We all like friends, and having the ability to add and remove friends within a social network is critical. How you deal with managing friends from a design point of view is an interesting one.

There are many approaches, depending on the type of information you want to store about the relationships that are created, whether you want to know who initiated the friendship, when it was created, when it was accepted (or rejected even), the type of friendship and so on.

For my little mobile social network, I’m going to use a simplified form of friend relationship tracking, as all I’m interested in is whether or not a relationship exists between two people. To do this, I’m going to use a simple keyless table that holds two values: userID and friendID.

What I am interested in here is whether or not there is a relationship within the table between two user IDs. This tells me whether or not two users are potential friends, or whether a friend request has been made. To do this, I simply enter a row in the database containing a person’s userID, and the userID of the person they wish to befriend. This sets up a one-way relationship in the friends table, indicating that a friendship request has been made. The actual mechanic of processing the friend request I’m going to pass off to the messaging subsystem (which I’ll be covering in another post).

Now that we have a single row in the database, a simple query against a userID will tell me how many ‘friends’ this person has. Of course, this will include all unaccepted friendships, which is not necessarily something we want.

However, this approach works both ways: once a friendship is accepted, a second row is entered in the database with the friend’s userID listed first, and the requestor’s userID listed second. This allows us to write very simple queries to return a complete list of a particular userID’s accepted friends, or a list of a particular userID’s friend requests, since our ‘key’ is the first column in our two column table.

And rejecting a friend request is as simple as removing the original row from the table.

This schema can obviously be expanded to include timestamping should this be needed, or friend type, or anything else really - they key concept here is that what’s of interest is whether or not there is a relationship in the database, not the content of the returned rows (i.e. rowcount = 0, 1 or 2 - this is the information I want).

For those following along, on occasion I’ve mentioned a little side project I’ve been working on called Followup!, an anti-social social bookmarking application.

I’ve not done any real work on it recently, but over the past couple of days I had another look at it, and squashed a couple of annoying bugs (the double-login bug for one), as well as laying out some of the plans for future expansion.

With this, and following an earlier small post, I’m throwing Followup! open to everyone to use. Just sign up and get going - that’s it. Oh, and expect the obligatory Google ads to be installed soon too…

Time flies when you’re having fun, and I’ve certainly been having fun with Ubuntu recently. Looking back through my (not very frequent) posts, I see it’s been about 6 weeks 6 months! since I posted about installing Ubuntu as a test on my new laptop.

Since then, I can, quite literally, count on the fingers of one hand how many times I’ve booted back into Windows Vista. At the moment the Vista partition (all 20Gb of it!) serves to provide me with printing capabilities (My printer is an old Dell USB one that only barely works under Vista), and to update my iPod with some purchased music (Teeny Shiny and Bambi’s Dilemma by Melt Banana)

I have no reason or need to run Windows Vista on my laptop, and has been proven over the past four months, there is no reason I need to run Windows for work either. It’s turning out that the only reason I actually have a Windows desktop at all is to act as my games machine, since this is the one area that Linux is deficient. Whilst I know that a lot of games can run quite happily under WINE or through Cedega’s service, not all do. So for now, I have one Windows machine running XP (which will never have Vista installed on it), and one laptop running Ubuntu.

Going back to the work comment, for the past 4 months I’ve been working for as Head of Web Development for Hachette Filipacchi, the publisher of Elle Magazine, Red Magazine and Ideal Home amongst others. During that entire period I’ve been running a dual monitor desktop running Ubuntu Feisty Fawn (well, until recently when I did a dist-upgrade to Gutsy Gibbon). The only time I’ve had some trouble is with project management software, which I rarely need anyway. There was nothing I needed that was Windows only. As a quick rundown, here’s the most common software in use in the office, and what I replaced it with.

Microsoft Exchange
Replaced with Evolution (through a webmail connection). Whilst it’s possible to connect to an Exchange server through IMAP, the IT department weren’t comfortable with that.

Microsoft Word, Microsoft Excel, Microsoft Powerpoint, Microsoft Visio
Replaced with Open Office, and no-one noticed. I now use Open Office exclusively.

Tortiose SVN+PSPad
Replaced with Eclipse+Subclipse+PHPEclipse. I’m finding the move to an IDE to have been beneficial, rather than just using a text editor. Combining Eclipse with a local copy of Apache+PHP+MySQL means I can do all my web development on my local machine, and use Subversion to store the code, and later publish to the live webserver in a managed way. Very handy.

MSN Messenger
Replaced with Pidgin, although there was also the option of Meebo, and to deal with some firewall issues I also wrote my own web-based chat app.

Photoshop
Replaced with The Gimp. This is perhaps the most contentious issue for some people, since whilst The Gimp isa good piece of software, it is certainly not in the same league as Photoshop when it comes to image manipulation. That said, since I’m not a designer and only use The Gimp to resize images, and perhaps create some spot graphics, it’s not an issue for me.

Winamp
Replaced with Amarok.

Filezilla
Replaced with… Filezilla. Yep, there’s a native port of Filezilla available for Linux, and recent releases have made it as stable as the Windows version of the software.

The Bat
Replaced with Firebird. I think Firebird still a little ways to go to be as useful as The Bat, but I find it quite suitable as a mail client.

That pretty much covers everythign I need on a day to day basis. Having direct access to a command shell also helps tremendously when developing websites, and I can connect to the webserver very quickly. Running Ubuntu also makes it extremely easy to install and maintain a local web development environment, so I actually do all my development directly on my desktop under Apache 2, PHP5 and MySQL5. Once I’ve done my coding, I can simply commit to my SVN repository and then check out the code directly to the live webserver. Makes developing complex websites very easy!

One perhaps under mentioned aspect of running Ubuntu (or many other Linux distributions for that matter) that I have found remakably useful - and something I actively miss when using a Windows machine - is multiple workspaces. For example, on my laptop I have four workspaces arranged in a 2×2 grid, and I can place windows within a particular workspace to organise them into logical work groups.

On my work machine, whilst I had two monitors, I retained the four workspaces (although I also ran Compiz Fusion, so I had the 3D cube rather than a 2×2 grid), again allowing me to group windows together into logical workspaces. So I would have one workspace for email clients, one for research, one for development (Eclipse, local web browser, editors etc) and so on.

The new version of Ubuntu is due for release tomorrow, and having been using it for the past few weeks, I think this is the next major step forward for Linux - it does just work.

As a last note, a lot of people I have spoken to claim that it’s almost impossible to get support for Linux, which is why they don’t use it. I did some checking, and Canonical, the company behind Ubuntu, provides commercial support for Ubuntu via email and telephone - and you can buy support for an entire YEAR for £150…

Cross posted from The Mobile Weblog.

---

I've deliberately avoided posting about this subject the past few days, although I've been following it since it first appeared on The Consumerist website last week. I've also been encouraged to write about the post by a number of other bloggers.

I've vacillated between two schools of thought about this topic, but the one I keep coming back to relates to the underlying principles of capitalism, where Sprint are well within their rights to terminate any customer for pretty much any reason - they are, after all not in the business of providing communication service, but the business of making money for their shareholders. They just happen to be making money by providing communication services.

It can also be argued that the actions Sprint are taking in churning these customers off their books is beneficial to the company's bottom line, as it reduces the number of support calls, and hence the amount of money spent on providing such support. It also has a minor side effect of decreasing the number of accounts with billing problems (which are the primary cited reason for the high number of calls), which should have the impact of increasing revenues again.

Of course, weighed against this is the negative impact that all the exposure has generated across the Internet, and amongst mobile bloggers especially where the response has been almost universally negative. Ars Technica even popped up with their own experience.

Again, I can't help but think there is no real big issue here, there's simply a dispute between customers and the company they are purchasing a service from. Individual instances where customers are being mischarged, overcharged or generally billed for goods or services they didn't use aside, if Sprint choose to terminate a customer's service at no penalty to the customer, then that's their prerogative.

Sprint have however managed to shoot themselves in the foot by instigating another such customer purge, this time adversely affecting a group of US servicemen and women, by penalising them for using Sprint's own roaming service.

A few days after the original story appeared, another appear on The Consumerist with what appeared to be a rebuttal from Sprint, although delivered as if from a Sprint employee reporting anonymously, that claimed that the majority of the people who's accounts were being terminated were actually attempting to defraud Sprint. Consumerist reader ScoobyDoo was one of many who was less than trusting of the veracity of the account:

I call shenanigans.

This guy is probably speaking on behalf of Sprint PR and is trying to slow down the backlash they got from their little stunt.

They probably thought they could fire these 1000 customers without anyone noticing, but forgot about the Internet.

The story he's telling may apply to a couple of customers, but the previous poster proves that not everyone was a scammer, and Sprint should be ashamed of itself for trying to pin the blame on their customers when it is evident that THEY are also to blame in some cases.

Although balanced against this, other posters such as BNET41 say:

If you've ever worked as a CSR you'd know how common this is. There seem to be people out there who have nothing better to do than try to get free stuff.

In all of this, the one party that has yet to make a public announcement is Sprint itself, or at least not anywhere I've seen.

What I do think this situation shows is not that Sprint are necessarily a bad company (although there will always be debate about this), it seems to show there is a fundamental disconnect in the US mobile telecommunications industry, something that is also shown in the recent release of Apple's iPhone as an AT&T exclusive. With each company working hard to generate as much income for their shareholders as possible, the US-wide communications infrastructure is suffering, and consequently customers are having a hard time making use of such services. The original poster on the SprintUsers forum makes the point that whilst serving in Iraq - effectively a warzone - he received a better standard of service and operational coverage, at a lesser price, than he receives from the US telecommunications provider Sprint.

Why on earth I cant get coverage at the United States Military Academy, 40 minutes away from New York City is a mystery to me. I had a cell phone the entire time I was in Iraq with a middle eastern company. I payed LESS to call home and keep in touch from the otherside of the world than I do now with Sprint to call within the country. It also did not matter if I was in a major city or out in the middle of nowhere in the desert, I ALWAYS had full coverage. Never had a dropped call, and the customer reps of that company spoke better English than those with Sprint do.

It is this small section of the post that caught my attention and got me thinking - how can it be that in such a technologically advanced country, obtaining cellphone coverage, roaming and interconnects between existing providers is such a problem?

I remember myself when I used to employ people living in the US I always had to check in advance where in the country they would be to make sure that I could call them. In some cases, depending on location, I couldn't call as their carrier didn't provide international inbound call connectivity in certain regions. In some, especially to me, ludicrous instances I couldn't even send a text message, as there was no text sharing interconnect between carriers for roaming users, a situation that appears to still exist.

More than 30 million viewers tune in to 'America Idol' each week to vote for their favorite contestants by dialing into the toll-free telephone numbers or texting in on their Cingular Wireless phones.

To expand on that small quote - you can only vote for American Idol is you have a Cingular mobile phone. If you're on any other network, you cannot send in a voting text.

The equivalent situation in the UK would have the text voting provider laughed out of business, yet this seems to be the norm in the US.

Apple going with AT&T for the iPhone has also struck many people as odd, for the same reason: AT&T use a proprietary technology to deliver mobile services that is entirely incompatible with every other provider. Sprint phones are also incompatible with other providers, so those who are using Sprint are also locked in to that carrier if they want to continue using the handsets they have bought - and perhaps that is the real reason for the angst, not that the service is bad (which it apparently is), or that the company is doing what it is legally obliged to do (make money for it's shareholders), it's the fact there's no other choice that is driving the anger.

So I really think the larger issue here is not Sprint, but the parlous state of the mobile telecoms industry in the US. Common shortcodes (5 or 6 digit codes that work on all carriers) are a new phenomenon in the US (only being introduced in the past couple of years), and number portability is still a large issue. Coverage varies depending on your provider, and some areas you are limited in which provider you can even choose. Sprint dumping users is just a symptom of a much wider malaise.

---

Technorati Tags: Sprint, Mobile, Customer Service, America, AT&T, Cell, Cellphone

KPMG have released the results of a global survey into attitudes to mobile content. Well, they say ‘global’, but the survey was of 3,576 mobile phone users (which represents 0.0000549747696277206% of the world’s population…)

What’s interesting is one of the conclusions reached: That consumers are not willing to pay for premium content.

In all such sureys, analyst reports and polls, one clear thing stands out to me: The type of content being discussed is the type of content that can be obtained from other sources, in other forms, free of charge, and is almost entirely ‘passive’ content, content that is created once and provided to a wide range of customers in a passive way - download, browsing, alert etc.

What’s never discussed is the willingness of people to pay a premium for personalised content, a type of content of great interest to me as my company provides this kind of service. For example, our GTIP service provides a personalised response based on a customer query. It’s like customer support, but it’s for everyone’s products, not just one company’s product, and it’s about providing help to enjoy the product rather than support when the product breaks.

The relationship here is a one to one relationship between the content and the customer, not a one to many relationship. Each piece of content is created specifically for the customer, based on her query. At the same time the content is small, portable, quite often of great interest to the requester’s friends.

But the important thing is something that a lot of mobile compnay’s are starting to realise:It’s not about selling as much content as possible int he shrotest amount of time, it’s about retaining customers by providing them with what they want.

From a purely economic point of view it’s better to retain a customer who buys from you 2, or 5, or (in the case of one of my customers, more than 500 times) is more valuable than someone who buys something once and then moves on.

Technorati Tags: KPMG, Mobile Content, SMS, Premium Content, Premium SMS, Content, Celllphone, Cellphones

Gamespot have posted an article about a panel discussion held at the California Club on the 9th of February. The topic of discussion was The Era of Connected Gaming - An Inside Look At An Industry On Revolution and featured Lars Butler (ex EA), Laurent Detoc (Ubisoft), Raph Koster (Sony Online) and Peter Moore (Microsoft).

Reading the article and the points raised dragged me right back to 1998, when exactly the same things were said about online multiplayer gaming - by the players. However, in my view between 1999 and 2001 the biggest barrier to the success of online multiplayer gaming were Sony, Microsoft, Ubisoft and EA, all of whom saw no consumer demand for online games, or had no understanding of of them.

Years of discussions with games publishers resulted in nothing more than apathy, for the simple reason that the business model for games was based almost entirely on the first week or two’s sales after a game’s release. Once a game was sold there were no more revenues to be made, so there was no financial incentive for company’s to develop online or multiplayer games.

I have lost track of the number of really good multiplayer games that were less successful than they could have been, simply through poor implementation of multiplayer services. Some companies have managed to turn things around (with more or less success, depending on who you talk to), whilst others got out of the multiplayer market altogether for many years, before returning as a sevrice provider, buying in MMO’s from other markets for local release.

And all the while, FPS gaming has been growing as a spectator sport, with National and International tournaments, and fulltime players earning a fairly good wage along with sponsorships. It’ll be nice to see the large companies finally catching up (is this a repeated refrain?), and hopefully the focus will now be on producing multiplayer games that have consistent wuality over a period of time.

Technorati Tags: online games, multiplayer games, online gaming

I attended the recent EPG Identity Special Interest Group (more on which in another post, once I re-digest all the slides), and one of the topics discussed was the UK’s ID card proposal.

It strikes me, based on the discussion and the number of different suggestions made (not all of which were specifically about the UK ID Card mind) that what we need isn’t a national ID card. What we need is lots of them.

The big issue with the ID card seems to be a combination of overly intrusive recording of information about citizens combined with a lack of surety about what information to store (or even where to store it!) combined with a requirement that the card be a card that a third party can rely on (i.e. the Government must take liability for the veracity of the card). Without these issues being addressed, the card is almost certainly destined for failure. As one person put it: “The Government is trying to sell something it doesn’t understand to a public who don’t understand it (and therefore don’t want it.)”

I would like to propose an alternative model to the single ID card. I’d like to propose we have lots of ID cards, and we be allowed to choose the one (or more!) that we carry, obtaining each ID card from an authorised ID provider. This would place the Government in the position of regulating ID cards instead of legislating them. By allowing private corporations to become Identity Card providers, consumers will be free to choose their preferred provider of an ID card. The Government’s role in this is to ensure that the company’s that are authorised to provide nationally recognised ID cards are properly regulated, authorised and otherwise monitored to avoid abuses.

And the Government would need to ensure that any ID card provided by an authorised ID card provider would be accepted at any Government department as full and final proof of Identity.

Of course, we already have a similar system in place now - the banking industry. It’s relatively simple to set up a bank (yes, I know there are very high barriers to entry, but if you can meet these barriers then the process itself is fairly simple), and the industry as a whole is regulated.

(It’s been commented that one of the key sticking points with ID cards is whether or not the banking industry will accept a national ID card as final proof of identity. If the banks continue to require additional information, then the value of the national card is devalued, as it becomes nothing more than another card citizens have to pay for, which doesn’t provide any tangible value or benefit except when dealing with one particular industry - government. In which case it’s not a national ID card, it’s a government ID card, which is something different.)

So we have wide competition for banking services, even though the primary services provided are all pretty much the same. And of the process of accepting a debit or credit card as proof of payment for goods and services is well documented and widely available.

Why not apply the same principles to the issue of an ID card? This would serve a number of purposes, including introducing competition, ensuring consistency of data transfer, providing transparency of costs in obtaining a card, and would allow consumers to choose whether or not to use a particular ID card.

It also fits in quite nicely with the concept of transient identity, as the consumer is not forced to use a particular ID card, with information stored in a central register with little or no control over accuracy or re-use of said data. With competing ID card providers, the onus is on the ID provider to ensure accuracy of data, transparency of data release and security of operation - after all, with many ID card providers, the incentive to move to a more secure one is higher than if there is no competition at all.

And this also allows the consumer to ensure that the information held about themselves is accurate, and it also allows the consumer the freedom to move all of their personal information to another provider, as well as controlling the release of information to third parties, the Government included.

This leaves citizens in control, provides a regulated environment for ID cards (and therefore provides for the acceptance of liability on the part of the ID card provider), still manages to provide the type of authentication that seems to be required of the national ID card scheme, as well as promoting competition amongst ID providers. After all, who wants an ID card accepted at 1,000 places when a competitor can offer 2,000?

After reading through Stephen Downe’s opus on Identity, it got me thinking about what the most important part of identity is.

Personally, I think it is Trust.

(From Dictionary.com:)
trust Pronunciation Key (trst)
n.
1. Firm reliance on the integrity, ability, or character of a person or thing.
I think this is the essence. If we take the example of transient identity I espoused in my last post, the key underlying factor that makes the system work is the trusted relationships between entities.

In Stepehen Downe’s example (the one that made me think about this in the first place), the key again is trust.

Stephen Says:

To put it in slogan form: when you present your driver’s license to the police officer, that’s an identity claim. When the police officer compares the photo on the license with your face, that’s authentication.

What he’s saying is that the police officer places greater trust in the drivers license being accurate than he does in your verbal assertion of who you are.

This even fits with the discussion around claims and assertions of identity. There is no reason why the drivers license you present to the police officer has to be valid, correct, or even accurate - as long as the trust exists between the police officer and the facts contained within the document presented, then the authentication of your assertion will be accepted.

In a personal identity service, it is trust which is most critical.

Technorati Tags: Digital Identity, Identity, Trust

2 September: This is a work in progress, so please ignore typos or blank bits :)
Update 6 September: It seems other people are travelling down this path: Check out this paper from midentity, as well as this post (part 1) and this post by Stephen Downes.
Update 13 September: Having had to rebuild this weblog recently, I’ve realised I first wrote about this idea back in July!

I’ve been thinking about this for a while. Posts by Kim Cameron and more recently by Bob Blakley talking about digital identity lead me to the topic of this post: Transient Identity.

In my previous entry I talked about data retention and privacy have led me further along this path. Coupled with initiatives like OpenID and Shibboleth, the concept of transient identity comes in to play when the ownership of personal identity is transferred back to the individual.

At the moment I have personal details about myself stored in hundreds of places on the web such as web shops (I won’t mention them - wouldn’t want anyone going trawling!) and other organisations I have an involvement with. Each one of these companies holds a copy of information about me, that I provided at the time.

This information, which is used to identify me to them, is fixed at a single point in time - the last time I edited the information they store about me (or the last time they edited information about me without my knowledge…) In the worst case scenario (as mentioned in this Wired article), the information stored about you may be entirely inaccurate. And all of this information, most of which you have no control over, is used by other people to make decisions about you, or to identify you.

So what do I think is “transient identity”? At its most effective, it is a situation where my chosen identity provider loses all my information and cannot restore it if they have a system, crash. Nothing is stored in long-term storage, nothing is backed up to tape, disk or other storage medium. When companies I deal with request my identity, they receive only that which they need to use for the individual transaction, and this information is requested from my chosen identity provider, not recorded locally.

Shibboleth espouses the idea of attributes for authorisation rather than credential sharing, leaving the actual authorisation process to a single trusted provider. For example, say you’re dealing with Amazon. When you want to buy something, you don’t log in to Amazon, you log in to your own chosen identity provider, who tells Amazon that you have successfully authenticated against their known information.

When you come to buy something, Amazon asks your identity provider for your current postal address (a release of identity information transaction you have necessarily authorised), which Amazon then uses to send you your parcel.

However, given that the information provided is transient, there is no benefit for Amazon to retain this address information for later use - as you may have moved, or changed where you want parcels delivered.

This can even be extended as far as purchasing. The payment for your book could be processed remotely. As a buyer you could authorise Amazon to request a payment from your account. Your identity provider would then initiate the payment (which you would then authorise separately from Amazon itself, or automatically if you chose to accept all payment requests from Amazon), then your identity provider returns confirmation of payment to Amazon.

You get your book delivered where you want, Amazon gets it’s money, and you keep control of your personal information.

Sticking with payments for a moment, have you ever stopped to wonder how interesting the breakdown of credit card usage on a site like Amazon could be to marketing companies - or even the credit card providers themselves? They wouldn’t even need to know who has them or where, but simple breakdowns of ‘x number of Visa cards are used in this state as opposed to y number of Mastercards’ could be used by providers to plan wide spread marketing campaigns.

So back to transient identity, and let’s map them against the Laws of Identity.

1. User Control and Consent:
Well, the whole point of transient identity is that the owner of the identity is in complete control, not only of what data is held, but what data is released and how it is used.

2. Limited Disclosure for Limited Use
See the Amazon example above. Using an attributes-based system like Shibboleth means that you only provide the minimum amount of information needed to complete the identity transaction.

3. The Law of Fewest Parties
See the Amazon example above. All identity comes from a single place.

4. Directed Identity
By integrating a Shibboleth-style attributes delivery service, the identity owner can define up front which information or attributes can be requested or used by anyone without authorisation, and which are private and can therefore only be used with explicit permission.

5. Pluralism of Operators and Technologies:
Well, this is a challenge for companies who want to be digital identity providers. For transient identity systems to work, there needs to be an agreement between identity providers and identity consumers that the information shared is trusted. But there’s no reason to specify what sort of identity storage system is used by an identity provider and what sort of processing systems are used by an identity consumer.

6. Human Integration:
Well…. the whole point of transient identity is that the human who’s identity is being defined is in complete control of all the information stored and revealed about them.

7. Consistent Experience Across Contexts:
Perhaps the least understood of the 7 laws, transient identity has the ability to provide a consistent experience across contexts - since the identity owner defines what is provided in each context, however the decision on how to present the experience of using the identity at a consumer/customer level is down to the Identity Consumer (Amazon from the example I’ve been using).

I guess what I need now is a definition of ‘Identity Provider’, ‘Identity Owner’ and ‘Identity Consumer’? Because strictly speaking, an ‘Identity Provider’ can (and perhaps should?) also be an ‘Identity Consumer’, consuming identity information released by the ‘Identity Owner’ that it retrieves from itself.

Just quickly:
Identity Provider: An organisation or company that provides a secure way of assuring provided credentials are correct, and providing selected subsets of authorised attribute information about an Identity. Also asserts that the Identity information stored and provided has been entered by an asserted Identity Owner.

Identity Consumer: An organisation that makes use of provided Identity information in whatever form is needed or delivered.

Identity Owner: An individual, responsible for providing self-asserted Identity information to an Identity Provider.

Problems
No type of identity system is without problems, and the problems with transient identity are the obvious ones: data retention, data quality, trust between provider/consumer, identity theft, data loss

Interestingly, some of these are easily overcome. Taking on the role of Identity Provider comes with a lot of potential problems, technical and otherwise. However the actual implementation of the service is a purely technical and process issue, and is not actually related to identity at all. For example, setting up to be a primary provider of someone’s digital identity requires that the provider know who the individual is. This is not a digital identity issue, this is a personal identity issue and can be dealt with the same as any other secure identity issue: Get the person to provide non-digital identity information, and require it for every change. Banks do this every day.

Once you’re over this hurdle, providing secure access to the services to make changes to provided information is simple, and again is something done every day using SSL certificates or strong authentication. Setting the service up to handle changes in a secure way is also fairly simple, and examples can be an exercise for the reader :) (However, don’t take the example of my business banking provider: They require I use a username and password as well as a security certificate to access online banking. Once logged in, I can do lots of things, including clearing out the account. But I can’t change my postal address for statements. My personal banking service requires a username, password and security code. And I can change my postal address online. I’m still gob smacked that the stronger authentication process provides me with less options to change data…)

So let’s hit some of the other problems on the head:
Data Quality
Well, the owner of the identity information is entirely responsible for the quality of the data used by everyone else, so data quality problems should not exist - unless the identity owner chooses to give false information. Which then becomes a law enforcement issue if false information is deliberately provided, and not an identity issue.

Data Retention
We don’t want data retention. We want our data to be lost if there’s a system crash. We don’t want old data inadvertently used without our knowledge - or deliberately.

The only other real issue here is with legislative requirements. In the UK information must be stored for up to 7 years, so there could be some legislative issues around whether or not an identity provider could exist if they didn’t back up their data. After all, in the strictest sense the identity provider itself would be a consumer of identity information about their own customers - there would not need to be a separate ‘customer database’ of people who purchased identity storage.

Perhaps a re-drafting of data protection & retention legislation is required?

Data Loss
Data loss will always be an issue, but if you are in complete control of all the information stored about you, data loss is not actually a problem, it’s a benefit, since you know that all the information stored about you has been provided by you, rather than derived from other organisations or from old data.

Identity Theft
Identity Theft is always going to be a problem. After all, it’s it’s been around for centuries. How it’s dealt with is not an identity issue, it’s a functional or operational issue. However if all your identity is provided by a single trusted provider, then you control how that information is used, even to the point of where it can be used. If you want to protect your identity details, disallow changes to certain types of information online, and disallow certain transactions.

Trust between Identity Provider/Identity Consumer
This is not an identity issue, this is a marketing/business development issue. And there is great incentive for an identity provision company to provide secure services, accurate services that other companies trust, as this is their primary market. If you can’t do a deal with Amazon, then you’re unlikely to get many customers…

The Amazon Example

The above image illustrates the information flow in the Amazon example I gave earlier. The interesting thing about this diagram is there is no relationship at all between Amazon and the consumer, and there is no relationship between Amazon and the credit card provider. The entire transaction is carried out using attributes or assertions about the customer, not by the customer providing details to Amazon.

A small side effect of this is that it makes it very hard to conduct credit card fraud through online stores - since there’s no actual relationship between the online store and the credit card itself, simply assertions made between the two parties by a trusted intermediary.

Technorati Tags: Identity Management, Digital Identity, Privacy, Identity