I presented this talk on September 23 to the Computer Science and Telecommunications Board of the National Academies in Washington DC. It has three parts:
1) What is User Centric Digital Identity
2) What are the technologies that have been developed to date
3) Emerging work on developing a Personal Data Ecosystem.
User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies
1. User-Centric
Digital Identity
September 23
presentation to
Computer Science and Telecommunications Board
National Academies
by Kaliya Hamlin
@identitywoman
http://www.identitywoman.net
kaliya@identitywoman.net
Internet Identity Workshop http://www.internetidentityworkshop.com
Friday, September 24, 2010
2. Where does my personal inspiration about user-centric digital identity come from?
Building Identity and Trust into the Next Generation Internet
asn.planetwork.net
3. Who am I?
IDENTITY GANG! Internet Identity Workshop, formed in 2004
iiw.idcommons.net
www.internetidentityworkshop.com
4. Broad Base of Participation
Sponsors and participants shown on the slide, grouped as Big Company Sponsors, Small Company Sponsors, Nonprofit Sponsors, Corporate Participants, Small Company Participants, Nonprofit Participants, University Participants and Government Participants:
MSFT, FuGen Solutions, ISOC, PingID, OUNO, Kantara/Liberty Alliance, SUN, Rel-ID, Info Card Foundation, Paypal, Facebook, Poken, OASIS IDTrust, Booz Allen Hamilton, Google, Vidoop, Mozilla, Apple, Yahoo, Chimp, Higgins Project, Cisco, Burton Group, Authentrus, Ångströ, Bandit Project, Hewlett Packard, Digg, Inc., Plaxo, Sxip, Planetwork, International Business Machines, Privo, Internet Society, Commerce Net, Intuit, ClaimID, Expensify, Adobe, LexisNexis, FamilySearch.org, BT, Nippon Telegraph and Telephone Corporation, FreshBooks, Novell, Nokia Siemens Networks, Gigya, Center for Democracy and Technology, NRI, Gluu, AOL, Oracle, Janrain, DataPortability Project, Ping Identity, Orange, Kynetx, IdM Network Netherlands, Paypal / eBay, Rackspace, NetMesh Inc., OCLC, Radiant Logic, Protiviti, Open Forum Foundation, World Economic Forum, Sony Ericsson, The MITRE Corporation, IETF, Socialtext, TriCipher, Inc., Tucows Inc, VeriSign, Inc., W3C, Trusted-ID, Wave Systems, Goldsmiths, University of London, Newcastle University, Stanford University, Vodafone Group R&D, Alcatel-Lucent, OASIS, Six Apart, Acxiom Identity Solutions, Acxiom Research, Equifax, Office of the Chief Information Officer, Province of British Columbia, LinkedIn, Amazon, and more...
7. Talk Outline
What is User-Centric Digital Identity
(including how it arose in contrast to non-user-centric identity)
Technologies that have been developed to date:
OpenID, Information Cards, XRD, OAuth, UMA, SAML
Emerging: The Personal Data Ecology
8. What is Digital Identity?
http://www.digital-identities.com/
The »Gestalt« of digital identity http://www.flickr.com/photos/wertarbeit/3825274153/in/photostream/
9. Identifiers vs. Claims
Identifiers: a single string. Identifiers link things together and enable correlation. They can be endpoints on the internet.
Claims: pairs. A claim is made by one party about another or about itself. It does not have to be linked to an identifier. For example, proving you are over 18 without giving your real name.
10. What is User Centric Digital Identity?
Big Co.
Web 1.0 Web 2.0
11. What is User Centric Digital Identity?
12. The Identity Dog
Represents 2 things:
* Freedom to be who you want to be
* Freedom to share more specific info about yourself that is validated
13. What is User Centric Digital Identity?
17. X
Why does User Centric Digital Identity Matter?
http://www.fullenglishfood.com/?p=799
18. Buddhist in Tennessee
http://religions.iloveindia.com/buddhism.html http://wwp.greenwichmeantime.com/time-zone/usa/tennessee/map.htm
19. Women having the freedom not to present as women.
Why James Chartrand Wears Women’s Underpants
http://www.copyblogger.com/james-chartrand-underpants/
20. Real world examples of women managing different personae, from the She’s Geeky conference.
First example: 1) Live Journal Friends 2) Professional ID 3) Feminist Identity
Second example: 1) Me, linked to real name 2) Spiritual 3) Gaming
Third example: 1) Totally professional on own domain, GMail, LinkedIn 2) Social, but me, on Facebook 3) Spiritual, under a pseudonym on Live Journal
24. Freedom of Action
Teachers being able to drink socially in their own time. Young people free to explore themselves.
Blizzard’s World of Warcraft in-game ID vs. the “RealID” change.
This comes from not having all contexts linked together.
25. How do people “get” User Centric Digital Identity today?
Hack it together with handles from web mail providers or on a service like Twitter.
Challenge with e-mail addresses as identities: the communications token is the “ID”.
Google profiles, Yahoo! profiles, Facebook, LinkedIn
29. Freedom to not be “erased” under TOS
What are our rights in these commercial spaces governed by Terms of Service?
How are we “citizens” in private space?
In physical life we have protection of our physical self - people will be prosecuted for harming us. What is the equivalent in online spaces?
30. How do people “get” User Centric Digital Identity today?
Identifier side: own their own domain name. Have a blog? Run an OpenID server?
Claims based side: almost impossible. Little relying party adoption (places where 3rd party or self generated claims will be accepted). Little client side app adoption.
31. Why have we yet to succeed?
It is a REALLY hard problem set to solve for: User Centric Digital Identity that is
1. open standards based
2. at the scale of the internet + other digital systems
3. that people find usable
4. that they understand
5. that is secure
6. it requires emergence of new social behavior
7. and changes business models & norms
33. It isn’t just a technical problem
Diagram: TECHNOLOGY, SOCIAL, BUSINESS and LEGAL arranged around a question mark.
34. We are still trying to make the vision real
Are we succeeding? With particular protocols, with various levels of adoption.
35. What were User Centric Digital Identity ideas arising in response to?
36. These reasons were covered in the above
Corporate mediated ID (Facebook LinkedIn).
Desire to have online world map to how ID
works in physical world - selective disclosure.
A Bazillion different accounts.
Identity is socially constructed not
institutionally issued.
37. Corporate Issued IDs from employers
http://www.smartdraw.com/blog/archive/2008/09/04/four-ways-to-make-your-org-charts-more-useful.aspx
38. Corporate Issued IDs for customers
frequent flier, customer number, health insurance number
http://usresident.com/
39. The claim there is no separation between online and offline life
41. Participants in the Federated Social Web Summit.
Pre-Open Source Convention
July 18th, 2010, Portland, Oregon, USA
42. Protocols are Political
It gets to the heart of what it means to have a civil
society, how we organize together. The choices made in
creating these architectures now will shape the future.
http://www.treehugger.com/files/2010/07/thousands-of-undiscovered-plants-face-extinction.php http://www.moviecritic.com.au/your-favourite-cinematic-dystopian-future/
48. What is the context for people gathering?
“We’re trying to build a social layer for everything.”
- Mark Zuckerberg
49. Freedom of Movement and Assembly
Freedom to group and cluster outside commercial silos & business contexts.
50. Freedom to Peer-to-Peer Link
Freedom to determine how the link is seen by others
51. How can people and groups be first class objects on the web (and other electronic networks)?
52. User Centric Digital Identity is the:
• Freedom to Aggregate
• Freedom to Disaggregate
• Freedom to not be “erased” under TOS
• Freedom of Movement and Assembly
• Freedom to Peer-to-Peer link & the
Freedom to determine if the link is seen
by others
69. OpenID has a Ton of Issues
• security
• no payload - identifiers are not enough
• people donʼt understand the URL format
• people donʼt have their own domains
• often a 3rd level domain
• Nascar Problem
• ADOPTION
• Namespace issue - “solved Facebook”
70. Facebook Connect (as pitched to sites)
Users take actions on your site. Users come to your site to consume your unique content. They take actions like commenting, reviewing, making purchases, rating, and more.
Users share with friends, who discover your site. With Facebook Connect, users can easily share your content and their actions with their friends on Facebook. As these friends discover your content, they click back to your site, engaging with your content and completing the viral loop.
Social features increase engagement. Creating deeper, more social integrations keeps users engaged with your site longer, and more likely to take actions they share with their friends. (For example, don’t just show users what’s most popular on your site, but what’s most popular with their friends on your site.)
71. Proposal for OpenID Connect
The response is a JSON object which contains some (or all) of the
following reserved keys:
• user_id - e.g. "https://graph.facebook.com/24400320"
• asserted_user - true if the access token presented was issued by
this user, false if it is for a different user
• profile_urls - an array of URLs that belong to the user
• display_name - e.g. "David Recordon"
• given_name - e.g. "David"
• family_name - e.g. "Recordon"
• email - e.g. "recordond@gmail.com"
• picture - e.g. "http://graph.facebook.com/davidrecordon/picture"
The server is free to add additional data to this response (such as
Portable Contacts) so long as they do not change the reserved OpenID
Connect keys.
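As an added example (not part of the talk or of the proposal quoted above), a relying-party-side check in Python for a response of this shape: it verifies the JSON types of the reserved keys, requires user_id and each profile_urls entry to be an absolute http(s) URL, refuses any response whose asserted_user is not true (a token issued for a different user must not log anyone in), and passes extension keys through untouched. The sample responses, the example.com URLs and the function names are constructed for this illustration.

```python
import json
from urllib.parse import urlparse

# Reserved keys from the 2010 OpenID Connect proposal quoted above, with the
# JSON type each is expected to carry (profile_urls is an array of URLs).
RESERVED_KEYS = {
    "user_id": str, "asserted_user": bool, "profile_urls": list,
    "display_name": str, "given_name": str, "family_name": str,
    "email": str, "picture": str,
}

class ConnectResponseError(ValueError):
    """The response cannot be trusted as describing the presenting user."""

def _is_http_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def parse_connect_response(raw):
    """Return (user_id, data) for a trustworthy response, else raise.
    Reserved keys must carry the right JSON type, user_id and profile_urls
    entries must be absolute http(s) URLs, and asserted_user must be true
    (a token issued for a different user must not log anyone in)."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ConnectResponseError("response is not a JSON object")
    for key, expected in RESERVED_KEYS.items():
        if key in data and not isinstance(data[key], expected):
            raise ConnectResponseError("reserved key %r has wrong type" % key)
    user_id = data.get("user_id")
    if user_id is None or not _is_http_url(user_id):
        raise ConnectResponseError("user_id missing or not an absolute URL")
    if data.get("asserted_user") is not True:
        raise ConnectResponseError("access token was not issued by this user")
    for url in data.get("profile_urls", []):
        if not isinstance(url, str) or not _is_http_url(url):
            raise ConnectResponseError("profile_urls contains a non-URL entry")
    # Extra keys (e.g. Portable Contacts data) are returned untouched.
    return user_id, data

# Constructed sample responses (hypothetical server, example.com URLs).
GOOD = json.dumps({"user_id": "https://example.com/users/42", "asserted_user": True,
                   "profile_urls": ["https://example.com/42"], "display_name": "Jane Q",
                   "email": "jane@example.com", "extension_data": {"tags": ["pc"]}})
OTHER_USER = json.dumps({"user_id": "https://example.com/users/43", "asserted_user": False})
BAD_TYPE = json.dumps({"user_id": "https://example.com/users/44", "asserted_user": "true"})

def check_sample(raw):
    """Return the accepted user_id, or None when the response is rejected."""
    try:
        return parse_connect_response(raw)[0]
    except ConnectResponseError:
        return None
```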
77. Managed Cards Come in two Flavors
“Phones Home”: an employer-issued employee ID; the employer sees where it is used.
Doesn’t “Phone Home”: a government-issued age verification, just like a driver’s license in the real world.
79. Information Cards have a ton of issues:
• Relying Party Adoption
• why shift to claims from identifiers
• Where are the libraries and tools for Relying
parties
• Client Download Required
• New User Experience
• What are Active Clients and How do they work
• Risk & Liability Models are Unclear
• If a claim is validated and it is untrue who is liable
85. OStatus isn't a new protocol; it
applies some great protocols in a natural
and reasonable way to make distributed
social networking possible.
• Activity Streams encode social events in
standard Atom or RSS feeds.
• PubSubHubbub pushes those feeds in
realtime to subscribers across the Web.
• Salmon notifies people of responses to
their status updates.
• Webfinger makes it easy to find people
across social sites.
102. SAML
SAML has two parts used in higher education
1. Authentication
2. Profiles
103. Big Challenge Protocol Interop
104. Big Challenges
RP adoption at scale.
Integration/adoption of active identity clients (“identity-in-the-browser”) and/or cloud identity services.
Addressing the gap between what these protocols do (federated authentication, authorization, and simple third-party claims transfer) and what the market really needs (compelling solutions built on top of these tools that integrate other key components like personal data stores).
Harmonizing all of this with government policy and initiatives like US ICAM and NSTIC and UK Direct Gov open identity requirements.
105. ICAM and NSTIC
Portable trusted Identities for government.
With the ability to use commercially vetted
identities to interact with government.
Reading NSTIC there is the potential to
have verified anonymity be part of the
ecology.
107. Trust Frameworks / Policy Repositories
Diagram (Open Identity Exchange): a Policy Repository for Auditors, Levels of Assurance and Levels of Protection, with columns for Trust Frameworks, Identity Providers and Relying Parties. Names shown: ICAM, OCLC, PBS Kids, John Steensen, Other Auditor, Google, PayPal, Equifax, Yahoo!, Relying Party, Other Relying Party, XAuth.
109. Generating More Data than Ever
I put on The Big Data Workshop April 23, 2010
http://www.bigdataworkshop.com
110. Less Control Than Ever
111. Can people control the flow of data about them from:
1. Self to others?
2. Self to institutions?
112. Do you have a copy of what you put out on the web?
Implicit and Explicit Data
More and more digital devices collecting more data
116. We should have our own picture of our “digital selves” or digital projection.
Questions:
• How do we get it (the picture - the data)?
• Who do we trust to manage it?
• How do we get insight into it?
• What is the legal protection it is afforded?
118. Who you are and what you care about should not be the possession of someone else.
119. Time/space stamping
You can reconstruct who it is without PII attached to it
It makes the technical architectures matter more
and the legal frameworks critical.
120. Personal Data Store Ecology
Open Standards based Personal Data Stores with people, groups and businesses as first class objects. It will include full data portability and a range of services.
127. Stack for Personal Data Banks & Personal Data Exchanges, by Marc Davis (from IIW10)
Layers, top to bottom: $ / APPLICATIONS / EXCHANGE / REFINEMENT / STORAGE / ID + ENCRYPTION / DATA + META DATA / DATA SOURCES
128. Higgins Project vs. XDI Stack
Higgins Project: Persona Data Model 2.0; uses the card metaphor; linkable dictionary of terms; RDF based; standardized at W3C; APIs: (soon) SPARQL; 5+ year old project.
XDI Stack: XDI based; supports Link Contracts; no user interface developed; standardized at OASIS; APIs: XDI, OAuth, Activity Streams, PubSubHubbub; young project, code is just starting to be published on the web.
Are there others?
129. Vision and Principles for the Personal Data Ecosystem
by Kaliya Hamlin
• Dignity of the Individual is Core
• Systems Must Respect Relationships
• Remember the Greatness of Groups
• Protocols that Enable Broad Possibilities are Essential
• Open Standards for Data and Metadata are Essential
• Defaults Must Work for Most People Most of the Time
• Norms and Practices in the Personal Data Ecosystem Must be Backed up by Law
• Business Opportunities Abound in this New Personal Data Ecosystem
• Diversity is Key to the Success of the Personal Data Ecosystem
http://www.identitywoman.net/vision-principles-for-the-personal-data-ecosystem
130. PDX Principles by Phil Windley
user-controlled
federated
interoperable
semantic
portability
metadata management
broker services
discoverable
automatable and scriptable
http://www.windley.com/archives/2010/09/pdx_principles.shtml
131. As a community we are working on making the Personal Data Store Ecology.
132. Questions
• What will be the open standards for data and metadata?
• What will be the legal frameworks for individual protection
(do you have to get warrant to search)?
• What will be legal framework for individual protection and
freedom to remove data from services?
• What business structures can hold ?
• How is any of this going to be usable?
• How will data be protected, encrypted, etc.?
• How will people be able to store keys?
• What will be compelling reasons for adoption?
• Can industry make money and give user more control?
• How will the network work based on identifiers AND not have everything linkable? (ISOC is thinking a lot about this)
133. Questions
• What is the right architecture for distributed groups?
• How are e-mails not the basis of all “social” transactions?
• How do mobile carriers participate in the personal data
ecosystem?
• How do target populations have their needs met in the
design of these systems?
• Women
• Sexual Minorities
• People of Color
• How are mechanisms for the peer production of
governance at the core of these systems?
• What to do about the namespace issue?
134. Questions
• Can we make active clients usable?
• What are the defaults in these systems?
• How do we get away from cookies to give personalized
services?
• What do user-agents do?
• How do user agents make contracts for the user?
• How are the data streams made available for an agent based services model?
135. I invite you to the next IIW
November 2-4, Mountain View, CA
Meet the community, learn a lot, and
ask them what would be helpful
research questions to consider.
http://www.internetidentityworkshop.com