It’s been a while since I blogged over here, the last few months have been intense adding new members to my team in the national security group. We’ve been working on some really great projects that I’d love to talk about but I’d have to kill you. There is something new on the horizon that I see everyone being set up for and needed to talk about it.
You may have noticed lately the push to verify / create your identity on everyone’s favorite social networking sites, twitter and facebook. Twitter is claiming that they take impersonation of people seriously in this blog post. However, in under a week of giving out these verified accounts people are admitting that their accounts were never verified. You make argue that people like Mike Arrington and Chris Messina are well known on twitter and they must be the real person behind the keyboard. No doubt that many of the people at twitter have met them in person, but that doesn’t bode well for the validity of this “verification” service.
Last night facebook launched their vanity urls to the public. No longer to you have to put in a long profile ID to find me on facebook, now its as simple as typing http://www.facebook.com/matt.topper. Some interesting ones have already been taken. Within 15 minutes launching last night 500,000 people had already claimed their vanity url. Meaning that over half a million people decided to spend last night in front of a computer to get a unique name on a social networking site. So what does this have to do with a race for your identity? I have a theory that within the next 6 months we will see both Twitter and Facebook in a race to become the defacto OpenID providers for the web. Google, Yahoo, and AOL have all launched OpenID providers 
that use your existing accounts, but none have provided a compelling reason to use them. Myspace also launched their openid provider earlier this year, but again, failed to catch on. There are plenty around the web.
First I should explain what OpenID is. OpenID provides a lightweight federated single sign-on interface to your accounts across the web. In simple terms, you can sign on in one place and never have to log into another site again. This centralizes the authentication of your accounts across the web and helps determine what personas you portray across the hundreds of sites you may access. Interested in a more in depth description? Check out this wikipedia entry.
I would guess that a good percentage of users check Facebook or Twitter long before they check their email every morning. If they could offer you a service that you log in once with them to start the day and never have to log in again why would you chose anything else? Also, if you wanted to sign up for a new site they would allow you to share your profile / persona information with the new sites instead of filling out a lengthy form and it would update those sites with any changes to your info automagically the next time you logged in. Sounds great doesn’t it?
It sounds like a great service to me, I can’t wait, but why would Twitter and Facebook want to provide this to me? Wouldn’t it cost them money? One of the things that I’ve been discussing for years is a trust model on the Internet. When a crisis comes up who do you know who to trust on the web. If I have a problem with my GTO I go to ls1gto.com and do some searching to find who the top users are and might send them a message with my problem to see what they know. But what happens in a crisis situation when I’m monitoring twitter feeds when a hurricane comes through Florida. I can easily set my location on any of these services and act like I’m the middle of the action. What separates me from being Joe Schmoe and a retired PHD meteorologist who lives in the region. If I want an account of what things are like I’d probably want to pay attention to the tweets of the retired PHD.
Lets keep exploring why they want this info, it’s really powerful stuff. First they have a list of the people my “friends.” Twitter has a distinct advantage here. They actually know who I influence and who influences me. Through my long term tweets / status updates they know what I care about and what I am an expert on. Now if they know the sites I visit they have the ultimate revenue machine on me. They know my identity, they know my likes, they know my demographics, they know my friends, they know what sites I visit, and they know what sites my friends visit. Now they can very accurately target me for potential sites / products that I should be going to. It’s truly a world of “He who owns the data wins.” Once they have all this information on the books they really own the world.
I have my own concerns with OpenID and having one place to “hack” to get access to all my sites. I think any reputable provider will need both strong authentication and risk assessment added to their solution before I trust my identity with them. To be honest I think they US federal government should start their own trusted / verified OpenID provider but thats a topic for another post. (It’s already working in Estonia) Before I scare everyone with that topic, what do you think? Are Twitter and Facebook trying to be the de facto standard for your authentication and access information on the web? Or are they introducing new services to help their userbase identify with one another? Sound off in the comments, I’ll be looking forward to them.
If Twitter and Facebook become providers, they take a step closer to being the single profile source. New web apps will follow the easy path to integrate with existing data stores, rather than force users to start from scratch.
The payload of an OpenID request can include all the interesting data (network, profile attributes) that you want to share, which would give data portability a couple flat tires.
Essentially, all your data (and you) are belong to them, which isn't ideal.
I'm in favor of a trusted, centralized OpenID provider, not run by the government, but run by some non-profit entity or foundation. The death of providers leaves lingering questions, e.g. Vidoop's MyVidoop service.
I don't have many answers, and I'm very interested to see how it plays out over the next few years. Watch Mozilla. The browser as authentication provider has legs, and I'm much more likely to trust a hybrid local/cloud mechanism to manage my identity than a pure cloud-based one.
Good stuff, thanks for posting.
I don't know that I trust either of them to hold my identity. Personally I like the wordpress add-ons that allow me to make my personal blog my own provider. It's a domain that I control and own. I just don't think I have the capital to enable all the strong authentication mechanisms I would want in such a service 😉
I always find it interesting that people in the US have a different perspective on the government that people in Europe. We're very untrusting of what they do with us and our data. I'm not sure where that comes from but based on my work they have our best interest in mind and are the only “company” with the capital to do it safely.
I believe that the US government should provide an OpenID identity provider for their employees. Who needs a “twitter verified” account for the government users, if they can log in with a government provided OpenID service and it shows a symbol that they are government verified I tend to believe them. I think this is critical in the government 2.0 mission to reach out to citizens and gain trust.
Maybe after a few years of a public OpenID provider to employees they can extend it to citizens. Personally I don't care if a government OpenID provider knows what site I log into. I'd prefer it when buying products online or dealing with the IRS / other government sites. The centralized strong authentication would give me a much better piece of mind. It wouldn't prevent me from adding my additional providers and using them for my primary authentication mechanism, but would give me a backup in the cases like Vidoop going belly up and leaving me high and dry from logging into my sites.
I agree with the browser authentication proposition, however, I need it to be synchronized across all my browsers / devices like a XMarks / DropBox. Maybe something could be put together with Gears. I haven't looked into the persistent storage of HTML5 to see if there is any encryption as part of the spec. Obviously something could be implemented in javascript.
Oh, did anyone else notice the new “Hardware Encryption” in the iPhone 3G[S]? I'm still trying to find out what exactly that means, could be something interesting for a portable strong authentication device.
Its kind of interesting that facebook and twitter would become OpenID provider but that would cause a lot of corporations to cringe. Currently a lot of of comapnies block access to facebook and twitter whereas google and yahoo as OpenId providers are permitted . While the concept of OpenID has been long overdue , it will still take time for people to get a hang of it so to speak.
That does make for an interesting problem for people who want to use Facebook and Twitter for ID management.
The uptake of Facebook Connect shows that Facebook *could* be successful as an OpenID provider. Chris Messina has an interesting post about the future of digital identity here:
http://factoryjoe.com/blog/2009/06/09/facebook-…
I think trust (right or wrong) in Facebook will help them find success where other OpenID providers have struggled. Ideally, this will drive the Googles, Yahoos and Microsofts of the world to support OpenID fully as relying parties.