I love life. When I decide to give a talk about identity, it ends up being in front of Chris Messina AND it comes off I was totally against OpenID. Crap. 15 seconds a slide needs to be clear and to the point, and I must have veered. I actually changed some of my talk at the last minute based on things Chris said at DrupalCon on March 6. Here’s his slides. Identity starts on #27. Love the direction they are heading with identity on the web.
I’m not against OpenID at all, I’m actually into it and like it, but from the discussions I’ve had, few developers or users are actually talking about what it means to use a centralized identity manager. I want to keep the discussion moving on this because I think it is really worthwhile, for online and offline communications. Since Chris escaped Maloney’s before I could explain this, I can only hope he can telepathically read my thoughts. Transmitting now.
Thanks to John and the IgniteDenver crew for letting me rant. I had a blast and will be back for more. Props to Maloney’s Tavern for allowing us to invade. Check the Twitter stream with the tag #ignitedenver.
Here’s my point which I didn’t make very well last night:
Identity is not solely a technical issue, it is a human issue. Humans are more than a login and password combination, and will need a system that allows for the complexities of human life. We all have different aspects of our lives that we allow to mix and mingle to varying degrees, and in the online space, we need a system that allows us to control our information just as we control our identity in real life. Not just controlling where our streams show up, but also what information we offer to online entities. On the other side of that mouse pad are the sites and services that we register for. They also need certain sets of information to be able to provide their services. You trade your info for service, but you should still own and have control of your info.
When clients tell me to just use OpenID or Facebook Connect for the registration to their site, they are not realizing the position that they could be putting their user in, and all the things that could happen that they (and when it does happen, I) will be held responsible for.
Here are the notes. The first few slides are dull background crap. Find the slides here. Mine start on #57, but take some time to go through it all. Lots of great people and information.
Who I am now. SMS the name bugfrog to 50500 to get a text of this info.
Who/where I have been before now
Everybody has used non-secure ways to remember their passwords. The 3M Password protection system is very popular. Entries in your address book, using the same password for every site, trying to use the same login and password for every site. What have you used?
If you read your terms of service agreements, most sites own your data once you give it to them. And even if they explicitly say they won’t do anything with it, it is very easy for them to change their mind in the future without giving you a chance to pull out your info first.
OpenID is a system available to help address these two issues: Multiple logins and data ownership.
Estonia is adopting an OpenID system for all it’s citizens. Great. Thankfully they’ve also implemented a Data Protection Act to make sure there is no abuse of this new system. They are pretty confident that there will be no identity fraud possible in Estonia. That’s pretty confident. The word hubris comes to mind.
Problems with Open ID
Not universally adopted. Not every site uses OpenID and not every site will. Linking your login to a public standard can limit the information that a site can collect from their users, so not everybody will do it.
Not to mention that there is version 2 of out and not everyone has been able to get their systems upgraded and working. Bigger companies who have the money have been able to upgrade, but not everyone. And if it fails, you are locked out of your site. No second chances. You wait. We see the same failure pattern with new features on web browsers. Some people either don’t or can’t upgrade immediately.
OpenID is a standard, but not all services implement the standard exactly the same. Does everyone implement HTML standards the same? Like any standard, some sources adopt quickly and completely, some lag behind a little, some jump ahead and add on their own special features that they feel should be there.
Open Id is one of the more successful early players in this id space. What else is going on?
OpenID provider Comparison at SpreadOpenID.org
OpenID review at Loudit
Lets’s expand beyond just OpenID. There are other people making a play for the identity management market. Of course. Google, Yahoo, OAuth, and the recently newsy Facebook connect.
Some say that while the OpenID system is strange and confusing, leveraging these other systems that people are already using makes sense. “I’ll just login with my facebook ID.” It’s easy, available and ready to go. Why not?
In the simplest form, we could rephrase this to “Let’s make it possible for everyone from Aunt Mable to the happy hour crew, every person in my friend list, to know about every single site that I register for, and maybe even how often I visit and what I do there. Wouldn’t that be great!”
Let’s expand even more. Online identity managers are not the core problem. Complex human lives are the problem. Just like you don’t go into a job interview talking about your obsession with Penguin figurines and clown porn, you also find sites you want to be a part of that you don’t want connected to your LinkedIn account through openID. So now you need to decide again, do I have many different openIDs? Do I set up multiple identity accounts, one for work, one for friends, one for clown porn sites. We all have different facets of our lives that we might control differently.
Human Upgrades. Our lives change. What happens when a site or service transitions from a hobby to a work related identity? Twitter for example. How many of us picked a twandle based on some goofy animal hybrid and then started using it to make contact with people that you actually do real work with? Trust and community is rooted in the concept of identity and recognition. Can you change an identity and still have that trust? If you set up an identity intending it to be private, and then need to change it over to a public realm, does every site you’ve used it for also come into the public realm also?
Humans in general are lazy. Most people are lazy when it comes to internet security. People who hide a house key in a fake rock aren’t going to worry about 16 random character passwords. For most people, convenience is key. They will choose the easy route over the secure route almost every time. If they are logging in to a site, they just want to get in right then. They don’t want to sit and think and consider the implications of which ID they should use. Usually they realize later “Hey. Maybe I shouldn’t be posting all my personal photos where my employer can find it. How can I change that?”
If there is one standard, then there is one sweet target for any hacker who needs a goal. Maybe they could all pool their resources and work together to find an exploit. Instead of having to figure out what type of obstacles each site puts in their way, they’ll be able to focus all their time on one single protocol. Keep this in mind if you bank offers standard identity system compliance.
Ethics and identity. Business executives have found out that what they say online, whether intended or not, is increasingly considered part of the company communication stream. If James Andrews comments on Memphis before meeting with his FedEx client, it’s considered a comment delivered by his company, not just him.
Even more murky and extended, the people who are connected to executives through Facebook or Twitter are obviously aware of and possibly connected to the company as well, possibly even shareholders. What if this executive comments about a contract issue, or the failure of a big supplier. Suddenly, there is a very real possibility of insider trading if they were to act on any information.
And what about HR issues? If your work identity is aware that you go out and drink, smoke, and party on the weekends (not on work time, but on your time) how well will they be able to disassociate the work you from the weekend you? If mandatory drug testing is a hot issue, mandatory social network registration is going to get touchy too.
Geolocation. Here’s another wrinkle to think about. More and more services are adding geolocation ability into their apps. At first, this is great. Find the people you know when they are nearby. Get notified of a special offer when you are near your favorite store. Cool. But lets say you are with a big client at a work dinner and your auto updating Latitude or Brightkite app tells the members of one of your less than publicly known social groups that you are present. Suddenly, 2 facets of you world collide in a way that you were not expecting or intending.
Think of the marketing mishaps that are waiting to happen. What if you opt in for special deals from some Personal Lifestyle store (whatever that might be), and as you go by that store, you get a batch of marketing messages and special offers. Normally, that is fine. But this time, you happen to be with your boss, grandmother, or friends who aren’t aware of your connection to that unique store. Could get dicey.
I love Brightkite and use it as much as I can with my clunky Q. Latitude is cool too. But the mass market is a different audience and doesn’t think the way that tech early adopters do. They still worry about things like “Who is looking at my photos on Flickr? Who knows that I am at the mall today?” We say Who cares? But the answer is They Do. And they are the users who will make your site or service successful.
Who are you anyway? This brings up a question: what the hell is identity anyway? Who are you? Do you talk and act exactly the same way in all situations? Probably not. You may be different with your famliy than with your friends than with your boss and coworkers.
As far as those groups are concerned, their PERCEPTION of your identity is made up of what they know about you only. Here’s a way to look at it.
If you go to your twitter page, a valid argument could be made that all the tweets that you find there make up your identity. We could construct a picture of you based on what you follow and what you tweet. Just like in real life, the people around you tell us about who you are or may be at that moment. It might not be 100% accurate, and it can be very easily taken out of context, but it is what people do – make generalizations and evaluations based on the facts at hand. It’s what we do.
Extending from that, here’s another interesting fact: some companies are experimenting with scanning the content of an employee’s email to determine what that person does. Basically trying to build a map of who each employee is and what they do based on the content of their emails. So instead of giving you a title, putting you in an org chart, and telling everyone what you should be responsible for, you will be identified by what you have written in your daily mail. In theory, you should be able to find out the go to person for a specific task by searching for that task, and the people who deal with it most will top the search. That’s sure to cut down on those non-work related messages.
I’m not trying to rip the idea of openid apart. But it is a young technology trying to work with an old concept of identity. The issues and behaviors that we are trying to model are things that haven’t even been worked out completely in real life.
Ever run into your Aunt Sally when you are out drinking with your friends? We all have work, social, companion, recreation, and many other circles of people that we interact with, and they all intersect to varying degrees, some a lot, some not at all, and each person has a different need and a different way to maintain those associations.
Some people would never dream of inviting work friends to a party at their house, others only have work friends, and once they leave a job, they no longer associate with those people. This is a personal choice, and a mass adopted identity system should be able to handle any degree of that choice.
Where can it go wrong? It never goes wrong by people doing what you expect them to do. In the geo location example, maybe the marketing messages are originally programmed to go be triggered when you are within a very short radius. One day, a programming tweak increases that radius to 5 miles. Or bad weather confuses the triangulation so that it thinks you are closer than you really are.
What if you just set up your ID account and missed a setting, or misunderstood how it worked. Again, MOST people work with convenience and ease. Going through a huge tutorial on how to properly set up your account doesn’t quite fit there.
These are not things that could happen, they are things that WILL happen. Look at some of the goofy disclaimers that are on products lately. People don’t think about what they are doing in the moment the way that a develop thinks when building a site. Developers focus on the task and how to solve a problem. Users focus on talking on the phone while they are driving, eating, reading a text message, giving a toy to their child, and trying to find a shopping list.
When considering a login schema, don’t think about a using doing what they should do, test in the ways that a user should absolutely not do, because they will.
Proponents of single identity systems have said that if we all have one online identity with our real name attached, people will be less rude and disruptive on the internet. Sure, because the internet is the only place that people are rude and disruptive. There ARE people who do things that they probably wouldn’t do in person, but they would also do those things in real life if they thought they wouldn’t get in trouble. How many people turn into complete assholes when they get in their car? That’s not even annonymous, just easy to get away.
Let’s be honest, rude behavior is a human thing, not a computer thing. If you’re a jerk, you’ll be a jerk online, no matter who sees you.
I bring all this up because if you build or advise on websites, there are no login silver bullets. Any solutions to online identity issues will be found by looking at human social behaviors, not by building on traditional computer protocols.
Until that time, Make sure you give you users options. Don’t have just way to login, let your user do what’s best for them.
I can see why someone might think I’m bashing OpenID, but I’m really not. I just want it to continue evolving to work with human behavior, not computer needs.
If you haven’t yet, I suggest you go get some OpenID variant. Have it ready and get familiar with it. Consider where you implement it, and why. And if someone tells you that it’s the next great thing that will rule the net, send ’em here. I’ll be waiting.
Here are some reference links you might be interested in.
OpenID for Google Apps
Poll on OpenID use
Yahoo Updates to Challenge Google Friend Connect, Facebook Connect
Twitter and Ethics
Bad News for OpenID