Thoughts from a life hacker

Today, on /., I caught an entry regarding a new project that Google and Facebook are finally sponsoring to facilitate Data Portability. Conveniently, the group of folks that are taking this initiative found a home at DataPortability.org. The fact that Google and Facebook jumped on the bandwagon has positives and negatives, but I think the net outcome will benefit the average user who can't, or isn't savvy enough to keep track of their own personal information. The younger generation who is able to divulge their nasty little secrets on every social networking site under the sun should know what their posting where, shouldn't they? Not. Initiatives like this are supported by professional advocates for technology, who are weary about releasing their private information to site after site, community after community, because if it changes, they have to modify it in every single location. It's for the user who wants to be identified by an identity, and take advantage of it to comment on a colleague's post on a site that they don't specifically have an account on. I suppose this is first iteration of how to combine all of the "Web 2.0" technologies to become a functional unit for those wanting to present and share a unified identity of themselves.

The only concern that I have regarding a project like this is, who will host your identifying information? Within the SAML standard, there exists a concept of an Identity Provider, and a Service Provider which clearly identifies where a user's identity resides, and specifically, where a service provider like Facebook, Livejournal, Google, etc. can validate a user's identity before giving them access to an application. However, it seems that OpenID is being adopted by the Internet community, and if I'm not mistaken, treats Identity and Service providers the same as in SAML. There are some that will depend on Google for their identity, others on Facebook, LinkedIn, LiveJournal, some even on MySpace, and the hundreds of other sites that individuals have accounts at. For any federation technology to work properly, that identity information needs to be dependable, and secure because applications that you as a user want to take advantage of will have no choice but to depend on that information. The facilities that these identity providers need to protect their data with need to be of the same caliber as any financial institution would use. Users are depending more and more on their virtual identities through blogs, and other public information as a reference for jobs, and even personal relationships. If a user's identity information was compromised, and was used in a malicious manner, the identity provider could most certainly be punishable by the fullest extent of the data by contributing to the possible defamation of the victim's virtual identity.

There have been several instances in the past year or so that I've had to use my OpenID reference from LiveJournal to post replies to communities outside of the network, and it's worked flawlessly. Just the other day, I used my OpenID identity to validate this blog on Technorati without having to enter in my LiveJournal credentials. As more and more applications become OpenID compliant, users will start to look for dependable Identity Providers (who have a dependable name in the community, or who can offer security through various forms of payment). This migration to Identity Providers will not be immediate, and will come over time with initiatives like the one taking place at DataPortability.