Although many people have their Social Security Numbers memorized before heading off to college, and some people can recite their driver’s license numbers from memory, those numbers are not our identities. Even our given names, which are at the heart of our society’s concept of identity, can be changed if we want; courts are generally directed to grant such a change unless there’s clear evidence of intent to mislead or defraud.
So how does one assert an identity in a digital environment, and how can that assertion be verified? That’s difficult enough in a society that accepts the right of the national government to control identity, as is common in Europe. In the United States, it’s infinitely more complicated because, thanks to the Tenth Amendment, the job of defining one’s identity is left to the individual states.
But that definition by the state only applies to our physical selves, and our identity documents are not at all useful online. For better or worse, we define ourselves online in multiple ways; for example, there are two or three e-mail addresses that I use as identifiers, a Google ID or two, and so forth. This keeps me from putting all my eggs in one identity basket, but makes it difficult to prove that “pjc@eweek.com” is the same person that “pjc@foo.com” is.
Should there be a nationally driven digital identity? In some ways, it sounds like a good idea. We already accept that the federal government, through the State Department, has the sole authority to issue passports. But by accepting that authority, we tacitly agree that the federal government has some say over where we go and what we do when we get there. That’s the problem with having a digital identity that’s driven by the goals and requirements of government; the good news is that the likelihood of such a government-driven digital ID being put into use is somewhere between slim and nonexistent.
Instead, the private sector is rapidly stepping in to provide digital identity, but that has its own pitfalls. For starters, a privately issued digital identity may not have the universal acceptance that a government-issued ID has as part of its very nature. Second, that private-sector digital ID is subject to the rules of the issuer.
Facebook serves as a rather credible provider, thanks in large part to its half-billion-strong membership. That may not be a substantial fraction of the 6.9 billion people on this planet, but it’s a healthy share of the online population. Facebook’s authentication architecture, which is based on the OAuth 2.0 specification, makes it possible to sign in to another Website, which hands over the authentication to Facebook.
One company that has found Facebook’s social network to be invaluable is e-commerce site Etsy, which focuses on handmade and vintage items, and offers a marketplace that connects buyers and sellers of such items. Last year, Etsy began providing its users with gift suggestions via Facebook.
As Jason Davis, lead scientist at Etsy, noted, “One thing we try to do is connect people to people; we have a million active members, which is a fraction of Facebook. The fundamental assumption here is that buying gifts is hard.”
“The idea,” Davis explained, “is that in two clicks, you connect with Facebook. We analyze information about all your friends: their profile information, their activities, their interests, their likes, their favorite bands and musicians, movies and whatnot. From all this information, we ask ‘which one of these entities are available on the Etsy marketplace?’ and, moreover, ‘which of these things that your friends like are popular on the marketplace; which do we have high-quality items for?’ We analyze that across your friends and make a set of recommendations, up to 20, that show something that [they might] like.”
Making this integration happen wasn’t terribly difficult either, Davis says, adding, “Only two of us really worked on it full-time” in a two-month iteration.
Facebook was helpful with integration issues, Davis added. “They have an awesome API. When you first connect, we analyze up to hundreds of thousands of individual ‘likes,’ and that’s pulling quite a bit of data from Facebook over to our Web servers.”
With Facebook’s OAuth 2.0 implementation, “the idea is that you are granting access to a trusted third party, in this case Etsy, to then go and browse your profile through the API on your behalf.”
Davis went on to say that “people have security and privacy issues, and we take those seriously; the only thing we use [the data from Facebook] for is to show gift recommendations to you. We went through every path possible to be respectful of our users’ data.”
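The delegated-access pattern Davis describes (the user is sent to the identity provider, consents, and the third-party site is handed a credential that lets it read the profile on the user’s behalf) is the OAuth 2.0 authorization code flow. The following is an added illustration, not Etsy’s or Facebook’s code; it runs both roles in one process with a hypothetical provider endpoint (`idp.example`), a hypothetical relying party (`rp.example`), constructed client credentials and a constructed user profile, and it exercises the checks a relying party and provider should make: an unguessable `state` value so a callback the site never started is refused, single-use and expiring authorization codes, the code bound to the client and its registered `redirect_uri`, and an access token that unlocks only the scope the user granted.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoint; a real provider publishes its own URLs.
AUTHORIZE_ENDPOINT = "https://idp.example/oauth/authorize"


class AuthorizationServer:
    """In-memory stand-in for the identity provider's OAuth 2.0 authorization server."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, frozenset(redirect_uris))
        self.codes = {}    # code -> binding record; a code is deleted on first use
        self.tokens = {}   # access_token -> what was granted
        self.profiles = {"alice": {"likes": ["pottery", "vinyl records"]}}  # constructed data

    def register_client(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = (client_secret, frozenset(redirect_uris))

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Called after the user consents at the provider; returns the redirect back."""
        if client_id not in self.clients or redirect_uri not in self.clients[client_id][1]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "user": user, "expires": time.time() + 60}  # short-lived code
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: code -> access token, only for the client the code was issued to."""
        rec = self.codes.pop(code, None)  # pop makes the code single-use
        if rec is None or rec["expires"] < time.time():
            raise ValueError("invalid or expired code")
        secret, _ = self.clients.get(client_id, ("", frozenset()))
        if rec["client_id"] != client_id or not hmac.compare_digest(secret, client_secret):
            raise ValueError("client authentication failed")
        if rec["redirect_uri"] != redirect_uri:
            raise ValueError("redirect_uri mismatch")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"scope": rec["scope"], "user": rec["user"]}
        return {"access_token": token, "token_type": "bearer", "scope": rec["scope"]}

    def read_profile(self, token, needed_scope):
        """Resource endpoint: the token unlocks only what the user granted."""
        grant = self.tokens.get(token)
        if grant is None or needed_scope not in grant["scope"].split():
            raise PermissionError("token lacks scope " + needed_scope)
        return self.profiles[grant["user"]]


class RelyingParty:
    """The site that delegates sign-in (the Etsy role), acting as an OAuth 2.0 client."""

    def __init__(self, client_id, client_secret, redirect_uri, scope):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.scope = redirect_uri, scope
        self.pending_states = set()  # in practice kept in the user's server-side session

    def start_login(self):
        state = secrets.token_urlsafe(16)  # unguessable; ties the callback to this session
        self.pending_states.add(state)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": self.scope,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, callback_url, server):
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: this site did not start that login")
        self.pending_states.discard(state)  # each state value is accepted once
        code = params.get("code", [None])[0]
        return server.exchange(self.client_id, self.client_secret, code, self.redirect_uri)


def run_flow():
    """Drive the whole exchange in-process and report what each check produced."""
    idp = AuthorizationServer()
    idp.register_client("rp-demo", "demo-secret", ["https://rp.example/callback"])
    rp = RelyingParty("rp-demo", "demo-secret", "https://rp.example/callback", "user_likes")
    state = parse_qs(urlparse(rp.start_login()).query)["state"][0]
    callback = idp.authorize("rp-demo", "https://rp.example/callback", "user_likes", state, "alice")
    token = rp.handle_callback(callback, idp)
    result = {"scope": token["scope"],
              "likes": idp.read_profile(token["access_token"], "user_likes")["likes"]}
    code = parse_qs(urlparse(callback).query)["code"][0]
    checks = {  # each of these must be refused
        "replay": lambda: idp.exchange("rp-demo", "demo-secret", code, "https://rp.example/callback"),
        "forged_state": lambda: rp.handle_callback("https://rp.example/callback?code=x&state=f", idp),
        "ungranted_scope": lambda: idp.read_profile(token["access_token"], "email")}
    for name, attempt in checks.items():
        try:
            attempt()
            result[name + "_rejected"] = False
        except (ValueError, PermissionError):
            result[name + "_rejected"] = True
    return result
```

The relying party never sees the user’s password; the only long-lived secret it holds is its own client secret, and the scope it asks for is the minimum its feature needs, which is the practical form of the data-use promise Davis makes above. Calling `run_flow()` returns the granted scope, the profile data read with it, and a flag for each refused misuse.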
But Facebook is merely the 800-pound gorilla of digital identification, and it’s not the only one providing a private-sector identity. As Davis noted, “You have a social identity on Facebook. It’s primarily a reflection of your offline identity; of course, you [may] have an identity on LinkedIn [serving as] a professional identity, a projection of one aspect of your life onto another.”
For decades, IT departments have served as digital-identity providers although their scope is generally limited to the duration of one’s employment, or one’s relationship as customer or vendor. That’s changing already, particularly in academia, as colleges and universities start to treat the relationship with alumni as less of a money-grubbing exercise and more of a community-building operation.
One example of this is the Thomas M. Cooley Law School, which is based in Lansing, Mich., and has satellite campuses in Ann Arbor, Grand Rapids and the Oakland County suburb of Auburn Hills. Cooley’s enrollment, when full-time and part-time students are combined, makes it the largest law school in the country to be accredited by the American Bar Association.
Cooley’s identity and e-mail infrastructure, based on Novell GroupWise and supported by Novell’s eDirectory service, had worked well for internally-hosted services, supporting 3,500 students and 500 faculty and staff, said Greg Colegrove, director of IT operations at the law school. The problem, he explained, was that “we just could not respond quickly enough to the things we were asked for” in areas such as smartphone integration and other items touching on collaboration and mobility.
The IT staff at Cooley found during a 2009 pilot program that Google Apps would satisfy many of the demands for collaborative and mobile access; the challenge was determining how to scale this from the 100 student volunteers to the rest of the student body, as a run-up to extending the Google Apps support to the entire user base. The solution was Novell Identity Manager, an IDM (identity-management) tool formerly known as DirXML.
It turned out that CosmosKey, a firm based in the United Kingdom, offers a SAML-based (Security Assertion Markup Language-based) connector between the Identity Vault in Novell Identity Manager and Google Apps. The CosmosKey IDM Connector for Google Apps installs on the machine running the IDM engine or on a server running the Identity Manager Remote Loader. With a proof-of-concept installation of the IDM tool up and running for the spring 2010 term, the IT team at Cooley was able to bring the entire student body onto automatic IDM-based provisioning for the fall 2010 term.
The secret to Cooley’s success, noted Colegrove, was end-to-end testing before unleashing the entire student body on the freshly integrated systems. “A lot of this was new to us, so we did everything… in a full [developer] environment.” He added that “the beauty of this” was that the students already had network identities, making it a relatively simple extension of that identity.
Phase Two involves offering this to alumni, Colegrove explained. The previous policy was that Cooley grads could “keep their e-mail addresses for a year after they graduate. With Google [Apps] and IDM already in place, now they keep that [identity] through their legal career,” making job searches, networking and other activities that much more seamless and fostering their identification with the Cooley brand.
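What an identity-management connector like the one Cooley deployed does at its core is reconcile the authoritative directory against the cloud tenant and act on the differences. The following is an added, vendor-neutral illustration, not Cooley’s, Novell’s or CosmosKey’s code; the record shape, the role names, the tenant snapshot and the usernames are all constructed. It encodes the two policies the text describes: people who are currently enrolled or employed get active accounts, and alumni keep theirs after graduation (a switch lets you compare with the older one-year-then-cut-off policy). Accounts in the tenant with no directory record are suspended rather than deleted, so a bad source feed cannot destroy mailboxes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryEntry:
    """One record from the authoritative identity store (constructed shape, not a vendor schema)."""
    username: str
    role: str      # "student", "staff" or "alumni"
    current: bool  # True while enrolled or employed


def desired_state(entry, alumni_keep_account=True):
    """Policy: current people get an active account; alumni keep theirs if policy allows."""
    if entry.current or (entry.role == "alumni" and alumni_keep_account):
        return "active"
    return "suspended"


def plan_provisioning(directory, cloud_accounts, alumni_keep_account=True):
    """Return sorted (action, username) pairs that bring the cloud tenant in line with the directory.

    cloud_accounts maps username -> "active" | "suspended" as currently seen in the tenant.
    """
    actions = []
    known = {e.username for e in directory}
    for entry in directory:
        wanted = desired_state(entry, alumni_keep_account)
        have = cloud_accounts.get(entry.username)
        if have is None:
            if wanted == "active":
                actions.append(("create", entry.username))
        elif have != wanted:
            actions.append(("suspend" if wanted == "suspended" else "reactivate", entry.username))
    for username, have in cloud_accounts.items():
        if username not in known and have == "active":
            actions.append(("suspend", username))  # orphan: suspend, never auto-delete
    return sorted(actions)


def sample_plan(alumni_keep_account=True):
    """Run the planner over a constructed directory and tenant snapshot."""
    directory = [
        DirectoryEntry("jdoe", "student", True),     # enrolled, no cloud account yet
        DirectoryEntry("asmith", "alumni", False),   # graduated last term
        DirectoryEntry("bwong", "staff", False),     # left employment
        DirectoryEntry("clee", "student", True),     # already provisioned, nothing to do
    ]
    cloud_accounts = {"asmith": "active", "bwong": "active", "clee": "active", "ghost": "active"}
    return plan_provisioning(directory, cloud_accounts, alumni_keep_account)
```

Separating the policy (`desired_state`) from the reconciliation loop is what makes a change like Cooley’s Phase Two a one-line decision instead of a re-engineering job, and producing a plan first rather than acting immediately is what lets the plan be reviewed in a test environment, which is the end-to-end testing Colegrove credits for the rollout going smoothly.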
There’s no one-size-fits-all approach for integrating social networking and cloud-based applications with the conventional IT-centric model of identity. But no matter what approach an organization takes, it’s clear that preparation and testing before deployment is essential.