A fascinating case

The story of Joe Anthony and the Barack Obama MySpace profile is a crazy tale of identity and social networking power.

My probably garbled & over-simplified summary:

  • A fan worked for several years to create and maintain a network of friends in support of Barack Obama, using an online profile that is the MySpace equivalent to barackobama.com. The resulting network of friends was huge – 160,000 connections.
  • The campaign decided that this web property was too critical to not directly control. They asked Joe to make a buyout offer and Joe gave them one – a little under $50,000.
  • The campaign balked at the number, never counter-offering, and decided that Joe was squatting. MySpace agreed with that assessment (remember, the profile was created in Barack Obama’s name).
  • Control of the web property was given to Obama campaign — but after what appears to be some yelling and screaming, the friends list was assigned back to Joe, on a newly chosen web property.

The combined value of the web property and the FOAF list is obvious. How much value have they each lost by being separated? And what about the damage done by the publicity over the separation? I really, really like the justice in awarding the property to the identity-holder, while awarding the friends-list to the relationship-builder. It is a rare single-site example of the value of portability in social network data.

If Joe had registered barackobama.com and had it taken away by the campaign (an open/shut squatting case), the campaign would have gained control of both the website and the readership. An easy done deal, no ifs, ands or buts, thanks for the work we’ll take it from here Joe.

But at MySpace, Joe still has his soapbox. And the Obama campaign still has to work to build up their social network again. The great thing about this, is that the readership gets to decide. They can show their support for this political campaign by registering for the now official profile. They can show support for the unofficial fan site by sticking with the original profile under a new name. They can do both. They can do neither, withdrawing subscription from both profiles in protest. I don’t think it gets much more egalitarian than that.

Power to the people, baby, power to the people…

IIW 2006b – Content

Here are the things that I want to remember about IIW 2006b in Mountain View CA – meeting all sorts of brilliant people, trying to make Kaliya’s massive unconference schedule stick to the wall so that the lines matched between sheets, ordering larb gai at dinner PET PET, strategizing over lattes, impromptu demos and work sessions, suggesting new voices for TomTom (ya hoser), and late night life philosophy trading… Yeah, we had fun.

And now for the geeky bits:

1) OSIS update: This was one of the first sessions of the day, and I found it fascinating. Session notes are here.

My takeaways (FWIW as an outside observer):

  • We won’t see any release of an Identity Selector by a vendor until certain things are ironed out on the IP front. Who knows how long that will take. What a bummer.
  • I find that there is a disconnect between how insiders see OSIS and how outsiders see OSIS, which seems to result in the need for constant expectation adjustment at these public meetings. The insiders grok all the history, how it evolved, how this group and that group blended & merged to form today’s OSIS working group, and what they hope to accomplish. Perfectly logical, but inwards facing. Outsiders don’t see that stuff. They see an entity that calls itself a system, and which seems to offer an opportunity to rationalize a whole bunch of separate efforts into a more easily understood whole — in other words, an outwards facing project. As far as I can tell, the current OSIS goals are primarily about making sure the vendors get it all ironed out between themselves. It is a critical function. At the same time, however, the rest of us are already clamoring to build on that foundation. The external rationalization needs to come, one way or another. Perhaps OSIS will start a second committee – after all, it is a logical place for this work to occur, and also, this is where all the thought leaders are. If not — well I guess we’ll have to wait and see who picks up that particular torch.

2) Lightbulb: Pat’s code is always fun to see in action, but what excited me was the integration he showed with the Sun Access Manager product. That opens up a whole raft of possibilities… Now that I’ve seen it, I might have to take a shot at OpenID-enabling our company mail server, just for fun :-D

3) Sxipper Demo: Sxip showed off their new service, which lives at sxipper.com. The goal is to simplify online interactions with both registration and login forms. It looked purty, definitely worth trying out.

4) Speed-Geeking: This was the highlight of the conference for me. I was able to get a quick glimpse of many different development efforts, a number of which I’m sure I would have missed had they been only in a full-time conference session. Since my primary focus is on the CardSpace stuff, I hadn’t been attending as many of the OpenID-facing sessions, but some of the OpenID demos really opened my eyes. I think the most fascinating demo was the one that was given by Avery Glasser – but I’ll save my thoughts on that topic for another entire entry :)

5) Kim’s Code: Kim showed off PHP code that utilized new XML security libraries that I can’t wait to get my grubby little paws on.

6) The Ruby on Rails guys: After Kim’s talk, 3 guys decided to take fate into their own hands and code an RP in Ruby on Rails. Justin, Trenton, and Devlin worked into the night figuring all of this out from scratch, and they made a significant dent in the code, too. It was really really fun to watch them work. I hope we get to see the fruits of these efforts at the next speed-geeking session!

7) OSIS in Action: It was great to see Dale Olds and Mary Ruddy demonstrate RP & IdP interactions using an open source stack. Talk about a wonderful milestone to hit – it was obvious that some serious love and care had gone into the making of this demo. During the session, there was an interesting discussion around ways in which an RP can deal with mid-session elevation of privileges that I think is just the tip of the iceberg, and which demonstrates the massive body of best practices that need to emerge surrounding information card based user interactions. The scenario at hand was as follows: a user needs one set of claims to have read access to the site, and should they wish to write to the site, they need a single extra claim. If the RP asks for the extra claim as an optional claim at initial login, they need to somehow communicate to the user (a) That the optional claim exists (since it isn’t particularly obvious in the CardSpace GUI), and (b) in what exact context the optional claim is meaningful. These are critical conversations to have, and I enjoyed taking part.
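The read-versus-write scenario from that session, as an added example (not code from the OSIS demo or any project): a relying party asks at login only for the claims that read access needs, and requests the single extra claim only when a write is attempted, naming what is missing and why, so the user sees the optional claim in the context where it matters. The claim URIs, action names and token contents are constructed placeholders; the step-up token is also bound to the subject already logged in, which is an assumption about how an RP should behave, not something the session notes state.

```python
"""Claim-based access policy for a relying party (RP) that consumes
information-card tokens.  Added example, not code from the OSIS demo or any
project: the claim URIs, action names and tokens are constructed placeholders.

A base set of claims grants read access, and a write needs one extra claim.
Instead of asking for that claim as an *optional* claim at first login
(where the user has no context for it), the RP asks for it only when a write
is attempted, lists exactly what is missing and why, and binds the step-up
token to the already logged-in subject.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Constructed claim URIs (placeholders, not a real claim schema).
EMAIL = "urn:example:claims:email"          # used as the identifying claim
DISPLAY_NAME = "urn:example:claims:displayname"
EDITOR_ROLE = "urn:example:claims:editor"

# Required claims per action: "write" is "read" plus one extra claim.
POLICY = {
    "read": frozenset({EMAIL, DISPLAY_NAME}),
    "write": frozenset({EMAIL, DISPLAY_NAME, EDITOR_ROLE}),
}


@dataclass
class Decision:
    allowed: bool
    missing: FrozenSet[str] = frozenset()
    step_up: Optional[dict] = None   # request to hand to the selector, if any


def authorize(action, presented_claims, policy=POLICY):
    """Check the claims presented so far against the policy for `action`.

    On failure the decision carries a step-up request that lists only the
    missing claims (plus the identifying claim, so the new token can be tied
    to the session) and states the context in which they are needed.
    """
    if action not in policy:
        raise ValueError(f"unknown action {action!r}")
    missing = policy[action] - frozenset(presented_claims)
    if not missing:
        return Decision(allowed=True)
    return Decision(
        allowed=False,
        missing=missing,
        step_up={
            "required_claims": sorted(missing | {EMAIL}),
            "optional_claims": [],
            "context": f"Action '{action}' needs additional claims: "
                       + ", ".join(sorted(missing)),
        },
    )


def initial_login_request(policy=POLICY):
    """Claims to request at login: only what 'read' needs, nothing optional."""
    return {"required_claims": sorted(policy["read"]), "optional_claims": []}


@dataclass
class Session:
    """Claims accumulated over one RP session, bound to one subject."""
    subject: Optional[str] = None
    claims: Dict[str, str] = field(default_factory=dict)

    def present(self, token):
        """Merge a presented token (mapping claim URI -> value) into the session.

        A step-up token must carry the same identifying claim value as the
        login token; otherwise the elevation is refused and nothing is merged.
        """
        subject = token.get(EMAIL)
        if subject is None:
            raise ValueError("token lacks the identifying claim")
        if self.subject is not None and subject != self.subject:
            raise PermissionError("step-up token is for a different subject")
        self.subject = subject
        self.claims.update(token)

    def attempt(self, action):
        return authorize(action, self.claims)


if __name__ == "__main__":
    s = Session()
    s.present({EMAIL: "alice@example.test", DISPLAY_NAME: "Alice"})
    print(s.attempt("read").allowed)        # True
    decision = s.attempt("write")
    print(decision.allowed)                 # False
    print(decision.step_up["context"])
    s.present({EMAIL: "alice@example.test", EDITOR_ROLE: "true"})
    print(s.attempt("write").allowed)       # True
```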

Ha, well there you go, more opinion than you ever wanted on IIW 2006b…

IIW 2006b – Logistics

I don’t even know where to start, in talking about the last week. Many of you who are likely to be reading this were probably at the Internet Identity Workshop in Mountain View CA. For those who weren’t, you missed out on a pretty spectacular meeting of the minds.

I have so much to say, that I’m going to have to divvy up the content into multiple entries. Before I even get into all the things that inspired me technically, I want to talk about the conference itself.

In my opinion, IIW 2006b was well organized, well situated, and well provisioned. Whoever thought of having a Barista onsite for both days should be given a medal, it was so very civilized to wander over and grab a latte between talks. I also liked the fact that there were recycling bins for cans and bottles – maybe it’s just where I come from, but throwing cans into the garbage makes me feel like a bad person. Recycling seems low on the priority list of most conference organizers these days, so it was nice to see a blue bin around.

The recommended hotel was beautiful, and the service was flawless. How nice to be in a hotel where everything isn’t bolted to the floors and the walls, where the rooms contained things like vases and a stereo and a pack of cards, and where if you became thirsty and picked up the bottle of water next to your bed, it said ‘compliments of Hotel Avante’ instead of showing a hefty price tag.

Most importantly, the structure of this conference was perfect for what everyone wanted to accomplish. Tuesday and Wednesday were dedicated, not to the people that the organizers thought were important, but to the people who had something to say, or something to show. It was great to see who was making progress at what, and to meet new people tackling fresh problems, and to watch conversations start and evolve, instead of having to follow a strictly pre-organized rhythm. I also loved seeing someone like Pat Patterson demonstrate code that was written the day before – as he noted, you don’t get to see such things when you have to submit your slide decks weeks in advance.

To be honest, IIW 2006b seemed less like a conference and more like an enthusiasts club. And, seeing that I am nothing if not enthusiastic, you can imagine why I might have had such a good time :)

Stay tuned for my report on the oodles of user-centric geek goodness that went down…

Update: Just in case you thought I was the only one who had a good time…

‘Confabulated’ is definitely the starting point

I really like the idea of Confabb.com – a nice spot to go find out about various conferences that you might want to attend, with reviews and other great stuff built in.

As a first impression, however, I think that they have a ways to go before they are relevant. A search for identity management doesn’t exactly return comprehensive results. A search for “Catalyst” does bring up the Burton Group Catalyst conference — but they seem to think that the conference is about: “Computers and Internet , Computers and Internet, Computers and Internet , Computers , Networking , Firewalls/Security.” Out of their advertised 16,000+ conferences, who wants to guess how many of them are similarly tagged?

But the one that really makes me crack up is this:

Here is Eric’s review of Digital ID World – you can see the conference has a number: 4810. This would say to me that it is registered somewhere. You can also see the review, and the details of the conference:

However even though you can get to it if you go through the review, you can’t search for it by name:

So – Confabb has a little work to do. Or should I say, conference organizers have a little work to do. Confabb has supplied little more than a placeholder — the question is, will organizers care enough to fill the database with relevant data? Here’s hoping they do, and that after they do, the vendor improves their search algorithm enough for the rest of us to actually leverage the information.

Good luck Confabb, I hope people work hard to make you a success :)

The Web Giveth…

Earlier I posted about what I called “the Age of TMI”. The world is busy pouring their heart and soul out into publicly hosted websites such as MySpace, Flickr, WordPress, Blogspot — you name it.

But what happens when you cross a line that the site hosting your particular accumulation of TMI doesn’t care for? What happens if your site accidentally deletes your account, or suffers an outage and can’t restore your information?

Imagine your life’s thoughts, your pictures, your list of friends, obliterated without notice, without recourse, and in some cases without even a backup in case a mistake was made.

What happens when your particular Web 2.0 personality site goes out of business? Or in the case of users on PhotoNet, what happens when your account suddenly disappears, because you don’t see eye-to-eye with the new management?

Consider the case of Rose & Olive, whose Flickr account containing years of photos and thoughts about their photos disappeared without notice. Rose & Olive made controversial pictures – but had for a long time, creating traffic for Flickr along the way, and making many friends and contacts. They were not warned, they were not notified in any way — one day their account was simply deleted. When they asked if they could at least archive what was on their account so that they could move to another site they were told that their account was permanently gone and that Flickr could not retrieve it.

Now – I can’t speak to the question of whether Rose & Olive deserved to be turfed – but the poor quality of the deprovisioning process is striking.

What responsibility do Web 2.0 companies have to provide recourse to users who have been disabled or deleted? How about portability? And is there a difference between voluntary portability (i.e. quitting a site but retaining your content) and involuntary portability (i.e. getting kicked out of a site, but having your content tossed out after you, to do with what you wish)?

On a more personal note, in writing this entry I was directed to this portrait. I was surprised at the emotions it brought out in me. The story behind the photo is heartbreaking. The discussion around ‘flagging’ a photo (an action that could lead to deprovisioning of the photographer’s account) is also interesting. I think that this is an example of the depth and quality that community sites can have in our society, as long as we allow the controversial to exist and to affect us, one way or the other.

Real Life Trust and the Mess that it is (too)

Mark Wahl got me thinking last week, with his second post on trust and the mythology of PKI.

Often, when involved in discussions around online trust, I hear the sentiment “if only we could do it as well as they do in the real world”. When expressed, it is always greeted with nods of acceptance; as if we can all just move on to saving some other part of the little ol’ world if we could just hit such a milestone as emulating real world trust.

But what of the real world, this supposed Elysium of trust bliss? Nobody assumes that cash can’t still be counterfeited. Nobody assumes that passports and drivers licenses and birth certificates can’t be obtained fraudulently. Nobody thinks that elections can’t be rigged. People get away with all sorts of crimes in the real world, by successfully creating trust relationships that are then abused. We certainly haven’t been able to abandon a vigilant stance in the real world, and I don’t suppose we ever will. So what is it that evokes such reverence in the techie world for real world trust?

Let’s take an example from Mark Wahl’s post. I’m not sure he meant to contrast the two in exactly the way that I’m about to contrast them – but nevertheless, let’s compare the “Trusted Root authority” list on the Windows platform, to the “Trusted Adult” list that Mark pointed to in his post (I’m not sure if this list was taken verbatim from the Netsmartz site, or whether Mark paraphrased – I was unable to see such a list on the Netsmartz site, but I may have simply overlooked it).

As a very simplistic definition, the ‘Trusted Root Authority’ list contains a list of entities that may issue certificates which, when successfully validated by the browser, will result in a “closed lock” icon. Non-validating certificates, on the other hand, will be flagged for attention by the user.

The theory is that while you can’t necessarily count on those certificates to be used in good faith, you should be able to count on the certificates being issued in good faith — and that introduces some level of accountability into the whole affair. There is one extra level of assurance in a certificate that chains to a member of the ‘Trusted Root Authority’ list.

This is a similar concept to many of the members of the ‘Trusted Adult’ list that Mark Wahl talks about. By the documented definition a ‘Trusted Adult’ can be

  • family members,
  • caregivers,
  • family friends,
  • teachers,
  • counselors,
  • coaches,
  • clergy members,
  • youth leaders,
  • and law-enforcement officers.

Obviously, proof of list membership shouldn’t be sufficient assurance to place trust in all cases, just as a little closed lock icon with a blue background shouldn’t be sufficient assurance, a point that Mark makes in his post. When someone displays a police shield, they are evoking a chained certification – but the fact that the person has been issued a badge does not mean that they aren’t a criminal, it only means that in committing a crime they are, in addition to breaking the law, also breaking an agreement that they had with the certifying authority. Possession of a badge gives some amount of assurance to citizens who must decide whether to comply with orders from an individual based on the strength of the backing authority that the person represents, combined with a risk assessment as to what due diligence was done by the certifying authority to ensure that the extra assurance is properly placed. The badge also provides accountability, in case the individual acts in a manner not in accordance with their authoritative position.

Seems to me that the lists have a lot in common.

With regard to the online list, Mark says:

A further danger is that the level of trust provided by path validation will be conflated in a user’s mind with trust of identity providers, and in the future, with the trust of identities issued by that identity provider.

This exact thing happens all the time in the real world. You place initial trust in a cop because you trust the agency he/she represents. You place initial trust in a priest because you trust the agency he/she represents. You place initial trust in a teacher because of the agency he/she represents. But the ‘Trusted Adult’ list cannot be the only metric you use, because these positions have been abused, and because sometimes bad people gain positions of authority. That is life, in the real world and online. Any trust list can only be the first step in a cautious ritual that only the person living it can undergo.

No matter how perfect the system might get, people will need to know how to keep themselves safe, and the more they know and understand the tools at their disposal to expose the bad guys of the world, the safer they can be. They have to be street-smart, discerning and skeptical. Trusting someone/thing after validating their credentials is not perfect, but it is still better than trusting them without validating their credentials. Trust is not simple, and vigilance is required no matter what – all you can do is use the tools at hand to filter out as many of the bad guys as you can. People who don’t understand or use the tools are more at risk.

For example – recently a 14-year-old girl endured 10 days in a hole suffering at the hands of a psycho because she didn’t or couldn’t discern that the hand-drawn police insignia on his shirt was not the real thing. Note that this crime occurred in spite of whatever measures might have been taken by the local police force to ensure that their credentials could not be counterfeited, stolen, or fraudulently obtained. I can see no way in which the police force could have prevented this poor assignment of trust. The psycho used the most grossly low-tech mockery of a credential to pose as a member of the ‘Trusted Adult’ list, but it worked – if only the girl had even superficially validated his credentials, she might have had a warning that something might be wrong. She needed to know what to do in such a case, and her lack of knowledge of the tools at her disposal cost her terribly. The only way to prevent these kinds of attacks is to raise awareness and improve the sophistication of the general populace.

My point here is that we on the technology side can’t do everything. We can only make things harder in the cases where a sophisticated attacker tries to remove the warning signs that a savvy user might recognize. No matter how good our technology gets, poorly educated users will still be at risk. We need to help them understand who to trust, in real life and online, because at the end of it all, whether we are trusting an internet banking website or a chat room pal or a man with a shiny brass badge, we are making a personal choice that has risk attached to it, and nobody can make all of the risk go away… Trust is not a destination, it is an ever-changing journey. In the real world and everywhere else.

DIDW 2006 Thoughts

Well, DIDW 2006 has been over for a couple of days. Here are my slightly schizophrenic thoughts, now that I’ve had a chance to go over my experiences:

This year marked a big change in topics of discussion. There was a lot of ‘deployment experience’ content, the content on which IT personnel make their case for the expense of attending the conference in the first place. I did not, however, hear a lot of hallway discussion surrounding provisioning, or single sign-on. Not even much discussion around (passive) federation.

There was a lot of interest in user-centric technologies, but my impression was that the interest was in personal application first and foremost. What I mean by that is that it seemed that many attendees identified as a user more than as an IT shop. It isn’t surprising, really – the B2C advantages are obvious, and the technology itself is just plain fun to geek out on. Plus, I think that the personalities involved in user-centric technologies make it hard to not want to find out more. That kind of pioneering passion and enthusiasm is easy to find enticing.

Luckily, on Thursday Ping helped to bring the user-centric stuff more officially into the realm of usefulness for the DIDW demographic with their presentation on Understanding Infocards in an Enterprise Setting. By talking about “passive” and “active” federation, they introduced a simple way to contrast the 2-party system vs. the 3-party system. How nice to have a way to characterize what is happening and to help make decisions about when user control is desirable within and at the borders of the Enterprise. Also during that presentation, Ping announced that Ashish Jain’s Managed Card IdP implementation will be open sourced. I’m very happy about that and can’t wait to play!

On the vendor floor, I saw at least three different vendors demonstrate use of some combination of Infocards and OpenID. It didn’t look like the big deal that it was, to be honest, it all just looked to me like such options had always been there. It seems obvious as well that the number of login options will hit a natural limit. Three options (for example OpenID, Information Card, Username/Password) is a nice number — how many more can be added before it gets confusing? I’m interested to watch and see who wins the login form real estate war, and when the war starts not just in proof of concept, but in reality.

I was hoping to see a deployment presentation from a Liberty member this year, detailing their rollout of ID-WSF. Was it too soon? Am I allowed to make a request for next year?

One thing I think was lacking was a central place for everyone to get together at night. The theory was that this place was the vendor floor, and there were receptions planned there on Monday and Tuesday night — but the problem was that people had to leave to get food, since there were only appetizers at the reception. Once everyone splintered up to eat, they stayed splintered. There just wasn’t a sense that it was a party… I thought that the gambling theme of DIDW in Denver was a much more social event, even if I did suffer the indignity of lasting less than .05 seconds on the electronic bull :-)

All in all, DIDW 2006 was entertaining and educational. I liked the pairing of IOS with DIDW — kudos to the organizers of both events for thinking to team up. I think that IOS provided excellent grounding for later DIDW talks. Next year DIDW will take place in San Francisco – I hope I’ll be there to do it all over again…

I know you were kidding Paul, but…

Paul Madsen responded to this reference to the Liberty Alliance sarcastically, but I think that Liberty as an organization should take such a remark far more seriously — because I know exactly where this blogger is coming from:

The Liberty Alliance has churned out a number of PDFs but that seems to be the extent so far of their effort.

Paul, the reason people think Liberty is nothing more than a bunch of PDFs is because that’s all they see when they research it online. Last January, I too tried to figure out what ID-WSF was and how it could be used. I’m sorry this sounds so harsh, but frankly, the Liberty website sucks at communicating the spirit and the purpose of ID-WSF.

There are several problems. First, as a geek-investigating-liberty, I don’t want to read the specs first. I want to know what the specs are FOR. I want to know what business & technical problems can be solved with them. Imagine trying to figure out what LDAP does and why I might want to deploy a directory server — and being directed to a page like this:

LDAP specs

Nobody would evangelize LDAP this way, and I can’t figure out why anybody would want to evangelize ID-WSF like that either. And yet, when I tried to research ID-WSF, that was exactly what I found. Hey look, same thing the other blogger found, gee funny it’s just a whole bunch of document links! Was there a gentler introduction? Not that I could find. Oh, and don’t even try to search on “ID-WSF” within projectliberty.org, the top hits on the site are mail thread references.

Second, the front page of the site (which is very pretty) is 100% about the organization and 0% about the specifications, even though their stated objective is the creation of said specifications. The words ID-WSF and ID-FF do not appear once on the page, let alone People Service or other components. Doesn’t that seem odd???

Third, to address Conor’s point – I may or may not represent anyone other than little ol’ me, but personally, I couldn’t care less about “real” deployments. I just want to know that it is deployable, maybe whether there are toolkits, access to community forums, sample code. Perhaps other people really do care about real deployments in the first 20 minutes of investigation, but I believe that in fact, what they look for is evidence of a vibrant community. There are NO indications that anything other than the specs in their starkest incarnation are available for people outside Liberty. I’m not saying those things aren’t there. I’m saying that newcomers can’t possibly know one way or the other from the web material.

So. My hypothesis is that if you want to see adoption of Liberty by schmucks off the street like me (and perhaps even a few less guys deciding to brew their own SSO solution, we can always hope), you need to treat these specs like a solution. I should be able to easily discover what context in which the solution is valuable, in what high-level ways I can implement the solution, and who will commiserate with me if I have troubles. If all of that meets my approval, I might then want to take a look at the specs. After that, I may even become interested in joining the Liberty Alliance.

Having met many Liberty people at IOS in July, I know they are passionate people doing great work. I just don’t think that passion is being communicated to those not intimately involved. If the goal is to make the WORLD aware of ID-WSF, and not just insiders, fix the first 20 minutes of user investigation into the framework, and I predict that great things will happen. In my opinion, this is worth just as much time and effort as any of your standards efforts.

Update: Turns out Liberty is way ahead of me, and they are working on a redesign of the website. Thanks for responding with such class (: Paul, I’m holding you to that Leafs game, I’ve never been to Kanata!

I’m LinkedIn, but is LinkedIn linked in?

I’m now a proud member of LinkedIn – entirely due to conversations I was part of during the Identity Open Space in Vancouver last week. This particular site seemed to be the poster child for cases involving portability & accessibility of relationship data. The question on everybody’s mind seemed to be: Assuming that protocols exist to make relationships portable, what possible reason could there be for a site such as LinkedIn to adopt such protocols? Isn’t their identity silo a corporate asset? Technically, you can export your LinkedIn contacts – but the trick is, without some kind of common identifier to re-link your list into other social networks, your list is nothing but a bunch of text strings. Really it isn’t the data itself that is valuable – it is the method by which the data is indexed.

Enter Liberty “PeopleService”. The idea is for users to create & manage relationship lists which are made available & indexed in such a way that they can be leveraged in many places. Every person in the relationship cloud would have an IdP account that is (a) used to authenticate to the PeopleService, and (b) used as part of the “handle” that would be used to uniquely identify this person within a relationship list that might span multiple PeopleServices. This is a woefully simplistic summary of the service, based on a talk given at IOSVan by Paul Madsen, hopefully I’ve got the essence.

The advantages to this plan are straightforward. Users would see the same relationship data at multiple sites, and would only have to maintain those relationships in one place. Sites leveraging this information could gain access to a fully fleshed out network of people without having to persuade their users to input everything from scratch. Best of all, everyone’s computer-unsavvy aunt doesn’t have to be walked through a whole new account creation step every time you want to share something with her on a different site – just get her an IdP account and refer to it forever more.
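The indexing point above (a plain contact export is just text strings, while a handle built from the IdP account re-links the list elsewhere), as an added example that is not code from Liberty ID-WSF or the People Service specification: two constructed sites, one constructed IdP URL, and a handful of made-up accounts, with the same contact list imported once by display name and once by handle.

```python
"""Relationship lists indexed by a federated handle.  Added example, not
code from Liberty ID-WSF or the People Service spec; the handle format, IdP
URL, site names and accounts are constructed for illustration.  A contact
list exported as display names cannot be re-linked into another site (names
collide or are unknown); a list indexed by (IdP, persistent id) handles
re-links unambiguously wherever the person has federated an account."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Handle:
    idp: str             # identity provider vouching for the person
    persistent_id: str   # opaque, stable identifier issued by that IdP


class Site:
    """A site with its own local accounts, some of them federated to an IdP."""

    def __init__(self, name):
        self.name = name
        self.display_names = {}    # local account id -> display name
        self.handle_to_local = {}  # Handle -> local account id

    def add_account(self, local_id, display_name, handle=None):
        self.display_names[local_id] = display_name
        if handle is not None:
            self.handle_to_local[handle] = local_id

    def export_as_text(self, local_ids):
        """What a plain export yields: display names, nothing to index on."""
        return [self.display_names[i] for i in local_ids]

    def import_from_text(self, names):
        """Re-link a text export by display name: exactly one match links,
        several matches are unresolvable, none is unknown."""
        by_name = {}
        for local_id, name in self.display_names.items():
            by_name.setdefault(name, []).append(local_id)
        out = {"linked": [], "ambiguous": [], "unknown": []}
        for name in names:
            matches = by_name.get(name, [])
            if len(matches) == 1:
                out["linked"].append(matches[0])
            elif matches:
                out["ambiguous"].append(name)
            else:
                out["unknown"].append(name)
        return out

    def import_from_handles(self, handles):
        """Re-link a handle-indexed list.  A handle maps to at most one local
        account, so there is no ambiguity; handles with no local account are
        returned so the site can offer an IdP-based invite, not a sign-up."""
        out = {"linked": [], "unlinked": []}
        for h in handles:
            if h in self.handle_to_local:
                out["linked"].append(self.handle_to_local[h])
            else:
                out["unlinked"].append(h)
        return out


class PeopleService:
    """The one place a user maintains a relationship list, keyed by handle."""

    def __init__(self):
        self.lists = {}  # owner Handle -> friend Handles in insertion order

    def add_relationship(self, owner, friend):
        friends = self.lists.setdefault(owner, [])
        if friend not in friends:
            friends.append(friend)

    def relationships(self, owner):
        return list(self.lists.get(owner, []))


IDP = "https://idp.example"   # assumed IdP, not a real service
PAM, PAUL, PAT = (Handle(IDP, f"ps-000{i}") for i in (1, 2, 3))


def demo():
    """Move Pam's contacts from site A to site B both ways; return results."""
    site_a = Site("A")
    site_a.add_account("a1", "Pam", PAM)
    site_a.add_account("a2", "Paul Madsen", PAUL)
    site_a.add_account("a3", "Pat", PAT)
    site_b = Site("B")
    site_b.add_account("b7", "Paul Madsen", PAUL)  # same Paul, federated
    site_b.add_account("b8", "Paul Madsen")        # different Paul, local only
    site_b.add_account("b9", "Pam", PAM)
    # Text export carries names only, so "Paul Madsen" is ambiguous at B.
    text = site_a.export_as_text(["a2", "a3"])
    # The People Service list is indexed by handle and re-links cleanly.
    ps = PeopleService()
    ps.add_relationship(PAM, PAUL)
    ps.add_relationship(PAM, PAT)
    return {"text": site_b.import_from_text(text),
            "handles": site_b.import_from_handles(ps.relationships(PAM))}
```

Calling `demo()` returns the text import with nothing linked (one ambiguous name, one unknown) beside the handle import that links Paul's federated account and reports Pat's handle as not yet federated at site B.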

The problem is, entities who have worked to build their own “zoo” (to use the slashdot term) will need a good solid profitable reason to switch from a successful silo mentality to a federated method, which in their case would seem to be more about giving than taking. The idea that everyone will just suddenly see the light and ‘heed the lessons of Microsoft’ makes me laugh. Not even I’m that optimistic :-)

The way I see it, the only way the plumbing is going to change is if the decision is a business decision and not a technical decision. And the only way I can see that decision-makers who don’t happen to be visionaries in this space will come to understand the benefits, is to be outplayed. In a rosy perfect world, the right startup company will adopt Liberty’s PeopleService (& therefore the rest of the stack) from inception, and build their zoo from scratch. They will sign everyone up to what I predict would be their own ‘locally owned & operated’ IdP & PeopleService, and the resulting zoo + service will be adopted gladly by other sites. At some point the advantage of a wholly owned relationship cloud would consequently dwindle. The advantage will fall to those with valuable meta-data, as Bob Blakley so eloquently pointed out at Catalyst this year.

Can I pause to ask a dumb question? Is it really a given that moving ownership of the zoo from application silos to IdPs gives more power and/or convenience to the user? Pete Rowley asked at IOS Van whether the Liberty folks were just architecting yet another identity silo. His comment started me down the path of pondering what happens when you distribute ownership of the zoo, but merge usage from an RP perspective. Seems to me that vertical silos will be replaced by horizontal silos. Sure, in theory no one IdP would control all the users – but they will control all the sites that their own local userbase can access, through negotiation of trust relationships and/or contractual red tape, however that works. This seems to me to potentially be much more powerful than the clout wielded today by a Yahoo! or a LinkedIn. Are we leaping from the frying pan into the fire, trading application lock-in for IdP lock-in, or is the portability built into the protocol enough to make sure that a user can dodge that kind of pitfall with their relationship lists intact?

Either way — wanna connect?

— Pam