Identity 2.0 (http://identity20.com): The next generation of Identity

No More Microsoft Dick, No More Identity 2.0
http://identity20.com/?p=199
Posted Sun, 17 Jan 2010 04:14:14 +0000 by Dick

Yesterday was my last day at Microsoft. You can read more at Dick Hardt dot org.

Now that I am not constrained by Microsoft policies, I plan on writing about a variety of topics that have been bubbling in my head for the past year: OpenID v Next, Company Culture, Online Privacy, etc.

As for this site, the “2.0” branding seems so last decade now. I will be putting this identity into stasis and doing all my new writing at Dick Hardt dot org, where I will discuss how digital identity is becoming reality.

digital identity becoming real

Identity, Privacy and Facebook
http://identity20.com/?p=195
Posted Thu, 29 Oct 2009 20:06:21 +0000 by Dick

Any conversation about identity leads to a conversation about privacy. Identity by its nature is a very personal topic, and people are concerned about who can see what about them. In the past, the high friction in moving information provided some privacy protection. Now, as more of our identity becomes digital and the friction in moving it around has dropped dramatically, the risk of privacy issues has subsequently increased.

Facebook is an iconic example of the intersection of identity and privacy. There are internal and external applications that enable the user to easily share an unprecedented variety of information about themselves, with the brand promise that the user is able to control who can see what information about them.

Some of you may be familiar with the privacy problem I had with Facebook last spring. (No, I’m not going to provide a link to it, since I would prefer it just went away – so please don’t go looking for it!) Although there was a basis to start a legal action, I prefer solving problems rather than complaining about them. I had a productive conversation with the team on Facebook, a company that takes privacy very seriously. I provided them with feedback on how to improve some of their processes, and they asked me to review their new Privacy Policy, which was just published today.

The new policy makes it more clear what will happen when, and directs the reader to where they can make adjustments if they prefer settings other than the defaults.

Who makes more money than me?
http://identity20.com/?p=193
Posted Sun, 22 Feb 2009 23:45:09 +0000 by Dick

Doing my usual Facebook maintenance tonight and I see another intriguing advertisement. The mix of the hot chicks and making more money got me wondering what it was all about. Was this an ad for swim suit models? Who could be behind such an ad?

Well, it is my “old friend” Jeff who is now “Dave Williams from Bellevue, WA”. Interesting. I live in Bellevue WA as well. Nice targeted marketing Dave/Jeff/Kevin. Even though he is now Dave, the image filename is still “about_jeff.gif”. He still is showing the “stimulus” check that he got from the US Treasury. Guessing he got that check (yeah, right), figured out how to run ads on Facebook and Google to get paid to send people to a site selling a kit to make money from Google. This sounds like the kit that Dave/Jeff/Kevin bought where he learned he could make money sending other people to buy the kit. Image of ad below. Link was http://davegetsgreen.com/.

I want my stimulus: but is it Jeff or Kevin?
http://identity20.com/?p=183
Posted Mon, 02 Feb 2009 06:38:54 +0000 by Dick

While getting my nightly dose of Facebook, I came across the following two ads on the same page:

Facebook stimulus ads

With both ads offering to help me get some money, I had to check them out. Here are screenshots of the pages I landed on:


Well, I guess we have some A|B testing going on here. Same style, same photo for both Jeff Donahue and Kevin Hoeffe. At least they are on different URLs and have different comments. The photoshopped name on the check is a nice touch.  My confidence in the advice from either one of them on getting a grant? Zero. I see this as a great demonstration of how we need to make the Internet more accountable.

Privacy Issue or Feature: Unpleasant vs Pleasant Surprise
http://identity20.com/?p=173
Posted Fri, 12 Dec 2008 07:59:51 +0000 by Dick

Being in the identity space, and having a product that manages people’s identity, the topic of privacy comes up often. In development of Sxipper we had a goal of making sure we were protecting people’s privacy, not reducing it. Perhaps it is because we are Canadian where privacy is a right, and privacy laws restrict what organizations can do with your personal information. This is in sharp contrast to US privacy laws which are about stating what organizations can do with your personal information. Sxipper’s privacy policy is all about what we will and won’t do with your data, with an emphasis on what we will NOT do.

Discussing this topic has led to questions about when using someone’s data is perceived as a privacy problem, and I came up with Dick’s Privacy Guideline. (Note there is only one guideline, and yes, I did just make up the name.)

If the user is pleasantly surprised or does not notice, the use of identity information is a feature. If the user is unpleasantly surprised, then it is a privacy problem.

For example, if you add a book on Barbados to your Amazon shopping cart, you will see recommendations of books bought by other people who also bought that book. Most people will either think this is a pleasant surprise, as they see additional books they are interested in, or not really notice.

Contrast this with buying the book on Barbados on Amazon, and then going to Facebook and seeing an advertisement for a Barbados hotel. This is not a pleasant surprise. You wonder how Facebook found out about your interest in Barbados.

As a guideline, it is a little fuzzy, but we have found it useful when building Sxipper to have a seamless user experience by gathering and remembering identity information while avoiding unpleasant surprises.

Dick Hardt joins Microsoft
http://identity20.com/?p=171
Posted Wed, 10 Dec 2008 00:48:08 +0000 by Dick

No joke. Yes, I am joining Microsoft. For those with questions, I hope to have answered them below:

Q: You’re joining the Borg! Have you sold out?

A: Well, I don’t think I have sold out. I was recruited to Microsoft because I am an independent thinker. I have worked with open source and internet technologies for 15 years — and at ActiveState, bridged the gap between them and Microsoft. There are many people I respect in the identity space that are working at Microsoft, and that are doing “the right thing”. I will be joining my foo camp friends Jon Udell, Dana Boyd and of course Ray Ozzie.

Q: But you are an entrepreneur, why go to a big company?

A: I am very much an entrepreneur and am pretty risk oblivious — the financial security of a job is not a driver for me, even in the current financial environment — in fact the lower beta and reduction in potential upside is a negative factor. I have been an entrepreneur for a long time. Been there, done that. Lots of failures. A few successes. I view the opportunity to come in at a senior level and learn how big enterprise and big software works as a great learning experience. I’m also excited about changes that are afoot at Microsoft such as Azure and to work beside a bunch of really smart people!

Q: What will you be doing?

A: I will have the title Partner Architect and will be working on consumer, enterprise and government identity problems. My open source, open web and digital community experience will continue to guide my thinking. For me, this is an opportunity to work on the identity problems I have been toiling over for the last six years, but now with massive resources.

Q: But, hey, don’t you use a Mac?

A: Yes. And I will continue to use a Mac as long as I am more productive on that platform. (Hint to Windows 7 team — make me more productive!)

Q: Is Microsoft buying Sxipper / Sxip Identity?

A: No. Microsoft is hiring Dick Hardt.

Q: What’s happening to Sxipper?

A: I will continue on as Chair of Sxipper, Inc. We have a small, dedicated team that will continue to advance the technology and start to find revenue sources so that it can be self sufficient in 2009.

Q: What happened to Sxip Identity?

A: A year ago we were in the midst of numerous discussions for the company to be acquired. Unfortunately those did not transpire and we sold off the Sxip Access product line to Ping and some new SSO technology to TriCipher. A few of our investors were unhappy we did not have a successful exit, and launched a lawsuit which crippled the company. The Sxipper product was sold to Sxipper, Inc. where it has thrived, and Sxip Identity is being wound up.

Q: What will happen to the Identity 2.0 blog?

A: I will continue to blog here, and hope I will be able to write more often!

Q: Will you be moving to Redmond?

A: Yes. And yes, my fiance will be joining me. If you are interested in the more personal aspects of the move, check out my Blame Canada post.

Canada vs US: Identity and Voting
http://identity20.com/?p=159
Posted Fri, 10 Oct 2008 04:25:34 +0000 by Dick

Like many other Canadians, I have been entertained by the reality television series: Election 2008. The issue of identity and ability to vote came to mind as it is a widely held belief that this is the basis of Freedom and Democracy. Advance voter registration is required in all states except Connecticut, Idaho, Maine, Minnesota, Montana, New Hampshire, Wisconsin and Wyoming. North Dakota does not even have advanced voter registration.

In Canada, everyone can register at the polls. Voter registration is a convenience so that you can vote faster. Very Canadian, but it does not stop there. You don’t even need identification in Canada! Yep, you can choose Option 3 where you “Swear an oath and be vouched for by an elector who is on the list of electors in the same polling division and who has an acceptable piece or pieces of identification (e.g. a neighbour, your roommate).” Welcome to Canada!

Facebook Connect update
http://identity20.com/?p=155
Posted Thu, 31 Jul 2008 13:56:04 +0000 by Dick

I have heard a number of great things about Dave Morin at Facebook and have been wanting to chat with him about his views on identity for a while, and yesterday I had the opportunity to sit down with him and Josh Elman. For those that don’t know Dave, he is one of the driving forces behind the Facebook platform and Facebook Connect.

While there is an opportunity for Facebook to be a successful identity silo through Facebook Connect (see my previous post), Dave and Josh are interested in helping Identity 2.0 become a reality. They expressed sincere interest in seeing how OpenID can fit into Facebook Connect. This is a great opportunity for the OpenID community to come together to work with an organization committed to open platforms (see their support of the Open Web Foundation) and that has demonstrated leadership in solving internet identity problems.

Passport vs OpenID vs Facebook Connect
http://identity20.com/?p=153
Posted Fri, 25 Jul 2008 02:04:36 +0000 by Dick

My post yesterday on Facebook Connect raised a few eyebrows. I had a few discussions with people and a comparison of consumer identity solutions past and present may provide some context. (I have excluded InfoCards as I see them as a strong, enterprise grade solution that is currently too heavy for general consumer use.)

Passport

Microsoft rolled out Passport in 1999. There was much concern that Microsoft would control an essential component of the Internet, and many other industry players rallied around Project Liberty (an apt name) to provide an alternative. Passport was rejected by the broader Internet community, and while Liberty mobilized an industry, the Liberty solutions were also rejected by the Internet community. Why was Passport rejected? If you have seen any of my earlier talks, you have seen a list of points:

  • Cost: Quoted price was $10,000 per site. Out of range for small sites.
  • Installation: Proprietary code supplied by Microsoft. Big sites using open source were not all that keen to put some proprietary code into a critical part of their infrastructure. Unix code was problematic to install and get running.
  • Functionality: SSO, minimal profile at times.
  • Centralization: although Microsoft announced in 2001 that enterprises could run their own federated identity servers, it was not an open environment and the perception that the system was Microsoft controlled was firmly entrenched in the market.

In spite of this, a number of sites did integrate support for Passport. Hard to turn down removing some of the friction in getting at the 165M users — even if only a small percentage of them knew they had a Passport account. The Passport user experience was (and is) reasonably straightforward. You see a graphic that the site used Passport, you click on it. You type in your Passport credentials if you don’t have an active session, and voila, you are logged in.

Now re-branded as Live ID, the system is still by far the largest authentication system in the world and permeates most Microsoft web properties.

OpenID

As an author of the OpenID specifications and a promoter of user-centric identity, I clearly have a bias towards OpenID. With no entry fee, open source libraries for all the major web platforms, the promise of rich profile exchange, and no central control: OpenID 2.0 seems to address all the issues of Passport (and Liberty).

But, concerns about Security and Usability abound. Both SREG and AX exist for moving user profile data, with many OPs opting out of providing that functionality. With AOL, Yahoo!, Blogger and now Orange and MySpace being OpenID providers: there is a large install base. Similar to the early days of Passport though, the vast majority of those users don’t know they have an OpenID. But even if they did, using OpenID on a relying party’s site is inconsistent, and frankly — typing in a URL is pretty geeky to most users.

Facebook Connect

Facebook has had some tools to leverage the Facebook accounts in the past, but Facebook Connect looks to substantially add more value to a site. Let’s start with the user experience. The user sees the familiar Facebook logo on the site and knows they can use their Facebook account. The user clicks on it, goes to Facebook, and then goes back. A pattern the user is familiar with if they have installed a Facebook app.

The relying party has access to a rich set of profile data that includes their social graph. Additionally, the privacy settings the user has already configured about their profile data are used to determine what gets exposed to whom. The site does not need to manage the privacy settings, and nothing new for the user to configure.

From the user’s point of view, there are hardly any barriers to having a rich experience on a site using Facebook Connect. You get to see the familiar profile photos of all your friends on the other site, the people you have blocked can’t see what you do, and your inner circle of friends get to see deeper information than your casual friends. All with a few clicks of the mouse.

The killer feature though is something that will be hard for other potential platforms to do. Facebook strives to only have real identities. In the participatory web, the enemy has been the lack of accountability. Trolls pollute the conversation,  spammers fill the web with garbage, and promoters try to game the system. Facebook kills off accounts that are not real people. I know. We had an account for Sxipper on Facebook. Sxipper only lived a few weeks. With the rich profile and feed data that a real user has, the barrier to creating what appears to be a legitimate account is very high. For many Facebook users, losing their Facebook account would be a catastrophe — so the motivation to behave is high for many — which is why there is little spam in Facebook.  Put this in sharp contrast to the barriers to creating an OpenID at Yahoo!, Blogger, AOL or MySpace. (There is little, Orange being an exception for OpenIDs associated with their customers.)  Other social networks such as MySpace, Orkut etc. can’t provide the same level of assurance of accountability.

But OpenID has ____ …

Yes, there are far more users with OpenIDs. OpenID fits into the vision of the Open Web. There is so much more that can be built on OpenID. And what about the Digg screen shots at F8 showing OpenID in addition to Facebook Connect? Digg is going to want to try and keep Facebook honest, and they understand that some users will reject helping Facebook create a monopoly on identity, so it makes sense to support OpenID. But for your average user, the experience of using Facebook to login will be vastly superior. OpenID may be the desktop Linux to Facebook’s Windows. A geeky solution for the rebels.

… and the issue is?

Facebook Connect provides great value to the user, great value to the site, and deepens the dependency of the user on Facebook, which is great for Facebook. Not so great for Facebook competitors. While I empathize with the competitors, we live in a capitalistic society. I am concerned that a centralized identity store is a bad thing for the internet and will delay the arrival of Identity 2.0.

Facebook will have little interest in moving around rich claims from different providers. There is no clear value to them as a consumer grade site to implement strong security. While CardSpace can provide these richer identity transactions: for many sites, Facebook Connect will be “good enough”. It will be interesting to see how the next few months unfold and how the rest of the web platforms respond to Facebook Connect; and if a new “Liberty” emerges to prevent Facebook from building an identity monopoly. With any luck, everyone including Facebook will come together and build Identity 2.0.

Facebook Connect - fatal blow for OpenID?
http://identity20.com/?p=151
Posted Wed, 23 Jul 2008 22:13:42 +0000 by Dick

At F8 today, Facebook rolled out their Facebook Connect platform. With a small amount of code, other sites can integrate the Facebook identity system into their site. The keynote reminded me of early days of Microsoft as they rallied developers to build on their platform by explaining how the platform can help them and being inclusive. They even seemed humble as they talked about what they have done wrong in the past and then reaching out to developers asking for their feedback. They even have a fund and a competition for best applications.

Facebook Connect is a powerful identity system. Using Facebook Connect, a site gets access to the user’s profile data and the user’s friends. For sites such as Digg and Movable Type that want to make users accountable for their activity, there is an implicit reputation of the user based on the depth of the profile. It is much more difficult for a spammer to build a Facebook identity to spam these participatory sites. Facebook is all about real identity rather than a fake persona. Facebook even has rich privacy controls so that users feel in control of who sees what.

The promise of OpenID was to make login simple and move profile data. A number of us have been looking at using OpenID to make an accountable web. Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed.

The announcement from MySpace supporting OpenID may enable a more open identity system to evolve, but Facebook has a compelling offering that provides significant value to sites — well, as soon as Facebook Connect is launched anyway.
