Part of the future of identity series
By Thomas J. Smedinghoff, Partner, Edwards Wildman Palmer LLP
Smedinghoff focuses on the emerging field of information law and electronic business activities. He has been actively involved in developing e-business, e-signature, ID management, and data security legal policy both in the U.S. and globally. He also serves as chair of the Identity Management Legal Task Force for the ABA Business Law Section, and co-chair of its Cybersecurity Committee.
The concept of federated identity management has been discussed and developed in various forms for more than 20 years. During that time, we have witnessed an ever-evolving progression of new ideas and concepts along with much debate and work on standards, policies, trust frameworks and certification requirements.
But has there been real progress? In the next five years, will federated identity management be a ubiquitous reality for most businesses and users? Or will it simply advance to the next stage of an interesting but largely theoretical discussion, punctuated only by isolated sector-specific implementations and proof-of-concept pilot projects? The answer may depend on whether a shift in focus is possible.
Today’s development efforts focus primarily on the specifications and policy issues that must be addressed to build so-called “trustworthy” identity systems. This has generated a great deal of discussion regarding the very concept of “trust,” as well as extensive work on issues such as levels of assurance, identity proofing, trust elevation, certification, trustmarks, privacy, security and interoperability. But these efforts largely ignore a critical prerequisite to success – finding a business model that will provide appropriate incentives for businesses and users to participate in such a trustworthy system in the first place.
Imagine the year is 1900 and we’re trying to promote the recently invented automobile as the future of transportation. While developing standards for building safe and reliable cars might seem to be the primary challenge, that may not be the best approach. At that early stage in the development of the automotive transportation ecosystem, what was truly required were incentives for manufacturers to build cars and users to buy them. And to do that, we needed an infrastructure of roads, gas stations and repair shops. In that early environment, focusing on standards for building safe and reliable cars would most likely not provide the needed incentives.
We can’t operate on the assumption that federated identity is such a great idea that merely designing requirements for a trustworthy system will incentivize widespread implementation
Likewise, efforts focused on requirements for ensuring trustworthy federated identity systems, while important, will not succeed without commensurate attention to the need to incentivize businesses or without users making the investments and commitments necessary to participate in such systems. This requires addressing two key pre-conditions for the development of such incentives:
- Identifying business models that provide an economic justification for all parties to participate in federated identity systems.
- Providing a legal framework that enables and supports such business models.
We can’t operate on the assumption that federated identity is such a great idea that merely designing requirements for a trustworthy system will incentivize widespread implementation. Until we address this fundamental issue of incentives, federated identity systems will likely not be a widespread reality, regardless of how many trustworthy and privacy-enhancing standards, policies and certification processes are developed.
What incentives will motivate businesses and users to participate in federated identity systems? Short of government compulsion that mandates compliance notwithstanding cost (e.g., regulatory requirements), they will likely involve business models that enable identity information providers to make money – either directly or incidentally – relying parties to save money or extract other value from the process and users to simplify their online access requirements. In all cases, the value received by each role must be sufficient to justify the cost or hassle involved in participating.
Facebook has apparently figured this out, and has deployed a business model – login with Facebook – that is arguably the most successful, by volume, federated identity system in use. It flourishes notwithstanding that it operates with a very low level of trust, and largely ignores many of the key identity issues. Instead, it leverages the Facebook business model in a manner that provides economic incentives for itself, its relying web sites and its users. The challenge is to find one or more such incentivizing business models for systems providing higher levels of trust.
Establishing a climate conducive to the development of such value-generating business models also requires an appropriate legal framework. Such a legal framework may take the form of public law, statutes or regulation, but can also come from private law in the form of contracts among participants. Most likely it will be a combination of both.
Regardless of structure, the goal is to provide a legal framework that removes inappropriate legal barriers where and to the extent they exist. This then enables the deployment of viable business models, consistent with appropriate public policy. Doing this will require providing a satisfactory level of legal certainty regarding the rules governing those who participate and fairly addressing allocations of responsibilities, risks and liabilities among the various roles.
At the same time, the legal framework must not restrict the development of viable economic models, such as by imposing burdensome legal structures, requiring parties to execute complex contracts every time they engage in a transaction or allocating liability in a manner that unduly inhibits participation. Instead, it should be designed to encourage and support the market-based experimentation needed to develop an approach to online identity that incentivizes all involved.
At the end of the day, making Internet scale federated identity a reality in the next five years will require addressing more than just the issue of trust. It will require finding viable business models that provide sufficient benefits to all participants to incentivize them to participate while at the same time implementing an appropriate legal framework to support those business models.