The History of Tomorrow’s Internet: Identity (iCards, pt. 1)

In my OpenID report from SXSW I jumped to OpenID briefly, but I want to cover iCards before continuing down that road. iCards is the generic name (technically just for the client-side technology, but I’m using the term generically to refer to Cardspace and Higgins) for a couple of implementations of what has become known as the “Identity Metasystem”. The Identity Metasystem is in turn a formalization of what have become known as the “Laws of Identity”. So let’s back up to the beginning and talk about the Laws in this post.

In 2004, Microsoft was still smarting from its hugely ambitious and hugely unpopular Passport service. As a way to move forward, Kim Cameron, Microsoft’s Identity Architect, did an interesting thing: he started a blog. On his identity blog Kim started a discussion about why Passport had failed and how to properly bring an identity layer to the internet. In 2005, Kim encapsulated the discussion of the previous year in a white paper called “The Seven Laws of Identity”.

1. User control and consent: Pretty straightforward—people should determine what information they share about themselves.

2. Minimal disclosure for a constrained use: This means the system should share ONLY what it needs to. The canonical example is buying booze. The Identity Metasystem should only say that you are “over 21” (necessary), not your actual age (too much information).

3. Justifiable Parties: Only parties that need to be involved should be involved. This one is a little tricky—how do we determine who needs to be involved? The short answer is you do. The point of this is NOT that there shouldn’t be a third party (like an Identity Provider), the point is that if there IS a third party, it should be clear to YOU that they are involved so you can make the choice whether to proceed.

4. Directed Identity: A directed identity is one intended for a particular party (e.g. my medical records for my doctor). It seems OBVIOUS that an identity metasystem would do this, but REALLY what this law is asserting is that the system shouldn’t use correlatable information as your identity. In other words, an identity metasystem that decided to send your Social Security number to every site that wanted to verify you are you would be subject to GROSS abuse. Instead, the Identity Provider (IP) should send a unique token to each site, so that it isn’t easy for them to realize you are the same person across sites.

5. Pluralism of Operators and Technologies: This just means that we can’t have a single company or a single technology manage identity for the internet. The prohibition against a single company is pretty obvious, as that company would be WAY too powerful. The prohibition against a single technology is more controversial. On the surface it makes sense for the identity layer to handle any previous and future protocols and security frameworks. In reality though, the internet has done pretty well relying on HTTP, and there is a real question as to whether this law adds unnecessary complexity.

6. Human integration: Put simply, this means the metasystem should be as clear as possible to ordinary people. Implicitly it means this need should overrule other considerations (like UI customization or rad design). This is also the “anti-phishing” law.

7. Consistent experience across contexts: This is kind of a weird one, but essentially it means that whether you are handing over your medical records or just your email address, the experience should be consistent enough so that in both cases you know that you are giving up a piece of your identity.
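To make Laws 2 and 4 concrete, here is a sketch of how an Identity Provider could derive a different identifier for each site and release only an "over 21" answer. It is an added example, not code from the white paper, Cardspace or Higgins; the HMAC derivation, the function names, the site names and the sample secret and birth date are all assumptions made for illustration, and a real token would also be signed by the IP.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample values; in this sketch both stay at the Identity Provider (IP).
USER_SECRET = b"constructed-demo-secret-for-alice"
BIRTH_DATE = date(1990, 6, 15)


def directed_id(user_secret: bytes, relying_party: str) -> str:
    """Law 4: a stable identifier that is different for every relying party.

    HMAC-SHA256 keyed with a per-user secret: two sites comparing the values
    they received cannot tell they belong to the same person.
    """
    rp = relying_party.strip().lower().encode("utf-8")
    return hmac.new(user_secret, rp, hashlib.sha256).hexdigest()


def over_age(birth: date, years: int, today: date) -> bool:
    """Law 2: answer the yes/no question without exposing the birth date."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1) >= years


def issue_token(relying_party: str, requested: set, today: date) -> dict:
    """Claims the IP releases to one relying party (signing omitted here)."""
    # Only derived, minimal claims are releasable; raw attributes are not listed.
    releasable = {"over_21": lambda: over_age(BIRTH_DATE, 21, today)}
    token = {"sub": directed_id(USER_SECRET, relying_party)}
    for claim in sorted(requested):
        if claim in releasable:  # e.g. a request for "birth_date" is ignored
            token[claim] = releasable[claim]()
    return token


if __name__ == "__main__":
    today = date(2024, 1, 1)
    for site in ("liquor.example", "books.example"):
        print(site, issue_token(site, {"over_21", "birth_date"}, today))
```
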

I’ll save the discussion as to whether these laws are ALL really necessary and some of the real historical reasons for their inclusion for other posts. Next up is the actual implementation of an identity metasystem that Kim derived from these laws and after that the Higgins project.