User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

User-Centric
Digital Identity
September 23

presentation to
Computer Science and Telecomunications Board
National Academies
by Kaliya Hamlin
@identitywoman
http://www.identitywoman.net
kaliya@identitywoman.net

Internet Identity Workshop http://www.internetidentityworkshop.com

Friday, September 24, 2010

Where does my personal inspiration about user-
centric digital identity come from?

Building Identity and
Trust into the Next
Generation Internet

asn.planetwork.net


Who am I?

IDENTITY GANG! Internet Identity Workshop
formed in 2004 iiw.idcommons.net
www.internetidentityworkshop.com


Broad Base of Participation SMALL COMPANY
BIG COMPANY SPONSORS SPONSORS
NONPROFIT SPONSORS
MSFT FuGen Solutions
ISOC
PingID OUNO
Kantara/Liberty Alliance CORPORATE PARTICIPANTS
SUN Rel-ID
Info Card Foundation Paypal
Facebook Poken
OASIS IDTrust Booz Allen Hamilton SMALL COMPANY
Google Vidoop
Mozilla Apple PATICIPANTS
Yahoo Chimp
Higgins Project
Cisco
Burton Group Authentrus Ångströ
Bandit Project Hewlett Packared Digg, Inc.
Plaxo Sxip
Planetwork International Business Machines Privo
Internet Society Commerce Net Intuit ClaimID
Expensify
Adobe LexisNexis FamilySearch.org
NONPROFIT BT Nippon Telegraph and Telephone Corporation FreshBooks
PARTICIPANTS Novell Nokia Siemens Networks Gigya
Center for Democracy and Facebook NRI Gluu
Technology AOL Oracle Janrain
DataPortability Project Ping Identity Orange Kynetx
IdM Network Netherlands Paypal / eBay Rackspace NetMesh Inc.
OCLC Radiant Logic Protiviti
Open Forum Foundation
World Economic Forum
Sony Ericsson
The MITRE Corporation
IETF Socialtext
TriCipher, Inc.
UNIVERSITY PARTICIPANTS
Tucows Inc
VeriSign, Inc.
W3C Trusted-ID
Wave Systems
Goldsmiths, University of London
Newcastle University
Stanford University
Vodafone Group R &D
Alcatel-Lucent OASIS Six Apart

Acxiom Identity Solutions
Acxiom Research
GOVERNMENT PARTICIPANTS Equifax
Office of the Chief Informaiton Office,
Province of British Columbia
LinkedIn
Amazon
and more...

Unconference Format


Talk Outline

What is User-Centric Digital Identity
(including how it arose in contrast to non-user-centric identity)

Technologies have been developed to date
OpenID, Information Cards, XRD, OAuth, UMA, SAML

Emerging: The Personal Data Ecology


What is Digital Identity?

http://www.digital-identities.com/
The »Gestalt« of digital identity http://www.ﬂickr.com/photos/wertarbeit/3825274153/in/photostream/


Identifiers Claims
Single String Pairs

Identifiers link things together A claim is by one party about
and enable correlation. another or itself.

It does not have to be linked to
They can be endpoints on the an identifier.
internet.
Proving you are over 18 for
example and not giving your
real name.


What is User Centric Digital Identity?

Big Co.

Web 1.0 Web 2.0


What is User Centric Digital Identity?


The Identity Dog
Represents 2 things:

* Freedom to be who you want to be

* Freedom to share more speciﬁc
info about yourself that is validated


Freedom to Aggregate


Freedom to Disaggregate


Freedom to Disaggregate

X

X
Why does User Centric Digital Identity Matter?

http://www.fullenglishfood.com/?p=799

Buddhist in Tennessee

http://religions.iloveindia.com/buddhism.html http://wwp.greenwichmeantime.com/time-zone/usa/tennessee/map.htm


Women having the freedom not to present as women.

Why James Chartrand
Wears Women’s Underpants

http://www.copyblogger.com/james-chartrand-underpants/

Real world examples of women managing different
personae from She’s Geeky conference.
1) Live Journal Friends
2) Professional ID
3) Feminist Identity 1) Me linked to real name
2) Spiritual
3) Gaming

1) Totally Professional on Domain, GMail, LinkedIN
2) Social but me on Facebook
3) Spiritual under pseudonym on Live Journal


Goofy Habits or Hobbies


Freedom of Expression

personal
and
political


Freedom of Action

Teachers being able to drink Young people free to
socially when in own time. explore themselves

BLIZARD WoW in game ID
vs “RealID” change

this comes from not having all contexts linked together

How do people “get”
User Centric Digital Identity today?

Hack it together with handles from web mail providers
or on a service like Twitter




Challenge with e-mail addresses as identities
the communications token is the “ID”





Google proﬁles
Yahoo! proﬁles





Google proﬁles Facebook
Yahoo! proﬁles LinkedIn


Freedom to not be
“erased” under TOS
What are our rights in these commercial
spaces governed by Terms of Service?
How are we “citizens” in private space?
In physical life we have protection of our
physical self - people will be prosecuted for
harming us. What is the equivalent in
online spaces?


User Centric Digtial Identity today?

Identiﬁer side: Claims based side:

Almost impossible.
Own their own
domain name.
Little relying party adoption
(Places where 3rd party
Have a blog?
or self generated claims
Run an openID server?
will be accepted)

Little client side app adoption


Why have we have yet to succeed?
It is a REALLY hard problem set to solve for,
User Centric Digital Identity that is:

1. open standards based
2. the scale of the internet + other digital systems
3. that people ﬁnd usable
4. that they understand
5. that is secure
6. it requires emergence of new social behavior
7. and changes business models & norms

Isn’t just a technical problem

TECHNOLOGY

SOCIAL ? BUSINESS

LEGAL


We are still the make the vision real

Are we succeeding!
with particular protocols
with various levels of adoption.


What were User Centric Digital
Identities ideas arising in response to?


These reasons were covered in the above

Corporate mediated ID (Facebook LinkedIn).

Desire to have online world map to how ID
works in physical world - selective disclosure.

A Bazillion different accounts.

Identity is socially constructed not
institutionally issued.


Corporate Issued IDs
from employers

http://www.smartdraw.com/blog/archive/2008/09/04/four-ways-to-make-your-org-charts-more-useful.aspx


Corporate Issued IDs
for customers

frequent ﬂier
http://usresident.com/ customer number
health insurance number


The claim there is no separation between
online and ofﬂine life


Participants in the Federated Social Web Summit.
Pre-Open Source Convention
July 18th, 2010, Portland, Oregon, USA


Protocols are Political
It gets to the heart of what it means to have a civil
society, how we organize together. The choices made in
creating these architectures now will shape the future.

http://www.treehugger.com/ﬁles/2010/07/thousands-of-undiscovered-plants-face-extinction.php http://www.moviecritic.com.au/your-favourite-cinematic-dystopian-future/


OR


What is the context for people gathering?

“We’re trying to build a social
layer for everything.”
- Mark Zuckerburg

Freedom of
Movement and Assembly

Freedom to group and cluster outside commercial silos
& business contexts.


Freedom to
Peer-to-Peer Link

Freedom to determine
how the link is seen by
others


How can people and groups be
ﬁrst class objects on the web
(and other electronic networks)?


User Centric Digital Identity is the:

• Freedom to Aggregate
• Freedom to Disaggregate
• Freedom to not be “erased” under TOS
• Freedom of Movement and Assembly
• Freedom to Peer-to-Peer link & the
Freedom to determine if the link is seen
by others


Transition to Technology Section


Text
Text
+
?
Can you have both?


OpenID 101
(identiﬁer)


OpenID has a Ton of Issues

• security
• no payload - identiﬁers are not enough
• people donʼt understand format URL
• people donʼt have their own domains
• often 3rd level domain
• Nascar Problem
• ADOPTION

• Namespace issue - “solved Facebook”


Users take actions on your site
Users come to your site to consume
your unique content. They take

Connect actions like commenting, reviewing,
making purchases, rating, and more.
Users share with friends, who
discover your site
With Facebook Connect, users can
easily share your content and their
actions with their friends on
Facebook. As these friends discover
your content, they click back to your
site, engaging with your content and
completing the viral loop.
Social features increase
engagement
Creating deeper, more social
integrations keeps users engaged with
your site longer, and more likely to
take actions they share with their
friends. (For example — don't just
show users what's most popular on
your site, but what's most popular
with their friends on your site.)


Proposal for OpenID Connect

The response is a JSON object which contains some (or all) of the
following reserved keys:
• user_id - e.g. "https://graph.facebook.com/24400320"
• asserted_user - true if the access token presented was issued by
this user, false if it is for a different user
• profile_urls - an array of URLs that belong to the user
• display_name - e.g. "David Recordon"
• given_name - e.g. "David"
• family_name - e.g. "Recordon"
• email - e.g. "recordond@gmail.com"
• picture - e.g. "http://graph.facebook.com/davidrecordon/picture"

The server is free to add additional data to this response (such as
Portable Contacts) so long as they do not change the reserved OpenID
Connect keys.


Information Cards (claims)

informationcard.net


Managed Cards Come in two Flavors

“Phones Home” Doesn’t “Phone Home”

Government
Employee issued ID Issued age
veriﬁcation
the employer sees
where used just like a drivers
license in the real
world


Veriﬁed Anonymity (U-Prove)


Information Cards have a ton of issues:

• Relying Party Adoption
• why shift to claims from identiﬁers
• Where are the libraries and tools for Relying
parties

• Client Download Required
• New User Experience
• What are Active Clients and How do they work
• Risk & Liability Models are Unclear
• If a claim is validated and it is untrue who is liable


More Technologies


XRD
(the most successful standard arising
from user centric ID community that
you have never heard of)


Discovery =
Patterns +
Interfaces +
Descriptors


Evolution of Discovery
XRDS --> XRD-Simple --> XRD
(within XRI spec)


Application of

XRI/XDI


OStatus isn't a new protocol; it
applies some great protocols in a natural
and reasonable way to make distributed
social networking possible.
• Activity Streams encode social events in
standard Atom or RSS feeds.
• PubSubHubbub pushes those feeds in
realtime to subscribers across the Web.
• Salmon notifies people of responses to
their status updates.
• Webfinger makes it easy to find people
across social sites.

OAuth


User Managed
Access


SAML

SAML has two parts used in higher education
1. Authentication
2. Proﬁles


Big Challenge Protocol Interop


Big Challenges
RP adoption at scale.

Integration/adoption of active identity clients ("identity-in-the-
browser") and/or cloud identity services.

Addressing the gap between what these protocols do (federated
authentication, authorization, and simple third-party claims
transfer) and what the market really needs (compelling solutions
built on top of these tools that integrate other key components
like personal data stores).

Harmonizing all of this with government policy and initiatives like
US ICAM and NSTIC and UK Direct Gov open identity
requirements.


ICAM and NSTIC
Portable trusted Identities for government.

With the ability to use commercially vetted
identities to interact with government.

Reading NSTIC there is the potential to
have veriﬁed anonymity be part of the
ecology.


Trust Frameworks /
Policy Repositories
Open Identity Exchange
Policy Repository Levels of
for Auditors Levels of Assurance Protection
Trust Frameworks Identity Providers Relying Parties

ICAM
John Google
Relying Party
Steensen

OCLC PayPal

Other
Relying Party
Auditor
PBS Kids Equifax

Other
Auditor Yahoo!
XAuth


The next frontier
PERSONAL DATA


Generating More Data than Ever

I put on The Big Data Workshop April 23, 2010
http://www.bigdataworkshop.com

Less
Control
Than
Ever


Can people control the ﬂow of data about them from:

1.Self to others?
2.Self to institutions?


Do you have a copy of what
you put out on the web?

Implicit and Explicit Data
More and more digital devices collecting more
data


We should have our own picture of our
“digital selves” or digital projection.

Questions:
• How do we get it (the picture - the data)?
• Who do we trust to manage it?
• How do we get insight into it?
• What is the legal protection it is afforded?


Who you are and what you
care about should not be the
possession of someone else.


Time/space stamping

You can reconstruct who it is without PII attached to it

It makes the technical architectures matter more
and the legal frameworks critical.


Personal Data Store Ecology

Open Standards based Personal
Data Stores with people, groups
and businesses as ﬁrst class
objects. It will include full data
portability and a range of services.


Personal Data Ecology


Project VRM - 4th Parties

http://bit.ly/VRM4thParty


$

APPLICATIONS

EXCHANGE
REFINEMENT
STORAGE
ID + ENCRYPTION

DATA + META DATA
DATA
SOURCES

Stack for Personal Data Banks &
Personal Data Exchanges
by Marc Davis (from IIW10)

Higgins Project XDI Stack

Persona Data Model 2.0 XDI Based
Uses card metaphor Supports Link Contracts
Linkable dictionary of terms
RDF based
Standardized at W3C No user interface develoeped
Standardized at OASIS
API’s XDI, OAuth,
(soon) Activity Streams, PubSubHubbub,
SPARQL Young project code is just
starting to be published on
5+year old project the web.

are there others?

Vision and Principles for
the Personal Data Ecosystem
by Kaliya Hamlin
• Dignity of the Individual is Core
• Systems Must Respect Relationships
• Remember the Greatness of Groups
• Protocols that Enable Broad Possibilities are Essential
• Open Standards for Data and Metadata are Essential
• Defaults Must Work for Most People Most of the Time
• Norms and Practices in the Personal Data Ecosystem Must
be Backed up by Law
• Business Opportunities Abound in this New Personal Data
Ecosystem
• Diversity is Key to the Success of the Personal Data
Ecosystem
http://www.identitywoman.net/vision-principles-for-the-personal-data-ecosystem

PDX Principles by Phil Windley

user-controlled
federated
interoperable
semantic
portability
metadata management
broker services
discoverable
automatable and scriptable
http://www.windley.com/archives/2010/09/pdx_principles.shtml

As a community we are working on making the
Personal Data Store Ecology.


Questions
• What will be the open standards for data and metadata?
• What will be the legal frameworks for individual protection
(do you have to get warrant to search)?
• What will be legal framework for individual protection and
freedom to remove data from services?
• What business structures can hold ?
• How is any of this going to be usable?
• How will data be protected, encrypted, etc.?
• How will people be able to store keys?
• What will be compelling reasons for adoption?
• Can industry make money and give user more control?
• How will the network work based on identiﬁers AND not
have everything linkable?.... (ISOC is thinking a lot about this)

Questions
• What is the right architecture for distributed groups?
• How are e-mails not the basis of all “social” transactions?
• How do mobile carriers participate in the personal data
ecosystem?
• How do target populations have their needs met in the
design of these systems?
• Women
• Sexual Minorities
• People of Color
• How are mechanisms for the peer production of
governance at the core of these systems?
• What to do about the namespace issue?


Questions
• Can we make active clients usable?
• What are the defaults in these systems?
• How do we get away from cookies to give personalized
services?
• What do user-agents do?
• How do user agents make contracts for the user
• How are the data streams made available for agent based
services model?


I invite you to the next IIW
November 2-4, Mountain View, CA

Meet the community, learn a lot, and
ask them what would be helpful
research questions to consider.
http://www.internetidentityworkshop.com

Thank You!

Kaliya Hamlin

@identitywoman
http://www.identitywoman.net
kaliya@identitywoman.net


User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

More Related Content

What's hot (19)

Viewers also liked (20)

Similar to User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies (20)

More from Kaliya "Identity Woman" Young (19)

User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies