Part of the future of identity series
By Dan Blum, chief security and privacy architect, Respect Network
Blum is an expert in security, privacy, cloud computing and identity management. At Respect Network, he focuses on architecture, business development and consulting. Blum has authored two books, written for numerous publications and participated in standards groups such as OASIS, Kantara Initiative and others. His articles appear regularly at http://security-architect.blogspot.com.
DATELINE 2019 – Today is the five-year anniversary of Respect Network’s launch and I’ve been asked to write this post as if describing the identity management landscape to our younger selves in 2014. To contemplate the time shift, I’ve re-created the state of our topics five years ago and hyperlinked various references back to old archives.
Remember 2014? Many people had not heard of personal clouds and I’d have to describe it to them as “the first global, private personal cloud network in which individuals manage their relationships with other people and businesses under a trust framework that protects ownership, privacy, and control of personal information.” There was a social media campaign with the hashtag #TakeBackControl and though the network started with minimal functionality, its vision was clear and the architecture well specified.
In 2014, online personal empowerment seemed an audacious concept even in the free world where it belonged – and to which I’ll constrain my generalizations of the present time. Few outside the initial movement for privacy thought personal clouds would have much impact. But now, almost everyone has a personal cloud with one of the many service providers on the network, an ecosystem partner, or with a competing network.
As for identity management, where do I even start? In 2014, you could still talk about digital identity separate from individual rights to privacy and control – as if our identity was a thing that should be primarily managed for us by organizations. No one could have foreseen the degree to which the world would move towards “Bring Your Own Identity” (BYOID) with tools like safe social sign-on. That democratization of identity has not only been great for people, but also good for business.
When it came to digital identity standards, there was no consensus in 2014, and there is no consensus now. The “Internet identity layer” is still like the meta-system Kim Cameron wrote about in the 1990s.
Digital identity defies standardization because it is as individual as the people it’s trying to serve, not to mention that people, organizations, applications and wearable or implantable device technologies just evolve too fast to pin down the interfaces. The old saying – “the wonderful thing about standards is there’s so many of them” – certainly applies here.
For example, government ID card initiatives generally proved unsuccessful or limited in scope. Today, most organizations outsource what we used to call identity management. Old standards based on centralized authentication and authorization services are fading away as distributed systems increasingly consume meta-data and make contextual, risk-based decisions (as envisioned in the original Global Identity Foundation, but much more de-centralized).
That’s right, personal and business clouds often connect as peers. Personal clouds are portable so that your digital identity, just like your biological one, belongs to you for life. Few would raise their eyebrows in 2019 anymore if you called the personal cloud your “digital self.” And as we built our reputations and keychains, personal clouds became increasingly viable for BYOID as well.
Personal clouds with third-party identity providers, claims providers and payments providers now form the dominant architecture pattern for online authentication, authorization, reputation and commerce. Because most personal clouds are implemented as semantic graphs, multiple standards can be used even within a single trust network.
Despite widespread use of biometrics and other forms of “strong” authentication, there’s still a cybercrime problem. Aggregate identity theft levels are much lower for personal cloud users, but when a compromise does happen the consequences can be serious.
Fortunately, the decentralized architecture of trust networks means you don’t suffer really big breaches, nor do most people allow spam on secure, relationship-based channels. Unfortunately, next-generation cybercrime continues to evolve as bad actors try to game reputation systems and infiltrate or sabotage self-governing parts of trust networks. It’s a constant battle but decentralized trust networks are holding their own.
As an enabler of personal empowerment and mutually profitable business relationships, personal cloud networks totally rock. They’ve become the authoritative source (or at least the conduit) not only for identity but for personal information in general. People are incentivized to maintain their cloud because they get a share in the relationship fee model. How the personal cloud expresses oneself is becoming increasingly important; newer personal clouds constantly change their “skins” and behavior depending on our schedules, states or moods.
Businesses are getting major sales, marketing and logistical efficiencies from the new model. The change of address process had caused businesses to lose touch with customers, but not anymore. It’s way beyond BYOID: the expansion of the semantic graphs’ community registries and dictionaries seems endless and continues to scale with the latest OASIS Extensible Data Interchange (XDI) 3.0.
What Doc Searls called “the Intention Economy” is here and growing much faster today than the old advertising and surveillance economy. You see use cases in every industry including ubiquitous personal RFPs, micropayments, smart homes and grids, patient-controlled health records transfer and so much more.
Change identity, change the world!