The academy is ahead of business and news media in establishing one account that works for many websites -- and the government wants to get there too
This is a sidebar to a longer piece found at the Reynolds Journalism Institute website.
BY BILL DENSMORE
Americans are bipolar when it comes to identity and privacy.
- We cringe at the idea that our social-number might be used as a national identifier, for fear it will enable the Big Brother state, and so we enact laws that limit how private industry may use the social-security number.
- And yet, because it is so convenient, we carry credit-cards with numbers which uniquely identify us across a globe-spanning, private commercial network.
- We reject the idea that police may enter our house or our car without a warrant or probably cause.
- But we allow marketers to store and retrieve files on our computers and devices without our knowledge or consent, building a sub-rosa file of what we’re reading and view, and connecting ith with data about our family, our income, our education and our location.
The cost of identity theft is rising, Ian Glazer, senior director, identity for SalesForce.com tallied in an Aug. 4 conference presentation. A total of 11.6 million U.S. victims in 2013 – up 13 percent year to year, and a cost of $37 billion, his presentation asserted based on Javelin Strategy research.
Now, on the grounds of making transactions and exchanges safer and more secure, the government, academia and marketers all have initiatives underway to change the way were are identified – or not – on the Internet and on mobile devices. Meanwhile, the news industry has no coordinated approach of its own. Should it? And what should it look like?
Why does identity matter?
First, let’s explain why identity matters, then offer a quick sampling of key government, academic and marketing-driven initiatives.
The technical debate is how networks like the Internet manage our “identity.” Most of us think of our identity as how we appear, where we live, who our friends are, what interests us, and what we do. On the Internet those things are translated into data – called “attributes.” A collection of attributes make up our identity for purposes of an online transaction or event. Experts who study Internet identity systems call this collect of attributes a “persona.” An individual might want to have different personas for different purposes – what you share with your health provider is different from what you share on your Facebook page or with your news provider.
Internet and mobile services increasingly understand the opportunity to personalize relationships with individual users. Doing so means tracking their movements and actions, or asking them for information about their preferences. If, when and how consumers give permission for this tracking necessary to personalization is the core of a policy debate labeled broadly, and sometimes emotionally, as about “privacy.”
Facebook is a big factor in identity, because thousands of websites allow users to “log in” with their Facebook identity. What these sites receive as a result is some basic information about us, courtesy of Facebook. However, the idea that a single company – with over a billion user accounts – might become a de facto private registrar for web, raises important questions of competition, privacy and control, concerns discussed in the main body of this report.
So, if a portable, unique identity is needed, and we don’t want that controlled by either the government or a single company, what is to be done?
NSTIC – a government plea to improve on passwords – with no Big Brother
Three years ago, President Obama signed an executive order which created the “National Strategy for Trusted Identities in Cyberspace” or NSTIC. The government, said Obama, shouldn’t be in the business of creating a national digital identity system for individuals. But government agencies were increasingly troubled by the danger of identity theft from public use of user names and passwords to access private records in government systems like Social Security and veterans services.
NSTIC is described by the government as a private-public sector partnership to create an Identity Ecosystem, where all consumers could choose from a variety of credentials that could be used in lieu of passwords to enable more secure, convenient and privacy-enhancing transactions everyplace they go online. Officials say some private firms have started offering multi-factor authentication (MFA) to their customers, aiming to cut down on the most commonly executed, password-centric security attacks.
NSTIC called in a 55-page-document for the government to support (with an initial $25 million in grants) development of competitive, private technologies that interoperate – with no single “Big Brother” type database of names and identity information. The vision was to allow consumers to choose among providers of one ID, which works at multiple web sites and services. “Other countries have chosen to rely on government-led initiatives to essentially create national identity cards,” said U.S. Commerce Secretary Gary Locke in explaining the initiative and why it’s needed. “Having a single issuer of identities creates unacceptable privacy and civil liberties issues.” The idea is to have multiple identity providers that are part of the same system. The government has sent up a portal site, Connect.gov, that explains the single-signon to government services idea. And there is at least one company, ID.me providing the service.
NSTIC represents a challenge to the private sector to create something better that user names and passwords and the government will pay to use it as the biggest first customer. But three years later and despite a half dozen more more public gatherings, and government-funded trials, nothing has definitively caught on. There has been no obvious participation by news or publishing interests. For the most part, the ideas circulated and trials undertaken with grants from NSTIC are focused on more secure login, not payments. Thus NSTIC is a hybrid public-private effort –- spawned by a challenge from the government to improve on the security of passwords, and with a mandate not to create a central database (which Facebook has created through marketplace dominance).
There are at least three other “federated identity” efforts:
- The Mozilla Foundation, which maintains the Firefox browser, released in Sept. 2012 a beta cross-site login system it called "Persona." The system is designed to allow enterprises to manage logins across many resources using open-standard technologies in a competitive challenge to Facebook Connect and Google ID. However after two years, [·https://groups.google.com/forum/#!topic/mozilla.dev.identity/E8jMFUEBH9Y informal project managers] at Mozilla reported the system is no longer aggressively supported by Mozilla and may be discontinued in 2015.
- For a decade, the independent, non-profit Identity Commons have convened meetings including individuals from companies such as Google, Microsoft, Facebook, Myspace, SUN, Oracle, Salesforce and Novell to explore ideas for the protection and sharing of personal data across the web. A core idea is to put more control over data in the hands of individual users.
- Google is also a supporter of the Open Identity Exchange, founded by the OpenID Foundation and Information Card Foundation. Some of the participants or supporters of both groups have been working with the White House and U.S. Commerce Department on roles for the government. All of this activity is taking part under the NSTIC, umbrella, and there are regular meetings. Largely absent from NSTIC and other collaborative identity discussions – Facebook.
Meanwhile, academic-led identity systems forges ahead.
Harvard University is one of more than 200 U.S. research institutions –- mostly universities –- that are part of Internet2 – an ultra-high-speed Internet backbone that makes collaboration easier on projects using massive amounts of distributed computing power. It’s users need constantly to be logging into resources at different institutions. Keeping multiple sets of user names and passwords was becoming impractical.
For the Internet2 consortium, the solution began with an open-source technology called Shiboleth, according to Scott Bradner, who is liaison to the consortium’s identity and access-management group for Harvard’s chief technology office. Bradner is a long-time and well-know collaborator on key early Internet technologies.
“The Central Internet 2 management doesn't get the identities,” says Bradner. “The whole point of federated identity management is you can go to your identity manager of choice.”
As an example, Bradner points to the HathiTrust Digital Library, a massive database of academic research. The University of Michigan is the current host of the infrastructure where digital content deposited by Hathi partners is preserved and made accessible. But if a Harvard-affiliated Internet user (faculty, staff, student) goes to the HathiTrust website and seeks information, the HathiTrust server asks them to log in using their Harvard user-name password – on a page located at Harvard. The user logs in, the Harvard system checks their credentials and – behind the scenes -- informs the Hathi service they can serve content to a valid Harvard user.
“When I want to log into HathiTrust, there is a pulldown list that lists the institutions that it accepts identity comes from,” Bradner says. “It is not to the scale one would like at some point. But it has a lot of characteristics which you should take a look at in terms of what you might want to do [for the news industry].”
One feature of Internet2’s version of Shiboleth is that the Harvard user, in the HathiTrust example, doesn’t necessarily have to be known by name to the HathiTrust server. All HathiTrust needs to know is that they are vouched for by Harvard.
There’s another service spreading across U.S. academia that makes it easy to log into wireless networks if you have credentials on one university campus and are visiting a different one. It’s called Eduroam. It began in Europe and has spread. Again, it uses largely open-source technology, requiring a RADIUS server at each participating institution. The RADIUS servers are able to exchange information about logins from different institutions.
Another organization, the non-profit XDI.org, offers help to organizations that want to share registration and other data. Its board president is Drummond Read, co-founder and CEO of the Respect Network.
As Bradner sees the opportunity for news providers, there could be multiple news providers, each with their own users, and each of them could be the source of billing to their individual subscribers, rather than a central service, “The Shiboleth technology would just do that out of the box,” he says. “There is nothing special you would have to do.”
And Bradner sees a privacy aspect to the service which could appeal to consumers. “One of the issues with payment systems has always been the privacy issue,” he says. “If I’m reading articles about wife swapping, that can be a problem if it gets known. If those pieces are served anonoymously, which you can do with Shiboleth, the billing service doesn’t need to know what articles you’re reading and the source of the articles doesn’t need to know who you are.”
Login to multiple services at newspapers – the SAML solution
Although U.S. daily newspapers do not yet share user identities they way Internet2 is doing with Shiboleth, they have been dealing with challenges of multiple logins for years – within their own systems. For example, the user name and password for access to a paper’s website might be different from the login for online management of print subscriptions. Third-party content or advertising services may require other logins.
Jim Barnard, senior vice president of digital at the Minneapolis Star Tribune says they deal with nine or 10 services which need logins. To streamline it, they use another open-source technology called SAML – security assertion markup language, which specifies a XML-standard data format for exchanging authentication and authorization data between parties.
“Every party we talk to knows it, there is lots of stuff published about it, and it is totally understood,” says Bernard. “SAML is the one we ended up solidifying around. And if there are two then the two of them will figure out how to cross authentication using SAML.”
The promise of single-signon
The idea of one ID, one password, one account for reaching multiple information resources was the core idea behind pre-World Wide Web services such as Compuserve, The Source and AmericaOnline. When you logged on, those services knew instantly who you were, and they could watch your activity.
From the outset in the 1990s, the World Wide Web was different. Yes, you had a unique, personal log-on to your Internet Service Provider (ISP) and ISPs have gradually developed sophisticated means to track your activity. Many users of Facebook may not know that once they log into their Facebook account, Facebook is able to track their movements among all the sites that use Facebook icons for any reason (such as sharing, or liking).
Whether it is your ISP or Facebook, however, these services don’t let you take control of your identity, and neither at present allows you to bundle access to your choice of digital content from many websites.
As with NSTIC, Internet2 and Facebook, perhaps it is time for the news industry to create a common identity system to make that possible. It doesn’t have to invent new technology. It could simply look at the work done with Shiboleth, SAML and one other emerging protocol – OAuth(which is used by Twitter, Google and Facebook to support third-party logins – and decide which to support and extend.
“Oauth is finally gaining tranction after a long ramp-up period (eight years), and the ITE charter would be a natural evolution of that platform,” observed Paul Gillin, social-media consultant and former editor of ComputerWorld Magazine, in comments to the draft of this paper. “The participation of RJI and any other reputable journalism organizations in Oauth would probably be welcomed by the members.”