible that consumer sites then begin contributing back to Slashdot, and we now have an ecosystem. This is the kind of thriving inter-site community that becomes possible when data is shared. I also hope that this era will usher in the return of the pseudonym, a lovely and important part of the internet that is currently taking a beating from snotty, literal-minded “real people only” social networking sites.
The minor arcana of Identity Providers are what I’ll call “Membership Providers”. They are the smaller groups that you join because they are your peeps. Sports clubs. Church groups. Families. Hobby Clubs. Toastmasters. These are the kinds of Identity Providers who may not have much in the way of secret sauce, but whose users will join anyway – not because they expect to use their membership in a million places, but because they feel an affinity, and because it feels good to have affiliations. These kinds of associations don’t *have* to make their own provider, but I think that many will if the software makes it easy — imagine hosted Identity Provisioning Services instantiated in a button-click; Integration of Identity Provision Services into accounting software for management of membership dues, into web advertising components for reciprocal deals between memberships and businesses, then imagine federated relationships between various affiliations that might be linked to a parent organization, so that by becoming a member of the Alberta Motor Association, you get ancilliary benefits at sites where deals have been negotiated by the Canadian Motor Association.
Now – for all this, where does this leave the user? Why should the user care whether they are part of a herd or a community? I don’t think they will care at the beginning. I think they will do whatever they have to do in order to get whatever good or service is their goal – however, once their identity is (a) portable and (b) meaningful in additional useful contexts, I believe that the loyalty equation changes for the better, and that as a result, marketing strategies and business models will evolve too.
This is the kind of world that I see evolving as a result of and a reason for the technology we are working on. It is a lot of work to change this kind of plumbing, and who knows what actual technology incarnation or combination thereof will get us there — No matter what happens, the current approach where everybody spends programming time linking into every mothership via API in order to add value will not cut it. We need a way for communities to form and flourish and decay that is organic. To that end, if you were to ask me what the vision is for any technology that follows the Identity Provider paradigm, I would say that the “why” is so that we can make a system where communities can interact, transact, and relate to each other without the tech getting in the way. This is the ultimate end goal for me – if I didn’t believe that we can build a much better house, I certainly wouldn’t spend so much time perfecting the engineering on a radically new foundation.
If you think that my vision of the future is a big fat load of bollocks, feel free to poke holes, I’m sure there are many — all I ask is that in addition to making fun of my thoughts for the future, you provide your own, alternative vision, so that we as an industry can communicate these various viewpoints to the people who just want to know why.
**: See Bob Blakley’s “Identity Oracle” writings to see how I stand on the shoulders of giants in much of what I say here.
Your vision of the internet’s future is very akin to my own. I believe the difficulty people are having is what McLuhan had predicted with the rise of any new medium: the content of the new medium tends to be is the old medium. People are still looking at the internet from the point of the current economic model, visualizing more-or-less centralized sites where the user has to find a way to keep some modicum of personal power. Turn over the web and re-visualize the internet from a rich p2p, human-centered model of creative sharing and community building and you start to see the real future and power of the internet.