IT is now charged with extending existing IDs or incorporating new ones.
Although many people have their Social Security Numbers memorized before
heading off to college, and some people can recite their driver's license
numbers from memory, those numbers are not our identities. Even our given
names-which are at the heart of our society's concept of identity-can be
changed if we want; courts are generally directed to grant such a change unless
there's clear evidence of intent to mislead or defraud.
So how does one assert an identity in a digital environment, and how can
that assertion be verified? That's difficult enough in a society that accepts
the right of the national government to control identity, as is common in
Europe. In the United States, it's infinitely more complicated because, thanks
to the Tenth Amendment, the job of defining one's identity is left to the
But that definition by the state only applies to our physical selves, and
our identity documents are not at all useful online. For better or worse, we
define ourselves online in multiple ways; for example, there are two or three
e-mail addresses that I use as identifiers, a Google ID or two, and so forth.
This keeps me from putting all my eggs in one identity basket, but makes it
difficult to prove that "email@example.com" is the same person that "firstname.lastname@example.org
Should there be a nationally driven digital identity? In some ways, it
sounds like a good idea. We already accept that the federal government, through
the State Department, has the sole authority to issue passports. But by
accepting that authority, we tacitly agree that the federal government has some
say over where we go and what we do when we get there. That's the problem with
having a digital identity that's driven by the goals and requirements of
government; the good news is that the likelihood of such a government-driven
digital ID being put into use is somewhere between slim and nonexistent.
Instead, the private sector is rapidly stepping in to provide digital
identity, but that has its own pitfalls. For starters, a privately issued
digital identity may not have the universal acceptance that a government-issued
ID as part of its very nature. Second, that private sector digital ID is
subject to the rules of the issuer.
Facebook serves as a rather credible provider, thanks in large part to its
half-billion-strong membership. That may not be a substantial fraction of the
6.9 billion people on this planet, but it's a healthy share of the online
population. Facebook's authentication architecture, which is based on the OAuth
2.0 specification, makes it possible to sign in to another Website, which hands
over the authentication to Facebook.
One company that has found Facebook's social network to be invaluable is
e-commerce site Etsy, which focuses on handmade and vintage items, and offers a
marketplace that connects buyers and sellers of such items. Last year, Etsy
began providing its users with gift suggestions via Facebook.
As Jason Davis, lead scientist at Etsy, noted, "One thing we try to do is
connect people to people; we have a million active members, which is a fraction
of Facebook. The fundamental assumption here is that buying gifts is
"The idea," Davis explained, "is that in two clicks, you connect with
Facebook. We analyze information about all your friends: their profile
information, their activities, their interests, their likes, their favorite
bands and musicians, movies and whatnot. From all this information, we ask
-which one of these entities are available on the Etsy marketplace?' and,
moreover, -which of these things that your friends like are popular on the
marketplace; which do we have high-quality items for?' We analyze that across
your friends and make a set of recommendations, up to 20, that show something
that [they might] like."
Making this integration happen wasn't terribly difficult either, Davis says,
adding, "Only two of us really worked on it full-time" in a two-month
Facebook was helpful with integration issues, Davis added. "They have an
awesome API. When you first connect, we analyze up to hundreds of thousands of
individual -likes,' and that's pulling quite a bit of data from Facebook over
to our Web servers."
With Facebook's OAuth 2.0 implementation, "the idea is that you are granting
access to a trusted third party, in this case Etsy, to then go and browse your
profile through the API on your behalf."
Davis went on to say that "people have security and privacy issues, and we
take those seriously; the only thing we use [the data from Facebook] for is to
show gift recommendations to you. We went through every path possible to be
respectful of our users' data."
But Facebook is merely the 800-pound gorilla of digital identification, and
it's not the only one proving a private-sector identity. As Davis noted, "You
have a social identity on Facebook. It's primarily a reflection of your offline
identity; of course, you [may] have an identity on LinkedIn [serving as] a
professional identity, a projection of one aspect of your life onto another."
For decades, IT departments have served as digital-identity providers
although their scope is generally limited to the duration of one's employment,
or one's relationship as customer or vendor. That's changing already,
particularly in academia, as colleges and universities start to treat the
relationship with alumni as less of a money-grubbing exercise and more of a
One example of this is the Thomas M. Cooley Law School, which is based in
Lansing, Mich., and has satellite campuses in Ann Arbor, Grand Rapids and the
Oakland County suburb of Auburn Hills. Cooley's enrollment, when full-time and
part-time students are combined, makes it the largest law school in the country
to be accredited by the American Bar Association.
Cooley's identity and e-mail infrastructure, based on Novell GroupWise and
supported by Novell's eDirectory service, had worked well for internally-hosted
services, supporting 3,500 students and 500 faculty and staff, said Greg
Colegrove, director of IT operations at the law school. The problem, he
explained, was that "we just could not respond quickly enough to the things we
were asked for" in areas such as smartphone integration and other items
touching on collaboration and mobility.
The IT staff at Cooley found during a 2009 pilot program that Google Apps
would satisfy many of the demands for collaborative and mobile access; the
challenging was determining how to scale this from the 100 student volunteers
to the rest of the student body, as a run-up to extending the Google Apps
support to the entire user base. The solution was Novell Identity Manager, an
IDM (identity-management) tool formerly known as DirXML.
It turned out that CosmosKey, a firm based in the United Kingdom, offers a
SAML-based (Security Assertion Markup Language-based) connector between the
Identity Vault in Novell Identity Manager and Google Apps. The CosmosKey IDM
Connector for Google Apps installs on the machine running the IDM engine or on
a server running the Identity Manager Remote Loader. With a proof-of-concept
installation of the IDM tool up and running for the spring 2010 term, the IT
team at Cooley was able to bring the entire student body onto automatic
IDM-based provisioning for the fall 2010 term.
The secret to Cooley's success, noted Colegrove, was end-to-end testing
before unleashing the entire student body on the freshly integrated systems. "A
lot of this was new to us, so we did everything... in a full [developer]
environment." He added that "the beauty of this" was that the students already
had network identities, making it a relatively simple extension of that
Phase Two involves offering this to alumni, Colegrove explained. The previous
policy was that Cooley grads could "keep their e-mail addresses for a year
after they graduate. With Google [Apps] and IDM already in place, now they keep
that [identity] through their legal career," making job searches, networking
and other activities that much more seamless and fostering their identification
with the Cooley brand.
There's no one-size-fits-all approach for integrating social networking and
cloud-based applications with the conventional IT-centric model of identity.
But no matter what approach an organization takes, it's clear that preparation
and testing before deployment is essential.