I’m beginning to have second thoughts.
Plenty of people (myself included) got involved in internet identity because of its promise to put all of us asÂ individuals at the center of our interactions on-line. To empower individuals to define and offer and enforce their own terms in their interactions with others. To not merely be somebody’s user or consumer, but to be a first-class citizen of the net. To not be at the mercy of any government or organization.
And from a merry band of similar-minded individuals, the movement was born. The assumptions were:
- Anybody could set up their “digital home” anywhere on the web at any URL of their choosing. The address of that home would be their LID or OpenID URL.
- When visiting somebody else’s site, they would use that URL-to-home to create a relationship from your site to my site, from your on-line home to my on-line home. It wasn’t thought of single-sign-on, but the equivalent of leaving one’s card at someone else’s place with the invitation to visit and establish a relationship. Technologically similar, but very different in intent.
- This relationship between your site and my site would enable two-directional information flow for a variety of interesting purposes that could be switched off by either participant at any time.
While OpenID, the technology, still can support all of this, the thrust of the thinking of many of its larger supporters today goes into a different direction:
- There is a belief that URLs are too complicated to use by the average individual, which has encouraged what’s called the OpenID “NASCAR GUI“. However, because that GUI can only show a few icons, it clearly encourages me to use a big-company-provided identity instead of my own.
- Directed identity and identifier select hides the identity URL and downplays the “let’s create a relationship by exchanging pointers to home” to the extent that few people new to OpenID can even comprehend they are getting mere single-sign-on, not relationships.
- The primary focus of OpenID-based profile exchange is to convey the user’s e-mail address to the visited site (usually a vendor), so that vendors can send e-mail to the user. Note that because it is e-mail, the the user cannot turn it off. It didn’t have to be that way.
- Certification has entered the picture. While many details are still unclear, all certification schemes that I’ve ever heard of require substantial effort and perhaps money to get certified. In all likelihood, that will make it all but impossible or impractical for individuals to play on a level playing field with mere users of large company’s products. This is particularly ironic when applied to the relationship between citizen and government, which suddenly will have to be mediated by substantial commercial entities. Among other things, they get to see which citizen interacts with which part of the government when and how often.
I know the argument that “if the user can see which attributes go over the wire, it’s user-centric.” Well, yes, perhaps, but in my view that’s user-centric in the same way a calorie-free chocolate cake is sweet. I ordered a real chocolate cake, though, please, where did it go?
Don’t get me wrong, there are good things about all of this, the most important of which is that the state of the art has driven substantially more adoption than it likely would have been in the less organized, decentralized, you-be-in-charge-of-your-own-destiny world.
But is the price of more adoption less user-centricity? Or is that just a phase we are going through?
I hope to discuss this and other big questions at the upcoming Internet Identity Workshop. Hope to see you there.