Several of us at Janrain recently participated in the 14th annual Internet Identity Workshop (IIW) in Mountain View, CA. In addition to some of the bigger corporations like Google, Microsoft and Sony, participants included representatives from government, universities, and a strong international presence.
This was my first time at IIW, and also my first time attending an “Unconference.” At an Unconference, there is no formal or pre-planned agenda. Participants propose topics they would like to discuss each morning, and everyone is then invited to join in the discussions. Given the wide range of backgrounds and job titles of the participants, this format resulted in lively and informative discussions that weren’t limited to technical presentations and lectures. I found this refreshing, and enjoyed listening to conversations that ranged from moral and philosophical, to detailed and technical.
Some major themes at the event included:
- Proving your identity on the web
- Government regulations and guidelines: NSTIC
- Vendor Relationship Management (VRM)
- Improved protocols: OpenID Connect, SCIM
- Privacy and data protection
Proving Your Identity
There were some interesting talks about proving identity on the web and obtaining verified attributes. Solutions included address verification through your mobile carrier or actual USPS mail, biometrics, and using social network data for crowdsourcing and predictive analysis. This all falls under the category of proving that you are who you say you are on the internet. Use cases include government agencies, or anyone else who needs to verify your identity with a high degree of assurance. Although the biometrics stuff seems a bit immature, I can see a day when all smartphones have some type of biometric scanner that validates your identity.
On the technical side, I was glad to learn more about OpenID Connect. The main component of this protocol is an “ID Token” (which identifies the user to the relying party), issued in addition to the OAuth access token. In effect, it seems to standardize the current “OpenID/OAuth” hybrids where you log in with OpenID and also get back an OAuth token for making API calls. Another advantage over plain OAuth 2.0 is that it can save a second API call to fetch the user’s basic profile data, because some of that data comes back inside the ID token (which is actually a JSON Web Token, or JWT). Since the ID token is signed by the provider, the relying party should verify the signature, issuer, audience and expiry before trusting any of its claims. Janrain has created a prototype integration of Google’s OpenID Connect in our system, which we hope to build on soon.
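To make the ID token concrete, here is an added example (not code from the original post, and not Google’s or Janrain’s implementation) that builds a JWT carrying the user’s identity and basic profile claims, then validates it the way a relying party must before using those claims. The secret, issuer URL, client id, nonce and claim values are constructed for illustration; HS256 (HMAC with a shared client secret) is used so it runs offline, whereas real providers normally sign ID tokens with RS256 and publish their public keys.

```python
"""Build and validate an OpenID Connect style ID token (a JWT).

Added example: the secret, issuer, client id and claims below are
constructed for illustration and are not Google's or Janrain's. The claim
names (iss, sub, aud, exp, iat, nonce, email, name) are standard JWT/OIDC
claims. HS256 (HMAC with a shared client secret) is used so the example
runs offline; real providers normally sign ID tokens with RS256.
"""
import base64
import hashlib
import hmac
import json
import time

CLIENT_SECRET = b"constructed-client-secret"   # assumed shared secret
ISSUER = "https://idp.example"                 # assumed issuer URL
CLIENT_ID = "my-relying-party"                 # assumed OAuth client id
NONCE = "n-0S6_WzA2Mj"                         # value sent in the auth request

SAMPLE_CLAIMS = {  # constructed claims, not a real provider's token
    "iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
    "iat": 1337000000, "exp": 1337003600, "nonce": NONCE,
    "email": "jane@example.com", "name": "Jane Doe",  # profile data
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Serialise claims as a compact JWT signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidIdToken(ValueError):
    pass


def verify_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Return the claims only if the token is trustworthy; otherwise raise.

    Order matters: alg and signature are checked before any claim is
    believed, because the payload is plain base64 that anyone can forge.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("token must have three dot-separated parts")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # rejects "none" and alg swaps
        raise InvalidIdToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidIdToken("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise InvalidIdToken("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidIdToken("token was issued to a different client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidIdToken("token expired or missing exp")
    if claims.get("nonce") != nonce:
        raise InvalidIdToken("nonce mismatch (possible replay)")
    return claims


def validation_error(token, secret, issuer, client_id, nonce, now=None):
    """None if the token verifies, else the reason it was rejected."""
    try:
        verify_id_token(token, secret, issuer, client_id, nonce, now)
        return None
    except ValueError as err:   # InvalidIdToken, bad JSON or bad base64
        return str(err)


if __name__ == "__main__":
    token = make_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    claims = verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE,
                             now=1337000100)
    print("authenticated", claims["sub"], "as", claims["name"])
```

The point of the ordering in `verify_id_token` is that `email` and `name` arrive in the same base64 payload an attacker could hand-craft; only after the signature, issuer, audience, expiry and nonce checks pass is it safe to skip the profile API call and use those claims directly.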
Simple Cloud Identity Management (SCIM)
I also attended a talk on SCIM (Simple Cloud Identity Management). This specification is intended to make obtaining user data and identity in cloud-based applications easier. The idea is to define a common JSON/XML schema for representing user data, and a common set of RESTful APIs to manage it. Most identity providers already have a proprietary data schema and set of APIs; as far as I can tell, this protocol seeks to standardize these across providers.
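As an added illustration of what “a common schema plus a common RESTful API” means in practice (example code written for this post, not taken from the SCIM specification or from any vendor’s implementation), the block below maps a made-up proprietary provider record onto the SCIM core User schema and serves it from an in-memory stand-in for the `/Users` endpoint, including the validation a real service performs on create and the `attr eq "value"` filter form. The provider record layout, the base URL and the sample record are assumptions.

```python
"""Represent users in the SCIM core User schema and manage them RESTfully.

Added example: the provider record layout, the service base URL and the
in-memory store are assumptions made for illustration, not SCIM
specification text or any vendor's implementation. The attribute names
(schemas, externalId, userName, name, emails, active, id, meta) and the
ListResponse shape follow the SCIM 1.x core schema.
"""
import re
import uuid

SCIM_CORE_USER = "urn:scim:schemas:core:1.0"   # SCIM 1.x core schema URN
BASE_URL = "https://idp.example/scim/v1"        # assumed service base URL

# Only the simplest SCIM filter form is supported here: attr eq "value"
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')

SAMPLE_RECORD = {  # constructed record in one provider's proprietary layout
    "provider_uid": "prov-7781", "login": "bjensen", "first": "Barbara",
    "last": "Jensen", "emails": ["bjensen@example.com"], "disabled": False,
}


class ScimError(Exception):
    """Carries the HTTP status a SCIM endpoint would answer with."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def to_scim_user(record):
    """Translate a proprietary provider record into a SCIM core User."""
    emails = record.get("emails", [])
    return {
        "schemas": [SCIM_CORE_USER],
        "externalId": record["provider_uid"],   # provider's own identifier
        "userName": record["login"],
        "name": {"givenName": record.get("first", ""),
                 "familyName": record.get("last", "")},
        "emails": [{"value": e, "primary": i == 0} for i, e in enumerate(emails)],
        "active": not record.get("disabled", False),
    }


def validate_user(resource):
    """Reject bodies a SCIM service must not accept for POST /Users."""
    if SCIM_CORE_USER not in resource.get("schemas", []):
        raise ScimError(400, "missing core User schema")
    if not resource.get("userName"):
        raise ScimError(400, "userName is required")
    if "id" in resource:
        raise ScimError(400, "id is assigned by the service, not the client")


class UserService:
    """In-memory stand-in for a SCIM /Users endpoint."""

    def __init__(self):
        self._users = {}

    def create(self, resource):          # POST /Users -> 201 Created
        validate_user(resource)
        if any(u["userName"] == resource["userName"] for u in self._users.values()):
            raise ScimError(409, "userName already in use")
        user = dict(resource, id=str(uuid.uuid4()))
        user["meta"] = {"location": "%s/Users/%s" % (BASE_URL, user["id"])}
        self._users[user["id"]] = user
        return user

    def get(self, user_id):              # GET /Users/{id}
        if user_id not in self._users:
            raise ScimError(404, "no such user")
        return self._users[user_id]

    def list(self, filter_expr=None):    # GET /Users?filter=userName eq "x"
        users = list(self._users.values())
        if filter_expr is not None:
            match = FILTER_RE.match(filter_expr)
            if not match:
                raise ScimError(400, 'only attr eq "value" filters are supported')
            attr, value = match.groups()  # top-level attributes only
            users = [u for u in users if u.get(attr) == value]
        return {"schemas": [SCIM_CORE_USER], "totalResults": len(users),
                "startIndex": 1, "itemsPerPage": len(users), "Resources": users}

    def delete(self, user_id):           # DELETE /Users/{id}
        self.get(user_id)
        del self._users[user_id]


def create_status(service, resource):
    """HTTP status a POST /Users with this body would produce."""
    try:
        service.create(resource)
        return 201
    except ScimError as err:
        return err.status
```

The value of the common schema is visible in `to_scim_user`: every provider keeps its own record layout, but once the translation exists, the same client code can create, look up, filter and delete users against any service that speaks SCIM, and the service-side checks (schema present, `userName` required, `id` never client-chosen, duplicates refused) are the same everywhere.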
The Meaning of Privacy
One of my favorite sessions was about the meaning of “privacy”, and how it applies to the growing and complex world of the social web. With user data spread all over the world and APIs to connect it all, this topic is becoming increasingly relevant. We heard the legal definition of privacy versus data protection from a lawyer in attendance, and the discussion expanded into how such legal guidelines might be applied to the products we create. The question is how to build a product that satisfies these requirements across international boundaries, when the requirements, laws, and social conventions are not well defined.
Personal Data Ownership
One of the presenters (I’m sorry I didn’t write down his name) also quoted one of my favorite Steven Wright jokes, which I appreciated not only because it’s funny, but also because it’s a great analogy for what’s going on with our personal data. It goes: “I have a large seashell collection which I keep scattered on the beaches all over the world. Maybe you’ve seen it.” The analogy, of course, is that our pieces of personal data are like seashells, scattered across the many identity providers, governments and corporations of the world. The question is who actually owns this data, and the challenge is how to manage and access it in a secure way that satisfies everyone involved.
This workshop helped to broaden my understanding of the world of identity and personal data beyond the technical realm. By learning more about privacy, legal issues and international concerns, I hope to bring new knowledge and awareness back to Janrain and help build better products.