[Dave Birch] I had a typically fascinating and productive discussion with Hazel Lacohee and Piotr Cofta when we last got together. We were kicking around some ideas for finding practical ways to improve privacy, security and other good stuff while simultaneously worrying about the government's approach to the interweb, broadband and ID cards. With the right combination of technology and vision we can take an entirely different view of the "identity problem" and how to solve it. In a decentralised fashion we can see identity develop as an emergent property of trust networks, shaped by evolution to be fit for purpose or, as Piotr Cofta puts it, "good enough identity". Good enough identity (GEI). I love it.

I'm certain that there is merit in this approach. There is a real difference between trying to create a kind of "gold standard" identity that delivers the highest possible levels of authentication and identification in all circumstances and trying to create an identity that is useful (defined as: reduces total transaction costs and, in my world, aligns social costs with private costs). So if we take a utilitarian approach of trying to do something, anything, to improve the identity situation for individuals and organisations, we might be better off starting with some simple building blocks and building up rather than starting with a national ID card (I mean, a 21st-century national ID card of the psychic ID kind, not electronic cardboard) and driving that down. Go from the personal to the enterprise, from the enterprise to government.

I was reminded of the conversation with Hazel and Piotr by a recent piece in Wired, making the same point.

That is certainly part of what happens with Good Enough tech: MP3s entered at the bottom of the market, were ignored, and then turned the music business upside down. But oddly, audio quality never really readjusted upward.

[From The Good Enough Revolution: When Cheap and Simple Is Just Fine]

The same point is made by numerous case studies that focus (pun intended) on the response of the analogue photography industry to the introduction of digital photography. It turned out that the majority of the public wanted cheap, quick and simple much more than they wanted something with the quality of analogue film. I can remember how amazed I was when I got my original Apple QuickTake 100 digital camera (a gigantic thing that had 640×480 resolution) back in 1994: yes, the quality wasn't perfect, but it provided instant gratification and meant that I could take loads of photos and keep the 1 in 100 good ones, a statistical approach to photography perfectly suited to my level of photographic skills.

What is the equivalent today? What is the GEI? What is the identity QuickTake? It might be two-factor OpenID. I already find it very convenient to be able to log in to a variety of web sites using my Twitter identity (I tend to choose this because it's easy) or a pseudonymous gmail identity, and it seems to me to be a pretty small extension to imagine web sites where you can log in using OpenIDs, but only OpenIDs that are known to be 2FA (whether using smart cards, phones, dongles or whatever). Far-fetched? Well, some people have said that to me when discussing this idea in the past. But I think that the US government's commitment to the technology has changed this.

Last week, the federal government announced a pilot project to develop digital identity solutions for federal websites, working with OpenID and Information Cards technologies. This will allow government agencies to authenticate the public (for low and no security uses) and provide personalization and services… federal CIO Vivek Kundra noted that identity is crucial if government websites are to move beyond "brochureware" and provide services to and interact with the public.

[From Thoughts on Identity from the Gov 2.0 Summit | Privacy Digest]

This opens up a pragmatic path through the identity management roadmap if you ask me. Organisations can begin to implement OpenID login right away, and their customers and employees can start using it right away. There's no need to explain OpenID to them: to the average person it just translates to "use your Twitter name" or "use your Facebook login" and makes life easier for them. Then, once (for example) banks are providing 2FA OpenID responders using the "dongles" they've already issued, or (for example) mobile operators are providing 2FA OpenID responders that use handset PKI, simply explain to customers that if they want to view a statement they can use any OpenID to log in, but if they want to make a payment then they must use their bank login or their mobile operator login.
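The two-tier rule above (any OpenID to view a statement, a known 2FA OpenID to make a payment) is essentially a relying-party authorisation policy keyed on who signed the assertion and what authentication policy they assert. Here is an added, illustrative implementation of that check in Python; it is not code from the post or from any OpenID library. It uses the real policy URIs from the OpenID Provider Authentication Policy Extension (PAPE) 1.0, which is how an OpenID provider tells a relying party that multi-factor authentication was performed. The provider endpoints, action names and sample responses are constructed placeholders, and the code assumes the response has already been signature-verified before it gets here.

```python
"""Relying-party step-up policy for OpenID logins.

Added example (not from the post). Assumptions: the OpenID response has
already had its signature verified; provider endpoints and action names
below are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, Tuple

# Policy URIs defined by the OpenID PAPE 1.0 extension. A provider puts one
# or more of these in openid.pape.auth_policies when it applied them.
PAPE_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PAPE_MULTI_FACTOR_PHYSICAL = (
    "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
)
TWO_FACTOR_POLICIES = frozenset({PAPE_MULTI_FACTOR, PAPE_MULTI_FACTOR_PHYSICAL})

# Hypothetical endpoints of the providers this relying party trusts to assert
# 2FA honestly: a bank that issued dongles and a mobile operator with handset
# PKI. Any other provider's 2FA claim is unverifiable and therefore ignored.
TRUSTED_2FA_PROVIDERS: FrozenSet[str] = frozenset({
    "https://openid.example-bank.test/server",
    "https://openid.example-mobile.test/server",
})


@dataclass(frozen=True)
class ActionPolicy:
    require_2fa: bool            # provider must assert a multi-factor policy
    trusted_provider_only: bool  # provider must be on TRUSTED_2FA_PROVIDERS


# Risk tiers from the post: any OpenID may view a statement; a payment needs
# a multi-factor assertion from a provider we trust to make that assertion.
ACTION_POLICIES: Mapping[str, ActionPolicy] = {
    "view_statement": ActionPolicy(require_2fa=False, trusted_provider_only=False),
    "make_payment": ActionPolicy(require_2fa=True, trusted_provider_only=True),
}


def parse_auth_policies(value: Optional[str]) -> FrozenSet[str]:
    """Parse openid.pape.auth_policies: a space-separated list of policy URIs,
    or the literal 'none' (or an absent field) when no policy was applied."""
    if value is None:
        return frozenset()
    tokens = [t for t in value.strip().split(" ") if t]
    if tokens == ["none"]:
        return frozenset()
    return frozenset(tokens)


def authorize(action: str, response: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a signature-verified OpenID response may perform `action`.

    Returns (allowed, reason). Unknown actions are denied (fail closed)."""
    policy = ACTION_POLICIES.get(action)
    if policy is None:
        return False, f"unknown action {action!r}"
    op_endpoint = response.get("openid.op_endpoint", "")
    policies = parse_auth_policies(response.get("openid.pape.auth_policies"))
    # Check the provider first: a 2FA claim from an untrusted provider is
    # just a string in a message, not evidence of a dongle or handset PKI.
    if policy.trusted_provider_only and op_endpoint not in TRUSTED_2FA_PROVIDERS:
        return False, f"{op_endpoint or '<no endpoint>'} is not a trusted 2FA provider"
    if policy.require_2fa and not (policies & TWO_FACTOR_POLICIES):
        return False, "provider did not assert a multi-factor PAPE policy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample responses (field names are real OpenID/PAPE keys,
    # endpoint values are made up).
    social_login = {"openid.op_endpoint": "https://social.example.test/openid"}
    bank_login = {
        "openid.op_endpoint": "https://openid.example-bank.test/server",
        "openid.pape.auth_policies": PAPE_MULTI_FACTOR_PHYSICAL,
    }
    print("view_statement / social:", authorize("view_statement", social_login))
    print("make_payment   / social:", authorize("make_payment", social_login))
    print("make_payment   / bank:  ", authorize("make_payment", bank_login))
```

The order of the checks matters: provider trust is tested before the policy claim, so a provider outside the allowlist is rejected for payments even if it asserts `multi-factor`, which is the property the post relies on when it says the payment must come through the bank or mobile-operator login specifically.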

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
