Identity Tech


Being in the identity space, and having a product that manages people’s identity, the topic of privacy comes up often. In development of Sxipper we had a goal of making sure we were protecting people’s privacy, not reducing it. Perhaps it is because we are Canadian where privacy is a right, and privacy laws restrict what organizations can do with your personal information. This is in sharp contrast to US privacy laws which are about stating what organizations can do with your personal information. Sxipper’s privacy policy is all about what we will and won’t do with your data, with an emphasis on what we will NOT do.

Discussing this topic has led to questions about when is using someone’s data perceived as a privacy problem and I came up with Dick’s Privacy Guideline. (note there is only one guideline, and yes, I did just make up the name)

If the user is pleasantly surprised or does not notice, the use of identity information is a feature. If the user is unpleasantly surprised, then it is a privacy problem.

For example, if you add a book on Barbados to your Amazon shopping cart, you will see recommendations of books bought by other people who also bought that book. Most people will think this is either a pleasant surprise as they see additional books they are interested in, or not really notice.

Contrast this with buying the book on Barbados on Amazon, and then going to Facebook and seeing an advertisement for a Barbados hotel. This is not a pleasant surprise. You wonder how Facebook found out about your interest in Barbados.

As a guideline, it is a little fuzzy, but we have found it useful when building Sxipper to have a seamless user experience by gathering and remembering identity information while avoiding unpleasant surprises.

I have heard a number of great things about Dave Morin at Facebook and have been wanting to chat with him about his views on identity for a while, and yesterday I had the opportunity to sit down with him and Josh Elman. For those that don’t know Dave, he is one of the driving forces behind the Facebook platform and Facebook Connect.

While there is an opportunity for Facebook to be a successful identity silo through Facebook Connect (see my previous post), Dave and Josh are interested in helping Identity 2.0 become a reality. They expressed sincere interest in seeing how OpenID can fit into Facebook Connect. This is a great opportunity for the OpenID community to come together to work with an organization committed to open platforms (see their support of the Open Web Foundation) and that has demonstrated leadership in solving internet identity problems.

My post yesterday on Facebook Connect raised a few eyebrows. I had a few discussions with people and a comparison of consumer identity solutions past and present may provide some context. (I have excluded InfoCards as I see them as a strong, enterprise grade solution that is currently too heavy for general consumer use.)

Passport

Microsoft rolled out Passport in 1999. There was much concern that Microsoft would control an essential component of the Internet, and many other industry players rallied around Project Liberty (an apt name) to provide an alternative. Passport was rejected by the broader Internet community, and while Liberty mobilized an industry, the Liberty solutions were also rejected by the Internet community. Why was Passport rejected? If you have seen any of my earlier talks, you have seen a list of points:

  • Cost: Quoted price was $10,000 per site. Out of range for small sites.
  • Installation: Proprietary code supplied by Microsoft. Big sites using open source were not all that keen to put some proprietary code into a critical part of their infrastructure. Unix code was problematic to install and get running.
  • Functionality: SSO, minimal profile at times.
  • Centralization: although Microsoft announced in 2001 that enterprises could run their own federated identity servers, it was not an open environment and the perception that the system was Microsoft controlled was firmly entrenched in the market.

In spite of this, a number of sites did integrate support for Passport. Hard to turn down removing some of the friction in getting at the 165M users — even if only a small percentage of them knew they had a Passport account. The Passport user experience was (and is) reasonably straightforward. You see a graphic that the site used Passport, you click on it. You type in your Passport credentials if you don’t have an active session, and voila, you are logged in.

Now re-branded as Live ID, the system is still by far the largest authentication system in the world and permeates most Microsoft web properties.

OpenID

As an author of the OpenID specifications and a promoter of user-centric identity, I clearly have a bias towards OpenID. With no entry fee, open source libraries for all the major web platforms, the promise of rich profile exchange, and no central control: OpenID 2.0 seems to address all the issues of Passport (and Liberty).

But, concerns about Security and Usability abound. Both SREG and AX exist for moving user profile data, with many OPs opting out of providing that functionality. With AOL, Yahoo!, Blogger and now Orange and MySpace being OpenID providers: there is a large install base. Similar to the early days of Passport though, the vast majority of those users don’t know they have an OpenID. But even if they did, using OpenID on a relying party’s site is inconsistent, and frankly — typing in a URL is pretty geeky to most users.

Facebook Connect

Facebook has had some tools to leverage the Facebook accounts in the past, but Facebook Connect looks to substantially add more value to a site. Let’s start with the user experience. The user sees the familiar Facebook logo on the site and knows they can use their Facebook account. The user clicks on it, goes to Facebook, and then goes back. A pattern the user is familiar with if they have installed a Facebook app.

The relying party has access to a rich set of profile data that includes their social graph. Additionally, the privacy settings the user has already configured about their profile data are used to determine what gets exposed to whom. The site does not need to manage the privacy settings, and nothing new for the user to configure.

From the user’s point of view, there are hardly any barriers to having a rich experience on a site using Facebook Connect. You get to see the familiar profile photos of all your friends on the other site, the people you have blocked can’t see what you do, and your inner circle of friends get to see deeper information than your casual friends. All with a few clicks of the mouse.

The killer feature though is something that will be hard for other potential platforms to do. Facebook strives to only have real identities. In the participatory web, the enemy has been the lack of accountability. Trolls pollute the conversation, spammers fill the web with garbage, and promoters try to game the system. Facebook kills off accounts that are not real people. I know. We had an account for Sxipper on Facebook. Sxipper only lived a few weeks. With the rich profile and feed data that a real user has, the barrier to creating what appears to be a legitimate account is very high. For many Facebook users, losing their Facebook account would be a catastrophe — so the motivation to behave is high for many — which is why there is little spam in Facebook. Put this in sharp contrast to the barriers to creating an OpenID at Yahoo!, Blogger, AOL or MySpace. (There is little, Orange being an exception for OpenIDs associated with their customers.) Other social networks such as MySpace, Orkut etc. can’t provide the same level of assurance of accountability.

But OpenID has ____ …

Yes, there are far more users with OpenIDs. OpenID fits into the vision of the Open Web. There is so much more that can be built on OpenID. And what about the Digg screen shots at F8 showing OpenID in addition to Facebook Connect? Digg is going to want to try and keep Facebook honest, and they understand that some users will reject helping Facebook create a monopoly on identity, so it makes sense to support OpenID. But for your average user, the experience of using Facebook to login will be vastly superior. OpenID may be the desktop Linux to Facebook’s Windows. A geeky solution for the rebels.

… and the issue is?

Facebook Connect provides great value to the user, great value to the site, and deepens the dependency of the user on Facebook, which is great for Facebook. Not so great for Facebook competitors. While I empathize with the competitors, we live in a capitalistic society. I am concerned that a centralized identity store is a bad thing for the internet and will delay the arrival of Identity 2.0.

Facebook will have little interest in moving around rich claims from different providers. There is no clear value to them as a consumer grade site to implement strong security. While CardSpace can provide these richer identity transactions: for many sites, Facebook Connect will be “good enough”. It will be interesting to see how the next few months unfold and how the rest of the web platforms respond to Facebook Connect; and if a new “Liberty” emerges to prevent Facebook from building an identity monopoly. With any luck, everyone including Facebook will come together and build Identity 2.0.
