“Identity” the most widely misused term by Internet experts

I picked up an interesting concept via Sam Sethi’s Twitter today. It involves implementing white lists using OpenID and FOAF profiles to help resolve the issue with online identity.

I don’t wish to comment on OpenID or FOAF. I do, however, want to voice my concern over the misuse of the word ‘identity’ and how it is being associated with OpenID and other so-called solutions to solve identity.

OpenID is a central register of user names and passwords. So, rather than having, say, 10 different user names and passwords for 10 different Web sites, you create an OpenID account and associate it with the 10 user names. That is, of course, assuming the 10 Web sites support OpenID by connecting to your account.

FOAF stands for Friend of a Friend. The FOAF project is creating a Web of machine-readable pages describing people, the links between them and the things they create and do.

According to Steve Ivy, to whom Sam refers in his Twitter message

In less than a nutshell, the DIG is using the relationship data in their members’ FOAF files to build a whitelist of users (identified by their OpenID) who can comment on the site.
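
The whitelist described in the quote above, as an added example (not code from Steve Ivy’s post or from the DIG site). Parsed FOAF files are stood in for by a constructed dictionary; the function names, the hop limit and the example URLs are assumptions. Trust is followed only outward from seed members, so a profile that merely claims to know a member gains nothing.

```python
from collections import deque
from urllib.parse import urlsplit

# Constructed sample data: a simplified stand-in for already-parsed FOAF files.
# Keys are profile URLs; "openid" mirrors foaf:openid, "knows" mirrors foaf:knows.
FOAF = {
    "https://dig.example/alice": {"openid": "https://Alice.example/", "knows": ["https://dig.example/bob"]},
    "https://dig.example/bob": {"openid": "https://bob.example", "knows": ["https://dig.example/carol"]},
    "https://dig.example/carol": {"openid": "https://carol.example/", "knows": ["https://dig.example/dave"]},
    "https://dig.example/dave": {"openid": "https://dave.example/", "knows": []},
    # Mallory claims to know a member, but no trusted profile links to her.
    "https://evil.example/mallory": {"openid": "https://mallory.example/", "knows": ["https://dig.example/alice"]},
}

def normalize(openid_url):
    """Simplified identifier normalization: lowercase scheme/host, default path '/', drop fragment."""
    p = urlsplit(openid_url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"

def build_whitelist(foaf, seeds, max_hops=2):
    """Walk foaf:knows outward from trusted seed profiles; return {openid: hops from a seed}."""
    whitelist, seen = {}, set(seeds)
    queue = deque((s, 0) for s in seeds)
    while queue:
        profile, hops = queue.popleft()
        entry = foaf.get(profile)
        if entry is None:  # profile missing or unfetchable: grant nothing
            continue
        if entry.get("openid"):
            whitelist.setdefault(normalize(entry["openid"]), hops)
        if hops < max_hops:
            for friend in entry.get("knows", []):
                if friend not in seen:
                    seen.add(friend)
                    queue.append((friend, hops + 1))
    return whitelist

def may_comment(verified_openid, whitelist):
    """verified_openid is the URL the OpenID login showed the user controls.
    Membership means a member vouched for that URL; it says nothing about a legal name."""
    return normalize(verified_openid) in whitelist
```
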

According to the image on Steve’s blog, which I think he borrowed from Tim Berners-Lee (looking at the file name when I save it)

tbl_open_id_plus_foaf_whitelist.png

OpenID Login proves identity

According to Dan Connolly from the W3C

As Simon Willison notes, OpenID solves the identity problem, not the trust problem.

I have to take issue with their use of the word ‘identity’.

OpenID does not prove identity. Identity has a universal meaning to just about everyone on the planet. So why is there so much confusion on the Web?

What is Identity?

When asked for ID by a car rental company, for example, you know, without fail, that they’re asking for either your passport or driver’s license.

Why? Well, because before you were issued with a passport or driver’s license, you had to prove ‘who’ you say you are. You did this by getting a trusted third party who knows you, such as a solicitor or police officer, to verify your identity. Your identity, as confirmed and documented by a trusted third party, was then sent to the appropriate authority for final processing.

Going back to OpenID, you can set up an account under any name and associate it with any number of profiles. None of this information is verified by anyone. Does this prove you are who you say you are? In other words, does it prove your identity? The answer is no. It does prove your identity if by that you mean something entirely different to what the vast majority of the population already believe identity to mean.

I have only witnessed one person articulate the same opinion as me and that’s Saul Klein. Saul understands identity; he co-founded TRUSTe, which is the most widely recognised Trustmark for privacy on the Internet. Saul articulated his opinion about identity after a Garlik presentation at Essential Web, where he was on the panel to whom Garlik pitched. I was on a different panel but was dying to quiz Garlik about their terminology.

How to solve the problem

Just like we do with passports and driver’s licenses in the offline world, we can have our company and personal details verified by a trusted third party such as Experian or Equifax. I chose these companies because they already hold personal details and credit scores for most of us.

We could then associate that verified information with a technical solution such as Content Labels (known as POWDER by the W3C for political reasons), FOAF or some other kind of Certificate which can be recognized by a browser or other tool. Only then can you solve the ‘identity’ problem. By default, it would mean we’re half-way to resolving the trust issue at the same time.

If you consider the passport scenario… Experian and Equifax act as the solicitor or police officer who knows you. The Content Label/Certificate authority acts as the passport office by issuing the proof of identity.


Comments


  1. Steve Ivy said...

    Hi Paul,

    Thanks for the discussion. I wanted to touch on a couple of things:

    1) The graphic is mine. Please don’t ascribe any misrepresentation by me of these concepts to Tim. :-)
    2) OpenID is not a “central register of user names and passwords”. OpenID is, in fact, explicitly decentralized:

    “OpenID is an open, decentralized, free framework for user-centric digital identity” (from http://openid.net/what/)

    Note the phrase “user-centric” - OpenID puts the control of who does/doesn’t have access to a user’s profile data in the user’s control, not a centralized third-party. While there may be a need/place for “trusted third parties” in online transactions, that’s not the problem OpenID is trying to solve. Per Simon Willison (to which post Dan Connolly was referring):

    When a user authenticates with OpenID, what they are doing is stating “I have the ability to prove my ownership of this URL”.

    3) “OpenID does not prove identity”. No, OpenID creates a definition of identity - “the person or persons who can prove ownership of a URI” - A definition upon which a large contingent of web services have agreed. It’s up to other layers or other systems (ie, your trusted third parties) to establish the trustworthiness of a particular identity. The original OpenID home page does a good job at explaining some of this.

    Cheers,

    –Steve


  2. Simon Willison said...

    For the record, I regret my statement that “OpenID solves the identity problem” (which I made quite some time ago) - I don’t think that the word “identity” is correct in that context, in as much as there’s too much potential confusion around the term.

    I’ve heard the term “strong identity” used to mean the kind of identity you are talking about (identity that has been tied to a real human being). I like that phrase as it further reduces ambiguity.


  3. Luigi Montanez said...

    Identity on the Internet is vastly different from identity in the real world. When someone asks for proof of identity in the real world, it’s almost always for legal/liability purposes.

    But when filling out my information to post this comment, I wasn’t proving my identity, I was simply providing it. Big difference. When people talk about Identity on the Internet, they mean providing identity, not proving it. OpenID is a solution which allows us to provide our identity much more easily, while not attempting to prove it (although that can be the task of the OpenID provider).


  4. Paul Walsh said...

    @Steve, thanks for correcting me, I’ve updated the post to reflect that the image is in fact yours :)
    Regarding OpenID, how does it prove that I own URI y.com? For example, couldn’t I set up an OpenID and pretend to be John Smith? We can prove that John owns the OpenID and he owns y.com, but we can’t prove that I am John.

    Have I got that right?

    I must admit that I don’t know much about OpenID. What I do know (I hope) is that it’s impossible to prove one’s identity using OpenID. Unfortunately, nobody has got this right, even the organisations who have adopted OpenID. VeriSign is the closest to getting Identity right but as you know, it’s based on proprietary technology and costs a lot of money.

    (for non-techies, URI is the same as URL, it’s not a typo)


  5. Paul Walsh said...

    @Simon - thanks! :)
    I love the whole idea of OpenID but I do have concerns over the misuse of the word ‘identity’ as I explained. OpenID resolves a very simple problem. I think it should be left there and not endorsed to resolve lots of other problems, at least not until it’s mainstream - by that I mean, it’s easy for my mother to use.


  6. Paul Walsh said...

    @Luigi - I disagree, as you can tell from my original post, but to address your comment directly…

    This blog has asked for your identity and assumes you will tell the truth. Why? Well, because it’s not that important to ‘us’. However, providing your identity on eBay when creating an account should have a better identity solution - wouldn’t you agree?

    PayPal is online only and it verifies your identity by using offline methods. Identity has one simple definition as I provided in my post. It’s the level of security and trust associated with identity that changes depending on the circumstances.


  7. Simon Willison said...

    It’s possible for OpenID to provide “strong identity” provided you trust the OpenID provider in question. If a university were to set up an OpenID server for all of their students you could accept OpenIDs from that university and know that it’s pretty likely that you are getting “real” people (assuming the university has a good process for confirming the identity of its students). There’s even an OpenID provider in Estonia which ties in to the Estonian national ID card, again tying an OpenID to a strong identity.

    That said, the vast majority of OpenIDs are tied to a virtual persona with no strong identity hooks at all. This is a good thing for preserving online privacy. Whether or not you need strong identity depends very much on the application, and unless strong identity is absolutely essential (paying tax, applying for a passport etc) I think it is best avoided.


  8. Steve Ivy said...

    @Paul - thanks for correcting your note about the image. I agree with Simon that “proves identity” is the wrong description of what OpenID does, but that “identity” is about the best term we have right now. I also like “strong identity” for the “proved that you are who you say you are” case.

    When I get a minute I’ll update my post with a note about the discussion here - I think it’s worth adding to the discussion.


  9. Paul Walsh said...

    @Simon - that’s very interesting. I forgot you could have OpenID providers. So, it would make sense for say, the passport office or Experian to be a provider?

    I still don’t like ‘strong identity’. We can continue to use the word identity, but not say that solution x ‘proves’ identity. That said, I think if the passport office was a provider, we could say that it ‘proved’ identities…

    I agree that you shouldn’t be forced to prove who you are all of the time. I’m not in favour of ‘policing the Internet’, which, I hope, is obvious from my W3C work.

    You don’t necessarily want to prove who you are when creating an account with Bebo (I use them instead of MySpace because it’s European and a friend of mine co-founded it). But you might want eBay and PayPal to force people to prove who they say they are.


  10. Paul Walsh said...

    @Steve / @Simon - I can see why you like ‘strong identity’ but you then have an educational process with terminology when we have a tough enough job with the technology :)
    I like the term identity - I just don’t like the word ‘proven’ in the context of technology with no verification process. So, for identities that have been proven, how about we use the term ‘verified’, or ‘proven’ - say what it does on the tin so our grannies know what the hell we’re talking about.

    I remember when the W3C Semantic Web Education and Outreach Special Interest group first started, I almost had to remind the extremely intelligent technical folk that the group’s mission was ‘marketing’, so we had to stop talking about Semantic Web, RDF and definitely had to stop talking about ontologies. We need to speak in layman’s language using terms they already understand.

    Try to figure out what a Web page is according to W3C definition for the sake of Web accessibility? It’s a mind fcuk. The terms are ok to the working groups (I’m including my own staff in there) that dream them up, but give them to agencies and freelance developers who actually design and build Web sites and you get a blank stare.


  11. Luigi Montanez said...

    I definitely see the difference you describe between identifying oneself to comment on a blog and identifying oneself to PayPal to start an account and make purchases. But if the former really isn’t identity, then what should we call it? Introduction? It’s the same as if I were to meet you at a cocktail party and say “My name is Luigi and I’m from New York”, but I could be lying. Am I still not identifying myself in that case?


  12. monkinetic | Blog Archive » Making a list: Whitelisting with OpenId and XFN said...

    [...] A conversation with Paul Walsh and Simon Willison sprang up in the comments on Paul’s post, “Identity” the most widely misused term by Internet experts. Paul makes a decent case (and Simon agrees) that saying OpenID “proves identity” is [...]


  13. Steve Ivy said...

    @Paul - I’ve updated the diagrams in the original post and added a link to the conversation here.

    As far as terminology goes - I can live with differentiating between “identity” and “prov(es/ing) identity” - I think in the context of most online services, an “identity” that is traceable to a unique identifier (URI) is sufficient.


  14. Paul Walsh said...

    Steve - “provides” identity is absolutely perfect and resides exactly in the middle as far as I’m concerned :-)


  15. Paul Walsh said...

    Luigi - does Steve’s change do it for you? It’s all identity… the only issue I had was people thinking that a particular solution (in this case, OpenID), ‘proves’ identity. It doesn’t, it ‘provides’ identity.

    However, going back to what Simon reminded me of, trusted third parties could possibly use OpenID to prove identity. They could do this by becoming an OpenID Provider - it’s down to people being able to trust the assertions that are made by companies and/or individuals (as you suggest).


  16. Luigi Montanez said...

    Yes, I think we’ve reached a happy agreement about providing identity vs. proving identity. :)


  17. Paul Walsh said...

    @Luigi - I don’t think I’ve ever witnessed such a friendly blog post where people work together in order to come up with an agreeable solution.


  18. Paul Walsh said...

    With regards to proving identity, what are your thoughts on CAcert.org?

    That site offers free certificates, where previously people (and companies) had to pay a lot of money.

    There are different levels of trust but they do offer to, quote: “verify your identity using your government issued photo identity documents.”

    Would this not be similar to what you all were discussing?

    I would be interested in your thoughts for this in relation to the above discussion.

