Opinions from Burton Group's CEO and Research Chair
« Cingularity defined | Main | The Open Systems Matrix »
 | August 30, 2003 |
Ends and Means: Identity in Two Worlds
Reflecting on my experiences at PC Forum, I became keenly aware that two evolving worlds understand each other poorly, and how, perhaps, digital identity is the subject that will allow (or force) them to understand each other.
One world is typified by the World of Ends, in which Doc Searls and David Wienberger espoused a very customer-centric view of the Net. To their credit, Doc, Weinberger,
If that world is typified by the World of Ends, there's also another world -- let's call it the World of Means. In that world, we have large enterprises and governments. While they don't always use it well, large companies and governments have the means with which to accomplish things, for better or worse. Their means often lead to both of those ends (better and worse), with intentional and unintentional consequences. It's the intersection of these two worlds that makes the discussion on digital identity so interesting.
Customers do business with companies that reside in the Worlds of Means, for example. In that world, some companies are clueful, many of them are not. But all of them have a business to run. And all of them have legitimate business issues that require digital identity that can't simply be written off as "BigCo stuff," as the Cluetrain crowd sometimes does. And unless they're particularly paranoid and refuse to give any identity information to anyone at any time-and there are a few of those out there-people do business with governments as well. Governments tend to be slow, but are a fact of life. We can argue over what governments should or shouldn't do with identity information, but not whether they're a factor in this discussion.
In other words, both of these worlds have legitimate needs for digital identity, and those worlds must interact. That means we need both standards for defining identity and an infrastructure for creating, using, and managing identity. By the way, the infrastructure isn't just about technology. It's also about process and people: who's involved, who can do what, who's accountable, and how accountability manifests itself.
While they share a common requirement, however, it sometimes seems -- and this was the case at PC Forum -- that resolving these two equally legitimate points of view is like trying to resolve Newtonian physics and quantum mechanics. While I don't think we need anything as grand as a unifying theory (or do we?), I do think it's important to acknowledge the legitimacy of the needs both of worlds have. We need a balanced solution that supports both the means and the ends in reasonable and acceptable fashion. Right now, neither side understands the other well enough to see how they can and must coexist. But I think they will.
Identity in the World of Ends
Let's start with the World of Ends. Doc's recent article in Linux Journal
eloquently describes what the World of Ends needs:
. . . A new identity infrastructure-one provided by open APIs, protocols and other standards that serve no agenda other than to enable useful dealings between buyers and sellers of products and services. Like the Web and e-mail infrastructure that are already part of the Net, this new infrastructure would be a full-fledged service on the Net. And it won't become that unless it's something nobody owns, everybody can use and anybody can improve. Again, like the Web, e-mail and the Net itself.
Doc and a lot of other people are asking for a customer-centric digital identity mechanism. This mechanism must allow the individual customer to control their identity, to decide whom they will reveal it to and when. This is a perfectly reasonable request. As an individual, I want the same thing.
Today, none of us is exactly sure what that mechanism will look like. We're fairly certain of what it won't look like. It won't be one big centralized identity repository controlled by one all-knowing, all-seeing entity, no matter who or what it is. Ideally, it will do just what Doc wants: put the individual in control, especially when it comes to the interactions between buyers and sellers. And it has to be comprised of open standards.
When I'm doing business with a company, for example, I want to orchestrate the relationship, both with and between the buyers, to meet my needs. Ideally, I'd like to be able to track what various organizations and people do with the information I give them, so that I can hold them accountable. Ultimately, the world of ends needs a digital identity mechanism that establishes social structure for the Net, allows us to communicate, recognize each other, and do useful things. That's one of the interesting things about Web logs and other social software: They've started us down that path.
Meanwhile, In the World of Means
But the World of Ends is at one end of the see-saw. At the other end are governments and companies, which aren't going away. Let's take the government example. State governments in the US aren't very likely to let people start issuing themselves driver's licenses anytime
soon. Likewise, national governments around the world aren't going to let folks
issue themselves a passport whenever they feel like it. These are the most commonly
used physical forms of identity, and governments will, some day, figure out how
to make them more digital. (Although the driver's license was never conceived by
government as an identity proof; it was a license to drive. But that's another story.)
And in the US, the IRS will probably never (as in ever), allow you to pay taxes based on credentials someone else issues. In other words, the government will issue digital identities, just as they have issued physical ones. So, unless you're one of those paranoid folks I talked about earlier, you'll end up with government-issued digital identities to use when you do business with the government. This will be in addition to, not instead of, the customer-centric identity Doc's asking for. (But it may well be the case that you won't be able to get that customer-centric digital identity without first having a government issued identity.)
Next you have enterprises, which have huge problems associated with identity. And because that's where the money is, and government regulations are forcing the issue, there's more happening right now in the effort to solve those problems than there is the area of customer-centric identity.
Take Sue for Example
Take this relatively extreme, but simple example: A stock broker. Let's say this stock broker, who I'll call Sue, works for First Federal Reserve, which is a highly respected brokerage and financial services firm. Let's also say that Sue works with loyal First Federal customers known as "high net worth individuals." That's financial services-speak for people who are very rich and make very big trades with brokerage firms. In that capacity, Sue is authorized to make trades of up to $5 million. Anything above that and she has to get her supervisor's authorization to make the trade.
When Sue is "Sue the individual," buying stuff over the Net, she's acting as individual. In that context, she should be at the center, able to control her individual identity in the fashion Doc's asking for. But when the context shifts and Sue is "Sue the stock broker at work," she's acting on behalf of First Federal. And she's doing some pretty serious stuff, all of which First Federal bears a huge responsibility and liability for. That means First Federal has the SEC, Congress, the FTC, and a whole bunch of other folks crawling up every orifice they have, and some new ones they've
recently acquired. They also have a lot of customers, all of whom want First Federal to protect their privacy and act in a customer-friendly fashion.
In this context, then, there are some big questions related to digital identity:
- How should First Federal manage Sue's identity in the work context? Should it let folks like Sue issue the credentials necessary to make $5 million trades to themselves?
- Can, or should, First Federal trust anyone else-say, Identities R Us-to issue her those credentials?
- And, in order to get First Federal's business, would Identities R Us be willing to bear the liabilities involved if Sue does something terribly wrong?
- What happens if Sue assumes someone else's identity, gets a job and acquires the broker identity based on that fraud, and defrauds the brokerage and its customers?
- Would anyone, as an individual, want to be a customer of any financial institution that managed things in such a fashion?
I'm guessing not.
In order to be accountable, First Federal must bear both the responsibility and liability for managing what Sue can do at work, and when she can do it. In fact, many of the new regulations designed to ensure accountability and protect individual and customer privacy will not work without digital identity mechanisms for employees. Before it can meet any of its obligations, then, First Federal has to verify who Sue is. Verifying Sue's identity may well entail doing background checks before First Federal issues credentials to her for doing anything at all. She's probably a bonded employee, for example.
In other words, these are business services that no general Internet identity service can easily (not to mention profitably or legally) provide. That means First Federal isn't going to accept anyone's notion of who Sue is except its own, not unless they're willing to sign up for billions in liabilities, millions in fines, and jail time if they screw it up. Call me crazy, but I'm thinking there won't be a long line at that window, if you know what I'm saying.
I've used a relatively extreme example to illustrate my point, but there are stock brokers who deal with high-net-worth individuals out there. And there are plenty of other cases that, while might not involve the same about of money trading hands, do involve serious liabilities, both financial and legal. The pharmaceutical industry, the health care industry, and many, many others face stiff regulations in this regard.
So What to Do?
First, it's important to remember a simple rule: As the possible spectrum of use for any given form of digital identity increases, it's overall security and ability to function in high-value transactions decreases. So, while Sue's customer-centric identity may well empower her as she interacts with a large number of buyers and sellers on the Net, it's insufficient in the rarefied atmosphere of $5 million trades or her yearly income tax returns. It may well be insufficient for some of her individual transactions as a customer, such as buying a $40,000 car or a $350,000 house. Banks are unlikely
to accept the same credentials and identity verification processes that give you access to Web sites and email for large loans.
These facts lead to a simple conclusion: The Net must accommodate more than one form of digital identity. Identity is contextual. It has many aspects. Customer-centrism is only one aspect of the digital identity infrastructure we need. So, it stands to reason that the identity infrastructure will be polycentric: flexible, dynamic and capable of pivoting and changing according to the context. We need both the individual, customer-centric identity that Doc asked for and the tools that allow enterprises to do what we, as customers, want them to do, which is play by the rules. And we'll get the government identities whether we like it or not. Always choose the best tool for the job, and let go of the fantasy that we'll have one ring to rule them all.
In no case should the identity mechanisms that allow the enterprise to function supplant or subvert the customer-centric identity that empowers the individual. But the inverse is also true. If we don't give enterprises the tools they need to manage identity, it will hurt the customer, not help them. In all cases, we have tough issues over privacy and information custodianship to deal with.
Evolution
These different forms of identity: customer-centric, government-issued, and enterprise-managed, will develop in parallel, more or less. The government will probably be the last to develop large-scale identity solutions. Enterprises are rushing like mad toward identity management because, for the most part, government regulation is forcing them to. Right now, there's more talk than action in the customer-centric identity category. But I agree with Doc that something will likely come along, something unexpected, and it will start a fire. What will enterprises do when that happens?
They'll support it. They won't have a choice. In fact, the smart ones will welcome it. Most of the enterprises I talk to would love to have it. It would make their lives easier. But it won't replace what they're doing now, or later.
Enterprise identity infrastructure must give companies the tools they need to manage their
business, and that includes identities for employees, contractors, temps, and a
host of other folks and things. It must also allow them to interact with their customers,
giving those customers convenience and service when they want it-which may require
revealing identity-and, possibly, anonymity when they want that. And so their systems
must accept the customer-centric forms of identity that will ultimately emerge.
But you can also bet that as enterprises work to manage identity on their terms,
we will learn lessons, which will influence the development of customer-centric
identity. That's a good thing.
So why the rant? Before posting this, I called Doc to talk to him about all of the above, and it's clear that he understands both sides of the issue. To his credit, he's trying to catalyze development of the customer-centric identity mechanism. That's a good thing, too. So he focuses on that in his writing. In the quest for solutions, however, neither world should lose sight of the other, or the legitimate need for those solutions, which is my point. And now I feel better.
August 30, 2003 in Essays & Columns | Permalink
