Identity

There has been much talk lately about privacy on the web, and who does what with your data. Most of this of course has centered around Facebook or Google. New technology from Facebook makes it easy for any website to tap in to your Facebook data when you visit their site. The idea behind this is that people will be interested in stuff their friends "like". Facebook knows a lot about it's users, but Google might know even more. As users of this technology we may be concerned about who knows what about us, and who owns this data.

Many years ago I read an article by Doc Searls about identity that was certainly ahead of it's time. Doc argued that people should own their own data and have a means by which they could "allow" websites to access the data they deemed appropriate for that particular website. In other words we should have control over our data, not Facebook and Google. This idea was beginning to gain traction as the web became pervasive in the late 1990's. Novell, then under the leadership of Eric Schmidt (now CEO of Google), came up with a product called Digital Me that leveraged their directory software to provide such a central repository for your personal information, and provided a secure means to allow third party access to it. Like many things from Novell, this product was either way ahead of it's time, or just poorly positioned, and never went anywhere.

So here we are over 10 years later and the situation is worse than before. Both Facebook and Google assume that they are the keepers of your data, and that they can be trusted to have your best interests in mind. But what about the dozens of other sites you may access? Some may let you choose to login using your Facebook, Google, or Twitter credentials. Most still require you to setup a separate account on their system. Exactly how many passwords can the human brain remember? There are projects like OpenID and Oauth that seek to provide a solution to this, but adaptation has been slow, and unless one of these becomes a universal standard they are of limited value. Then there is the issue of what associated data becomes available to the website if I use one of these authentication mechanisms? With Facebook that currently could be quite a lot.

Both Google and Facebook realize that we would like to have more control over who knows what about us. Google identified a problem with Facebook's model of sharing with one big group of "friends". Maybe there is some stuff that you only want to share with a subset of these friends. Google put together a nice slide show that demonstrates the idea and proposes a solution. It is expected that this will be manifested in a new service called "Google Me". Facebook, not about to be one upped, jumped on the idea and has recently announced an upgraded version of it's groups feature, that will allow this kind of more targeted social sharing.

Still no one is addressing the issue of giving users the ability to control their data. Let's say that I have decided that I want to make my name, e-mail address, and phone number publicly available on the web. Currently Facebook, Google, and probably a dozen other websites, have this data stored their own databases. Suppose I want to change my e-mail address or phone number? I would have to update this data on all of these websites individually. Wouldn't it be better if you could change it in just one place? Wouldn't it be better if all of your data was just in one place, and you could decide which websites had access to which data? This applies to much more than just directory information. For example currently Amazon may know something about my preferences in books, and stores this data in their own databases. If I decide to shop for books at Barnes&Nobel they can't access this data because Amazon "owns" it. Wouldn't it be better if I owned it, and when I visit a new website that sells books the website would ask permission to access my book buying preferences, which I could either grant or deny. Furthermore these sites would no longer keep their own copies of this data but get it from your personal "identity server" each time. This is what Doc Searls was talking about over 10 years ago, and what I and many others think needs to happen for people to regain trust in the web.